From 57f970e71f819e90734fd6f0b7f9fb07b9000ec8 Mon Sep 17 00:00:00 2001 From: YuriyZ Date: Mon, 6 Jan 2025 16:42:51 +0200 Subject: [PATCH] chore(jans-auth-server): sanitized username to avoid fake logs from input (#10543) chore(jans-auth-server): sanitized username to avoid fake logs from input #10543 Signed-off-by: YuriyZ
---
 .../io/jans/as/server/auth/Authenticator.java | 27 ++++++++++--------- .../io/jans/as/server/util/ServerUtil.java | 16 +++++++++++ 2 files changed, 30 insertions(+), 13 deletions(-)
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/auth/Authenticator.java b/jans-auth-server/server/src/main/java/io/jans/as/server/auth/Authenticator.java
index bb99ae6cbed..16a0aa5052d 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/auth/Authenticator.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/auth/Authenticator.java
@@ -44,6 +44,7 @@ import java.util.Map.Entry;
 import static io.jans.as.model.config.Constants.AUTH_STEP;
+import static io.jans.as.server.util.ServerUtil.sanitizeUsernameForLog;
 import static org.apache.commons.lang3.BooleanUtils.isFalse;
 import static org.apache.commons.lang3.BooleanUtils.isTrue;
@@ -213,7 +214,7 @@ public String authenticateImpl(HttpServletRequest servletRequest, boolean intera
 boolean service) {
 String result = Constants.RESULT_FAILURE;
 try {
- logger.trace("Authenticating ... (interactive: {}, skipPassword: {}, credentials.username: {})", interactive, skipPassword, credentials.getUsername());
+ logger.trace("Authenticating ... (interactive: {}, skipPassword: {}, credentials.username: {})", interactive, skipPassword, sanitizeUsernameForLog(credentials.getUsername()));
 if (isServiceAuthentication(service, skipPassword, servletRequest)) {
 boolean authenticated = clientAuthentication(credentials, interactive, skipPassword);
 if (authenticated) {
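Review bot: The sanitizer is applied by hand at every logging call in this hunk and in the following ones (@@ -237, -259, -445, -460, -528, -547), so any later `logger.*(..., credentials.getUsername())` added to Authenticator silently reopens the log-forging path this commit closes. A small private helper would make the wrapped form the only one in the class, e.g. `private static String usernameForLog(Credentials credentials) { return sanitizeUsernameForLog(credentials.getUsername()); }`; `credentials` appears to be a field in userAuthenticationInteractive and a parameter in clientAuthentication, so a parameterized helper covers both. The body of authenticateImpl continues outside the hunk.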
@@ -237,11 +238,11 @@ public String authenticateImpl(HttpServletRequest servletRequest, boolean intera
 }
 if (Constants.RESULT_SUCCESS.equals(result)) {
- logger.trace("Authentication successfully for '{}'", credentials.getUsername());
+ logger.trace("Authentication successfully for '{}'", sanitizeUsernameForLog(credentials.getUsername()));
 return result;
 }
- logger.info("Authentication failed for '{}'", credentials.getUsername());
+ logger.debug("Authentication failed for '{}'", sanitizeUsernameForLog(credentials.getUsername()));
 return result;
 }
@@ -259,7 +260,7 @@ public boolean clientAuthentication(Credentials credentials, boolean interactive
 boolean result = externalAuthenticationService.executeExternalAuthenticate(customScriptConfiguration, null, 1);
- logger.info("Authentication result for user '{}', result: '{}'", credentials.getUsername(), result);
+ logger.info("Authentication result for user '{}', result: '{}'", sanitizeUsernameForLog(credentials.getUsername()), result);
 if (result) {
 Client client = authenticationService.configureSessionClient();
@@ -445,10 +446,10 @@ private String userAuthenticationInteractive(HttpServletRequest servletRequest)
 authenticationService.quietLogin(credentials.getUsername());
 // Redirect to authorization workflow
- logger.debug("Sending event to trigger user redirection: '{}'", credentials.getUsername());
+ logger.debug("Sending event to trigger user redirection: '{}'", sanitizeUsernameForLog(credentials.getUsername()));
 authenticationService.onSuccessfulLogin(eventSessionId);
- logger.info(AUTHENTICATION_SUCCESS_FOR_USER, credentials.getUsername());
+ logger.info(AUTHENTICATION_SUCCESS_FOR_USER, sanitizeUsernameForLog(credentials.getUsername()));
 return Constants.RESULT_SUCCESS;
 }
 } else {
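Review bot: The level change from `logger.info` to `logger.debug` on the "Authentication failed for '{}'" line in @@ -237 is unrelated to the sanitizing the commit message describes and lowers the visibility of failed logins: at the usual INFO threshold this entry disappears, while the sibling failure lines in @@ -528 and @@ -547 stay at INFO, leaving the file inconsistent. Failed-authentication events are a primary input for brute-force and credential-stuffing detection, so if the downgrade is meant to avoid double logging with those later lines, say so in the commit message or a comment; otherwise keep `logger.info("Authentication failed for '{}'", sanitizeUsernameForLog(credentials.getUsername()));`. authenticateImpl starts outside the hunk.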
@@ -460,14 +461,14 @@ private String userAuthenticationInteractive(HttpServletRequest servletRequest)
 sessionIdAttributes);
 // Redirect to authorization workflow
- logger.debug("Sending event to trigger user redirection: '{}'", credentials.getUsername());
+ logger.debug("Sending event to trigger user redirection: '{}'", sanitizeUsernameForLog(credentials.getUsername()));
 authenticationService.onSuccessfulLogin(eventSessionId);
 } else {
 // Force session lastUsedAt update if authentication attempt is failed
 sessionIdService.updateSessionId(sessionId);
 }
- logger.info(AUTHENTICATION_SUCCESS_FOR_USER, credentials.getUsername());
+ logger.info(AUTHENTICATION_SUCCESS_FOR_USER, sanitizeUsernameForLog(credentials.getUsername()));
 return Constants.RESULT_SUCCESS;
 }
 }
@@ -528,16 +529,16 @@ private boolean userAuthenticationService() {
 boolean result = externalAuthenticationService.executeExternalAuthenticate(customScriptConfiguration, null, 1);
- logger.info("Authentication result for '{}'. auth_step: '{}', result: '{}'", credentials.getUsername(),
+ logger.info("Authentication result for '{}'. auth_step: '{}', result: '{}'", sanitizeUsernameForLog(credentials.getUsername()),
 this.authStep, result);
 if (result) {
 authenticationService.configureEventUser();
- logger.info(AUTHENTICATION_SUCCESS_FOR_USER, credentials.getUsername());
+ logger.info(AUTHENTICATION_SUCCESS_FOR_USER, sanitizeUsernameForLog(credentials.getUsername()));
 return true;
 }
- logger.info("Authentication failed for User: '{}'", credentials.getUsername());
+ logger.info("Authentication failed for User: '{}'", sanitizeUsernameForLog(credentials.getUsername()));
 }
 }
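Review bot: In @@ -460 the `logger.info(AUTHENTICATION_SUCCESS_FOR_USER, ...)` line and the `return Constants.RESULT_SUCCESS;` after it run after both branches, including the `else` branch commented "Force session lastUsedAt update if authentication attempt is failed"; if that branch really is a failed attempt, the success entry misleads anyone reconciling the audit trail and inflates successful-login counts. The governing `if` condition is outside the hunk, so this may be intended (the else branch may only mean there is no event session to redirect); a one-line comment on the log call stating why success is recorded in both cases would settle it. userAuthenticationInteractive begins and ends outside the hunk.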
@@ -547,10 +548,10 @@ private boolean userAuthenticationService() {
 if (authenticated) {
 authenticationService.configureEventUser();
- logger.info(AUTHENTICATION_SUCCESS_FOR_USER, credentials.getUsername());
+ logger.info(AUTHENTICATION_SUCCESS_FOR_USER, sanitizeUsernameForLog(credentials.getUsername()));
 return true;
 }
- logger.info("Authentication failed for User: '{}'", credentials.getUsername());
+ logger.info("Authentication failed for User: '{}'", sanitizeUsernameForLog(credentials.getUsername()));
 }
 return false;
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/util/ServerUtil.java b/jans-auth-server/server/src/main/java/io/jans/as/server/util/ServerUtil.java
index 7e6ad125190..1bbf17244a2 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/util/ServerUtil.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/util/ServerUtil.java
@@ -26,6 +26,7 @@ import jakarta.servlet.http.HttpServletRequest;
 import jakarta.ws.rs.core.CacheControl;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -66,6 +67,21 @@ public class ServerUtil {
 private ServerUtil() {
 }
+ /**
+ * Sanitized username before output by logger
+ * @param username username
+ *
+ * @return sanitized username
+ */
+ public static String sanitizeUsernameForLog(String username) {
+ if (username == null) {
+ return "unknown_user";
+ }
+ final int maximumUsernameLength = 50;
+ username = username.length() > maximumUsernameLength ? username.substring(0, maximumUsernameLength) : username;
+ return StringEscapeUtils.escapeJava(username).replaceAll("[\\r\\n]", "_");
+ }
+
 public static Map prepareForLogs(Map parameters) {
 if (parameters == null || parameters.isEmpty()) {
 return new HashMap<>();
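Review bot: In sanitizeUsernameForLog (@@ -66) the trailing `.replaceAll("[\\r\\n]", "_")` is a no-op, because commons-text's `escapeJava` already rewrites CR and LF as the two-character escapes `\r` and `\n` (and the other C0 control characters as `\uXXXX`), so either drop it, `return StringEscapeUtils.escapeJava(truncated);`, or comment that it is a deliberate second line of defense so the next reader does not conclude escapeJava lets newlines through. Reassigning the `username` parameter hides the truncation; `final String truncated = username.length() > maximumUsernameLength ? username.substring(0, maximumUsernameLength) : username;` is clearer, and since truncation happens before escaping the output can exceed 50 characters for non-ASCII usernames, which is acceptable for a log field but worth stating. The Javadoc should spell out the contract instead of "Sanitized username before output by logger": null yields the placeholder `unknown_user`, the value is cut to 50 characters, and control and non-ASCII characters are Java-escaped so caller-supplied input cannot forge log lines. The new `org.apache.commons.text.StringEscapeUtils` import (@@ -26) assumes commons-text is already on the server module's classpath; this diff touches no build file, so that should be confirmed.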