github.com/jaylevin/jenkins-library@v1.230.4/pkg/cnbutils/privacy/privacy.go (about)

     1  package privacy
     2  
     3  import (
     4  	"strings"
     5  
     6  	containerName "github.com/google/go-containerregistry/pkg/name"
     7  )
     8  
// allowedBuildpackSources is the allow-list of public buildpack sources whose
// image references FilterBuildpacks reports without redaction.
//
// A reference matches an entry when its registry equals registry exactly and
// its repository starts with repositoryPrefix. Every prefix ends in "/", so it
// only matches a complete leading path segment: "paketo-buildpacks/" does not
// match a look-alike such as "paketo-buildpacks-fork/...". Keep the trailing
// slash when adding entries.
var allowedBuildpackSources = []struct {
	registry         string
	repositoryPrefix string
}{
	// Paketo
	{registry: "gcr.io", repositoryPrefix: "paketo-buildpacks/"},
	{registry: "index.docker.io", repositoryPrefix: "paketobuildpacks/"},

	// Google Buildpacks
	{registry: "gcr.io", repositoryPrefix: "buildpacks/"},

	// Heroku
	{registry: "public.ecr.aws", repositoryPrefix: "heroku-buildpacks/"},
}
    31  
// FilterBuilder applies the FilterBuildpacks redaction rules to a single
// builder image reference and returns the filtered value.
//
// FilterBuildpacks emits exactly one output element per input element, so
// indexing the first element of the one-element result cannot go out of range.
func FilterBuilder(builder string) string {
	return FilterBuildpacks([]string{builder})[0]
}
    36  
// FilterBuildpacks filters a list of buildpacks to redact Personally
// Identifiable Information (PII) like the hostname of a personal registry.
//
// The result has one element per input element, in the same order:
//   - the original string, when the reference matches allowedBuildpackSources;
//   - "<redacted>", when it parses but matches no allowed source;
//   - "<error>", when it cannot be parsed as an image reference.
//
// The filter fails closed: anything not positively matched is replaced, so an
// unparsable or unknown reference never reaches the output.
func FilterBuildpacks(buildpacks []string) []string {
	filtered := make([]string, 0, len(buildpacks))
	for _, original := range buildpacks {
		// Matching runs on a lower-cased copy; the untouched input is what
		// gets emitted when the reference is allowed.
		parsed, err := containerName.ParseReference(strings.ToLower(original))
		if err != nil {
			filtered = append(filtered, "<error>")
			continue
		}

		repo := parsed.Context()
		host, path := repo.Registry.Name(), repo.RepositoryStr()

		// Default to redaction and only reveal the value on an exact
		// registry match combined with an allowed repository prefix.
		entry := "<redacted>"
		for _, src := range allowedBuildpackSources {
			if host != src.registry || !strings.HasPrefix(path, src.repositoryPrefix) {
				continue
			}
			entry = original
			break
		}
		filtered = append(filtered, entry)
	}
	return filtered
}
    66  
// allowedEnvKeys is the allow-list of environment variable names that FilterEnv
// keeps. Only the keys are consulted; the nil values are placeholders. Any
// name not listed here is dropped, so a new variable stays hidden until it is
// added explicitly.
var allowedEnvKeys = map[string]interface{}{
	// Java
	// https://github.com/paketo-buildpacks/sap-machine and https://github.com/paketo-buildpacks/bellsoft-liberica
	"BP_JVM_TYPE":    nil,
	"BP_JVM_VERSION": nil,
	// https://github.com/paketo-buildpacks/apache-tomcat
	"BP_TOMCAT_VERSION": nil,

	// Node
	// https://github.com/paketo-buildpacks/node-engine
	"BP_NODE_VERSION": nil,
}
    79  
// FilterEnv filters a map of environment variables to redact Personally
// Identifiable Information (PII).
//
// It returns a new map holding only the entries whose key appears in
// allowedEnvKeys; every other entry is omitted rather than masked. The input
// map is not modified. Values of allowed keys are copied as-is and are not
// inspected, so the allow-list should only name variables whose values are
// safe to report.
func FilterEnv(in map[string]interface{}) map[string]interface{} {
	filtered := make(map[string]interface{})
	for name, val := range in {
		if _, ok := allowedEnvKeys[name]; !ok {
			continue
		}
		filtered[name] = val
	}
	return filtered
}
    90  }