Madhura Bhave
commit
eeab9233cc
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2012-2019 the original author or authors.
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -16,8 +16,12 @@
|
|||
|
||||
package org.springframework.boot.actuate.endpoint;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.Set;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
|
@ -32,18 +36,29 @@ import org.springframework.util.StringUtils;
|
|||
* @author Nicolas Lejeune
|
||||
* @author Stephane Nicoll
|
||||
* @author HaiTao Zhang
|
||||
* @author Chris Bono
|
||||
* @since 2.0.0
|
||||
*/
|
||||
public class Sanitizer {
|
||||
|
||||
private static final String[] REGEX_PARTS = { "*", "$", "^", "+" };
|
||||
|
||||
private static final Set<String> DEFAULT_KEYS_TO_SANITIZE = new LinkedHashSet<>(Arrays.asList("password", "secret",
|
||||
"key", "token", ".*credentials.*", "vcap_services", "sun.java.command"));
|
||||
|
||||
private static final Set<String> URI_USERINFO_KEYS = new LinkedHashSet<>(
|
||||
Arrays.asList("uri", "uris", "address", "addresses"));
|
||||
|
||||
private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("[A-Za-z]+://.+:(.*)@.+$");
|
||||
|
||||
private Pattern[] keysToSanitize;
|
||||
|
||||
static {
|
||||
DEFAULT_KEYS_TO_SANITIZE.addAll(URI_USERINFO_KEYS);
|
||||
}
|
||||
|
||||
public Sanitizer() {
|
||||
this("password", "secret", "key", "token", ".*credentials.*", "vcap_services", "sun.java.command", "uri");
|
||||
this(DEFAULT_KEYS_TO_SANITIZE.toArray(new String[0]));
|
||||
}
|
||||
|
||||
public Sanitizer(String... keysToSanitize) {
|
||||
|
|
@ -91,8 +106,8 @@ public class Sanitizer {
|
|||
}
|
||||
for (Pattern pattern : this.keysToSanitize) {
|
||||
if (pattern.matcher(key).matches()) {
|
||||
if (pattern.matcher("uri").matches()) {
|
||||
return sanitizeUri(value);
|
||||
if (keyIsUriWithUserInfo(pattern)) {
|
||||
return sanitizeUris(value.toString());
|
||||
}
|
||||
return "******";
|
||||
}
|
||||
|
|
@ -100,12 +115,24 @@ public class Sanitizer {
|
|||
return value;
|
||||
}
|
||||
|
||||
private Object sanitizeUri(Object value) {
|
||||
String uriString = value.toString();
|
||||
Matcher matcher = URI_USERINFO_PATTERN.matcher(uriString);
|
||||
private boolean keyIsUriWithUserInfo(Pattern pattern) {
|
||||
for (String uriKey : URI_USERINFO_KEYS) {
|
||||
if (pattern.matcher(uriKey).matches()) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private Object sanitizeUris(String value) {
|
||||
return Arrays.stream(value.split(",")).map(this::sanitizeUri).collect(Collectors.joining(","));
|
||||
}
|
||||
|
||||
private String sanitizeUri(String value) {
|
||||
Matcher matcher = URI_USERINFO_PATTERN.matcher(value);
|
||||
String password = matcher.matches() ? matcher.group(1) : null;
|
||||
if (password != null) {
|
||||
return StringUtils.replace(uriString, ":" + password + "@", ":******@");
|
||||
return StringUtils.replace(value, ":" + password + "@", ":******@");
|
||||
}
|
||||
return value;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2012-2019 the original author or authors.
