Merge pull request #3167 from wansir/sensitive-config

config data desensitization

pkg/apiserver/authentication/oauth/oauth_options.go

@@ -17,9 +17,11 @@ limitations under the License.
 package oauth
 
 import (
+	"encoding/json"
 	"errors"
 	"kubesphere.io/kubesphere/pkg/utils/sliceutil"
 	"net/url"
+	"strings"
 	"time"
 )
 
@@ -75,8 +77,57 @@ type Options struct {
 	AccessTokenInactivityTimeout time.Duration `json:"accessTokenInactivityTimeout" yaml:"accessTokenInactivityTimeout"`
 }
 
+// the type of key must be string
 type DynamicOptions map[string]interface{}
 
+func (o DynamicOptions) MarshalJSON() ([]byte, error) {
+	data, err := json.Marshal(desensitize(o))
+	return data, err
+}
+
+var (
+	sensitiveKeys = [...]string{"password", "secret"}
+)
+
+// isSensitiveData returns whether the input string contains sensitive information
+func isSensitiveData(key string) bool {
+	for _, v := range sensitiveKeys {
+		if strings.Contains(strings.ToLower(key), v) {
+			return true
+		}
+	}
+	return false
+}
+
+// desensitize returns the desensitized data
+func desensitize(data map[string]interface{}) map[string]interface{} {
+	output := make(map[string]interface{})
+	for k, v := range data {
+		if isSensitiveData(k) {
+			continue
+		}
+		switch v.(type) {
+		case map[interface{}]interface{}:
+			output[k] = desensitize(convert(v.(map[interface{}]interface{})))
+		default:
+			output[k] = v
+		}
+	}
+	return output
+}
+
+// convert returns formatted data
+func convert(m map[interface{}]interface{}) map[string]interface{} {
+	output := make(map[string]interface{})
+	for k, v := range m {
+		switch k.(type) {
+		case string:
+			output[k.(string)] = v
+		}
+	}
+	return output
+}
+
 type IdentityProviderOptions struct {
 	// The provider name.
 	Name string `json:"name" yaml:"name"`