From d68e2a1818a7b694d7ae9c730304cb33cd99ec73 Mon Sep 17 00:00:00 2001 From: Abhishek Kumar Date: Wed, 10 Jun 2026 11:42:26 +0530 Subject: [PATCH] framework-jobs: fix password obfuscation for job result Fixes #13387 Signed-off-by: Abhishek Kumar --- .../jobs/impl/AsyncJobManagerImpl.java | 38 +++++++++++-------- .../framework/jobs/AsyncJobManagerTest.java | 20 ++++++++++ 2 files changed, 43 insertions(+), 15 deletions(-) diff --git a/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java b/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java index 80140b0d9502..4c1e44c5e500 100644 --- a/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java +++ b/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java @@ -31,6 +31,8 @@ import java.util.concurrent.RejectedExecutionException; import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.TimeUnit; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import javax.inject.Inject; import javax.naming.ConfigurationException; @@ -114,6 +116,8 @@ import org.apache.logging.log4j.ThreadContext; public class AsyncJobManagerImpl extends ManagerBase implements AsyncJobManager, ClusterManagerListener, Configurable { + private static final Pattern PASSWORD_FIELD_PATTERN = Pattern.compile("\\\"password\\\":\\\"([^\\\"]*)\\\"+"); + // Advanced public static final ConfigKey JobExpireMinutes = new ConfigKey("Advanced", Long.class, "job.expire.minutes", "1440", "Time (in minutes) for async-jobs to be kept in system", true, ConfigKey.Scope.Global); @@ -517,22 +521,26 @@ public AsyncJob queryJob(final long jobId, final boolean updatePollTime) { } public String obfuscatePassword(String result, boolean hidePassword) { - if (hidePassword) { - String pattern = "\"password\":"; - if (result != null) { - if (result.contains(pattern)) { - String[] resp = result.split(pattern); - String psswd = resp[1].toString().split(",")[0]; - if (psswd.endsWith("}")) { - psswd = psswd.substring(0, psswd.length() - 1); - result = resp[0] + pattern + psswd.replace(psswd.substring(2, psswd.length() - 1), "*****") + "}," + resp[1].split(",", 2)[1]; - } else { - result = resp[0] + pattern + psswd.replace(psswd.substring(2, psswd.length() - 1), "*****") + "," + resp[1].split(",", 2)[1]; - } - } - } + if (!hidePassword || StringUtils.isBlank(result)) { + return result; + } + + Matcher matcher = PASSWORD_FIELD_PATTERN.matcher(result); + StringBuilder obfuscatedResult = new StringBuilder(); + while (matcher.find()) { + String password = matcher.group(1); + String replacement = "\"password\":\"" + obfuscatePasswordValue(password) + "\""; + matcher.appendReplacement(obfuscatedResult, Matcher.quoteReplacement(replacement)); + } + matcher.appendTail(obfuscatedResult); + return obfuscatedResult.toString(); + } + + private String obfuscatePasswordValue(String password) { + if (StringUtils.isEmpty(password)) { + return password; } - return result; + return password.charAt(0) + "*****"; } private void scheduleExecution(final AsyncJobVO job) { diff --git a/framework/jobs/src/test/java/org/apache/cloudstack/framework/jobs/AsyncJobManagerTest.java b/framework/jobs/src/test/java/org/apache/cloudstack/framework/jobs/AsyncJobManagerTest.java index 7130873e4eed..f3cd37188456 100644 --- a/framework/jobs/src/test/java/org/apache/cloudstack/framework/jobs/AsyncJobManagerTest.java +++ b/framework/jobs/src/test/java/org/apache/cloudstack/framework/jobs/AsyncJobManagerTest.java @@ -17,12 +17,15 @@ package org.apache.cloudstack.framework.jobs; import org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl; +import org.apache.commons.lang3.StringUtils; import org.junit.Assert; import org.junit.Test; import org.junit.runner.RunWith; import org.mockito.Spy; import org.mockito.junit.MockitoJUnitRunner; +import com.cloud.utils.HumanReadableJson; + @RunWith (MockitoJUnitRunner.class) public class AsyncJobManagerTest { @@ -37,6 +40,12 @@ public class AsyncJobManagerTest { String inputNoBraces = "\"password\":\"password\"\",\"action\":\"OFF\""; String expectedNoBraces = "\"password\":\"p*****\",\"action\":\"OFF\""; + String realUserVmResponseWithPasswordInput = "{\"id\":\"f75b0990-5801-4b78-bcb0-58a503afa49c\",\"name\":\"pw-vm\"," + + "\"displayname\":\"pw-vm\",\"account\":\"admin\",\"password\":\"67wSK5\",\"instancename\":\"i-2-17-VM\"," + + "\"details\":{\"password\":\"3WTVryPJZJwMZGcJJ+OOYf84+uixk/1FraomPG9N6/Uvng\\u003d\\u003d\"," + + "\"Message.ReservedCapacityFreed.Flag\":\"true\",\"rootDiskController\":\"osdefault\"}," + + "\"arch\":\"x86_64\",\"jobid\":\"c13865d3-61ec-4269-979a-3d799181d5fe\",\"jobstatus\":0}"; + @Test public void obfuscatePasswordTest() { String result = asyncJobManager.obfuscatePassword(input, true); @@ -79,4 +88,15 @@ public void obfuscatePasswordTestHidePasswordNoPassword() { Assert.assertEquals(noPassword, result); } + @Test + public void obfuscatePasswordTestHidePasswordRealInput() { + String result = asyncJobManager.obfuscatePassword(realUserVmResponseWithPasswordInput, true); + + Assert.assertNotNull(result); + Assert.assertFalse(result.contains("\"password\":\"3WTVryPJZJwMZGcJJ+OOYf84+uixk\"")); + String jsonObject = HumanReadableJson.getHumanReadableBytesJson(result); + Assert.assertTrue(StringUtils.isNotEmpty(jsonObject)); + Assert.assertTrue(jsonObject.contains("\"password\":\"3*****\"")); + } + }