From b8df8ffe08c727be90ffaba9c02f067a30015d57 Mon Sep 17 00:00:00 2001 From: burgerni10 Date: Thu, 24 Aug 2023 12:00:53 +0200 Subject: [PATCH] fix(logger): Keep loki password secret --- .../__mocks__/encryption-service.mock.ts | 1 + .../controllers/oibus.controller.spec.ts | 49 ++++++++++++++----- .../controllers/oibus.controller.ts | 11 ++++- .../edit-engine/edit-engine.component.ts | 2 +- 4 files changed, 48 insertions(+), 15 deletions(-) diff --git a/backend/src/tests/__mocks__/encryption-service.mock.ts b/backend/src/tests/__mocks__/encryption-service.mock.ts index 74e6963ee0..baf50c2d9b 100644 --- a/backend/src/tests/__mocks__/encryption-service.mock.ts +++ b/backend/src/tests/__mocks__/encryption-service.mock.ts @@ -6,6 +6,7 @@ export default jest.fn().mockImplementation((keyFolder: string, certsFolder: str keyFolder, certsFolder, decryptText: jest.fn(pass => pass), + encryptText: jest.fn(pass => pass), filterSecrets: jest.fn(), encryptConnectorSecrets: jest.fn() }; diff --git a/backend/src/web-server/controllers/oibus.controller.spec.ts b/backend/src/web-server/controllers/oibus.controller.spec.ts index ba8135193a..3b17729602 100644 --- a/backend/src/web-server/controllers/oibus.controller.spec.ts +++ b/backend/src/web-server/controllers/oibus.controller.spec.ts @@ -3,7 +3,7 @@ import Joi from 'joi'; import OibusController from './oibus.controller'; import JoiValidator from './validators/joi.validator'; import KoaContextMock from '../../tests/__mocks__/koa-context.mock'; -import { OIBusInfo } from '../../../../shared/model/engine.model'; +import { EngineSettingsCommandDTO, EngineSettingsDTO, OIBusInfo } from '../../../../shared/model/engine.model'; jest.mock('./validators/joi.validator'); 
@@ -12,21 +12,29 @@ const schema = Joi.object({}); const oibusController = new OibusController(validator, schema); const ctx = new KoaContextMock(); -const engineCommand = { - name: 'name', - port: 8080, - logParameters: {}, - healthSignal: {} -}; -const engine = { - id: '1', - ...engineCommand -}; describe('Oibus controller', () => { + let engineCommand: EngineSettingsCommandDTO; + let engine: EngineSettingsDTO; + beforeEach(async () => { jest.resetAllMocks(); jest.useFakeTimers(); + + engineCommand = { + name: 'name', + port: 8080, + logParameters: { + loki: { + username: 'user', + password: 'pass' + } + } + } as EngineSettingsCommandDTO; + engine = { + id: '1', + ...engineCommand + }; }); it('getEngineSettings() should return engine settings', async () => { @@ -47,7 +55,7 @@ describe('Oibus controller', () => { expect(ctx.notFound).toHaveBeenCalledWith(); }); - it('updateEngineSettings() should update engine settings', async () => { + it('updateEngineSettings() should update engine settings with loki password change', async () => { ctx.request.body = engineCommand; const newEngine = { ...engine, name: 'new name' }; ctx.app.repositoryService.engineRepository.getEngineSettings.mockReturnValueOnce(engine).mockReturnValueOnce(newEngine); 
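Review bot: The `as EngineSettingsCommandDTO` cast on the `engineCommand` fixture in `beforeEach` silences the compiler about every field the literal omits, so the spec no longer reflects the shape of a real request body. The controller under test now dereferences `logParameters.loki.password` unconditionally, so it is worth dropping the cast and filling in the remaining required fields; the existing `let engineCommand: EngineSettingsCommandDTO` declaration will then type-check the literal. The `describe` body continues outside the hunk.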
@@ -55,6 +63,23 @@ describe('Oibus controller', () => { await oibusController.updateEngineSettings(ctx); expect(validator.validate).toHaveBeenCalledWith(schema, engineCommand); + expect(ctx.app.encryptionService.encryptText).toHaveBeenCalledWith('pass'); + expect(ctx.app.repositoryService.engineRepository.getEngineSettings).toHaveBeenCalledTimes(2); + expect(ctx.app.repositoryService.engineRepository.updateEngineSettings).toHaveBeenCalledWith(engineCommand); + await expect(ctx.app.reloadService.onUpdateOibusSettings).toHaveBeenCalledWith(engine, newEngine); + expect(ctx.noContent).toHaveBeenCalled(); + }); + + it('updateEngineSettings() should update engine settings without password change', async () => { + ctx.request.body = JSON.parse(JSON.stringify(engineCommand)); + ctx.request.body.logParameters.loki.password = ''; + const newEngine = { ...engine, name: 'new name' }; + ctx.app.repositoryService.engineRepository.getEngineSettings.mockReturnValueOnce(engine).mockReturnValueOnce(newEngine); + + await oibusController.updateEngineSettings(ctx); + + expect(validator.validate).toHaveBeenCalledWith(schema, engineCommand); + expect(ctx.app.encryptionService.encryptText).not.toHaveBeenCalled(); expect(ctx.app.repositoryService.engineRepository.getEngineSettings).toHaveBeenCalledTimes(2); expect(ctx.app.repositoryService.engineRepository.updateEngineSettings).toHaveBeenCalledWith(engineCommand); await expect(ctx.app.reloadService.onUpdateOibusSettings).toHaveBeenCalledWith(engine, newEngine); diff --git a/backend/src/web-server/controllers/oibus.controller.ts b/backend/src/web-server/controllers/oibus.controller.ts index 4ffedc8ce6..9a70355709 100644 --- a/backend/src/web-server/controllers/oibus.controller.ts +++ b/backend/src/web-server/controllers/oibus.controller.ts 
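Review bot: The "with loki password change" test does not prove that the encrypted value is what gets persisted. `ctx.request.body` is the same object as `engineCommand`, so `expect(...updateEngineSettings).toHaveBeenCalledWith(engineCommand)` passes whatever `encryptText` returned, including `undefined`. Give the mock a distinguishable result, e.g. `ctx.app.encryptionService.encryptText.mockResolvedValueOnce('encrypted-pass');`, and assert that the command passed to `updateEngineSettings` has `logParameters.loki.password` equal to `'encrypted-pass'`. In the "without password change" test, `expect(validator.validate).toHaveBeenCalledWith(schema, engineCommand)` only matches because the body has already been rewritten by the time jest compares it, so it does not show that an empty password passed validation. Depending on how `KoaContextMock` builds the service (not visible here), `jest.resetAllMocks()` in `beforeEach` may also strip the identity implementation added to the encryption-service mock.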
@@ -6,6 +6,7 @@ export default class OibusController extends AbstractController { async getEngineSettings(ctx: KoaContext): Promise { const settings = ctx.app.repositoryService.engineRepository.getEngineSettings(); if (settings) { + settings.logParameters.loki.password = ''; ctx.ok(settings); } else { ctx.notFound(); @@ -15,8 +16,14 @@ export default class OibusController extends AbstractController { async updateEngineSettings(ctx: KoaContext): Promise { try { await this.validate(ctx.request.body); - const oldEngineSettings = ctx.app.repositoryService.engineRepository.getEngineSettings(); - ctx.app.repositoryService.engineRepository.updateEngineSettings(ctx.request.body as EngineSettingsCommandDTO); + const command = ctx.request.body as EngineSettingsCommandDTO; + const oldEngineSettings = ctx.app.repositoryService.engineRepository.getEngineSettings()!; + if (!command.logParameters.loki.password) { + command.logParameters.loki.password = oldEngineSettings.logParameters.loki.password; + } else { + command.logParameters.loki.password = await ctx.app.encryptionService.encryptText(command.logParameters.loki.password); + } + ctx.app.repositoryService.engineRepository.updateEngineSettings(command); const newEngineSettings = ctx.app.repositoryService.engineRepository.getEngineSettings(); await ctx.app.reloadService.onUpdateOibusSettings(oldEngineSettings, newEngineSettings!); ctx.noContent(); diff --git a/frontend/src/app/engine/edit-engine/edit-engine.component.ts b/frontend/src/app/engine/edit-engine/edit-engine.component.ts index f5d1279f77..624887c429 100644 --- a/frontend/src/app/engine/edit-engine/edit-engine.component.ts +++ b/frontend/src/app/engine/edit-engine/edit-engine.component.ts 
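Review bot: `settings.logParameters.loki.password = '';` in `getEngineSettings` blanks the field on the object the repository returned, not on a copy. If `engineRepository.getEngineSettings()` hands out a cached or shared instance (not visible in this hunk), the stored secret is wiped for every other consumer of that object. Redact on a copy instead, e.g. `ctx.ok({ ...settings, logParameters: { ...settings.logParameters, loki: { ...settings.logParameters.loki, password: '' } } });`. A comment such as `// never return the stored Loki secret to the client` would record why the field is cleared.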
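Review bot: The `if (!command.logParameters.loki.password)` branch in `updateEngineSettings` re-attaches the stored secret to whatever else the request carries. A caller who changes the other Loki connection fields and leaves the password blank therefore causes the existing credential to be used with the new settings; only `username` and `password` are visible in this patch, so whether the DTO also holds a target address is an assumption. Keep the stored value only when the rest of the `loki` block is unchanged, and otherwise require the password to be re-entered. Separately, the `!` on `getEngineSettings()` turns missing settings into a TypeError on `oldEngineSettings.logParameters`, whereas `getEngineSettings` in the same class answers that case with `ctx.notFound()`. The `try` block continues outside the hunk, so how a thrown error is reported to the client is not visible here.

```typescript
const command = ctx.request.body as EngineSettingsCommandDTO;
const oldEngineSettings = ctx.app.repositoryService.engineRepository.getEngineSettings();
if (!oldEngineSettings) {
  ctx.notFound();
  return;
}
const oldLoki = oldEngineSettings.logParameters.loki;
const newLoki = command.logParameters.loki;
if (newLoki.password) {
  newLoki.password = await ctx.app.encryptionService.encryptText(newLoki.password);
} else if (newLoki.username === oldLoki.username /* && every other Loki connection field is unchanged */) {
  // Blank password with unchanged connection details: keep the stored (encrypted) secret.
  newLoki.password = oldLoki.password;
} else {
  // Connection details changed without a new password: do not carry the stored secret over.
  throw new Error('Loki password must be re-entered when the Loki connection settings change');
}
// … unchanged: updateEngineSettings(command), reload notification, ctx.noContent() …
```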
@@ -29,7 +29,7 @@ export class EditEngineComponent implements OnInit { }), file: this.fb.group({ level: ['info' as LogLevel, Validators.required], - maxFileSize: [null as number | null, [Validators.required, Validators.min(1)]], + maxFileSize: [null as number | null, [Validators.required, Validators.min(1), Validators.max(10)]], numberOfFiles: [null as number | null, [Validators.required, Validators.min(1)]] }), database: this.fb.group({
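Review bot: `Validators.max(10)` on `maxFileSize` is enforced only in the browser form, so a direct call to the engine settings endpoint can still submit a larger value unless the backend schema carries the same bound (the Joi schema is not part of this patch). If the limit is meant to cap disk usage, mirror it server-side and add a comment next to the validator, e.g. `// upper bound for maxFileSize; keep in sync with the backend validation`. The change is unrelated to the Loki password fix named in the commit subject and would be easier to trace as its own commit. The form-group definition continues outside the hunk.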