Posted to commits@brooklyn.apache.org by al...@apache.org on 2022/06/08 13:17:02 UTC
[brooklyn-server] branch master updated: if env var is multiline string, sanitize each line so we can suppress multiline maps esp multiline json/yaml/properties passed as env vars
This is an automated email from the ASF dual-hosted git repository.
algairim pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git
The following commit(s) were added to refs/heads/master by this push:
new aa26085448 if env var is multiline string, sanitize each line so we can suppress multiline maps esp multiline json/yaml/properties passed as env vars
new 7b80db6001 Merge pull request #1319 from ahgittin/sanitize-env-var-multiline
aa26085448 is described below
commit aa26085448592fbf0be170cd313b44fb0ad4c1a5
Author: Alex Heneveld <al...@cloudsoft.io>
AuthorDate: Wed Jun 8 13:38:31 2022 +0100
if env var is multiline string, sanitize each line
so we can suppress multiline maps esp multiline json/yaml/properties passed as env vars
---
.../java/org/apache/brooklyn/core/config/Sanitizer.java | 1 +
.../software/base/AbstractSoftwareProcessStreamsTest.java | 15 +++++++++++++++
.../software/base/VanillaSoftwareProcessStreamsTest.java | 4 ++++
3 files changed, 20 insertions(+)
diff --git a/core/src/main/java/org/apache/brooklyn/core/config/Sanitizer.java b/core/src/main/java/org/apache/brooklyn/core/config/Sanitizer.java
index a4b4669357..efe54699bf 100644
--- a/core/src/main/java/org/apache/brooklyn/core/config/Sanitizer.java
+++ b/core/src/main/java/org/apache/brooklyn/core/config/Sanitizer.java
@@ -203,6 +203,7 @@ public final class Sanitizer {
String stringValue = kv.getValue() != null ? kv.getValue().toString() : "";
if (!stringValue.isEmpty()) {
stringValue = Sanitizer.suppressIfSecret(kv.getKey(), stringValue);
+ stringValue = sanitizeMultilineString(stringValue);
stringValue = BashStringEscapes.wrapBash(stringValue);
}
sb.append(kv.getKey()).append("=").append(stringValue).append("\n");
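Review bot: The `sanitizeMultilineString(stringValue)` call added after `suppressIfSecret` masks less than its name suggests, and nothing at the call site says so. The test added in VanillaSoftwareProcessStreamsTest expects `secret=not_hidden_if_on_same_line` to stay in clear text when it follows another token on the same line. Compact single-line JSON or space-separated properties passed as an env var would therefore presumably still reach the env stream unmasked; the helper's body is not in this hunk, so that is inferred. I would add a comment above the call, for example `// best-effort: a sensitive key is masked only where the per-line check recognises it; secrets later on a line are NOT suppressed`, so nobody treats the env stream as safe to expose because of this call. The enclosing method starts and ends outside the hunk.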
diff --git a/software/base/src/test/java/org/apache/brooklyn/entity/software/base/AbstractSoftwareProcessStreamsTest.java b/software/base/src/test/java/org/apache/brooklyn/entity/software/base/AbstractSoftwareProcessStreamsTest.java
index bf40438c61..fc8db13a5f 100644
--- a/software/base/src/test/java/org/apache/brooklyn/entity/software/base/AbstractSoftwareProcessStreamsTest.java
+++ b/software/base/src/test/java/org/apache/brooklyn/entity/software/base/AbstractSoftwareProcessStreamsTest.java
@@ -32,6 +32,7 @@ import org.apache.brooklyn.core.entity.BrooklynConfigKeys;
import org.apache.brooklyn.core.mgmt.BrooklynTaskTags;
import org.apache.brooklyn.core.test.BrooklynAppLiveTestSupport;
import org.apache.brooklyn.core.test.entity.TestApplication;
+import org.apache.brooklyn.test.Asserts;
import org.apache.brooklyn.util.core.task.TaskPredicates;
import org.apache.brooklyn.util.text.StringPredicates;
import org.slf4j.Logger;
@@ -101,6 +102,20 @@ public abstract class AbstractSoftwareProcessStreamsTest extends BrooklynAppLive
}
}
+ protected <T extends SoftwareProcess> String getAnyTaskEnvStream(final T softwareProcessEntity) {
+ Set<Task<?>> tasks = BrooklynTaskTags.getTasksInEntityContext(mgmt.getExecutionManager(), softwareProcessEntity);
+
+ for (Map.Entry<String, String> entry : getCommands().entrySet()) {
+ String taskNameRegex = entry.getKey();
+
+ Task<?> subTask = findTaskOrSubTask(tasks, TaskPredicates.displayNameSatisfies(StringPredicates.matchesRegex(taskNameRegex))).get();
+
+ return getStreamOrFail(subTask, BrooklynTaskTags.STREAM_ENV);
+ }
+
+ throw Asserts.fail("No commands found");
+ }
+
protected <T extends SoftwareProcess> void assertEnvStream(final T softwareProcessEntity, final Map<String, String> expectedEnv) {
Set<Task<?>> tasks = BrooklynTaskTags.getTasksInEntityContext(mgmt.getExecutionManager(), softwareProcessEntity);
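Review bot: The `for` loop in `getAnyTaskEnvStream` returns on its first iteration, so it only ever looks at the first entry of `getCommands()` although it reads like a search. The unchecked `.get()` on the `findTaskOrSubTask` result also fails without saying which task name regex had no match. Either document the behaviour on the method, e.g. `/** Returns the env stream of the task matching the first entry of getCommands(); fails if there are none. */`, or move on to the next entry when no task matches so that "any" is accurate. Because the caller uses this helper for a must-not-contain check on a secret value, only one command's env stream gets that negative check; the others are covered only by whatever `assertEnvStream` compares.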
diff --git a/software/base/src/test/java/org/apache/brooklyn/entity/software/base/VanillaSoftwareProcessStreamsTest.java b/software/base/src/test/java/org/apache/brooklyn/entity/software/base/VanillaSoftwareProcessStreamsTest.java
index 4b9dfe05f0..19ebac01b3 100644
--- a/software/base/src/test/java/org/apache/brooklyn/entity/software/base/VanillaSoftwareProcessStreamsTest.java
+++ b/software/base/src/test/java/org/apache/brooklyn/entity/software/base/VanillaSoftwareProcessStreamsTest.java
@@ -28,6 +28,7 @@ import org.apache.brooklyn.api.location.MachineLocation;
import org.apache.brooklyn.core.config.Sanitizer;
import org.apache.brooklyn.location.byon.FixedListMachineProvisioningLocation;
import org.apache.brooklyn.location.ssh.SshMachineLocation;
+import org.apache.brooklyn.test.Asserts;
import org.apache.brooklyn.util.core.internal.ssh.RecordingSshTool;
import org.apache.brooklyn.util.core.internal.ssh.RecordingSshTool.ExecCmdPredicates;
import org.apache.brooklyn.util.stream.Streams;
@@ -71,6 +72,7 @@ public class VanillaSoftwareProcessStreamsTest extends AbstractSoftwareProcessSt
// Prepare expected environment variables, secret names are keys with values that should be masked in env stream
Map<String, String> expectedEnv = new ImmutableMap.Builder<String, String>()
.put("KEY1", "VAL1")
+ .put("KEY2A", "v1=v2 secret=not_hidden_if_on_same_line\nsecret2=should_be_suppressed")
.putAll(Sanitizer.DEFAULT_SENSITIVE_FIELDS_TOKENS.stream().collect(Collectors.toMap(item -> item, item -> item)))
.build();
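Review bot: The new `KEY2A` fixture covers only the `key=value` properties form, while the commit message names multiline json/yaml/properties as the cases to suppress. A second, constructed entry in `key: value` form, e.g. `.put("KEY2B", "user: bob\npassword: yaml_should_be_suppressed")`, would show whether a YAML-style separator is actually masked. It needs its expected masked counterpart and an `Asserts.assertStringDoesNotContain(getAnyTaskEnvStream(entity), "yaml_should_be_suppressed")` in the later hunk of this file. Without that, a regression that leaks secrets from YAML or JSON env values would pass this test. The test method's body starts and ends outside both hunks.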
@@ -115,10 +117,12 @@ public class VanillaSoftwareProcessStreamsTest extends AbstractSoftwareProcessSt
// Calculate MD5 hash for all keys that are expected to be masked and verify them displayed masked in env stream
Map<String, String> expectedMaskedEnv = new ImmutableMap.Builder<String, String>()
.put("KEY1", "VAL1") // this key must appear unmasked, it is not in the list of SECRET NAMES to mask
+ .put("KEY2A", "v1=v2 secret=not_hidden_if_on_same_line\nsecret2= "+Sanitizer.suppress("should_be_suppressed"))
.putAll(Sanitizer.DEFAULT_SENSITIVE_FIELDS_TOKENS.stream().collect(Collectors.toMap(
item -> item, // key and expected masked (suppressed) value for a SECRET NAME with MD5 hash
Sanitizer::suppress)))
.build();
+ Asserts.assertStringDoesNotContain(getAnyTaskEnvStream(entity), "should_be_suppressed");
assertEnvStream(entity, expectedMaskedEnv);
}