Update Kafka-JUnit dependency, add tests to ensure sensitive fields c… (#63)

* Update Kafka-JUnit dependency, add tests to ensure sensitive fields cannot be logged

* add missing header files

Author: Crim

kafka-webview-ui/pom.xml

@@ -32,6 +32,7 @@
         <java.version>1.8</java.version>
         <bootstrap.version>4.0.0-beta</bootstrap.version>
         <thymeleaf.version>3.0.9.RELEASE</thymeleaf.version>
+        <kafka.version>0.11.0.2</kafka.version>
     </properties>
 
     <dependencies>
@@ -46,7 +47,7 @@
         <dependency>
             <groupId>org.apache.kafka</groupId>
             <artifactId>kafka-clients</artifactId>
-            <version>0.11.0.1</version>
+            <version>${kafka.version}</version>
         </dependency>
 
         <!-- Use ThymeLeaf 3.0.x -->
@@ -133,8 +134,25 @@
         <dependency>
             <groupId>com.salesforce.kafka.test</groupId>
             <artifactId>kafka-junit4</artifactId>
-            <version>1.0.0</version>
+            <version>2.2.0</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.kafka</groupId>
+            <artifactId>kafka_2.11</artifactId>
+            <version>${kafka.version}</version>
             <scope>test</scope>
+            <exclusions>
+                <!-- Don't bring in kafka's logging framework -->
+                <exclusion>
+                    <groupId>org.slf4j</groupId>
+                    <artifactId>slf4j-log4j12</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>javax.mail</groupId>
+                    <artifactId>mail</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
     </dependencies>
 

kafka-webview-ui/src/main/java/org/sourcelab/kafka/webview/ui/configuration/AppProperties.java

@@ -73,7 +73,7 @@ public String toString() {
         return "AppProperties{"
             + "name='" + name + '\''
             + ", uploadPath='" + uploadPath + '\''
-            + ", appKey='" + appKey + '\''
+            + ", appKey='XXXXXX'"
             + ", maxConcurrentWebSocketConsumers=" + maxConcurrentWebSocketConsumers
             + ", consumerIdPrefix='" + consumerIdPrefix + '\''
             + '}';

kafka-webview-ui/src/main/java/org/sourcelab/kafka/webview/ui/controller/configuration/user/forms/UserForm.java

@@ -111,8 +111,8 @@ public String toString() {
             + "id=" + id
             + ", email='" + email + '\''
             + ", displayName='" + displayName + '\''
-            + ", password='" + password + '\''
-            + ", password2='" + password2 + '\''
+            + ", password='XXXXX'"
+            + ", password2='XXXXX'"
             + ", userRole=" + userRole
             + '}';
     }

kafka-webview-ui/src/test/java/org/sourcelab/kafka/webview/ui/configuration/AppPropertiesTest.java

@@ -0,0 +1,52 @@
+/**
+ * MIT License
+ *
+ * Copyright (c) 2017, 2018 SourceLab.org (https://github.com/Crim/kafka-webview/)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.sourcelab.kafka.webview.ui.configuration;
+
+import org.junit.Test;
+import java.lang.reflect.Field;
+
+import static org.junit.Assert.assertFalse;
+
+public class AppPropertiesTest {
+
+    /**
+     * Validate toString never spits out sensitive fields.
+     */
+    @Test
+    public void testToString() throws NoSuchFieldException, IllegalAccessException {
+        final String expectedSecret = "MySuperSecretKey";
+
+        // Create app Properties instance
+        final AppProperties appProperties = new AppProperties();
+
+        // Jump through hoops to set property
+        final Field field = appProperties.getClass().getDeclaredField("appKey");
+        field.setAccessible(true);
+        field.set(appProperties, expectedSecret);
+
+        final String result = appProperties.toString();
+        assertFalse("Should not contain our sensitive field", result.contains(expectedSecret));
+    }
+}

kafka-webview-ui/src/test/java/org/sourcelab/kafka/webview/ui/controller/configuration/user/forms/UserFormTest.java

@@ -0,0 +1,58 @@
+/**
+ * MIT License
+ *
+ * Copyright (c) 2017, 2018 SourceLab.org (https://github.com/Crim/kafka-webview/)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.sourcelab.kafka.webview.ui.controller.configuration.user.forms;
+
+import org.junit.Test;
+import java.lang.reflect.Field;
+
+import static org.junit.Assert.*;
+
+public class UserFormTest {
+
+    /**
+     * Validate toString never spits out sensitive fields
+     */
+    @Test
+    public void testToString() throws IllegalAccessException, NoSuchFieldException {
+        final String expectedSecret1 = "MySuperSecretKey";
+        final String expectedSecret2 = "AnotherSecret";
+
+        // Create app Properties instance
+        final UserForm userForm = new UserForm();
+
+        // Jump through hoops to set properties
+        final Field field1 = userForm.getClass().getDeclaredField("password");
+        field1.setAccessible(true);
+        field1.set(userForm, expectedSecret1);
+
+        final Field field2 = userForm.getClass().getDeclaredField("password2");
+        field2.setAccessible(true);
+        field2.set(userForm, expectedSecret1);
+
+        final String result = userForm.toString();
+        assertFalse("Should not contain our sensitive field", result.contains(expectedSecret1));
+        assertFalse("Should not contain our sensitive field", result.contains(expectedSecret2));
+    }
+}

kafka-webview-ui/src/test/java/org/sourcelab/kafka/webview/ui/model/ClusterTest.java

@@ -0,0 +1,59 @@
+/**
+ * MIT License
+ *
+ * Copyright (c) 2017, 2018 SourceLab.org (https://github.com/Crim/kafka-webview/)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.sourcelab.kafka.webview.ui.model;
+
+import org.junit.Test;
+import java.lang.reflect.Field;
+
+import static org.junit.Assert.assertFalse;
+
+
+public class ClusterTest {
+
+    /**
+     * Validate toString never spits out sensitive fields
+     */
+    @Test
+    public void testToString() throws IllegalAccessException, NoSuchFieldException {
+        final String expectedSecret1 = "MySuperSecretKey";
+        final String expectedSecret2 = "AnotherSecret";
+
+        // Create app Properties instance
+        final Cluster cluster = new Cluster();
+
+        // Jump through hoops to set properties
+        final Field field1 = cluster.getClass().getDeclaredField("trustStorePassword");
+        field1.setAccessible(true);
+        field1.set(cluster, expectedSecret1);
+
+        final Field field2 = cluster.getClass().getDeclaredField("keyStorePassword");
+        field2.setAccessible(true);
+        field2.set(cluster, expectedSecret1);
+
+        final String result = cluster.toString();
+        assertFalse("Should not contain our sensitive field", result.contains(expectedSecret1));
+        assertFalse("Should not contain our sensitive field", result.contains(expectedSecret2));
+    }
+}