#3679 hide certificate, key and chain ca in AS3 response (#3714)

F5Networks · Jan 15, 2025 · db749c8 · db749c8
1 parent 79353ee
commit db749c8
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 6 deletions.
diff --git a/docs/RELEASE-NOTES.rst b/docs/RELEASE-NOTES.rst
@@ -12,6 +12,7 @@ Added Functionality
 
 Bug Fixes
 ````````````
+* `Issue 3679 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/3679>`_: Certificate, CA chain, and private key shown in debug logs
 
 2.19.0
 -------------

diff --git a/pkg/agent/as3/postManager.go b/pkg/agent/as3/postManager.go
@@ -401,8 +401,13 @@ func (postMgr *PostManager) getBigipRegKeyURL() string {
 }
 
 func (postMgr *PostManager) logAS3Response(responseMap map[string]interface{}) {
+	// Avoid modifying the original response
+	responseMapCopy := make(map[string]interface{})
+	for key, value := range responseMap {
+		responseMapCopy[key] = value
+	}
 	// removing the certificates/privateKey from response log
-	if declaration, ok := (responseMap["declaration"]).([]interface{}); ok {
+	if declaration, ok := (responseMapCopy["declaration"]).(map[string]interface{}); ok {
 		for _, value := range declaration {
 			if tenantMap, ok := value.(map[string]interface{}); ok {
 				for _, value2 := range tenantMap {
@@ -425,9 +430,9 @@ func (postMgr *PostManager) logAS3Response(responseMap map[string]interface{}) {
 			log.Errorf("[AS3] error while reading declaration from AS3 response: %v\n", err)
 			return
 		}
-		responseMap["declaration"] = as3Declaration(decl)
+		responseMapCopy["declaration"] = as3Declaration(decl)
 	}
-	log.Debugf("[AS3] Raw response from Big-IP: %v ", responseMap)
+	log.Debugf("[AS3] Raw response from Big-IP: %v ", responseMapCopy)
 }
 
 func (postMgr *PostManager) logAS3Request(cfg string) {

diff --git a/pkg/controller/postManager.go b/pkg/controller/postManager.go
@@ -637,8 +637,13 @@ func (postMgr *PostManager) getBigipRegKeyURL() string {
 }
 
 func (postMgr *PostManager) logAS3Response(responseMap map[string]interface{}) {
+	// Avoid modifying the original response
+	responseMapCopy := make(map[string]interface{})
+	for key, value := range responseMap {
+		responseMapCopy[key] = value
+	}
 	// removing the certificates/privateKey from response log
-	if declaration, ok := (responseMap["declaration"]).([]interface{}); ok {
+	if declaration, ok := (responseMapCopy["declaration"]).(map[string]interface{}); ok {
 		for _, value := range declaration {
 			if tenantMap, ok := value.(map[string]interface{}); ok {
 				for _, value2 := range tenantMap {
@@ -661,9 +666,9 @@ func (postMgr *PostManager) logAS3Response(responseMap map[string]interface{}) {
 			log.Errorf("[AS3]%v error while reading declaration from AS3 response: %v\n", postMgr.postManagerPrefix, err)
 			return
 		}
-		responseMap["declaration"] = as3Declaration(decl)
+		responseMapCopy["declaration"] = as3Declaration(decl)
 	}
-	log.Debugf("[AS3]%v Raw response from Big-IP: %v ", postMgr.postManagerPrefix, responseMap)
+	log.Debugf("[AS3]%v Raw response from Big-IP: %v ", postMgr.postManagerPrefix, responseMapCopy)
 }
 
 func (postMgr *PostManager) logAS3Request(cfg string) {
-Original file line number
+Diff line change
@@ Expand Up / @@ -12,6 +12,7 @@ Added Functionality @@
     Bug Fixes
     ````````````
+    * `Issue 3679 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/3679>`_: Certificate, CA chain, and private key shown in debug logs
 .19.0
     -------------
@@ Expand Down @@