You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pinot.apache.org by GitBox <gi...@apache.org> on 2021/09/08 18:11:11 UTC
[GitHub] [pinot] apucher commented on a change in pull request #7407: Obfuscator base implementation
apucher commented on a change in pull request #7407:
URL: https://github.com/apache/pinot/pull/7407#discussion_r704659809
##########
File path: pinot-spi/src/main/java/org/apache/pinot/spi/utils/Obfuscator.java
##########
@@ -0,0 +1,114 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pinot.spi.utils;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ArrayNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import java.util.List;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import java.util.stream.IntStream;
+import java.util.stream.Stream;
+
+
+/**
+ * Simple obfuscator for object trees and configuration containers with key-value pairs. Matches a configurable set of
+ * patterns and replaces sensitive values with a pre-defined masked value for output.
+ *
+ * Example input:
+ * <pre>
+ * {
+ * "type": "sample object",
+ * "nestedCredentials": {
+ * "user": "admin",
+ * "password": "verysecret"
+ * }
+ * }
+ * </pre>
+ *
+ * Example output
+ * <pre>
+ * {
+ * "type": "sample object",
+ * "nestedCredentials": {
+ * "user": "admin",
+ * "password": "*****"
+ * }
+ * }
+ * </pre>
+ */
+public final class Obfuscator {
+ private static final String DEFAULT_MASKED_VALUE = "*****";
+ private static final List<Pattern> DEFAULT_PATTERNS =
+ Stream.of("(?i).*secret$", "(?i).*password$", "(?i).*token$").map(Pattern::compile).collect(Collectors.toList());
+
+ private final String _maskedValue;
+ private final List<Pattern> _patterns;
+
+ /**
+ * Obfuscator with default behavior matching (ignore case) "secret", "password", and "token" suffixes. Masks any
+ * values with '*****'
+ */
+ public Obfuscator() {
+ _maskedValue = DEFAULT_MASKED_VALUE;
+ _patterns = DEFAULT_PATTERNS;
+ }
+
+ /**
+ * Obfuscator with customized masking behavior. Defaults do not apply! Please ensure case-insensitive regex matching.
+ *
+ * @param maskedValue replacement value
+ * @param patterns key patterns to obfuscate
+ */
+ public Obfuscator(String maskedValue, List<Pattern> patterns) {
+ _maskedValue = maskedValue;
+ _patterns = patterns;
+ }
+
+ /**
+ * Serialize an object tree as JSON and obfuscate matching keys.
+ *
+ * @param object input value
+ * @return obfuscated JSON tree
+ */
+ public JsonNode obfuscateJson(Object object) {
Review comment:
that obfuscator would just be a set of regexes? in that case this is the "utility class" already.
I bet there's a way to extend jackson with this directly but digging into this seems overkill for what we're trying to achieve here.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org
For additional commands, e-mail: commits-help@pinot.apache.org