fix: PII in REST_INVOKE logs (#20)

src/main/java/it/gov/pagopa/pu/classification/config/RestTemplateConfig.java

@@ -1,6 +1,7 @@
 package it.gov.pagopa.pu.classification.config;
 
 import it.gov.pagopa.pu.classification.performancelogger.RestInvokePerformanceLogger;
+import it.gov.pagopa.pu.classification.util.SecurityUtils;
 import jakarta.annotation.Nonnull;
 import lombok.extern.slf4j.Slf4j;
 import org.slf4j.Logger;
@@ -53,12 +54,12 @@ protected void handleError(@Nonnull ClientHttpResponse response, @Nonnull HttpSt
                     super.handleError(response, statusCode, url, method);
                 } catch (HttpStatusCodeException ex) {
                     errorBodyLogger.info("{} {} Returned status {} and resulted on exception {} - {}: {}",
-                            method,
-                            url,
-                            ex.getStatusCode(),
-                            ex.getClass().getSimpleName(),
-                            ex.getMessage(),
-                            ex.getResponseBodyAsString());
+                      method,
+                      SecurityUtils.removePiiFromURI(url),
+                      ex.getStatusCode(),
+                      ex.getClass().getSimpleName(),
+                      ex.getMessage(),
+                      ex.getResponseBodyAsString());
                     throw ex;
                 }
             }

src/main/java/it/gov/pagopa/pu/classification/performancelogger/RestInvokePerformanceLogger.java

@@ -1,5 +1,6 @@
 package it.gov.pagopa.pu.classification.performancelogger;
 
+import it.gov.pagopa.pu.classification.util.SecurityUtils;
 import jakarta.annotation.Nonnull;
 import org.springframework.http.HttpRequest;
 import org.springframework.http.client.ClientHttpRequestExecution;
@@ -23,6 +24,6 @@ public ClientHttpResponse intercept(@Nonnull HttpRequest request, @Nonnull byte[
     }
 
     static String getRequestDetails(HttpRequest request) {
-        return "%s %s".formatted(request.getMethod(), request.getURI());
+        return "%s %s".formatted(request.getMethod(), SecurityUtils.removePiiFromURI(request.getURI()));
     }
 }

src/main/java/it/gov/pagopa/pu/classification/util/SecurityUtils.java

@@ -4,6 +4,7 @@
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.jwt.Jwt;
 
+import java.net.URI;
 import java.security.Principal;
 import java.util.Optional;
 
@@ -27,4 +28,10 @@ private static Optional<Authentication> getAuthentication() {
     return Optional.ofNullable(SecurityContextHolder.getContext())
       .flatMap(c -> Optional.ofNullable(c.getAuthentication()));
   }
+
+  public static String removePiiFromURI(URI uri){
+    return uri != null
+      ? uri.toString().replaceAll("=[^&]*", "=***")
+      : null;
+  }
 }

src/test/java/it/gov/pagopa/pu/classification/util/SecurityUtilsTest.java

@@ -9,6 +9,8 @@
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 
+import java.net.URI;
+
 class SecurityUtilsTest {
 
   @AfterEach
@@ -46,6 +48,8 @@ void givenJwtWhenGetAccessTokenThenReturnToken(){
   }
 //endregion
 
+
+
   @Test
   void givenJwtWhenGetCurrentUserExternalIdThenReturnPrincipalName(){
     // Given
@@ -58,4 +62,15 @@ void givenJwtWhenGetCurrentUserExternalIdThenReturnPrincipalName(){
     // Then
     Assertions.assertSame(principalName, result);
   }
+
+  @Test
+  void givenUriWhenRemovePiiFromURIThenOk(){
+    String result = SecurityUtils.removePiiFromURI(URI.create("https://host/path?param1=PII&param2=noPII"));
+    Assertions.assertEquals("https://host/path?param1=***&param2=***", result);
+  }
+
+  @Test
+  void givenNullUriWhenRemovePiiFromURIThenOk(){
+    Assertions.assertNull(SecurityUtils.removePiiFromURI(null));
+  }
 }