From d15735fd09d28f1e7ef6a15db154d6428314b50b Mon Sep 17 00:00:00 2001
From: YuriyZ
Date: Wed, 22 Nov 2023 22:32:44 +0200
Subject: [PATCH] fix(oxauth): client secret printed on logs (#1880)

https://github.com/GluuFederation/oxAuth/issues/1811
---
 .../token/ws/rs/TokenRestWebServiceImpl.java | 4 +++-
 .../java/org/gluu/oxauth/util/ServerUtil.java | 14 ++++++++++-
 .../org/gluu/oxauth/util/ServerUtilTest.java | 24 +++++++++++++++++++
 Server/src/test/resources/testng.xml | 1 +
 4 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 Server/src/test/java/org/gluu/oxauth/util/ServerUtilTest.java

diff --git a/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java b/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java
index 40393f33c9..983a535bfd 100644
--- a/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java
+++ b/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java
@@ -52,6 +52,8 @@ import java.util.Arrays;
 import java.util.Date;
 
+import static org.gluu.oxauth.util.ServerUtil.prepareForLogs;
+
 /**
 * Provides interface for token REST web services
 *
@@ -124,7 +126,7 @@ public Response requestAccessToken(String grantType, String code,
 log.debug(
 "Attempting to request access token: grantType = {}, code = {}, redirectUri = {}, username = {}, refreshToken = {}, " +
 "clientId = {}, ExtraParams = {}, isSecure = {}, codeVerifier = {}, ticket = {}",
- grantType, code, redirectUri, username, refreshToken, clientId, request.getParameterMap(),
+ grantType, code, redirectUri, username, refreshToken, clientId, prepareForLogs(request.getParameterMap()),
 sec.isSecure(), codeVerifier, ticket);
 
 boolean isUma = StringUtils.isNotBlank(ticket);
diff --git a/Server/src/main/java/org/gluu/oxauth/util/ServerUtil.java b/Server/src/main/java/org/gluu/oxauth/util/ServerUtil.java
index 4a8cd6311b..c2c5a3c463 100644
--- a/Server/src/main/java/org/gluu/oxauth/util/ServerUtil.java
+++ b/Server/src/main/java/org/gluu/oxauth/util/ServerUtil.java
@@ -52,11 +52,23 @@ public class ServerUtil {
- private final static Logger log = LoggerFactory.getLogger(ServerUtil.class);
+ private static final Logger log = LoggerFactory.getLogger(ServerUtil.class);
 
 private ServerUtil() {
 }
 
+ public static Map prepareForLogs(Map parameters) {
+ if (parameters == null || parameters.isEmpty()) {
+ return new HashMap<>();
+ }
+
+ Map result = new HashMap<>(parameters);
+ if (result.containsKey("client_secret")) {
+ result.put("client_secret", new String[] {"*****"});
+ }
+ return result;
+ }
+
 public static JSONObject getJwks(Client client) {
 return Strings.isNullOrEmpty(client.getJwks())
 ? JwtUtil.getJSONWebKeys(client.getJwksUri())
diff --git a/Server/src/test/java/org/gluu/oxauth/util/ServerUtilTest.java b/Server/src/test/java/org/gluu/oxauth/util/ServerUtilTest.java
new file mode 100644
index 0000000000..5cc7311fe6
--- /dev/null
+++ b/Server/src/test/java/org/gluu/oxauth/util/ServerUtilTest.java
@@ -0,0 +1,24 @@
+package org.gluu.oxauth.util;
+
+import org.testng.annotations.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * @author Yuriy Z
+ */
+public class ServerUtilTest {
+
+ @Test
+ public void prepareForLogs_whenCalled_shouldNotHaveClearTextClientPassword() {
+ Map parameters = new HashMap<>();
+ parameters.put("client_secret", new String[] {"124"});
+
+ final Map result = ServerUtil.prepareForLogs(parameters);
+
+ assertEquals("*****", result.get("client_secret")[0]);
+ }
+}
diff --git a/Server/src/test/resources/testng.xml b/Server/src/test/resources/testng.xml
index f0a64c0523..25644f13ed 100644
--- a/Server/src/test/resources/testng.xml
+++ b/Server/src/test/resources/testng.xml
@@ -14,6 +14,7 @@
+
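Review bot: The `refreshToken` and `code` arguments on the `+` line of the second hunk are still interpolated into the same debug message in clear (`refreshToken = {}`, `code = {}`), so a long-lived refresh token reaches the log even though the parameter map is now masked; and because `prepareForLogs` replaces only the `client_secret` entry, the `ExtraParams` map presumably still carries those same values under their form-parameter names. A bearer credential does not belong in a debug line at any log level; record its presence instead of its value, e.g. `refreshToken != null ? "*****" : null` in place of `refreshToken`, and the same for `code`. `requestAccessToken` starts and ends outside the hunk.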
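Review bot: `prepareForLogs` masks exactly one hard-coded key, `client_secret`, so any other credential the token endpoint receives in the same form body — `password` if the resource-owner password grant is enabled, `client_assertion` for JWT client authentication, `refresh_token` — still prints in full whenever the map is logged; the mask list should be a named constant that can grow, and the method needs a Javadoc stating that it returns a copy and leaves the caller's map untouched. The type arguments of `Map` appear to have been stripped by this rendering, so the signature is kept as shown. Rewritten lines:
```java
    /** Form-parameter names whose values are replaced before the parameter map is logged. */
    private static final String[] MASKED_PARAMETERS = {"client_secret", "password", "client_assertion", "refresh_token"};

    /**
     * Returns a shallow copy of {@code parameters} that is safe to log: every entry named in
     * {@link #MASKED_PARAMETERS} has its value replaced by a placeholder. The input map is not
     * modified; a null or empty input yields an empty map.
     */
    public static Map prepareForLogs(Map parameters) {
        if (parameters == null || parameters.isEmpty()) {
            return new HashMap<>();
        }

        Map result = new HashMap<>(parameters);
        for (String name : MASKED_PARAMETERS) {
            if (result.containsKey(name)) {
                result.put(name, new String[] {"*****"});
            }
        }
        return result;
    }
```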
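Review bot: The new test in ServerUtilTest.java asserts only that `client_secret` is masked; it does not check that the caller's map is left untouched (later code still needs the real secret for client authentication) or that unrelated entries pass through, and `assertEquals` is imported from JUnit into a class driven by TestNG, as the testng.xml registration and `org.testng.annotations.Test` import show. Add `assertEquals("124", parameters.get("client_secret")[0]);` after the existing assertion, and a second case that puts an unrelated key such as `grant_type` and asserts its value comes back unchanged; the null/empty branch of `prepareForLogs` is also uncovered.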