Fix #185 Desensitize the old password while logging

src/main/java/run/halo/app/service/impl/UserServiceImpl.java

@@ -124,7 +124,7 @@ public class UserServiceImpl extends AbstractCrudService<User, Integer> implemen
         User updatedUser = update(user);
 
         // Log it
-        eventPublisher.publishEvent(new LogEvent(this, updatedUser.getId().toString(), LogType.PASSWORD_UPDATED, oldPassword));
+        eventPublisher.publishEvent(new LogEvent(this, updatedUser.getId().toString(), LogType.PASSWORD_UPDATED, HaloUtils.desensitize(oldPassword, 2, 1)));
 
         return updatedUser;
     }

src/main/java/run/halo/app/utils/HaloUtils.java

@@ -21,6 +21,44 @@ import static run.halo.app.model.support.HaloConst.FILE_SEPARATOR;
 @Slf4j
 public class HaloUtils {
 
+    /**
+     * Desensitizes the plain text.
+     *
+     * @param plainText plain text must not be null
+     * @param leftSize  left size
+     * @param rightSize right size
+     * @return desensitization
+     */
+    public static String desensitize(@NonNull String plainText, int leftSize, int rightSize) {
+        Assert.hasText(plainText, "Plain text must not be blank");
+
+        if (leftSize < 0) {
+            leftSize = 0;
+        }
+
+        if (leftSize > plainText.length()) {
+            leftSize = plainText.length();
+        }
+
+        if (rightSize < 0) {
+            rightSize = 0;
+        }
+
+        if (rightSize > plainText.length()) {
+            rightSize = plainText.length();
+        }
+
+        if (plainText.length() < leftSize + rightSize) {
+            rightSize = plainText.length() - leftSize;
+        }
+
+        int remainSize = plainText.length() - rightSize - leftSize;
+
+        String left = StringUtils.left(plainText, leftSize);
+        String right = StringUtils.right(plainText, rightSize);
+        return StringUtils.rightPad(left, remainSize + leftSize, '*') + right;
+    }
+
     /**
      * Changes file separator to url separator.
      *

src/test/java/run/halo/app/utils/HaloUtilsTest.java

@@ -1,5 +1,6 @@
 package run.halo.app.utils;
 
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomUtils;
 import org.junit.Test;
 
@@ -14,6 +15,7 @@ import static org.junit.Assert.assertThat;
  * @author johnniang
  * @date 3/29/19
  */
+@Slf4j
 public class HaloUtilsTest {
 
     @Test
@@ -92,4 +94,37 @@ public class HaloUtilsTest {
     public void pluralizeLabelExceptionTest() {
         HaloUtils.pluralize(1, null, null);
     }
+
+    @Test
+    public void desensitizeSuccessTest() {
+        String plainText = "12345678";
+
+        String desensitization = HaloUtils.desensitize(plainText, 1, 1);
+        assertThat(desensitization, equalTo("1******8"));
+
+        desensitization = HaloUtils.desensitize(plainText, 2, 3);
+        assertThat(desensitization, equalTo("12***678"));
+
+        desensitization = HaloUtils.desensitize(plainText, 2, 6);
+        assertThat(desensitization, equalTo("12345678"));
+
+        desensitization = HaloUtils.desensitize(plainText, 2, 7);
+        assertThat(desensitization, equalTo("12345678"));
+
+        desensitization = HaloUtils.desensitize(plainText, 0, 0);
+        assertThat(desensitization, equalTo("********"));
+
+        desensitization = HaloUtils.desensitize(plainText, -1, -1);
+        assertThat(desensitization, equalTo("********"));
+
+        plainText = " ";
+        desensitization = HaloUtils.desensitize(plainText, 1, 1);
+        assertThat(desensitization, equalTo("********"));
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void desensitizeFailureTest() {
+        String plainText = " ";
+        HaloUtils.desensitize(plainText, 1, 1);
+    }
 }