Posted to commits@brooklyn.apache.org by al...@apache.org on 2022/06/08 13:17:02 UTC

[brooklyn-server] branch master updated: if env var is multiline string, sanitize each line so we can suppress multiline maps esp multiline json/yaml/properties passed as env vars

This is an automated email from the ASF dual-hosted git repository.

algairim pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git


The following commit(s) were added to refs/heads/master by this push:
     new aa26085448 if env var is multiline string, sanitize each line so we can suppress multiline maps esp multiline json/yaml/properties passed as env vars
     new 7b80db6001 Merge pull request #1319 from ahgittin/sanitize-env-var-multiline
aa26085448 is described below

commit aa26085448592fbf0be170cd313b44fb0ad4c1a5
Author: Alex Heneveld <al...@cloudsoft.io>
AuthorDate: Wed Jun 8 13:38:31 2022 +0100

    if env var is multiline string, sanitize each line
    so we can suppress multiline maps esp multiline json/yaml/properties passed as env vars
---
 .../java/org/apache/brooklyn/core/config/Sanitizer.java   |  1 +
 .../software/base/AbstractSoftwareProcessStreamsTest.java | 15 +++++++++++++++
 .../software/base/VanillaSoftwareProcessStreamsTest.java  |  4 ++++
 3 files changed, 20 insertions(+)

diff --git a/core/src/main/java/org/apache/brooklyn/core/config/Sanitizer.java b/core/src/main/java/org/apache/brooklyn/core/config/Sanitizer.java
index a4b4669357..efe54699bf 100644
--- a/core/src/main/java/org/apache/brooklyn/core/config/Sanitizer.java
+++ b/core/src/main/java/org/apache/brooklyn/core/config/Sanitizer.java
@@ -203,6 +203,7 @@ public final class Sanitizer {
                 String stringValue = kv.getValue() != null ? kv.getValue().toString() : "";
                 if (!stringValue.isEmpty()) {
                     stringValue = Sanitizer.suppressIfSecret(kv.getKey(), stringValue);
+                    stringValue = sanitizeMultilineString(stringValue);
                     stringValue = BashStringEscapes.wrapBash(stringValue);
                 }
                 sb.append(kv.getKey()).append("=").append(stringValue).append("\n");
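Review bot: The `sanitizeMultilineString(stringValue)` call added here appears to mask a value only when its sensitive key leads a line, so a secret placed later on a line still reaches the env stream in clear text; the test in this same commit pins that with `secret=not_hidden_if_on_same_line`. The helper's body is not part of this diff, so this is inferred from the test data. A compact single-line JSON or properties blob passed as an env var would therefore probably be shown unmasked, and the call site deserves a comment saying so, for example `// best-effort: masks per line by leading key only; a secret later on the same line is NOT suppressed`. The enclosing method starts and ends outside this hunk.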
diff --git a/software/base/src/test/java/org/apache/brooklyn/entity/software/base/AbstractSoftwareProcessStreamsTest.java b/software/base/src/test/java/org/apache/brooklyn/entity/software/base/AbstractSoftwareProcessStreamsTest.java
index bf40438c61..fc8db13a5f 100644
--- a/software/base/src/test/java/org/apache/brooklyn/entity/software/base/AbstractSoftwareProcessStreamsTest.java
+++ b/software/base/src/test/java/org/apache/brooklyn/entity/software/base/AbstractSoftwareProcessStreamsTest.java
@@ -32,6 +32,7 @@ import org.apache.brooklyn.core.entity.BrooklynConfigKeys;
 import org.apache.brooklyn.core.mgmt.BrooklynTaskTags;
 import org.apache.brooklyn.core.test.BrooklynAppLiveTestSupport;
 import org.apache.brooklyn.core.test.entity.TestApplication;
+import org.apache.brooklyn.test.Asserts;
 import org.apache.brooklyn.util.core.task.TaskPredicates;
 import org.apache.brooklyn.util.text.StringPredicates;
 import org.slf4j.Logger;
@@ -101,6 +102,20 @@ public abstract class AbstractSoftwareProcessStreamsTest extends BrooklynAppLive
         }
     }
 
+    protected <T extends SoftwareProcess> String getAnyTaskEnvStream(final T softwareProcessEntity) {
+        Set<Task<?>> tasks = BrooklynTaskTags.getTasksInEntityContext(mgmt.getExecutionManager(), softwareProcessEntity);
+
+        for (Map.Entry<String, String> entry : getCommands().entrySet()) {
+            String taskNameRegex = entry.getKey();
+
+            Task<?> subTask = findTaskOrSubTask(tasks, TaskPredicates.displayNameSatisfies(StringPredicates.matchesRegex(taskNameRegex))).get();
+
+            return getStreamOrFail(subTask, BrooklynTaskTags.STREAM_ENV);
+        }
+
+        throw Asserts.fail("No commands found");
+    }
+
     protected <T extends SoftwareProcess> void assertEnvStream(final T softwareProcessEntity, final Map<String, String> expectedEnv) {
         Set<Task<?>> tasks = BrooklynTaskTags.getTasksInEntityContext(mgmt.getExecutionManager(), softwareProcessEntity);
 
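Review bot: `getAnyTaskEnvStream` returns from inside the first loop iteration, so the `for` is really "take the first command", and the negative check built on it in VanillaSoftwareProcessStreamsTest inspects a single task's env stream. A secret leaking through the env stream of any other command would leave that assertion green. The unchecked `.get()` on the `findTaskOrSubTask` result also turns a missing task into an opaque failure rather than a clear assertion message. Collecting the env stream of every command and returning the concatenation makes the does-not-contain check cover all of them, as sketched below.

```java
    protected <T extends SoftwareProcess> String getAnyTaskEnvStream(final T softwareProcessEntity) {
        // … unchanged: tasks lookup via BrooklynTaskTags.getTasksInEntityContext …
        StringBuilder allEnv = new StringBuilder();
        for (String taskNameRegex : getCommands().keySet()) {
            Task<?> subTask = findTaskOrSubTask(tasks, TaskPredicates.displayNameSatisfies(StringPredicates.matchesRegex(taskNameRegex))).get();
            // accumulate every command's env stream so a leak in any of them is visible to the caller
            allEnv.append(getStreamOrFail(subTask, BrooklynTaskTags.STREAM_ENV)).append("\n");
        }
        if (allEnv.length() == 0) {
            throw Asserts.fail("No commands found");
        }
        return allEnv.toString();
    }
```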
diff --git a/software/base/src/test/java/org/apache/brooklyn/entity/software/base/VanillaSoftwareProcessStreamsTest.java b/software/base/src/test/java/org/apache/brooklyn/entity/software/base/VanillaSoftwareProcessStreamsTest.java
index 4b9dfe05f0..19ebac01b3 100644
--- a/software/base/src/test/java/org/apache/brooklyn/entity/software/base/VanillaSoftwareProcessStreamsTest.java
+++ b/software/base/src/test/java/org/apache/brooklyn/entity/software/base/VanillaSoftwareProcessStreamsTest.java
@@ -28,6 +28,7 @@ import org.apache.brooklyn.api.location.MachineLocation;
 import org.apache.brooklyn.core.config.Sanitizer;
 import org.apache.brooklyn.location.byon.FixedListMachineProvisioningLocation;
 import org.apache.brooklyn.location.ssh.SshMachineLocation;
+import org.apache.brooklyn.test.Asserts;
 import org.apache.brooklyn.util.core.internal.ssh.RecordingSshTool;
 import org.apache.brooklyn.util.core.internal.ssh.RecordingSshTool.ExecCmdPredicates;
 import org.apache.brooklyn.util.stream.Streams;
@@ -71,6 +72,7 @@ public class VanillaSoftwareProcessStreamsTest extends AbstractSoftwareProcessSt
         // Prepare expected environment variables, secret names are keys with values that should be masked in env stream
         Map<String, String> expectedEnv = new ImmutableMap.Builder<String, String>()
                 .put("KEY1", "VAL1")
+                .put("KEY2A", "v1=v2 secret=not_hidden_if_on_same_line\nsecret2=should_be_suppressed")
                 .putAll(Sanitizer.DEFAULT_SENSITIVE_FIELDS_TOKENS.stream().collect(Collectors.toMap(item -> item, item -> item)))
                 .build();
 
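Review bot: The `KEY2A` fixture added here exercises only the `key=value` line form, while the commit message names multiline json/yaml/properties as the cases to suppress. Without a YAML-style and a JSON-style line in the fixture, a regression in masking for those formats would go unnoticed. Consider adding an entry such as `.put("KEY2B", "user: bob\nsecret: yaml_should_be_suppressed")` (constructed sample), plus a JSON equivalent. Each needs a matching `Asserts.assertStringDoesNotContain(...)` on its clear-text value in the later hunk of this file.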
@@ -115,10 +117,12 @@ public class VanillaSoftwareProcessStreamsTest extends AbstractSoftwareProcessSt
         // Calculate MD5 hash for all keys that are expected to be masked and verify them displayed masked in env stream
         Map<String, String> expectedMaskedEnv = new ImmutableMap.Builder<String, String>()
                 .put("KEY1", "VAL1") // this key must appear unmasked, it is not in the list of SECRET NAMES to mask
+                .put("KEY2A", "v1=v2 secret=not_hidden_if_on_same_line\nsecret2= "+Sanitizer.suppress("should_be_suppressed"))
                 .putAll(Sanitizer.DEFAULT_SENSITIVE_FIELDS_TOKENS.stream().collect(Collectors.toMap(
                         item -> item, // key and expected masked (suppressed) value for a SECRET NAME with MD5 hash
                         Sanitizer::suppress)))
                 .build();
+        Asserts.assertStringDoesNotContain(getAnyTaskEnvStream(entity), "should_be_suppressed");
         assertEnvStream(entity, expectedMaskedEnv);
     }