diff options
author | efiacor <fiachra.corcoran@est.tech> | 2020-02-05 11:57:18 +0000 |
---|---|---|
committer | efiacor <fiachra.corcoran@est.tech> | 2020-02-05 13:54:58 +0000 |
commit | 0ad65c47b4fbddd5d1b653c5e38dcdf84884de9f (patch) | |
tree | 33ec4d4797ab682bfb229936376ea7440d1db3a8 /datarouter-prov/src/main | |
parent | a884c481af24e2405f9389b01842c4671a03a75e (diff) |
Removing passwordencryption key
Signed-off-by: efiacor <fiachra.corcoran@est.tech>
Change-Id: I1d5f193ae0215d5a5939227097adbb01a5b9866a
Issue-ID: DMAAP-1367
Diffstat (limited to 'datarouter-prov/src/main')
10 files changed, 32 insertions, 136 deletions
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/BaseServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/BaseServlet.java index c0290bbb..52629ffb 100755 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/BaseServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/BaseServlet.java @@ -33,7 +33,6 @@ import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; import java.net.InetAddress; import java.net.UnknownHostException; -import java.security.GeneralSecurityException; import java.security.cert.X509Certificate; import java.sql.Connection; import java.sql.SQLException; @@ -49,6 +48,7 @@ import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; +import org.apache.commons.codec.digest.DigestUtils; import org.apache.commons.lang3.StringUtils; import org.jetbrains.annotations.Nullable; import org.json.JSONArray; @@ -66,7 +66,6 @@ import org.onap.dmaap.datarouter.provisioning.beans.NodeClass; import org.onap.dmaap.datarouter.provisioning.beans.Parameters; import org.onap.dmaap.datarouter.provisioning.beans.Subscription; import org.onap.dmaap.datarouter.provisioning.beans.Updateable; -import org.onap.dmaap.datarouter.provisioning.utils.PasswordProcessor; import org.onap.dmaap.datarouter.provisioning.utils.Poker; import org.onap.dmaap.datarouter.provisioning.utils.ProvDbUtils; import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask; @@ -156,6 +155,7 @@ public class BaseServlet extends HttpServlet implements ProvDataProvider { static final String START_TIME = "start_time"; static final String END_TIME = "end_time"; static final String REASON_SQL = "reasonSQL"; + static final String JSON_HASH_STRING = "password"; /** * A boolean to trigger one time "provisioning changed" event on startup. @@ -331,7 +331,7 @@ public class BaseServlet extends HttpServlet implements ProvDataProvider { try { jo = new JSONObject(new JSONTokener(req.getInputStream())); if (intlogger.isDebugEnabled()) { - intlogger.debug("JSON: " + jo.toString()); + intlogger.debug("JSON: " + hashPasswords(new JSONObject(jo.toString())).toString()); } } catch (Exception e) { intlogger.info("Error reading JSON: " + e); @@ -339,38 +339,37 @@ public class BaseServlet extends HttpServlet implements ProvDataProvider { return jo; } - /** - * This method encrypt/decrypt the key in the JSON passed by user request inside the authorisation - * header object in request before logging the JSON. - * - * @param jo the JSON passed in http request. - * @param maskKey the key to be masked in the JSON passed. - * @param action whether to mask the key or unmask it in a JSON passed. - * @return the JSONObject, or null if the stream cannot be parsed. - */ - static JSONObject maskJSON(JSONObject jo, String maskKey, boolean action) { + public static JSONObject hashPasswords(JSONObject jo) { if (!jo.isNull("authorization")) { JSONArray endpointIds = jo.getJSONObject("authorization").getJSONArray("endpoint_ids"); for (int index = 0; index < endpointIds.length(); index++) { - if ((!endpointIds.getJSONObject(index).isNull(maskKey))) { - String password = endpointIds.getJSONObject(index).get(maskKey).toString(); - processPassword(maskKey, action, endpointIds, index, password); + if ((!endpointIds.getJSONObject(index).isNull(JSON_HASH_STRING))) { + String password = endpointIds.getJSONObject(index).get(JSON_HASH_STRING).toString(); + processPassword(endpointIds, index, password); } } } + if (!jo.isNull("delivery")) { + JSONObject deliveryObj = jo.getJSONObject("delivery"); + String password = deliveryObj.get(JSON_HASH_STRING).toString(); + processPassword(deliveryObj, password); + } return jo; } - private static void processPassword(String maskKey, boolean action, JSONArray endpointIds, int index, - String password) { + private static void processPassword(JSONArray endpointIds, int index, String password) { try { - if (action) { - endpointIds.getJSONObject(index).put(maskKey, PasswordProcessor.encrypt(password)); - } else { - endpointIds.getJSONObject(index).put(maskKey, PasswordProcessor.decrypt(password)); - } - } catch (JSONException | GeneralSecurityException e) { - intlogger.info("Error reading JSON while masking: " + e); + endpointIds.getJSONObject(index).put(JSON_HASH_STRING, DigestUtils.sha256Hex(password)); + } catch (JSONException e) { + intlogger.info("Error reading JSON while hashing: " + e); + } + } + + private static void processPassword(JSONObject deliveryObj, String password) { + try { + deliveryObj.put(JSON_HASH_STRING, DigestUtils.sha256Hex(password)); + } catch (JSONException e) { + intlogger.info("Error reading JSON while hashing: " + e); } } diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java