From d931e9cd73c29da7ca80b15d57431e2c6b7782b5 Mon Sep 17 00:00:00 2001 From: Marco Bergen Date: Wed, 13 Nov 2024 13:16:01 +0100 Subject: [PATCH] [#233] Prevent logging of invalid login credentials because the DefaultDelegatedClientIdentityProviderConfigurationProducer of apereo.cas would print invalid credentials at an invalid login attempt, the password in the log event need to be masked to prevent guessing of actual credentials --- CHANGELOG.md | 1 + app/etc/cas/config/log4j2.xml | 7 ++++ .../MisspelledPasswordRewritePolicy.java | 42 +++++++++++++++++++ resources/etc/cas/config/log4j2.xml.tpl | 7 ++++ 4 files changed, 57 insertions(+) create mode 100644 app/src/main/java/de/triology/cas/logging/MisspelledPasswordRewritePolicy.java diff --git a/CHANGELOG.md b/CHANGELOG.md index cc226822..272c9362 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed - Fix configuration for delegated authentication with OIDC [#222] +- Prevent logging of invalid login credentials [#233] ## [v7.0.8-3] - 2024-10-11 ### Changed diff --git a/app/etc/cas/config/log4j2.xml b/app/etc/cas/config/log4j2.xml index 9ed0543a..4073754c 100644 --- a/app/etc/cas/config/log4j2.xml +++ b/app/etc/cas/config/log4j2.xml @@ -67,6 +67,10 @@ + + + + @@ -104,6 +108,9 @@ + + + diff --git a/app/src/main/java/de/triology/cas/logging/MisspelledPasswordRewritePolicy.java b/app/src/main/java/de/triology/cas/logging/MisspelledPasswordRewritePolicy.java new file mode 100644 index 00000000..f10cbf9a --- /dev/null +++ b/app/src/main/java/de/triology/cas/logging/MisspelledPasswordRewritePolicy.java 
@@ -0,0 +1,42 @@
+package de.triology.cas.logging;
+
+import org.apache.logging.log4j.core.config.plugins.Plugin;
+import org.apache.logging.log4j.core.config.plugins.PluginFactory;
+
+@Plugin(
+ name = "MisspelledPasswordRewritePolicy",
+ category = "Core",
+ elementType = "rewritePolicy",
+ printObject = true
+)
+/*
+ * Password rewriter for class org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer.
+ */
+public final class MisspelledPasswordRewritePolicy extends AbstractCASPasswordRewritePolicy {
+ private static final String PARAMETER_PASSWORD_TEXT = "password=";
+
+ @PluginFactory
+ public static MisspelledPasswordRewritePolicy createPolicy() {
+ return new MisspelledPasswordRewritePolicy();
+ }
+
+ private MisspelledPasswordRewritePolicy() {
+ //
+ }
+
+ @Override
+ protected String getPasswordFlag() {
+ return PARAMETER_PASSWORD_TEXT;
+ }
+
+ @Override
+ protected String replacePasswordValue(String originMessage) {
+ String truncatedMessage = null;
+
+ if (originMessage != null) {
+ truncatedMessage = originMessage.replaceAll("password=\\[.*\\],\\s*exec", "password=[******], exec");
+ }
+
+ return truncatedMessage;
+ }
+}
\ No newline at end of file
diff --git a/resources/etc/cas/config/log4j2.xml.tpl b/resources/etc/cas/config/log4j2.xml.tpl
index be69d14e..feaac3fa 100644
--- a/resources/etc/cas/config/log4j2.xml.tpl
+++ b/resources/etc/cas/config/log4j2.xml.tpl
@@ -67,6 +67,10 @@
+
+
+
+
@@ -104,6 +108,9 @@
+
+
+
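Review bot: `replacePasswordValue` fails open — the pattern `password=\[.*\],\s*exec` only masks a value that is followed by `], exec` on the same line (`.` stops at a line break), so a message with a different tail, or a submitted value containing a newline, is still written to the log with the password intact, which is exactly the leak this commit sets out to stop. Assuming the base class calls this method whenever `getPasswordFlag()` is found in the event (AbstractCASPasswordRewritePolicy is not in the patch), a second pass that masks any remaining `password=[` through the end of the message closes that gap; both patterns belong in `static final Pattern` constants (`java.util.regex.Pattern`) compiled with `DOTALL` rather than being recompiled by `String.replaceAll` on every log event. The `/* ... */` block placed between `@Plugin(...)` and the class keyword is a plain comment, not Javadoc; move it above the annotation as `/** Masks the password value that DefaultDelegatedClientIdentityProviderConfigurationProducer writes to the log on a failed delegated login. */`.
```java
public final class MisspelledPasswordRewritePolicy extends AbstractCASPasswordRewritePolicy {
    private static final String PARAMETER_PASSWORD_TEXT = "password=";
    private static final String MASKED_VALUE = "password=[******]";
    // Form the producer is known to emit; DOTALL so a line break inside the value cannot defeat the mask.
    private static final Pattern PASSWORD_BEFORE_EXEC =
            Pattern.compile("password=\\[.*\\],\\s*exec", Pattern.DOTALL);
    // Fail closed: any password=[ the first pass left unmasked is cut through the end of the message.
    private static final Pattern UNMASKED_PASSWORD =
            Pattern.compile("password=\\[(?!\\*{6}\\]).*", Pattern.DOTALL);

    // … unchanged: createPolicy, private constructor, getPasswordFlag …

    @Override
    protected String replacePasswordValue(String originMessage) {
        if (originMessage == null) {
            return null;
        }
        String masked = PASSWORD_BEFORE_EXEC.matcher(originMessage).replaceAll(MASKED_VALUE + ", exec");
        return UNMASKED_PASSWORD.matcher(masked).replaceAll(MASKED_VALUE);
    }
}
```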