fix(oxauth): client secret printed on logs (#1880)

#1811
GluuFederation · Nov 22, 2023 · d15735f · d15735f
1 parent 6ee8d28
commit d15735f
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 2 deletions.
diff --git a/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java b/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java
@@ -52,6 +52,8 @@
 import java.util.Arrays;
 import java.util.Date;
 
+import static org.gluu.oxauth.util.ServerUtil.prepareForLogs;
+
 /**
  * Provides interface for token REST web services
  *
@@ -124,7 +126,7 @@ public Response requestAccessToken(String grantType, String code,
         log.debug(
                 "Attempting to request access token: grantType = {}, code = {}, redirectUri = {}, username = {}, refreshToken = {}, " +
                         "clientId = {}, ExtraParams = {}, isSecure = {}, codeVerifier = {}, ticket = {}",
-                grantType, code, redirectUri, username, refreshToken, clientId, request.getParameterMap(),
+                grantType, code, redirectUri, username, refreshToken, clientId, prepareForLogs(request.getParameterMap()),
                 sec.isSecure(), codeVerifier, ticket);
 
         boolean isUma = StringUtils.isNotBlank(ticket);

diff --git a/Server/src/main/java/org/gluu/oxauth/util/ServerUtil.java b/Server/src/main/java/org/gluu/oxauth/util/ServerUtil.java
@@ -52,11 +52,23 @@
 
 public class ServerUtil {
 
-    private final static Logger log = LoggerFactory.getLogger(ServerUtil.class);
+    private static final Logger log = LoggerFactory.getLogger(ServerUtil.class);
 
     private ServerUtil() {
     }
 
+    public static Map<String, String[]> prepareForLogs(Map<String, String[]> parameters) {
+        if (parameters == null || parameters.isEmpty()) {
+            return new HashMap<>();
+        }
+
+        Map<String, String[]> result = new HashMap<>(parameters);
+        if (result.containsKey("client_secret")) {
+            result.put("client_secret", new String[] {"*****"});
+        }
+        return result;
+    }
+
     public static JSONObject getJwks(Client client) {
         return Strings.isNullOrEmpty(client.getJwks())
                 ? JwtUtil.getJSONWebKeys(client.getJwksUri())

diff --git a/Server/src/test/java/org/gluu/oxauth/util/ServerUtilTest.java b/Server/src/test/java/org/gluu/oxauth/util/ServerUtilTest.java
@@ -0,0 +1,24 @@
+package org.gluu.oxauth.util;
+
+import org.testng.annotations.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * @author Yuriy Z
+ */
+public class ServerUtilTest {
+
+    @Test
+    public void prepareForLogs_whenCalled_shouldNotHaveClearTextClientPassword() {
+        Map<String, String[]> parameters = new HashMap<>();
+        parameters.put("client_secret", new String[] {"124"});
+
+        final Map<String, String[]> result = ServerUtil.prepareForLogs(parameters);
+
+        assertEquals("*****", result.get("client_secret")[0]);
+    }
+}
diff --git a/Server/src/test/resources/testng.xml b/Server/src/test/resources/testng.xml
@@ -14,6 +14,7 @@
             <class name="org.gluu.oxauth.model.CIBAGrantTest" />
             <class name="org.gluu.oxauth.authorize.ws.rs.AuthorizeRestWebServiceValidatorTest" />
             <class name="org.gluu.oxauth.session.ws.rs.EndSessionRestWebServiceImplTest" />
+            <class name="org.gluu.oxauth.util.ServerUtilTest" />
         </classes>
     </test>