chore(jans-auth-server): sanitized username to avoid fake logs from i…

…nput (#10543) chore(jans-auth-server): sanitized username to avoid fake logs from input #10543 Signed-off-by: YuriyZ <[email protected]>
JanssenProject · Jan 6, 2025 · 57f970e · 57f970e
1 parent b8a7e1a
commit 57f970e
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 13 deletions.
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/auth/Authenticator.java b/jans-auth-server/server/src/main/java/io/jans/as/server/auth/Authenticator.java
@@ -44,6 +44,7 @@
 import java.util.Map.Entry;
 
 import static io.jans.as.model.config.Constants.AUTH_STEP;
+import static io.jans.as.server.util.ServerUtil.sanitizeUsernameForLog;
 import static org.apache.commons.lang3.BooleanUtils.isFalse;
 import static org.apache.commons.lang3.BooleanUtils.isTrue;
 
@@ -213,7 +214,7 @@ public String authenticateImpl(HttpServletRequest servletRequest, boolean intera
                                    boolean service) {
         String result = Constants.RESULT_FAILURE;
         try {
-            logger.trace("Authenticating ... (interactive: {}, skipPassword: {}, credentials.username: {})", interactive, skipPassword, credentials.getUsername());
+            logger.trace("Authenticating ... (interactive: {}, skipPassword: {}, credentials.username: {})", interactive, skipPassword, sanitizeUsernameForLog(credentials.getUsername()));
             if (isServiceAuthentication(service, skipPassword, servletRequest)) {
                 boolean authenticated = clientAuthentication(credentials, interactive, skipPassword);
                 if (authenticated) {
@@ -237,11 +238,11 @@ public String authenticateImpl(HttpServletRequest servletRequest, boolean intera
         }
 
         if (Constants.RESULT_SUCCESS.equals(result)) {
-            logger.trace("Authentication successfully for '{}'", credentials.getUsername());
+            logger.trace("Authentication successfully for '{}'", sanitizeUsernameForLog(credentials.getUsername()));
             return result;
         }
 
-        logger.info("Authentication failed for '{}'", credentials.getUsername());
+        logger.debug("Authentication failed for '{}'", sanitizeUsernameForLog(credentials.getUsername()));
         return result;
     }
 
@@ -259,7 +260,7 @@ public boolean clientAuthentication(Credentials credentials, boolean interactive
 
                 boolean result = externalAuthenticationService.executeExternalAuthenticate(customScriptConfiguration,
                         null, 1);
-                logger.info("Authentication result for user '{}', result: '{}'", credentials.getUsername(), result);
+                logger.info("Authentication result for user '{}', result: '{}'", sanitizeUsernameForLog(credentials.getUsername()), result);
 
                 if (result) {
                     Client client = authenticationService.configureSessionClient();
@@ -445,10 +446,10 @@ private String userAuthenticationInteractive(HttpServletRequest servletRequest)
                 authenticationService.quietLogin(credentials.getUsername());
 
                 // Redirect to authorization workflow
-                logger.debug("Sending event to trigger user redirection: '{}'", credentials.getUsername());
+                logger.debug("Sending event to trigger user redirection: '{}'", sanitizeUsernameForLog(credentials.getUsername()));
                 authenticationService.onSuccessfulLogin(eventSessionId);
 
-                logger.info(AUTHENTICATION_SUCCESS_FOR_USER, credentials.getUsername());
+                logger.info(AUTHENTICATION_SUCCESS_FOR_USER, sanitizeUsernameForLog(credentials.getUsername()));
                 return Constants.RESULT_SUCCESS;
             }
         } else {
@@ -460,14 +461,14 @@ private String userAuthenticationInteractive(HttpServletRequest servletRequest)
                             sessionIdAttributes);
 
                     // Redirect to authorization workflow
-                    logger.debug("Sending event to trigger user redirection: '{}'", credentials.getUsername());
+                    logger.debug("Sending event to trigger user redirection: '{}'", sanitizeUsernameForLog(credentials.getUsername()));
                     authenticationService.onSuccessfulLogin(eventSessionId);
                 } else {
                     // Force session lastUsedAt update if authentication attempt is failed
                     sessionIdService.updateSessionId(sessionId);
                 }
 
-                logger.info(AUTHENTICATION_SUCCESS_FOR_USER, credentials.getUsername());
+                logger.info(AUTHENTICATION_SUCCESS_FOR_USER, sanitizeUsernameForLog(credentials.getUsername()));
                 return Constants.RESULT_SUCCESS;
             }
         }
@@ -528,16 +529,16 @@ private boolean userAuthenticationService() {
 
                 boolean result = externalAuthenticationService.executeExternalAuthenticate(customScriptConfiguration,
                         null, 1);
-                logger.info("Authentication result for '{}'. auth_step: '{}', result: '{}'", credentials.getUsername(),
+                logger.info("Authentication result for '{}'. auth_step: '{}', result: '{}'", sanitizeUsernameForLog(credentials.getUsername()),
                         this.authStep, result);
 
                 if (result) {
                     authenticationService.configureEventUser();
 
-                    logger.info(AUTHENTICATION_SUCCESS_FOR_USER, credentials.getUsername());
+                    logger.info(AUTHENTICATION_SUCCESS_FOR_USER, sanitizeUsernameForLog(credentials.getUsername()));
                     return true;
                 }
-                logger.info("Authentication failed for User: '{}'", credentials.getUsername());
+                logger.info("Authentication failed for User: '{}'", sanitizeUsernameForLog(credentials.getUsername()));
             }
         }
 
@@ -547,10 +548,10 @@ private boolean userAuthenticationService() {
             if (authenticated) {
                 authenticationService.configureEventUser();
 
-                logger.info(AUTHENTICATION_SUCCESS_FOR_USER, credentials.getUsername());
+                logger.info(AUTHENTICATION_SUCCESS_FOR_USER, sanitizeUsernameForLog(credentials.getUsername()));
                 return true;
             }
-            logger.info("Authentication failed for User: '{}'", credentials.getUsername());
+            logger.info("Authentication failed for User: '{}'", sanitizeUsernameForLog(credentials.getUsername()));
         }
 
         return false;

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/util/ServerUtil.java b/jans-auth-server/server/src/main/java/io/jans/as/server/util/ServerUtil.java
@@ -26,6 +26,7 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.ws.rs.core.CacheControl;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -66,6 +67,21 @@ public class ServerUtil {
     private ServerUtil() {
     }
 
+    /**
+     * Sanitized username before output by logger
+     * @param username username
+     *
+     * @return sanitized username
+     */
+    public static String sanitizeUsernameForLog(String username) {
+        if (username == null) {
+            return "unknown_user";
+        }
+        final int maximumUsernameLength = 50;
+        username = username.length() > maximumUsernameLength ? username.substring(0, maximumUsernameLength) : username;
+        return StringEscapeUtils.escapeJava(username).replaceAll("[\\r\\n]", "_");
+    }
+
     public static Map<String, String[]> prepareForLogs(Map<String, String[]> parameters) {
         if (parameters == null || parameters.isEmpty()) {
             return new HashMap<>();