Skip to content

Commit

Permalink
[release-4.9] Bug 2017773: Anonymize identity provider attributes in …
Browse files Browse the repository at this point in the history
…the (#520) (#527)

* Anonymize identity provider attributes in the
authentication.operator.openshift.io definition

* More robust way....
  • Loading branch information
tremes authored Nov 9, 2021
1 parent 5cb1350 commit dd4d72c
Showing 1 changed file with 30 additions and 0 deletions.
30 changes: 30 additions & 0 deletions pkg/gatherers/clusterconfig/operators.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,15 @@ import (
configv1client "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/client-go/discovery"
"k8s.io/client-go/dynamic"
"k8s.io/klog/v2"

"github.com/openshift/insights-operator/pkg/record"
"github.com/openshift/insights-operator/pkg/utils"
"github.com/openshift/insights-operator/pkg/utils/anonymize"
)

const (
Expand Down Expand Up @@ -167,6 +169,7 @@ func collectClusterOperatorResources(ctx context.Context,
if !ok {
klog.Warningf("Can't find spec for cluster operator resource %s", name)
}
anonymizeIdentityProviders(clusterResource.Object)
res = append(res, clusterOperatorResource{Spec: spec, Kind: kind, Name: name, APIVersion: apiVersion})
}
}
Expand Down Expand Up @@ -199,3 +202,30 @@ func getOperatorResourcesVersions(discoveryClient discovery.DiscoveryInterface)
}
return resourceVersionMap, nil
}

// anonymizeIdentityProviders tries to get an array of identity providers defined in OAuth config
// and anonymize potentially sensitive data - e.g LDAP domain, url
func anonymizeIdentityProviders(obj map[string]interface{}) {
ips, err := utils.NestedSliceWrapper(obj, "spec", "observedConfig", "oauthServer", "oauthConfig", "identityProviders")

// most of the clusteroperator resources will not have any identity provider config so silence the error
if err != nil {
return
}
sensittiveProviderAttributes := []string{"url", "bindDN", "hostname", "clientID", "hostedDomain", "issuer", "domainName"}
for _, ip := range ips {
ip, ok := ip.(map[string]interface{})
if !ok {
klog.Warningln("Failed to convert %v to map[string]interface{}", ip)
continue
}
for _, sensitiveVal := range sensittiveProviderAttributes {
// check if the sensitive value is in the provider definition under "provider" attribute
// and overwrite only if exists
if val, err := utils.NestedStringWrapper(ip, "provider", sensitiveVal); err == nil {
_ = unstructured.SetNestedField(ip, anonymize.String(val), "provider", sensitiveVal)
}
}
}
_ = unstructured.SetNestedSlice(obj, ips, "spec", "observedConfig", "oauthServer", "oauthConfig", "identityProviders")
}

0 comments on commit dd4d72c

Please sign in to comment.