feature_622392.txt

来自「Software Testing Automation Framework (S」· 文本 代码 · 共 1,537 行 · 第 1/5 页

Feature ID  : 622392 
Title       : Ability to mask passwords/sensitive data 


Description 
----------- 

This feature will provide the ability to mask passwords and other sensitive
data that is provided in the value for some options in STAF service requests.
Thus, when the data is logged or displayed, sensitive data will be masked to
keep it private for security reasons. 


Problem(s) Solved 
----------------- 

Currently, if you have at least trust level 2, you can submit a request to
list all STAF requests currently in progress on a machine (e.g. STAF machA 
SERVICE LIST REQUESTS).  If any of the requests contain sensitive information
like passwords, this information is displayed as well.  For example: 

C:\>staf server1 service list requests 
Response 
-------- 
Req#    Start Date-Time   Service Request 
------- ----------------- ------- --------------------------------------------- 
4320649 20050824-14:17:13 wiou    INSTALL TARGET ceres.rchland.ibm.com VERSION 
                                  6.0.2 PRODUCT was-nd-core-ptf USERNAME root P 
                                  ASSWORD mysecret BUILDLEVEL gm TEMPDIR /worka 
                                  rea/WAS60-ptf/ INSTALLROOT /opt/WASND_602/ 
4323776 20050824-14:43:42 awacs   STARTDM HOST :27:mhpae01.rtp.raleigh.ibm.com 
                                  PORT :4:8879 INSTALLROOT :27:/opt/cc/WebSpher 
                                  e/AppServer PROFILE :7:cc_DMGR USERNAME :7:ws 
                                  admin PASSWORD :8:mysecret 
4320649 20050824-14:57:25 handle  AUTHENTICATE USER JohnDoe@us.ibm.com PASSWORD 
                                   mypassword 
4323776 20050824-14:58:12 process START COMMAND :34:C:/tests/testA.exe /PASSWOR 
                                  D testpw" USERID user1 PASSWORD myPassword 

Also, if you enable tracing for ServiceRequest and/or ServiceResult tracepoints
(trust level 5 is required), if any of the requests contain sensitive information
like passwords, this information is displayed as well.  For example: 

20050824-14:49:51;1808;00000001;PROCESS Service Request - Client: local://local, 
 Handle: 375, Process: STAF/Client, Request: start command notepad parms :16:-pa 
ssword secret USERNAME User1 PASSWORD secret2 wait 
20050824-14:49:54;1808;00000002;PROCESS Service Result (0) - Client: local://loc 
al, Handle: 375, Process: STAF/Client, Request: start command notepad parms :16: 
-password secret USERNAME User1 PASSWORD secret2 wait, Result: { 
  Return Code: 0 
  Key        : <None> 
  Files      : [] 
}

Many services also provide the ability to list or query information and, in some
cases, log information.  We need a way to prevent sensitive data for being
displayed or logged.  For example, the Automation Control Center (ACC) web
application allows you to submit STAX jobs for execution from a website.  It
also allows you to query not only the status of your job but also other STAX
jobs.  Job status information includes STAX job logs and information about
processes and STAF commands that are currently running in a STAX job.
Currently, the "Start" log record for a STAX job that is logged in the STAX Job
log displays the arguments passes to the main function.  The arguments could
contain sensitive data like passwords.  In addition, when displaying process
information, the command being executed by each process is displayed.  The
process command could contain sensitive data as well (e.g. PROCESS START COMMAND
"net use x: /user1 myPassword").  Also, many other STAF service requests
(e.g. HANDLE AUTHENTICATE USER JohnDoe@company.com PASSWORD secret) could
contain sensitive data. 

This feature provides the ability to deal with private data.  This feature
updates STAF and it's services to handle private data by: 
- Adding privacy delimiters to indicate that certain data is private. 
- Removing privacy delimiters to get to the actual private data 
- Masking private data so that if it is logged/displayed, etc., the actual
  private data is not provided. 


Related Features 
---------------- 

This feature is related to Feature #1279520 "Add ability to specify properties
for function args" (also being provided in STAF V3.1.0).  This feature adds a
private property to a STAX function argument to indicate whether an argument 
contains private data. This allows applications like the ACC that execute STAX
jobs to check if an argument is private and do special things to indicate that
like automaticallly adding privacy delimiters and masking it as the argument
value is specified.  In addition to specifying a "private" property, this 
feature will allow you to specify other arbitrary properties such as the
"type" of an argument (e.g. int, string, enum). 

