RedHatQE · myakove · Nov 27, 2024 · Oct 23, 2024 · Oct 23, 2024 · Oct 28, 2024
diff --git a/ocp_resources/resource.py b/ocp_resources/resource.py
@@ -134,9 +134,78 @@ def sub_resource_level(current_class: Any, owner_class: Any, parent_class: Any)
     return None
 
 
-# Exceptions classes
+def replace_key_with_hashed_value(resource_dict: Dict[Any, Any], key_name: str) -> Dict[Any, Any]:
+    """
+    Recursively search a nested dictionary for a given key and changes its value to "******" if found.
+
+    The function supports two key formats:
+    1. Regular dictionary path:
+        A key to be hashed can be found directly in a dictionary, e.g. "a>b>c", would hash the value associated with
+        key "c", where dictionary format is:
+        input = {
+            "a": {
+                "b": {
+                    "c": "sensitive data"
+                }
+            }
+        }
+        output = {
+            "a": {
+                "b": {
+                    "c": "*******"
+                }
+            }
+        }
+    2. List path:
+        A key to be hashed can be found in a dictionary that is in list somewhere in a dictionary, e.g. "a>b[]>c",
+        would hash the value associated with key "c", where dictionary format is:
+        input = {
+            "a": {
+                "b": [
+                    {"d": "not sensitive data"},
+                    {"c": "sensitive data"}
+                ]
+            }
+        }
+        output = {
+            "a": {
+                "b": [
+                    {"d": "not sensitive data"},
+                    {"c": "*******"}
+                ]
+            }
+        }
+
+    Args:
+        resource_dict: The nested dictionary to search.
+        key_name: The key path to find.
+
+    Returns:
+        Dict[Any, Any]: A copy of the input dictionary with the specified key's value replaced with "*******".
+
+    """
+    result = copy.deepcopy(resource_dict)
+
+    benedict_resource_dict = benedict(result, keypath_separator=">")
+
+    if "[]" not in key_name:
+        if benedict_resource_dict.get(key_name):
+            benedict_resource_dict[key_name] = "*******"
+        return dict(benedict_resource_dict)
+
+    key_prefix, remaining_key = key_name.split("[]>", 1)
+    if not benedict_resource_dict.get(key_prefix):
+        return dict(benedict_resource_dict)
+
+    resource_data = benedict_resource_dict[key_prefix]
+    if not isinstance(resource_data, list):
+        return dict(benedict_resource_dict)
 
-# End Exceptions classes
+    for index, element in enumerate(resource_data):
+        if isinstance(element, dict):
+            resource_data[index] = replace_key_with_hashed_value(resource_dict=element, key_name=remaining_key)
+
+    return dict(benedict_resource_dict)
 
 
 class KubeAPIVersion(Version):
@@ -1173,21 +1242,18 @@ def keys_to_hash(self) -> List[str]:
 
          Example:
              given a dict: {"spec": {"data": <value_to_hash>}}
-             To hash spec['data'] key pass: ["spec..data"]
+             To hash spec['data'] key pass: ["spec>data"]
         """
         return []
 
     def hash_resource_dict(self, resource_dict: Dict[Any, Any]) -> Dict[Any, Any]:
+        if not isinstance(resource_dict, dict):
+            raise ValueError("Expected a dictionary as the first argument")
+
         if self.keys_to_hash and self.hash_log_data:
             resource_dict = copy.deepcopy(resource_dict)
-            resource_dict = benedict(resource_dict, keypath_separator="..")
-
-            for key in self.keys_to_hash:
-                if key in resource_dict:
-                    resource_dict[key] = "***"
-
-            return resource_dict
-
+            for key_name in self.keys_to_hash:
+                resource_dict = replace_key_with_hashed_value(resource_dict=resource_dict, key_name=key_name)
         return resource_dict
 
     def get_condition_message(self, condition_type: str, condition_status: str = "") -> str:

diff --git a/ocp_resources/sealed_secret.py b/ocp_resources/sealed_secret.py
@@ -50,4 +50,4 @@ def to_dict(self) -> None:
 
