Fix #29445: do not log raw sessionids

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/event/AuthFailedEvent.java

@@ -25,22 +25,14 @@
 public class AuthFailedEvent extends ApplicationEvent {
 
     private final String userId;
-    private final String sessionId;
 
-    public AuthFailedEvent(Object source, String userId, String sessionId) {
+    public AuthFailedEvent(Object source, String userId) {
         super(source);
         this.userId = userId;
-        this.sessionId = sessionId;
-    }
-
-    public String getSessionId() {
-        return sessionId;
     }
 
     public String getUserId() {
         return userId;
     }
 
 }
-
-

src/main/java/eu/openanalytics/containerproxy/event/UserLoginEvent.java

@@ -25,22 +25,15 @@
 public class UserLoginEvent extends ApplicationEvent {
 
     private final String userId;
-    private final String sessionId;
 
-    public UserLoginEvent(Object source, String userId, String sessionId) {
+    public UserLoginEvent(Object source, String userId) {
         super(source);
         this.userId = userId;
-        this.sessionId = sessionId;
     }
 
-    public String getSessionId() {
-        return sessionId;
-    }
 
     public String getUserId() {
         return userId;
     }
 
 }
-
-

src/main/java/eu/openanalytics/containerproxy/event/UserLogoutEvent.java

@@ -25,27 +25,20 @@
 public class UserLogoutEvent extends ApplicationEvent {
 
     private final String userId;
-    private final String sessionId;
     private final Boolean wasExpired;
 
     /**
      *
      * @param source
      * @param userId
-     * @param sessionId
      * @param wasExpired whether the user is logged automatically because the session has expired
      */
-    public UserLogoutEvent(Object source, String userId, String sessionId, Boolean wasExpired) {
+    public UserLogoutEvent(Object source, String userId, Boolean wasExpired) {
         super(source);
         this.userId = userId;
-        this.sessionId = sessionId;
         this.wasExpired = wasExpired;
     }
 
-    public String getSessionId() {
-        return sessionId;
-    }
-
     public String getUserId() {
         return userId;
     }
@@ -54,5 +47,3 @@ public Boolean getWasExpired() {
         return wasExpired;
     }
 }
-
-

src/main/java/eu/openanalytics/containerproxy/service/AccessControlEvaluationService.java

@@ -98,7 +98,7 @@ public boolean allowedByUsers(Authentication auth, AccessControl accessControl)
             return false;
         }
         for (String user : accessControl.getUsers()) {
-            if (auth.getName().equals(user)) {
+            if (UserService.getUserId(auth).equals(user)) {
                 return true;
             }
         }

src/main/java/eu/openanalytics/containerproxy/service/ProxyService.java

@@ -257,7 +257,7 @@ public Command startProxy(Authentication user, ProxySpec spec, List<RuntimeValue
 			Proxy.ProxyBuilder proxyBuilder = Proxy.builder();
 			proxyBuilder.id(proxyId);
 			proxyBuilder.status(ProxyStatus.New);
-			proxyBuilder.userId(userService.getUserId(user));
+			proxyBuilder.userId(UserService.getUserId(user));
 			proxyBuilder.specId(spec.getId());
 			proxyBuilder.createdTimestamp(System.currentTimeMillis());
 

src/main/java/eu/openanalytics/containerproxy/service/UserService.java

@@ -27,6 +27,7 @@
 import eu.openanalytics.containerproxy.event.UserLogoutEvent;
 import eu.openanalytics.containerproxy.model.runtime.Proxy;
 import eu.openanalytics.containerproxy.model.spec.ProxySpec;
+import eu.openanalytics.containerproxy.util.Sha256;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.springframework.context.ApplicationEventPublisher;
@@ -40,6 +41,7 @@
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
 import org.springframework.security.web.session.HttpSessionCreatedEvent;
 import org.springframework.security.web.session.HttpSessionDestroyedEvent;
 import org.springframework.stereotype.Service;
@@ -154,11 +156,11 @@ public boolean isMember(Authentication auth, String groupName) {
 		return false;
 	}
 
-	public String getUserId(Authentication auth) {
+	public static String getUserId(Authentication auth) {
 		if (auth == null) return null;
 		if (auth instanceof AnonymousAuthenticationToken) {
-			// Anonymous authentication: use the session id instead of the user name.
-			return RequestContextHolder.currentRequestAttributes().getSessionId();
+			// Anonymous authentication: use the session id instead of the username.
+			return Sha256.hash(((WebAuthenticationDetails) auth.getDetails()).getSessionId());
 		}
 		return auth.getName();
 	}
@@ -167,13 +169,12 @@ public String getUserId(Authentication auth) {
 	public void onAbstractAuthenticationFailureEvent(AbstractAuthenticationFailureEvent event) {
 		Authentication source = event.getAuthentication();
 		Exception e = event.getException();
-		log.info(String.format("Authentication failure [user: %s] [error: %s]", source.getName(), e.getMessage()));
+		log.info(String.format("Authentication failure [user: %s] [error: %s]", getUserId(source), e.getMessage()));
 		String userId = getUserId(source);
 
 		applicationEventPublisher.publishEvent(new AuthFailedEvent(
 				this,
-				userId,
-				RequestContextHolder.currentRequestAttributes().getSessionId()));
+				userId));
 	}
 
 	public void logout(Authentication auth) {
@@ -186,26 +187,23 @@ public void logout(Authentication auth) {
 		HttpSession session = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest().getSession();
 		session.setAttribute(ATTRIBUTE_USER_INITIATED_LOGOUT, "true"); // mark that the user initiated the logout
 
