Merge pull request #41 from securenative/dev

Support pii data remove from config

Author: inbaltako

pom.xml

@@ -6,7 +6,7 @@
     <groupId>com.securenative.java</groupId>
     <artifactId>securenative-java</artifactId>
     <packaging>jar</packaging>
-    <version>0.5.6</version>
+    <version>0.5.7</version>
     <url>https://github.com/securenative/securenative-java</url>
 
     <name>${project.groupId}:${project.artifactId}:${project.version}</name>

src/main/java/com/securenative/config/ConfigurationManager.java

@@ -105,7 +105,9 @@ private static SecureNativeOptions getOptions(Properties properties) {
                 .withDisable(Utils.parseBooleanOrDefault(getPropertyOrEnvOrDefault(properties, "SECURENATIVE_DISABLE", defaultOptions.getDisabled()), defaultOptions.getDisabled()))
                 .withLogLevel(getPropertyOrEnvOrDefault(properties, "SECURENATIVE_LOG_LEVEL", defaultOptions.getLogLevel()))
                 .withFailoverStrategy(FailoverStrategy.fromString(Objects.requireNonNull(getPropertyOrEnvOrDefault(properties, "SECURENATIVE_FAILOVER_STRATEGY", defaultOptions.getFailoverStrategy())), defaultOptions.getFailoverStrategy()))
-                .withProxyHeaders(getPropertyListOrEnvOrDefault(properties, "SECURENATIVE_PROXY_HEADERS", defaultOptions.getProxyHeaders()));
+                .withProxyHeaders(getPropertyListOrEnvOrDefault(properties, "SECURENATIVE_PROXY_HEADERS", defaultOptions.getProxyHeaders()))
+                .withPiiHeaders(getPropertyListOrEnvOrDefault(properties, "SECURENATIVE_PII_HEADERS", defaultOptions.getPiiHeaders()))
+                .withPiiRegexPattern(getPropertyOrEnvOrDefault(properties, "SECURENATIVE_PII_REGEX_PATTERN", defaultOptions.getPiiRegexPattern()));
         return builder.build();
     }
 }

src/main/java/com/securenative/config/SecureNativeConfigurationBuilder.java

@@ -55,6 +55,16 @@ public class SecureNativeConfigurationBuilder {
      */
     private ArrayList<String> proxyHeaders;
 
+    /**
+     * Pii Headers
+     */
+    private ArrayList<String> piiHeaders;
+
+    /**
+     * Pii Regex Pattern
+     */
+    private String piiRegexPattern;
+
     private SecureNativeConfigurationBuilder() {
     }
 
@@ -69,7 +79,9 @@ public static SecureNativeConfigurationBuilder defaultConfigBuilder() {
                 .withDisable(false)
                 .withLogLevel("fatal")
                 .withFailoverStrategy(FailoverStrategy.FAIL_OPEN)
-                .withProxyHeaders(new ArrayList<>());
+                .withProxyHeaders(new ArrayList<>())
+                .withPiiHeaders(new ArrayList<>())
+                .withPiiRegexPattern(null);
     }
 
     public SecureNativeConfigurationBuilder withApiKey(String apiKey) {
@@ -122,7 +134,17 @@ public SecureNativeConfigurationBuilder withProxyHeaders(ArrayList<String> proxy
         return this;
     }
 
+    public SecureNativeConfigurationBuilder withPiiHeaders(ArrayList<String> piiHeaders) {
+        this.piiHeaders = piiHeaders;
+        return this;
+    }
+
+    public SecureNativeConfigurationBuilder withPiiRegexPattern(String piiRegexPattern) {
+        this.piiRegexPattern = piiRegexPattern;
+        return this;
+    }
+
     public SecureNativeOptions build() {
-        return new SecureNativeOptions(apiKey, apiUrl, interval, maxEvents, timeout, autoSend, disable, logLevel, failoverStrategy, proxyHeaders);
+        return new SecureNativeOptions(apiKey, apiUrl, interval, maxEvents, timeout, autoSend, disable, logLevel, failoverStrategy, proxyHeaders, piiHeaders, piiRegexPattern);
     }
 }

src/main/java/com/securenative/config/SecureNativeOptions.java

@@ -55,7 +55,17 @@ public class SecureNativeOptions {
      */
     private final ArrayList<String> proxyHeaders;
 
