[release-4.8] Bug 2021572: Anonymize identity provider attributes in …

…the (openshift#520) (openshift#527)

* Anonymize identity provider attributes in the
authentication.operator.openshift.io definition

* More robust way....

pkg/gatherers/clusterconfig/operators.go

@@ -9,13 +9,15 @@ import (
 	configv1client "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/klog/v2"
 
 	"github.com/openshift/insights-operator/pkg/record"
 	"github.com/openshift/insights-operator/pkg/utils"
+	"github.com/openshift/insights-operator/pkg/utils/anonymize"
 )
 
 const (
@@ -162,6 +164,7 @@ func collectClusterOperatorResources(ctx context.Context,
 			if !ok {
 				klog.Warningf("Can't find spec for cluster operator resource %s", name)
 			}
+			anonymizeIdentityProviders(clusterResource.Object)
 			res = append(res, clusterOperatorResource{Spec: spec, Kind: kind, Name: name, APIVersion: apiVersion})
 		}
 	}
@@ -194,3 +197,30 @@ func getOperatorResourcesVersions(discoveryClient discovery.DiscoveryInterface)
 	}
 	return resourceVersionMap, nil
 }
+
+// anonymizeIdentityProviders tries to get an array of identity providers defined in OAuth config
+// and anonymize potentially sensitive data - e.g LDAP domain, url
+func anonymizeIdentityProviders(obj map[string]interface{}) {
+	ips, err := utils.NestedSliceWrapper(obj, "spec", "observedConfig", "oauthServer", "oauthConfig", "identityProviders")
+
+	// most of the clusteroperator resources will not have any identity provider config so silence the error
+	if err != nil {
+		return
+	}
+	sensittiveProviderAttributes := []string{"url", "bindDN", "hostname", "clientID", "hostedDomain", "issuer", "domainName"}
+	for _, ip := range ips {
+		ip, ok := ip.(map[string]interface{})
+		if !ok {
+			klog.Warningln("Failed to convert %v to map[string]interface{}", ip)
+			continue
+		}
+		for _, sensitiveVal := range sensittiveProviderAttributes {
+			// check if the sensitive value is in the provider definition under "provider" attribute
+			// and overwrite only if exists
+			if val, err := utils.NestedStringWrapper(ip, "provider", sensitiveVal); err == nil {
+				_ = unstructured.SetNestedField(ip, anonymize.String(val), "provider", sensitiveVal)
+			}
+		}
+	}
+	_ = unstructured.SetNestedSlice(obj, ips, "spec", "observedConfig", "oauthServer", "oauthConfig", "identityProviders")
+}

pkg/utils/unstructured_wrappers.go

@@ -0,0 +1,53 @@
+package utils
+
+import (
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+func NestedStringWrapper(obj map[string]interface{}, fields ...string) (string, error) {
+	s, ok, err := unstructured.NestedString(obj, fields...)
+	if !ok {
+		return "", fmt.Errorf("can't find %s", formatSlice(fields...))
+	}
+	if err != nil {
+		return "", err
+	}
+
+	return s, nil
+}
+
+func NestedSliceWrapper(obj map[string]interface{}, fields ...string) ([]interface{}, error) {
+	s, ok, err := unstructured.NestedSlice(obj, fields...)
+	if !ok {
+		return nil, fmt.Errorf("can't find %s", formatSlice(fields...))
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return s, nil
+}
+
+func NestedInt64Wrapper(obj map[string]interface{}, fields ...string) (int64, error) {
+	i, ok, err := unstructured.NestedInt64(obj, fields...)
+	if !ok {
+		return 0, fmt.Errorf("can't find %s", formatSlice(fields...))
+	}
+	if err != nil {
+		return 0, err
+	}
+
+	return i, nil
+}
+
+func formatSlice(s ...string) string {
+	var str string
+	for _, f := range s {
+		str += fmt.Sprintf("%s.", f)
+	}
+	str = strings.TrimRight(str, ".")
+	return str
+}