[ACM-30430] Sanitize error messages to prevent information disclosure

[dislbenn]

Summary

Fixes ACM-30430 by sanitizing error messages that expose internal API structure and implementation details.

Changes

Removed sensitive information from user-facing error messages across OCM API clients and controllers:

• HTTP status codes
• Raw API response bodies
• Internal error codes and reasons
• API endpoint details

All internal details now logged at V(1) debug level for troubleshooting while returning generic error messages to users.

Files Modified

• pkg/ocm/cluster/client.go - Generic "failed to retrieve cluster information"
• pkg/ocm/auth/provider.go - Generic "authentication failed"
• pkg/ocm/subscription/provider.go - Generic "failed to retrieve subscription information"
• pkg/ocm/subscription/service.go - Sanitized status code logs
• pkg/ocm/tls_util.go - Generic "failed to retrieve TLS configuration"
• controllers/discoveredcluster_controller.go - Generic "invalid authentication configuration"

Testing

• All existing tests pass
• Internal debugging fields (Code, Response, StatusCode) still populated for test assertions
• V(1) debug logs contain full details for troubleshooting

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes

  • Standardized error messages across authentication, cluster information retrieval, and subscription operations for improved consistency
  • Enhanced error handling for invalid authentication configurations with clearer messaging

• Chores

  • Improved internal logging infrastructure for authentication, cluster, and subscription operations to support better diagnostics and troubleshooting capabilities
  • Refined error message consistency across API interactions

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dislbenn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [dislbenn]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates auto-generated deepcopy methods to properly deep-copy slice fields, refactors error handling across OCM modules to use structured logging with generic error messages, and simplifies build constraints by removing deprecated directives.

Changes

Cohort / File(s)	Summary
Auto-generated Deepcopy Methods api/v1/zz_generated.deepcopy.go, api/v1alpha1/zz_generated.deepcopy.go	Updated build constraints by removing legacy // +build directives. Enhanced Filter.DeepCopyInto to allocate new backing arrays and copy slice contents for ClusterTypes, InfrastructureProviders, and Regions fields.
OCM Error Handling & Logging pkg/ocm/auth/provider.go, pkg/ocm/cluster/client.go, pkg/ocm/subscription/provider.go, pkg/ocm/subscription/service.go	Replaced detailed error messages (including status codes, reasons, and raw bodies) with generic ones while adding structured logging at debug/info levels to capture response details for troubleshooting.
Controller & TLS Utilities controllers/discoveredcluster_controller.go, pkg/ocm/tls_util.go	Added structured logging for authentication method validation failures and API errors; changed error returns to be generic without wrapping underlying error details; simplified per-status informational messages.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 Hop through logs now clean and bright,
Where secrets hide from prying sight,
Deep copies leap without a care,
With proper slices everywhere,
Generic whispers guide the way—
A cleaner code to hop-hop-hooray! 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description covers the required sections including summary, changes made, files modified, and testing notes. It is complete and provides sufficient detail about the sanitization effort.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The PR title directly and clearly describes the main change: sanitizing error messages to prevent information disclosure, which aligns perfectly with all the file modifications that remove sensitive details from user-facing errors.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/ocm/subscription/provider.go (1)

118-136: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Populate StatusCode and Response on every subscription error path.

The non-JSON branch returns StatusCode == 0, and the parsed-error branch drops Response whenever Reason is present. pkg/ocm/subscription/service.go switches on err.StatusCode, so a 401/404/429/5xx with a plain-text or HTML body will now miss the empty-list fallback and bubble an error instead.

Suggested fix

 	if response.StatusCode > 299 {
 		var errResponse SubscriptionError
 		if err := json.Unmarshal(bytes, &errResponse); err != nil {
 			logf.V(1).Info("Subscription API error response", "status", response.StatusCode, "body", string(bytes))
 			return nil, &SubscriptionError{
 				Error:    fmt.Errorf("failed to retrieve subscription information"),
 				Response: bytes,
+				StatusCode: response.StatusCode,
 			}
 		}

 		logf.V(1).Info("Subscription API error", "status", response.StatusCode, "reason", errResponse.Reason)
+		errResponse.Response = bytes

 		if errResponse.Reason == "" {
 			errResponse.Error = fmt.Errorf("failed to retrieve subscription information")
-			errResponse.Response = bytes
-		} else {
-			errResponse.Error = fmt.Errorf("failed to retrieve subscription information")
 		}
+		errResponse.Error = fmt.Errorf("failed to retrieve subscription information")

 		errResponse.StatusCode = response.StatusCode
 		return nil, &errResponse
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/ocm/subscription/provider.go` around lines 118 - 136, The code paths for
subscription API errors don't always populate StatusCode and Response: when
json.Unmarshal fails the SubscriptionError returned lacks StatusCode, and when
parsing succeeds but errResponse.Reason != "" the parsed errResponse drops
Response; update the error handling so the SubscriptionError literal
(constructed when json.Unmarshal fails) includes StatusCode:
response.StatusCode, and always set errResponse.Response = bytes (in the
parsed-error branch regardless of Reason) before returning; keep setting
errResponse.StatusCode = response.StatusCode and return &errResponse as before.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/ocm/auth/provider.go`:
- Around line 105-116: The parsed auth error handling currently only sets
errResponse.Response when ErrorMessage or Description is empty, losing the raw
response for other parsed failures; modify the logic in the auth error handling
(where errResponse.Code is set and logf.V(1).Info is called) to assign
errResponse.Response = bytes unconditionally for non-2xx responses before the
subsequent branch that checks errResponse.ErrorMessage and
errResponse.Description so every parsed auth error retains the raw payload
(leave the existing Error/ErrInvalidToken assignments intact).

---

Outside diff comments:
In `@pkg/ocm/subscription/provider.go`:
- Around line 118-136: The code paths for subscription API errors don't always
populate StatusCode and Response: when json.Unmarshal fails the
SubscriptionError returned lacks StatusCode, and when parsing succeeds but
errResponse.Reason != "" the parsed errResponse drops Response; update the error
handling so the SubscriptionError literal (constructed when json.Unmarshal
fails) includes StatusCode: response.StatusCode, and always set
errResponse.Response = bytes (in the parsed-error branch regardless of Reason)
before returning; keep setting errResponse.StatusCode = response.StatusCode and
return &errResponse as before.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 42a4c1ca-d509-4700-b0d7-eb561aced9ad

📥 Commits

Reviewing files that changed from the base of the PR and between b6d4b43 and ba363d9.

📒 Files selected for processing (8)

• api/v1/zz_generated.deepcopy.go
• api/v1alpha1/zz_generated.deepcopy.go
• controllers/discoveredcluster_controller.go
• pkg/ocm/auth/provider.go
• pkg/ocm/cluster/client.go
• pkg/ocm/subscription/provider.go
• pkg/ocm/subscription/service.go
• pkg/ocm/tls_util.go

💤 Files with no reviewable changes (1)

• api/v1alpha1/zz_generated.deepcopy.go