fix[backend,frontend,plugins](integrations): mask sensitive config values, improve validation error messages per provider, and prevent double-encryption

Author: Kbayero

backend/src/main/java/com/park/utmstack/config/Constants.java

@@ -161,6 +161,7 @@ public final class Constants {
 
     public static final String CONF_TYPE_PASSWORD = "password";
     public static final String CONF_TYPE_FILE = "file";
+    public static final String MASKED_VALUE = "*****";
 
     public static final String API_KEY_HEADER = "Utm-Api-Key";
     public static final List<String> API_ENDPOINT_IGNORE = Collections.emptyList();

backend/src/main/java/com/park/utmstack/domain/application_modules/validators/UtmModuleConfigValidator.java

@@ -35,12 +35,15 @@ public boolean validate(UtmModule module, List<UtmModuleGroupConfiguration> keys
         List<UtmModuleGroupConfDTO> configDTOs = dbConfigs.stream()
                 .map(dbConf -> {
                     UtmModuleGroupConfiguration override = findInKeys(keys, dbConf.getConfKey());
-                    UtmModuleGroupConfiguration source = override != null ? override : dbConf;
-
-                    return new UtmModuleGroupConfDTO(
-                            source.getConfKey(),
-                            override != null ? source.getConfValue() : decryptIfNeeded(source.getConfDataType(), source.getConfValue())
-                    );
+                    String value;
+                    if (override != null && !Constants.MASKED_VALUE.equals(override.getConfValue())) {
+                        // User provided a new value — use it as plaintext
+                        value = override.getConfValue();
+                    } else {
+                        // No override or masked — decrypt from DB
+                        value = decryptIfNeeded(dbConf.getConfDataType(), dbConf.getConfValue());
+                    }
+                    return new UtmModuleGroupConfDTO(dbConf.getConfKey(), value);
                 })
                 .toList();
 

backend/src/main/java/com/park/utmstack/service/UtmIntegrationConfService.java

@@ -40,7 +40,8 @@ public UtmIntegrationConf save(UtmIntegrationConf utmIntegrationConf) throws Exc
         final String ctx = CLASSNAME + ".save";
         try {
             String dataType = utmIntegrationConf.getConfDatatype();
-            if (StringUtils.hasText(dataType) && dataType.equals("password"))
+            if (StringUtils.hasText(dataType) && dataType.equals("password")
+                    && !Constants.MASKED_VALUE.equals(utmIntegrationConf.getConfValue()))
                 utmIntegrationConf.setConfValue(CipherUtil.encrypt(utmIntegrationConf.getConfValue(), System.getenv(Constants.ENV_ENCRYPTION_KEY)));
             return utmIntegrationConfRepository.save(utmIntegrationConf);
         } catch (Exception e) {

backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleGroupConfigurationService.java

@@ -22,7 +22,6 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
 import java.util.stream.Collectors;
 
 /**
@@ -51,38 +50,41 @@ public void createConfigurationKeys(List<UtmModuleGroupConfiguration> keys) thro
     }
 
     /**
-     * Update configuration of the application modules
-     *
-     * @param keys List of configuration keys to save
+     * Update configuration of the application modules.
+     * Password/file fields with the masked value are skipped (not changed).
+     * Password/file fields with a new value are encrypted before saving.
      */
     public UtmModule updateConfigurationKeys(Long moduleId, List<UtmModuleGroupConfiguration> keys) {
         final String ctx = CLASSNAME + ".updateConfigurationKeys";
         try {
             if (CollectionUtils.isEmpty(keys))
                 throw new ApiException("No configuration keys were provided to update", HttpStatus.BAD_REQUEST);
 
