Keyfactor · doebrowsk · Jan 31, 2025 · Jan 23, 2025 · Jan 24, 2025 · Jan 30, 2025
diff --git a/PaloAlto/Client/PaloAltoClient.cs b/PaloAlto/Client/PaloAltoClient.cs
@@ -25,6 +25,8 @@
 using Keyfactor.Extensions.Orchestrator.PaloAlto.Models.Responses;
 using Keyfactor.Logging;
 using Microsoft.Extensions.Logging;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
 
 namespace Keyfactor.Extensions.Orchestrator.PaloAlto.Client
 {
@@ -393,6 +395,59 @@ private void EnsureSuccessfulResponse(HttpResponseMessage response)
                 _logger.LogError($"Error Occured in PaloAltoClient.EnsureSuccessfulResponse: {e.Message}");
                 throw;
             }
+        }
+
+        public string MaskSensitiveData(string json)
+        {
+            try
+            {
+                JObject jsonObject = JObject.Parse(json);
+
+                // Replace all keys named "Password" or similar
+                MaskKey(jsonObject, "StorePassword");
+                MaskKey(jsonObject, "ServerPassword");
+                MaskKey(jsonObject, "PrivateKeyPassword");
+
+                return jsonObject.ToString(Newtonsoft.Json.Formatting.Indented);
+            }
+            catch (JsonException ex)
+            {
+                Console.WriteLine("Invalid JSON provided: " + ex.Message);
+                return json; // Return the original JSON if parsing fails
+            }
+        }
+
+        private static void MaskKey(JObject jsonObject, string key)
+        {
+            foreach (var property in jsonObject.Properties())
+            {
+                if (property.Name.Equals(key, StringComparison.OrdinalIgnoreCase))
+                {
+                    property.Value = "*****";
+                }
+                else if (property.Value.Type == JTokenType.Object)
+                {
+                    MaskKey((JObject)property.Value, key);
+                }
+                else if (property.Value.Type == JTokenType.String)
+                {
+                    // Optionally handle nested JSON strings
+                    string value = property.Value.ToString();
+                    if (value.StartsWith("{") && value.EndsWith("}"))
+                    {
+                        try
+                        {
+                            JObject nestedObject = JObject.Parse(value);
+                            MaskKey(nestedObject, key);
+                            property.Value = nestedObject.ToString(Newtonsoft.Json.Formatting.None);
+                        }
+                        catch
+                        {
+                            // Not a valid JSON string, skip
+                        }
+                    }
+                }
+            }
         }
     }
 }
diff --git a/PaloAlto/Jobs/Inventory.cs b/PaloAlto/Jobs/Inventory.cs
@@ -40,6 +40,7 @@ public Inventory(IPAMSecretResolver resolver)
             _resolver = resolver;
         }
 
+        private PaloAltoClient _client;
         private string ServerPassword { get; set; }
         private string ServerUserName { get; set; }
 
@@ -79,25 +80,26 @@ private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInven
                     config.JobHistoryId, ServerUserName, ServerPassword);
                 if (!valid) return result;
 
+                //Get the list of certificates and Trusted Roots
+                _client =
+                    new PaloAltoClient(config.CertificateStoreDetails.ClientMachine,
+                        ServerUserName, ServerPassword); //Api base URL Plus Key
+
                 _logger.LogTrace("Store Properties are Valid");
-                _logger.LogTrace($"Inventory Config {JsonConvert.SerializeObject(config)}");
+                _logger.LogTrace($"Inventory Config {_client.MaskSensitiveData(JsonConvert.SerializeObject(config))}");
                 _logger.LogTrace(
                     $"Client Machine: {config.CertificateStoreDetails.ClientMachine} ApiKey: {config.ServerPassword}");
 
-                //Get the list of certificates and Trusted Roots
-                var client =
-                    new PaloAltoClient(config.CertificateStoreDetails.ClientMachine,
-                        ServerUserName, ServerPassword); //Api base URL Plus Key
                 _logger.LogTrace("Inventory Palo Alto Client Created");
 
                 //Change the path if you are pointed to a Panorama Device
-                var rawCertificatesResult = client.GetCertificateList($"{config.CertificateStoreDetails.StorePath}/certificate/entry").Result;
+                var rawCertificatesResult = _client.GetCertificateList($"{config.CertificateStoreDetails.StorePath}/certificate/entry").Result;
 
                 var certificatesResult =
                     rawCertificatesResult.CertificateResult.Entry.FindAll(c => c.PublicKey != null);
                 LogResponse(certificatesResult); //Trace Write Certificate List Response from Palo Alto
 
-                var trustedRootPayload = client.GetTrustedRootList().Result;
+                var trustedRootPayload = _client.GetTrustedRootList().Result;
                 LogResponse(trustedRootPayload); //Trace Write Trusted Cert List Response from Palo Alto
 
                 var warningFlag = false;
@@ -133,7 +135,7 @@ private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInven
                         try
                         {
                             _logger.LogTrace($"Building Trusted Root Inventory Item Alias: {trustedRootCert.Name}");
-                            var certificatePem = client.GetCertificateByName(trustedRootCert.Name);
+                            var certificatePem = _client.GetCertificateByName(trustedRootCert.Name);
                             _logger.LogTrace($"Certificate String Back From Palo Pem: {certificatePem.Result}");
                             var bytes = Encoding.ASCII.GetBytes(certificatePem.Result);
                             var cert = new X509Certificate2(bytes);