fix: PII in REST_INVOKE logs (#21)

pagopa · Mar 3, 2025 · 93e8ac5 · 93e8ac5
1 parent afa02c7
commit 93e8ac5
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 7 deletions.
diff --git a/src/main/java/it/gov/pagopa/pu/send/config/RestTemplateConfig.java b/src/main/java/it/gov/pagopa/pu/send/config/RestTemplateConfig.java
@@ -1,6 +1,7 @@
 package it.gov.pagopa.pu.send.config;
 
 import it.gov.pagopa.pu.send.performancelogger.RestInvokePerformanceLogger;
+import it.gov.pagopa.pu.send.util.SecurityUtils;
 import jakarta.annotation.Nonnull;
 import lombok.extern.slf4j.Slf4j;
 import org.slf4j.Logger;
@@ -53,12 +54,12 @@ protected void handleError(@Nonnull ClientHttpResponse response, @Nonnull HttpSt
                     super.handleError(response, statusCode, url, method);
                 } catch (HttpStatusCodeException ex) {
                     errorBodyLogger.info("{} {} Returned status {} and resulted on exception {} - {}: {}",
-                            method,
-                            url,
-                            ex.getStatusCode(),
-                            ex.getClass().getSimpleName(),
-                            ex.getMessage(),
-                            ex.getResponseBodyAsString());
+                      method,
+                      SecurityUtils.removePiiFromURI(url),
+                      ex.getStatusCode(),
+                      ex.getClass().getSimpleName(),
+                      ex.getMessage(),
+                      ex.getResponseBodyAsString());
                     throw ex;
                 }
             }

diff --git a/src/main/java/it/gov/pagopa/pu/send/performancelogger/RestInvokePerformanceLogger.java b/src/main/java/it/gov/pagopa/pu/send/performancelogger/RestInvokePerformanceLogger.java
@@ -1,5 +1,6 @@
 package it.gov.pagopa.pu.send.performancelogger;
 
+import it.gov.pagopa.pu.send.util.SecurityUtils;
 import jakarta.annotation.Nonnull;
 import org.springframework.http.HttpRequest;
 import org.springframework.http.client.ClientHttpRequestExecution;
@@ -23,6 +24,6 @@ public ClientHttpResponse intercept(@Nonnull HttpRequest request, @Nonnull byte[
     }
 
     static String getRequestDetails(HttpRequest request) {
-        return "%s %s".formatted(request.getMethod(), request.getURI());
+        return "%s %s".formatted(request.getMethod(), SecurityUtils.removePiiFromURI(request.getURI()));
     }
 }
diff --git a/src/main/java/it/gov/pagopa/pu/send/util/SecurityUtils.java b/src/main/java/it/gov/pagopa/pu/send/util/SecurityUtils.java
@@ -1,8 +1,11 @@
 package it.gov.pagopa.pu.send.util;
 
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.jwt.Jwt;
 
+import java.net.URI;
+import java.security.Principal;
 import java.util.Optional;
 
 public class SecurityUtils {
@@ -15,4 +18,21 @@ public static String getAccessToken() {
       .map(a -> ((Jwt) a.getCredentials()).getTokenValue())
       .orElse(null);
   }
+
+  public static String getCurrentUserExternalId(){
+    return getAuthentication()
+      .map(Principal::getName)
+      .orElse(null);
+  }
+
+  private static Optional<Authentication> getAuthentication() {
+    return Optional.ofNullable(SecurityContextHolder.getContext())
+      .flatMap(c -> Optional.ofNullable(c.getAuthentication()));
+  }
+
+  public static String removePiiFromURI(URI uri){
+    return uri != null
+      ? uri.toString().replaceAll("=[^&]*", "=***")
+      : null;
+  }
 }
diff --git a/src/test/java/it/gov/pagopa/pu/send/util/SecurityUtilsTest.java b/src/test/java/it/gov/pagopa/pu/send/util/SecurityUtilsTest.java
@@ -3,11 +3,14 @@
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 
+import java.net.URI;
+
 class SecurityUtilsTest {
 
   @AfterEach
@@ -44,4 +47,28 @@ void givenJwtWhenGetAccessTokenThenReturnToken(){
     Assertions.assertSame(jwt, result);
   }
 //endregion
+
+  @Test
+  void givenJwtWhenGetCurrentUserExternalIdThenReturnPrincipalName(){
+    // Given
+    String principalName = "PRINCIPALNAME";
+    SecurityContextHolder.setContext(new SecurityContextImpl(new JwtAuthenticationToken(Mockito.mock(Jwt.class), null, principalName)));
+
+    // When
+    String result = SecurityUtils.getCurrentUserExternalId();
+
+    // Then
+    Assertions.assertSame(principalName, result);
+  }
+
+  @Test
+  void givenUriWhenRemovePiiFromURIThenOk(){
+    String result = SecurityUtils.removePiiFromURI(URI.create("https://host/path?param1=PII&param2=noPII"));
+    Assertions.assertEquals("https://host/path?param1=***&param2=***", result);
+  }
+
+  @Test
+  void givenNullUriWhenRemovePiiFromURIThenOk(){
+    Assertions.assertNull(SecurityUtils.removePiiFromURI(null));
+  }
 }