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -51,6 +51,7 @@ import static org.assertj.core.api.Assertions.entry;
|
|||
* @author Andy Wilkinson
|
||||
* @author Stephane Nicoll
|
||||
* @author HaiTao Zhang
|
||||
* @author Chris Bono
|
||||
*/
|
||||
@SuppressWarnings("unchecked")
|
||||
class ConfigurationPropertiesReportEndpointTests {
|
||||
|
|
@ -201,7 +202,7 @@ class ConfigurationPropertiesReportEndpointTests {
|
|||
}
|
||||
|
||||
@Test
|
||||
void sanitizedUriWithSensitiveInfo() {
|
||||
void sanitizeUriWithSensitiveInfo() {
|
||||
this.contextRunner.withUserConfiguration(SensiblePropertiesConfiguration.class)
|
||||
.withPropertyValues("sensible.sensitiveUri=http://user:password@localhost:8080")
|
||||
.run(assertProperties("sensible", (properties) -> assertThat(properties.get("sensitiveUri"))
|
||||
|
|
@ -214,7 +215,7 @@ class ConfigurationPropertiesReportEndpointTests {
|
|||
}
|
||||
|
||||
@Test
|
||||
void sanitizedUriWithNoPassword() {
|
||||
void sanitizeUriWithNoPassword() {
|
||||
this.contextRunner.withUserConfiguration(SensiblePropertiesConfiguration.class)
|
||||
.withPropertyValues("sensible.noPasswordUri=http://user:@localhost:8080")
|
||||
.run(assertProperties("sensible", (properties) -> assertThat(properties.get("noPasswordUri"))
|
||||
|
|
@ -226,6 +227,13 @@ class ConfigurationPropertiesReportEndpointTests {
|
|||
}));
|
||||
}
|
||||
|
||||
@Test
|
||||
void sanitizeAddressesFieldContainingMultipleRawSensitiveUris() {
|
||||
this.contextRunner.withUserConfiguration(SensiblePropertiesConfiguration.class)
|
||||
.run(assertProperties("sensible", (properties) -> assertThat(properties.get("rawSensitiveAddresses"))
|
||||
.isEqualTo("http://user:******@localhost:8080,http://user2:******@localhost:8082")));
|
||||
}
|
||||
|
||||
@Test
|
||||
void sanitizeLists() {
|
||||
this.contextRunner.withUserConfiguration(SensiblePropertiesConfiguration.class)
|
||||
|
|
@ -647,6 +655,8 @@ class ConfigurationPropertiesReportEndpointTests {
|
|||
|
||||
private List<String> simpleList = new ArrayList<>();
|
||||
|
||||
private String rawSensitiveAddresses = "http://user:password@localhost:8080,http://user2:password2@localhost:8082";
|
||||
|
||||
private List<ListItem> listItems = new ArrayList<>();
|
||||
|
||||
private List<List<ListItem>> listOfListItems = new ArrayList<>();
|
||||
|
|
@ -672,6 +682,14 @@ class ConfigurationPropertiesReportEndpointTests {
|
|||
return this.noPasswordUri;
|
||||
}
|
||||
|
||||
public String getRawSensitiveAddresses() {
|
||||
return this.rawSensitiveAddresses;
|
||||
}
|
||||
|
||||
public void setRawSensitiveAddresses(final String rawSensitiveAddresses) {
|
||||
this.rawSensitiveAddresses = rawSensitiveAddresses;
|
||||
}
|
||||
|
||||
public List<ListItem> getListItems() {
|
||||
return this.listItems;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2012-2019 the original author or authors.
