truncate long issuers in log messages

Author: richard-dennehy

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlObjectHandler.java

@@ -267,8 +267,16 @@ private ElasticsearchSecurityException samlSignatureException(Issuer issuer, Lis
         return samlSignatureException(issuer, credentials, signature, null);
     }
 
-    private String describeIssuer(@Nullable Issuer issuer) {
-        return issuer != null ? Strings.format(" The issuer included in the SAML message was [%s]", issuer.getValue()) : "";
+    // package private for testing
+    String describeIssuer(@Nullable Issuer issuer) {
+        if (issuer == null) {
+            return "";
+        }
+        final String msg = " The issuer included in the SAML message was [%s]";
+        if (issuer.getValue().length() > 64) {
+            return Strings.format(msg + "...", Strings.cleanTruncate(issuer.getValue(), 64));
+        }
+        return Strings.format(msg, issuer.getValue());
     }
 
     private static String describeCredentials(List<Credential> credentials) {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java

@@ -39,6 +39,8 @@
 import org.opensaml.saml.saml2.core.SubjectConfirmation;
 import org.opensaml.saml.saml2.core.SubjectConfirmationData;
 import org.opensaml.saml.saml2.core.impl.AuthnStatementBuilder;
+import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
+import org.opensaml.saml.saml2.core.impl.IssuerImpl;
 import org.opensaml.saml.saml2.encryption.Encrypter;
 import org.opensaml.security.credential.BasicCredential;
 import org.opensaml.security.credential.Credential;
@@ -83,7 +85,9 @@
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.endsWith;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasLength;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.iterableWithSize;
@@ -1370,6 +1374,28 @@ public void testFailureWhenIdPCredentialsAreNull() throws Exception {
         }
     }
 
+    public void testDescribeNullIssuer() {
+        assertThat(authenticator.describeIssuer(null), equalTo(""));
+    }
+
+    public void testDescribeIssuer() {
+        final Issuer issuer = new IssuerBuilder().buildObject();
+        issuer.setValue("https://idp.saml.elastic.test/");
+        assertThat(
+            authenticator.describeIssuer(issuer),
+            equalTo(" The issuer included in the SAML message was [https://idp.saml.elastic.test/]")
+        );
+    }
+
+    public void testDescribeVeryLongIssuer() {
+        final Issuer issuer = new IssuerBuilder().buildObject();
+        issuer.setValue("https://idp.saml.elastic.test/" + "a".repeat(128));
+
+        final String description = authenticator.describeIssuer(issuer);
+        assertThat(description, hasLength(114));
+        assertThat(description, endsWith("..."));
+    }
+
     private interface CryptoTransform {
         String transform(String xml, Tuple<X509Certificate, PrivateKey> keyPair) throws Exception;
     }