security fixes (kubernetes-sigs#1451)

Author: M00nF1sh

Dockerfile

@@ -19,6 +19,7 @@ RUN --mount=type=bind,target=. \
 
 FROM amazonlinux:2 as bin-unix
 COPY --from=build /out/controller /controller
+USER 1002
 ENTRYPOINT ["/controller"]
 
 FROM bin-unix AS bin-linux

pkg/model/elbv2/listener.go

@@ -2,6 +2,7 @@ package elbv2
 
 import (
 	"context"
+	"encoding/json"
 	"github.com/pkg/errors"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 )
@@ -123,8 +124,8 @@ type AuthenticateOIDCActionConditionalBehavior string
 
 const (
 	AuthenticateOIDCActionConditionalBehaviorDeny         AuthenticateOIDCActionConditionalBehavior = "deny"
-	AuthenticateOIDCActionConditionalBehaviorAllow                                                  = "allow"
-	AuthenticateOIDCActionConditionalBehaviorAuthenticate                                           = "authenticate"
+	AuthenticateOIDCActionConditionalBehaviorAllow        AuthenticateOIDCActionConditionalBehavior = "allow"
+	AuthenticateOIDCActionConditionalBehaviorAuthenticate AuthenticateOIDCActionConditionalBehavior = "authenticate"
 )
 
 // Request parameters when using an identity provider (IdP) that is compliant with OpenID Connect (OIDC) to authenticate users.
@@ -168,6 +169,14 @@ type AuthenticateOIDCActionConfig struct {
 	ClientSecret string `json:"clientSecret"`
 }
 
+func (cfg AuthenticateOIDCActionConfig) MarshalJSON() ([]byte, error) {
+	type redactedCFG AuthenticateOIDCActionConfig
+	redactedCfg := redactedCFG(cfg)
+	redactedCfg.ClientID = "[REDACTED]"
+	redactedCfg.ClientSecret = "[REDACTED]"
+	return json.Marshal(redactedCfg)
+}
+
 // Information about an action that returns a custom HTTP response.
 type FixedResponseActionConfig struct {
 	// The content type.

pkg/model/elbv2/listener_test.go

@@ -0,0 +1,54 @@
+package elbv2
+
+import (
+	"encoding/json"
+	awssdk "github.com/aws/aws-sdk-go/aws"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestAuthenticateOIDCActionConfig_MarshalJSON(t *testing.T) {
+	deny := AuthenticateOIDCActionConditionalBehaviorDeny
+	type fields struct {
+		AuthenticationRequestExtraParams map[string]string
+		OnUnauthenticatedRequest         *AuthenticateOIDCActionConditionalBehavior
+		Scope                            *string
+		SessionCookieName                *string
+		SessionTimeout                   *int64
+		Issuer                           string
+		AuthorizationEndpoint            string
+		TokenEndpoint                    string
+		UserInfoEndpoint                 string
+		ClientID                         string
+		ClientSecret                     string
+	}
+	tests := []struct {
+		name string
+		cfg  *AuthenticateOIDCActionConfig
+		want string
+	}{
+		{
+			name: "clientID and clientSecret should be redacted",
+			cfg: &AuthenticateOIDCActionConfig{
+				AuthenticationRequestExtraParams: map[string]string{"key": "value"},
+				OnUnauthenticatedRequest:         &deny,
+				Scope:                            awssdk.String("oidc"),
+				SessionCookieName:                awssdk.String("my-cookie"),
+				Issuer:                           "my-issuer",
+				AuthorizationEndpoint:            "my-auth-endpoint",
+				TokenEndpoint:                    "my-token-endpoint",
+				UserInfoEndpoint:                 "my-user-endpoint",
+				ClientID:                         "client-id",
+				ClientSecret:                     "client-secret",
+			},
+			want: `{"authenticationRequestExtraParams":{"key":"value"},"onUnauthenticatedRequest":"deny","scope":"oidc","sessionCookieName":"my-cookie","issuer":"my-issuer","authorizationEndpoint":"my-auth-endpoint","tokenEndpoint":"my-token-endpoint","userInfoEndpoint":"my-user-endpoint","clientID":"[REDACTED]","clientSecret":"[REDACTED]"}`,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			payload, _ := json.Marshal(tt.cfg)
+			got := string(payload)
+			assert.JSONEq(t, tt.want, got)
+		})
+	}
+}