[Java] Add support of 'x-obfuscated' property allowing for generated model classes an obfuscation of sensitive data (e.g. password) in toString() output (#2662)

[SergeyLyakhov]

PR checklist

[+] Read the contribution guidelines.
[+] Ran the shell script under ./bin/ to update Petstore sample so that CIs can verify the change. (For instance, only need to run ./bin/{LANG}-petstore.sh and ./bin/security/{LANG}-petstore.sh if updating the {LANG} (e.g. php, ruby, python, etc) code generator or {LANG} client's mustache templates). Windows batch files can be found in .\bin\windows\.
[+] Filed the PR against the correct branch: 3.0.0 branch for changes related to OpenAPI spec 3.0. Default: master.
[+ ] Copied the technical committee to review the pull request if your PR is targeting a particular programming language.
@bbdouglas @JFCote @sreeshas @jfiala @lukoyanov @cbornet

Description of the PR

This change adds support of "x-obfuscated" [true|false] vendor extension property.
E.g.:

  User:
    properties:
      password:
        type: string
        x-obfuscated: true

This will allow to exclude (obfuscate) sensitive data from toString() result for generated model class.

The following changes added:

1. For 13 java-based "language" templates:
   1.1. changed pojo.mustache toString() to allow obfuscation of properties with "x-obfuscated: true" attribute;
   1.2. added templates for model test generation: model_test.mustache pojo_test.mustache modelEnum_test.mustache. Where pojo_test.mustache contains testObfuscation_* junit method;
   1.3. added util/ModelTestUtils.mustache utility class for model tests.
2. added "x-obfuscated: true" for User.password in 4 petstore test models (yaml/json).
3. In swagger-codegen module (java code):
   3.1 enabled model tests (model_test.mustache) generation for java-based languages.
   3.2. added support for static resources for model test generation (util/ModelTestUtils.java).
4. Added missed projects to /bin/java-petstore-all.sh (also separated into client and server scripts).
5. Fixed pom.mustache for few java-based language templates (projects were not built before the fix).
6. Added to /bin/utils/maven/ two helper scripts for executing maven builds for java-petstore-* projects.
7. Updated (generated) java-based samples (also includes changes for earlier commits, missed to be added before).

P.S. There are few sample projects which are not built because of errors in its templates (not related to this change):

Clients:

• jersey2-java6
• okhttp-gson-parcelableModel

Servers:

• java-msf4j
• java-vertx
• jaxrs-spec
• jaxrs-spec-interface

[SergeyLyakhov]

Moved these scripts to java-petstore-client-all.sh (all of them are clients).
Also added there retrofit2-play25 and vertx clients.

[SergeyLyakhov]

Build clients generated by /bin/java-petstore-client-all.sh

[SergeyLyakhov]

Build projects generated by /bin/java-petstore-server-all.sh
Does not include sbt-based java-play-framework* projects.

[SergeyLyakhov]

Moved into a separate method for reusing.

[SergeyLyakhov]

This method generates/copies "static" resources for model build. This is similar to "generateSupportingFiles", but "generateSupportingFiles" and "generateModelTests" are independent "phases".

[SergeyLyakhov]

Build with samples profile (-Psamples) fails on server/java-msf4j, and this is not related to the fix.
Is it necessary to fix all sample projects which are failed?

[wing328]

Thanks for the PR but your commit (as shown in the Commits tab) is not linked to your Github account, which means this PR won't count as your contribution in https://github.com/swagger-api/swagger-codegen/graphs/contributors.

Let me know if you need help fixing it.

Ref: https://github.com/swagger-api/swagger-codegen/wiki/FAQ#how-can-i-update-commits-that-are-not-linked-to-my-github-account

[SergeyLyakhov]

@wing328 Sorry for missing that. Fixed.

[SergeyLyakhov]

@wing328
Should I perform any additional actions for this request?
I'm not able to trigger the rebuild task. But think there are only issues with samples test builds for several languages (listed in my 1st comment), which are not caused by this fix.

[wing328]

Build with samples profile (-Psamples) fails on server/java-msf4j, and this is not related to the fix.

I've fixed that in the latest master.

[wing328]

@SergeyLyakhov can you merge the latest origin/master to see if the CI errors are fixed?

[SergeyLyakhov]

@wing328 Merged latest origin/master into feature/x-obfuscated-java

[wing328]

@SergeyLyakhov thanks. Let's see if all the tests pass.

[SergeyLyakhov]

@wing328 >I've fixed that in the latest master.
It looks like the sample for server java-msf4j was not updated in master (see my last commit).

[SergeyLyakhov]

@wing328 Also other projects with errors (listed in the description section of PR) are still not built.
See the build results for java samples https://ibb.co/hWpFEm

Clients:

1. jersey2-java6: uses jersey-version==2.6 where LoggingFeature.class doesn't exist.
2. okhttp-gson-parcelableModel: bug in template (for type: array).

Servers:

1. java-vertx: requires *Impl model classes.
2. jaxrs-spec:
   2.1. missed jackson dependencies in pom.xml;
   2.2. incorrect sourceDirectory in pom.xml;
   2.3. errors in templates (missed imports).

[carolmorneau]

This is an interesting PR. Is it still being worked on?

[SergeyLyakhov]

@carolmorneau

This is an interesting PR. Is it still being worked on?

This fix is completed, tested and covered by unit tests.
However there are some issues in several java configurations (not related to this fix). Those issues prevent this PR to pass build checks successfully.

[SergeyLyakhov]

@wing328

For #7060, I'll ping you via email to discuss the best way

Thank you!
I may split this PR into 2-4 more simple changes, if needed.

1. Add support for static resources for model test (in my case shared utility test class) - java code.
2. Template changes with x-obfuscated vendor extension - mustache.
   2.1. Model tests of obfuscation in toString() - mustache + java.
3. Samples re-generated with new templates.
4. Exclude changes in bash scripts if needed (suppose this change was useful/correct however).

[wing328]

@SergeyLyakhov I would appreciate if you can do (1) and (2) in a single PR based on the latest master.

I'll do (3) and (4) later after merging the PR.

[smiklosovic]

@SergeyLyakhov please can you continue on this? I would love to see this in action.

[SergeyLyakhov]

@smiklosovic
I'm waiting on another #7910 PR approval. Will upate this pull request as soon as #7910 is approved.

[gumuszee]

Hello, is this feature by any chance still alive? Is there any possibility of a merge, or was it abandoned altogether? Thank you.

[rchalaszczyk]

Any chance for it?

[Thiruj]

is there any work around to hide the sensitive field information ?

[samuelrcitx]

hey, is there any solution to this problem already?

[ashastr]

Team, can we please get this PR merged? This would address a major security concern.