GEODE-2633: When turning on fine logging, GEODE logs the keystore password in clear text
Project: http://git-wip-us.apache.org/repos/asf/geode/repo Commit: http://git-wip-us.apache.org/repos/asf/geode/commit/c02970b4 Tree: http://git-wip-us.apache.org/repos/asf/geode/tree/c02970b4 Diff: http://git-wip-us.apache.org/repos/asf/geode/diff/c02970b4 Branch: refs/heads/feature/GEODE-2420 Commit: c02970b4fdb8f3238e9bec10f9b5692eed6006df Parents: 22750cf Author: Kevin J. Duling <kdul...@pivotal.io> Authored: Thu Mar 9 15:21:23 2017 -0800 Committer: Ken Howe <kh...@pivotal.io> Committed: Fri Mar 17 13:09:45 2017 -0700
----------------------------------------------------------------------
.../geode/internal/net/SocketCreator.java | 59 ++++++++++----------
.../geode/internal/util/ArgumentRedactor.java | 9 +--
2 files changed, 32 insertions(+), 36 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/geode/blob/c02970b4/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java b/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
index 742e7f3..7a8f3ad 100755
--- a/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
@@ -14,6 +14,32 @@
 */
 package org.apache.geode.internal.net;
 
+import org.apache.commons.lang.StringUtils;
+import org.apache.geode.GemFireConfigException;
+import org.apache.geode.SystemConnectException;
+import org.apache.geode.SystemFailure;
+import org.apache.geode.admin.internal.InetAddressUtil;
+import org.apache.geode.cache.wan.GatewaySender;
+import org.apache.geode.cache.wan.GatewayTransportFilter;
+import org.apache.geode.distributed.ClientSocketFactory;
+import org.apache.geode.distributed.internal.DistributionConfig;
+import org.apache.geode.distributed.internal.DistributionConfigImpl;
+import org.apache.geode.distributed.internal.InternalDistributedSystem;
+import org.apache.geode.internal.ClassPathLoader;
+import org.apache.geode.internal.ConnectionWatcher;
+import org.apache.geode.internal.GfeConsoleReaderFactory;
+import org.apache.geode.internal.GfeConsoleReaderFactory.GfeConsoleReader;
+import org.apache.geode.internal.admin.SSLConfig;
+import org.apache.geode.internal.cache.wan.TransportFilterServerSocket;
+import org.apache.geode.internal.cache.wan.TransportFilterSocketFactory;
+import org.apache.geode.internal.i18n.LocalizedStrings;
+import org.apache.geode.internal.logging.LogService;
+import org.apache.geode.internal.logging.log4j.LocalizedMessage;
+import org.apache.geode.internal.security.SecurableCommunicationChannel;
+import org.apache.geode.internal.util.ArgumentRedactor;
+import org.apache.geode.internal.util.PasswordUtil;
+import org.apache.logging.log4j.Logger;
+
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.net.BindException;
@@ -71,32 +97,6 @@ import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509ExtendedKeyManager;
 
-import org.apache.commons.lang.StringUtils;
-import org.apache.logging.log4j.Logger;
-
-import org.apache.geode.GemFireConfigException;
-import org.apache.geode.SystemConnectException;
-import org.apache.geode.SystemFailure;
-import org.apache.geode.admin.internal.InetAddressUtil;
-import org.apache.geode.cache.wan.GatewaySender;
-import org.apache.geode.cache.wan.GatewayTransportFilter;
-import org.apache.geode.distributed.ClientSocketFactory;
-import org.apache.geode.distributed.internal.DistributionConfig;
-import org.apache.geode.distributed.internal.DistributionConfigImpl;
-import org.apache.geode.distributed.internal.InternalDistributedSystem;
-import org.apache.geode.internal.ClassPathLoader;
-import org.apache.geode.internal.ConnectionWatcher;
-import org.apache.geode.internal.GfeConsoleReaderFactory;
-import org.apache.geode.internal.GfeConsoleReaderFactory.GfeConsoleReader;
-import org.apache.geode.internal.admin.SSLConfig;
-import org.apache.geode.internal.cache.wan.TransportFilterServerSocket;
-import org.apache.geode.internal.cache.wan.TransportFilterSocketFactory;
-import org.apache.geode.internal.i18n.LocalizedStrings;
-import org.apache.geode.internal.logging.LogService;
-import org.apache.geode.internal.logging.log4j.LocalizedMessage;
-import org.apache.geode.internal.security.SecurableCommunicationChannel;
-import org.apache.geode.internal.util.PasswordUtil;
-
 /**
 * Analyze configuration data (gemfire.properties) and configure sockets accordingly for SSL.
 * <p>
@@ -1126,13 +1126,14 @@ public class SocketCreator {
 private void printConfig() {
 if (!configShown && logger.isDebugEnabled()) {
 configShown = true;
- StringBuffer sb = new StringBuffer();
+ StringBuilder sb = new StringBuilder();
 sb.append("SSL Configuration: \n");
- sb.append(" ssl-enabled = " + this.sslConfig.isEnabled()).append("\n");
+ sb.append(" ssl-enabled = ").append(this.sslConfig.isEnabled()).append("\n");
 // add other options here....
 for (String key : System.getProperties().stringPropertyNames()) { // fix for 46822
 if (key.startsWith("javax.net.ssl")) {
- sb.append(" ").append(key).append(" = ").append(System.getProperty(key)).append("\n");
+ String redactedString = ArgumentRedactor.redact(key, System.getProperty(key));
+ sb.append(" ").append(key).append(" = ").append(redactedString).append("\n");
 }
 }
 logger.debug(sb.toString());
http://git-wip-us.apache.org/repos/asf/geode/blob/c02970b4/geode-core/src/main/java/org/apache/geode/internal/util/ArgumentRedactor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/util/ArgumentRedactor.java b/geode-core/src/main/java/org/apache/geode/internal/util/ArgumentRedactor.java
index 419f3f9..8873a52 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/util/ArgumentRedactor.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/util/ArgumentRedactor.java
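Review bot: The new `String redactedString = ArgumentRedactor.redact(key, System.getProperty(key));` line only hides a value when the redactor decides the key is sensitive, and per the ArgumentRedactor hunk that decision is `return compareKey.toLowerCase().contains("password");`, so `javax.net.ssl.keyStorePassword` and `javax.net.ssl.trustStorePassword` stay redacted purely by their naming convention and nothing in this hunk pins that down. I would add a comment on that line, `// javax.net.ssl.*Password values are hidden because ArgumentRedactor treats any key containing "password" as sensitive`, and a unit test asserting that the debug output built for a `javax.net.ssl.keyStorePassword` system property never contains the configured value, so a later change to the redactor's rule cannot silently reintroduce the leak this commit fixes. As a minor style point `redactedString` is used once and could be inlined into the append chain. printConfig's body continues past the end of the hunk.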
@@ -63,10 +63,10 @@ public class ArgumentRedactor {
 
 /**
 * Parse a string to find key=value pairs and redact the values if necessary. If more than one
- * key=value pair exists in the input, each pair must be preceeded by a hyphen '-' to delineate
+ * key=value pair exists in the input, each pair must be preceded by a hyphen '-' to delineate
 * the pairs. <br>
 * Example:<br>
- * Single value: "password=secret" or "--password=secret" Mulitple values: "-Dflag -Dkey=value
+ * Single value: "password=secret" or "--password=secret" Multiple values: "-Dflag -Dkey=value
 * --classpath=."
 *
 * @param line The input to be parsed
@@ -145,10 +145,5 @@ public class ArgumentRedactor {
 compareKey = compareKey.substring(2);
 }
 return compareKey.toLowerCase().contains("password");
- // return compareKey
- // .startsWith(DistributionConfig.GEMFIRE_PREFIX + DistributionConfig.SECURITY_PREFIX_NAME)
- // || compareKey.startsWith(
- // DistributionConfigImpl.SECURITY_SYSTEM_PREFIX + DistributionConfig.SECURITY_PREFIX_NAME)
- // || compareKey.toLowerCase().contains("password");
 }
 }