Add sanitizer to history output. (#4968)

Corneil du Plessis · web-flow · commit 439f26ac5735 · 2022-06-30T17:29:09.000+02:00
Fixes - #4964
diff --git a/spring-cloud-dataflow-rest-resource/src/main/java/org/springframework/cloud/dataflow/rest/util/ArgumentSanitizer.java b/spring-cloud-dataflow-rest-resource/src/main/java/org/springframework/cloud/dataflow/rest/util/ArgumentSanitizer.java
@@ -17,12 +17,20 @@
 package org.springframework.cloud.dataflow.rest.util;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.regex.Pattern;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import org.springframework.batch.core.JobParameter;
 import org.springframework.batch.core.JobParameters;
 import org.springframework.cloud.dataflow.core.DefinitionUtils;
@@ -39,8 +47,10 @@
  * @author Glenn Renfro
  * @author Gunnar Hillert
  * @author Ilayaperumal Gopinathan
+ * @author Corneil du Plessis
  */
 public class ArgumentSanitizer {
+	private final static Logger logger = LoggerFactory.getLogger(ArgumentSanitizer.class);
 
     private static final String[] REGEX_PARTS = {"*", "$", "^", "+"};
 
@@ -204,4 +214,75 @@ public HttpHeaders sanitizeHeaders(HttpHeaders headers) {
         }
         return result;
     }
+	/**
+	 * Will replace sensitive string value in the Map with '*****'
+	 *
+	 * @param input to be sanitized
+	 * @return the sanitized map.
+	 */
+	public Map<String, Object> sanitizeMap(Map<String, Object> input) {
+		Map<String, Object> result = new HashMap<>();
+		for (Map.Entry<String, Object> entry : input.entrySet()) {
+			if (entry.getValue() instanceof String) {
+				result.put(entry.getKey(), sanitize(entry.getKey(), (String) entry.getValue()));
+			} else if (entry.getValue() instanceof Map) {
+				Map<String, Object> map = (Map<String, Object>) entry.getValue();
+				result.put(entry.getKey(), sanitizeMap(map));
+			} else {
+				result.put(entry.getKey(), entry.getValue());
+			}
+		}
+		return result;
+	}
+
+	/**
+	 * Will replace the sensitive string fields with '*****'
+	 *
+	 * @param input to be sanitized
+	 * @return The sanitized JSON string
+	 * @throws JsonProcessingException
+	 */
+	public String sanitizeJsonString(String input) throws JsonProcessingException {
+		ObjectMapper mapper = new ObjectMapper();
+		Map<String, Object> data = mapper.readValue(input, new TypeReference<Map<String, Object>>() {
+		});
+		return mapper.writeValueAsString(sanitizeMap(data));
+	}
+
+	/**
+	 * Will replace the sensitive string fields with '*****'
+	 *
+	 * @param input to be sanitized
+	 * @return The sanitized YAML string
+	 * @throws JsonProcessingException
+	 */
+	public String sanitizeYamlString(String input) throws JsonProcessingException {
+		ObjectMapper mapper = new ObjectMapper(new YAMLFactory());
