fix: Add log masking class for sensitive logs (#2003)

CarsonCook · web-flow · commit 994b4831d321 · 2022-01-14T08:27:50.000+01:00
* Add logging mask class

Signed-off-by: Carson Cook &lt;carson.cook@ibm.com&gt;

* Clean up masking layout

Signed-off-by: Carson Cook &lt;carson.cook@ibm.com&gt;

* Add json value helpers to masker

Signed-off-by: Carson Cook &lt;carson.cook@ibm.com&gt;

* Add log mask to all logback configurations

Signed-off-by: Carson Cook &lt;carson.cook@ibm.com&gt;

* Fix typo in json patterns

Signed-off-by: Carson Cook &lt;carson.cook@ibm.com&gt;

* Add unit tests

Signed-off-by: Carson Cook &lt;carson.cook@ibm.com&gt;

* Add license header

Signed-off-by: Carson Cook &lt;carson.cook@ibm.com&gt;
diff --git a/apiml-common/src/main/resources/logback.xml b/apiml-common/src/main/resources/logback.xml
@@ -21,8 +21,10 @@
     </if>
     <conversionRule conversionWord="clr" converterClass="org.springframework.boot.logging.logback.ColorConverter" />
     <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
-        <encoder>
-            <pattern>${apimlLogPattern}</pattern>
+        <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
+            <layout class="org.zowe.apiml.product.logging.MaskingLogPatternLayout">
+                <pattern>${apimlLogPattern}</pattern>
+            </layout>
         </encoder>
     </appender>
 
@@ -39,8 +41,10 @@
             <maxFileSize>${MAX_FILE_SIZE}</maxFileSize>
         </triggeringPolicy>
 
-        <encoder>
-            <pattern>${apimlLogPattern}</pattern>
+        <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
+            <layout class="org.zowe.apiml.product.logging.MaskingLogPatternLayout">
+                <pattern>${apimlLogPattern}</pattern>
+            </layout>
         </encoder>
     </appender>
 