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -16,7 +16,11 @@
|
|||
|
||||
package org.springframework.boot.actuate.endpoint;
|
||||
|
||||
import java.util.stream.Stream;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.params.ParameterizedTest;
|
||||
import org.junit.jupiter.params.provider.MethodSource;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
|
|
@ -25,11 +29,12 @@ import static org.assertj.core.api.Assertions.assertThat;
|
|||
*
|
||||
* @author Phillip Webb
|
||||
* @author Stephane Nicoll
|
||||
* @author Chris Bono
|
||||
*/
|
||||
class SanitizerTests {
|
||||
|
||||
@Test
|
||||
void defaults() {
|
||||
void defaultNonUriKeys() {
|
||||
Sanitizer sanitizer = new Sanitizer();
|
||||
assertThat(sanitizer.sanitize("password", "secret")).isEqualTo("******");
|
||||
assertThat(sanitizer.sanitize("my-password", "secret")).isEqualTo("******");
|
||||
|
|
@ -40,23 +45,71 @@ class SanitizerTests {
|
|||
assertThat(sanitizer.sanitize("sometoken", "secret")).isEqualTo("******");
|
||||
assertThat(sanitizer.sanitize("find", "secret")).isEqualTo("secret");
|
||||
assertThat(sanitizer.sanitize("sun.java.command", "--spring.redis.password=pa55w0rd")).isEqualTo("******");
|
||||
assertThat(sanitizer.sanitize("my.uri", "http://user:password@localhost:8080"))
|
||||
}
|
||||
|
||||
@ParameterizedTest(name = "key = {0}")
|
||||
@MethodSource("matchingUriUserInfoKeys")
|
||||
void uriWithSingleValueWithPasswordShouldBeSanitized(String key) {
|
||||
Sanitizer sanitizer = new Sanitizer();
|
||||
assertThat(sanitizer.sanitize(key, "http://user:password@localhost:8080"))
|
||||
.isEqualTo("http://user:******@localhost:8080");
|
||||
}
|
||||
|
||||
@Test
|
||||
void uriWithNoPasswordShouldNotBeSanitized() {
|
||||
@ParameterizedTest(name = "key = {0}")
|
||||
@MethodSource("matchingUriUserInfoKeys")
|
||||
void uriWithSingleValueWithNoPasswordShouldNotBeSanitized(String key) {
|
||||
Sanitizer sanitizer = new Sanitizer();
|
||||
assertThat(sanitizer.sanitize("my.uri", "http://localhost:8080")).isEqualTo("http://localhost:8080");
|
||||
assertThat(sanitizer.sanitize(key, "http://localhost:8080")).isEqualTo("http://localhost:8080");
|
||||
assertThat(sanitizer.sanitize(key, "http://user@localhost:8080")).isEqualTo("http://user@localhost:8080");
|
||||
}
|
||||
|
||||
@Test
|
||||
void uriWithPasswordMatchingOtherPartsOfString() {
|
||||
@ParameterizedTest(name = "key = {0}")
|
||||
@MethodSource("matchingUriUserInfoKeys")
|
||||
void uriWithSingleValueWithPasswordMatchingOtherPartsOfStringShouldBeSanitized(String key) {
|
||||
Sanitizer sanitizer = new Sanitizer();
|
||||
assertThat(sanitizer.sanitize("my.uri", "http://user://@localhost:8080"))
|
||||
assertThat(sanitizer.sanitize(key, "http://user://@localhost:8080"))
|
||||
.isEqualTo("http://user:******@localhost:8080");
|
||||
}
|
||||
|
||||
@ParameterizedTest(name = "key = {0}")
|
||||
@MethodSource("matchingUriUserInfoKeys")
|
||||
void uriWithMultipleValuesEachWithPasswordShouldHaveAllSanitized(String key) {
|
||||
Sanitizer sanitizer = new Sanitizer();
|
||||
assertThat(
|
||||
sanitizer.sanitize(key, "http://user1:password1@localhost:8080,http://user2:password2@localhost:8082"))
|
||||
.isEqualTo("http://user1:******@localhost:8080,http://user2:******@localhost:8082");
|
||||
}
|
||||
|
||||
@ParameterizedTest(name = "key = {0}")
|
||||
@MethodSource("matchingUriUserInfoKeys")
|
||||
void uriWithMultipleValuesNoneWithPasswordShouldHaveNoneSanitized(String key) {