+		Map<String, Object> data = mapper.readValue(input, new TypeReference<Map<String, Object>>() {});
+		return mapper.writeValueAsString(sanitizeMap(data));
+	}
+	/**
+	 * Will determine the type of data and treat as JSON or YAML to sanitize sensitive values.
+	 *
+	 * @param input to be sanitized
+	 * @return the sanitized string
+	 * @throws JsonProcessingException
+	 */
+	public String sanitizeJsonOrYamlString(String input) throws JsonProcessingException {
+
+		try { // Try parsing as JSON
+			return sanitizeJsonString(input);
+		} catch (Throwable x) {
+			logger.debug("Cannot parse as JSON:" + x);
+		}
+		try {
+			return sanitizeYamlString(input);
+		} catch (Throwable x) {
+			logger.debug("Cannot parse as YAML:" + x);
+		}
+		if (input.contains("\n")) {
+			return StringUtils.collectionToDelimitedString(sanitizeArguments(Arrays.asList(StringUtils.split(input, "\n"))), "\n");
+		}
+		return sanitize(input);
+	}
 }
diff --git a/spring-cloud-dataflow-server-core/src/main/java/org/springframework/cloud/dataflow/server/controller/StreamDeploymentController.java b/spring-cloud-dataflow-server-core/src/main/java/org/springframework/cloud/dataflow/server/controller/StreamDeploymentController.java
@@ -19,7 +19,9 @@
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Map;
+import java.util.stream.Collectors;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -29,6 +31,7 @@
 import org.springframework.cloud.dataflow.rest.UpdateStreamRequest;
 import org.springframework.cloud.dataflow.rest.resource.DeploymentStateResource;
 import org.springframework.cloud.dataflow.rest.resource.StreamDeploymentResource;
+import org.springframework.cloud.dataflow.rest.util.ArgumentSanitizer;
 import org.springframework.cloud.dataflow.server.controller.support.ControllerUtils;
 import org.springframework.cloud.dataflow.server.repository.NoSuchStreamDefinitionException;
 import org.springframework.cloud.dataflow.server.repository.StreamDefinitionRepository;
@@ -142,7 +145,19 @@ public ResponseEntity<String> manifest(@PathVariable("name") String name,
 	@RequestMapping(path = "/history/{name}", method = RequestMethod.GET)
 	@ResponseStatus(HttpStatus.OK)
 	public Collection<Release> history(@PathVariable("name") String releaseName) {
-		return this.streamService.history(releaseName);
+		ArgumentSanitizer sanitizer = new ArgumentSanitizer();
+		return this.streamService.history(releaseName)
+			.stream()
+			.map(release -> {
+				if (release.getConfigValues() != null && StringUtils.hasText(release.getConfigValues().getRaw())) {
+					try {
+						release.getConfigValues().setRaw(sanitizer.sanitizeJsonOrYamlString(release.getConfigValues().getRaw()));
+					} catch (JsonProcessingException e) {
+						logger.error("history:exception:" + e, e);
+					}
+				}
+				return release;
+			}).collect(Collectors.toList());
 	}
 
