CASL_797 Mask Sensitive Fields Handler Response

.github/workflows/reusable-build-and-publish.yml

@@ -79,7 +79,7 @@ jobs:
         run: |
           ls -lR $ARTIFACT_DIR
       - name: Save artifact content
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ env.GITHUB_ARTIFACT_NAME }}
           path: ${{ env.ARTIFACT_DIR }}

gradle.properties

@@ -10,5 +10,5 @@ mavenPassword=YourPassword
 # When updating the version, please as well consider:
 # - here-naksha-lib-core/src/main/com/here/naksha/lib/core/NakshaVersion (static property: latest)
 # - here-naksha-app-service/src/main/resources/swagger/openapi.yaml (info.version property)
-version=2.2.2
+version=2.2.3
 

here-naksha-app-service/src/main/java/com/here/naksha/app/service/http/ops/MaskingUtil.java

@@ -25,25 +25,28 @@
 import java.util.Set;
 
 public class MaskingUtil {
-
+  public static final Set<String> SENSITIVE_PROPERTIES = Set.of("password", "authorization");
   static final String MASK = "xxxxxx";
 
   private MaskingUtil() {}
 
-  public static void maskProperties(XyzFeature feature, Set<String> propertiesToMask) {
-    maskProperties(feature.getProperties(), propertiesToMask);
+  public static void maskProperties(XyzFeature feature) {
+    maskProperties(feature.getProperties());
   }
 
-  private static void maskProperties(Map<String, Object> propertiesAsMap, Set<String> propertiesToMask) {
+  private static void maskProperties(Map<String, Object> propertiesAsMap) {
     for (Entry<String, Object> entry : propertiesAsMap.entrySet()) {
-      if (propertiesToMask.contains(entry.getKey())) {
+      if (SENSITIVE_PROPERTIES.stream()
+          .anyMatch(property -> entry.getKey().toLowerCase().contains(property.toLowerCase()))) {
         entry.setValue(MASK);
       } else if (entry.getValue() instanceof Map) {
-        maskProperties((Map<String, Object>) entry.getValue(), propertiesToMask);
+        maskProperties((Map<String, Object>) entry.getValue());
       } else if (entry.getValue() instanceof ArrayList array) {
         // recursive call to the nested array json
         for (Object arrayEntry : array) {
-          maskProperties((Map<String, Object>) arrayEntry, propertiesToMask);
+          if (arrayEntry instanceof Map) {
+            maskProperties((Map<String, Object>) arrayEntry);
+          }
         }
       }
     }

here-naksha-app-service/src/main/java/com/here/naksha/app/service/http/tasks/EventHandlerApiTask.java

@@ -18,6 +18,7 @@
  */
 package com.here.naksha.app.service.http.tasks;
 
+import static com.here.naksha.app.service.http.ops.MaskingUtil.maskProperties;
 import static com.here.naksha.common.http.apis.ApiParamsConst.HANDLER_ID;
 import static com.here.naksha.lib.core.NakshaAdminCollection.EVENT_HANDLERS;
 
@@ -97,10 +98,7 @@ protected void init() {}
     // Read request JSON
     final EventHandler newHandler = handlerFromRequestBody();
     final WriteXyzFeatures writeRequest = RequestHelper.createFeatureRequest(EVENT_HANDLERS, newHandler, false);
-    // persist new handler in Admin DB (if doesn't exist already)
-    try (Result writeResult = executeWriteRequestFromSpaceStorage(writeRequest)) {
-      return transformWriteResultToXyzFeatureResponse(writeResult, EventHandler.class);
-    }
+    return transformedResponseTo(writeRequest);
   }
 
   private @NotNull XyzResponse executeGetHandlers() {
@@ -109,18 +107,16 @@ protected void init() {}
     // Submit request to NH Space Storage
     try (Result rdResult = executeReadRequestFromSpaceStorage(request)) {
       // transform ReadResult to Http FeatureCollection response
-      return transformReadResultToXyzCollectionResponse(rdResult, EventHandler.class);
+      return transformReadResultToXyzCollectionResponse(
+          rdResult, EventHandler.class, this::handlerWithMaskedSensitiveProperties);
     }
   }
 
   private @NotNull XyzResponse executeGetHandlerById() {
     // Create ReadFeatures Request to read the handler with the specific ID from Admin DB
     final String handlerId = routingContext.pathParam(HANDLER_ID);
     final ReadFeatures request = new ReadFeatures(EVENT_HANDLERS).withPropertyOp(POp.eq(PRef.id(), handlerId));
-    // Submit request to NH Space Storage
-    try (Result rdResult = executeReadRequestFromSpaceStorage(request)) {
-      return transformReadResultToXyzFeatureResponse(rdResult, EventHandler.class);
-    }
+    return transformedResponseTo(request);
   }
 
