From f051be6ecc0ceeef0d4d086085547218d5f4e8d6 Mon Sep 17 00:00:00 2001 From: Dan Timoney Date: Thu, 29 Jul 2021 11:11:15 -0400 Subject: Address weak crypto issues Fix 2 weak cryptography issues identified by SonarCloud scans. Issue-ID: CCSDK-3196 Signed-off-by: Dan Timoney Change-Id: I0fee14e7a96badeac8a278de4d74ef244c24f06f --- ms/neng/pom.xml | 5 +++++ .../apps/ms/neng/service/extinf/impl/PolicyFinderServiceImpl.java | 3 ++- .../ccsdk/apps/ms/vlantagapi/core/ApplicationSecurityConfig.java | 4 +++- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ms/neng/pom.xml b/ms/neng/pom.xml index e2d8aefe..ef3f5a55 100644 --- a/ms/neng/pom.xml +++ b/ms/neng/pom.xml @@ -350,6 +350,11 @@ jest 5.3.3 + + org.onap.ccsdk.sli.core + utils-provider + ${ccsdk.sli.version} + diff --git a/ms/neng/src/main/java/org/onap/ccsdk/apps/ms/neng/service/extinf/impl/PolicyFinderServiceImpl.java b/ms/neng/src/main/java/org/onap/ccsdk/apps/ms/neng/service/extinf/impl/PolicyFinderServiceImpl.java index d577dc4b..33510332 100644 --- a/ms/neng/src/main/java/org/onap/ccsdk/apps/ms/neng/service/extinf/impl/PolicyFinderServiceImpl.java +++ b/ms/neng/src/main/java/org/onap/ccsdk/apps/ms/neng/service/extinf/impl/PolicyFinderServiceImpl.java @@ -46,6 +46,7 @@ import org.onap.ccsdk.apps.ms.neng.core.resource.model.GetConfigRequestV2; import org.onap.ccsdk.apps.ms.neng.core.resource.model.GetConfigResponse; import org.onap.ccsdk.apps.ms.neng.core.rs.interceptors.PolicyManagerAuthorizationInterceptor; import org.onap.ccsdk.apps.ms.neng.extinf.props.PolicyManagerProps; +import org.onap.ccsdk.sli.core.utils.common.AcceptIpAddressHostNameVerifier; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.boot.web.client.RestTemplateBuilder; @@ -233,7 +234,7 @@ public class PolicyFinderServiceImpl implements PolicyFinder { TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true; SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom() .loadTrustMaterial(null, acceptingTrustStrategy).build(); - HostnameVerifier verifier = (String arg0, SSLSession arg1) -> true; + HostnameVerifier verifier = new AcceptIpAddressHostNameVerifier(); SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext, verifier); CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(csf).build(); HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(); diff --git a/ms/vlantag-api/src/main/java/org/onap/ccsdk/apps/ms/vlantagapi/core/ApplicationSecurityConfig.java b/ms/vlantag-api/src/main/java/org/onap/ccsdk/apps/ms/vlantagapi/core/ApplicationSecurityConfig.java index bd0abe6f..80c42fb2 100644 --- a/ms/vlantag-api/src/main/java/org/onap/ccsdk/apps/ms/vlantagapi/core/ApplicationSecurityConfig.java +++ b/ms/vlantag-api/src/main/java/org/onap/ccsdk/apps/ms/vlantagapi/core/ApplicationSecurityConfig.java @@ -29,6 +29,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.factory.PasswordEncoderFactories; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.provisioning.InMemoryUserDetailsManager; @@ -51,7 +52,8 @@ public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter{ protected void configure(AuthenticationManagerBuilder auth) throws Exception { List userDetails = new ArrayList<>(); - PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder(); + // Explicitly set bcrypt password encoder rather than using default + PasswordEncoder encoder = new BCryptPasswordEncoder(); final User.UserBuilder userBuilder = User.builder().passwordEncoder(encoder::encode); String authString = environment.getProperty("application.authToken"); -- cgit 1.2.3-korg