Redact S3 credentials from logs

[jerome079]

Description

This PR addresses a security issue where S3 credentials used for Secondary Storage were being logged in plain text in CloudStack logs (access.log and management-server.log). Even when debug logging is enabled, secret credentials such as accessKey and secretKey should never appear in logs.

Fix details:

• Redacts the accessKey and secretKey from the S3TO object before logging DownloadCommand in NfsSecondaryStorageResource.java.
• Adds a unit test in NfsSecondaryStorageResourceTest.java to verify that credentials are redacted.

Steps to reproduce the issue:

1. Deploy CloudStack 4.20.0.0 with KVM and Ceph RGW S3 as Secondary Storage.
2. Create a Secondary Storage using S3 credentials.
3. Observe logs in /var/log/cloudstack/management/access.log or management-server.log — credentials will be printed.

Fixes: #10339

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• test (unit or integration test code)

Bug Severity

• Major

How Has This Been Tested?

• Added a unit test that mocks S3TO and verifies that setAccessKey("***REDACTED***") and setSecretKey("***REDACTED***") are called during executeRequest.

[boring-cyborg]

Congratulations on your first Pull Request and welcome to the Apache CloudStack community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/cloudstack/blob/main/CONTRIBUTING.md)
Here are some useful points:

• In case of a new feature add useful documentation (raise doc PR at https://github.com/apache/cloudstack-documentation)
• Be patient and persistent. It might take some time to get a review or get the final approval from the committers.
• Pay attention to the quality of your code, ensure tests are passing and your PR doesn't have conflicts.
• Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Issues, Mailing list and Slack.
• Be sure to read the CloudStack Coding Conventions.
  Apache CloudStack is a community-driven project and together we are making it better 🚀.
  In case of doubts contact the developers at:
  Mailing List: dev@cloudstack.apache.org (https://cloudstack.apache.org/mailing-lists.html)
  Slack: https://apachecloudstack.slack.com/

[DaanHoogland]

code looks good, but it seems this should be in LogUtils. There is other obfuscation code also scattered across the code base, so definately not a 👎 but a mere suggestion.

[DaanHoogland]

@blueorangutan LLpackage

[blueorangutan]

@DaanHoogland a [LL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.91%. Comparing base (8e4fe1c) to head (ff6a437).
⚠️ Report is 392 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (8e4fe1c) and HEAD (ff6a437). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (8e4fe1c)	HEAD (ff6a437)
unittests	1	0

Additional details and impacted files

@@              Coverage Diff              @@
##               main   #10811       +/-   ##
=============================================
- Coverage     16.57%    3.91%   -12.67%     
=============================================
  Files          5745      415     -5330     
  Lines        510847    33793   -477054     
  Branches      62140     6078    -56062     
=============================================
- Hits          84696     1322    -83374     
+ Misses       416677    32313   -384364     
+ Partials       9474      158     -9316     

Flag	Coverage Δ
uitests	3.91% <ø> (ø)
unittests	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[blueorangutan]

Packaging result [LL]: ✖️ el7 ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 6219

[DaanHoogland]

@blueorangutan package

[blueorangutan]

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 14149

[DaanHoogland]

@jerome079 can you have a look at this PR?

20:43:58 [ERROR] /jenkins/workspace/acs-centos8-pkg-builder/dist/rpmbuild/BUILD/cloudstack-4.21.0.0-SNAPSHOT/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java:299: Line has trailing spaces. [RegexpSingleline]

[github-actions]

This pull request has merge conflicts. Dear author, please fix the conflicts and sync your branch with the base branch.

[rajujith]

@jerome079 can you resolve the conflicts and retarget the PR to the 4.22 branch?

[DaanHoogland]

@jerome079 can you resolve the conflicts and retarget the PR to the 4.22 branch?

@jerome079 @rajujith , I think if any retargeting for this one is done it should be for 4.20 (20.3 release)