feat: mask sensitive data before printing the preview changes (#1227)

KusionStack · Jul 18, 2024 · 1e8dabc · 1e8dabc
1 parent dbf3bde
commit 1e8dabc
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/pkg/cmd/preview/preview.go b/pkg/cmd/preview/preview.go
@@ -36,6 +36,7 @@ import (
 	"kusionstack.io/kusion/pkg/engine/release"
 	"kusionstack.io/kusion/pkg/engine/runtime/terraform"
 	"kusionstack.io/kusion/pkg/log"
+	"kusionstack.io/kusion/pkg/util/diff"
 	"kusionstack.io/kusion/pkg/util/i18n"
 	"kusionstack.io/kusion/pkg/util/pretty"
 	"kusionstack.io/kusion/pkg/util/terminal"
@@ -268,6 +269,14 @@ func (o *PreviewOptions) Run() error {
 
 	if o.Output == jsonOutput {
 		var previewChanges []byte
+
+		// Mask sensitive data before printing the preview changes.
+		for _, v := range changes.ChangeSteps {
+			maskedFrom, maskedTo := diff.MaskSensitiveData(v.From, v.To)
+			v.From = maskedFrom
+			v.To = maskedTo
+		}
+
 		previewChanges, err = json.Marshal(changes)
 		if err != nil {
 			return fmt.Errorf("json marshal preview changes failed as %w", err)

diff --git a/pkg/util/diff/diff.go b/pkg/util/diff/diff.go
@@ -76,7 +76,7 @@ func ToRawString(humanReport *dyff.HumanReport) (string, error) {
 func ToReport(oldData, newData interface{}) (*dyff.Report, error) {
 	// Mask the sensitive data in Kubernetes Secret before generating the
 	// diff report.
-	maskedOldData, maskedNewData := maskSensitiveData(oldData, newData)
+	maskedOldData, maskedNewData := MaskSensitiveData(oldData, newData)
 
 	from, err := LoadFile(yaml.MergeToOneYAML(maskedOldData), "Old item")
 	if err != nil {
@@ -115,9 +115,9 @@ func LoadFile(input, location string) (ytbx.InputFile, error) {
 	}, nil
 }
 
-// maskSensitiveData masks the sensitive data with placeholders before generating
+// MaskSensitiveData masks the sensitive data with placeholders before generating
 // the diff report.
-func maskSensitiveData(oldData, newData interface{}) (interface{}, interface{}) {
+func MaskSensitiveData(oldData, newData interface{}) (interface{}, interface{}) {
 	from, ok1 := oldData.(*v1.Resource)
 	to, ok2 := newData.(*v1.Resource)
 

diff --git a/pkg/util/diff/diff_test.go b/pkg/util/diff/diff_test.go
@@ -293,7 +293,7 @@ func TestMaskSensitiveData(t *testing.T) {
 
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
-			actualMaskedOldData, actualMaskedNewData := maskSensitiveData(
+			actualMaskedOldData, actualMaskedNewData := MaskSensitiveData(
 				tc.oldData, tc.newData,
 			)