     @property
     def keys_to_hash(self):
-        return ["spec..data", "spec..encryptedData"]
+        return ["spec>data", "spec>encryptedData"]
diff --git a/ocp_resources/virtual_machine.py b/ocp_resources/virtual_machine.py
@@ -175,3 +175,7 @@ def wait_for_status_none(self, status, timeout=TIMEOUT_4MINUTES):
         ):
             if sample is None:
                 return
+
+    @property
+    def keys_to_hash(self):
+        return ["spec>template>spec>volumes[]>cloudInitNoCloud>userData"]
diff --git a/tests/test_unittests.py b/tests/test_unittests.py
@@ -0,0 +1,88 @@
+import pytest
+from benedict import benedict
+from ocp_resources.resource import replace_key_with_hashed_value
+
+
+@pytest.fixture()
+def vm_spec():
+    return {
+        "spec": {
+            "template": {
+                "features": {"someNewFeature": {"someNewData": "sensitive information"}},
+                "spec": {
+                    "volumes": [
+                        {"name": "volume1", "userData": "sensitive-data"},
+                    ]
+                },
+            }
+        }
+    }
+
+
+@pytest.mark.parametrize(
+    "key_name, expected_key",
+    [
+        pytest.param(
+            "spec>template>features>someNewFeature>someNewData",
+            "spec>template>features>someNewFeature>someNewData",
+            id="test_replace_key_with_hashed_value_replace_key",
+        ),
+        pytest.param(
+            "spec>template>spec>volumes[]>userData",
+            "spec>template>spec>volumes[0]>userData",
+            id="test_replace_key_with_hashed_value_replace_key_in_list",
+        ),
+    ],
+)
+def test_replace_key_with_hashed_value(vm_spec, key_name, expected_key):
+    result = benedict(replace_key_with_hashed_value(resource_dict=vm_spec, key_name=key_name), keypath_separator=">")
+    assert result[expected_key] == "*******"
+    vm_spec_benedict = benedict(vm_spec, keypath_separator=">")
+    result_benedict = benedict(result, keypath_separator=">")
+    del vm_spec_benedict[expected_key]
+    del result_benedict[expected_key]
+    assert result_benedict == vm_spec_benedict
+
+
+@pytest.mark.parametrize(
+    "resource, key_name, expected_result",
+    [
+        # Empty dictionary
+        pytest.param({}, "a>b", {}, id="test_replace_key_with_hashed_value_empty_dict"),
+        # Non-existent key
+        pytest.param(
+            {"x": {"y": "z"}}, "a>b", {"x": {"y": "z"}}, id="test_replace_key_with_hashed_value_key_doesnt_exist"
+        ),
+        # Malformed key
+        pytest.param(
+            {"x": {"y": "z"}}, "x>y>", {"x": {"y": "z"}}, id="test_replace_key_with_hashed_value_malformed_key"
+        ),
+        # empty key path
+        pytest.param({"x": {"y": "z"}}, "", {"x": {"y": "z"}}, id="test_replace_key_with_hashed_value_empty_key"),
+    ],
+)
+def test_replace_key_with_hashed_value_edge_cases(resource, key_name, expected_result):
+    """Test edge cases for replace_key_with_hashed_value function."""
+    assert replace_key_with_hashed_value(resource_dict=resource, key_name=key_name) == expected_result
+
+
+def test_replace_key_with_hashed_value_multiple_occurances(vm_spec):
+    vm_spec["spec"]["template"]["spec"]["volumes"].append({"name": "volume2", "userData": "more sensitive-data"})
+    result = replace_key_with_hashed_value(resource_dict=vm_spec, key_name="spec>template>spec>volumes[]>userData")
+    for volume in result["spec"]["template"]["spec"]["volumes"]:
+        assert volume["userData"] == "*******"
+
+
+@pytest.mark.parametrize(
+    "resource, key_name, exception_type",
+    [
+        pytest.param(None, "a>b", TypeError, id="test_replace_key_with_hashed_value_empty_dict_valid_key"),
+        pytest.param({}, None, TypeError, id="test_replace_key_with_hashed_value_empty_dict_no_key"),
+        pytest.param({}, 123, TypeError, id="test_replace_key_with_hashed_value_empty_dict_invalid_key"),
+        pytest.param("not_a_dict", "a>b", ValueError, id="test_replace_key_with_hashed_value_invalid_dict_valid_key"),
+    ],
+)
+def test_replace_key_with_hashed_value_invalid_inputs(resource, key_name, exception_type):
+    """Test that the function handles invalid inputs appropriately."""
+    with pytest.raises(exception_type):
+        replace_key_with_hashed_value(resource_dict=resource, key_name=key_name)
diff --git a/tox.toml b/tox.toml
@@ -5,6 +5,7 @@ env_list = [
   "class-generator",
   "resource-tests",
   "api-group-order",
+  "validate-unittests"
 ]
 
 [env.resource-tests]
@@ -57,3 +58,8 @@ commands = [
 description = "Run API group order tests"
 deps = ["uv"]
 commands = [["uv", "run", "pytest", "tests/test_api_group_order.py"]]
+
+[env.unittests]
+description = "Run unittests"
+deps = ["uv"]
+commands = [["uv", "run", "pytest", "tests/test_unittests.py", "-svv"]]