|
||||
Sanitizer sanitizer = new Sanitizer();
|
||||
assertThat(sanitizer.sanitize(key, "http://user@localhost:8080,http://localhost:8082"))
|
||||
.isEqualTo("http://user@localhost:8080,http://localhost:8082");
|
||||
}
|
||||
|
||||
@ParameterizedTest(name = "key = {0}")
|
||||
@MethodSource("matchingUriUserInfoKeys")
|
||||
void uriWithMultipleValuesSomeWithPasswordShouldHaveThoseSanitized(String key) {
|
||||
Sanitizer sanitizer = new Sanitizer();
|
||||
assertThat(sanitizer.sanitize(key,
|
||||
"http://user1:password1@localhost:8080,http://user2@localhost:8082,http://localhost:8083")).isEqualTo(
|
||||
"http://user1:******@localhost:8080,http://user2@localhost:8082,http://localhost:8083");
|
||||
}
|
||||
|
||||
@ParameterizedTest(name = "key = {0}")
|
||||
@MethodSource("matchingUriUserInfoKeys")
|
||||
void uriWithMultipleValuesWithPasswordMatchingOtherPartsOfStringShouldBeSanitized(String key) {
|
||||
Sanitizer sanitizer = new Sanitizer();
|
||||
assertThat(sanitizer.sanitize(key, "http://user1://@localhost:8080,http://user2://@localhost:8082"))
|
||||
.isEqualTo("http://user1:******@localhost:8080,http://user2:******@localhost:8082");
|
||||
}
|
||||
|
||||
private static Stream<String> matchingUriUserInfoKeys() {
|
||||
return Stream.of("uri", "my.uri", "myuri", "uris", "my.uris", "myuris", "address", "my.address", "myaddress",
|
||||
"addresses", "my.addresses", "myaddresses");
|
||||
}
|
||||
|
||||
@Test
|
||||
void regex() {
|
||||
Sanitizer sanitizer = new Sanitizer(".*lock.*");
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2012-2019 the original author or authors.
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -50,6 +50,7 @@ import static org.assertj.core.api.Assertions.assertThat;
|
|||
* @author Madhura Bhave
|
||||
* @author Andy Wilkinson
|
||||
* @author HaiTao Zhang
|
||||
* @author Chris Bono
|
||||
*/
|
||||
class EnvironmentEndpointTests {
|
||||
|
||||
|
|
@ -246,13 +247,25 @@ class EnvironmentEndpointTests {
|
|||
}
|
||||
|
||||
@Test
|
||||
void uriPropertryWithSensitiveInfo() {
|
||||
void uriPropertyWithSensitiveInfo() {
|
||||
ConfigurableEnvironment environment = new StandardEnvironment();
|
||||
TestPropertyValues.of("sensitive.uri=http://user:password@localhost:8080").applyTo(environment);
|
||||
EnvironmentEntryDescriptor descriptor = new EnvironmentEndpoint(environment).environmentEntry("sensitive.uri");
|
||||
assertThat(descriptor.getProperty().getValue()).isEqualTo("http://user:******@localhost:8080");
|
||||
}
|
||||
|
||||
@Test
|
||||
void addressesPropertyWithMultipleEntriesEachWithSensitiveInfo() {
|
||||
ConfigurableEnvironment environment = new StandardEnvironment();
|
||||
TestPropertyValues
|
||||
.of("sensitive.addresses=http://user:password@localhost:8080,http://user2:password2@localhost:8082")
|
||||
.applyTo(environment);
|
||||
EnvironmentEntryDescriptor descriptor = new EnvironmentEndpoint(environment)
|
||||
.environmentEntry("sensitive.addresses");
|
||||
assertThat(descriptor.getProperty().getValue())
|
||||
.isEqualTo("http://user:******@localhost:8080,http://user2:******@localhost:8082");
|
||||
}
|
||||
|
||||
private static ConfigurableEnvironment emptyEnvironment() {
|
||||
StandardEnvironment environment = new StandardEnvironment();
|
||||
environment.getPropertySources().remove(StandardEnvironment.SYSTEM_ENVIRONMENT_PROPERTY_SOURCE_NAME);
|
||||
|
|
|
|||
Loading…
Reference in New Issue