Updated Branches: refs/heads/master c0f60651b -> 06f8c1de7
CLOUDSTACK-5692: obscure passwords when using cifs as storage Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/06f8c1de Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/06f8c1de Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/06f8c1de Branch: refs/heads/master Commit: 06f8c1de7559f8e1d22ffe1ded3a089dc109f784 Parents: c0f6065 Author: Saksham Srivastava <saksham.srivast...@citrix.com> Authored: Thu Jan 16 16:50:40 2014 +0530 Committer: Devdeep Singh <devd...@gmail.com> Committed: Fri Jan 17 14:00:24 2014 +0530 ---------------------------------------------------------------------- core/src/com/cloud/agent/transport/Request.java | 28 ++++++++++++++- .../resource/HypervDirectConnectResource.java | 36 +++++++++++++++++--- .../CloudStackImageStoreLifeCycleImpl.java | 30 ++++++++++++++-- .../api/query/dao/ImageStoreJoinDaoImpl.java | 11 ++++-- .../api/query/dao/StoragePoolJoinDaoImpl.java | 13 +++++-- ui/scripts/sharedFunctions.js | 4 ++- 6 files changed, 107 insertions(+), 15 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/06f8c1de/core/src/com/cloud/agent/transport/Request.java ---------------------------------------------------------------------- diff --git a/core/src/com/cloud/agent/transport/Request.java b/core/src/com/cloud/agent/transport/Request.java index f4ed5c4..b5890d9 100755 --- a/core/src/com/cloud/agent/transport/Request.java +++ b/core/src/com/cloud/agent/transport/Request.java @@ -23,6 +23,7 @@ import java.io.StringReader; import java.lang.reflect.Type; import java.nio.ByteBuffer; import java.util.ArrayList; +import java.util.Collections; import java.util.Iterator; import java.util.List; import java.util.zip.GZIPInputStream; @@ -49,6 +50,7 @@ import com.cloud.exception.UnsupportedVersionException; import com.cloud.serializer.GsonHelper; import com.cloud.utils.NumbersUtil; import com.cloud.utils.Pair; +import com.cloud.utils.StringUtils; import com.cloud.utils.exception.CloudRuntimeException; /** @@ -436,11 +438,35 @@ public class Request { } buf.append(", Ver: ").append(_ver.toString()); buf.append(", Flags: ").append(Integer.toBinaryString(getFlags())).append(", "); - buf.append(content); + String cleanContent = content.toString(); + if(cleanContent.contains("password")) { + buf.append(cleanPassword(cleanContent)); + } else { + buf.append(content); + } buf.append(" }"); return buf.toString(); } + public static String cleanPassword(String logString) { + String cleanLogString = null; + if (logString != null) { + cleanLogString = logString; + String[] temp = logString.split(","); + int i = 0; + if (temp != null) { + while (i < temp.length) { + temp[i] = StringUtils.cleanString(temp[i]); + i++; + } + List<String> stringList = new ArrayList<String>(); + Collections.addAll(stringList, temp); + cleanLogString = StringUtils.join(stringList, ","); + } + } + return cleanLogString; + } + /** * Factory method for Request and Response. It expects the bytes to be * correctly formed so it's possible that it throws underflow exceptions http://git-wip-us.apache.org/repos/asf/cloudstack/blob/06f8c1de/plugins/hypervisors/hyperv/src/com/cloud/hypervisor/hyperv/resource/HypervDirectConnectResource.java ---------------------------------------------------------------------- diff --git a/plugins/hypervisors/hyperv/src/com/cloud/hypervisor/hyperv/resource/HypervDirectConnectResource.java b/plugins/hypervisors/hyperv/src/com/cloud/hypervisor/hyperv/resource/HypervDirectConnectResource.java index 519f457..d6ffa1d 100644 --- a/plugins/hypervisors/hyperv/src/com/cloud/hypervisor/hyperv/resource/HypervDirectConnectResource.java +++ b/plugins/hypervisors/hyperv/src/com/cloud/hypervisor/hyperv/resource/HypervDirectConnectResource.java @@ -31,6 +31,8 @@ import java.security.NoSuchAlgorithmException; import java.security.UnrecoverableKeyException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -41,6 +43,7 @@ import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; +import org.apache.commons.lang.StringEscapeUtils; import org.apache.http.HttpResponse; import org.apache.http.HttpStatus; import org.apache.http.client.ClientProtocolException; @@ -130,7 +133,6 @@ import com.cloud.utils.net.NetUtils; import com.cloud.utils.ssh.SshHelper; import com.cloud.vm.VirtualMachine; import com.cloud.vm.VirtualMachineName; - /** * Implementation of dummy resource to be returned from discoverer. **/ @@ -433,7 +435,8 @@ public class HypervDirectConnectResource extends ServerResourceBase implements S // Only Answer instances are returned by remote agents. // E.g. see Response.getAnswers() Answer[] result = s_gson.fromJson(ansStr, Answer[].class); - s_logger.debug("executeRequest received response " + s_gson.toJson(result)); + String logResult = cleanPassword(StringEscapeUtils.unescapeJava(result.toString())); + s_logger.debug("executeRequest received response " + logResult); if (result.length > 0) { return result[0]; } @@ -1679,7 +1682,10 @@ public class HypervDirectConnectResource extends ServerResourceBase implements S // comment to use Apache HttpClient // http://stackoverflow.com/a/2793153/939250, but final comment is to // use Apache. - s_logger.debug("POST request to" + agentUri.toString() + " with contents" + jsonCmd); + String logMessage = StringEscapeUtils.unescapeJava(jsonCmd); + logMessage = cleanPassword(logMessage); + s_logger.debug("POST request to " + agentUri.toString() + + " with contents " + logMessage); // Create request HttpClient httpClient = null; @@ -1719,7 +1725,8 @@ public class HypervDirectConnectResource extends ServerResourceBase implements S StringEntity cmdJson = new StringEntity(jsonCmd); request.addHeader("content-type", "application/json"); request.setEntity(cmdJson); - s_logger.debug("Sending cmd to " + agentUri.toString() + " cmd data:" + jsonCmd); + s_logger.debug("Sending cmd to " + agentUri.toString() + + " cmd data:" + logMessage); HttpResponse response = httpClient.execute(request); // Unsupported commands will not route. @@ -1736,7 +1743,8 @@ public class HypervDirectConnectResource extends ServerResourceBase implements S return null; } else { result = EntityUtils.toString(response.getEntity()); - s_logger.debug("POST response is" + result); + String logResult = cleanPassword(StringEscapeUtils.unescapeJava(result)); + s_logger.debug("POST response is " + logResult); } } catch (ClientProtocolException protocolEx) { // Problem with HTTP message exchange @@ -1862,4 +1870,22 @@ public class HypervDirectConnectResource extends ServerResourceBase implements S return "Unable to connect"; } + public static String cleanPassword(String logString) { + String cleanLogString = null; + if (logString != null) { + cleanLogString = logString; + String[] temp = logString.split(","); + int i = 0; + if (temp != null) { + while (i < temp.length) { + temp[i] = StringUtils.cleanString(temp[i]); + i++; + } + List<String> stringList = new ArrayList<String>(); + Collections.addAll(stringList, temp); + cleanLogString = StringUtils.join(stringList, ","); + } + } + return cleanLogString; + } } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/06f8c1de/plugins/storage/image/default/src/org/apache/cloudstack/storage/datastore/lifecycle/CloudStackImageStoreLifeCycleImpl.java ---------------------------------------------------------------------- diff --git a/plugins/storage/image/default/src/org/apache/cloudstack/storage/datastore/lifecycle/CloudStackImageStoreLifeCycleImpl.java b/plugins/storage/image/default/src/org/apache/cloudstack/storage/datastore/lifecycle/CloudStackImageStoreLifeCycleImpl.java index 13bd5d8..7675e94 100644 --- a/plugins/storage/image/default/src/org/apache/cloudstack/storage/datastore/lifecycle/CloudStackImageStoreLifeCycleImpl.java +++ b/plugins/storage/image/default/src/org/apache/cloudstack/storage/datastore/lifecycle/CloudStackImageStoreLifeCycleImpl.java @@ -18,6 +18,8 @@ package org.apache.cloudstack.storage.datastore.lifecycle; import java.net.URI; import java.net.URISyntaxException; +import java.util.ArrayList; +import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -26,7 +28,7 @@ import javax.inject.Inject; import org.apache.log4j.Logger; -import com.ibm.wsdl.util.StringUtils; +import com.cloud.utils.StringUtils; import org.apache.cloudstack.engine.subsystem.api.storage.ClusterScope; import org.apache.cloudstack.engine.subsystem.api.storage.DataStore; @@ -86,7 +88,13 @@ public class CloudStackImageStoreLifeCycleImpl implements ImageStoreLifeCycle { DataStoreRole role = (DataStoreRole)dsInfos.get("role"); Map<String, String> details = (Map<String, String>)dsInfos.get("details"); - s_logger.info("Trying to add a new data store at " + StringUtils.cleanString(url) + " to data center " + dcId); + String logString = ""; + if(url.contains("cifs")) { + logString = cleanPassword(url); + } else { + logString = StringUtils.cleanString(url); + } + s_logger.info("Trying to add a new data store at " + logString + " to data center " + dcId); URI uri = null; try { @@ -167,4 +175,22 @@ public class CloudStackImageStoreLifeCycleImpl implements ImageStoreLifeCycle { return imageStoreHelper.convertToStagingStore(store); } + public static String cleanPassword(String logString) { + String cleanLogString = null; + if (logString != null) { + cleanLogString = logString; + String[] temp = logString.split(","); + int i = 0; + if (temp != null) { + while (i < temp.length) { + temp[i] = StringUtils.cleanString(temp[i]); + i++; + } + List<String> stringList = new ArrayList<String>(); + Collections.addAll(stringList, temp); + cleanLogString = StringUtils.join(stringList, ","); + } + } + return cleanLogString; + } } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/06f8c1de/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java index 90c155f..55bc573 100644 --- a/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java +++ b/server/src/com/cloud/api/query/dao/ImageStoreJoinDaoImpl.java @@ -23,17 +23,17 @@ import javax.ejb.Local; import javax.inject.Inject; import org.apache.log4j.Logger; -import org.springframework.stereotype.Component; - import org.apache.cloudstack.api.response.ImageStoreDetailResponse; import org.apache.cloudstack.api.response.ImageStoreResponse; import org.apache.cloudstack.framework.config.dao.ConfigurationDao; +import org.springframework.stereotype.Component; import com.cloud.api.query.vo.ImageStoreJoinVO; import com.cloud.storage.ImageStore; import com.cloud.utils.db.GenericDaoBase; import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; +import com.cloud.utils.StringUtils; @Component @Local(value = {ImageStoreJoinDao.class}) @@ -67,7 +67,12 @@ public class ImageStoreJoinDaoImpl extends GenericDaoBase<ImageStoreJoinVO, Long osResponse.setName(ids.getName()); osResponse.setProviderName(ids.getProviderName()); osResponse.setProtocol(ids.getProtocol()); - osResponse.setUrl(ids.getUrl()); + String url = ids.getUrl(); + //if store is type cifs, remove the password + if(ids.getProtocol().equals("cifs".toString())) { + url = StringUtils.cleanString(url); + } + osResponse.setUrl(url); osResponse.setScope(ids.getScope()); osResponse.setZoneId(ids.getZoneUuid()); osResponse.setZoneName(ids.getZoneName()); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/06f8c1de/server/src/com/cloud/api/query/dao/StoragePoolJoinDaoImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/query/dao/StoragePoolJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/StoragePoolJoinDaoImpl.java index 0a5fb5e..274bf1c 100644 --- a/server/src/com/cloud/api/query/dao/StoragePoolJoinDaoImpl.java +++ b/server/src/com/cloud/api/query/dao/StoragePoolJoinDaoImpl.java @@ -34,6 +34,7 @@ import com.cloud.capacity.Capacity; import com.cloud.storage.ScopeType; import com.cloud.storage.StoragePool; import com.cloud.storage.StorageStats; +import com.cloud.utils.StringUtils; import com.cloud.utils.db.GenericDaoBase; import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; @@ -60,7 +61,7 @@ public class StoragePoolJoinDaoImpl extends GenericDaoBase<StoragePoolJoinVO, Lo spIdSearch.and("id", spIdSearch.entity().getId(), SearchCriteria.Op.EQ); spIdSearch.done(); - this._count = "select count(distinct id) from storage_pool_view WHERE "; + _count = "select count(distinct id) from storage_pool_view WHERE "; } @Override @@ -69,7 +70,10 @@ public class StoragePoolJoinDaoImpl extends GenericDaoBase<StoragePoolJoinVO, Lo poolResponse.setId(pool.getUuid()); poolResponse.setName(pool.getName()); poolResponse.setState(pool.getStatus()); - poolResponse.setPath(pool.getPath()); + String path = pool.getPath(); + //cifs store may contain password entry, remove the password + path = StringUtils.cleanString(path); + poolResponse.setPath(path); poolResponse.setIpAddress(pool.getHostAddress()); poolResponse.setZoneId(pool.getZoneUuid()); poolResponse.setZoneName(pool.getZoneName()); @@ -129,7 +133,10 @@ public class StoragePoolJoinDaoImpl extends GenericDaoBase<StoragePoolJoinVO, Lo poolResponse.setId(pool.getUuid()); poolResponse.setName(pool.getName()); poolResponse.setState(pool.getStatus()); - poolResponse.setPath(pool.getPath()); + String path = pool.getPath(); + //cifs store may contain password entry, remove the password + path = StringUtils.cleanString(path); + poolResponse.setPath(path); poolResponse.setIpAddress(pool.getHostAddress()); poolResponse.setZoneId(pool.getZoneUuid()); poolResponse.setZoneName(pool.getZoneName()); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/06f8c1de/ui/scripts/sharedFunctions.js ---------------------------------------------------------------------- diff --git a/ui/scripts/sharedFunctions.js b/ui/scripts/sharedFunctions.js index a632850..b9dc2f3 100644 --- a/ui/scripts/sharedFunctions.js +++ b/ui/scripts/sharedFunctions.js @@ -1201,7 +1201,9 @@ var processPropertiesInImagestoreObject = function(jsonObj) { var url = jsonObj.url; //e.g. 'cifs://10.1.1.1/aaa/aaa2/aaa3?user=bbb&password=ccc&domain=ddd' var passwordIndex = url.indexOf('&password='); //38 var domainIndex = url.indexOf('&domain='); //51 - jsonObj.url = url.substring(0, passwordIndex) + url.substring(domainIndex); //remove '&password=ccc' from jsonObj.url + if (passwordIndex >= 0) { + jsonObj.url = url.substring(0, passwordIndex) + url.substring(domainIndex); //remove '&password=ccc' from jsonObj.url + } } }