   private @NotNull XyzResponse executeUpdateHandler() throws JsonProcessingException {
@@ -132,20 +128,41 @@ protected void init() {}
     } else {
       final WriteXyzFeatures updateHandlerReq =
           RequestHelper.updateFeatureRequest(EVENT_HANDLERS, handlerToUpdate);
-      try (Result updateHandlerResult = executeWriteRequestFromSpaceStorage(updateHandlerReq)) {
-        return transformWriteResultToXyzFeatureResponse(updateHandlerResult, EventHandler.class);
-      }
+      return transformedResponseTo(updateHandlerReq);
     }
   }
 
   private @NotNull XyzResponse executeDeleteHandler() {
     final String handlerId = ApiParams.extractMandatoryPathParam(routingContext, HANDLER_ID);
     final WriteXyzFeatures wrRequest = RequestHelper.deleteFeatureByIdRequest(EVENT_HANDLERS, handlerId);
     try (Result wrResult = executeWriteRequestFromSpaceStorage(wrRequest)) {
-      return transformDeleteResultToXyzFeatureResponse(wrResult, EventHandler.class);
+      return transformDeleteResultToXyzFeatureResponse(
+          wrResult, EventHandler.class, this::handlerWithMaskedSensitiveProperties);
     }
   }
 
+  @NotNull
+  private XyzResponse transformedResponseTo(ReadFeatures rdRequest) {
+    try (Result rdResult = executeReadRequestFromSpaceStorage(rdRequest)) {
+      return transformReadResultToXyzFeatureResponse(
+          rdResult, EventHandler.class, this::handlerWithMaskedSensitiveProperties);
+    }
+  }
+
+  @NotNull
+  private XyzResponse transformedResponseTo(WriteXyzFeatures updateHandlerReq) {
+    // persist new handler in Admin DB (if doesn't exist already)
+    try (Result updateHandlerResult = executeWriteRequestFromSpaceStorage(updateHandlerReq)) {
+      return transformWriteResultToXyzFeatureResponse(
+          updateHandlerResult, EventHandler.class, this::handlerWithMaskedSensitiveProperties);
+    }
+  }
+
+  private EventHandler handlerWithMaskedSensitiveProperties(EventHandler handler) {
+    maskProperties(handler);
+    return handler;
+  }
+
   private @NotNull EventHandler handlerFromRequestBody() throws JsonProcessingException {
     try (final Json json = Json.get()) {
       final String bodyJson = routingContext.body().asString();

here-naksha-app-service/src/main/java/com/here/naksha/app/service/http/tasks/StorageApiTask.java

@@ -39,19 +39,14 @@
 import com.here.naksha.lib.core.util.json.Json;
 import com.here.naksha.lib.core.util.storage.RequestHelper;
 import com.here.naksha.lib.core.view.ViewDeserialize;
-import com.here.naksha.lib.psql.PsqlInstanceConfig;
 import io.vertx.ext.web.RoutingContext;
-import java.util.Set;
 import org.jetbrains.annotations.NotNull;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 public class StorageApiTask extends AbstractApiTask<XyzResponse> {
 
   private static final Logger logger = LoggerFactory.getLogger(StorageApiTask.class);
-
-  private static final Set<String> SENSITIVE_PROPERTIES =
-      Set.of(PsqlInstanceConfig.PASSWORD, "Authorization", "authorization");
   private final @NotNull StorageApiReqType reqType;
 
   public enum StorageApiReqType {
@@ -164,7 +159,7 @@ private XyzResponse transformedResponseTo(WriteXyzFeatures updateStorageReq) {
   }
 
   private Storage storageWithMaskedSensitiveProperties(Storage storage) {
-    maskProperties(storage, SENSITIVE_PROPERTIES);
+    maskProperties(storage);
     return storage;
   }
 

here-naksha-app-service/src/main/resources/swagger/openapi.yaml

@@ -12,7 +12,7 @@ servers:
 info:
   title: "Naksha Hub-API"
   description: "Naksha Hub-API is a REST API to provide simple access to geo data."
-  version: "2.2.2"
+  version: "2.2.3"
 
 security:
   - AccessToken: [ ]

here-naksha-app-service/src/test/java/com/here/naksha/app/service/http/ops/MaskingUtilTest.java

@@ -15,19 +15,22 @@ class MaskingUtilTest {
   void shouldMaskProperties(){
     // Given
     XyzFeature feature = featureWithProps(mutableMapOf(
-        "sensitiveObject", mutableMapOf(
+        "Authorization", mutableMapOf(
             "some_entry_1", 123,
             "some_entry_2", "lorem ipsum"
         ),
         "headers", mutableMapOf(
             "Authorization", "secret stuff, do not look",
             "Content-Type", "application/json"
         ),
+        "customValProperties", mutableMapOf(
+                    "mod.extension-database.password", "pwd"
+            ),
         "very", mutableMapOf(
             "nested", mutableMapOf(
                 "map", mutableMapOf(
                     "to", mutableMapOf(
-                        "sensitiveObject", mutableMapOf(
+                        "authorization", mutableMapOf(
                             "foo", "bar"
                         )
                     )
@@ -36,24 +39,24 @@ void shouldMaskProperties(){
         )
     ));
 
