From 5d8e89b08ab5ce78dc00645593b93abaf6deaf12 Mon Sep 17 00:00:00 2001 From: Pavel Busko Date: Tue, 18 Apr 2023 09:10:38 +0200 Subject: [PATCH] feat(cnbBuild): use SHA256 hashed values for redacted telemetry properties (#4328) * feat(cnbBuild): use SHA256 hashed values for redacted telemetry properties * update unit tests --- cmd/cnbBuild_test.go | 5 ++--- pkg/cnbutils/privacy/privacy.go | 8 +++++++- pkg/cnbutils/privacy/privacy_test.go | 13 +++++++++---- 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/cmd/cnbBuild_test.go b/cmd/cnbBuild_test.go index cff119578..e24de5ea4 100644 --- a/cmd/cnbBuild_test.go +++ b/cmd/cnbBuild_test.go @@ -518,8 +518,7 @@ uri = "some-buildpack"`)) assert.Contains(t, customData.Data[0].Buildpacks.FromConfig, "paketobuildpacks/java") assert.NotContains(t, customData.Data[0].Buildpacks.FromProjectDescriptor, "paketobuildpacks/java") - assert.Contains(t, customData.Data[0].Buildpacks.FromProjectDescriptor, "") - assert.NotContains(t, customData.Data[0].Buildpacks.Overall, "") + assert.Contains(t, customData.Data[0].Buildpacks.FromProjectDescriptor, "bcc73ab1f0a0d3fb0d1bf2b6df5510a25ccd14a761dbc0f5044ea24ead30452b") assert.Contains(t, customData.Data[0].Buildpacks.Overall, "paketobuildpacks/java") assert.True(t, customData.Data[0].ProjectDescriptor.Used) @@ -639,7 +638,7 @@ uri = "some-buildpack" assert.Equal(t, "11", customData.Data[0].BuildEnv.KeyValues["BP_NODE_VERSION"]) assert.NotContains(t, customData.Data[0].BuildEnv.KeyValues, "PROJECT_KEY") - assert.Contains(t, customData.Data[0].Buildpacks.Overall, "") + assert.Contains(t, customData.Data[0].Buildpacks.Overall, "bcc73ab1f0a0d3fb0d1bf2b6df5510a25ccd14a761dbc0f5044ea24ead30452b") }) t.Run("success case (multiple images configured)", func(t *testing.T) { diff --git a/pkg/cnbutils/privacy/privacy.go b/pkg/cnbutils/privacy/privacy.go index 98f409389..d6ae656d5 100644 --- a/pkg/cnbutils/privacy/privacy.go +++ b/pkg/cnbutils/privacy/privacy.go @@ -1,6 +1,8 @@ package privacy import ( + "crypto/sha256" + "fmt" "strings" containerName "github.com/google/go-containerregistry/pkg/name" @@ -37,6 +39,8 @@ func FilterBuilder(builder string) string { // FilterBuildpacks filters a list of buildpacks to redact Personally Identifiable Information (PII) like the hostname of a personal registry func FilterBuildpacks(buildpacks []string) []string { result := make([]string, 0, len(buildpacks)) + hash := sha256.New() + for _, buildpack := range buildpacks { ref, err := containerName.ParseReference(strings.ToLower(buildpack)) if err != nil { @@ -58,7 +62,9 @@ func FilterBuildpacks(buildpacks []string) []string { if allowed { result = append(result, buildpack) } else { - result = append(result, "") + hash.Write([]byte(buildpack)) + result = append(result, fmt.Sprintf("%x", hash.Sum(nil))) + hash.Reset() } } return result diff --git a/pkg/cnbutils/privacy/privacy_test.go b/pkg/cnbutils/privacy/privacy_test.go index 65107cf1c..07d137072 100644 --- a/pkg/cnbutils/privacy/privacy_test.go +++ b/pkg/cnbutils/privacy/privacy_test.go @@ -57,6 +57,7 @@ func TestCnbPrivacy_FilterBuildpacks(t *testing.T) { t.Run("filters others", func(t *testing.T) { images := []string{ "test/nodejs:v1", + "test/nodejs:v1", // SHA should be the same for multiple occurences "my-mirror.de/paketobuildpacks/nodejs:v1", "gcr.io/my-project/paketo-buildpacks/nodejs:v1", } @@ -64,9 +65,13 @@ func TestCnbPrivacy_FilterBuildpacks(t *testing.T) { filtered := privacy.FilterBuildpacks(images) require.Len(t, filtered, len(images)) - for _, image := range filtered { - assert.Equal(t, "", image) - } + + assert.ElementsMatch(t, filtered, []string{ + "6ea013d746199ccc0e48e0b4984a6d9357105b82f936ecf18d15786805ac892f", + "6ea013d746199ccc0e48e0b4984a6d9357105b82f936ecf18d15786805ac892f", + "66131ef922cf26b1500e54a74827f051b43857bcf8d0596593c182548f7d4bd6", + "4fd8f0a950aacd7e428c79fce6f51bb1fbf0ab15caf4aca7accc18609acd79b1", + }) }) t.Run("fails gracefully on parse error", func(t *testing.T) { @@ -133,7 +138,7 @@ func TestCnbPrivacy_FilterBuilder(t *testing.T) { filteredBuilder := privacy.FilterBuilder(builder) - assert.Equal(t, "", filteredBuilder) + assert.Equal(t, "70278d9360533fa4978e5c50aa79bc35a8c0167a353e00521202feeaa09a305b", filteredBuilder) }) }