Merge pull request #21 from javabeanz/multi-marker-test

Test masking with multi-markers good job !

Author: javabeanz

owasp-security-logging-log4j/src/main/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicy.java

@@ -17,6 +17,7 @@
 import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.core.appender.rewrite.RewritePolicy;
 import org.apache.logging.log4j.core.config.plugins.Plugin;
+import org.apache.logging.log4j.core.config.plugins.PluginFactory;
 import org.apache.logging.log4j.core.impl.Log4jLogEvent;
 import org.apache.logging.log4j.message.Message;
 import org.apache.logging.log4j.message.ParameterizedMessage;
@@ -30,7 +31,12 @@
 @Plugin(name = "MaskingRewritePolicy", category = "Core", elementType = "rewritePolicy", printObject = true)
 public class MaskingRewritePolicy implements RewritePolicy {
 
-	private static final Object MASKED_PASSWORD = "********";
+	public static final Object MASKED_PASSWORD = "********";
+        
+    @PluginFactory
+    public static MaskingRewritePolicy createPolicy() {
+        return new MaskingRewritePolicy();
+    }
 
 	/**
 	 * Rewrite the event.
@@ -40,6 +46,7 @@ public class MaskingRewritePolicy implements RewritePolicy {
 	 *            logging event.
 	 * @return The LogEvent after rewriting.
 	 */
+        @Override
 	public LogEvent rewrite(LogEvent source) {
 		// get the markers for the log event. If no markers, nothing can be
 		// tagged confidential and we can return

owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicyTest.java

@@ -8,10 +8,22 @@
 import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.core.impl.Log4jLogEvent;
 import org.apache.logging.log4j.core.impl.Log4jLogEvent.Builder;
+import org.apache.logging.log4j.junit.InitialLoggerContext;
 import org.apache.logging.log4j.message.Message;
 import org.apache.logging.log4j.message.ParameterizedMessage;
 import org.apache.logging.log4j.message.SimpleMessage;
+import org.apache.logging.log4j.test.appender.ListAppender;
+import org.junit.After;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotSame;
+import static org.junit.Assert.assertTrue;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.FixMethodOrder;
+import org.junit.Test;
+import org.junit.runners.MethodSorters;
 import org.owasp.security.logging.SecurityMarkers;
+import org.slf4j.LoggerFactory;
 
 /**
  * The class <code>MaskingRewritePolicyTest</code> contains tests for the class
@@ -25,79 +37,118 @@
  *
  * @version $Revision$
  */
-public class MaskingRewritePolicyTest extends TestCase {
+public class MaskingRewritePolicyTest { 
 
-	/**
-	 * Construct new test instance
-	 *
-	 * @param name
-	 *            the test name
-	 */
-	public MaskingRewritePolicyTest(String name) {
-		super(name);
-	}
+	private static final String CONFIG = "log4j2.xml";
 
-	public void testRewriteConfidentialNoParams() {
-		MaskingRewritePolicy fixture = new MaskingRewritePolicy();
-		Marker marker = new MarkerManager.Log4jMarker(
-				SecurityMarkers.CONFIDENTIAL.getName());
-		Log4jLogEvent event = createEvent(marker, new SimpleMessage());
-		LogEvent result = fixture.rewrite(event);
-		assertEquals(event, result);
-	}
+	private static final org.slf4j.Logger LOGGER = LoggerFactory
+			.getLogger(MaskingRewritePolicyTest.class);
 
-	public void testRewriteConfidentialWithParams() {
-		MaskingRewritePolicy fixture = new MaskingRewritePolicy();
-		Marker marker = new MarkerManager.Log4jMarker(
-				SecurityMarkers.CONFIDENTIAL.getName());
-		Message message = new ParameterizedMessage("ddd", "gladiator");
-		LogEvent event = createEvent(marker, message);
-		LogEvent result = fixture.rewrite(event);
-		assertNotSame(event, result);
-	}
+        private static final String SSN = "123-45-6789";
 
