[
https://issues.apache.org/jira/browse/GEODE-2119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15736630#comment-15736630
]
ASF GitHub Bot commented on GEODE-2119:
---------------------------------------
Github user jaredjstewart commented on a diff in the pull request:
https://github.com/apache/geode/pull/311#discussion_r91812659
--- Diff:
geode-core/src/test/java/org/apache/geode/distributed/LauncherRedactionJUnitTest.java
---
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
contributor license
+ * agreements. See the NOTICE file distributed with this work for
additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache
License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the
License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
ANY KIND, either express
+ * or implied. See the License for the specific language governing
permissions and limitations under
+ * the License.
+ */
+package org.apache.geode.distributed;
+
+import static org.junit.Assert.assertTrue;
+
+import org.apache.geode.distributed.AbstractLauncher.ServiceState;
+import org.apache.geode.distributed.AbstractLauncher.Status;
+import org.apache.geode.test.junit.categories.UnitTest;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.StringTokenizer;
+
+/**
+ * AbstractLauncher Tester.
+ */
+@Category(UnitTest.class)
+public class LauncherRedactionJUnitTest {
+
+ @Test
+ public void testRedactedJvmArguments() {
+ String jvmArgs =
+ "-Dgemfire.security-username=admin
-Dgemfire.locators=pdx2-office-dhcp9.eng.vmware.com[10334]
-Dgemfire.use-cluster-configuration=true -Dgemfire.security-password=********
-Dgemfire.start-dev-rest-api=false -XX:OnOutOfMemoryError=kill -KILL %p
-Dgemfire.launcher.registerSignalHandlers=true -Djava.awt.headless=true
-Dsun.rmi.dgc.server.gcInterval=9223372036854775806";
+ List<String> jvmArguments = buildArgumentArray(jvmArgs);
+ ServiceState serviceState = new ServiceState(Status.STARTING,
"statusMessage",
+ System.currentTimeMillis(), "here", 12345,
System.currentTimeMillis(), "/tmp", jvmArguments,
+ ".", "1.0", "1.8", "logging.log", "localhost", "4201", "member") {
+ @Override
+ protected String getServiceName() {
+ return null;
+ }
+ };
+ List redactedJvmArguments = serviceState.getRedactedJvmArguments();
+
assertTrue(redactedJvmArguments.toString().contains("password=********"));
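Review bot: In testRedactedJvmArguments the jvmArgs input already contains -Dgemfire.security-password=********, so the closing assertTrue(redactedJvmArguments.toString().contains("password=********")) would pass even if getRedactedJvmArguments() returned the arguments untouched. Put a recognisable plaintext value after -Dgemfire.security-password= in the input, assert that this value does not appear anywhere in the redacted list, and keep the check that the masked form is present. The result is also held in a raw List and checked through toString(); asserting on the individual argument would make a failure easier to read.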
--- End diff --
I think it would be good to add tests for keys falling into these scenarios:
```
key.startsWith(DistributionConfig.GEMFIRE_PREFIX +
DistributionConfig.SECURITY_PREFIX_NAME)
```
and
```
key.startsWith(DistributionConfigImpl.SECURITY_SYSTEM_PREFIX +
DistributionConfig.SECURITY_PREFIX_NAME)
```
As well as to add a test making sure that normal values (i.e., those for
non-security related keys) **do not** get redacted.
> gfsh user and password visible in clear text
> --------------------------------------------
>
> Key: GEODE-2119
> URL: https://issues.apache.org/jira/browse/GEODE-2119
> Project: Geode
> Issue Type: Bug
> Components: gfsh
> Reporter: Karen Smoler Miller
> Assignee: Kevin Duling
>
> Both gfsh connect and gfsh start server allow the specification on the
> command line of a user name and a password for use as credentials in
> authentication. Clear text versions of the user name and password are then
> visible
> 1. if the user runs gfsh history
> 2. in historyfile, if the user runs gfsh history --file=historyfile
> 3. in the output of ps
> It would be worth a check to see if clear text versions of the user or
> password end up in any locator or server logs. I don't believe it does for
> gfsh connect, but it might for the start server case.