Implement recursive SanitizedCopy() for KongState, refactor SetCredential

internal/ingress/controller/kong.go

@@ -395,12 +395,25 @@ func (n *KongController) toDeckContent(
 		for _, p := range c.Plugins {
 			consumer.Plugins = append(consumer.Plugins, &file.FPlugin{Plugin: p})
 		}
-		consumer.KeyAuths = c.KeyAuths
-		consumer.HMACAuths = c.HMACAuths
-		consumer.BasicAuths = c.BasicAuths
-		consumer.JWTAuths = c.JWTAuths
-		consumer.ACLGroups = c.ACLGroups
-		consumer.Oauth2Creds = c.Oauth2Creds
+
+		for _, v := range c.KeyAuths {
+			consumer.KeyAuths = append(consumer.KeyAuths, &v.KeyAuth)
+		}
+		for _, v := range c.HMACAuths {
+			consumer.HMACAuths = append(consumer.HMACAuths, &v.HMACAuth)
+		}
+		for _, v := range c.BasicAuths {
+			consumer.BasicAuths = append(consumer.BasicAuths, &v.BasicAuth)
+		}
+		for _, v := range c.JWTAuths {
+			consumer.JWTAuths = append(consumer.JWTAuths, &v.JWTAuth)
+		}
+		for _, v := range c.ACLGroups {
+			consumer.ACLGroups = append(consumer.ACLGroups, &v.ACLGroup)
+		}
+		for _, v := range c.Oauth2Creds {
+			consumer.Oauth2Creds = append(consumer.Oauth2Creds, &v.Oauth2Credential)
+		}
 		content.Consumers = append(content.Consumers, consumer)
 	}
 	sort.SliceStable(content.Consumers, func(i, j int) bool {
@@ -415,6 +428,7 @@ func (n *KongController) toDeckContent(
 
 	return &content
 }
+
 func getFCertificateFromKongCert(kongCert kong.Certificate) file.FCertificate {
 	var res file.FCertificate
 	if kongCert.ID != nil {

internal/ingress/controller/parser/kongstate/consumer.go

@@ -5,121 +5,103 @@ import (
 
 	"github.com/kong/go-kong/kong"
 	configurationv1 "github.com/kong/kubernetes-ingress-controller/pkg/apis/configuration/v1"
-	"github.com/mitchellh/mapstructure"
-	"github.com/sirupsen/logrus"
 )
 
 // Consumer holds a Kong consumer and its plugins and credentials.
 type Consumer struct {
 	kong.Consumer
 	Plugins    []kong.Plugin
-	KeyAuths   []*kong.KeyAuth
-	HMACAuths  []*kong.HMACAuth
-	JWTAuths   []*kong.JWTAuth
-	BasicAuths []*kong.BasicAuth
-	ACLGroups  []*kong.ACLGroup
+	KeyAuths   []*KeyAuth
+	HMACAuths  []*HMACAuth
+	JWTAuths   []*JWTAuth
+	BasicAuths []*BasicAuth
+	ACLGroups  []*ACLGroup
 