-	public void testRewriteNotConfidential() {
-		MaskingRewritePolicy fixture = new MaskingRewritePolicy();
-		Marker marker = new MarkerManager.Log4jMarker(
-				SecurityMarkers.EVENT_FAILURE_MARKER_NAME);
-		Message message = new ParameterizedMessage("ddd", "gladiator");
-		LogEvent event = createEvent(marker, message);
-		LogEvent result = fixture.rewrite(event);
-		assertEquals(event, result);
-	}
+	@ClassRule
+	public static InitialLoggerContext context = new InitialLoggerContext(CONFIG);
 
-	public void testRewriteConfidentialWithZeroParams() {
-		MaskingRewritePolicy fixture = new MaskingRewritePolicy();
-		Marker marker = new MarkerManager.Log4jMarker(
-				SecurityMarkers.CONFIDENTIAL.getName());
-		Message message = new ParameterizedMessage("ddd", null);
-		LogEvent event = createEvent(marker, message);
-		LogEvent result = fixture.rewrite(event);
-		assertEquals(event, result);
-	}
+	ListAppender appender;
 
-	public void testRewriteConfidentialNoMessage() {
-		MaskingRewritePolicy fixture = new MaskingRewritePolicy();
-		Marker marker = new MarkerManager.Log4jMarker(
-				SecurityMarkers.CONFIDENTIAL.getName());
-		Log4jLogEvent event = createEvent(marker, null);
-		LogEvent result = fixture.rewrite(event);
-		assertEquals(event, result);
+	@Before
+	public void setUp() {
+            System.out.println("CONTEXT: " + context);
+            appender = context.getListAppender("List");
 	}
 
-	public void testRewriteNoMarker() {
-		MaskingRewritePolicy fixture = new MaskingRewritePolicy();
-		Message message = new ParameterizedMessage("ddd", "gladiator");
-		Log4jLogEvent event = createEvent(null, message);
-		LogEvent result = fixture.rewrite(event);
-		assertEquals(event, result);
-	}
+        @After
+        public void tearDown() {
+            appender.clear();
+        }
+        
+        @Test
+        public void testRewriteMultiMarker() {
+            System.out.println("running testRewriteMultiMarker()");
+            org.slf4j.Marker multiMarker = SecurityMarkers.getMarker(SecurityMarkers.CONFIDENTIAL, SecurityMarkers.SECURITY_FAILURE);
+            
+            // test a logging event with the multi-marker
+            LOGGER.info(multiMarker, "ssn={}", SSN);
+            LogEvent failEvent = appender.getEvents().get(0);
+            Message message = failEvent.getMessage();
+            
+            System.out.println("Formatted message: " + message.getFormattedMessage());
+            assertTrue(message.getFormattedMessage().contains("ssn=" + MaskingRewritePolicy.MASKED_PASSWORD));
+        }
+ 
+        /**
+         * This test case has the CONFIDENTIAL marker so the results should be masked
+         */
+        @Test
+        public void testRewriteConfidentialWithParams() {
+            System.out.println("running testRewriteConfidentialWithParams()");
+
+            // test a logging event with the CONFIDENTIAL marker
+            LOGGER.info(SecurityMarkers.CONFIDENTIAL, "ssn={}", SSN);
+            LogEvent failEvent = appender.getEvents().get(0);
+            Message message = failEvent.getMessage();
+            
+            System.out.println("Formatted message: " + message.getFormattedMessage());
+            assertTrue(message.getFormattedMessage().contains("ssn=" + MaskingRewritePolicy.MASKED_PASSWORD));
+        }
+        
+        /**
+         * This test case has the CONFIDENTIAL marker, but it is not parameterized 
+         * so masking cannot take place.
+         */
+        @Test
+        public void testRewriteConfidentialNoParams() {
+            System.out.println("running testRewriteConfidentialNoParams()");
+
+            // test a logging event with the CONFIDENTIAL marker
+            LOGGER.info(SecurityMarkers.CONFIDENTIAL, "ssn=" + SSN);
+            LogEvent failEvent = appender.getEvents().get(0);
+            Message message = failEvent.getMessage();
+            
+            System.out.println("Formatted message: " + message.getFormattedMessage());
+            assertTrue(message.getFormattedMessage().contains("ssn=" + SSN));
+        }
+ 
+        /**
+         * This test case is parameterized, but does not have the CONFIDENTIAL 
+         * marker, so it should not be masked
+         */
+        @Test
+        public void testRewriteNotConfidential() {
+            System.out.println("running testRewriteSingleMarker()");
+
+            // test a logging event with the CONFIDENTIAL marker
+            LOGGER.info(SecurityMarkers.SECURITY_SUCCESS, "ssn={}", SSN);
+            LogEvent failEvent = appender.getEvents().get(0);
+            Message message = failEvent.getMessage();
+            
+            System.out.println("Formatted message: " + message.getFormattedMessage());
+            assertTrue(message.getFormattedMessage().contains("ssn=" + SSN));
+        }
+ 
+        @Test
+        public void testRewriteNoMarker() {
+            System.out.println("running testRewriteNoMarker()");
+
+            // test a logging event with no marker
+            LOGGER.info("ssn={}", SSN);
+            LogEvent failEvent = appender.getEvents().get(0);
+            Message message = failEvent.getMessage();
+            
+            System.out.println("Formatted message: " + message.getFormattedMessage());
+            assertTrue(message.getFormattedMessage().contains("ssn=" + SSN));
+        }
+ 
+	@Test
+        public void testRewriteConfidentialNoMessage() {
+            System.out.println("running testRewriteConfidentialNoMessage()");
 
