Bug 9447 - ModifySshKeyCommand contents are logged...

Since private and public keys are logged, this is a Security concern Changes: Added capability to 'Command' instances to support excluding certain fields from getting logged using GSON @Expose annotation.
2011-04-20 13:52:53 -07:00 · 2011-04-20 13:52:53 -07:00 · 09b4b06b63
parent e69774e13a
commit 09b4b06b63
4 changed files with 47 additions and 13 deletions
--- a/api/src/com/cloud/agent/api/Command.java
+++ b/api/src/com/cloud/agent/api/Command.java
@ -56,4 +56,9 @@ public abstract class Command {
    public String getContextParam(String name) {
        return contextMap.get(name);
    }
+    
+    public boolean doesCommandUseExposeAnnotation(){
+    	return false;
+    }
+
 }
--- a/api/src/com/cloud/agent/api/ModifySshKeysCommand.java
+++ b/api/src/com/cloud/agent/api/ModifySshKeysCommand.java
@ -18,9 +18,11 @@

 package com.cloud.agent.api;

+import com.google.gson.annotations.Expose;
+
 public class ModifySshKeysCommand extends Command {
-	private String _pubKey;
-	private String _prvKey;
+	@Expose(serialize = false, deserialize = false) private String _pubKey;
+	@Expose(serialize = false, deserialize = false) private String _prvKey;
 	public ModifySshKeysCommand() {
 		
 	}
@ -39,5 +41,11 @@ public class ModifySshKeysCommand extends Command {
 		// TODO Auto-generated method stub
 		return false;
 	}
+	
+	@Override
+	public boolean doesCommandUseExposeAnnotation(){
+    	return true;
+    }
+

 }
--- a/core/src/com/cloud/agent/transport/ArrayTypeAdaptor.java
+++ b/core/src/com/cloud/agent/transport/ArrayTypeAdaptor.java
@ -40,10 +40,10 @@ import com.google.gson.JsonSerializer;
 public class ArrayTypeAdaptor<T> implements JsonDeserializer<T[]>, JsonSerializer<T[]> {

 	static final GsonBuilder s_gBuilder;
+	static final GsonBuilder s_exposeAnnotationBuilder;
    static {
        s_gBuilder = Request.initBuilder();
-//        final Type listType = new TypeToken<List<VolumeVO>>() {}.getType();
-//        s_gBuilder.registerTypeAdapter(listType, new VolListTypeAdaptor());
+        s_exposeAnnotationBuilder = Request.initBuilderWithExposeAnnotation();
    }
 	
 	
@ -56,6 +56,12 @@ public class ArrayTypeAdaptor<T> implements JsonDeserializer<T[]>, JsonSerialize
        Gson gson = s_gBuilder.create();
        JsonArray array = new JsonArray();
        for (T cmd : src) {
+        	if(typeOfSrc.getClass().isInstance(Command.class)){
+        		Command innercmd = (Command)cmd;
+        		if(innercmd.doesCommandUseExposeAnnotation()){
+        			gson = s_exposeAnnotationBuilder.create();
+        		}
+        	}
            JsonObject obj = new JsonObject();
            obj.add(cmd.getClass().getName().substring(s_pkg.length()), gson.toJsonTree(cmd));
            array.add(obj);
--- a/core/src/com/cloud/agent/transport/Request.java
+++ b/core/src/com/cloud/agent/transport/Request.java
@ -32,6 +32,8 @@ import com.cloud.exception.UnsupportedVersionException;
 import com.cloud.utils.NumbersUtil;
 import com.cloud.utils.Pair;
 import com.cloud.utils.exception.CloudRuntimeException;
+import com.google.gson.ExclusionStrategy;
+import com.google.gson.FieldAttributes;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import com.google.gson.JsonArray;
@ -88,20 +90,33 @@ public class Request {
    protected static final short FLAG_CONTROL = 0x40;

    protected static final GsonBuilder s_gBuilder;
+    protected static final GsonBuilder s_exposeAnnotationBuilder;
+
    static {
        s_gBuilder = new GsonBuilder();
-        s_gBuilder.registerTypeAdapter(Command[].class, new ArrayTypeAdaptor<Command>());
-        s_gBuilder.registerTypeAdapter(Answer[].class, new ArrayTypeAdaptor<Answer>());
-//        final Type listType = new TypeToken<List<VolumeVO>>() {}.getType();
-//        s_gBuilder.registerTypeAdapter(listType, new VolListTypeAdaptor());
-        s_gBuilder.registerTypeAdapter(new TypeToken<List<PortConfig>>() {}.getType(), new PortConfigListTypeAdaptor());
-        s_gBuilder.registerTypeAdapter(new TypeToken<Pair<Long, Long>>() {}.getType(), new NwGroupsCommandTypeAdaptor());
-        s_logger.info("Builder inited.");
+        setDefaultGsonConfig(s_gBuilder);
+        s_logger.info("Default Builder inited.");
+        
+        s_exposeAnnotationBuilder = new GsonBuilder();
+        setDefaultGsonConfig(s_exposeAnnotationBuilder);
+		s_exposeAnnotationBuilder.excludeFieldsWithoutExposeAnnotation();
+        s_logger.info("Expose annotation Builder inited.");
+    }
+    
+    public static void setDefaultGsonConfig(GsonBuilder builder){
+    	builder.registerTypeAdapter(Command[].class, new ArrayTypeAdaptor<Command>());
+    	builder.registerTypeAdapter(Answer[].class, new ArrayTypeAdaptor<Answer>());
+    	builder.registerTypeAdapter(new TypeToken<List<PortConfig>>() {}.getType(), new PortConfigListTypeAdaptor());
+    	builder.registerTypeAdapter(new TypeToken<Pair<Long, Long>>() {}.getType(), new NwGroupsCommandTypeAdaptor());
    }

    public static GsonBuilder initBuilder() {
        return s_gBuilder;
    }
+    
+    public static GsonBuilder initBuilderWithExposeAnnotation() {
+        return s_exposeAnnotationBuilder;
+    }

    protected Version                 _ver;
    protected long                    _seq;
@ -240,7 +255,7 @@ public class Request {
    public String toString() {
        String content = _content;
        if (content == null) {
-            final Gson gson = s_gBuilder.create();
+        	final Gson gson = s_gBuilder.create();
            try {
            	content = gson.toJson(_cmds);
            } catch(Throwable e) {
@ -330,7 +345,7 @@ public class Request {
            s_logger.trace(buf.toString());
        }
    }
-
+    
    /**
     * Factory method for Request and Response.  It expects the bytes to be
     * correctly formed so it's possible that it throws underflow exceptions