Redact the rest values once the previous one matches redact fields

jenting · roboquat · commit cd0247a7ce32 · 2022-09-15T11:37:16.000+02:00
Signed-off-by: JenTing Hsiao &lt;hsiaoairplane@gmail.com&gt;
diff --git a/components/common-go/log/redact.go b/components/common-go/log/redact.go
@@ -7,6 +7,7 @@ package log
 import (
 	"encoding/json"
 	"fmt"
+	"reflect"
 	"strings"
 )
 
@@ -16,6 +17,9 @@ var (
 		"auth_",
 		"password",
 		"token",
+		"key",
+		"jwt",
+		"secret",
 	}
 )
 
@@ -59,6 +63,7 @@ func redactArray(data *[]interface{}) {
 }
 
 func redactObject(data *map[string]interface{}) {
+	var forceRedact bool
 	for k, v := range *data {
 		for _, prohibited := range redactedFields {
 			if strings.Contains(strings.ToLower(fmt.Sprintf("%v", k)), prohibited) {
@@ -67,10 +72,18 @@ func redactObject(data *map[string]interface{}) {
 			}
 		}
 
+		if forceRedact {
+			(*data)[k] = redactedValue
+		}
 		if (*data)[k] != redactedValue {
 			//TODO: refactor
 			//nolint:gosec
+			was := (*data)[k]
 			(*data)[k] = redactValue(&v)
+			if !reflect.DeepEqual(was, (*data)[k]) {
+				// force the rest values to redact
+				forceRedact = true
+			}
 		}
 	}
 }
diff --git a/components/common-go/log/redact_test.go b/components/common-go/log/redact_test.go
@@ -14,8 +14,8 @@ func TestRedactJSON(t *testing.T) {
 		Expectation string
 	}{
 		{
-			`{"auth":{"total":{}},"source":{"file":{"contextPath":".","dockerfilePath":".gitpod.dockerfile","dockerfileVersion":"82561e7f6455e3c0e6ee98be03c4d9aab4d459f8","source":{"git":{"checkoutLocation":"test.repo","cloneTaget":"good-workspace-image","config":{"authPassword":"super-secret-password","authUser":"oauth2","authentication":"BASIC_AUTH"},"remoteUri":"https://github.com/AlexTugarev/test.repo.git","targetMode":"REMOTE_BRANCH"}}}}}`,
-			`{"auth":{"total":{}},"source":{"file":{"contextPath":".","dockerfilePath":".gitpod.dockerfile","dockerfileVersion":"82561e7f6455e3c0e6ee98be03c4d9aab4d459f8","source":{"git":{"checkoutLocation":"test.repo","cloneTaget":"good-workspace-image","config":{"authPassword":"[redacted]","authUser":"oauth2","authentication":"BASIC_AUTH"},"remoteUri":"https://github.com/AlexTugarev/test.repo.git","targetMode":"REMOTE_BRANCH"}}}}}`,
+			`{"auth":{"total":{}},"env":[{"name":"SECRET_PASSWORD","value":"i-am-leaked-in-the-logs-yikes"},{"name":"GITHUB_TOKEN","value":"thisismyGitHubTokenDontStealIt"},{"name":"SUPER_SEKRET","value":"you.cant.see.me.or.can.you"},{"name":"GITHUB_SSH_PRIVATE_KEY","value":"super-secret-private-ssh-key-from-github"},{"name":"SHELL","value":"zsh"},{"name":"GITLAB_TOKEN","value":"abcsecrettokendef"}],"source":{"file":{"contextPath":".","dockerfilePath":".gitpod.dockerfile","dockerfileVersion":"82561e7f6455e3c0e6ee98be03c4d9aab4d459f8","source":{"git":{"checkoutLocation":"test.repo","cloneTaget":"good-workspace-image","config":{"authPassword":"super-secret-password","authUser":"oauth2","authentication":"BASIC_AUTH"},"remoteUri":"https://github.com/AlexTugarev/test.repo.git","targetMode":"REMOTE_BRANCH"}}}}}`,
+			`{"auth":{"total":{}},"env":[{"name":"[redacted]","value":"[redacted]"},{"name":"[redacted]","value":"[redacted]"},{"name":"SUPER_SEKRET","value":"you.cant.see.me.or.can.you"},{"name":"[redacted]","value":"[redacted]"},{"name":"SHELL","value":"zsh"},{"name":"[redacted]","value":"[redacted]"}],"source":{"file":{"contextPath":".","dockerfilePath":".gitpod.dockerfile","dockerfileVersion":"82561e7f6455e3c0e6ee98be03c4d9aab4d459f8","source":{"git":{"checkoutLocation":"test.repo","cloneTaget":"good-workspace-image","config":{"authPassword":"[redacted]","authUser":"oauth2","authentication":"BASIC_AUTH"},"remoteUri":"https://github.com/AlexTugarev/test.repo.git","targetMode":"REMOTE_BRANCH"}}}}}`,
 		},
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ package log`
