// Source: github.com/ouraigua/jenkins-library@v0.0.0-20231028010029-fbeaf2f3aa9b/pkg/cnbutils/privacy/privacy.go

// Package privacy redacts Personally Identifiable Information (PII) from
// buildpack references and buildpack-related environment variables.
package privacy

import (
	"crypto/sha256"
	"fmt"
	"strings"

	containerName "github.com/google/go-containerregistry/pkg/name"
)

// allowedBuildpackSources is the allow-list of public buildpack locations whose
// references are passed through unredacted. Every repositoryPrefix ends in "/"
// so that the prefix match in isAllowedBuildpackSource only accepts that exact
// top-level namespace and not a longer name that merely starts with the same
// characters.
var allowedBuildpackSources = []struct {
	registry, repositoryPrefix string
}{
	// Paketo
	{
		registry:         "gcr.io",
		repositoryPrefix: "paketo-buildpacks/",
	}, {
		registry:         "index.docker.io",
		repositoryPrefix: "paketobuildpacks/",
	},
	// Google Buildpacks
	{
		registry:         "gcr.io",
		repositoryPrefix: "buildpacks/",
	},
	// Heroku
	{
		registry:         "public.ecr.aws",
		repositoryPrefix: "heroku-buildpacks/",
	},
}

// FilterBuilder applies the same redaction as FilterBuildpacks to a single
// builder reference and returns the one resulting entry.
func FilterBuilder(builder string) string {
	// FilterBuildpacks emits exactly one output element per input element,
	// so indexing the first element is always in range here.
	return FilterBuildpacks([]string{builder})[0]
}

// isAllowedBuildpackSource reports whether the registry/repository pair matches
// an entry of allowedBuildpackSources (exact registry, repository prefix).
func isAllowedBuildpackSource(registry, repository string) bool {
	for _, source := range allowedBuildpackSources {
		if registry != source.registry {
			continue
		}
		if strings.HasPrefix(repository, source.repositoryPrefix) {
			return true
		}
	}
	return false
}

// FilterBuildpacks filters a list of buildpacks to redact Personally
// Identifiable Information (PII) like the hostname of a personal registry.
//
// The result has one entry per input, in the same order:
//   - "<error>" when the (lower-cased) reference cannot be parsed, so the
//     unparseable input itself is never echoed back;
//   - the original string when registry and repository match the allow-list;
//   - otherwise the hex-encoded SHA-256 digest of the original string.
//
// NOTE(review): the digest is unsalted, so this is pseudonymisation rather
// than anonymisation. Identical inputs always map to identical digests, and a
// guessable input (for example a short internal registry hostname) can be
// confirmed by hashing candidates. Consumers should treat the digests as
// linkable data. The digest is computed over the original string, not the
// lower-cased one, so inputs differing only in case yield different digests.
func FilterBuildpacks(buildpacks []string) []string {
	filtered := make([]string, 0, len(buildpacks))

	for _, raw := range buildpacks {
		// Parsing uses a lower-cased copy; the original casing is kept for
		// the value that is returned or hashed below.
		ref, err := containerName.ParseReference(strings.ToLower(raw))
		if err != nil {
			filtered = append(filtered, "<error>")
			continue
		}

		repo := ref.Context()
		if isAllowedBuildpackSource(repo.Registry.Name(), repo.RepositoryStr()) {
			filtered = append(filtered, raw)
			continue
		}

		filtered = append(filtered, fmt.Sprintf("%x", sha256.Sum256([]byte(raw))))
	}
	return filtered
}

// allowedEnvKeys is the set of environment variable names that FilterEnv lets
// through. Only the keys matter; the nil values are placeholders.
var allowedEnvKeys = map[string]interface{}{
	// Java
	// https://github.com/paketo-buildpacks/sap-machine and https://github.com/paketo-buildpacks/bellsoft-liberica
	"BP_JVM_VERSION": nil,
	"BP_JVM_TYPE":    nil,
	// https://github.com/paketo-buildpacks/apache-tomcat
	"BP_TOMCAT_VERSION": nil,

	// Node
	// https://github.com/paketo-buildpacks/node-engine
	"BP_NODE_VERSION": nil,
}

// FilterEnv filters a map of environment variables to redact Personally
// Identifiable Information (PII). It returns a new map holding only the
// entries whose key is in allowedEnvKeys; the input map is not modified.
//
// Only the key is checked. The value of an allowed key is copied through
// unchanged, so whatever the user put into such a variable is exposed as-is.
func FilterEnv(in map[string]interface{}) map[string]interface{} {
	filtered := map[string]interface{}{}
	for name, val := range in {
		if _, ok := allowedEnvKeys[name]; !ok {
			continue
		}
		filtered[name] = val
	}
	return filtered
}