This feature is also related to Feature #1292268 "Provide Java methods to
compare STAF versions" (also being provided in STAF V3.1.0).  This feature
provides a new STAFVersion class and a new STAFUtil.compareSTAFVersion() method.
Since the privacy methods are being added to STAF V3.1.0, a STAF service or
application that calls these privacy methods should first verify that the STAF
version is 3.1 or later.  To do this, they can use the new
STAFUtil.compareSTAFVersion() method.  However, since the compareSTAFVersion()
method was also added in STAF V3.1.0, need to call the
STAFUtil.compareSTAFVersion() method within a try/catch error block in case
the method doesn't exist.  An example of calling this method is provided later. 


External Design 
--------------- 

To solve this problem, we are going to add support for privacy delimiters 
which STAF users will be able to use to protect private data like passwords
when providing this data in a STAF service request.  Service writers will be
able to specify which options on service requests will handle private data
and what data in the result buffer for a LIST/QUERY, etc. request will be
masked to protect private data. 

To indicate data is private or sensitive, specify delimiter !!@ at the
beginning of the private data and specify delimiter @!! at the end of the
private data.  For example: 

  !!@myPassword@!! 

If the private data contains the actual opening or ending privacy delimiter
string, a caret (^) can be used to used to escape the characters so that
they are not seen as privacy delimiters.  For example, if you wanted to add
privacy delimiters to string "myP@ss@!!d", you would first have to escape
the @!! characters contained in the private data.  For example: 

  myP@ss^@!!d 

Note that an escapePrivacyDelimiters method is provided that handles this
for you.  See below for more information. 

Then you can add privacy delimiters.  For example: 

  !!@myP@ss^^@!!@!! 

Also, you can nest private data.  For example, the following string
contains three levels of nested private data: 

  "!!@Msg: ^!!@Top secret info: password=^^!!@secret^^@!!.^@!!@!!" 
1)                                            ------ 
2)             ------------------------------------------- 
3)    -------------------------------------------------------- 

Note that a caret (^) is added to escape any !!@ and @!! characters that
are nested within another set of privacy delimiters. 

Note that an addPrivacyDelimiters method is provided that handles all of
this for you.  See below for more information. 

Common Privacy Utility Methods 

Some common utility methods will be provided that can be used by services
writers and testcase writers and others to add privacy delimiters, remove
privacy delimiters, to mask private data  identified by the privacy
delimiters, and to escape privacy delimiters.  These utility methods will
be provided for all of the languages that STAF supports (e.g. Java, C++,
Python, Perl,Tcl, and REXX).  The utility methods are: 

1) addPrivacyDelimiters:  Accepts a string argument that contains private 
data and returns a string with the privacy delimiters added to the
beginning and end of the string. 

Here's a description of the what this method does: 
1) Checks if data is null or has length of 0, and if so, returns data
   passed in since there's no data protect. 
2) Checks if data already has privacy delimiters at beginning and end,
   and if so, returns data passed in (e.g. won't add additional privacy
   delimiters). 
3) Escapes all occurrences of the opening and closing privacy delimiters
   with a caret (^).  That is, replace all occurrences of !!@ with ^!!@
   and replace all occurrences of @!! with ^@!!. 
4) Adds an opening privacy delimiter (!!@) to the beginning of the data. 
5) Adds a closing privacy delimiter (@!!) to the end of the data. 
6) Returns the updated data. 

Examples: 
- If you pass string "passw0rd" to the addPrivacyDelimiters method, it
  would return "!!@passw0rd@!!". 
- If you pass string "!!@passw0rd@!!" to the addPrivacyDelimiters method,
  it would return "!!@passw0rd@!!". 
- If you pass string "passw^@!!d" to the addPrivacyDelimiters method, it
  would return "!!@passw^^@!!d@!!". 
- If you pass string "Password=!!@secret@!!." to the addPrivacyDelimiters
  method, it would return "!!@Password=^!!@secret^@!!.@!!". 
- If you pass string "Msg: !!@Password=^!!@secret^@!!.@!!" to the 
  addPrivacyDelimiters method, it would return:
  "!!@Msg: ^!!@Password=^^!!@secret^^@!!.^@!!@!!". 

Java Example: 

  String password = STAFUtil.addPrivacyDelimiters("passw0rd"); 

C++ Example: 

  STAFString password = STAFHandle::addPrivacyDelimiters("passw0rd"); 

2)  removePrivacyDelimiters:  Accepts a string argument that contains may
contain private data indicated using the privacy delimiters and, optionally,
an integer that specified the number of levels of privacy delimiters to
remove (where 0, the default value, indicates to remove all levels of
privacy delimiters).  It returns a string with privacy delimiters removed.
Note that generally you'll want to remove all levels of privacy delimiters. 

