6497b7520d
tag v0.165.0 Tagger: imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> Changes with 0.165.0 ---------------- * distro: move rhel9 into a generic distro (osbuild/images#1645) * Author: Michael Vogt, Reviewers: Achilleas Koutsou, Simon de Vlieger * Revert "distro: drop `ImageType.BasePartitionTable()`" (osbuild/images#1691) * Author: Michael Vogt, Reviewers: Simon de Vlieger, Tomáš Hozza * Update dependencies 2025-07-20 (osbuild/images#1675) * Author: SchutzBot, Reviewers: Achilleas Koutsou, Simon de Vlieger * defs: add missing `bootstrap_containers` (osbuild/images#1679) * Author: Michael Vogt, Reviewers: Simon de Vlieger, Tomáš Hozza * disk: handle adding `PReP` partition on PPC64/s390x (HMS-8884) (osbuild/images#1681) * Author: Michael Vogt, Reviewers: Achilleas Koutsou, Simon de Vlieger * distro: bring per-distro checkOptions back (osbuild/images#1678) * Author: Michael Vogt, Reviewers: Simon de Vlieger, Tomáš Hozza * distro: cleanups in the pkg/distro/generic area (osbuild/images#1686) * Author: Michael Vogt, Reviewers: Achilleas Koutsou, Simon de Vlieger * distro: move rhel8 into a generic distro (osbuild/images#1643) * Author: Michael Vogt, Reviewers: Nobody * distro: small followups for PR#1682 (osbuild/images#1689) * Author: Michael Vogt, Reviewers: Achilleas Koutsou, Simon de Vlieger, Tomáš Hozza * distro: unify transform/match into a single concept (osbuild/images#1682) * Author: Michael Vogt, Reviewers: Achilleas Koutsou, Tomáš Hozza * distros: de-duplicate runner build packages for centos10 (osbuild/images#1680) * Author: Michael Vogt, Reviewers: Simon de Vlieger, Tomáš Hozza * github: disable Go dep updates through dependabot (osbuild/images#1683) * Author: Achilleas Koutsou, Reviewers: Simon de Vlieger, Tomáš Hozza * repos: include almalinux 9.6 (osbuild/images#1677) * Author: Simon de Vlieger, Reviewers: Lukáš Zapletal, Tomáš Hozza * rhel9: wsl distribution config (osbuild/images#1694) * Author: Simon de Vlieger, Reviewers: Michael Vogt, Sanne Raymaekers * test/manifests/all-customizations: don't embed local file via URI (osbuild/images#1684) * Author: Tomáš Hozza, Reviewers: Achilleas Koutsou, Brian C. Lane — Somewhere on the Internet, 2025-07-28 --- tag v0.166.0 Tagger: imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> Changes with 0.166.0 ---------------- * customizations/subscription: conditionally enable semanage call (HMS-8866) (osbuild/images#1673) * Author: Sanne Raymaekers, Reviewers: Achilleas Koutsou, Michael Vogt * distro/rhel-10: versionlock shim-x64 in the azure-cvm image (osbuild/images#1697) * Author: Achilleas Koutsou, Reviewers: Michael Vogt, Simon de Vlieger * manifestmock: move container/pkg/commit mocks into helper (osbuild/images#1700) * Author: Michael Vogt, Reviewers: Achilleas Koutsou, Simon de Vlieger * rhel9: `vagrant-libvirt`, `vagrant-virtualbox` (osbuild/images#1693) * Author: Simon de Vlieger, Reviewers: Michael Vogt, Sanne Raymaekers * rhel{9,10}: centos WSL refinement (HMS-8922) (osbuild/images#1690) * Author: Simon de Vlieger, Reviewers: Ondřej Budai, Sanne Raymaekers, Tomáš Hozza — Somewhere on the Internet, 2025-07-29 --- tag v0.167.0 Tagger: imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> Changes with 0.167.0 ---------------- * RHEL/Azure: drop obsolete WAAgentConfig keys [RHEL-93894] and remove loglevel kernel option [RHEL-102372] (osbuild/images#1611) * Author: Achilleas Koutsou, Reviewers: Michael Vogt, Ondřej Budai, Sanne Raymaekers * Update dependencies 2025-07-27 (osbuild/images#1699) * Author: SchutzBot, Reviewers: Achilleas Koutsou, Simon de Vlieger * distro/rhel9: set default_kernel to kernel-uki-virt (osbuild/images#1704) * Author: Achilleas Koutsou, Reviewers: Ondřej Budai, Simon de Vlieger * distro: drop legacy loaders and update tests (osbuild/images#1687) * Author: Michael Vogt, Reviewers: Achilleas Koutsou, Tomáš Hozza * distro: fix issues with yaml distro definitions and enable yaml checks (osbuild/images#1702) * Author: Achilleas Koutsou, Reviewers: Michael Vogt, Ondřej Budai, Simon de Vlieger — Somewhere on the Internet, 2025-07-30 --- tag v0.168.0 Tagger: imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> Changes with 0.168.0 ---------------- * distro: fix bug in variable substitution for static distros (osbuild/images#1710) * Author: Michael Vogt, Reviewers: Achilleas Koutsou, Simon de Vlieger * rhel{9,10}: azure for non-RHEL (HMS-8949) (osbuild/images#1707) * Author: Simon de Vlieger, Reviewers: Achilleas Koutsou, Michael Vogt — Somewhere on the Internet, 2025-07-30 ---
175 lines
4.2 KiB
Go
175 lines
4.2 KiB
Go
package log
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"errors"
|
|
"sync/atomic"
|
|
|
