ef-labs / stash-hook-mirror

An Atlassian Stash repository hook for mirroring to one or more remote git repositories.

Encrypt the password #1

Closed adrianluisgonzalez closed 11 years ago

adrianluisgonzalez commented 11 years ago

The password should not be returned to the client in clear-text JSON.

adrianluisgonzalez commented 11 years ago

The problem is that the settings are stored internally in an immutable map, which makes it difficult to modify values before they are persisted. One option would be to schedule a handler that reloads the settings and saves them encrypted after a short delay.

RepositoryHookResource.java

/**
     * Replaces the settings of hook {@code hookKey} on {@code repository} and returns
     * the persisted settings as the response body.
     *
     * <p>The entity is built from {@code asMap()} of the settings returned by the hook
     * service, so every stored value is echoed back to the client. As reported in
     * issue #1, that includes the mirror password in clear text; if credentials must
     * not leave the server, secret entries have to be stripped or masked before the
     * response is built.
     *
     * @param repository  the repository whose hook settings are replaced
     * @param hookKey     key of the hook module whose settings are replaced
     * @param rawSettings untyped request body, converted via {@code createSettings}
     * @return 200 OK with the saved settings map as the entity
     * @throws IOException as declared by the signature; which call raises it is not
     *                     visible in this excerpt
     */
    @PUT
    @Path("{hookKey}/settings")
    public Response setSettings(
            @Context Repository repository,
            @PathParam("hookKey") String hookKey,
            Map<String, Object> rawSettings) throws IOException {
        // Convert the untyped request body into the typed Settings model first.
        Settings requested = createSettings(rawSettings);
        // Persist via the hook service; it hands back the Settings it actually stored.
        Settings persisted = repositoryHookService.setSettings(repository, hookKey, requested);
        // The full stored map becomes the response entity (see the Javadoc note on secrets).
        return ResponseFactory.ok(persisted.asMap()).build();
    }

DefaultRepositoryHookService.java

    /**
     * Stores {@code settings} for hook {@code hookKey} on {@code repository}.
     *
     * <p>Delegates entirely to {@code repositorySettingsService.save}. The settings
     * object is handed over unchanged, so whatever the caller supplied (per issue #1,
     * a clear-text password) is exactly what reaches the persistence layer.
     *
     * @param repository the repository owning the hook
     * @param hookKey    key of the hook module
     * @param settings   settings to store; must not be null
     * @return the settings as returned by the settings service
     * @throws NullPointerException    if {@code settings} is null
     * @throws FormValidationException propagated from the settings service
     */
    public Settings setSettings(@Nonnull Repository repository, @Nonnull String hookKey, @Nonnull Settings settings) throws FormValidationException {
        checkNotNull(settings, "settings");
        Settings stored = repositorySettingsService.save(repository, hookKey, settings);
        return stored;
    }

DefaultRepositorySettingService.java

    /**
     * Validates and persists {@code settings} for module {@code moduleKey} on
     * {@code repository}.
     *
     * <p>Order of operations: null checks, module lookup, module-type check, validation,
     * then persistence of {@code serialize(settings)}. Nothing in this method rewrites
     * the values between validation and persistence, which is why a validator alone
     * cannot replace a clear-text password with an encrypted one before it is stored
     * (the concern raised in issue #1).
     *
     * @param repository the repository the settings belong to
     * @param moduleKey  key of the plugin module owning the settings
     * @param settings   settings to validate and store
     * @return the same {@code settings} instance that was passed in
     * @throws NullPointerException     if any argument is null
     * @throws IllegalArgumentException if the module does not implement
     *                                  {@code ValidatorModuleDescriptor}
     * @throws FormValidationException  if the module's validator reports errors
     */
    public Settings save(@Nonnull Repository repository, @Nonnull String moduleKey, @Nonnull Settings settings) throws FormValidationException {
        checkNotNull(repository, "repository");
        checkNotNull(moduleKey, "moduleKey");
        checkNotNull(settings, "settings");

        // Only modules that expose a validator may have settings saved through here.
        ModuleDescriptor<?> module = pluginAccessor.getEnabledPluginModule(moduleKey);
        boolean supportsValidation = module instanceof ValidatorModuleDescriptor;
        Preconditions.checkArgument(supportsValidation,
                "Module '" + moduleKey + "' does not implement ValidatorModuleDescriptor");
        ValidatorModuleDescriptor<?> validatorModule = (ValidatorModuleDescriptor<?>) module;

        // Validation runs before anything is written; it can reject but is given no
        // return channel to hand back modified settings.
        validate(validatorModule.getValidator(), repository, settings);
        save(convertToInternalRepository(repository), moduleKey, serialize(settings));
        return settings;
    }

    /**
     * Runs {@code validator} against {@code settings}, if a validator is present.
     *
     * <p>Errors reported by the validator are collected in a {@code SettingsErrors};
     * if any were recorded they are wrapped in a {@code FormValidationException}.
     * This method itself never writes to {@code settings}; it only passes the object
     * to the validator, so it offers no place to transform (e.g. encrypt) a value.
     *
     * @param validator  the module's validator, or null if the module has none
     * @param repository repository the settings belong to
     * @param settings   settings under validation
     * @throws FormValidationException if the validator recorded at least one error
     */
    private void validate(RepositorySettingsValidator validator, Repository repository, Settings settings) throws FormValidationException {
        if (validator == null) {
            return; // Module declared no validator: nothing to check.
        }
        Errors errors = new SettingsErrors(settings);
        validator.validate(settings, new SettingsValidationErrorsImpl(errors), repository);
        if (!errors.hasErrors()) {
            return;
        }
        throw new FormValidationException(
                i18nService.getKeyedText("stash.repository.setting.validation.error", "Validation errors occurred when saving settings"),
                new ErrorsWrapper(errors));
    }

The RepositorySettingsValidator validate method does not allow modifying the settings.