-    // And:
-    Set<String> sensitiveProperties = Set.of("sensitiveObject", "Authorization");
-
     // When:
-    MaskingUtil.maskProperties(feature, sensitiveProperties);
+    MaskingUtil.maskProperties(feature);
 
     // Then:
     assertEquals(Map.of(
-        "sensitiveObject", MaskingUtil.MASK,
+        "Authorization", MaskingUtil.MASK,
         "headers", Map.of(
             "Authorization", MaskingUtil.MASK,
             "Content-Type", "application/json"
         ),
+        "customValProperties", Map.of(
+                 "mod.extension-database.password", MaskingUtil.MASK
+        ),
         "very", Map.of(
             "nested", Map.of(
                 "map", Map.of(
                     "to", Map.of(
-                        "sensitiveObject", MaskingUtil.MASK
+                        "authorization", MaskingUtil.MASK
                     )
                 )
             )

here-naksha-app-service/src/test/resources/unit_test_data/EventHandlerApi/TC0100_createEventHandler/create_event_handler.json

@@ -9,7 +9,13 @@
   "properties": {
     "storageId": "event_handler_api_test_storage",
     "collection": {
-      "maxAge": 2
+      "maxAge": 2,
+      "sensitiveObject": {
+        "authorization": "testAuthorization"
+      }
+    },
+    "customValProperties": {
+      "mod.extension-database.password": "pwd"
     },
     "autoCreateCollection": true,
     "autoDeleteCollection": false

here-naksha-app-service/src/test/resources/unit_test_data/EventHandlerApi/TC0100_createEventHandler/response.json

@@ -5,10 +5,16 @@
   "active": true,
   "description": "For unit testing",
   "properties": {
+    "customValProperties": {
+      "mod.extension-database.password": "xxxxxx"
+    },
     "autoDeleteCollection": false,
     "autoCreateCollection": true,
     "collection": {
-      "maxAge": 2
+      "maxAge": 2,
+      "sensitiveObject": {
+        "authorization": "xxxxxx"
+      }
     },
     "storageId": "event_handler_api_test_storage"
   },

here-naksha-app-service/src/test/resources/unit_test_data/EventHandlerApi/TC0120_getHandlerById/create_event_handler.json

@@ -9,6 +9,9 @@
     "storageId": "event_handler_api_test_storage",
     "collection": {
       "maxAge": 2
+    },
+    "customValProperties": {
+      "mod.extension-database.password": "pwd"
     }
   }
 }

here-naksha-app-service/src/test/resources/unit_test_data/EventHandlerApi/TC0120_getHandlerById/get_response.json

@@ -6,6 +6,9 @@
   "className": "com.here.naksha.lib.handlers.DefaultStorageHandler",
   "active": true,
   "properties": {
+    "customValProperties": {
+      "mod.extension-database.password": "xxxxxx"
+    },
     "storageId": "event_handler_api_test_storage",
     "collection": {
       "maxAge": 2

here-naksha-app-service/src/test/resources/unit_test_data/EventHandlerApi/TC0160_updateEventHandler/response.json

@@ -6,6 +6,9 @@
   "className": "com.here.naksha.lib.handlers.DefaultStorageHandler",
   "active": true,
   "properties": {
+    "customValProperties": {
+      "mod.extension-database.password": "xxxxxx"
+    },
     "storageId": "event_handler_api_test_storage",
     "collection": {
       "maxAge": 3

here-naksha-app-service/src/test/resources/unit_test_data/EventHandlerApi/TC0160_updateEventHandler/update_event_handler.json

@@ -9,6 +9,9 @@
     "storageId": "event_handler_api_test_storage",
     "collection": {
       "maxAge": 3
+    },
+    "customValProperties": {
+      "mod.extension-database.password": "pwd"
     }
   }
 }

here-naksha-lib-core/src/main/java/com/here/naksha/lib/core/NakshaVersion.java

@@ -60,12 +60,13 @@ public class NakshaVersion implements Comparable<NakshaVersion> {
   public static final String v2_2_0 = "2.2.0";
   public static final String v2_2_1 = "2.2.1";
   public static final String v2_2_2 = "2.2.2";
+  public static final String v2_2_3 = "2.2.3";
 
   /**
    * The latest version of the naksha-extension stored in the resources.
    */
   @AvailableSince(v2_0_5)
-  public static final NakshaVersion latest = of(v2_2_2);
+  public static final NakshaVersion latest = of(v2_2_3);
 
   private final int major;
   private final int minor;