Extend default AWS masking patterns with assume role credentials

.gitignore

@@ -4,6 +4,7 @@
 /.project
 /pom.xml.bak
 /.settings/
+.idea
 
 # source https://github.com/github/gitignore/blob/master/Global/JetBrains.gitignore
 # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider

src/main/java/com/tsystems/sbs/DefaultRegexpPairs.java

@@ -13,22 +13,28 @@
 public final class DefaultRegexpPairs {
 
     private final static List<RegexpPair> DEFAULT_REGEXES
-            = Collections.<RegexpPair>unmodifiableList(
-                    Arrays.<RegexpPair>asList(
+            = Collections.unmodifiableList(
+                    Arrays.asList(
                     new RegexpPair("(https?+://[^:\\s]++):[^@\\s]++@", "$1:********@"),//Passwd URL MASKING
                     new RegexpPair("password=\\S*", "password=********") //PASSWORD MASKING
             ));
 
     private final static List<RegexpPair> DEFAULT_REGEXES_AWS
-            = Collections.<RegexpPair>unmodifiableList(
-            Arrays.<RegexpPair>asList(
+            = Collections.unmodifiableList(
+            Arrays.asList(
                     new RegexpPair("(AWS_[a-zA-Z_]+=)(\\S+)", "$1********"), // AWS RegExp MASKING
-                    new RegexpPair("(aws_[a-zA-Z_]+=)(\\S+)", "$1********")
+                    new RegexpPair("(aws_[a-zA-Z_]+=)(\\S+)", "$1********"),
+                    regexpMaskForJsonKeyEndingWith("accesskeyid"),
+                    regexpMaskForJsonKeyEndingWith("secretaccesskey"),
+                    regexpMaskForJsonKeyEndingWith("token"),
+                    regexpMaskForEscapedJsonKeyWithSuffix("AccessKeyId"),
+                    regexpMaskForEscapedJsonKeyWithSuffix("SecretAccessKey"),
+                    regexpMaskForEscapedJsonKeyWithSuffix("Token")
             ));
 
     private final static List<RegexpPair> DEFAULT_REGEXES_DD
-            = Collections.<RegexpPair>unmodifiableList(
-            Arrays.<RegexpPair>asList(
+            = Collections.unmodifiableList(
+            Arrays.asList(
                     new RegexpPair("((?i)(\\bdatadog|dd|dogapi\\b).*)(\\b([a-zA-Z-0-9]{32})\\b)", "$1********"), // Datadog RegExp MASKING API KEY
                     new RegexpPair("((?i)(\\bdatadog|dd|dogapi\\b).*)(\\b([a-zA-Z-0-9]{40})\\b)", "$1********") // Datadog RegExp MASKING APP KEY
             ));
@@ -44,4 +50,23 @@ public static List<RegexpPair> getDefaultRegexesAWS() {
     public static List<RegexpPair> getDefaultRegexesDD() {
         return DEFAULT_REGEXES_DD;
     }
+
+    /**
+     * Case-insensitive regexp that matches output key ending with specified word, value of which should be masked
+     * Sample input:
+     * "ansible_ec2_iam_security_credentials_instance_profiles_accesskeyid": "ASIAU5QBETVVXEXAMPLE"
+     */
+    private static RegexpPair regexpMaskForJsonKeyEndingWith(String keySuffix) {
+        return new RegexpPair("(?i)\"\\w*" + keySuffix + "\\\":\\s*\\\"[\\w\\d/+=*]+\\\"", "\"" + keySuffix + "\": \"********\"");
+    }
+
+    /**
+     * Case-sensitive regexp that matches escaped output key, value of which should be masked
+     * Typically it is masked output of escaped json
+     * Sample input:
+     * \"AccessKeyId\" : \"ASIAU5QBETVVXEXAMPLE\"
+     */
+    private static RegexpPair regexpMaskForEscapedJsonKeyWithSuffix(String key) {
+        return new RegexpPair("\\\\\\\"" + key + "\\\\\\\"\\s*:\\s*\\\\\\\"[\\w\\d/+=*]+\\\\\\\"", "\\\"" + key + "\\\": \\\"********\\\"");
+    }
 }

src/test/java/com/tsystems/sbs/DefaultRegexpPairsAWSTest.java

@@ -1,16 +1,13 @@
 package com.tsystems.sbs;
 
