/*
Copyright 2023 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package jsondiff
import (
"strings"
"github.com/wI2L/jsondiff"
)
// Mask strings substituted for Secret values in a patch. The real value is
// overwritten, so it cannot be recovered from the masked patch.
const (
// sensitiveMaskDefault is used for a value that is not reported as modified,
// for example one that is only added or only removed.
sensitiveMaskDefault = "***"
// sensitiveMaskBefore is used for the old side of a modified value.
sensitiveMaskBefore = "*** (before)"
// sensitiveMaskAfter is used for the new side of a modified value.
sensitiveMaskAfter = "*** (after)"
)
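// MaskSecretPatchData masks the data and stringData fields of a Secret object
// in the given JSON patch. The patch is modified in place and also returned.
//
// For an operation on a single key ("/data/<key>" or "/stringData/<key>") each
// non-nil side is replaced with the default mask when only one side is set
// (add or remove), or with the before/after masks when both are set (modify).
// For an operation on the whole "/data" or "/stringData" field the per-key
// masking is delegated to maskMap; a side that is set but is not a JSON object
// is replaced as a whole, so it cannot pass through unmasked.
//
// Only these paths are inspected. Operations at any other path, including the
// document root, are returned unchanged, so callers must not rely on this
// function to redact Secret content carried elsewhere in the patch.
func MaskSecretPatchData(patch jsondiff.Patch) jsondiff.Patch {
	for i := range patch {
		op := &patch[i]

		// Both sides set means the field was modified; otherwise it was
		// added or removed and the neutral mask is enough.
		oldMask, newMask := sensitiveMaskDefault, sensitiveMaskDefault
		if op.OldValue != nil && op.Value != nil {
			oldMask, newMask = sensitiveMaskBefore, sensitiveMaskAfter
		}

		switch {
		case op.Path == "/data" || op.Path == "/stringData":
			maskMap(op.OldValue, op.Value)
			// Fail closed: maskMap only rewrites JSON objects, so any other
			// non-nil value (string, array, number, ...) found here would
			// otherwise be returned verbatim.
			if _, isObject := op.OldValue.(map[string]interface{}); !isObject && op.OldValue != nil {
				op.OldValue = oldMask
			}
			if _, isObject := op.Value.(map[string]interface{}); !isObject && op.Value != nil {
				op.Value = newMask
			}
		case strings.HasPrefix(op.Path, "/data/") || strings.HasPrefix(op.Path, "/stringData/"):
			// Keep nil sides nil so add/remove operations keep their shape.
			if op.OldValue != nil {
				op.OldValue = oldMask
			}
			if op.Value != nil {
				op.Value = newMask
			}
		}
	}
	return patch
}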
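// maskMap masks, in place, every value of the two JSON objects given as the
// old (from) and new (to) side of a patch operation. An argument that is nil
// or not a map[string]interface{} is treated as an empty object and is left
// untouched.
//
// A key present on one side only, or present on both sides with the same
// value, gets the default mask on every side that holds it. A key whose value
// differs between the two sides gets the before mask in from and the after
// mask in to.
func maskMap(from interface{}, to interface{}) {
	fromMap, fromIsMap := from.(map[string]interface{})
	if !fromIsMap || fromMap == nil {
		fromMap = make(map[string]interface{})
	}
	toMap, toIsMap := to.(map[string]interface{})
	if !toIsMap || toMap == nil {
		toMap = make(map[string]interface{})
	}

	// composite reports whether v is a decoded JSON object or array. Such
	// values cannot be compared with != (the comparison panics at run time
	// when both operands hold one), so they are treated as changed instead.
	composite := func(v interface{}) bool {
		switch v.(type) {
		case map[string]interface{}, []interface{}:
			return true
		}
		return false
	}

	for k, oldVal := range fromMap {
		newVal, inBoth := toMap[k]
		switch {
		case !inBoth:
			// Removed key: only the old side exists.
			fromMap[k] = sensitiveMaskDefault
		case composite(oldVal) || composite(newVal) || oldVal != newVal:
			fromMap[k] = sensitiveMaskBefore
			toMap[k] = sensitiveMaskAfter
		default:
			// Unchanged key: the new side must be masked as well, otherwise
			// the plaintext value survives in toMap.
			fromMap[k] = sensitiveMaskDefault
			toMap[k] = sensitiveMaskDefault
		}
	}

	// Added keys: only the new side exists.
	for k := range toMap {
		if _, ok := fromMap[k]; !ok {
			toMap[k] = sensitiveMaskDefault
		}
	}
}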