HADOOP-17618. ABFS: Partially obfuscate SAS object IDs in Logs

hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/services/AbfsHttpOperation.java

@@ -52,6 +52,7 @@ public class AbfsHttpOperation implements AbfsPerfLoggable {
   private static final Logger LOG = LoggerFactory.getLogger(AbfsHttpOperation.class);
 
   public static final String SIGNATURE_QUERY_PARAM_KEY = "sig=";
+  private static final String[] SAS_OID_PARAM_KEYS = {"skoid", "saoid", "suoid"};
 
   private static final int CONNECT_TIMEOUT = 30 * 1000;
   private static final int READ_TIMEOUT = 30 * 1000;
@@ -547,6 +548,7 @@ public static String encodedUrlStr(String url) {
   public String getSignatureMaskedUrl() {
     if (this.maskedUrl == null) {
       this.maskedUrl = getSignatureMaskedUrl(this.url.toString());
+      maskSASObjectIDs();
     }
     return this.maskedUrl;
   }
@@ -558,6 +560,24 @@ public String getSignatureMaskedEncodedUrl() {
     return this.maskedEncodedUrl;
   }
 
+  public void maskSASObjectIDs() {
+    int oidStartIdx, ampIdx, oidEndIndex, qpStrIdx;
+    for (String qpKey : SAS_OID_PARAM_KEYS) {
+      qpStrIdx = maskedUrl.indexOf('&' + qpKey);
+      if (qpStrIdx == -1) {
+        qpStrIdx = maskedUrl.indexOf('?' + qpKey);
+        if (qpStrIdx == -1) {
+          continue;
+        }
+      }
+      oidStartIdx = qpStrIdx + qpKey.length() + 1;
+      ampIdx = maskedUrl.indexOf("&", oidStartIdx);
+      oidEndIndex = (ampIdx != -1) ? ampIdx : maskedUrl.length();
+      maskedUrl = maskedUrl.substring(0, oidStartIdx + 5) + "XXXX" + maskedUrl
+          .substring(oidEndIndex);
+    }
+  }
+
   public static class AbfsHttpOperationWithFixedResult extends AbfsHttpOperation {
     /**
      * Creates an instance to represent fixed results.

hadoop-tools/hadoop-azure/src/test/java/org/apache/hadoop/fs/azurebfs/ITestAzureBlobFileSystemDelegationSAS.java

@@ -64,6 +64,7 @@
  */
 public class ITestAzureBlobFileSystemDelegationSAS extends AbstractAbfsIntegrationTest {
   private static final String TEST_GROUP = UUID.randomUUID().toString();
+  private static final String[] OID_KEYS = {"skoid", "saoid", "suoid"};
 
   private static final Logger LOG =
       LoggerFactory.getLogger(ITestAzureBlobFileSystemDelegationSAS.class);
@@ -410,6 +411,31 @@ public void testSignatureMask() throws Exception {
         .startsWith("sig%3DXXXX");
   }
 
+  @Test
+  public void testSASObjectIDMask() throws IOException {
+    final AzureBlobFileSystem fs = getFileSystem();
+    AbfsHttpOperation abfsHttpOperation = fs.getAbfsClient().getAclStatus("/")
+        .getResult();
+    String url = abfsHttpOperation.getSignatureMaskedUrl();
+    String encodedUrl = abfsHttpOperation.getSignatureMaskedEncodedUrl();
+    int startIndex;
+    for (String qpKey : OID_KEYS) {
+      startIndex = url.indexOf(qpKey);
+      if (startIndex != -1) {
+        Assertions.assertThat(url.substring(startIndex + qpKey.length() + 5))
+            .describedAs("OID query param should be masked in url")
+            .startsWith("XXXX");
+      }
+      startIndex = encodedUrl.indexOf(qpKey);
+      if (startIndex != -1) {
+        Assertions
+            .assertThat(encodedUrl.substring(startIndex + qpKey.length() + 7))
+            .describedAs("OID query param should be masked in encoded url")
+            .startsWith("XXXX");
+      }
+    }
+  }
+
   @Test
   public void testSignatureMaskOnExceptionMessage() throws Exception {
     intercept(IOException.class, "sig=XXXX",