Merge pull request #40 from sophiegreen/master

ledina · web-flow · commit 65df90cb1fbf · 2020-06-25T14:34:23.000+01:00
Store password as char arrays
diff --git a/src/main/java/com/ibm/cics/bundle/deploy/BundleDeployHelper.java b/src/main/java/com/ibm/cics/bundle/deploy/BundleDeployHelper.java
@@ -51,7 +51,7 @@ public class BundleDeployHelper {
 
 	private static final String AUTHORIZATION_HEADER = "Authorization";
 
-	public static void deployBundle(URI endpointURL, File bundle, String bunddef, String csdgroup, String cicsplex, String region, String username, String password, boolean allowSelfSignedCertificate) throws BundleDeployException, IOException {
+	public static void deployBundle(URI endpointURL, File bundle, String bunddef, String csdgroup, String cicsplex, String region, String username, char[] password, boolean allowSelfSignedCertificate) throws BundleDeployException, IOException {
 		MultipartEntityBuilder mpeb = MultipartEntityBuilder.create();
 		mpeb.addPart("bundle", new FileBody(bundle, ContentType.create("application/zip")));
 		mpeb.addPart("bunddef", new StringBody(bunddef, ContentType.TEXT_PLAIN));
@@ -103,9 +103,8 @@ public static void deployBundle(URI endpointURL, File bundle, String bunddef, St
 			}
 		}
 		
-		
-		
-		String credentials = username + ":" + password;
+		String stringPassword = (password == null || password.length == 0) ? null : String.valueOf(password);
+		String credentials = username + ":" + stringPassword;
 		String encoding = Base64.getEncoder().encodeToString(credentials.getBytes());
 		httpPost.setHeader(AUTHORIZATION_HEADER, "Basic " + encoding);
 		
@@ -127,31 +126,35 @@ public static void deployBundle(URI endpointURL, File bundle, String bunddef, St
 		
 		if (responseStatus.getStatusCode() != 200) {
 			BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(response.getEntity().getContent()));
-			String responseContent = bufferedReader.lines().collect(Collectors.joining());
-			if (contentType == null) {
-				throw new BundleDeployException("Http response: " + responseStatus);
-			} else if (contentType.equals("application/xml")) {
-				//liberty level error
-				throw new BundleDeployException(responseContent);
-			} else if (contentType.equals("application/json")) {
-				//error from deploy endpoint
-				ObjectMapper objectMapper = new ObjectMapper();
-				String responseMessage = objectMapper.readTree(responseContent).get("message").asText();
-				String responseErrors = "";
-				
-				if (responseMessage.contains("Some of the supplied parameters were invalid")) {
-					Iterator<Entry<String, JsonNode>> errorFields = objectMapper.readTree(responseContent).get("requestErrors").fields();
-					while (errorFields.hasNext()) {
-						Entry<String, JsonNode> errorField = errorFields.next();
-						responseErrors += errorField.getKey() + ": " + errorField.getValue().asText() + "\n";
+			try {
+				String responseContent = bufferedReader.lines().collect(Collectors.joining());
+				if (contentType == null) {
+					throw new BundleDeployException("Http response: " + responseStatus);
+				} else if (contentType.equals("application/xml")) {
+					//liberty level error
+					throw new BundleDeployException(responseContent);
+				} else if (contentType.equals("application/json")) {
+					//error from deploy endpoint
+					ObjectMapper objectMapper = new ObjectMapper();
+					String responseMessage = objectMapper.readTree(responseContent).get("message").asText();
+					String responseErrors = "";
+					
+					if (responseMessage.contains("Some of the supplied parameters were invalid")) {
+						Iterator<Entry<String, JsonNode>> errorFields = objectMapper.readTree(responseContent).get("requestErrors").fields();
+						while (errorFields.hasNext()) {
+							Entry<String, JsonNode> errorField = errorFields.next();
+							responseErrors += errorField.getKey() + ": " + errorField.getValue().asText() + "\n";
+						}
+					} else if (responseMessage.contains("Bundle deployment failure")) {
+						responseErrors = objectMapper.readTree(responseContent).get("deployments").findValue("message").asText();
 					}
-				} else if (responseMessage.contains("Bundle deployment failure")) {
-					responseErrors = objectMapper.readTree(responseContent).get("deployments").findValue("message").asText();
+					throw new BundleDeployException(responseMessage + ":\n - " + responseErrors);
+				} else {
+					//CICS level error
+					throw new BundleDeployException(responseContent);
 				}
-				throw new BundleDeployException(responseMessage + ":\n - " + responseErrors);
-			} else {
-				//CICS level error
-				throw new BundleDeployException(responseContent);
+			} finally {
+				bufferedReader.close();
 			}
 		}
 	}
diff --git a/src/main/java/com/ibm/cics/bundle/deploy/BundleDeployer.java b/src/main/java/com/ibm/cics/bundle/deploy/BundleDeployer.java
@@ -30,7 +30,7 @@ public static void main(String[] args) {
 		String cicsplex = args[4];
 		String region = args[5];
 		String username = args[6];
-		String password = args[7];
+		char[] password = getPasswordAsChars(args[7]);
 		boolean allowSelfSignedCertificate = Boolean.parseBoolean(args[8]);
 		
 		try {
@@ -45,7 +45,18 @@ public static void main(String[] args) {
 			System.err.println("IO Exception: " + e.getMessage());
 		}
 		