Here's a description of the what this method does: 
1) Checks if data is null or has length of 0 or doesn't contain any privacy
   delimiters, and if so, returns data passed in since there's no privacy 
   delimiters to remove. 
2) Loops to remove privacy delimiters for the specified number of levels
   (where 0, the default, indicates to remove all levels).  Within this loop: 
     a) Checks if any more unescaped opening privacy delimiters.   If no
        more unescaped opening privacy delimiters, exits the loop since no
        more levels of private data. 
     b) Checks if any more unescaped closing privacy delimiters after the
        position of the opening unescaped privacy delimiter. 
     c) Loops to handle all opening and closing privacy delimiters at this
        level.  Within this loop: 
          i) Checks if there are any escaped privacy delimiters between this
             opening privacy delimiter and the closing privacy delimiter.
             If so, removes the escape character (^) from them. 
          ii) Removes this set of unescaped opening and closing privacy 
              delimiters. 
          iii) Checks if there is another set of unescaped opening and
               closing privacy delimiters, after this closing delimiter.
               If not breaks out of this loop. 
3) If all levels of privacy delimiters have been removed:
   a) Replaces any remaining escaped closing privacy delimiters with
      unescaped closing privacy delimiters. 
   b) Replaces any remaining escaped opening privacy delimiters with 
      unescaped opening privacy delimiters. 
4) Returns the updated data. 

Examples: 
- If you pass string "!!@passw0rd@!!" to the removePrivacyDelimiters method,
  it would return "passw0rd". 
- If you pass string "!!@passw^^@!!d@!!"  to the addPrivacyDelimiters 
  method, it would return "passw^@!!d" 
- If you pass string "testA.exe -password !!@secret@!!"  to the 
  removePrivacyDelimiters method, it would return "testA.exe -password secret". 
- If you pass string  "!!@Password=^!!@secret^@!!.@!!"." to the
  addPrivacyDelimiters method and specify to remove all levels of privacy data,
  it would return "Password=secret. 
- If you pass string  "!!@Password=^!!@secret^@!!.@!!"." to the
  addPrivacyDelimiters method and specify to remove 1 level of privacy data,
  it would return "Password=!!@secret@!!. 
- If you pass string "!!@Msg: ^!!@Password=^^!!@secret^^@!!.^@!!@!!" to the
  addPrivacyDelimiters method and specify to remove all levels, it would
  return "Msg: Password=secret.". 
- If you pass string "!!@Msg: ^!!@Password=^^!!@secret^^@!!.^@!!@!!" to the
  addPrivacyDelimiters method and specify to remove 1 level of privacy data,
  it would return "Msg: !!@Password=^!!@secret^@!!.@!!". 

Java Example: 

  // Remove all levels of privacy delimiters 
  String command2 = STAFUtil.removePrivacyDelimiters(command); 

  // Remove one level of privacy delimiters 
  String password2 = STAFUtil.removePrivacyDelimiters(password, 1); 

C++ Example: 

  // Remove all levels of privacy delimiters 
  STAFString command2 = STAFHandle::removePrivacyDelimiters(command); 

  // Remove one level of privacy delimiters   
  STAFString password2 = STAFHandle::removePrivacyDelimiters(password, 1); 

3)  maskPrivateData:  Accepts a string argument that contains a value that
may contain private data indicated using the privacy delimiters and returns
a string with the private data masked by replacing the privacy delimiters
and private data contained within the privacy delimiters with asterisks
("*") on a character for character basis (so that the length of the data is
not changed to ensure that marshalled data and colonLenthcolon data is not
corrupted). 

Here's a description of the what this method does: 
1) Checks if data is null or has length of 0 or doesn't contain any
   privacy delimiters, and if so, returns data passed in since there's no
   privacy delimiters to remove. 
2) Loops to find all unescaped opening privacy delimiters with matching
   unescaped closing privacy delimiters and replace all data between
   these privacy delimiters with asterisks.  Within this loop: 
     a) Finds position of next unescaped opening privacy delimiter.
        If no more, exits loop. 
     b) Finds position of next unescaped closing privacy delimiter after
        this unescaped opening delimiter.  If no more, exits loop. 
     c) Replaces these open and closing privacy delimiters and all data 
        in between with the same number of asterisks ("*"). 
3) Returns the updated data. 

For example, if you pass string "testA.exe -password !!@secret@!!" to the 
maskPrivate Data method, it will return "testA.exe -password ************". 

Java Example: 

  resultMap['command'] = STAFUtil.maskPrivateData(command); 

C++ Example: 

  processMap->put("command", STAFHandle::maskPrivateData(command)); 

4)  escapePrivacyDelimiters:  Accepts a string argument that contains may
contain the privacy delimiters and returns a string with all privacy
delimiters escaped with a caret (^).  This method is useful if data
contains substring "!!@" and/or "@!!" but not intended as privacy 
delimiters so you can escape them before adding privacy delimiters. 

Here's a description of the what this method does: 
1) Checks if data is null or has length of 0, and if so, returns data