fixing s3 credentials leak

Author: jerome079

services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java

@@ -286,7 +286,17 @@ public static String retrieveNfsVersionFromParams(Map<String, Object> params) {
 
     @Override
     public Answer executeRequest(Command cmd) {
-        logger.debug(LogUtils.logGsonWithoutException("Executing command %s [%s].", cmd.getClass().getSimpleName(), cmd));
+        if (cmd instanceof DownloadCommand) {
+            DownloadCommand safeCmd = new DownloadCommand((DownloadCommand) cmd);
+            DataStoreTO store = safeCmd.getDataStore();
+            if (store instanceof S3TO) {
+                ((S3TO) store).setAccessKey("***REDACTED***");
+                ((S3TO) store).setSecretKey("***REDACTED***");
+            }
+            logger.debug(LogUtils.logGsonWithoutException("Executing command %s [%s].", safeCmd.getClass().getSimpleName(), safeCmd));
+        } else {
+            logger.debug(LogUtils.logGsonWithoutException("Executing command %s [%s].", cmd.getClass().getSimpleName(), cmd));
+        }        
         if (cmd instanceof DownloadProgressCommand) {
             return _dlMgr.handleDownloadCommand(this, (DownloadProgressCommand)cmd);
         } else if (cmd instanceof DownloadCommand) {

services/secondary-storage/server/src/test/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResourceTest.java

@@ -47,6 +47,8 @@
 import org.mockito.junit.MockitoJUnitRunner;
 
 import com.cloud.agent.api.to.DataStoreTO;
+import org.apache.cloudstack.storage.command.DownloadCommand;
+import com.cloud.agent.api.to.S3TO;
 
 @RunWith(MockitoJUnitRunner.class)
 public class NfsSecondaryStorageResourceTest {
@@ -241,4 +243,18 @@ public void getUploadProtocolTestReturnHttpWhenUseHttpsToUploadIsFalse() {
 
         Assert.assertEquals(NetUtils.HTTP_PROTO, result);
     }
-}
+
+    @Test
+    public void testExecuteRequestRedactsS3Credentials() {
+        S3TO mockS3 = Mockito.mock(S3TO.class);
+        DownloadCommand mockCmd = Mockito.mock(DownloadCommand.class);
+
+        Mockito.when(mockCmd.getDataStore()).thenReturn(mockS3);
+
+        resource.executeRequest(mockCmd);
+
+        Mockito.verify(mockS3).setAccessKey("***REDACTED***");
+        Mockito.verify(mockS3).setSecretKey("***REDACTED***");
+    }
+
+}