diff --git a/apiml-utility/src/main/java/org/zowe/apiml/product/logging/MaskingLogPatternLayout.java b/apiml-utility/src/main/java/org/zowe/apiml/product/logging/MaskingLogPatternLayout.java
@@ -0,0 +1,71 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.product.logging;
+
+import ch.qos.logback.classic.PatternLayout;
+import ch.qos.logback.classic.spi.ILoggingEvent;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.stream.IntStream;
+
+public class MaskingLogPatternLayout extends PatternLayout {
+    private static final String MASK_VALUE = "***";
+    private static final Pattern maskPatterns = new MaskPatternBuilder()
+        .addJsonValue("password")
+        .addJsonValue("newPassword")
+        .build();
+
+    @Override
+    public String doLayout(ILoggingEvent event) {
+        return maskMessage(super.doLayout(event));
+    }
+
+    protected String maskMessage(String message) {
+        StringBuilder sb = new StringBuilder(message);
+        Matcher matcher = maskPatterns.matcher(sb);
+        while (matcher.find()) {
+            IntStream.rangeClosed(1, matcher.groupCount()).forEach(group -> {
+                if (matcher.group(group) != null) {
+                    sb.replace(matcher.start(group), matcher.end(group), MASK_VALUE);
+                }
+            });
+        }
+        return sb.toString();
+    }
+
+    public static class MaskPatternBuilder {
+        private final List<String> maskPatterns = new ArrayList<>();
+
+        public MaskPatternBuilder add(String prefix, String capture) {
+            return add(prefix, capture, "");
+        }
+
+        public MaskPatternBuilder add(String prefix, String capture, String postfix) {
+            maskPatterns.add(prefix + "(" + capture + ")" + postfix);
+            return this;
+        }
+
+        public MaskPatternBuilder addJsonValue(String jsonKey, String... keys) {
+            // pattern to get \"KEY\":\"VALUE\" with optional white space separating them
+            add("\\\"" + jsonKey + "\\\"\\s*:\\s*", "\\\".*?\\\"");
+            for (String k : keys) {
+                add("\\\"" + k + "\\\"\\s*:\\s*", "\\\".*?\\\"");
+            }
+            return this;
+        }
+
+        public Pattern build() {
+            return Pattern.compile(String.join("|", maskPatterns), Pattern.MULTILINE);
+        }
+    }
+}
diff --git a/apiml-utility/src/test/java/org/zowe/apiml/product/logging/MaskingLogPatternLayoutTest.java b/apiml-utility/src/test/java/org/zowe/apiml/product/logging/MaskingLogPatternLayoutTest.java
@@ -0,0 +1,67 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+package org.zowe.apiml.product.logging;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class MaskingLogPatternLayoutTest {
+    @Nested
+    class WhenBuildMask {
+        private MaskingLogPatternLayout.MaskPatternBuilder underTest;
+
+        @BeforeEach
+        void setup() {
+            underTest = new MaskingLogPatternLayout.MaskPatternBuilder();
+        }
+
+        @Test
+        void givenMultiplePatterns_thenReturnMaskRegexForBoth() {
+            String expectedRegex = "one(cap1)|two(cap2)post";
+            underTest.add("one", "cap1").add("two", "cap2", "post");
+
+            assertEquals(expectedRegex, underTest.build().pattern());
+        }
+
+        @Test
+        void givenJsons_thenMaskRegexWithJsonFormat() {
+            String expectedRegex = "\\\"key1\\\"\\s*:\\s*(\\\".*?\\\")|\\\"key2\\\"\\s*:\\s*(\\\".*?\\\")";
+            underTest.addJsonValue("key1", "key2");
+
+            assertEquals(expectedRegex, underTest.build().pattern());
+        }
+    }
+
+    @Nested
+    class WhenMaskMessage {
+        private MaskingLogPatternLayout underTest;
+
+        @BeforeEach
+        void setup() {
+            underTest = new MaskingLogPatternLayout();
+        }
+
+        @Test
+        void givenNothingToMask_thenNoMask() {
+            String message = "expected log";
+            String actual = underTest.maskMessage(message);
+            assertEquals(message, actual);
+        }
+
+        @Test
+        void givenSensitiveData_thenMaskData() {
+            String actual = underTest.maskMessage("\"password\":\"mypassword\"");
+            assertEquals("\"password\":***", actual);
+        }
+    }
+}
diff --git a/caching-service/src/main/resources/logback.xml b/caching-service/src/main/resources/logback.xml
@@ -15,8 +15,10 @@
     </turboFilter>
     <conversionRule conversionWord="clr" converterClass="org.springframework.boot.logging.logback.ColorConverter" />
     <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
-        <encoder>
-            <pattern>${apimlLogPattern}</pattern>
+        <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
+            <layout class="org.zowe.apiml.product.logging.MaskingLogPatternLayout">
+                <pattern>${apimlLogPattern}</pattern>
+            </layout>
         </encoder>
     </appender>
 
@@ -33,8 +35,10 @@
             <maxFileSize>${MAX_FILE_SIZE}</maxFileSize>
         </triggeringPolicy>
 
-        <encoder>
-            <pattern>${apimlLogPattern}</pattern>
+        <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
+            <layout class="org.zowe.apiml.product.logging.MaskingLogPatternLayout">
+                <pattern>${apimlLogPattern}</pattern>
+            </layout>
         </encoder>
     </appender>
 
diff --git a/metrics-service/src/main/resources/logback.xml b/metrics-service/src/main/resources/logback.xml
@@ -15,8 +15,10 @@
     </turboFilter>
     <conversionRule conversionWord="clr" converterClass="org.springframework.boot.logging.logback.ColorConverter" />
     <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
-        <encoder>
-            <pattern>${apimlLogPattern}</pattern>
+        <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
+            <layout class="org.zowe.apiml.product.logging.MaskingLogPatternLayout">
+                <pattern>${apimlLogPattern}</pattern>
+            </layout>
         </encoder>
     </appender>
 
@@ -33,8 +35,10 @@
             <maxFileSize>${MAX_FILE_SIZE}</maxFileSize>
         </triggeringPolicy>
 
-        <encoder>
-            <pattern>${apimlLogPattern}</pattern>
+        <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
+            <layout class="org.zowe.apiml.product.logging.MaskingLogPatternLayout">
+                <pattern>${apimlLogPattern}</pattern>
+            </layout>
         </encoder>
     </appender>
 
