Posted to commits@ranger.apache.org by ab...@apache.org on 2021/10/06 23:34:22 UTC
[ranger] branch master updated: RANGER-3453: Avoid logging
sensitive information in UserMgr.java
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 4715c3e RANGER-3453: Avoid logging sensitive information in UserMgr.java
4715c3e is described below
commit 4715c3e81fdf59b3d9bcc9fc0133ec6228799404
Author: Abhishek Kumar <ab...@gmail.com>
AuthorDate: Wed Oct 6 16:16:02 2021 -0700
RANGER-3453: Avoid logging sensitive information in UserMgr.java
---
.../main/java/org/apache/ranger/biz/UserMgr.java | 151 ++++++---------------
.../org/apache/ranger/view/VXPasswordChange.java | 6 +-
2 files changed, 45 insertions(+), 112 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 7046c9b..91144fb 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -198,127 +198,73 @@ public class UserMgr {
* @return
*/
public XXPortalUser updateUser(VXPortalUser userProfile) {
- XXPortalUser gjUser = daoManager.getXXPortalUser().getById(
- userProfile.getId());
+ XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userProfile.getId());
if (gjUser == null) {
- logger.error("updateUser(). User not found. userProfile="
- + userProfile);
+ logger.error("updateUser(). User not found. userProfile=" + userProfile);
return null;
}
checkAccess(gjUser);
- rangerBizUtil.blockAuditorRoleUser();
- boolean updateUser = false;
+ rangerBizUtil.blockAuditorRoleUser();
// Selectively update fields
- // status
- if (userProfile.getStatus() != gjUser.getStatus()) {
- updateUser = true;
- }
-
// Allowing email address update even when its set to empty.
- // emailAddress
String emailAddress = userProfile.getEmailAddress();
if (stringUtil.isEmpty(emailAddress)) {
userProfile.setEmailAddress(null);
- updateUser = true;
} else {
if (stringUtil.validateEmail(emailAddress)) {
- XXPortalUser checkUser = daoManager.getXXPortalUser()
- .findByEmailAddress(emailAddress);
+ XXPortalUser checkUser = daoManager.getXXPortalUser().findByEmailAddress(emailAddress);
if (checkUser != null) {
String loginId = userProfile.getLoginId();
if (loginId == null) {
throw restErrorUtil.createRESTException(
- "Invalid user, please provide valid "
- + "username.",
- MessageEnums.INVALID_INPUT_DATA);
+ "Invalid user, please provide valid username.", MessageEnums.INVALID_INPUT_DATA);
} else if (!loginId.equals(checkUser.getLoginId())) {
- throw restErrorUtil
- .createRESTException(
- "The email address "
- + "you've provided already exists in system.",
- MessageEnums.INVALID_INPUT_DATA);
+ throw restErrorUtil.createRESTException(
+ "The email address you've provided already exists in system.", MessageEnums.INVALID_INPUT_DATA);
} else {
userProfile.setEmailAddress(emailAddress);
- updateUser = true;
}
} else {
userProfile.setEmailAddress(emailAddress);
- updateUser = true;
}
} else {
- throw restErrorUtil.createRESTException(
- "Please provide valid email address.",
- MessageEnums.INVALID_INPUT_DATA);
+ throw restErrorUtil.createRESTException("Please provide valid email address.", MessageEnums.INVALID_INPUT_DATA);
}
}
- // loginId
- // if (!stringUtil.isEmpty(userProfile.getLoginId())
- // && !userProfile.getLoginId().equals(gjUser.getLoginId())) {
- // gjUser.setLoginId(userProfile.getLoginId());
- // updateUser = true;
- // }
-
// firstName
if("null".equalsIgnoreCase(userProfile.getFirstName())){
userProfile.setFirstName("");
}
- if (!stringUtil.isEmpty(userProfile.getFirstName())
- && !userProfile.getFirstName().equals(gjUser.getFirstName())) {
- userProfile.setFirstName(stringUtil.toCamelCaseAllWords(userProfile
- .getFirstName()));
- updateUser = true;
+ if (!stringUtil.isEmpty(userProfile.getFirstName()) && !userProfile.getFirstName().equals(gjUser.getFirstName())) {
+ userProfile.setFirstName(stringUtil.toCamelCaseAllWords(userProfile.getFirstName()));
}
-
if("null".equalsIgnoreCase(userProfile.getLastName())){
userProfile.setLastName("");
}
- if (!stringUtil.isEmpty(userProfile.getLastName())
- && !userProfile.getLastName().equals(gjUser.getLastName())) {
- userProfile.setLastName(stringUtil.toCamelCaseAllWords(userProfile
- .getLastName()));
- updateUser = true;
+ if (!stringUtil.isEmpty(userProfile.getLastName()) && !userProfile.getLastName().equals(gjUser.getLastName())) {
+ userProfile.setLastName(stringUtil.toCamelCaseAllWords(userProfile.getLastName()));
}
// publicScreenName
- if (userProfile.getFirstName() != null
- && userProfile.getLastName() != null
- && !userProfile.getFirstName().trim().isEmpty()
+ if (userProfile.getFirstName() != null && userProfile.getLastName() != null && !userProfile.getFirstName().trim().isEmpty()
&& !userProfile.getLastName().trim().isEmpty()) {
- userProfile.setPublicScreenName(userProfile.getFirstName() + " "
- + userProfile.getLastName());
- updateUser = true;
+ userProfile.setPublicScreenName(userProfile.getFirstName() + " " + userProfile.getLastName());
} else {
userProfile.setPublicScreenName(gjUser.getLoginId());
- updateUser = true;
}
- // notes
- /*
- * if (!stringUtil.isEmpty(userProfile.getNotes()) &&
- * !userProfile.getNotes().equalsIgnoreCase(gjUser.getNotes())) {
- * updateUser = true; }
- */
-
// userRoleList
updateRoles(userProfile.getId(), userProfile.getUserRoleList());
- if (updateUser) {
-
- List<XXTrxLog> trxLogList = xPortalUserService.getTransactionLog(
- userProfile, gjUser, "update");
-
- userProfile.setPassword(gjUser.getPassword());
- xPortalUserService.updateResource(userProfile);
- sessionMgr.resetUserSessionForProfiles(ContextUtil
- .getCurrentUserSession());
-
- rangerBizUtil.createTrxLog(trxLogList);
- }
-
+ List<XXTrxLog> trxLogList = xPortalUserService.getTransactionLog(userProfile, gjUser, "update");
+ userProfile.setPassword(gjUser.getPassword());
+ xPortalUserService.updateResource(userProfile);
+ sessionMgr.resetUserSessionForProfiles(ContextUtil.getCurrentUserSession());
+ rangerBizUtil.createTrxLog(trxLogList);
return gjUser;
}
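Review bot: The "User not found" branch at the top of updateUser still concatenates the whole `userProfile` into the error log, which runs against the stated goal of this commit. VXPortalUser.toString() is not shown here, so whether it masks the password and other personal fields cannot be confirmed from this hunk. The identifier alone is enough to diagnose the miss: `logger.error("updateUser(). User not found. userId=" + userProfile.getId());`. Separately, removing the `updateUser` flag looks behaviour-preserving, because the old publicScreenName block set it to true on both paths, but a one-line comment such as `// profile is always persisted and audited` above the getTransactionLog call would make that explicit.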
@@ -473,56 +419,43 @@ public class UserMgr {
* @param changeEmail
* @return
*/
- public VXPortalUser changeEmailAddress(XXPortalUser gjUser,
- VXPasswordChange changeEmail) {
+ public VXPortalUser changeEmailAddress(XXPortalUser gjUser, VXPasswordChange changeEmail) {
checkAccessForUpdate(gjUser);
- rangerBizUtil.blockAuditorRoleUser();
+ rangerBizUtil.blockAuditorRoleUser();
if (StringUtils.isEmpty(changeEmail.getEmailAddress())) {
changeEmail.setEmailAddress(null);
}
if (!StringUtils.isEmpty(changeEmail.getEmailAddress()) && !stringUtil.validateEmail(changeEmail.getEmailAddress())) {
logger.info("Invalid email address." + changeEmail);
- throw restErrorUtil.createRESTException(
- "serverMsg.userMgrInvalidEmail",
- MessageEnums.INVALID_INPUT_DATA, changeEmail.getId(),
- "emailAddress", changeEmail.toString());
-
+ throw restErrorUtil.createRESTException("serverMsg.userMgrInvalidEmail",
+ MessageEnums.INVALID_INPUT_DATA, changeEmail.getId(), "emailAddress", changeEmail.toString());
}
-
+
if (this.isFipsEnabled) {
if (!isPasswordValid(changeEmail.getLoginId(), gjUser.getPassword(), changeEmail.getOldPassword())) {
- logger.info("changeEmailAddress(). Invalid password. changeEmail="
- + changeEmail);
- throw restErrorUtil.createRESTException(
- "serverMsg.userMgrWrongPassword",
- MessageEnums.OPER_NO_PERMISSION, null, null, ""
- + changeEmail);
- }
- } else {
- String encryptedOldPwd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword());
- if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) {
- logger.info("changeEmailAddress(). Invalid password. changeEmail="
- + changeEmail);
- throw restErrorUtil.createRESTException(
- "serverMsg.userMgrWrongPassword",
- MessageEnums.OPER_NO_PERMISSION, null, null, ""
- + changeEmail);
- }
+ logger.info("changeEmailAddress(). Invalid password. changeEmail=" + changeEmail);
+ throw restErrorUtil.createRESTException("serverMsg.userMgrWrongPassword",
+ MessageEnums.OPER_NO_PERMISSION, null, null, "" + changeEmail);
+ }
+ } else {
+ String encryptedOldPwd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword());
+ if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) {
+ logger.info("changeEmailAddress(). Invalid password. changeEmail=" + changeEmail);
+ throw restErrorUtil.createRESTException("serverMsg.userMgrWrongPassword",
+ MessageEnums.OPER_NO_PERMISSION, null, null, "" + changeEmail);
}
+ }
// Normalize email. Make it lower case
- gjUser.setEmailAddress(stringUtil.normalizeEmail(changeEmail
- .getEmailAddress()));
+ gjUser.setEmailAddress(stringUtil.normalizeEmail(changeEmail.getEmailAddress()));
- String saltEncodedpasswd = encrypt(gjUser.getLoginId(),
- changeEmail.getOldPassword());
- if (gjUser.getUserSource() == RangerCommonEnums.USER_APP) {
- gjUser.setPassword(saltEncodedpasswd);
- }
- else if (gjUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) {
- gjUser.setPassword(gjUser.getPassword());
- }
+ String saltEncodedpasswd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword());
+ if (gjUser.getUserSource() == RangerCommonEnums.USER_APP) {
+ gjUser.setPassword(saltEncodedpasswd);
+ } else if (gjUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) {
+ gjUser.setPassword(gjUser.getPassword());
+ }
daoManager.getXXPortalUser().update(gjUser);
return mapXXPortalUserVXPortalUser(gjUser);
}
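Review bot: The invalid-email branch and both wrong-password branches of changeEmailAddress still hand the whole `changeEmail` object to `logger.info` and to `restErrorUtil.createRESTException`. Whatever VXPasswordChange.toString() emits therefore lands in the log and possibly in the REST error sent back to the caller; the other file in this commit shows that still includes the login id, e-mail address and reset code, while how createRESTException uses its last argument is not visible here. Naming only the account is enough: `logger.info("changeEmailAddress(). Invalid password. loginId=" + changeEmail.getLoginId());`, with `changeEmail.getLoginId()` passed to the exception in place of `"" + changeEmail`. Keeping the login id in the failed-password message remains useful for spotting repeated attempts against one account.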
diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXPasswordChange.java b/security-admin/src/main/java/org/apache/ranger/view/VXPasswordChange.java
index 96f7117..6619a7a 100644
--- a/security-admin/src/main/java/org/apache/ranger/view/VXPasswordChange.java
+++ b/security-admin/src/main/java/org/apache/ranger/view/VXPasswordChange.java
@@ -185,13 +185,13 @@ public class VXPasswordChange extends ViewBaseBean implements java.io.Serializab
*/
public String toString( ) {
String str = "VXPasswordChange={";
- str += super.toString();
+ str += super.toString() + " ";
str += "id={" + id + "} ";
str += "loginId={" + loginId + "} ";
str += "emailAddress={" + emailAddress + "} ";
str += "resetCode={" + resetCode + "} ";
- str += "oldPassword={***length=" + (oldPassword == null? 0 : oldPassword.length()) + "***} ";
- str += "updPassword={***length=" + (updPassword == null? 0 : updPassword.length()) + "***} ";
+ str += "isOldPasswordNull={" + (oldPassword == null) + "} ";
+ str += "isUpdPasswordNull={" + (updPassword == null) + "}";
str += "}";
return str;
}
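Review bot: `resetCode` is still written in clear by the unchanged line `str += "resetCode={" + resetCode + "} ";`, while the two password fields are now reduced to null flags. If the reset code is what authorises a password reset (inferred from the name only), it deserves the same treatment: `str += "isResetCodeNull={" + (resetCode == null) + "} ";`. A short comment above the password lines, for example `// never emit password values or lengths; this string is logged by UserMgr`, would help keep a later edit from reintroducing them. The method's Javadoc opens above the hunk.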