Skip to content

Commit

Permalink
Merge pull request #661 from fluxcd/ssa-data-masking
Browse files Browse the repository at this point in the history
ssa: improve data masking
  • Loading branch information
hiddeco authored Oct 6, 2023
2 parents bf2de60 + 19c86d5 commit 2fa04c5
Show file tree
Hide file tree
Showing 5 changed files with 346 additions and 190 deletions.
59 changes: 2 additions & 57 deletions ssa/manager_diff.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,11 +28,6 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
)

const (
defaultMask = "*****"
diffMask = "******"
)

// DiffOptions contains options for server-side dry-run apply requests.
type DiffOptions struct {
// Exclusions determines which in-cluster objects are skipped from dry-run apply
Expand Down Expand Up @@ -79,13 +74,10 @@ func (m *ResourceManager) Diff(ctx context.Context, object *unstructured.Unstruc
unstructured.RemoveNestedField(dryRunObject.Object, "metadata", "managedFields")
unstructured.RemoveNestedField(existingObject.Object, "metadata", "managedFields")

if dryRunObject.GetKind() == "Secret" {
d, ex, err := m.sanitizeDriftedSecrets(existingObject, dryRunObject)
if err != nil {
if IsSecret(dryRunObject) {
if err := SanitizeUnstructuredData(existingObject, dryRunObject); err != nil {
return nil, nil, nil, err
}

dryRunObject, existingObject = d, ex
}

return cse, existingObject, dryRunObject, nil
Expand All @@ -94,53 +86,6 @@ func (m *ResourceManager) Diff(ctx context.Context, object *unstructured.Unstruc
return m.changeSetEntry(dryRunObject, UnchangedAction), nil, nil, nil
}

// sanitizeDriftedSecrets masks the data values of the given secret objects
func (m *ResourceManager) sanitizeDriftedSecrets(existingObject, dryRunObject *unstructured.Unstructured) (*unstructured.Unstructured, *unstructured.Unstructured, error) {
dryRunData, foundDryRun, err := getNestedMap(dryRunObject)
if err != nil {
return nil, nil, fmt.Errorf("unable to get data from dry run object: %w", err)
}

existingData, foundExisting, err := getNestedMap(existingObject)
if err != nil {
return nil, nil, fmt.Errorf("unable to get data from existing object: %w", err)
}

if !foundDryRun || !foundExisting {
if foundDryRun {
d, err := maskSecret(dryRunData, dryRunObject, diffMask)
if err != nil {
return nil, nil, fmt.Errorf("masking secret data failed: %w", err)
}
return d, existingObject, nil
}

e, err := maskSecret(existingData, existingObject, diffMask)
if err != nil {
return nil, nil, fmt.Errorf("masking secret data failed: %w", err)
}
return dryRunObject, e, nil
}

if foundDryRun && foundExisting {
d, ex := cmpMaskData(dryRunData, existingData)

err := setNestedMap(dryRunObject, d)
if err != nil {
return nil, nil, fmt.Errorf("masking secret data failed: %w", err)
}

err = setNestedMap(existingObject, ex)
if err != nil {
return nil, nil, fmt.Errorf("masking secret data failed: %w", err)
}

}

return dryRunObject, existingObject, nil

}

// hasDrifted detects changes to metadata labels, annotations and spec.
func (m *ResourceManager) hasDrifted(existingObject, dryRunObject *unstructured.Unstructured) bool {
if dryRunObject.GetResourceVersion() == "" {
Expand Down
92 changes: 92 additions & 0 deletions ssa/sanitize.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
/*
Copyright 2023 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package ssa

import (
"fmt"

"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)

const (
sanitizeMaskDefault = "***"
sanitizeMaskBefore = "*** (before)"
sanitizeMaskAfter = "*** (after)"
)

// SanitizeUnstructuredData masks the "data" values of an Unstructured object,
// the objects are modified in place.
// If the data value is the same in both objects, the mask is replaced with a
// default mask. If the data value is different, the mask is replaced with a
// before and after mask.
func SanitizeUnstructuredData(old, new *unstructured.Unstructured) error {
oldData, err := getUnstructuredData(old)
if err != nil {
return fmt.Errorf("unable to get data from old object: %w", err)
}

newData, err := getUnstructuredData(new)
if err != nil {
return fmt.Errorf("unable to get data from new object: %w", err)
}

for k, _ := range oldData {
if _, ok := newData[k]; ok {
if oldData[k] != newData[k] {
oldData[k] = sanitizeMaskBefore
newData[k] = sanitizeMaskAfter
continue
}
newData[k] = sanitizeMaskDefault
}
oldData[k] = sanitizeMaskDefault
}
for k, _ := range newData {
if _, ok := oldData[k]; !ok {
newData[k] = sanitizeMaskDefault
}
}

if old != nil && oldData != nil {
if err = unstructured.SetNestedMap(old.Object, oldData, "data"); err != nil {
return fmt.Errorf("masking data in old object failed: %w", err)
}
}

if new != nil && newData != nil {
if err = unstructured.SetNestedMap(new.Object, newData, "data"); err != nil {
return fmt.Errorf("masking data in new object failed: %w", err)
}
}
return nil
}

// getUnstructuredData returns the data map from an Unstructured. If the given
// object is nil or does not contain a data map, nil is returned.
func getUnstructuredData(u *unstructured.Unstructured) (map[string]interface{}, error) {
if u == nil {
return nil, nil
}
data, found, err := unstructured.NestedMap(u.UnstructuredContent(), "data")
if err != nil {
return nil, err
}
if !found {
return nil, nil
}
return data, nil
}
Loading

0 comments on commit 2fa04c5

Please sign in to comment.