fix(jans-auth-server): client secret printed on logs (#7608)

#4323 Signed-off-by: YuriyZ <[email protected]>
JanssenProject · Feb 1, 2024 · 8600b19 · 8600b19
1 parent 4b661db
commit 8600b19
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 21 deletions.
diff --git a/...th-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenRestWebServiceImpl.java b/...th-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenRestWebServiceImpl.java
@@ -64,6 +64,7 @@
 import java.util.function.Function;
 
 import static io.jans.as.model.config.Constants.*;
+import static io.jans.as.server.util.ServerUtil.prepareForLogs;
 import static org.apache.commons.lang.BooleanUtils.isFalse;
 import static org.apache.commons.lang.BooleanUtils.isTrue;
 
@@ -161,7 +162,7 @@ public Response requestAccessToken(String grantType, String code,
         log.debug(
                 "Attempting to request access token: grantType = {}, code = {}, redirectUri = {}, username = {}, refreshToken = {}, " +
                         "clientId = {}, ExtraParams = {}, isSecure = {}, codeVerifier = {}, ticket = {}, authorizationDetails = {}",
-                grantType, code, redirectUri, username, refreshToken, clientId, request.getParameterMap(),
+                grantType, code, redirectUri, username, refreshToken, clientId, prepareForLogs(request.getParameterMap()),
                 sec.isSecure(), codeVerifier, ticket, authorizationDetails);
 
         boolean isUma = StringUtils.isNotBlank(ticket);

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/util/ServerUtil.java b/jans-auth-server/server/src/main/java/io/jans/as/server/util/ServerUtil.java
@@ -6,33 +6,13 @@
 
 package io.jans.as.server.util;
 
-import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.net.URLDecoder;
-import java.util.Date;
-import java.util.GregorianCalendar;
-import java.util.List;
-import java.util.Map;
-import java.util.TimeZone;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.ThreadFactory;
-
-import org.apache.commons.lang.StringUtils;
-import org.json.JSONObject;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.AnnotationIntrospector;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
 import com.fasterxml.jackson.databind.introspect.JacksonAnnotationIntrospector;
 import com.fasterxml.jackson.datatype.jsonorg.JsonOrgModule;
-
 import io.jans.as.common.service.common.ApplicationFactory;
 import io.jans.as.model.uma.persistence.UmaPermission;
 import io.jans.as.server.uma.service.UmaScopeService;
@@ -45,6 +25,20 @@
 import jakarta.faces.context.FacesContext;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.ws.rs.core.CacheControl;
+import org.apache.commons.lang.StringUtils;
+import org.json.JSONObject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLDecoder;
+import java.util.*;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.ThreadFactory;
 
 /**
  * @author Yuriy Zabrovarnyy
@@ -72,6 +66,18 @@ public class ServerUtil {
     private ServerUtil() {
     }
 
+    public static Map<String, String[]> prepareForLogs(Map<String, String[]> parameters) {
+        if (parameters == null || parameters.isEmpty()) {
+            return new HashMap<>();
+        }
+
+        Map<String, String[]> result = new HashMap<>(parameters);
+        if (result.containsKey("client_secret")) {
+            result.put("client_secret", new String[] {"*****"});
+        }
+        return result;
+    }
+
     public static GregorianCalendar now() {
         return new GregorianCalendar(TimeZone.getTimeZone("UTC"));
     }

diff --git a/jans-auth-server/server/src/test/java/io/jans/as/server/util/ServerUtilTest.java b/jans-auth-server/server/src/test/java/io/jans/as/server/util/ServerUtilTest.java
@@ -0,0 +1,24 @@
+package io.jans.as.server.util;
+
+import org.testng.annotations.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * @author Yuriy Z
+ */
+public class ServerUtilTest {
+
+    @Test
+    public void prepareForLogs_whenCalled_shouldNotHaveClearTextClientPassword() {
+        Map<String, String[]> parameters = new HashMap<>();
+        parameters.put("client_secret", new String[] {"124"});
+
+        final Map<String, String[]> result = ServerUtil.prepareForLogs(parameters);
+
+        assertEquals("*****", result.get("client_secret")[0]);
+    }
+}
diff --git a/jans-auth-server/server/src/test/resources/testng.xml b/jans-auth-server/server/src/test/resources/testng.xml
@@ -52,6 +52,9 @@
             <!-- SESSION -->
             <class name="io.jans.as.server.session.ws.rs.EndSessionRestWebServiceImplTest" />
             <class name="io.jans.as.server.session.ws.rs.EndSessionServiceTest" />
+
+            <!-- UTIL -->
+            <class name="io.jans.as.server.util.ServerUtilTest" />
         </classes>
     </test>