AMBARI-25043. Make sure we mask password properties when fetching sensitive Ambari configuration via the API (just like we do it for service configs)

ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RootServiceComponentConfigurationResourceProvider.java

@@ -40,6 +40,7 @@
 import org.apache.ambari.server.controller.utilities.PredicateHelper;
 import org.apache.ambari.server.controller.utilities.PropertyHelper;
 import org.apache.ambari.server.security.authorization.RoleAuthorization;
+import org.apache.ambari.server.utils.SecretReference;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
 
@@ -210,7 +211,7 @@ private Resource toResource(String serviceName, String componentName, String cat
     setResourceProperty(resource, CONFIGURATION_SERVICE_NAME_PROPERTY_ID, serviceName, requestedIds);
     setResourceProperty(resource, CONFIGURATION_COMPONENT_NAME_PROPERTY_ID, componentName, requestedIds);
     setResourceProperty(resource, CONFIGURATION_CATEGORY_PROPERTY_ID, categoryName, requestedIds);
-    setResourceProperty(resource, CONFIGURATION_PROPERTIES_PROPERTY_ID, properties, requestedIds);
+    setResourceProperty(resource, CONFIGURATION_PROPERTIES_PROPERTY_ID, SecretReference.maskPasswordInPropertyMap(properties), requestedIds);
     setResourceProperty(resource, CONFIGURATION_PROPERTY_TYPES_PROPERTY_ID, propertyTypes, requestedIds);
     return resource;
   }

ambari-server/src/main/java/org/apache/ambari/server/utils/SecretReference.java

@@ -94,17 +94,32 @@ public static String generateStub(String configType, Long configVersion, String
    * @return New string with the passwords masked, or null if the property map is null.
    */
   public static String maskPasswordInPropertyMap(String propertyMap) {
-    if (null == propertyMap) return null;
-    Map<String, String> maskedMap = new HashMap<>();
-    Map<String, String> map = gson.fromJson(propertyMap, new TypeToken<Map<String, String>>() {}.getType());
-    for (Map.Entry<String, String> e : map.entrySet()) {
-      String value = e.getValue();
-      if (e.getKey().toLowerCase().contains(PASSWORD_TEXT) || e.getKey().toLowerCase().contains(PASSWD_TEXT)) {
-        value = secretPrefix;
-      }
-      maskedMap.put(e.getKey(), value);
+    if (null == propertyMap) {
+      return null;
+    }
+    final Map<String, String> map = gson.fromJson(propertyMap, new TypeToken<Map<String, String>>() {}.getType());
+    return gson.toJson(maskPasswordInPropertyMap(map));
+  }
+
+  /**
+   * Helper function to mask a string of properties that may contain a property with a password.
+   * @param propertyMap Property map to mask by replacing any passwords with the text "SECRET"
+   * @return a new map with the passwords masked, or null if the <code>propertyMap</code> is null.
+   */
+  public static Map<String, String> maskPasswordInPropertyMap(Map<String, String> propertyMap) {
+    if (null == propertyMap) {
+      return null;
+    }
+    final Map<String, String> maskedMap = new HashMap<>();
+    for (Map.Entry<String, String> property : propertyMap.entrySet()) {
+      String value = isPassword(property.getKey()) ? secretPrefix : property.getValue();
+      maskedMap.put(property.getKey(), value);
     }
-    return gson.toJson(maskedMap);
+    return maskedMap;
+  }
+
+  private final static boolean isPassword(String propertyName) {
+    return propertyName.toLowerCase().contains(PASSWORD_TEXT) || propertyName.toLowerCase().contains(PASSWD_TEXT);
   }
 
   /**