-    public SecureNativeOptions(String apiKey, String apiUrl, int interval, int maxEvents, int timeout, boolean autoSend, boolean disable, String logLevel, FailoverStrategy failoverStrategy, ArrayList<String> proxyHeaders) {
+    /**
+     * Pii Headers
+     */
+    private final ArrayList<String> piiHeaders;
+
+    /**
+     * Pii Regex Pattern
+     */
+    private final String piiRegexPattern;
+
+    public SecureNativeOptions(String apiKey, String apiUrl, int interval, int maxEvents, int timeout, boolean autoSend, boolean disable, String logLevel, FailoverStrategy failoverStrategy, ArrayList<String> proxyHeaders, ArrayList<String> piiHeaders, String piiRegexPattern) {
         this.apiKey = apiKey;
         this.apiUrl = apiUrl;
         this.interval = interval;
@@ -66,6 +76,8 @@ public SecureNativeOptions(String apiKey, String apiUrl, int interval, int maxEv
         this.logLevel = logLevel;
         this.failoverStrategy = failoverStrategy;
         this.proxyHeaders = proxyHeaders;
+        this.piiHeaders = piiHeaders;
+        this.piiRegexPattern = piiRegexPattern;
     }
 
     public String getApiKey() {
@@ -107,4 +119,12 @@ public FailoverStrategy getFailoverStrategy() {
     public ArrayList<String> getProxyHeaders() {
         return proxyHeaders;
     }
+
+    public ArrayList<String> getPiiHeaders() {
+        return piiHeaders;
+    }
+
+    public String getPiiRegexPattern() {
+        return piiRegexPattern;
+    }
 }

src/main/java/com/securenative/context/SecureNativeContextBuilder.java

@@ -54,7 +54,7 @@ public static SecureNativeContextBuilder defaultContextBuilder() {
     }
 
     public static SecureNativeContextBuilder fromHttpServletRequest(HttpServletRequest request, SecureNativeOptions options) {
-        Map<String, String> headers = RequestUtils.getHeadersFromRequest(request);
+        Map<String, String> headers = RequestUtils.getHeadersFromRequest(request, options);
 
         String clientToken = RequestUtils.getCookieValueFromRequest(request, RequestUtils.SECURENATIVE_COOKIE);
         if (Utils.isNullOrEmpty(clientToken)) {

src/main/java/com/securenative/utils/RequestUtils.java

@@ -5,19 +5,45 @@
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import java.util.*;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 public class RequestUtils {
     public final static String SECURENATIVE_COOKIE = "_sn";
     public final static String SECURENATIVE_HEADER = "x-securenative";
     private final static List<String> ipHeaders = Arrays.asList("x-forwarded-for", "x-client-ip", "x-real-ip", "x-forwarded", "x-cluster-client-ip", "forwarded-for", "forwarded", "via");
+    private final static List<String> piiHeaders = Arrays.asList("authorization", "access_token", "apikey", "password", "passwd", "secret", "api_key");
 