-            // Load existing values from DB to detect unchanged encrypted fields
-            Map<String, String> existingValues = keys.stream()
-                .filter(k -> k.getId() != null)
-                .map(k -> moduleConfigurationRepository.findById(k.getId()).orElse(null))
-                .filter(java.util.Objects::nonNull)
-                .collect(Collectors.toMap(UtmModuleGroupConfiguration::getConfKey,
-                    c -> c.getConfValue() != null ? c.getConfValue() : "", (a, b) -> a));
-
             for (UtmModuleGroupConfiguration key : keys) {
+                boolean isSensitive = isSensitiveType(key.getConfDataType());
+
+                // Skip masked values — the user did not change this field
+                if (isSensitive && Constants.MASKED_VALUE.equals(key.getConfValue())) {
+                    continue;
+                }
+
                 if (key.getConfRequired() && !StringUtils.hasText(key.getConfValue()))
                     throw new Exception(String.format("No value was found for required configuration: %1$s (%2$s)", key.getConfName(), key.getConfKey()));
-                if (key.getConfDataType().equals("password") || key.getConfDataType().equals("file")) {
-                    String existingEncrypted = existingValues.get(key.getConfKey());
-                    // Only encrypt if the value actually changed (is not the same encrypted value from DB)
-                    if (existingEncrypted != null && existingEncrypted.equals(key.getConfValue())) {
-                        // Value unchanged - already encrypted in DB, don't re-encrypt
-                        continue;
-                    }
+
+                // Encrypt new sensitive values
+                if (isSensitive) {
                     key.setConfValue(CipherUtil.encrypt(key.getConfValue(), System.getenv(Constants.ENV_ENCRYPTION_KEY)));
                 }
             }
-            moduleConfigurationRepository.saveAll(keys);
+
+            // Remove masked entries so they don't overwrite DB values
+            List<UtmModuleGroupConfiguration> toSave = keys.stream()
+                .filter(k -> !(isSensitiveType(k.getConfDataType()) && Constants.MASKED_VALUE.equals(k.getConfValue())))
+                .collect(Collectors.toList());
+
+            if (!toSave.isEmpty()) {
+                moduleConfigurationRepository.saveAll(toSave);
+            }
 
             List<ModuleName> needRestartModules = Arrays.asList(ModuleName.AWS_IAM_USER, ModuleName.AZURE,
                     ModuleName.GCP, ModuleName.SOPHOS);
@@ -100,32 +102,27 @@ public UtmModule updateConfigurationKeys(Long moduleId, List<UtmModuleGroupConfi
     }
 
     /**
-     * Find all configurations of a module group
-     *
-     * @param groupId Identifier of the group to get the configurations
-     * @return A list of configuration of a group
-     * @throws Exception In case of any error
+     * Find all configurations of a module group.
+     * Sensitive values (password, file) are masked before returning.
      */
     public List<UtmModuleGroupConfiguration> findAllByGroupId(Long groupId) throws Exception {
         final String ctx = CLASSNAME + ".findAllByGroupId";
         try {
-            return moduleConfigurationRepository.findAllByGroupId(groupId);
+            List<UtmModuleGroupConfiguration> configs = moduleConfigurationRepository.findAllByGroupId(groupId);
+            maskSensitiveValues(configs);
+            return configs;
         } catch (Exception e) {
             throw new Exception(ctx + ": " + e.getMessage());
         }
     }
 
     /**
      * Gets all configuration parameter for a group and convert it to a map
-     *
-     * @param groupId Identifier of a group
-     * @return A map with the module group configuration
-     * @throws Exception In case of any error
      */
     public Map<String, String> getGroupConfigurationAsMap(Long groupId) throws Exception {
         final String ctx = CLASSNAME + ".getGroupConfigurationAsMap";
         try {
-            List<UtmModuleGroupConfiguration> configurations = findAllByGroupId(groupId);
+            List<UtmModuleGroupConfiguration> configurations = moduleConfigurationRepository.findAllByGroupId(groupId);
 
             if (CollectionUtils.isEmpty(configurations))
                 return Collections.emptyMap();
@@ -138,18 +135,30 @@ public Map<String, String> getGroupConfigurationAsMap(Long groupId) throws Excep
 
     /**
      * Find a configuration parameter by his group and key
-     *
-     * @param groupId Identifier of the group to the param belongs
-     * @param confKey Key word of the configuration parameter
-     * @return A ${@link UtmModuleGroupConfiguration} object with the configuration parameter information
-     * @throws Exception In case of any error
      */
     public UtmModuleGroupConfiguration findByGroupIdAndConfKey(Long groupId, String confKey) throws Exception {
         final String ctx = CLASSNAME + ".findByGroupIdAndConfKey";
         try {
-            return moduleConfigurationRepository.findByGroupIdAndConfKey(groupId, confKey);
+            UtmModuleGroupConfiguration config = moduleConfigurationRepository.findByGroupIdAndConfKey(groupId, confKey);
+            if (config != null && isSensitiveType(config.getConfDataType())) {
+                config.setConfValue(Constants.MASKED_VALUE);
+            }
+            return config;
         } catch (Exception e) {
             throw new Exception(ctx + ": " + e.getMessage());
         }
     }
+
+    private boolean isSensitiveType(String dataType) {
+        return Constants.CONF_TYPE_PASSWORD.equals(dataType) || Constants.CONF_TYPE_FILE.equals(dataType);
+    }
+
+    private void maskSensitiveValues(List<UtmModuleGroupConfiguration> configs) {
+        if (configs == null) return;
+        for (UtmModuleGroupConfiguration config : configs) {
+            if (isSensitiveType(config.getConfDataType()) && StringUtils.hasText(config.getConfValue())) {
+                config.setConfValue(Constants.MASKED_VALUE);
+            }
+        }
+    }
 }

backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleGroupService.java

@@ -250,6 +250,9 @@ public void updateCollectorConfigurationKeys(CollectorConfigDTO collectorConfig)
             } else {
                 for (UtmModuleGroupConfiguration key : keys) {
                     if (key.getConfDataType().equals("password")) {
+                        if (Constants.MASKED_VALUE.equals(key.getConfValue())) {
+                            continue;
+                        }
                         key.setConfValue(CipherUtil.encrypt(key.getConfValue(), System.getenv(Constants.ENV_ENCRYPTION_KEY)));
                     }
                 }

backend/src/main/java/com/park/utmstack/service/collectors/CollectorOpsService.java

@@ -436,6 +436,9 @@ public void updateCollectorConfigurationKeys(CollectorConfigDTO collectorConfig)
                 utmModuleGroupRepository.deleteAll(configs);
             } else {
                 for (UtmModuleGroupConfiguration key : keys) {
+                    if (key.getConfDataType().equals("password") && Constants.MASKED_VALUE.equals(key.getConfValue())) {
+                        continue;
+                    }
                     if (key.getConfRequired() && !StringUtils.hasText(key.getConfValue()))
                         throw new Exception(String.format("No value was found for required configuration: %1$s (%2$s)", key.getConfName(), key.getConfKey()));
                     if (key.getConfDataType().equals("password"))

backend/src/main/java/com/park/utmstack/web/rest/application_modules/UtmModuleGroupResource.java

@@ -131,7 +131,19 @@ public ResponseEntity<UtmModuleGroup> updateUtmConfigurationGroup(@Valid @Reques
     public ResponseEntity<List<UtmModuleGroup>> getModuleGroups(@RequestParam Long moduleId) {
         final String ctx = CLASSNAME + ".getModuleGroups";
         try {
-            return ResponseEntity.ok(moduleGroupService.findAllByModuleId(moduleId));
+            List<UtmModuleGroup> groups = moduleGroupService.findAllByModuleId(moduleId);
+            for (UtmModuleGroup group : groups) {
+                if (group.getModuleGroupConfigurations() != null) {
+                    for (UtmModuleGroupConfiguration conf : group.getModuleGroupConfigurations()) {
+                        if ((Constants.CONF_TYPE_PASSWORD.equals(conf.getConfDataType())
+                                || Constants.CONF_TYPE_FILE.equals(conf.getConfDataType()))
+                                && conf.getConfValue() != null) {
+                            conf.setConfValue(Constants.MASKED_VALUE);
+                        }
+                    }
+                }
+            }
+            return ResponseEntity.ok(groups);
         } catch (Exception e) {
             String msg = ctx + ": " + e.getMessage();
             log.error(msg);

frontend/src/app/app-module/conf/int-generic-group-config/int-generic-group-config.component.html

@@ -119,11 +119,14 @@
                  && integrationConfig.confDataType !== 'select'
                  && integrationConfig.confDataType !== 'file'"
                    (input)="addChange(integrationConfig)"
+                   (focus)="onPasswordFocus(integrationConfig)"
+                   (blur)="onPasswordBlur(integrationConfig)"
                    [(ngModel)]="integrationConfig.confValue"
                    [attr.autocomplete]="'disabled'"
                    [id]="'sectionParam'+integrationConfig.id"
                    [name]="integrationConfig.confName"
                    [type]="integrationConfig.confDataType"
+                   [placeholder]="integrationConfig.confDataType === 'password' ? 'Enter new value to change' : ''"
                    (ngModelChange)="integrationConfig.confOptions === 'unique' ? inputChange$.next({id: integrationConfig.groupId, value: $event}) : null"
                    class="form-control" [required]="integrationConfig.confRequired">
 

frontend/src/app/app-module/conf/int-generic-group-config/int-generic-group-config.component.ts

@@ -205,8 +205,8 @@ export class IntGenericGroupConfigComponent implements OnInit, OnChanges, OnDest
       },
       error: err => {
         if (err.status === 400) {
-          this.toast.showError('Invalid Configuration',
-            'The configuration data is invalid. Please check your inputs and try again.');
+          const message = this.extractValidationError(err);
+          this.toast.showError('Invalid Configuration', message);
         } else {
           this.toast.showError('Error saving configuration',
             'Error while trying to save tenant configuration, please try again.');
@@ -452,6 +452,43 @@ export class IntGenericGroupConfigComponent implements OnInit, OnChanges, OnDest
   }
 