`7`	`7`	`import (`
`8`	`8`	`"encoding/json"`
`9`	`9`	`"fmt"`
	`10`	`+ "reflect"`
`10`	`11`	`"strings"`
`11`	`12`	`)`
`12`	`13`
`@@ -16,6 +17,9 @@ var (`
`16`	`17`	`"auth_",`
`17`	`18`	`"password",`
`18`	`19`	`"token",`
	`20`	`+ "key",`
	`21`	`+ "jwt",`
	`22`	`+ "secret",`
`19`	`23`	`}`
`20`	`24`	`)`
`21`	`25`
`@@ -59,6 +63,7 @@ func redactArray(data *[]interface{}) {`
`59`	`63`	`}`
`60`	`64`
`61`	`65`	`func redactObject(data *map[string]interface{}) {`
	`66`	`+ var forceRedact bool`
`62`	`67`	`for k, v := range *data {`
`63`	`68`	`for _, prohibited := range redactedFields {`
`64`	`69`	`if strings.Contains(strings.ToLower(fmt.Sprintf("%v", k)), prohibited) {`
`@@ -67,10 +72,18 @@ func redactObject(data *map[string]interface{}) {`
`67`	`72`	`}`
`68`	`73`	`}`
`69`	`74`
	`75`	`+ if forceRedact {`
	`76`	`+ (*data)[k] = redactedValue`
	`77`	`+ }`
`70`	`78`	`if (*data)[k] != redactedValue {`
`71`	`79`	`//TODO: refactor`
`72`	`80`	`//nolint:gosec`
	`81`	`+ was := (*data)[k]`
`73`	`82`	`(*data)[k] = redactValue(&v)`
	`83`	`+ if !reflect.DeepEqual(was, (*data)[k]) {`
	`84`	`+ // force the rest values to redact`
	`85`	`+ forceRedact = true`
	`86`	`+ }`
`74`	`87`	`}`
`75`	`88`	`}`
`76`	`89`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,8 +14,8 @@ func TestRedactJSON(t *testing.T) {`
`14`	`14`	`Expectation string`
`15`	`15`	`}{`
`16`	`16`	`{`
`17`		- `{"auth":{"total":{}},"source":{"file":{"contextPath":".","dockerfilePath":".gitpod.dockerfile","dockerfileVersion":"82561e7f6455e3c0e6ee98be03c4d9aab4d459f8","source":{"git":{"checkoutLocation":"test.repo","cloneTaget":"good-workspace-image","config":{"authPassword":"super-secret-password","authUser":"oauth2","authentication":"BASIC_AUTH"},"remoteUri":"https://github.com/AlexTugarev/test.repo.git","targetMode":"REMOTE_BRANCH"}}}}}`,
`18`		- `{"auth":{"total":{}},"source":{"file":{"contextPath":".","dockerfilePath":".gitpod.dockerfile","dockerfileVersion":"82561e7f6455e3c0e6ee98be03c4d9aab4d459f8","source":{"git":{"checkoutLocation":"test.repo","cloneTaget":"good-workspace-image","config":{"authPassword":"[redacted]","authUser":"oauth2","authentication":"BASIC_AUTH"},"remoteUri":"https://github.com/AlexTugarev/test.repo.git","targetMode":"REMOTE_BRANCH"}}}}}`,
	`17`	+ `{"auth":{"total":{}},"env":[{"name":"SECRET_PASSWORD","value":"i-am-leaked-in-the-logs-yikes"},{"name":"GITHUB_TOKEN","value":"thisismyGitHubTokenDontStealIt"},{"name":"SUPER_SEKRET","value":"you.cant.see.me.or.can.you"},{"name":"GITHUB_SSH_PRIVATE_KEY","value":"super-secret-private-ssh-key-from-github"},{"name":"SHELL","value":"zsh"},{"name":"GITLAB_TOKEN","value":"abcsecrettokendef"}],"source":{"file":{"contextPath":".","dockerfilePath":".gitpod.dockerfile","dockerfileVersion":"82561e7f6455e3c0e6ee98be03c4d9aab4d459f8","source":{"git":{"checkoutLocation":"test.repo","cloneTaget":"good-workspace-image","config":{"authPassword":"super-secret-password","authUser":"oauth2","authentication":"BASIC_AUTH"},"remoteUri":"https://github.com/AlexTugarev/test.repo.git","targetMode":"REMOTE_BRANCH"}}}}}`,
	`18`	+ `{"auth":{"total":{}},"env":[{"name":"[redacted]","value":"[redacted]"},{"name":"[redacted]","value":"[redacted]"},{"name":"SUPER_SEKRET","value":"you.cant.see.me.or.can.you"},{"name":"[redacted]","value":"[redacted]"},{"name":"SHELL","value":"zsh"},{"name":"[redacted]","value":"[redacted]"}],"source":{"file":{"contextPath":".","dockerfilePath":".gitpod.dockerfile","dockerfileVersion":"82561e7f6455e3c0e6ee98be03c4d9aab4d459f8","source":{"git":{"checkoutLocation":"test.repo","cloneTaget":"good-workspace-image","config":{"authPassword":"[redacted]","authUser":"oauth2","authentication":"BASIC_AUTH"},"remoteUri":"https://github.com/AlexTugarev/test.repo.git","targetMode":"REMOTE_BRANCH"}}}}}`,
`19`	`19`	`},`
`20`	`20`	`}`
`21`	`21`