-    public static Map<String, String> getHeadersFromRequest(HttpServletRequest request) {
+    public static Map<String, String> getHeadersFromRequest(HttpServletRequest request, SecureNativeOptions options) {
         Map<String, String> headersMap = new HashMap<>();
-        for (Enumeration<String> headerNames = request.getHeaderNames(); headerNames.hasMoreElements(); ) {
-            String headerName = headerNames.nextElement();
-            String headerValue = request.getHeader(headerName);
-            headersMap.put(headerName, headerValue);
+        if (options != null && options.getPiiHeaders().size() > 0) {
+            for (Enumeration<String> headerNames = request.getHeaderNames(); headerNames.hasMoreElements(); ) {
+                String headerName = headerNames.nextElement();
+                if (!options.getPiiHeaders().contains(headerName.toLowerCase()) && !options.getPiiHeaders().contains(headerName.toUpperCase())) {
+                    String headerValue = request.getHeader(headerName);
+                    headersMap.put(headerName, headerValue);
+                }
+            }
+        } else if (options != null && options.getPiiRegexPattern() != null) {
+            for (Enumeration<String> headerNames = request.getHeaderNames(); headerNames.hasMoreElements(); ) {
+                String headerName = headerNames.nextElement();
+                Pattern pattern = Pattern.compile(options.getPiiRegexPattern(), Pattern.CASE_INSENSITIVE);
+                Matcher matcher = pattern.matcher(headerName);
+                if (!matcher.find()) {
+                    String headerValue = request.getHeader(headerName);
+                    headersMap.put(headerName, headerValue);
+                }
+            }
+        } else {
+            for (Enumeration<String> headerNames = request.getHeaderNames(); headerNames.hasMoreElements(); ) {
+                String headerName = headerNames.nextElement();
+                if (!piiHeaders.contains(headerName.toLowerCase()) && !piiHeaders.contains(headerName.toUpperCase())) {
+                    String headerValue = request.getHeader(headerName);
+                    headersMap.put(headerName, headerValue);
+                }
+            }
         }
+
         return headersMap;
     }
 
@@ -38,7 +64,7 @@ public static String getCookieValueFromRequest(HttpServletRequest request, Strin
     }
 
     public static String getClientIpFromRequest(HttpServletRequest request, Map<String, String> headers, SecureNativeOptions options) {
-        if (options.getProxyHeaders().size() > 0) {
+        if (options != null && options.getProxyHeaders().size() > 0) {
             for (String header : options.getProxyHeaders()) {
                 if (headers.containsKey(header)) {
                     String headerValue = headers.get(header);

src/test/java/com/securenative/config/ConfigurationManagerTest.java

@@ -42,7 +42,9 @@ public void ParseConfigFileCorrectlyTest() throws SecureNativeConfigException {
                 "SECURENATIVE_DISABLE=false",
                 "SECURENATIVE_LOG_LEVEL=fatal",
                 "SECURENATIVE_FAILOVER_STRATEGY=fail-closed",
-                "SECURENATIVE_PROXY_HEADERS=CF-Connecting-IP,Some-Random-Ip");
+                "SECURENATIVE_PROXY_HEADERS=CF-Connecting-IP,Some-Random-Ip",
+                "SECURENATIVE_PII_HEADERS=authentication,apiKey",
+                "SECURENATIVE_PII_REGEX_PATTERN=/http_auth_/i");
 
         InputStream inputStream = new ByteArrayInputStream(config.getBytes());
 
@@ -63,6 +65,8 @@ public void ParseConfigFileCorrectlyTest() throws SecureNativeConfigException {
         assertThat(options.getMaxEvents()).isEqualTo(100);
         assertThat(options.getTimeout()).isEqualTo(1500);
         assertThat(options.getProxyHeaders().size() == 0);
+        assertThat(options.getPiiHeaders().size() == 0);
+        assertThat(options.getPiiRegexPattern()).isEqualTo("/http_auth_/i");
 
         // restore resource stream
         ConfigurationManager.setResourceStream(new ResourceStreamImpl());
@@ -163,6 +167,8 @@ public void loadDefaultConfigTest() throws SecureNativeConfigException {
         assertThat(options.getLogLevel()).isEqualTo("fatal");
         assertThat(options.getFailoverStrategy()).isEqualTo(FailoverStrategy.FAIL_OPEN);
         assertThat(options.getProxyHeaders().size() == 0);
+        assertThat(options.getPiiHeaders().size() == 0);
+        assertThat(options.getPiiRegexPattern()).isEqualTo(null);
 
         ConfigurationManager.setResourceStream(new ResourceStreamImpl());
     }