-		String sessionId = RequestContextHolder.currentRequestAttributes().getSessionId();
 		applicationEventPublisher.publishEvent(new UserLogoutEvent(
 				this,
 				userId,
-				sessionId,
 				false));
 	}
 
 	@EventListener
 	public void onAuthenticationSuccessEvent(AuthenticationSuccessEvent event) {
 		Authentication auth = event.getAuthentication();
-		String userName = auth.getName();
+		String userName = getUserId(auth);
 
 		log.info(String.format("User logged in [user: %s]", userName));
 
 		String userId = getUserId(auth);
 		applicationEventPublisher.publishEvent(new UserLoginEvent(
 				this,
-				userId,
-				RequestContextHolder.currentRequestAttributes().getSessionId()));
+				userId));
 	}
 
 	@EventListener
@@ -222,21 +220,20 @@ public void onHttpSessionDestroyedEvent(HttpSessionDestroyedEvent event) {
 				SecurityContext securityContext = event.getSecurityContexts().get(0);
 				if (securityContext == null) return;
 
-				String userId = securityContext.getAuthentication().getName();
+				String userId = getUserId(securityContext.getAuthentication());
 
 				log.info(String.format("User logged out [user: %s]", userId));
 				applicationEventPublisher.publishEvent(new UserLogoutEvent(
 						this,
 						userId,
-						event.getSession().getId(),
 						true
 				));
 			} else if (authBackend.getName().equals("none")) {
-				log.info(String.format("Anonymous user logged out [user: %s]", event.getSession().getId()));
+				String userId = Sha256.hash(event.getSession().getId());
+				log.info(String.format("Anonymous user logged out [user: %s]", userId));
 				applicationEventPublisher.publishEvent(new UserLogoutEvent(
 						this,
-						event.getSession().getId(),
-						event.getSession().getId(),
+						userId,
 						true
 				));
 			}
@@ -246,11 +243,11 @@ public void onHttpSessionDestroyedEvent(HttpSessionDestroyedEvent event) {
 	@EventListener
 	public void onHttpSessionCreated(HttpSessionCreatedEvent event) {
 		if (authBackend.getName().equals("none")) {
-			log.info(String.format("Anonymous user logged in [user: %s]", event.getSession().getId()));
+			String userId = Sha256.hash(event.getSession().getId());
+			log.info(String.format("Anonymous user logged in [user: %s]", userId));
 			applicationEventPublisher.publishEvent(new UserLoginEvent(
 					this,
-					event.getSession().getId(),
-					event.getSession().getId()));
+					userId));
 		}
 	}
 

src/main/java/eu/openanalytics/containerproxy/service/session/AbstractSessionService.java

@@ -22,6 +22,7 @@
 
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.impl.NoAuthenticationBackend;
+import eu.openanalytics.containerproxy.util.Sha256;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.security.core.Authentication;
 
@@ -45,7 +46,7 @@ protected String extractAuthName(Authentication authentication, String sessionId
         }
 
         if (authBackend.getName().equals(NoAuthenticationBackend.NAME)) {
-            return sessionId;
+            return Sha256.hash(sessionId);
         }
 
         return null;

src/main/java/eu/openanalytics/containerproxy/spec/expression/SpecExpressionContext.java

@@ -135,7 +135,7 @@ public static SpecExpressionContext create(SpecExpressionContextBuilder builder,
             }
             if (o instanceof Authentication) {
                 builder.groups = Arrays.asList(UserService.getGroups((Authentication) o));
-                builder.userId = ((Authentication) o).getName();
+                builder.userId = UserService.getUserId(((Authentication) o));
             }
         }
         return builder.build();

src/main/java/eu/openanalytics/containerproxy/stat/impl/Micrometer.java

@@ -118,13 +118,13 @@ public void run() {
 
     @EventListener
     public void onUserLogoutEvent(UserLogoutEvent event) {
-        logger.debug("UserLogoutEvent [user: {}, sessionId: {}, expired: {}]", event.getUserId(), event.getSessionId(), event.getWasExpired());
+        logger.debug("UserLogoutEvent [user: {},  expired: {}]", event.getUserId(),  event.getWasExpired());
         userLogouts.increment();
     }
 
     @EventListener
     public void onUserLoginEvent(UserLoginEvent event) {
-        logger.debug("UserLoginEvent [user: {}, sessionId: {}]", event.getUserId(), event.getSessionId());
+        logger.debug("UserLoginEvent [user: {}]", event.getUserId());
         userLogins.increment();
     }
 
@@ -178,7 +178,7 @@ public void onProxyStartFailedEvent(ProxyStartFailedEvent event) {
 
     @EventListener
     public void onAuthFailedEvent(AuthFailedEvent event) {
-        logger.debug("AuthFailedEvent [user: {}, sessionId: {}]", event.getUserId(), event.getSessionId());
+        logger.debug("AuthFailedEvent [user: {}]", event.getUserId());
         authFailedCounter.increment();
     }
 

src/main/java/eu/openanalytics/containerproxy/util/Sha256.java

@@ -0,0 +1,40 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2021 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.util;
+
+import java.math.BigInteger;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+public class Sha256 {
+
+    public static String hash(String value)  {
+        try {
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            digest.reset();
+            digest.update(value.getBytes());
+            return String.format("%040x", new BigInteger(1, digest.digest()));
+        } catch (NoSuchAlgorithmException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+
+}