index f0ab3956..eada4862 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java @@ -34,7 +34,6 @@ import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.json.JSONObject; - import org.onap.dmaap.datarouter.authz.AuthorizationResponse; import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord; import org.onap.dmaap.datarouter.provisioning.beans.Feed; @@ -269,9 +268,6 @@ public class DRFeedsServlet extends ProxyServlet { sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } - if (intlogger.isDebugEnabled()) { - intlogger.debug(jo.toString()); - } if (++activeFeeds > maxFeeds) { activeFeeds--; message = "Cannot create feed; the maximum number of feeds has been configured."; diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java index 4b94159e..de27c652 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java @@ -34,7 +34,6 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.json.JSONException; import org.json.JSONObject; - import org.onap.dmaap.datarouter.authz.AuthorizationResponse; import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord; import org.onap.dmaap.datarouter.provisioning.beans.Feed; @@ -310,9 +309,6 @@ public class FeedServlet extends ProxyServlet { sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } - if (intlogger.isDebugEnabled()) { - intlogger.debug(jo.toString()); - } Feed feed; try { feed = new Feed(jo); diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/GroupServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/GroupServlet.java index 73f859ac..432ea3c0 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/GroupServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/GroupServlet.java @@ -181,9 +181,6 @@ public class GroupServlet extends ProxyServlet { sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } - if (intlogger.isDebugEnabled()) { - intlogger.debug(jo.toString()); - } Group gup; try { gup = new Group(jo); @@ -275,10 +272,6 @@ public class GroupServlet extends ProxyServlet { sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } - if (intlogger.isDebugEnabled()) { - intlogger.debug(jo.toString()); - } - Group gup; try { gup = new Group(jo); diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java index 4732183a..efa1c102 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java @@ -39,19 +39,17 @@ import java.nio.file.Path; import java.nio.file.Paths; import java.nio.file.StandardCopyOption; import java.util.Properties; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - import org.json.JSONArray; -import org.onap.dmaap.datarouter.provisioning.utils.Poker; -import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask; import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord; import org.onap.dmaap.datarouter.provisioning.beans.LogRecord; import org.onap.dmaap.datarouter.provisioning.beans.Parameters; import org.onap.dmaap.datarouter.provisioning.eelf.EelfMsgs; import org.onap.dmaap.datarouter.provisioning.utils.LogfileLoader; +import org.onap.dmaap.datarouter.provisioning.utils.Poker; import org.onap.dmaap.datarouter.provisioning.utils.RLEBitSet; +import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask; @@ -454,7 +452,7 @@ public class InternalServlet extends ProxyServlet { if ("/logs".equals(path) || LOGS.equals(path)) { String ctype = req.getHeader("Content-Type"); - if (ctype == null || !TEXT_CT.equals(ctype)) { + if (!TEXT_CT.equals(ctype)) { elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE); elr.setMessage("Bad media type: " + ctype); resp.setStatus(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE); @@ -494,7 +492,7 @@ public class InternalServlet extends ProxyServlet { } try { fs.close(); - } catch (Exception e) { + } catch (UnsupportedOperationException | IOException e) { intlogger.error("PROV0137 InternalServlet.doPost: " + e.getMessage(), e); } if (total != 0 && ((avail * 100) / total) < 5) { @@ -522,7 +520,7 @@ public class InternalServlet extends ProxyServlet { if ("/drlogs".equals(path) || "/drlogs/".equals(path)) { // Receive post request and generate log entries String ctype = req.getHeader("Content-Type"); - if (ctype == null || !TEXT_CT.equals(ctype)) { + if (!TEXT_CT.equals(ctype)) { elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE); elr.setMessage("Bad media type: " + ctype); resp.setStatus(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE); diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java index 21b838de..fa4a24ff 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java @@ -34,7 +34,6 @@ import java.util.Collection; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.json.JSONObject; - import org.onap.dmaap.datarouter.authz.AuthorizationResponse; import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord; import org.onap.dmaap.datarouter.provisioning.beans.Feed; @@ -241,9 +240,6 @@ public class SubscribeServlet extends ProxyServlet { sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } - if (intlogger.isDebugEnabled()) { - intlogger.debug(jo.toString()); - } if (++activeSubs > maxSubs) { activeSubs--; message = "Cannot create subscription; the maximum number of subscriptions has been configured."; diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java index 1f7c291d..b3bb679b 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java @@ -39,10 +39,10 @@ import javax.servlet.http.HttpServletResponse; import org.json.JSONException;