-	private Log4jLogEvent createEvent(Marker marker, Message message) {
-		Log4jLogEvent.Builder builder = new Builder();
-		builder.setMarker(marker).setLevel(Level.DEBUG).setLoggerName("jjj")
-				.setLoggerFqcn("ggg").setMessage(message);
-		Log4jLogEvent event = builder.build();
-		return event;
+            // test a logging event with null marker
+            LOGGER.info(null);
+            LogEvent failEvent = appender.getEvents().get(0);
+            Message message = failEvent.getMessage();
+            
+            System.out.println("Formatted message: " + message.getFormattedMessage());
+            assertTrue(message.getFormattedMessage() == null);
 	}
 }

owasp-security-logging-log4j/src/test/resources/log4j2.xml

@@ -11,12 +11,16 @@
       </Filters>
     </Console>
     <List name="List"></List>
-  </Appenders>
-  <Loggers>
-    <Root level="debug">
+    <Rewrite name="MaskingRewritePolicy">
+      <MaskingRewritePolicy />
       <AppenderRef ref="Console"/>
       <AppenderRef ref="SecureConsole"/>
       <AppenderRef ref="List"/>
+    </Rewrite>
+  </Appenders>
+  <Loggers>
+    <Root level="debug">
+      <AppenderRef ref="MaskingRewritePolicy"/>
     </Root>
   </Loggers>
 </Configuration>

owasp-security-logging-logback/src/test/java/org/owasp/security/logging/mask/MaskingConverterTest.java

@@ -41,6 +41,7 @@
 import org.mockito.runners.MockitoJUnitRunner;
 import org.owasp.security.logging.SecurityMarkers;
 import org.slf4j.LoggerFactory;
+import org.slf4j.Marker;
 
 /**
  *
@@ -109,4 +110,28 @@ public void test() {
 		assertFalse(layoutMessage.contains("secret"));
 	}
 
+    /**
+     * Test that masking works for combinations of markers and not just
+     * SecurityMarkers.CONFIDENTIAL
+     *
+     * @see https://github.com/javabeanz/owasp-security-logging/issues/19
+     */
+    @Test
+    public void markerTest() {
+        Marker multiMarker = SecurityMarkers.getMarker(SecurityMarkers.CONFIDENTIAL, SecurityMarkers.SECURITY_FAILURE);
+
+        String ssn = "123-45-6789";
+        LOGGER.info(multiMarker, "ssn={}", ssn);
+
+        // Now verify our logging interactions
+        verify(mockAppender).doAppend(captorLoggingEvent.capture());
+
+        // Get the logging event from the captor
+        final LoggingEvent loggingEvent = captorLoggingEvent.getValue();
+
+        // Check the message being logged is correct
+        String layoutMessage = encoder.getLayout().doLayout(loggingEvent);
+        assertTrue(layoutMessage.contains("ssn=" + MaskingConverter.MASKED_PASSWORD));
+    }
+        
 }