 	@RequestMapping(path = "/platform/list", method = RequestMethod.GET)
diff --git a/spring-cloud-dataflow-server-core/src/test/java/org/springframework/cloud/dataflow/server/support/ArgumentSanitizerTest.java b/spring-cloud-dataflow-server-core/src/test/java/org/springframework/cloud/dataflow/server/support/ArgumentSanitizerTest.java
@@ -16,6 +16,9 @@
 
 package org.springframework.cloud.dataflow.server.support;
 
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.Reader;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.LinkedHashMap;
@@ -30,10 +33,14 @@
 import org.springframework.batch.core.JobParameters;
 import org.springframework.cloud.dataflow.core.TaskDefinition;
 import org.springframework.cloud.dataflow.rest.util.ArgumentSanitizer;
+import org.springframework.core.io.DefaultResourceLoader;
+import org.springframework.core.io.Resource;
+import org.springframework.util.FileCopyUtils;
 
 /**
  * @author Christian Tzolov
  * @author Ilayaperumal Gopinathan
+ * @author Corneil du Plessis
  */
 public class ArgumentSanitizerTest {
 
@@ -151,38 +158,31 @@ public void testMultipartProperty() {
 		Assert.assertEquals("--one.two.password=******", sanitizer.sanitize("--one.two.password=boza"));
 		Assert.assertEquals("--one_two_password=******", sanitizer.sanitize("--one_two_password=boza"));
 	}
+	private String loadStringFromResource(String uri) throws IOException {
+		Resource resource = new DefaultResourceLoader().getResource(uri);
+		try (Reader reader = new InputStreamReader(resource.getInputStream())) {
+			return FileCopyUtils.copyToString(reader);
+		}
+	}
+	@Test
+	public void testJsonData() throws IOException {
+		String input = loadStringFromResource("classpath:sanitizer1.json");
+		String output = sanitizer.sanitizeJsonOrYamlString(input);
+		System.out.println("Read:" + input);
+		System.out.println("Sanitized:" + output);
+		Assert.assertTrue(output.contains("*****"));
+		Assert.assertFalse(output.contains("54321"));
+
+	}
+
+	@Test
+	public void testYamlData() throws IOException {
+		String input = loadStringFromResource("classpath:sanitizer2.yaml");
+		String output = sanitizer.sanitizeJsonOrYamlString(input);
+		System.out.println("Read:" + input);
+		System.out.println("Sanitized:" + output);
+		Assert.assertTrue(output.contains("*****"));
+		Assert.assertFalse(output.contains("54321"));
+	}
 
-//	@Test
-//	public void testHierarchicalPropertyNames() {
-//		Assert.assertEquals("time --password='******' | log",
-//				sanitizer.sanitizeStream(new StreamDefinition("stream", "time --password=bar | log")));
-//	}
-//
-//	@Test
-//	public void testStreamPropertyOrder() {
-//		Assert.assertEquals("time --some.password='******' --another-secret='******' | log",
-//				sanitizer.sanitizeStream(new StreamDefinition("stream", "time --some.password=foobar --another-secret=kenny | log")));
-//	}
-//
-//	@Test
-//	public void testStreamMatcherWithHyphenDotChar() {
-//		Assert.assertEquals("twitterstream --twitter.credentials.access-token-secret='******' "
-//						+ "--twitter.credentials.access-token='******' --twitter.credentials.consumer-secret='******' "
-//						+ "--twitter.credentials.consumer-key='******' | "
-//						+ "filter --expression=#jsonPath(payload,'$.lang')=='en' | "
-//						+ "twitter-sentiment --vocabulary=https://dl.bintray.com/test --model-fetch=output/test "
-//						+ "--model=https://dl.bintray.com/test | field-value-counter --field-name=sentiment --name=sentiment",
-//				sanitizer.sanitizeStream(new StreamDefinition("stream", "twitterstream "
-//						+ "--twitter.credentials.consumer-key=dadadfaf --twitter.credentials.consumer-secret=dadfdasfdads "
-//						+ "--twitter.credentials.access-token=58849055-dfdae "
-//						+ "--twitter.credentials.access-token-secret=deteegdssa4466 | filter --expression='#jsonPath(payload,''$.lang'')==''en''' | "
-//						+ "twitter-sentiment --vocabulary=https://dl.bintray.com/test --model-fetch=output/test --model=https://dl.bintray.com/test | "
-//						+ "field-value-counter --field-name=sentiment --name=sentiment")));
-//	}
-//
-//	@Test
-//	public void testStreamSanitizeOriginalDsl() {
-//		StreamDefinition streamDefinition = new StreamDefinition("test", "time --password='******' | log --password='******'", "time --password='******' | log");
-//		Assert.assertEquals("time --password='******' | log", sanitizer.sanitizeOriginalStreamDsl(streamDefinition));
-//	}
 }
diff --git a/spring-cloud-dataflow-server-core/src/test/resources/sanitizer1.json b/spring-cloud-dataflow-server-core/src/test/resources/sanitizer1.json
@@ -0,0 +1,9 @@
+{
+  "password": "54321",
+  "username": "user21",
+  "server": "localhost",
+  "aws": {
+    "secretKey": "5432111",
+    "keyId": "key12"
+  }
+}
diff --git a/spring-cloud-dataflow-server-core/src/test/resources/sanitizer2.yaml b/spring-cloud-dataflow-server-core/src/test/resources/sanitizer2.yaml
@@ -0,0 +1,7 @@
+properties:
+  password: '54321'
+  username: 'user21'
+  server: 'localhost'
+  aws:
+    secretKey: '5432111'
+    keyId: 'key12'