-	Oauth2Creds []*kong.Oauth2Credential
+	Oauth2Creds []*Oauth2Credential
 
 	K8sKongConsumer configurationv1.KongConsumer
 }
 
-func (c *Consumer) SetCredential(log logrus.FieldLogger, credType string, credConfig interface{}) error {
+// SanitizedCopy returns a shallow copy with sensitive values redacted best-effort.
+func (c *Consumer) SanitizedCopy() *Consumer {
+	return &Consumer{
+		Consumer: c.Consumer,
+		Plugins:  c.Plugins,
+		KeyAuths: func() (res []*KeyAuth) {
+			for _, v := range c.KeyAuths {
+				res = append(res, v.SanitizedCopy())
+			}
+			return
+		}(),
+		HMACAuths: func() (res []*HMACAuth) {
+			for _, v := range c.HMACAuths {
+				res = append(res, v.SanitizedCopy())
+			}
+			return
+		}(),
+		JWTAuths: func() (res []*JWTAuth) {
+			for _, v := range c.JWTAuths {
+				res = append(res, v.SanitizedCopy())
+			}
+			return
+		}(),
+		BasicAuths: func() (res []*BasicAuth) {
+			for _, v := range c.BasicAuths {
+				res = append(res, v.SanitizedCopy())
+			}
+			return
+		}(),
+		Oauth2Creds: func() (res []*Oauth2Credential) {
+			for _, v := range c.Oauth2Creds {
+				res = append(res, v.SanitizedCopy())
+			}
+			return
+		}(),
+		ACLGroups:       c.ACLGroups,
+		K8sKongConsumer: c.K8sKongConsumer,
+	}
+}
+
+func (c *Consumer) SetCredential(credType string, credConfig interface{}) error {
 	switch credType {
 	case "key-auth", "keyauth_credential":
-		var cred kong.KeyAuth
-		err := decodeCredential(credConfig, &cred)
+		cred, err := NewKeyAuth(credConfig)
 		if err != nil {
-			return fmt.Errorf("failed to decode key-auth credential: %w", err)
-
+			return err
 		}
-		// TODO we perform these validity checks here because passing credentials without these fields will panic deck
-		// later on. Ideally this should not be handled in the controller, but we cannot currently handle it elsewhere
-		// (i.e. in deck or go-kong) without entering a sync failure loop that cannot actually report the problem
-		// piece of configuration. if we can address those limitations, we should remove these checks.
-		// See https://github.com/Kong/deck/pull/223 and https://github.com/Kong/kubernetes-ingress-controller/issues/532
-		// for more discussion.
-		if cred.Key == nil {
-			return fmt.Errorf("key-auth for consumer %s is invalid: no key", *c.Username)
-		}
-		c.KeyAuths = append(c.KeyAuths, &cred)
+		c.KeyAuths = append(c.KeyAuths, cred)
 	case "basic-auth", "basicauth_credential":
-		var cred kong.BasicAuth
-		err := decodeCredential(credConfig, &cred)
+		cred, err := NewBasicAuth(credConfig)
 		if err != nil {
-			return fmt.Errorf("failed to decode basic-auth credential: %w", err)
-		}
-		if cred.Username == nil {
-			return fmt.Errorf("basic-auth for consumer %s is invalid: no username", *c.Username)
+			return err
 		}
-		c.BasicAuths = append(c.BasicAuths, &cred)
+		c.BasicAuths = append(c.BasicAuths, cred)
 	case "hmac-auth", "hmacauth_credential":
-		var cred kong.HMACAuth
-		err := decodeCredential(credConfig, &cred)
+		cred, err := NewHMACAuth(credConfig)
 		if err != nil {
-			return fmt.Errorf("failed to decode hmac-auth credential: %w", err)
+			return err
 		}
-		if cred.Username == nil {
-			return fmt.Errorf("hmac-auth for consumer %s is invalid: no username", *c.Username)
-		}
-		c.HMACAuths = append(c.HMACAuths, &cred)
+		c.HMACAuths = append(c.HMACAuths, cred)
 	case "oauth2":
-		var cred kong.Oauth2Credential
-		err := decodeCredential(credConfig, &cred)
+		cred, err := NewOauth2Credential(credConfig)
 		if err != nil {
-			return fmt.Errorf("failed to decode oauth2 credential: %w", err)
-		}
-		if cred.ClientID == nil {
-			return fmt.Errorf("oauth2 for consumer %s is invalid: no client_id", *c.Username)
+			return err
 		}
-		c.Oauth2Creds = append(c.Oauth2Creds, &cred)
+		c.Oauth2Creds = append(c.Oauth2Creds, cred)
 	case "jwt", "jwt_secret":
-		var cred kong.JWTAuth
-		err := decodeCredential(credConfig, &cred)
+		cred, err := NewJWTAuth(credConfig)
 		if err != nil {
-			log.Errorf("failed to process JWT credential: %v", err)
+			return err
 		}
-		// This is treated specially because only this
-		// field might be omitted by user under the expectation
-		// that Kong will insert the default.
-		// If we don't set it, decK will detect a diff and PUT this
-		// credential everytime it performs a sync operation, which
-		// leads to unnecessary cache invalidations in Kong.
-		if cred.Algorithm == nil || *cred.Algorithm == "" {
-			cred.Algorithm = kong.String("HS256")
-		}
-		if cred.Key == nil {
-			return fmt.Errorf("jwt-auth for consumer %s is invalid: no key", *c.Username)
-		}
-		c.JWTAuths = append(c.JWTAuths, &cred)
+		c.JWTAuths = append(c.JWTAuths, cred)
 	case "acl":
-		var cred kong.ACLGroup
-		err := decodeCredential(credConfig, &cred)
+		cred, err := NewACLGroup(credConfig)
 		if err != nil {
-			log.Errorf("failed to process ACL group: %v", err)
+			return err
 		}
-		if cred.Group == nil {
-			return fmt.Errorf("acl for consumer %s is invalid: no group", *c.Username)
-		}
-		c.ACLGroups = append(c.ACLGroups, &cred)
+		c.ACLGroups = append(c.ACLGroups, cred)
 	default:
 		return fmt.Errorf("invalid credential type: '%v'", credType)
 	}
 	return nil
 }
-
-func decodeCredential(credConfig interface{},
-	credStructPointer interface{}) error {
-	decoder, err := mapstructure.NewDecoder(
-		&mapstructure.DecoderConfig{TagName: "json",
-			Result: credStructPointer,
-		})
-	if err != nil {
-		return fmt.Errorf("failed to create a decoder: %w", err)
-	}
-	err = decoder.Decode(credConfig)
-	if err != nil {
-		return fmt.Errorf("failed to decode credential: %w", err)
-	}
-	return nil
-}