 
+  extractValidationError(err: any): string {
+    const defaultMsg = 'The configuration data is invalid. Please check your inputs and try again.';
+    try {
+      const body = err.error;
+      // Spring fieldErrors format
+      if (body && body.fieldErrors && body.fieldErrors.length > 0) {
+        return body.fieldErrors.map(e => e.message).join('. ');
+      }
+      // Spring message format
+      if (body && body.message) {
+        return body.message;
+      }
+      // X-UtmStack-error header
+      const headerError = err.headers ? err.headers.get('X-UtmStack-error') : null;
+      if (headerError) {
+        return headerError;
+      }
+      // Plain string body
+      if (typeof body === 'string' && body.length > 0) {
+        return body;
+      }
+    } catch (e) {}
+    return defaultMsg;
+  }
+
+  onPasswordFocus(config: UtmModuleGroupConfType) {
+    if (config.confDataType === 'password' && config.confValue === '*****') {
+      config.confValue = '';
+    }
+  }
+
+  onPasswordBlur(config: UtmModuleGroupConfType) {
+    if (config.confDataType === 'password' && (config.confValue === '' || config.confValue === null)) {
+      config.confValue = '*****';
+    }
+  }
+
   ngOnDestroy() {
     this.destroy$.next();
     this.destroy$.complete();

frontend/src/app/app-module/guides/guide-soc-ai/guide-soc-ai.component.ts

@@ -370,17 +370,15 @@ export class GuideSocAiComponent implements OnInit {
         this.formValues['url'] = urlConf.confValue || '';
       }
 
-      // Extract API key from custom headers
+      // Check if API key exists in custom headers — show masked if so
       const customHeaders = this.getConf('utmstack.socai.customHeaders');
-      if (customHeaders && customHeaders.confValue) {
+      if (customHeaders && customHeaders.confValue && customHeaders.confValue !== '{}') {
         try {
           const headers = JSON.parse(customHeaders.confValue);
           const authConfig = this.providerAuthHeaders[this.activeProvider];
           if (authConfig && headers[authConfig.headerName]) {
-            const rawValue = headers[authConfig.headerName];
-            this.formValues['apiKey'] = authConfig.headerValuePrefix
-              ? rawValue.replace(authConfig.headerValuePrefix, '')
-              : rawValue;
+            // API key exists — show masked, don't expose the real value
+            this.formValues['apiKey'] = '*****';
           }
         } catch (e) {}
         this.formValues['customHeaders'] = customHeaders.confValue;
@@ -462,12 +460,14 @@ export class GuideSocAiComponent implements OnInit {
     } else {
       // Known providers: build auth header from API key
       const authConfig = this.providerAuthHeaders[this.activeProvider];
-      if (authConfig && this.formValues['apiKey']) {
+      if (authConfig && this.formValues['apiKey'] && this.formValues['apiKey'] !== '*****') {
+        // User entered a new API key — build auth headers
         const headers: {[k: string]: string} = {};
         headers[authConfig.headerName] = authConfig.headerValuePrefix + this.formValues['apiKey'];
         this.pushChange(changes, 'utmstack.socai.authType', 'custom-headers');
         this.pushChange(changes, 'utmstack.socai.customHeaders', JSON.stringify(headers));
       }
+      // If apiKey is '*****', don't touch customHeaders — keep existing value in DB
     }
 
     this.moduleGroupConfService.update({
@@ -481,7 +481,8 @@ export class GuideSocAiComponent implements OnInit {
       (err) => {
         this.saving = false;
         if (err.status === 400) {
-          this.toast.showError('Invalid Configuration', 'Please check your inputs and try again.');
+          const message = this.extractValidationError(err);
+          this.toast.showError('Invalid Configuration', message);
         } else {
           this.toast.showError('Error', 'Failed to save configuration. Please try again.');
         }
@@ -501,6 +502,27 @@ export class GuideSocAiComponent implements OnInit {
     }
   }
 
+  private extractValidationError(err: any): string {
+    const defaultMsg = 'The configuration data is invalid. Please check your inputs and try again.';
+    try {
+      const body = err.error;
+      if (body && body.fieldErrors && body.fieldErrors.length > 0) {
+        return body.fieldErrors.map((e: any) => e.message).join('. ');
+      }
+      if (body && body.message) {
+        return body.message;
+      }
+      const headerError = err.headers ? err.headers.get('X-UtmStack-error') : null;
+      if (headerError) {
+        return headerError;
+      }
+      if (typeof body === 'string' && body.length > 0) {
+        return body;
+      }
+    } catch (e) {}
+    return defaultMsg;
+  }
+
   onToggle(key: string, value: boolean) {
     this.formValues[key] = value.toString();
   }