Redact secrets in slices (#11271) (#11389)

Redact secrets in config and component files found in the diagnostics archive that occur within slices.

(cherry picked from commit 42e78ec)

Co-authored-by: Michel Laterman <[email protected]>

Author: mergify[bot]

changelog/fragments/1763589181-Redact-secrets-in-slices.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: security
+
+# Change summary; a 80ish characters long description of the change.
+summary: Redact secrets in slices
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: Redact secrets in conifg and component files found in the diagnostics archive that occur within slices.
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/11271
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234

internal/pkg/diagnostics/diagnostics.go

@@ -369,11 +369,11 @@ func redactMap[K comparable](errOut io.Writer, inputMap map[K]interface{}, slice
 		if rootValue != nil {
 			switch cast := rootValue.(type) {
 			case map[string]interface{}:
-				rootValue = redactMap(errOut, cast, sliceElem)
+				rootValue = redactMap(errOut, cast, false)
 			case map[interface{}]interface{}:
-				rootValue = redactMap(errOut, cast, sliceElem)
+				rootValue = redactMap(errOut, cast, false)
 			case map[int]interface{}:
-				rootValue = redactMap(errOut, cast, sliceElem)
+				rootValue = redactMap(errOut, cast, false)
 			case []interface{}:
 				// Recursively process each element in the slice so that we also walk
 				// through lists (e.g. inputs[4].streams[0]). This is required to

internal/pkg/diagnostics/diagnostics_test.go

@@ -791,3 +791,70 @@ func TestAddRedactionMarkers(t *testing.T) {
 		})
 	}
 }
+
+func TestRedactSSLKeyInInputs(t *testing.T) {
+	inputYaml := []byte(`inputs:
+    - ssl:
+        certificate: cert1
+        key: key1
+      nested:
+        ssl:
+          certificate: cert2
+          key: key2
+      slice:
+        - ssl:
+            certificate: cert3
+            key: key3`)
+
+	var unmarshalled map[string]any
+	err := yaml.Unmarshal(inputYaml, &unmarshalled)
+	require.NoError(t, err)
+
+	var errOut bytes.Buffer
+	redacted := Redact(unmarshalled, &errOut)
+	assert.Equalf(t, 0, errOut.Len(), "Unexpected errors written when redacting secrets: %s", errOut.String())
+	require.NotNil(t, redacted)
+
+	require.Contains(t, redacted, "inputs")
+	inputs, ok := redacted["inputs"].([]any)
+	require.Truef(t, ok, "expected inputs to be slice, detected: %T", redacted["inputs"])
+	require.Len(t, inputs, 1)
+	input, ok := inputs[0].(map[string]any)
+	require.True(t, ok, "expected input to be object, detected: %T", inputs[0])
+
+	// check top level ssl
+	require.Contains(t, input, "ssl")
+	top, ok := input["ssl"].(map[string]any)
+	require.True(t, ok, "expected type to be object, detected: %T", input["ssl"])
+	require.Contains(t, top, "certificate")
+	assert.Equal(t, REDACTED, top["certificate"])
+	require.Contains(t, top, "key")
+	assert.Equal(t, REDACTED, top["key"])
+
+	// check nested object
+	require.Contains(t, input, "nested")
+	nested, ok := input["nested"].(map[string]any)
+	require.True(t, ok, "expected type to be object, detected: %T", input["nested"])
+	require.Contains(t, nested, "ssl")
+	nestedSSL, ok := nested["ssl"].(map[string]any)
+	require.True(t, ok, "expected type to be object, detected: %T", nested["ssl"])
+	require.Contains(t, nestedSSL, "certificate")
+	assert.Equal(t, REDACTED, nestedSSL["certificate"])
+	require.Contains(t, nestedSSL, "key")
+	assert.Equal(t, REDACTED, nestedSSL["key"])
+
+	// check nested slice
+	require.Contains(t, input, "slice")
+	slice, ok := input["slice"].([]any)
+	require.True(t, ok, "expected type to be slice, detected: %T", input["slice"])
+	require.Len(t, slice, 1)
+	elem, ok := slice[0].(map[string]any)
+	require.True(t, ok, "expected type to be object, detected: %T", slice[0])
+	require.Contains(t, elem, "ssl")
+	sliceSSL, ok := elem["ssl"].(map[string]any)
+	require.True(t, ok, "expected type to be object, detected: %T", elem["ssl"])
+	require.Contains(t, sliceSSL, "certificate")
+	assert.Equal(t, REDACTED, sliceSSL["certificate"])
+	require.Contains(t, sliceSSL, "key")
+	assert.Equal(t, REDACTED, sliceSSL["key"])
+}