AMBARI-6234. Security issue - private key password show in logs (dlysnichenko)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/7888bbf2
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/7888bbf2
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/7888bbf2
Branch: refs/heads/trunk
Commit: 7888bbf21a6c867131d138a08f680b458bc1056c
Parents: ce815fb
Author: Lisnichenko Dmitro <dlysniche...@hortonworks.com>
Authored: Mon Jun 23 14:52:05 2014 +0300
Committer: Lisnichenko Dmitro <dlysniche...@hortonworks.com>
Committed: Mon Jun 23 16:13:29 2014 +0300
----------------------------------------------------------------------
 .../org/apache/ambari/server/utils/ShellCommandUtil.java | 11 +++++++++--
 .../apache/ambari/server/utils/TestShellCommandUtil.java | 10 +++++++---
 2 files changed, 16 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/7888bbf2/ambari-server/src/main/java/org/apache/ambari/server/utils/ShellCommandUtil.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/utils/ShellCommandUtil.java b/ambari-server/src/main/java/org/apache/ambari/server/utils/ShellCommandUtil.java
index 7e447f9..ee83aa0 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/utils/ShellCommandUtil.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/utils/ShellCommandUtil.java
@@ -32,7 +32,7 @@ public class ShellCommandUtil {
 private static final Log LOG = LogFactory.getLog(ShellCommandUtil.class);
 private static final Object WindowsProcessLaunchLock = new Object();
 private static final String PASS_TOKEN = "pass:";
-
+ private static final String KEY_TOKEN = "-key ";
 /*
 public static String LogAndReturnOpenSslExitCode(String command, int exitCode) {
 logOpenSslExitCode(command, exitCode);
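Review bot: `KEY_TOKEN` ends in a significant trailing space that nothing explains. Without it, `indexOf` would match the `-keyfile` option that the test commands in this commit contain, so the wrong argument would be masked and the password left in the log. A one-line comment on the constant would guard against a well-meant trim, for example `// trailing space is deliberate: must not match "-keyfile"; the argument that follows is the private key password`. The class body continues outside the hunk.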
@@ -49,7 +49,14 @@ public class ShellCommandUtil {
 }
 public static String hideOpenSslPassword(String command){
- int start = command.indexOf(PASS_TOKEN)+PASS_TOKEN.length();
+ int start;
+ if(command.contains(PASS_TOKEN)){
+ start = command.indexOf(PASS_TOKEN)+PASS_TOKEN.length();
+ } else if (command.contains(KEY_TOKEN)){
+ start = command.indexOf(KEY_TOKEN)+KEY_TOKEN.length();
+ } else {
+ return command;
+ }
 CharSequence cs = command.subSequence(start, command.indexOf(" ", start));
 return command.replace(cs, "****");
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/7888bbf2/ambari-server/src/test/java/org/apache/ambari/server/utils/TestShellCommandUtil.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/utils/TestShellCommandUtil.java b/ambari-server/src/test/java/org/apache/ambari/server/utils/TestShellCommandUtil.java
index 32a25ad..27a033c 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/utils/TestShellCommandUtil.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/utils/TestShellCommandUtil.java
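Review bot: The `if`/`else if` chain in `hideOpenSslPassword` masks only one secret per command, so a command carrying both `pass:` and `-key ` would still log the `-key` value in clear, as would a second `pass:` argument with a different value. The unchanged `command.indexOf(" ", start)` also returns -1 when the secret is the last argument, and `subSequence(start, -1)` then throws instead of masking. Masking by position for every occurrence of either token, with the end of the string as the fallback boundary, covers both cases and stops replacing unrelated text that merely equals the password. A sketch of that rewrite follows.

```java
public static String hideOpenSslPassword(String command){
  String masked = command;
  for (String token : new String[] {PASS_TOKEN, KEY_TOKEN}) {
    int from = 0;
    int at;
    while ((at = masked.indexOf(token, from)) >= 0) {
      int start = at + token.length();
      int end = masked.indexOf(' ', start);
      if (end < 0) {
        end = masked.length(); // secret is the last argument
      }
      masked = masked.substring(0, start) + "****" + masked.substring(end);
      from = start + "****".length();
    }
  }
  return masked;
}
```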
@@ -133,10 +133,14 @@ public class TestShellCommandUtil extends TestCase {
 @Test
 public void testHideOpenSslPassword(){
- String command = "openssl ca -config ca.config -in agent_hostname1.csr -out "+
+ String command_pass = "openssl ca -config ca.config -in agent_hostname1.csr -out "+
 "agent_hostname1.crt -batch -passin pass:1234 -keyfile ca.key -cert ca.crt";
-
- assertFalse(ShellCommandUtil.hideOpenSslPassword(command).contains("1234"));
+ String command_key = "openssl ca -create_serial -out /var/lib/ambari-server/keys/ca.crt -days 365 -keyfile /var/lib/ambari-server/keys/ca.key " +
+ "-key 1234 -selfsign -extensions jdk7_ca " +
+ "-config /var/lib/ambari-server/keys/ca.config -batch " +
+ "-infiles /var/lib/ambari-server/keys/ca.csr";
+ assertFalse(ShellCommandUtil.hideOpenSslPassword(command_pass).contains("1234"));
+ assertFalse(ShellCommandUtil.hideOpenSslPassword(command_key).contains("1234"));
 }
 }
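Review bot: `testHideOpenSslPassword` asserts only that `1234` is absent, so it would still pass if masking mangled other arguments. It also never exercises the new branch that returns a command without either token unchanged. A constructed case such as `assertEquals("openssl version", ShellCommandUtil.hideOpenSslPassword("openssl version"));` would pin that branch. An additional `assertTrue(...contains("-keyfile /var/lib/ambari-server/keys/ca.key"))` on the masked `command_key` would confirm the `-keyfile` argument survives.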