Extract package name from JWT token

The dynamic log level feature was extend by two filters for log4j2 and logback,
that allow filtering on package names. To configure what packages should be
eligible for dynamic log level change the JWT token can now contain a field
`packages`. When the new filters are used, the log level change is only applied
to those packages.

Author: KarstenSchnitter

cf-java-logging-support-servlet/src/main/java/com/sap/hcp/cf/logging/servlet/dynlog/DynamicLogLevelProcessor.java

@@ -39,8 +39,10 @@ public void copyDynamicLogLevelToMDC(HttpServletRequest httpRequest) {
             try {
                 DecodedJWT jwt = tokenDecoder.validateAndDecodeToken(logLevelToken);
                 String dynamicLogLevel = jwt.getClaim("level").asString();
+				String packages = jwt.getClaim("packages").asString();
                 if (ALLOWED_DYNAMIC_LOGLEVELS.contains(dynamicLogLevel)) {
                     MDC.put(DynamicLogLevelHelper.MDC_DYNAMIC_LOG_LEVEL_KEY, dynamicLogLevel);
+					MDC.put(DynamicLogLevelHelper.MDC_DYNAMIC_LOG_LEVEL_PREFIXES, packages);
                 } else {
                     throw new DynamicLogLevelException("Dynamic Log-Level [" + dynamicLogLevel +
                                                        "] provided in header is not valid. Allowed Values are " +

cf-java-logging-support-servlet/src/main/java/com/sap/hcp/cf/logging/servlet/dynlog/TokenCreator.java

@@ -19,107 +19,112 @@
 import org.apache.commons.lang3.StringUtils;
 
 import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTCreator.Builder;
 import com.auth0.jwt.algorithms.Algorithm;
 
