Posted to commits@ranger.apache.org by ab...@apache.org on 2021/10/06 23:34:22 UTC

[ranger] branch master updated: RANGER-3453: Avoid logging sensitive information in UserMgr.java

This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 4715c3e  RANGER-3453: Avoid logging sensitive information in UserMgr.java
4715c3e is described below

commit 4715c3e81fdf59b3d9bcc9fc0133ec6228799404
Author: Abhishek Kumar <ab...@gmail.com>
AuthorDate: Wed Oct 6 16:16:02 2021 -0700

    RANGER-3453: Avoid logging sensitive information in UserMgr.java
---
 .../main/java/org/apache/ranger/biz/UserMgr.java   | 151 ++++++---------------
 .../org/apache/ranger/view/VXPasswordChange.java   |   6 +-
 2 files changed, 45 insertions(+), 112 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 7046c9b..91144fb 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -198,127 +198,73 @@ public class UserMgr {
 	 * @return
 	 */
 	public XXPortalUser updateUser(VXPortalUser userProfile) {
-		XXPortalUser gjUser = daoManager.getXXPortalUser().getById(
-				userProfile.getId());
+		XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userProfile.getId());
 
 		if (gjUser == null) {
-			logger.error("updateUser(). User not found. userProfile="
-					+ userProfile);
+			logger.error("updateUser(). User not found. userProfile=" + userProfile);
 			return null;
 		}
 
 		checkAccess(gjUser);
-                rangerBizUtil.blockAuditorRoleUser();
-		boolean updateUser = false;
+		rangerBizUtil.blockAuditorRoleUser();
 		// Selectively update fields
 
-		// status
-		if (userProfile.getStatus() != gjUser.getStatus()) {
-			updateUser = true;
-		}
-
 		// Allowing email address update even when its set to empty.
-		// emailAddress
 		String emailAddress = userProfile.getEmailAddress();
 		if (stringUtil.isEmpty(emailAddress)) {
 			userProfile.setEmailAddress(null);
-			updateUser = true;
 		} else {
 			if (stringUtil.validateEmail(emailAddress)) {
-				XXPortalUser checkUser = daoManager.getXXPortalUser()
-						.findByEmailAddress(emailAddress);
+				XXPortalUser checkUser = daoManager.getXXPortalUser().findByEmailAddress(emailAddress);
 				if (checkUser != null) {
 					String loginId = userProfile.getLoginId();
 					if (loginId == null) {
 						throw restErrorUtil.createRESTException(
-								"Invalid user, please provide valid "
-										+ "username.",
-								MessageEnums.INVALID_INPUT_DATA);
+								"Invalid user, please provide valid username.", MessageEnums.INVALID_INPUT_DATA);
 					} else if (!loginId.equals(checkUser.getLoginId())) {
-						throw restErrorUtil
-								.createRESTException(
-										"The email address "
-												+ "you've provided already exists in system.",
-										MessageEnums.INVALID_INPUT_DATA);
+						throw restErrorUtil.createRESTException(
+								"The email address you've provided already exists in system.", MessageEnums.INVALID_INPUT_DATA);
 					} else {
 						userProfile.setEmailAddress(emailAddress);
-						updateUser = true;
 					}
 				} else {
 					userProfile.setEmailAddress(emailAddress);
-					updateUser = true;
 				}
 			} else {
-				throw restErrorUtil.createRESTException(
-						"Please provide valid email address.",
-						MessageEnums.INVALID_INPUT_DATA);
+				throw restErrorUtil.createRESTException("Please provide valid email address.", MessageEnums.INVALID_INPUT_DATA);
 			}
 		}
 
-		// loginId
-		// if (!stringUtil.isEmpty(userProfile.getLoginId())
-		// && !userProfile.getLoginId().equals(gjUser.getLoginId())) {
-		// gjUser.setLoginId(userProfile.getLoginId());
-		// updateUser = true;
-		// }
-
 		// firstName
 		if("null".equalsIgnoreCase(userProfile.getFirstName())){
 			userProfile.setFirstName("");
 		}
-		if (!stringUtil.isEmpty(userProfile.getFirstName())
-				&& !userProfile.getFirstName().equals(gjUser.getFirstName())) {
-			userProfile.setFirstName(stringUtil.toCamelCaseAllWords(userProfile
-					.getFirstName()));
-			updateUser = true;
+		if (!stringUtil.isEmpty(userProfile.getFirstName()) && !userProfile.getFirstName().equals(gjUser.getFirstName())) {
+			userProfile.setFirstName(stringUtil.toCamelCaseAllWords(userProfile.getFirstName()));
 		}
-
 		if("null".equalsIgnoreCase(userProfile.getLastName())){
 			userProfile.setLastName("");
 		}
-		if (!stringUtil.isEmpty(userProfile.getLastName())
-				&& !userProfile.getLastName().equals(gjUser.getLastName())) {
-			userProfile.setLastName(stringUtil.toCamelCaseAllWords(userProfile
-					.getLastName()));
-			updateUser = true;
+		if (!stringUtil.isEmpty(userProfile.getLastName()) && !userProfile.getLastName().equals(gjUser.getLastName())) {
+			userProfile.setLastName(stringUtil.toCamelCaseAllWords(userProfile.getLastName()));
 		}
 
 		// publicScreenName
-		if (userProfile.getFirstName() != null
-				&& userProfile.getLastName() != null
-				&& !userProfile.getFirstName().trim().isEmpty()
+		if (userProfile.getFirstName() != null && userProfile.getLastName() != null && !userProfile.getFirstName().trim().isEmpty()
 				&& !userProfile.getLastName().trim().isEmpty()) {
-			userProfile.setPublicScreenName(userProfile.getFirstName() + " "
-					+ userProfile.getLastName());
-			updateUser = true;
+			userProfile.setPublicScreenName(userProfile.getFirstName() + " " + userProfile.getLastName());
 		} else {
 			userProfile.setPublicScreenName(gjUser.getLoginId());
-			updateUser = true;
 		}
 
-		// notes
-		/*
-		 * if (!stringUtil.isEmpty(userProfile.getNotes()) &&
-		 * !userProfile.getNotes().equalsIgnoreCase(gjUser.getNotes())) {
-		 * updateUser = true; }
-		 */
-
 		// userRoleList
 		updateRoles(userProfile.getId(), userProfile.getUserRoleList());
 
-		if (updateUser) {
-
-			List<XXTrxLog> trxLogList = xPortalUserService.getTransactionLog(
-					userProfile, gjUser, "update");
-
-			userProfile.setPassword(gjUser.getPassword());
-			xPortalUserService.updateResource(userProfile);
-			sessionMgr.resetUserSessionForProfiles(ContextUtil
-					.getCurrentUserSession());
-
-                        rangerBizUtil.createTrxLog(trxLogList);
-		}
-
+		List<XXTrxLog> trxLogList = xPortalUserService.getTransactionLog(userProfile, gjUser, "update");
+		userProfile.setPassword(gjUser.getPassword());
+		xPortalUserService.updateResource(userProfile);
+		sessionMgr.resetUserSessionForProfiles(ContextUtil.getCurrentUserSession());
+		rangerBizUtil.createTrxLog(trxLogList);
 		return gjUser;
 	}
 
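Review bot: The not-found branch still serialises the whole view object at `logger.error("updateUser(). User not found. userProfile=" + userProfile);`, so whether this commit's goal holds for updateUser depends on VXPortalUser.toString() masking its password field, which is outside this diff. Logging only the identifier the lookup used avoids relying on that: `logger.error("updateUser(). User not found. userId=" + userProfile.getId());`. Dropping the `updateUser` flag looks behaviour-preserving, since every non-throwing path of the old code set it to true before reaching the guarded block. The method's Javadoc starts before the hunk.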
@@ -473,56 +419,43 @@ public class UserMgr {
 	 * @param changeEmail
 	 * @return
 	 */
-	public VXPortalUser changeEmailAddress(XXPortalUser gjUser,
-			VXPasswordChange changeEmail) {
+	public VXPortalUser changeEmailAddress(XXPortalUser gjUser, VXPasswordChange changeEmail) {
 		checkAccessForUpdate(gjUser);
-                rangerBizUtil.blockAuditorRoleUser();
+		rangerBizUtil.blockAuditorRoleUser();
 		if (StringUtils.isEmpty(changeEmail.getEmailAddress())) {
 			changeEmail.setEmailAddress(null);
 		}
 
 		if (!StringUtils.isEmpty(changeEmail.getEmailAddress()) && !stringUtil.validateEmail(changeEmail.getEmailAddress())) {
 			logger.info("Invalid email address." + changeEmail);
-			throw restErrorUtil.createRESTException(
-					"serverMsg.userMgrInvalidEmail",
-					MessageEnums.INVALID_INPUT_DATA, changeEmail.getId(),
-					"emailAddress", changeEmail.toString());
-
+			throw restErrorUtil.createRESTException("serverMsg.userMgrInvalidEmail",
+					MessageEnums.INVALID_INPUT_DATA, changeEmail.getId(), "emailAddress", changeEmail.toString());
 		}
-		
+
 		if (this.isFipsEnabled) {
 			if (!isPasswordValid(changeEmail.getLoginId(), gjUser.getPassword(), changeEmail.getOldPassword())) {
-				logger.info("changeEmailAddress(). Invalid  password. changeEmail="
-								+ changeEmail);
-								throw restErrorUtil.createRESTException(
-											"serverMsg.userMgrWrongPassword",
-												MessageEnums.OPER_NO_PERMISSION, null, null, ""
-														+ changeEmail);
-					}
-			} else {
-				String encryptedOldPwd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword());
-				if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) {
-					logger.info("changeEmailAddress(). Invalid  password. changeEmail="
-							+ changeEmail);
-					throw restErrorUtil.createRESTException(
-							"serverMsg.userMgrWrongPassword",
-							MessageEnums.OPER_NO_PERMISSION, null, null, ""
-									+ changeEmail);
-				}
+				logger.info("changeEmailAddress(). Invalid  password. changeEmail=" + changeEmail);
+				throw restErrorUtil.createRESTException("serverMsg.userMgrWrongPassword",
+												MessageEnums.OPER_NO_PERMISSION, null, null, "" + changeEmail);
+			}
+		} else {
+			String encryptedOldPwd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword());
+			if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) {
+				logger.info("changeEmailAddress(). Invalid  password. changeEmail=" + changeEmail);
+				throw restErrorUtil.createRESTException("serverMsg.userMgrWrongPassword",
+						MessageEnums.OPER_NO_PERMISSION, null, null, "" + changeEmail);
 			}
+		}
 
 		// Normalize email. Make it lower case
-		gjUser.setEmailAddress(stringUtil.normalizeEmail(changeEmail
-				.getEmailAddress()));
+		gjUser.setEmailAddress(stringUtil.normalizeEmail(changeEmail.getEmailAddress()));
 
-		String saltEncodedpasswd = encrypt(gjUser.getLoginId(),
-				changeEmail.getOldPassword());
-        if (gjUser.getUserSource() == RangerCommonEnums.USER_APP) {
-		gjUser.setPassword(saltEncodedpasswd);
-       }
-        else if (gjUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) {
-                gjUser.setPassword(gjUser.getPassword());
-        }
+		String saltEncodedpasswd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword());
+		if (gjUser.getUserSource() == RangerCommonEnums.USER_APP) {
+			gjUser.setPassword(saltEncodedpasswd);
+		} else if (gjUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) {
+			gjUser.setPassword(gjUser.getPassword());
+		}
 		daoManager.getXXPortalUser().update(gjUser);
 		return mapXXPortalUserVXPortalUser(gjUser);
 	}
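Review bot: In the non-FIPS branch, `if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword()))` checks the derived hash against the stored one with ordinary string equality, which, if stringUtil.equals delegates to String.equals, stops at the first differing character; the FIPS branch goes through isPasswordValid, whose comparison is not visible here. A length-independent check such as `if (!MessageDigest.isEqual(encryptedOldPwd.getBytes(StandardCharsets.UTF_8), gjUser.getPassword().getBytes(StandardCharsets.UTF_8)))` (java.security and java.nio.charset imports) removes that dependence, provided any null handling of encryptedOldPwd is kept equivalent. Separately, `gjUser.setPassword(gjUser.getPassword());` in the USER_EXTERNAL branch is a no-op and reads better as a comment stating that external users keep their stored password, and `encrypt(gjUser.getLoginId(), changeEmail.getOldPassword())` is evaluated twice on the non-FIPS path where encryptedOldPwd could be reused. The `"" + changeEmail` placed in the REST error message and the info log now carries the masked VXPasswordChange.toString, but that string still includes resetCode.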
diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXPasswordChange.java b/security-admin/src/main/java/org/apache/ranger/view/VXPasswordChange.java
index 96f7117..6619a7a 100644
--- a/security-admin/src/main/java/org/apache/ranger/view/VXPasswordChange.java
+++ b/security-admin/src/main/java/org/apache/ranger/view/VXPasswordChange.java
@@ -185,13 +185,13 @@ public class VXPasswordChange extends ViewBaseBean implements java.io.Serializab
 	*/
 	public String toString( ) {
 		String str = "VXPasswordChange={";
-		str += super.toString();
+		str += super.toString() + " ";
 		str += "id={" + id + "} ";
 		str += "loginId={" + loginId + "} ";
 		str += "emailAddress={" + emailAddress + "} ";
 		str += "resetCode={" + resetCode + "} ";
-		str += "oldPassword={***length=" + (oldPassword == null? 0 : oldPassword.length()) + "***} ";
-		str += "updPassword={***length=" + (updPassword == null? 0 : updPassword.length()) + "***} ";
+		str += "isOldPasswordNull={" + (oldPassword == null) + "} ";
+		str += "isUpdPasswordNull={" + (updPassword == null) + "}";
 		str += "}";
 		return str;
 	}
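Review bot: `str += "resetCode={" + resetCode + "} ";` still prints the reset code in clear while the two password fields are reduced to null flags; if resetCode is the one-time token used to reset a password, this toString, which UserMgr.changeEmailAddress places into both log lines and REST error messages, exposes a credential-equivalent value to anyone with log access. Treat it like the passwords: `str += "isResetCodeNull={" + (resetCode == null) + "} ";`. The repeated `+=` on a String is also the usual StringBuilder candidate, though the string is short. The enclosing Javadoc begins before the hunk.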