Merge "Remove clear text password"

author: Vijay Venkatesh Kumar <vv770d@att.com> 2018-12-12 21:25:56 +0000
committer: Gerrit Code Review <gerrit@onap.org> 2018-12-12 21:25:56 +0000
commit: 142a1d4d8177e86eac9e1e534708c6e8cc9d4c22 (patch)
tree: 57487f99433255d64e40eadeabb3dab2902257ef /src
parent: 713bb43a00682ebaeb1ada4eb27af965a8d7d56d (diff)
parent: 27b6e6483e73e37a235b8160ad9a1c9f3f68d5ea (diff)
6 files changed, 18 insertions, 14 deletions
diff --git a/src/main/java/org/onap/dcae/ApplicationSettings.java b/src/main/java/org/onap/dcae/ApplicationSettings.java
index ead148c4..f140def2 100644
--- a/src/main/java/org/onap/dcae/ApplicationSettings.java
+++ b/src/main/java/org/onap/dcae/ApplicationSettings.java
@@ -90,8 +90,10 @@ public class ApplicationSettings {
     }
 
     private Map<String, String> prepareUsersMap(@Nullable String allowedUsers) {
-        return allowedUsers == null ? HashMap.empty() : List.ofAll(stream(allowedUsers.split("\\|")))
-                .toMap(t -> t.split(",")[0].trim(), t -> new String(Base64.getDecoder().decode(t.split(",")[1])).trim());
+        return allowedUsers == null ? HashMap.empty()
+                : List.of(allowedUsers.split("\\|"))
+                .map(t->t.split(","))
+                .toMap(t-> t[0].trim(), t -> t[1].trim());
     }
 
     private String findOutConfigurationFileLocation(Map<String, String> parsedArgs) {
diff --git a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
index 8061ec5a..6b5a64aa 100644
--- a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
+++ b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
@@ -20,19 +20,20 @@
 package org.onap.dcae.restapi;
 
 import io.vavr.control.Option;
+import java.io.IOException;
+import java.util.Base64;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import org.onap.dcae.ApplicationSettings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.util.Base64;
-
 final class ApiAuthInterceptor extends HandlerInterceptorAdapter {
 
     private static final Logger LOG = LoggerFactory.getLogger(ApiAuthInterceptor.class);
+    private final BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
     private final ApplicationSettings applicationSettings;
 
     private Logger errorLog;
@@ -65,11 +66,11 @@ final class ApiAuthInterceptor extends HandlerInterceptorAdapter {
             String providedPassword = decodedData.split(":")[1].trim();
             Option<String> maybeSavedPassword = applicationSettings.validAuthorizationCredentials().get(providedUser);
             boolean userRegistered = maybeSavedPassword.isDefined();
-            return userRegistered && maybeSavedPassword.get().equals(providedPassword);
+            return userRegistered && passwordEncoder.matches(providedPassword,maybeSavedPassword.get());
         } catch (Exception e) {
             LOG.warn(String.format("Could not check if user is authorized (header: '%s')), probably malformed header.",
                     authorizationHeader), e);
             return false;
         }
     }
-}
+}
+\ No newline at end of file
diff --git a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java b/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java
index 9ebb5394..c44e0d45 100644
--- a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java
+++ b/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java
@@ -32,6 +32,7 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 @EnableWebMvc
 @Configuration
 public class ApiConfiguration implements WebMvcConfigurer {
+
     private final ApplicationSettings applicationSettings;
     private Logger errorLogger;
 
diff --git a/src/test/java/org/onap/dcae/ApplicationSettingsTest.java b/src/test/java/org/onap/dcae/ApplicationSettingsTest.java
index 55160ff5..0e91bc70 100644
--- a/src/test/java/org/onap/dcae/ApplicationSettingsTest.java
+++ b/src/test/java/org/onap/dcae/ApplicationSettingsTest.java
@@ -389,8 +389,8 @@ public class ApplicationSettingsTest {
         ).validAuthorizationCredentials();
 
         // then
-        assertEquals(allowedUsers.get("pasza").get(), "simplepassword");
-        assertEquals(allowedUsers.get("someoneelse").get(), "simplepassword");
+        assertEquals(allowedUsers.get("pasza").get(), "c2ltcGxlcGFzc3dvcmQNCg==");
+        assertEquals(allowedUsers.get("someoneelse").get(), "c2ltcGxlcGFzc3dvcmQNCg==");
     }
 
     @Test
diff --git a/src/test/java/org/onap/dcae/TLSTest.java b/src/test/java/org/onap/dcae/TLSTest.java
index 63099b7d..c73bb53b 100644
--- a/src/test/java/org/onap/dcae/TLSTest.java
+++ b/src/test/java/org/onap/dcae/TLSTest.java
@@ -113,7 +113,7 @@ public class TLSTest extends TLSTestBase {
             when(settings.keystoreFileLocation()).thenReturn(KEYSTORE.toString());
             when(settings.keystorePasswordFileLocation()).thenReturn(KEYSTORE_PASSWORD_FILE.toString());
             when(settings.authorizationEnabled()).thenReturn(true);
-            when(settings.validAuthorizationCredentials()).thenReturn(HashMap.of(USERNAME, PASSWORD));
+            when(settings.validAuthorizationCredentials()).thenReturn(HashMap.of(USERNAME, "$2a$10$51tDgG2VNLde5E173Ay/YO.Fq.aD.LR2Rp8pY3QAKriOSPswvGviy"));
         }
     }
 
diff --git a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java
index cb4d334c..569fd969 100644
--- a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java
+++ b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java
@@ -139,9 +139,9 @@ public class ApiAuthInterceptionTest {
     public void shouldSucceed() throws IOException {
         // given
         final HttpServletRequest request = createRequestWithAuthorizationHeader();
-
         when(settings.authorizationEnabled()).thenReturn(true);
-        when(settings.validAuthorizationCredentials()).thenReturn(CREDENTIALS);
+        when(settings.validAuthorizationCredentials()).thenReturn(
+            HashMap.of(USERNAME, "$2a$10$BsZkEynNm/93wbAeeZuxJeu6IHRyQl4XReqDg2BtYOFDhUsz20.3G"));
         when(response.getWriter()).thenReturn(writer);
 
         // when
author	Vijay Venkatesh Kumar <vv770d@att.com>	2018-12-12 21:25:56 +0000
committer	Gerrit Code Review <gerrit@onap.org>	2018-12-12 21:25:56 +0000
commit	142a1d4d8177e86eac9e1e534708c6e8cc9d4c22 (patch)
tree	57487f99433255d64e40eadeabb3dab2902257ef /src
parent	713bb43a00682ebaeb1ada4eb27af965a8d7d56d (diff)
parent	27b6e6483e73e37a235b8160ad9a1c9f3f68d5ea (diff)