 public class TokenCreator {
 
-    private static final List<String> ALLOWED_DYNAMIC_LOGLEVELS = Arrays.asList("TRACE", "DEBUG", "INFO", "WARN",
-                                                                                "ERROR");
-
-    /**
-     * Run this application locally in order to generate valid dynamic log level
-     * JWT tokens which enable you to change the log level threshold on your
-     * CF-Application for a single thread.
-     */
-    public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchProviderException,
-                                           DynamicLogLevelException, InvalidKeySpecException {
-
-        /*
-         * PLEASE PROVIDE THIS INFORMATION ***********************************
-         */
-        // Replace with email address
-        String issuer = "firstname.lastname@sap.com";
-        // Replace with the log level that should be transmitted via the token
-        // Valid log level thresholds are:
-        // "TRACE", "DEBUG", "INFO", "WARN", "ERROR"
-        String level = "TRACE";
-        // Set a validity period in days
-        long validityPeriodInDays = 2;
-        // If available provide Base64 encoded private key here:
-        String privateKey = "";
-        // If available provide Base64 encoded private key here:
-        String publicKey = "";
-        // (If no keys are provided, new keys will be generated)
-        /*
-         * ********************************************************************
-         */
-
-        KeyPair keyPair;
-
-        if (StringUtils.isNotBlank(privateKey)) {
-            keyPair = new KeyPair(publicKeyConverter(publicKey), privateKeyConverter(privateKey));
-        }
-
-        else {
-            KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+	private static final List<String> ALLOWED_DYNAMIC_LOGLEVELS = Arrays.asList("TRACE", "DEBUG", "INFO", "WARN",
+			"ERROR");
+
+	/**
+	 * Run this application locally in order to generate valid dynamic log level JWT
+	 * tokens which enable you to change the log level threshold on your
+	 * CF-Application for a single thread.
+	 */
+	public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchProviderException,
+			DynamicLogLevelException, InvalidKeySpecException {
+
+		/*
+		 * PLEASE PROVIDE THIS INFORMATION ***********************************
+		 */
+		// Replace with email address
+		String issuer = "firstname.lastname@sap.com";
+		// Replace with the log level that should be transmitted via the token
+		// Valid log level thresholds are:
+		// "TRACE", "DEBUG", "INFO", "WARN", "ERROR"
+		String level = "TRACE";
+		// Replace with the packages that should be transmitted via the token
+		// Multiple packages should be separated by a comma.
+		String packages = "";
+		// Set a validity period in days
+		long validityPeriodInDays = 2;
+		// If available provide Base64 encoded private key here:
+		String privateKey = "";
+		// If available provide Base64 encoded private key here:
+		String publicKey = "";
+		// (If no keys are provided, new keys will be generated)
+		/*
+		 * ********************************************************************
+		 */
+
+		KeyPair keyPair;
+
+		if (StringUtils.isNotBlank(privateKey)) {
+			keyPair = new KeyPair(publicKeyConverter(publicKey), privateKeyConverter(privateKey));
+		}
+
+		else {
+			KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
 			keyGen.initialize(2048);
-            keyPair = keyGen.generateKeyPair();
-            // keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
-        }
-        privateKey = DatatypeConverter.printBase64Binary(keyPair.getPrivate().getEncoded());
-        publicKey = DatatypeConverter.printBase64Binary(keyPair.getPublic().getEncoded());
-        Date issuedAt = new Date();
-        Date expiresAt = new Date(new Date().getTime() + validityPeriodInDays * 86400000);
-        String token = TokenCreator.createToken(keyPair, issuer, issuedAt, expiresAt, level);
-
-        System.out.println("You successfully created a dynamic log level token with log level " + level + "!");
-        System.out.println();
-        System.out.println("Your private key is:");
-        System.out.println(privateKey);
-        System.out.println("Your public key is:");
-        System.out.println(publicKey);
-        System.out.println("Your JWT token with log level " + level + " is:");
-        System.out.println(token);
-        System.out.println();
-        System.out.println("Please copy and save token and keys for later usage. The JWT token can now be written");
-        System.out.println("to an HTTP header in order to change the corresponding request's log level to " + level);
-        System.out.println("For token validation, the public key must be added to the environment of the application.");
-        System.out.println("In order to generate a new token with specific keys, the variables privateKey and publicKey");
-        System.out.println("can be instantiated with these keys");
-
-    }
-
-    public static String createToken(KeyPair keyPair, String issuer, Date issuedAt, Date expiresAt, String level)
-                                                                                                                  throws NoSuchAlgorithmException,
-                                                                                                                  NoSuchProviderException,
-                                                                                                                  DynamicLogLevelException {
-        Algorithm rsa256 = Algorithm.RSA256((RSAPublicKey) keyPair.getPublic(), (RSAPrivateKey) keyPair.getPrivate());
-        if (ALLOWED_DYNAMIC_LOGLEVELS.contains(level)) {
-            return JWT.create().withIssuer(issuer).//
-                      withIssuedAt(issuedAt). //
-                      withExpiresAt(expiresAt).//
-                      withClaim("level", level).sign(rsa256);
-        } else {
-            throw new DynamicLogLevelException("Dynamic Log-Level [" + level +
-                                               "] provided in header is not valid. Allowed Values are " +
-                                               ALLOWED_DYNAMIC_LOGLEVELS.toString());
-        }
-    }
-
-    private static RSAPublicKey publicKeyConverter(String pemKey) throws NoSuchAlgorithmException,
-                                                                  InvalidKeySpecException {
-        byte[] keyBytes = DatatypeConverter.parseBase64Binary(pemKey);
-        X509EncodedKeySpec spec = new X509EncodedKeySpec(keyBytes);
-        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
-        return (RSAPublicKey) keyFactory.generatePublic(spec);
-    }
-
-    private static RSAPrivateKey privateKeyConverter(String pemKey) throws NoSuchAlgorithmException,
-                                                                    InvalidKeySpecException {
-        byte[] keyBytes = DatatypeConverter.parseBase64Binary(pemKey);
-        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyBytes);
-        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
-        return (RSAPrivateKey) keyFactory.generatePrivate(spec);
-    }
+			keyPair = keyGen.generateKeyPair();
+			// keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
+		}
+		privateKey = DatatypeConverter.printBase64Binary(keyPair.getPrivate().getEncoded());
+		publicKey = DatatypeConverter.printBase64Binary(keyPair.getPublic().getEncoded());
+		Date issuedAt = new Date();
+		Date expiresAt = new Date(new Date().getTime() + validityPeriodInDays * 86400000);
+		String token = TokenCreator.createToken(keyPair, issuer, issuedAt, expiresAt, level, packages);
+
+		System.out.println("You successfully created a dynamic log level token with log level " + level
+				+ " and packages " + packages + "!");
+		System.out.println();
+		System.out.println("Your private key is:");
+		System.out.println(privateKey);
+		System.out.println("Your public key is:");
+		System.out.println(publicKey);
+		System.out.println("Your JWT token with log level " + level + " is:");
+		System.out.println(token);
+		System.out.println();
+		System.out.println("Please copy and save token and keys for later usage. The JWT token can now be written");
+		System.out.println("to an HTTP header in order to change the corresponding request's log level to " + level);
+		System.out.println("For token validation, the public key must be added to the environment of the application.");
+		System.out
+				.println("In order to generate a new token with specific keys, the variables privateKey and publicKey");
+		System.out.println("can be instantiated with these keys");
+
+	}
+
+	public static String createToken(KeyPair keyPair, String issuer, Date issuedAt, Date expiresAt, String level,
+			String packages) throws NoSuchAlgorithmException, NoSuchProviderException, DynamicLogLevelException {
+		Algorithm rsa256 = Algorithm.RSA256((RSAPublicKey) keyPair.getPublic(), (RSAPrivateKey) keyPair.getPrivate());
+		if (ALLOWED_DYNAMIC_LOGLEVELS.contains(level)) {
+			Builder builder = JWT.create().withIssuer(issuer).//
+					withIssuedAt(issuedAt). //
+					withExpiresAt(expiresAt).//
+					withClaim("level", level);
+			builder = StringUtils.isNotBlank(packages) ? builder.withClaim("packages", packages) : builder;
+			return builder.withClaim("packages", packages).sign(rsa256);
+		} else {
+			throw new DynamicLogLevelException("Dynamic Log-Level [" + level
+					+ "] provided in header is not valid. Allowed Values are " + ALLOWED_DYNAMIC_LOGLEVELS.toString());
+		}
+	}
+
+	private static RSAPublicKey publicKeyConverter(String pemKey)
+			throws NoSuchAlgorithmException, InvalidKeySpecException {
+		byte[] keyBytes = DatatypeConverter.parseBase64Binary(pemKey);
+		X509EncodedKeySpec spec = new X509EncodedKeySpec(keyBytes);
+		KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+		return (RSAPublicKey) keyFactory.generatePublic(spec);
+	}
+
+	private static RSAPrivateKey privateKeyConverter(String pemKey)
+			throws NoSuchAlgorithmException, InvalidKeySpecException {
+		byte[] keyBytes = DatatypeConverter.parseBase64Binary(pemKey);
+		PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyBytes);
+		KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+		return (RSAPrivateKey) keyFactory.generatePrivate(spec);
+	}
 
