jsafrane
diff --git a/‎Gopkg.lock‎
Lines changed: 154 additions & 0 deletions b/‎Gopkg.lock‎
Lines changed: 154 additions & 0 deletions
diff --git a/‎Gopkg.toml‎
Lines changed: 6 additions & 0 deletions b/‎Gopkg.toml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎protosanitizer/protosanitizer.go‎
Lines changed: 135 additions & 0 deletions b/‎protosanitizer/protosanitizer.go‎
Lines changed: 135 additions & 0 deletions
diff --git a/‎protosanitizer/protosanitizer_test.go‎
Lines changed: 81 additions & 0 deletions b/‎protosanitizer/protosanitizer_test.go‎
Lines changed: 81 additions & 0 deletions
@@ -0,0 +1,6 @@
+# Refer to https://golang.github.io/dep/docs/Gopkg.toml.html
+# for detailed Gopkg.toml documentation.
+
+[prune]
+  go-tests = true
+  unused-packages = true
@@ -0,0 +1,135 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package protosanitizer supports logging of gRPC messages without
+// accidentally revealing sensitive fields.
+package protosanitizer
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"strings"
+
+	"github.com/container-storage-interface/spec/lib/go/csi"
+	"github.com/golang/protobuf/descriptor"
+	"github.com/golang/protobuf/proto"
+	protobuf "github.com/golang/protobuf/protoc-gen-go/descriptor"
+)
+
+// StripSecrets returns a wrapper around the original CSI gRPC message
+// which has a Stringer implementation that serializes the message
+// as one-line JSON, but without including secret information.
+// Instead of the secret value(s), the string "***stripped***" is
+// included in the result.
+//
+// StripSecrets itself is fast and therefore it is cheap to pass the
+// result to logging functions which may or may not end up serializing
+// the parameter depending on the current log level.
+func StripSecrets(msg interface{}) fmt.Stringer {
+	return &stripSecrets{msg}
+}
+
+type stripSecrets struct {
+	msg interface{}
+}
+
+func (s *stripSecrets) String() string {
+	// First convert to a generic representation. That's less efficient
+	// than using reflect directly, but easier to work with.
+	var parsed interface{}
+	b, err := json.Marshal(s.msg)
+	if err != nil {
+		return fmt.Sprintf("<<json.Marshal %T: %s>>", s.msg, err)
+	}
+	if err := json.Unmarshal(b, &parsed); err != nil {
+		return fmt.Sprintf("<<json.Unmarshal %T: %s>>", s.msg, err)
+	}
+
+	// Now remove secrets from the generic representation of the message.
+	strip(parsed, s.msg)
+
+	// Re-encoded the stripped representation and return that.
+	b, err = json.Marshal(parsed)
+	if err != nil {
+		return fmt.Sprintf("<<json.Marshal %T: %s>>", s.msg, err)
+	}
+	return string(b)
+}
+
+func strip(parsed interface{}, msg interface{}) {
+	protobufMsg, ok := msg.(descriptor.Message)
+	if !ok {
+		// Not a protobuf message, so we are done.
+		return
+	}
+
+	// The corresponding map in the parsed JSON representation.
+	parsedFields, ok := parsed.(map[string]interface{})
+	if !ok {
+		// Probably nil.
+		return
+	}
+
+	// Walk through all fields and replace those with ***stripped*** that
+	// are marked as secret. This relies on protobuf adding "json:" tags
+	// on each field where the name matches the field name in the protobuf
+	// spec (like volume_capabilities). The field.GetJsonName() method returns
+	// a different name (volumeCapabilities) which we don't use.
+	_, md := descriptor.ForMessage(protobufMsg)
+	fields := md.GetField()
+	if fields != nil {
+		for _, field := range fields {
+			ex, err := proto.GetExtension(field.Options, csi.E_CsiSecret)
+			if err == nil && ex != nil && *ex.(*bool) {
+				parsedFields[field.GetName()] = "***stripped***"
+			} else if field.GetType() == protobuf.FieldDescriptorProto_TYPE_MESSAGE {
+				// When we get here,
+				// the type name is something like ".csi.v1.CapacityRange" (leading dot!)
+				// and looking up "csi.v1.CapacityRange"
+				// returns the type of a pointer to a pointer
+				// to CapacityRange. We need a pointer to such
+				// a value for recursive stripping.
+				typeName := field.GetTypeName()
+				if strings.HasPrefix(typeName, ".") {
+					typeName = typeName[1:]
+				}
+				t := proto.MessageType(typeName)
+				if t == nil || t.Kind() != reflect.Ptr {
+					// Shouldn't happen, but
+					// better check anyway instead
+					// of panicking.
+					continue
+				}
+				v := reflect.New(t.Elem())
+
+				// Recursively strip the message(s) that
+				// the field contains.
+				i := v.Interface()
+				entry := parsedFields[field.GetName()]
+				if slice, ok := entry.([]interface{}); ok {
+					// Array of values, like VolumeCapabilities in CreateVolumeRequest.
+					for _, entry := range slice {
+						strip(entry, i)
+					}
+				} else {
+					// Single value.
+					strip(entry, i)
+				}
+			}
+		}
+	}
+}
@@ -0,0 +1,81 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package protosanitizer
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/container-storage-interface/spec/lib/go/csi"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestStripSecrets(t *testing.T) {
+	secretName := "secret-abc"
+	secretValue := "123"
+	createVolume := &csi.CreateVolumeRequest{
+		Name: "foo",
+		VolumeCapabilities: []*csi.VolumeCapability{
+			&csi.VolumeCapability{
+				AccessType: &csi.VolumeCapability_Mount{
+					Mount: &csi.VolumeCapability_MountVolume{
+						FsType: "ext4",
+					},
+				},
+			},
+		},
+		CapacityRange: &csi.CapacityRange{
+			RequiredBytes: 1024,
+		},
+		Secrets: map[string]string{
+			secretName:   secretValue,
+			"secret-xyz": "987",
+		},
+	}
+
+	cases := []struct {
+		original, stripped interface{}
+	}{
+		{nil, "null"},
+		{1, "1"},
+		{"hello world", `"hello world"`},
+		{true, "true"},
+		{false, "false"},
+		{createVolume, `{"capacity_range":{"required_bytes":1024},"name":"foo","secrets":"***stripped***","volume_capabilities":[{"AccessType":{"Mount":{"fs_type":"ext4"}}}]}`},
+
+		// There is currently no test case that can verify
+		// that recursive stripping works, because there is no
+		// message where that is necessary. The code
+		// nevertheless implements it and it has been verified
+		// manually that it recurses properly for single and
+		// repeated values. One-of might require further work.
+	}
+
+	for _, c := range cases {
+		before := fmt.Sprint(c.original)
+		stripped := StripSecrets(c.original)
+		if assert.Equal(t, c.stripped, fmt.Sprintf("%s", stripped), "unexpected result for fmt s of %s", c.original) {
+			assert.Equal(t, c.stripped, fmt.Sprintf("%v", stripped), "unexpected result for fmt v of %s", c.original)
+		}
+		assert.Equal(t, before, fmt.Sprint(c.original), "original value modified")
+	}
+
+	// The secret is hidden because StripSecrets is a struct referencing it.
+	dump := fmt.Sprintf("%#v", StripSecrets(createVolume))
+	assert.NotContains(t, dump, secretName)
+	assert.NotContains(t, dump, secretValue)
+}