framework-jobs: fix password obfuscation for job result

Fixes #13387

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

Author: shwstppr

framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java

@@ -31,6 +31,8 @@
 import java.util.concurrent.RejectedExecutionException;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
@@ -114,6 +116,8 @@
 import org.apache.logging.log4j.ThreadContext;
 
 public class AsyncJobManagerImpl extends ManagerBase implements AsyncJobManager, ClusterManagerListener, Configurable {
+    private static final Pattern PASSWORD_FIELD_PATTERN = Pattern.compile("\\\"password\\\":\\\"([^\\\"]*)\\\"+");
+
     // Advanced
     public static final ConfigKey<Long> JobExpireMinutes = new ConfigKey<Long>("Advanced", Long.class, "job.expire.minutes", "1440",
         "Time (in minutes) for async-jobs to be kept in system", true, ConfigKey.Scope.Global);
@@ -517,22 +521,26 @@ public AsyncJob queryJob(final long jobId, final boolean updatePollTime) {
     }
 
     public String obfuscatePassword(String result, boolean hidePassword) {
-        if (hidePassword) {
-            String pattern = "\"password\":";
-            if (result != null) {
-                if (result.contains(pattern)) {
-                    String[] resp = result.split(pattern);
-                    String psswd = resp[1].toString().split(",")[0];
-                    if (psswd.endsWith("}")) {
-                        psswd = psswd.substring(0, psswd.length() - 1);
-                        result = resp[0] + pattern + psswd.replace(psswd.substring(2, psswd.length() - 1), "*****") + "}," + resp[1].split(",", 2)[1];
-                    } else {
-                        result = resp[0] + pattern + psswd.replace(psswd.substring(2, psswd.length() - 1), "*****") + "," + resp[1].split(",", 2)[1];
-                    }
-                }
-            }
+        if (!hidePassword || StringUtils.isBlank(result)) {
+            return result;
+        }
+
+        Matcher matcher = PASSWORD_FIELD_PATTERN.matcher(result);
+        StringBuilder obfuscatedResult = new StringBuilder();
+        while (matcher.find()) {
+            String password = matcher.group(1);
+            String replacement = "\"password\":\"" + obfuscatePasswordValue(password) + "\"";
+            matcher.appendReplacement(obfuscatedResult, Matcher.quoteReplacement(replacement));
+        }
+        matcher.appendTail(obfuscatedResult);
+        return obfuscatedResult.toString();
+    }
+
+    private String obfuscatePasswordValue(String password) {
+        if (StringUtils.isEmpty(password)) {
+            return password;
         }
-        return result;
+        return password.charAt(0) + "*****";
     }
 
     private void scheduleExecution(final AsyncJobVO job) {

framework/jobs/src/test/java/org/apache/cloudstack/framework/jobs/AsyncJobManagerTest.java

@@ -17,12 +17,15 @@
 package org.apache.cloudstack.framework.jobs;
 
 import org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl;
+import org.apache.commons.lang3.StringUtils;
 import org.junit.Assert;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Spy;
 import org.mockito.junit.MockitoJUnitRunner;
 
+import com.cloud.utils.HumanReadableJson;
+
 @RunWith (MockitoJUnitRunner.class)
 public class AsyncJobManagerTest {
 
@@ -37,6 +40,12 @@ public class AsyncJobManagerTest {
     String inputNoBraces = "\"password\":\"password\"\",\"action\":\"OFF\"";
     String expectedNoBraces = "\"password\":\"p*****\",\"action\":\"OFF\"";
 
+    String realUserVmResponseWithPasswordInput = "{\"id\":\"f75b0990-5801-4b78-bcb0-58a503afa49c\",\"name\":\"pw-vm\"," +
+            "\"displayname\":\"pw-vm\",\"account\":\"admin\",\"password\":\"67wSK5\",\"instancename\":\"i-2-17-VM\"," +
+            "\"details\":{\"password\":\"3WTVryPJZJwMZGcJJ+OOYf84+uixk/1FraomPG9N6/Uvng\\u003d\\u003d\"," +
+            "\"Message.ReservedCapacityFreed.Flag\":\"true\",\"rootDiskController\":\"osdefault\"}," +
+            "\"arch\":\"x86_64\",\"jobid\":\"c13865d3-61ec-4269-979a-3d799181d5fe\",\"jobstatus\":0}";
+
     @Test
     public void obfuscatePasswordTest() {
         String result = asyncJobManager.obfuscatePassword(input, true);
@@ -79,4 +88,15 @@ public void obfuscatePasswordTestHidePasswordNoPassword() {
         Assert.assertEquals(noPassword, result);
     }
 
+    @Test
+    public void obfuscatePasswordTestHidePasswordRealInput() {
+        String result = asyncJobManager.obfuscatePassword(realUserVmResponseWithPasswordInput, true);
+
+        Assert.assertNotNull(result);
+        Assert.assertFalse(result.contains("\"password\":\"3WTVryPJZJwMZGcJJ+OOYf84+uixk\""));
+        String jsonObject = HumanReadableJson.getHumanReadableBytesJson(result);
+        Assert.assertTrue(StringUtils.isNotEmpty(jsonObject));
+        Assert.assertTrue(jsonObject.contains("\"password\":\"3*****\""));
+    }
+
 }