Remove Kubernetes IP address from errors returned in Threat Monitoring

This fix resolves problems with leaked Kubernetes IP address in error messages.

Remove Kubernetes IP address from errors returned in Threat Monitoring
This fix resolves problems with leaked Kubernetes IP address in error messages.
26e688bf · Alan Paruszewski · e3a57b32 · 26e688bf · 26e688bf · 26e688bf
Commit 26e688bf authored Jan 04, 2021 by Alan Paruszewski
7 changed files
--- a/ee/app/services/network_policies/delete_resource_service.rb
+++ b/ee/app/services/network_policies/delete_resource_service.rb
@@ -23,7 +23,7 @@ module NetworkPolicies

      ServiceResponse.success
    rescue Kubeclient::HttpError => e
-      kubernetes_error_response(e)
+      kubernetes_error_response(e.message)
    end
  end
 end
--- a/ee/app/services/network_policies/deploy_resource_service.rb
+++ b/ee/app/services/network_policies/deploy_resource_service.rb
@@ -26,7 +26,7 @@ module NetworkPolicies
      load_policy_from_resource
      ServiceResponse.success(payload: policy)
    rescue Kubeclient::HttpError => e
-      kubernetes_error_response(e)
+      kubernetes_error_response(e.message)
    end

    private

--- a/ee/app/services/network_policies/find_resource_service.rb
+++ b/ee/app/services/network_policies/find_resource_service.rb
@@ -16,7 +16,7 @@ module NetworkPolicies

      ServiceResponse.success(payload: get_policy)
    rescue Kubeclient::HttpError => e
-      kubernetes_error_response(e)
+      kubernetes_error_response(e.message)
    end

    private

--- a/ee/changelogs/unreleased/289930-fix-leaking-kubernetes-cluster-ip.yml
+++ b/ee/changelogs/unreleased/289930-fix-leaking-kubernetes-cluster-ip.yml
+---
+title: Remove Kubernetes IP address from error messages returned in Threat Monitoring
+merge_request:
+author:
+type: security
--- a/ee/spec/services/network_policies/delete_resource_service_spec.rb
+++ b/ee/spec/services/network_policies/delete_resource_service_spec.rb
@@ -49,8 +49,11 @@ RSpec.describe NetworkPolicies::DeleteResourceService do
    end

    context 'with Kubeclient::HttpError' do
+      let(:request_url) { 'https://kubernetes.local' }
+      let(:response) {  RestClient::Response.create('', {}, RestClient::Request.new(url: request_url, method: :get)) }
+
      before do
-        allow(kubeclient).to receive(:delete_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', nil))
+        allow(kubeclient).to receive(:delete_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', response))
      end

      it 'returns error response' do
@@ -58,6 +61,10 @@ RSpec.describe NetworkPolicies::DeleteResourceService do
        expect(subject.http_status).to eq(:bad_request)
        expect(subject.message).not_to be_nil
      end
+
+      it 'returns error message without request url' do
+        expect(subject.message).not_to include(request_url)
+      end
    end

    context 'with CiliumNetworkPolicy' do

--- a/ee/spec/services/network_policies/deploy_resource_service_spec.rb
+++ b/ee/spec/services/network_policies/deploy_resource_service_spec.rb
@@ -94,8 +94,11 @@ RSpec.describe NetworkPolicies::DeployResourceService do
    end

    context 'with Kubeclient::HttpError' do
+      let(:request_url) { 'https://kubernetes.local' }
+      let(:response) {  RestClient::Response.create('', {}, RestClient::Request.new(url: request_url, method: :get)) }
+
      before do
-        allow(kubeclient).to receive(:create_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', nil))
+        allow(kubeclient).to receive(:create_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', response))
      end

      it 'returns error response' do
@@ -103,6 +106,10 @@ RSpec.describe NetworkPolicies::DeployResourceService do
        expect(subject.http_status).to eq(:bad_request)
        expect(subject.message).not_to be_nil
      end
+
+      it 'returns error message without request url' do
+        expect(subject.message).not_to include(request_url)
+      end
    end

    context 'with cilium network policy' do

--- a/ee/spec/services/network_policies/find_resource_service_spec.rb
+++ b/ee/spec/services/network_policies/find_resource_service_spec.rb
@@ -62,8 +62,11 @@ RSpec.describe NetworkPolicies::FindResourceService do
    end

    context 'with Kubeclient::HttpError' do
+      let(:request_url) { 'https://kubernetes.local' }
+      let(:response) {  RestClient::Response.create('', {}, RestClient::Request.new(url: request_url, method: :get)) }
+
      before do
-        allow(kubeclient).to receive(:get_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', nil))
+        allow(kubeclient).to receive(:get_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', response))
      end

      it 'returns error response' do
@@ -71,6 +74,10 @@ RSpec.describe NetworkPolicies::FindResourceService do
        expect(subject.http_status).to eq(:bad_request)
        expect(subject.message).not_to be_nil
      end
+
+      it 'returns error message without request url' do
+        expect(subject.message).not_to include(request_url)
+      end
    end
  end
 end