From 99f0cd45af1a4e9d09e0fad619508a83086fbaf2 Mon Sep 17 00:00:00 2001 From: Carl Lundin Date: Thu, 11 Aug 2022 00:30:08 +0000 Subject: [PATCH] fix: disable logging from http requests and responses. The contents of the Auth library requests contains sensitive data that should not be logged. --- oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java | 3 +++ .../com/google/auth/oauth2/ComputeEngineCredentials.java | 5 +++++ oauth2_http/java/com/google/auth/oauth2/IamUtils.java | 4 ++++ .../java/com/google/auth/oauth2/IdentityPoolCredentials.java | 2 ++ .../java/com/google/auth/oauth2/ImpersonatedCredentials.java | 2 ++ .../com/google/auth/oauth2/ServiceAccountCredentials.java | 4 ++++ .../java/com/google/auth/oauth2/StsRequestHandler.java | 3 +++ oauth2_http/java/com/google/auth/oauth2/TokenVerifier.java | 3 +++ oauth2_http/java/com/google/auth/oauth2/UserAuthorizer.java | 4 ++++ oauth2_http/java/com/google/auth/oauth2/UserCredentials.java | 2 ++ 10 files changed, 32 insertions(+) diff --git a/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java b/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java index 168af3054..3f617d6f2 100644 --- a/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java @@ -200,6 +200,7 @@ private String retrieveResource( HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory(); HttpRequest request = requestFactory.buildRequest(requestMethod, new GenericUrl(url), content); + request.setLoggingEnabled(false); HttpHeaders requestHeaders = request.getHeaders(); for (Map.Entry header : headers.entrySet()) { @@ -207,6 +208,8 @@ private String retrieveResource( } HttpResponse response = request.execute(); + response.setLoggingEnabled(false); + return response.parseAsString(); } catch (IOException e) { throw new IOException(String.format("Failed to retrieve AWS %s.", resourceName), e); 
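Review bot: The `response.setLoggingEnabled(false);` added after `HttpResponse response = request.execute();` in the second retrieveResource hunk is most likely redundant rather than protective: as far as I recall, `HttpResponse` copies `loggingEnabled` from the request in its constructor and already logs the status line and headers there, so by the time a caller can reach the setter the request-level flag has decided everything except later content logging, which that copied flag also governs. If that is right, `request.setLoggingEnabled(false);` set before `execute()` is the call that actually matters, and the response-side calls here and in the ComputeEngineCredentials, IamUtils, IdentityPoolCredentials, ImpersonatedCredentials and ServiceAccountCredentials hunks could be dropped; if it is not, they are harmless but worth a sentence in the PR description explaining what they add. Either way the intent should be stated at the request-level line, e.g. `// Never log this exchange: the request carries credentials and the response carries tokens.`, so a later refactor does not remove it as dead configuration. Disabling logging per call site is also easy to miss for the next request added to this library; passing an `HttpRequestInitializer` that calls `setLoggingEnabled(false)` to `createRequestFactory(...)` wherever the auth transport builds its factory would cover every request in one place. retrieveResource starts before the first hunk and continues past the second.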
diff --git a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java index 92ab0cb34..ee959e4e8 100644 --- a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java @@ -269,9 +269,12 @@ private HttpResponse getMetadataResponse(String url) throws IOException { request.setParser(parser); request.getHeaders().set(METADATA_FLAVOR, GOOGLE); request.setThrowExceptionOnExecuteError(false); + request.setLoggingEnabled(false); + HttpResponse response; try { response = request.execute(); + response.setLoggingEnabled(false); } catch (UnknownHostException exception) { throw new IOException( "ComputeEngineCredentials cannot find the metadata server. This is" @@ -296,8 +299,10 @@ static boolean runningOnComputeEngine( transportFactory.create().createRequestFactory().buildGetRequest(tokenUrl); request.setConnectTimeout(COMPUTE_PING_CONNECTION_TIMEOUT_MS); request.getHeaders().set(METADATA_FLAVOR, GOOGLE); + request.setLoggingEnabled(false); HttpResponse response = request.execute(); + response.setLoggingEnabled(false); try { // Internet providers can return a generic response to all requests, so it is necessary // to check that metadata header is present also. diff --git a/oauth2_http/java/com/google/auth/oauth2/IamUtils.java b/oauth2_http/java/com/google/auth/oauth2/IamUtils.java index 58ba91f97..3674f7d3c 100644 --- a/oauth2_http/java/com/google/auth/oauth2/IamUtils.java +++ b/oauth2_http/java/com/google/auth/oauth2/IamUtils.java 
@@ -113,8 +113,10 @@ private static String getSignature( JsonObjectParser parser = new JsonObjectParser(OAuth2Utils.JSON_FACTORY); request.setParser(parser); request.setThrowExceptionOnExecuteError(false); + request.setLoggingEnabled(false); HttpResponse response = request.execute(); + response.setLoggingEnabled(false); int statusCode = response.getStatusCode(); if (statusCode >= 400 && statusCode < HttpStatusCodes.STATUS_CODE_SERVER_ERROR) { GenericData responseError = response.parseAs(GenericData.class); @@ -182,8 +184,10 @@ static IdToken getIdToken( JsonObjectParser parser = new JsonObjectParser(OAuth2Utils.JSON_FACTORY); request.setParser(parser); request.setThrowExceptionOnExecuteError(false); + request.setLoggingEnabled(false); HttpResponse response = request.execute(); + response.setLoggingEnabled(false); int statusCode = response.getStatusCode(); if (statusCode >= 400 && statusCode < HttpStatusCodes.STATUS_CODE_SERVER_ERROR) { GenericData responseError = response.parseAs(GenericData.class); diff --git a/oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java b/oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java index 200d56fbb..20c01bdd1 100644 --- a/oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/IdentityPoolCredentials.java @@ -227,6 +227,7 @@ private String getSubjectTokenFromMetadataServer() throws IOException { .createRequestFactory() .buildGetRequest(new GenericUrl(identityPoolCredentialSource.credentialLocation)); request.setParser(new JsonObjectParser(OAuth2Utils.JSON_FACTORY)); + request.setLoggingEnabled(false); if (identityPoolCredentialSource.hasHeaders()) { HttpHeaders headers = new HttpHeaders(); 
@@ -236,6 +237,7 @@ private String getSubjectTokenFromMetadataServer() throws IOException { try { HttpResponse response = request.execute(); + response.setLoggingEnabled(false); return parseToken(response.getContent()); } catch (IOException e) { throw new IOException( diff --git a/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java index 375d957a4..ecde82eeb 100644 --- a/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java @@ -518,10 +518,12 @@ public AccessToken refreshAccessToken() throws IOException { HttpRequest request = requestFactory.buildPostRequest(url, requestContent); adapter.initialize(request); request.setParser(parser); + request.setLoggingEnabled(false); HttpResponse response = null; try { response = request.execute(); + response.setLoggingEnabled(false); } catch (IOException e) { throw new IOException("Error requesting access token", e); } diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java index 123d72dc0..a5c1f16d3 100644 --- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java +++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java @@ -539,6 +539,7 @@ public AccessToken refreshAccessToken() throws IOException { request.setNumberOfRetries(0); } request.setParser(new JsonObjectParser(jsonFactory)); + request.setLoggingEnabled(false); ExponentialBackOff backoff = new ExponentialBackOff.Builder() @@ -563,6 +564,7 @@ public boolean isRequired(HttpResponse response) { try { response = request.execute(); + response.setLoggingEnabled(false); } catch (HttpResponseException re) { String message = String.format(errorTemplate, re.getMessage(), getIssuer()); throw GoogleAuthException.createWithTokenEndpointResponseException(re, message); 
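Review bot: In the second ServiceAccountCredentials hunk, the new `response.setLoggingEnabled(false);` only silences the transport logger, while the `catch (HttpResponseException re)` immediately below still interpolates `re.getMessage()` into the thrown message; if I remember google-http-client correctly, that message is built from the status line plus the parsed response body, so an error body from the token endpoint can still surface wherever the resulting exception is logged, outside the switch this commit adds. For the token endpoint that body is normally just `error`/`error_description`, so this is probably acceptable, but it is worth confirming against the commit's own premise that responses are sensitive; if it is not acceptable, keep `re` as the cause and stop interpolating its message into `message`. refreshAccessToken appears to start before the first hunk and continue after the second; the `isRequired(HttpResponse response)` shown in the `@@` context looks like a nested handler rather than the enclosing method.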
@@ -606,9 +608,11 @@ public IdToken idTokenWithAudience(String targetAudience, List