
feat(kuma-cp): remove value of secret when logging Secret Resources #5384

Merged
merged 9 commits into from
Dec 1, 2022
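--- a/api/system/v1alpha1/datasource_helpers.go
+++ b/api/system/v1alpha1/datasource_helpers.go
@@ -0,0 +1,20 @@
+package v1alpha1
+
+import util_proto "github.com/kumahq/kuma/pkg/util/proto"
+
+func (ds *DataSource) MaskInlineDatasource() *DataSource {
+if ds == nil {
+return nil
+}
+if ds.GetInline().String() != "" {
+return &DataSource{
+Type: &DataSource_Inline{Inline: util_proto.Bytes([]byte("***"))},
+}
+}
+if ds.GetInlineString() != "" {
+return &DataSource{
+Type: &DataSource_InlineString{InlineString: "***"},
+}
+}
+return nil
+}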
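Review bot: MaskInlineDatasource returns nil for every DataSource that is neither inline nor inline-string, so a file path or secret reference vanishes from the log and becomes indistinguishable from an unset field; if those variants carry nothing sensitive, the final `return nil` could be `return ds` so the log still shows which kind of source was configured. The exported method also has no doc comment; `// MaskInlineDatasource returns a copy of ds with any inline certificate or key material replaced by "***"; non-inline sources are dropped.` would state the contract including the nil case. The test `ds.GetInline().String() != ""` depends on the proto text form being empty for an unset wrapper; if Inline is a wrappers BytesValue, `len(ds.GetInline().GetValue()) > 0` says what is actually being checked.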
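--- a/api/system/v1alpha1/secret_helper.go
+++ b/api/system/v1alpha1/secret_helper.go
@@ -0,0 +1,5 @@
+package v1alpha1
+
+func (s *Secret) MarshalLog() interface{} {
+return "***"
+}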
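Review bot: MarshalLog has no doc comment saying that it deliberately discards the whole Secret rather than just its data, so a later reader cannot tell whether dropping the metadata was intended. Suggest `// MarshalLog replaces the entire Secret with "***" so that neither its data nor its fields can reach the logs.` above the method; which logging hook picks this method up is not visible on the page, so the comment should not name one unless confirmed.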
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -31,6 +31,7 @@ require (
github.com/kumahq/protoc-gen-kumadoc v0.3.1
github.com/lib/pq v1.10.7
github.com/miekg/dns v1.1.50
github.com/mitchellh/copystructure v1.2.0
github.com/natefinch/atomic v1.0.1
github.com/onsi/ginkgo/v2 v2.5.1
github.com/onsi/gomega v1.24.1
Expand Down Expand Up @@ -147,7 +148,6 @@ require (
github.com/mattn/go-isatty v0.0.14 // indirect
github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
7 changes: 0 additions & 7 deletions pkg/core/resources/apis/mesh/external_service_helper.go

This file was deleted.

46 changes: 46 additions & 0 deletions pkg/core/resources/apis/mesh/external_service_helpers.go
@@ -0,0 +1,46 @@
package mesh

import (
"github.com/mitchellh/copystructure"

mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1"
)

func (es *ExternalServiceResource) IsReachableFromZone(zone string) bool {
return es.Spec.Tags[mesh_proto.ZoneTag] == "" || es.Spec.Tags[mesh_proto.ZoneTag] == zone
}

func (esl *ExternalServiceResourceList) MarshalLog() interface{} {
maskedList := make([]*ExternalServiceResource, len(esl.Items))
for _, es := range esl.Items {
maskedList = append(maskedList, es.MarshalLog().(*ExternalServiceResource))
}
return ExternalServiceResourceList{
Items: maskedList,
Pagination: esl.Pagination,
}
}

func (es *ExternalServiceResource) MarshalLog() interface{} {
c, err := copystructure.Copy(es)
if err != nil {
return nil
}
esCopy := c.(*ExternalServiceResource)
spec := esCopy.Spec
if spec == nil {
return es
}
net := spec.GetNetworking()
if net == nil {
return es
}
tls := net.GetTls()
if tls == nil {
return es
}
tls.CaCert = tls.CaCert.MaskInlineDatasource()
tls.ClientCert = tls.ClientCert.MaskInlineDatasource()
tls.ClientKey = tls.ClientKey.MaskInlineDatasource()
return esCopy
}
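Review bot: In ExternalServiceResourceList.MarshalLog, `make([]*ExternalServiceResource, len(esl.Items))` followed by append yields a slice with len(Items) leading nil entries before the masked copies, so the logged list is twice as long and starts with nils; the first line should read `maskedList := make([]*ExternalServiceResource, 0, len(esl.Items))`. The same pattern appears in MeshResourceList.MarshalLog, SecretResourceList.MarshalLog and GlobalSecretResourceList.MarshalLog in this PR. Separately, ExternalServiceResource.MarshalLog returns an untyped nil when copystructure.Copy fails, and the list's unchecked assertion `es.MarshalLog().(*ExternalServiceResource)` then panics inside a log call; use the comma-ok form and skip the entry on failure, e.g. `if masked, ok := es.MarshalLog().(*ExternalServiceResource); ok { maskedList = append(maskedList, masked) }`. Returning nil from the single-resource method is the right fail-closed choice, so only the caller needs the guard.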
49 changes: 49 additions & 0 deletions pkg/core/resources/apis/mesh/mesh_helpers.go
Expand Up @@ -7,7 +7,11 @@ import (
"strings"
"time"

"github.com/mitchellh/copystructure"

mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1"
"github.com/kumahq/kuma/pkg/plugins/ca/provided/config"
util_proto "github.com/kumahq/kuma/pkg/util/proto"
)

func (m *MeshResource) HasPrometheusMetricsEnabled() bool {
Expand Down Expand Up @@ -135,3 +139,48 @@ func ParseDuration(durationStr string) (time.Duration, error) {
}
return dur, nil
}

func (ml *MeshResourceList) MarshalLog() interface{} {
maskedList := make([]*MeshResource, len(ml.Items))
for _, mesh := range ml.Items {
maskedList = append(maskedList, mesh.MarshalLog().(*MeshResource))
}
return MeshResourceList{
Items: maskedList,
Pagination: ml.Pagination,
}
}

func (m *MeshResource) MarshalLog() interface{} {
c, err := copystructure.Copy(m)
if err != nil {
return nil
}
meshCopy := c.(*MeshResource)
spec := meshCopy.Spec
if spec == nil {
return m
}
mtls := spec.Mtls
if mtls == nil {
return m
}
for _, backend := range mtls.Backends {
conf := backend.Conf
if conf == nil {
continue
}
cfg := &config.ProvidedCertificateAuthorityConfig{}
err := util_proto.ToTyped(conf, cfg)
if err != nil {
continue
}
cfg.Key = cfg.Key.MaskInlineDatasource()
cfg.Cert = cfg.Cert.MaskInlineDatasource()
backend.Conf, err = util_proto.ToStruct(cfg)
if err != nil {
continue
}
}
return meshCopy
}
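Review bot: When util_proto.ToTyped or util_proto.ToStruct fails for a backend, the `continue` leaves backend.Conf as the original, unmasked struct inside meshCopy, so a config that could not be masked is logged verbatim — the opposite of what the masking is for. Failing closed by clearing the field on either error keeps the log safe; if ToTyped also rejects configs of backend types other than "provided", that would drop their (non-secret) config from the log as well, so gating on the backend's type field, where the generated type exposes one, would be the finer fix. This loop also assumes mtls.Backends holds pointers so that assigning backend.Conf mutates the copy rather than a loop-local value — worth confirming against the generated type. The shadowed `err :=` inside the loop disappears once the calls are scoped as below.
```go
for _, backend := range mtls.Backends {
	conf := backend.Conf
	if conf == nil {
		continue
	}
	cfg := &config.ProvidedCertificateAuthorityConfig{}
	if err := util_proto.ToTyped(conf, cfg); err != nil {
		backend.Conf = nil // fail closed: never log a config that could not be masked
		continue
	}
	cfg.Key = cfg.Key.MaskInlineDatasource()
	cfg.Cert = cfg.Cert.MaskInlineDatasource()
	masked, err := util_proto.ToStruct(cfg)
	if err != nil {
		backend.Conf = nil
		continue
	}
	backend.Conf = masked
}
// … unchanged: return meshCopy …
```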
40 changes: 40 additions & 0 deletions pkg/core/resources/apis/system/secret_resource_helper.go
@@ -0,0 +1,40 @@
package system

import (
"github.com/kumahq/kuma/pkg/core/resources/model"
)

type secretResource struct {
Meta model.ResourceMeta
Spec string
}

func (l *SecretResourceList) MarshalLog() interface{} {
list := make([]interface{}, len(l.Items))
for _, res := range l.Items {
list = append(list, res.MarshalLog())
}
return list
}

func (sr *SecretResource) MarshalLog() interface{} {
return secretResource{
Meta: sr.Meta,
Spec: "***",
}
}

func (l *GlobalSecretResourceList) MarshalLog() interface{} {
list := make([]interface{}, len(l.Items))
for _, res := range l.Items {
list = append(list, res.MarshalLog())
}
return list
}

func (gs *GlobalSecretResource) MarshalLog() interface{} {
return secretResource{
Meta: gs.Meta,
Spec: "***",
}
}
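Review bot: secretResource is an unexported, log-only projection, but nothing says so and a reader may mistake it for a resource type; suggest `// secretResource is the log-safe view of a secret: metadata is kept, the data is replaced by a fixed placeholder.` above the type. SecretResource.MarshalLog and GlobalSecretResource.MarshalLog dereference the receiver unconditionally, so calling either on a nil pointer panics inside the logger; a `if sr == nil { return nil }` guard at the top of each would match the nil check MaskInlineDatasource in this PR already does. The two list methods have identical bodies and could share one unexported helper taking the item slice, which would also give the fix for the presizing issue raised on ExternalServiceResourceList a single home.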