From ce47c60e9676e6ed4fa6b0e8a5bf0f36e9dfe2e1 Mon Sep 17 00:00:00 2001
From: Sergey Potachev
Date: Thu, 29 Oct 2020 18:38:26 +0300
Subject: [PATCH] #10 Password Hashes and API Tokens Returned in Response

Summary:
- Removed fields with sensitive data from users information.

Test Plan:
Scenario.
1. Login YW.
2. Open the browser developers panel; tab 'Network'; type of packets 'XHR'; (captions are from Chrome, could differ for other browsers);
3. In YW: go to 'Profile' (from the dropdown list under the user icon in right upper corner); open tab 'Users';
4. In developers panel: Find a request ''users", select the "Preview" mode in right panel of the developers panel; check that each user's description (data) doesn't have fields 'passwordHash' and 'apiToken' (see the picture).

{F14340}

Reviewers: daniel

Reviewed By: daniel

Subscribers: jenkins-bot, yugaware, wesley

Differential Revision: https://phabricator.dev.yugabyte.com/D9785
---
 .../java/com/yugabyte/yw/models/Users.java | 5 ++---
 .../java/com/yugabyte/yw/models/UsersTest.java | 18 +++++++++---------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/managed/src/main/java/com/yugabyte/yw/models/Users.java b/managed/src/main/java/com/yugabyte/yw/models/Users.java
index 7e79991fc56e..1dc3f72895a0 100644
--- a/managed/src/main/java/com/yugabyte/yw/models/Users.java
+++ b/managed/src/main/java/com/yugabyte/yw/models/Users.java
@@ -11,8 +11,6 @@
 import javax.persistence.Entity;
 import javax.persistence.Enumerated;
 import javax.persistence.EnumType;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
 import javax.persistence.Id;
 
 import org.joda.time.DateTime;
@@ -26,7 +24,6 @@
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
-import com.google.common.base.Joiner;
 import play.data.validation.Constraints;
 import play.libs.Json;
 
@@ -91,6 +88,7 @@ public String getEmail() {
 return this.email;
 }
 
+ @JsonIgnore
 @Column(length = 256, nullable = false)
 public String passwordHash;
 
@@ -107,6 +105,7 @@ public void setPassword(String password) {
 @Column(nullable = true)
 private Date authTokenIssueDate;
 
+ @JsonIgnore
 @Column(nullable = true)
 private String apiToken;
 
diff --git a/managed/src/test/java/com/yugabyte/yw/models/UsersTest.java b/managed/src/test/java/com/yugabyte/yw/models/UsersTest.java
index 85035557ce13..e800007a9895 100644
--- a/managed/src/test/java/com/yugabyte/yw/models/UsersTest.java
+++ b/managed/src/test/java/com/yugabyte/yw/models/UsersTest.java
@@ -3,24 +3,15 @@
 package com.yugabyte.yw.models;
 import com.fasterxml.jackson.databind.JsonNode;
-import com.yugabyte.yw.common.ApiUtils;
 import com.yugabyte.yw.common.ModelFactory;
-import com.yugabyte.yw.forms.UniverseDefinitionTaskParams;
-import org.apache.commons.lang3.RandomStringUtils;
 import org.junit.Before;
 import org.junit.Test;
-import org.mindrot.jbcrypt.BCrypt;
 import play.libs.Json;
 import com.yugabyte.yw.common.FakeDBApplication;
 import javax.persistence.PersistenceException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.UUID;
-
 import static com.yugabyte.yw.models.Users.Role;
 import static org.junit.Assert.*;
@@ -136,4 +127,13 @@ public void testSetRole() {
 assertEquals(fetchUser.getRole(), Role.ReadOnly);
 }
 
+ @Test
+ public void testNoSensitiveDataInJson() {
+ Users u = Users.create("foo@foo.com", "password", Role.Admin, customer.uuid);
+ assertNotNull(u.uuid);
+
+ JsonNode json = Json.toJson(u);
+ assertEquals(false, json.has("passwordHash"));
+ assertEquals(false, json.has("apiToken"));
+ }
 }
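Review bot: The `@JsonIgnore` added above `passwordHash` and again above `apiToken` in the second Users.java hunk leaves the model opt-out: each sensitive column has to remember the annotation, and neither hunk shows whether the session token that `authTokenIssueDate` (context in the second hunk) belongs to is ignored the same way, so that is worth confirming. A one-line Javadoc on both fields would record why the annotation must stay, e.g. `/** Never serialized: credential material must not appear in API responses. */`. Field-level `@JsonIgnore` also drops the property on deserialization, which is the right direction for a client-bound `Users`, but any path that round-trips a `Users` through `Json.toJson`/`Json.fromJson` would now lose these values. For `apiToken`, which is private, Jackson ignores the whole property even if a getter exists, unless that getter carries an explicit `@JsonProperty`; a quick check that no accessor re-exposes either value would close the loop. The enclosing `Users` class continues outside both hunks.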
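Review bot: `assertEquals(false, json.has("passwordHash"))` and the line after it in `testNoSensitiveDataInJson` read more naturally as `assertFalse(json.has("passwordHash"));` and `assertFalse(json.has("apiToken"));`, which the static `org.junit.Assert.*` import already supplies. The test only pins the two names the fix targets; one positive assertion such as `assertTrue(json.has("email"))` would keep it from passing vacuously if serialization of the whole object were ever suppressed. `Json.toJson(u)` covers the model-level serializer, but the title describes the users endpoint response, so a controller-level test against that endpoint would exercise the path a browser actually sees. `customer` is initialized outside the hunk, and the final `}` context line closes `UsersTest`.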