feat: connection_details view with sensitive fields masked

flanksource · Sep 10, 2024 · 82a6d64 · 82a6d64
1 parent 4ceaf5d
commit 82a6d64
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/views/027_connections.sql b/views/027_connections.sql
@@ -1,3 +1,4 @@
+-- A basic connection view free from any sensitive data.
 DROP VIEW IF EXISTS connections_list;
 CREATE OR REPLACE VIEW connections_list AS
   SELECT
@@ -18,3 +19,37 @@ CREATE OR REPLACE VIEW connections_list AS
     deleted_at IS NULL
   ORDER BY
     created_at;
+
+-- 
+CREATE OR REPLACE FUNCTION mask_sensitive(field_value TEXT)
+RETURNS TEXT AS $$
+BEGIN
+  RETURN CASE
+    WHEN field_value LIKE 'secret://%' OR 
+         field_value LIKE 'configmap://%' OR 
+         field_value LIKE 'helm://%' OR 
+         field_value LIKE 'serviceaccount://%' OR 
+         field_value = '' THEN field_value
+    ELSE '***'
+  END;
+END;
+$$ LANGUAGE plpgsql;
+-- 
+
+-- A connection view that masks sensitive fields.
+DROP VIEW IF EXISTS connection_details;
+CREATE OR REPLACE VIEW connection_details AS
+  SELECT
+    id, name, namespace, type, source, properties, insecure_tls, created_by, created_at, updated_at,
+    CASE
+      WHEN (string_to_array(url, '://'))[1] IN ('bark', 'discord', 'smtp', 'gotify', 'googlechat', 'ifttt', 'join', 'mattermost', 'matrix', 'ntfy', 'opsgenie', 'pushbullet', 'pushover', 'rocketchat', 'slack', 'teams', 'telegram', 'zulip') THEN 'notification'
+      ELSE ''
+    END AS category,
+    mask_sensitive(username) AS username,
+    mask_sensitive(PASSWORD) AS PASSWORD,
+    mask_sensitive(certificate) AS certificate
+  FROM connections
+  WHERE
+    deleted_at IS NULL
+  ORDER BY
+    created_at;