import org.json.JSONObject;
import org.onap.dmaap.datarouter.authz.AuthorizationResponse;
-import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask;
import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.Subscription;
import org.onap.dmaap.datarouter.provisioning.eelf.EelfMsgs;
+import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask;
/**
* This servlet handles provisioning for the <subscriptionURL> which is generated by the provisioning server to
@@ -315,10 +315,7 @@ public class SubscriptionServlet extends ProxyServlet { sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
- if (intlogger.isDebugEnabled()) {
- intlogger.debug(jo.toString());
- }
- Subscription sub = null;
+ Subscription sub;
try {
sub = new Subscription(jo);
} catch (InvalidObjectException e) {
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Feed.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Feed.java index ac1f70af..c6344301 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Feed.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Feed.java @@ -185,7 +185,7 @@ public class Feed extends Syncable { if (fid.getId().length() > 60) {
throw new InvalidObjectException("id field is too long (" + fid.getId() + ")");
}
- if (fid.getPassword().length() > 32) {
+ if (fid.getPassword().length() > 100) {
//Fortify scan fixes - Privacy Violation
throw new InvalidObjectException("password field is too long (" + fid.getPassword() + ")");
}
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/PasswordProcessor.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/PasswordProcessor.java deleted file mode 100644 index a6a3e2b5..00000000 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/PasswordProcessor.java +++ /dev/null @@ -1,78 +0,0 @@ -/**
- * -
- * ============LICENSE_START=======================================================
- * Copyright (C) 2019 Nordix Foundation.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * <p>http://www.apache.org/licenses/LICENSE-2.0
- *
- * <p>* Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * <p>* SPDX-License-Identifier: Apache-2.0
- * ============LICENSE_END=========================================================
- */
-
-package org.onap.dmaap.datarouter.provisioning.utils;
-
-import java.nio.charset.StandardCharsets;
-import java.security.GeneralSecurityException;
-import java.util.Base64;
-
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.PBEParameterSpec;
-import org.onap.dmaap.datarouter.provisioning.ProvRunner;
-
-/**
- * The Processing of a Password. Password can be encrypted and decrypted.
- * @author Vikram Singh
- * @version $Id: PasswordProcessor.java,v 1.0 2016/12/14 10:16:52 EST
- */
-public class PasswordProcessor {
-
- private static final String SECRET_KEY_FACTORY_TYPE = "PBEWithMD5AndDES";
- private static final String PASSWORD_ENCRYPTION_STRING =
- ProvRunner.getProvProperties().getProperty("org.onap.dmaap.datarouter.provserver.passwordencryption");
- private static final char[] PASSWORD = PASSWORD_ENCRYPTION_STRING.toCharArray();
- private static final byte[] SALT = {(byte) 0xde, (byte) 0x33, (byte) 0x10,
- (byte) 0x12, (byte) 0xde, (byte) 0x33, (byte) 0x10, (byte) 0x12,};
-
- private PasswordProcessor(){
- }
-
- /**
- * Encrypt password.
- * @param property the Password
- * @return Encrypted password.
- */
- public static String encrypt(String property) throws GeneralSecurityException {
- SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(SECRET_KEY_FACTORY_TYPE);
- SecretKey key = keyFactory.generateSecret(new PBEKeySpec(PASSWORD));
- Cipher pbeCipher = Cipher.getInstance(SECRET_KEY_FACTORY_TYPE);
- pbeCipher.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(SALT, 32));
- return Base64.getEncoder().encodeToString(pbeCipher.doFinal(property.getBytes(StandardCharsets.UTF_8)));
- }
-
- /**
- * Decrypt password.
- * @param property the Password
- * @return Decrypt password.
- */
- public static String decrypt(String property) throws GeneralSecurityException {
- SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(SECRET_KEY_FACTORY_TYPE);
- SecretKey key = keyFactory.generateSecret(new PBEKeySpec(PASSWORD));
- Cipher pbeCipher = Cipher.getInstance(SECRET_KEY_FACTORY_TYPE);
- pbeCipher.init(Cipher.DECRYPT_MODE, key, new PBEParameterSpec(SALT, 32));
- return new String(pbeCipher.doFinal(Base64.getDecoder().decode(property)), StandardCharsets.UTF_8);
- }
-
-}
diff --git a/datarouter-prov/src/main/resources/provserver.properties b/datarouter-prov/src/main/resources/provserver.properties index 20b5cb92..ad9a19e3 100755 --- a/datarouter-prov/src/main/resources/provserver.properties +++ b/datarouter-prov/src/main/resources/provserver.properties @@ -52,7 +52,6 @@ org.onap.dmaap.datarouter.provserver.https.include.protocols = TLSv1.1|TLSv1.2 # AAF config org.onap.dmaap.datarouter.provserver.cadi.enabled = false -org.onap.dmaap.datarouter.provserver.passwordencryption = PasswordEncryptionKey#@$%^&1234# org.onap.dmaap.datarouter.provserver.aaf.feed.type = org.onap.dmaap-dr.feed org.onap.dmaap.datarouter.provserver.aaf.sub.type = org.onap.dmaap-dr.sub org.onap.dmaap.datarouter.provserver.aaf.instance = legacy |