|
hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
|
|
)
|
|
|
|
// This package scrubs objects of potentially sensitive information to pass to logging
|
|
|
|
type genMap = map[string]interface{}
|
|
type scrubberFunc func(genMap) error
|
|
|
|
const _scrubbedReplacement = "<scrubbed>"
|
|
|
|
var (
|
|
ErrUnknownType = errors.New("encoded object is of unknown type")
|
|
|
|
// case sensitive keywords, so "env" is not a substring on "Environment"
|
|
_scrubKeywords = [][]byte{[]byte("env"), []byte("Environment")}
|
|
|
|
_scrub atomic.Bool
|
|
)
|
|
|
|
// SetScrubbing enables scrubbing
|
|
func SetScrubbing(enable bool) { _scrub.Store(enable) }
|
|
|
|
// IsScrubbingEnabled checks if scrubbing is enabled
|
|
func IsScrubbingEnabled() bool { return _scrub.Load() }
|
|
|
|
// ScrubProcessParameters scrubs HCS Create Process requests with config parameters of
|
|
// type internal/hcs/schema2.ScrubProcessParameters (aka hcsshema.ScrubProcessParameters)
|
|
func ScrubProcessParameters(s string) (string, error) {
|
|
// todo: deal with v1 ProcessConfig
|
|
b := []byte(s)
|
|
if !IsScrubbingEnabled() || !hasKeywords(b) || !json.Valid(b) {
|
|
return s, nil
|
|
}
|
|
|
|
pp := hcsschema.ProcessParameters{}
|
|
if err := json.Unmarshal(b, &pp); err != nil {
|
|
return "", err
|
|
}
|
|
pp.Environment = map[string]string{_scrubbedReplacement: _scrubbedReplacement}
|
|
|
|
b, err := encode(pp)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return string(b), nil
|
|
}
|
|
|
|
// ScrubBridgeCreate scrubs requests sent over the bridge of type
|
|
// internal/gcs/protocol.containerCreate wrapping an internal/hcsoci.linuxHostedSystem
|
|
func ScrubBridgeCreate(b []byte) ([]byte, error) {
|
|
return scrubBytes(b, scrubBridgeCreate)
|
|
}
|
|
|
|
func scrubBridgeCreate(m genMap) error {
|
|
if !isRequestBase(m) {
|
|
return ErrUnknownType
|
|
}
|
|
if ss, ok := m["ContainerConfig"]; ok {
|
|
// ContainerConfig is a json encoded struct passed as a regular string field
|
|
s, ok := ss.(string)
|
|
if !ok {
|
|
return ErrUnknownType
|
|
}
|
|
b, err := scrubBytes([]byte(s), scrubLinuxHostedSystem)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
m["ContainerConfig"] = string(b)
|
|
return nil
|
|
}
|
|
return ErrUnknownType
|
|
}
|
|
|
|
func scrubLinuxHostedSystem(m genMap) error {
|
|
if m, ok := index(m, "OciSpecification"); ok { //nolint:govet // shadow
|
|
if _, ok := m["annotations"]; ok {
|
|
m["annotations"] = map[string]string{_scrubbedReplacement: _scrubbedReplacement}
|
|
}
|
|
if m, ok := index(m, "process"); ok { //nolint:govet // shadow
|
|
if _, ok := m["env"]; ok {
|
|
m["env"] = []string{_scrubbedReplacement}
|
|
return nil
|
|
}
|
|
}
|
|
}
|
|
return ErrUnknownType
|
|
}
|
|
|
|
// ScrubBridgeExecProcess scrubs requests sent over the bridge of type
|
|
// internal/gcs/protocol.containerExecuteProcess
|
|
func ScrubBridgeExecProcess(b []byte) ([]byte, error) {
|
|
return scrubBytes(b, scrubExecuteProcess)
|
|
}
|
|
|
|
func scrubExecuteProcess(m genMap) error {
|
|
if !isRequestBase(m) {
|
|
return ErrUnknownType
|
|
}
|
|
if m, ok := index(m, "Settings"); ok { //nolint:govet // shadow
|
|
if ss, ok := m["ProcessParameters"]; ok {
|
|
// ProcessParameters is a json encoded struct passed as a regular sting field
|
|
s, ok := ss.(string)
|
|
if !ok {
|
|
return ErrUnknownType
|
|
}
|
|
|
|
s, err := ScrubProcessParameters(s)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
m["ProcessParameters"] = s
|
|
return nil
|
|
}
|
|
}
|
|
return ErrUnknownType
|
|
}
|
|
|
|
func scrubBytes(b []byte, scrub scrubberFunc) ([]byte, error) {
|
|
if !IsScrubbingEnabled() || !hasKeywords(b) || !json.Valid(b) {
|
|
return b, nil
|
|
}
|
|
|
|
m := make(genMap)
|
|
if err := json.Unmarshal(b, &m); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// could use regexp, but if the env strings contain braces, the regexp fails
|
|
// parsing into individual structs would require access to private structs
|
|
if err := scrub(m); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
b, err := encode(m)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return b, nil
|
|
}
|
|
|
|
func isRequestBase(m genMap) bool {
|
|
// neither of these are (currently) `omitempty`
|
|
_, a := m["ActivityId"]
|
|
_, c := m["ContainerId"]
|
|
return a && c
|
|
}
|
|
|
|
// combination `m, ok := m[s]` and `m, ok := m.(genMap)`
|
|
func index(m genMap, s string) (genMap, bool) {
|
|
if m, ok := m[s]; ok {
|
|
mm, ok := m.(genMap)
|
|
return mm, ok
|
|
}
|
|
|
|
return m, false
|
|
}
|
|
|
|
func hasKeywords(b []byte) bool {
|
|
for _, bb := range _scrubKeywords {
|
|
if bytes.Contains(b, bb) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|