From b54d5b6102bc4a2e9cc47e2ad909f5d246ebf926 Mon Sep 17 00:00:00 2001 From: Martin Laguna Date: Wed, 19 Oct 2022 12:41:18 -0400 Subject: [PATCH] Property AUTH_SOURCE_PASSWORD is no longer visible in logs Observations have been fixed --- .../classes/model/AuthenticationSource.php | 16 +++++++++++++--- workflow/engine/classes/LdapAdvanced.php | 16 ++++++++++------ 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/rbac/engine/classes/model/AuthenticationSource.php b/rbac/engine/classes/model/AuthenticationSource.php index 60f093290..90ccd2448 100644 --- a/rbac/engine/classes/model/AuthenticationSource.php +++ b/rbac/engine/classes/model/AuthenticationSource.php @@ -63,6 +63,11 @@ class AuthenticationSource extends BaseAuthenticationSource { } } $aData['AUTH_SOURCE_DATA'] = (is_array($aData['AUTH_SOURCE_DATA']) ? serialize($aData['AUTH_SOURCE_DATA']) : $aData['AUTH_SOURCE_DATA']); + + // Removing sensitive data + $loggableData = $aData; + unset($loggableData['AUTH_SOURCE_PASSWORD']); + $oConnection = Propel::getConnection(AuthenticationSourcePeer::DATABASE_NAME); try { $oAuthenticationSource = new AuthenticationSource(); @@ -71,7 +76,7 @@ class AuthenticationSource extends BaseAuthenticationSource { $oConnection->begin(); $iResult = $oAuthenticationSource->save(); $oConnection->commit(); - Log::channel(':ldapAdvanced')->info("create", Bootstrap::context($aData)); + Log::channel(':ldapAdvanced')->info("create", Bootstrap::context($loggableData)); $authSourceServerName = isset($aData['AUTH_SOURCE_SERVER_NAME']) ? ' - Server Name: '.$aData['AUTH_SOURCE_SERVER_NAME'] : ''; $authSourcePort = isset($aData['AUTH_SOURCE_PORT']) ? ' - Port: '.$aData['AUTH_SOURCE_PORT'] : ''; 
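Review bot: The redaction added before `$oConnection = Propel::getConnection(AuthenticationSourcePeer::DATABASE_NAME);` in create() hard-codes the list of secret fields in one more place: the same copy-and-unset appears again in update() and, as `$loggableAuthSource`, in LdapAdvanced, so a credential added later (another key, or something inside `AUTH_SOURCE_DATA`, which is serialized here without inspection) has to be remembered at every site. In this file a private static helper keeps the rule in one spot and gives the log calls a self-describing name; both call sites then read `Bootstrap::context(self::redactForLog($aData))`. Removing the key outright also erases any sign that a password was configured at all — if log readers rely on that, writing a fixed placeholder such as `'[REDACTED]'` instead of `unset` keeps it, though I cannot tell from here what `Bootstrap::context()` does with the array, so treat that as optional. create() begins before the hunk (the two closing braces at its top belong to logic outside the view) and continues past it.
```php
    /**
     * Copy of an auth-source record with credential fields removed, for
     * Log::channel()/Bootstrap::context() calls only; never persist the result.
     */
    private static function redactForLog(array $aData): array
    {
        unset($aData['AUTH_SOURCE_PASSWORD']);
        return $aData;
    }

    // … unchanged: create()/update() bodies; each log call becomes
    //     Bootstrap::context(self::redactForLog($aData))
```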
@@ -116,6 +121,11 @@ class AuthenticationSource extends BaseAuthenticationSource { $authSourceFilter = isset($aData['AUTH_SOURCE_DATA']['AUTH_SOURCE_ADDITIONAL_FILTER']) ? ' - Aditional Filter: '.$aData['AUTH_SOURCE_DATA']['AUTH_SOURCE_ADDITIONAL_FILTER'] : ''; $aData['AUTH_SOURCE_DATA'] = (is_array($aData['AUTH_SOURCE_DATA']) ? serialize($aData['AUTH_SOURCE_DATA']) : $aData['AUTH_SOURCE_DATA']); + + // Removing sensitive data + $loggableData = $aData; + unset($loggableData['AUTH_SOURCE_PASSWORD']); + $oConnection = Propel::getConnection(AuthenticationSourcePeer::DATABASE_NAME); try { $oAuthenticationSource = AuthenticationSourcePeer::retrieveByPK($aData['AUTH_SOURCE_UID']); @@ -125,7 +135,7 @@ class AuthenticationSource extends BaseAuthenticationSource { $oConnection->begin(); $iResult = $oAuthenticationSource->save(); $oConnection->commit(); - Log::channel(':ldapAdvanced')->info("update", Bootstrap::context($aData)); + Log::channel(':ldapAdvanced')->info("update", Bootstrap::context($loggableData)); G::auditLog("UpdateAuthSource", "Authentication Source Name: ".$aData['AUTH_SOURCE_NAME']." - Authentication Source ID: (".$aData['AUTH_SOURCE_UID'].") ".$authSourceServerName.$authSourcePort.$authSourceEnabledTLS.$authSourceVersion.$authSourceBaseDn.$authAnonymous.$authSourceSearchUser.$authSourceLdapType.$authSourceIdentifier.$authSourceFilter); return $iResult; } @@ -135,7 +145,7 @@ class AuthenticationSource extends BaseAuthenticationSource { foreach($aValidationFailures as $oValidationFailure) { $sMessage .= $oValidationFailure->getMessage() . '
'; } - Log::channel(':ldapAdvanced')->error($sMessage, Bootstrap::context($aData)); + Log::channel(':ldapAdvanced')->error($sMessage, Bootstrap::context($loggableData)); throw(new Exception('The registry cannot be updated!
'.$sMessage)); } } diff --git a/workflow/engine/classes/LdapAdvanced.php b/workflow/engine/classes/LdapAdvanced.php index a8ea2aa15..37321fc67 100644 --- a/workflow/engine/classes/LdapAdvanced.php +++ b/workflow/engine/classes/LdapAdvanced.php @@ -511,6 +511,10 @@ class LdapAdvanced { $pass = explode("_", $aAuthSource["AUTH_SOURCE_PASSWORD"]); + // Removing sensitive data + $loggableAuthSource = $aAuthSource; + unset($loggableAuthSource["AUTH_SOURCE_PASSWORD"]); + foreach ($pass as $index => $value) { if ($value == "2NnV3ujj3w") { $aAuthSource["AUTH_SOURCE_PASSWORD"] = G::decrypt($pass[0], $aAuthSource["AUTH_SOURCE_SERVER_NAME"]); @@ -518,18 +522,18 @@ class LdapAdvanced } $ldapcnn = ldap_connect($aAuthSource['AUTH_SOURCE_SERVER_NAME'], $aAuthSource['AUTH_SOURCE_PORT']); - $this->stdLog($ldapcnn, "ldap_connect", $aAuthSource); + $this->stdLog($ldapcnn, "ldap_connect", $loggableAuthSource); $ldapServer = $aAuthSource["AUTH_SOURCE_SERVER_NAME"] . ":" . $aAuthSource["AUTH_SOURCE_PORT"]; ldap_set_option($ldapcnn, LDAP_OPT_PROTOCOL_VERSION, 3); - $this->stdLog($ldapcnn, "ldap_set_option", $aAuthSource); + $this->stdLog($ldapcnn, "ldap_set_option", $loggableAuthSource); ldap_set_option($ldapcnn, LDAP_OPT_REFERRALS, 0); - $this->stdLog($ldapcnn, "ldap_set_option", $aAuthSource); + $this->stdLog($ldapcnn, "ldap_set_option", $loggableAuthSource); if (isset($aAuthSource["AUTH_SOURCE_ENABLED_TLS"]) && $aAuthSource["AUTH_SOURCE_ENABLED_TLS"]) { $resultLDAPStartTLS = @ldap_start_tls($ldapcnn); - $this->stdLog($ldapcnn, "ldap_start_tls", $aAuthSource); + $this->stdLog($ldapcnn, "ldap_start_tls", $loggableAuthSource); $ldapServer = "TLS " . $ldapServer; } 
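Review bot: The `$loggableAuthSource` snapshot is taken before the `foreach ($pass as $index => $value)` loop that overwrites `$aAuthSource["AUTH_SOURCE_PASSWORD"]` with the `G::decrypt(...)` output, and the comment `// Removing sensitive data` does not say why that ordering is safe, which is the first thing a reader of the later `stdLog(..., $loggableAuthSource)` calls will ask. Because the key is unset outright the copy carries neither the stored nor the decrypted form, so the placement is fine, but it is a point-in-time copy: any field changed on `$aAuthSource` after this line will not appear in the logs. I would replace the comment with `// Snapshot for logging only: the credential key is dropped before the loop below writes the decrypted password into $aAuthSource; pass this copy, never $aAuthSource, to stdLog()/log().` The enclosing method begins before the hunk.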
@@ -538,9 +542,9 @@ class LdapAdvanced $this->log($ldapcnn, "bind $ldapServer like anonymous user"); } else { $bBind = @ldap_bind($ldapcnn, $aAuthSource['AUTH_SOURCE_SEARCH_USER'], $aAuthSource['AUTH_SOURCE_PASSWORD']); - $this->log($ldapcnn, "bind $ldapServer with user " . $aAuthSource["AUTH_SOURCE_SEARCH_USER"]); + $this->log($ldapcnn, "bind $ldapServer with user " . $loggableAuthSource["AUTH_SOURCE_SEARCH_USER"]); } - $this->stdLog($ldapcnn, "ldap_bind", $aAuthSource); + $this->stdLog($ldapcnn, "ldap_bind", $loggableAuthSource); $this->getDiagnosticMessage($ldapcnn); if (!$bBind) { throw new Exception("Unable to bind to server: $ldapServer . " . "LDAP-Errno: " . ldap_errno($ldapcnn) . " : " . ldap_error($ldapcnn) . " \n");
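Review bot: The simple bind on the `else` branch, `@ldap_bind($ldapcnn, $aAuthSource['AUTH_SOURCE_SEARCH_USER'], $aAuthSource['AUTH_SOURCE_PASSWORD'])`, sends the very credential this patch removes from the logs, and nothing visible between the `@ldap_start_tls($ldapcnn)` call in the previous hunk and this bind acts on `$resultLDAPStartTLS`; if TLS was requested but StartTLS failed, the password crosses the wire in clear text and the only trace is the `stdLog` entry. If that check lives in the two unseen lines between the hunks this is moot; otherwise guard before the bind with `if (isset($resultLDAPStartTLS) && !$resultLDAPStartTLS) { throw new Exception("Unable to start TLS with server: $ldapServer . LDAP-Errno: " . ldap_errno($ldapcnn) . " : " . ldap_error($ldapcnn)); }` so a downgraded connection never carries the bind password. Switching the user-name log line to `$loggableAuthSource["AUTH_SOURCE_SEARCH_USER"]` is harmless but changes nothing, since only `AUTH_SOURCE_PASSWORD` was removed from the copy. The enclosing method starts before this hunk and continues past its last line.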