-		
+	}
+	
+	/*
+	 * Current best practice is to avoid putting strings containing passwords onto
+	 *  the heap or interning the strings containing them, hence using char[] where possible
+	 */
+	public static char[] getPasswordAsChars(String password) {
+		if (password != null && !password.isEmpty()) {
+			return password.toCharArray();
+		} else {
+			return new char[0];
+		}
 	}
 	
 }
diff --git a/src/test/java/com/ibm/cics/bundle/deploy/BundleDeployHelperTest.java b/src/test/java/com/ibm/cics/bundle/deploy/BundleDeployHelperTest.java
@@ -55,7 +55,7 @@ public void testBundleDeployHelper_response200() throws Exception {
 
 		File bundleArchive = new File(bundleFilePath);
 
-		BundleDeployHelper.deployBundle(new URI(wireMockRule.baseUrl()), bundleArchive, "bundle", "csdgroup", "cicsplex", "region", "username", "password", true);
+		BundleDeployHelper.deployBundle(new URI(wireMockRule.baseUrl()), bundleArchive, "bundle", "csdgroup", "cicsplex", "region", "username", "password".toCharArray(), true);
 	}
 	
 	@Test
@@ -71,7 +71,7 @@ public void testBundleDeployHelper_selfSignedNotValid() throws Exception {
 		File bundleArchive = new File(bundleFilePath);
 
 		try {
-			BundleDeployHelper.deployBundle(new URI(wireMockRule.baseUrl()), bundleArchive, "bundle", "csdgroup", "cicsplex", "region", "username", "password", false);
+			BundleDeployHelper.deployBundle(new URI(wireMockRule.baseUrl()), bundleArchive, "bundle", "csdgroup", "cicsplex", "region", "username", "password".toCharArray(), false);
 			fail("Expected SSLException because self signed certificates are not allowed");
 		} catch (SSLException e) {
 			// pass
@@ -93,7 +93,7 @@ public void testBundleDeployHelper_invalidFile() throws Exception {
 		expectedException.expect(BundleDeployException.class);
 		expectedException.expectMessage("Bundle does not exist: 'invalid path'");
 		
-		BundleDeployHelper.deployBundle(new URI(wireMockRule.baseUrl()), bundleArchive, "bundle", "csdgroup", "cicsplex", "region", "username", "password", true);
+		BundleDeployHelper.deployBundle(new URI(wireMockRule.baseUrl()), bundleArchive, "bundle", "csdgroup", "cicsplex", "region", "username", "password".toCharArray(), true);
 	}
 	
 	@Test
@@ -111,7 +111,7 @@ public void testBundleDeployHelper_invalidBundle() throws Exception {
 		expectedException.expect(BundleDeployException.class);
 		expectedException.expectMessage("Some of the supplied parameters were invalid:\n - bundle: Derived bundledir \"" + bundleFilePath + "\" didn't match the target BUNDDEF's bundle dir \"" + bundleFilePath + "\"\n");;
 		
-		BundleDeployHelper.deployBundle(new URI(wireMockRule.baseUrl()), bundleArchive, "bundle", "csdgroup", "cicsplex", "region", "username", "password", true);
+		BundleDeployHelper.deployBundle(new URI(wireMockRule.baseUrl()), bundleArchive, "bundle", "csdgroup", "cicsplex", "region", "username", "password".toCharArray(), true);
 	}
 	
 	@Test
@@ -129,7 +129,7 @@ public void testBundleDeployHelper_unauthenticated401() throws Exception {
 		expectedException.expect(BundleDeployException.class);
 		expectedException.expectMessage("Http response: HTTP/1.1 401 Unauthorized");
 
-		BundleDeployHelper.deployBundle(new URI(wireMockRule.baseUrl()), bundleArchive, "bundle", "csdgroup", "cicsplex", "region", "username", "password", true);
+		BundleDeployHelper.deployBundle(new URI(wireMockRule.baseUrl()), bundleArchive, "bundle", "csdgroup", "cicsplex", "region", "username", "password".toCharArray(), true);
 	}
 	
 	@Test
@@ -146,7 +146,7 @@ public void testBundleDeployHelper_unauthenticated401_noContentType() throws Exc
 		expectedException.expect(BundleDeployException.class);
 		expectedException.expectMessage("Http response: HTTP/1.1 401 Unauthorized");
 
-		BundleDeployHelper.deployBundle(new URI(wireMockRule.baseUrl()), bundleArchive, "bundle", "csdgroup", "cicsplex", "region", "username", "password", true);
+		BundleDeployHelper.deployBundle(new URI(wireMockRule.baseUrl()), bundleArchive, "bundle", "csdgroup", "cicsplex", "region", "username", "password".toCharArray(), true);
 	}
 	
 	@Test
@@ -169,7 +169,7 @@ public void noPath() throws Exception {
 			"cicsplex",
 			"region",
 			"username",
-			"password",
+			"password".toCharArray(),
 			true
 		);
 	}
@@ -195,7 +195,7 @@ public void noPathSlash() throws Exception {
 			"cicsplex",
 			"region",
 			"username",
-			"password",
+			"password".toCharArray(),
 			true
 		);
 	}
@@ -221,7 +221,7 @@ public void pathNoSlash() throws Exception {
 			"cicsplex",
 			"region",
 			"username",
-			"password",
+			"password".toCharArray(),
 			true
 		);
 	}
@@ -247,7 +247,7 @@ public void pathEndsWithSlash() throws Exception {
 			"cicsplex",
 			"region",
 			"username",
-			"password",
+			"password".toCharArray(),
 			true
 		);
 	}