 }

cf-java-logging-support-servlet/src/test/java/com/sap/hcp/cf/logging/servlet/dynlog/DynamicLogLevelProcessorTest.java

@@ -39,7 +39,7 @@ public void setup() throws NoSuchAlgorithmException, NoSuchProviderException, Dy
         String keyBase64 = DatatypeConverter.printBase64Binary(keyPair.getPublic().getEncoded());
         Date issuedAt = new Date();
         Date expiresAt = new Date(new Date().getTime() + 10000);
-        String token = TokenCreator.createToken(keyPair, "issuer", issuedAt, expiresAt, "TRACE");
+		String token = TokenCreator.createToken(keyPair, "issuer", issuedAt, expiresAt, "TRACE", "myPrefix");
         when(environment.getVariable("DYN_LOG_LEVEL_KEY")).thenReturn(keyBase64);
         when(environment.getVariable("DYN_LOG_HEADER")).thenReturn("SAP-LOG-LEVEL");
         when(httpRequest.getHeader("SAP-LOG-LEVEL")).thenReturn(token);
@@ -62,4 +62,11 @@ public void testDeleteDynamicLogLevelFromMDC() throws Exception {
         processor.removeDynamicLogLevelFromMDC();
         assertEquals(null, MDC.get(DynamicLogLevelHelper.MDC_DYNAMIC_LOG_LEVEL_KEY));
     }
+
+	@Test
+	public void testCopyDynamicLogPackagesToMDC() throws Exception {
+		processor.copyDynamicLogLevelToMDC(httpRequest);
+		assertEquals("myPrefix", MDC.get(DynamicLogLevelHelper.MDC_DYNAMIC_LOG_LEVEL_PREFIXES));
+
+	}
 }

cf-java-logging-support-servlet/src/test/java/com/sap/hcp/cf/logging/servlet/dynlog/TokenDecoderTest.java

@@ -26,14 +26,15 @@ public void setup() throws NoSuchAlgorithmException, NoSuchProviderException, Dy
         invalidKeyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
         Date issuedAt = new Date();
         Date expiresAt = new Date(new Date().getTime() + 10000);
-        token = TokenCreator.createToken(validKeyPair, "issuer", issuedAt, expiresAt, "TRACE");
+		token = TokenCreator.createToken(validKeyPair, "issuer", issuedAt, expiresAt, "TRACE", "myPrefix");
     }
 
     @Test
     public void testTokenContent() throws Exception {
         TokenDecoder tokenDecoder = new TokenDecoder((RSAPublicKey) validKeyPair.getPublic());
         DecodedJWT jwt = tokenDecoder.validateAndDecodeToken(token);
         assertEquals(jwt.getClaim("level").asString(), "TRACE");
+		assertEquals(jwt.getClaim("packages").asString(), "myPrefix");
     }
 
     @Test(expected = DynamicLogLevelException.class)