-import hudson.console.LineTransformationOutputStream;
 import org.junit.Test;
 
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import static org.codehaus.groovy.runtime.ResourceGroovyMethods.filterLine;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.greaterThan;
-import static org.hamcrest.Matchers.is;
 import static org.junit.Assert.assertEquals;
 
 
@@ -34,6 +31,57 @@ public void testDefaultPairs() {
         String expected = "AWS_ACCESS_KEY_ID=******** AWS_SECRET_ACCESS_KEY=******** AWS_SESSION_TOKEN=********";
 
 
+        String replacedInputString = maskIntput(input, defaultRegexpPairs);
+        System.out.println("Replaced input result: " + replacedInputString);
+
+        // Test the behavior
+        assertEquals(expected, replacedInputString);
+    }
+
+    @Test
+    public void testDefaultJsonKeyValuePairsMasking() {
+        List<RegexpPair> defaultRegexpPairs = getDefaultRegexpPairs();
+
+        String input = "log message with json {" +
+                "\"ansible_ec2_iam_security_credentials_instance_profiles_accesskeyid\": \"ASIAU5QBETVVXEXAMPLE\"," +
+                "\"ansible_ec2_iam_security_credentials_instance_profiles_secretaccesskey\": \"/lD8T9bXuZUW/F/8MutOB1vDXK2uG/gNHUe/d8bG\"," +
+                "\"ansible_ec2_iam_security_credentials_instance_profiles_token\": \"Z1XKqTnKIHd7eLJhBZb9QWVcG0Rj3f8z1uYgO4Xm6vNiD5F7cM9pA\"" +
+                "}";
+        String expected = "log message with json {" +
+                "\"accesskeyid\": \"********\"," +
+                "\"secretaccesskey\": \"********\"," +
+                "\"token\": \"********\"" +
+                "}";
+
+        String replacedInputString = maskIntput(input, defaultRegexpPairs);
+
+        // Test the behavior
+        assertEquals(expected, replacedInputString);
+    }
+
+
+    @Test
+    public void testDefaultEscapedJsonKeyValuePairsMasking() {
+        List<RegexpPair> defaultRegexpPairs = getDefaultRegexpPairs();
+
+        String input = "log message with escaped json {" +
+                "\\\"AccessKeyId\\\" : \\\"ASIAU5QBETVVXEXAMPLE\\\", " +
+                "\\\"SecretAccessKey\\\" : \\\"/lD8T9bXuZUW/F/8MutOB1vDXK2uG/gNHUe/d8bG\\\"," +
+                "\\\"Token\\\" : \\\"Z1XKqTnKIHd7eLJhBZb9QWVcG0Rj3f8z1uYgO4Xm6vNiD5F7cM9pA\\\"" +
+                "}";
+        String expected = "log message with escaped json {" +
+                "\\\"AccessKeyId\\\": \\\"********\\\", " +
+                "\\\"SecretAccessKey\\\": \\\"********\\\"," +
+                "\\\"Token\\\": \\\"********\\\"" +
+                "}";
+
+        String replacedInputString = maskIntput(input, defaultRegexpPairs);
+
+        // Test the behavior
+        assertEquals(expected, replacedInputString);
+    }
+
+    private static String maskIntput(String input, List<RegexpPair> defaultRegexpPairs) {
         StringBuilder replacedInput = new StringBuilder(input);
 
         for (RegexpPair pair : defaultRegexpPairs) {
@@ -44,7 +92,6 @@ public void testDefaultPairs() {
             Matcher matcher = regexPattern.matcher(replacedInput);
 
             while (matcher.find()) {
-                String matchedPattern = matcher.group();
                 String replacedString = replacement;
 
                 // Replace all occurrences of $n with the matched groups
@@ -58,11 +105,7 @@ public void testDefaultPairs() {
             }
         }
 
-        String replacedInputString = replacedInput.toString();
-        System.out.println("Replaced input result: " + replacedInputString);
-
-        // Test the behavior
-        assertEquals(expected, replacedInputString);
+        return replacedInput.toString();
     }
 }