aboutsummaryrefslogtreecommitdiffstats
path: root/datarouter-prov/src/main
diff options
context:
space:
mode:
authorefiacor <fiachra.corcoran@est.tech>2020-02-05 11:57:18 +0000
committerefiacor <fiachra.corcoran@est.tech>2020-02-05 13:54:58 +0000
commit0ad65c47b4fbddd5d1b653c5e38dcdf84884de9f (patch)
tree33ec4d4797ab682bfb229936376ea7440d1db3a8 /datarouter-prov/src/main
parenta884c481af24e2405f9389b01842c4671a03a75e (diff)
Removing passwordencryption key
Signed-off-by: efiacor <fiachra.corcoran@est.tech> Change-Id: I1d5f193ae0215d5a5939227097adbb01a5b9866a Issue-ID: DMAAP-1367
Diffstat (limited to 'datarouter-prov/src/main')
-rwxr-xr-xdatarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/BaseServlet.java49
-rw-r--r--datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java4
-rw-r--r--datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java4
-rw-r--r--datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/GroupServlet.java7
-rw-r--r--datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java12
-rw-r--r--datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java4
-rw-r--r--datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java7
-rw-r--r--datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Feed.java2
-rw-r--r--datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/PasswordProcessor.java78
-rwxr-xr-xdatarouter-prov/src/main/resources/provserver.properties1
10 files changed, 32 insertions, 136 deletions
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/BaseServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/BaseServlet.java
index c0290bbb..52629ffb 100755
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/BaseServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/BaseServlet.java
@@ -33,7 +33,6 @@ import com.att.eelf.configuration.EELFLogger;
import com.att.eelf.configuration.EELFManager;
import java.net.InetAddress;
import java.net.UnknownHostException;
-import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.SQLException;
@@ -49,6 +48,7 @@ import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;
import org.jetbrains.annotations.Nullable;
import org.json.JSONArray;
@@ -66,7 +66,6 @@ import org.onap.dmaap.datarouter.provisioning.beans.NodeClass;
import org.onap.dmaap.datarouter.provisioning.beans.Parameters;
import org.onap.dmaap.datarouter.provisioning.beans.Subscription;
import org.onap.dmaap.datarouter.provisioning.beans.Updateable;
-import org.onap.dmaap.datarouter.provisioning.utils.PasswordProcessor;
import org.onap.dmaap.datarouter.provisioning.utils.Poker;
import org.onap.dmaap.datarouter.provisioning.utils.ProvDbUtils;
import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask;
@@ -156,6 +155,7 @@ public class BaseServlet extends HttpServlet implements ProvDataProvider {
static final String START_TIME = "start_time";
static final String END_TIME = "end_time";
static final String REASON_SQL = "reasonSQL";
+ static final String JSON_HASH_STRING = "password";
/**
* A boolean to trigger one time "provisioning changed" event on startup.
@@ -331,7 +331,7 @@ public class BaseServlet extends HttpServlet implements ProvDataProvider {
try {
jo = new JSONObject(new JSONTokener(req.getInputStream()));
if (intlogger.isDebugEnabled()) {
- intlogger.debug("JSON: " + jo.toString());
+ intlogger.debug("JSON: " + hashPasswords(new JSONObject(jo.toString())).toString());
}
} catch (Exception e) {
intlogger.info("Error reading JSON: " + e);
@@ -339,38 +339,37 @@ public class BaseServlet extends HttpServlet implements ProvDataProvider {
return jo;
}
- /**
- * This method encrypt/decrypt the key in the JSON passed by user request inside the authorisation
- * header object in request before logging the JSON.
- *
- * @param jo the JSON passed in http request.
- * @param maskKey the key to be masked in the JSON passed.
- * @param action whether to mask the key or unmask it in a JSON passed.
- * @return the JSONObject, or null if the stream cannot be parsed.
- */
- static JSONObject maskJSON(JSONObject jo, String maskKey, boolean action) {
+ public static JSONObject hashPasswords(JSONObject jo) {
if (!jo.isNull("authorization")) {
JSONArray endpointIds = jo.getJSONObject("authorization").getJSONArray("endpoint_ids");
for (int index = 0; index < endpointIds.length(); index++) {
- if ((!endpointIds.getJSONObject(index).isNull(maskKey))) {
- String password = endpointIds.getJSONObject(index).get(maskKey).toString();
- processPassword(maskKey, action, endpointIds, index, password);
+ if ((!endpointIds.getJSONObject(index).isNull(JSON_HASH_STRING))) {
+ String password = endpointIds.getJSONObject(index).get(JSON_HASH_STRING).toString();
+ processPassword(endpointIds, index, password);
}
}
}
+ if (!jo.isNull("delivery")) {
+ JSONObject deliveryObj = jo.getJSONObject("delivery");
+ String password = deliveryObj.get(JSON_HASH_STRING).toString();
+ processPassword(deliveryObj, password);
+ }
return jo;
}
- private static void processPassword(String maskKey, boolean action, JSONArray endpointIds, int index,
- String password) {
+ private static void processPassword(JSONArray endpointIds, int index, String password) {
try {
- if (action) {
- endpointIds.getJSONObject(index).put(maskKey, PasswordProcessor.encrypt(password));
- } else {
- endpointIds.getJSONObject(index).put(maskKey, PasswordProcessor.decrypt(password));
- }
- } catch (JSONException | GeneralSecurityException e) {
- intlogger.info("Error reading JSON while masking: " + e);
+ endpointIds.getJSONObject(index).put(JSON_HASH_STRING, DigestUtils.sha256Hex(password));
+ } catch (JSONException e) {
+ intlogger.info("Error reading JSON while hashing: " + e);
+ }
+ }
+
+ private static void processPassword(JSONObject deliveryObj, String password) {
+ try {
+ deliveryObj.put(JSON_HASH_STRING, DigestUtils.sha256Hex(password));
+ } catch (JSONException e) {
+ intlogger.info("Error reading JSON while hashing: " + e);
}
}
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java
index f0ab3956..eada4862 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java
@@ -34,7 +34,6 @@ import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.json.JSONObject;
-
import org.onap.dmaap.datarouter.authz.AuthorizationResponse;
import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.Feed;
@@ -269,9 +268,6 @@ public class DRFeedsServlet extends ProxyServlet {
sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
- if (intlogger.isDebugEnabled()) {
- intlogger.debug(jo.toString());
- }
if (++activeFeeds > maxFeeds) {
activeFeeds--;
message = "Cannot create feed; the maximum number of feeds has been configured.";
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java
index 4b94159e..de27c652 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java
@@ -34,7 +34,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.json.JSONException;
import org.json.JSONObject;
-
import org.onap.dmaap.datarouter.authz.AuthorizationResponse;
import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.Feed;
@@ -310,9 +309,6 @@ public class FeedServlet extends ProxyServlet {
sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
- if (intlogger.isDebugEnabled()) {
- intlogger.debug(jo.toString());
- }
Feed feed;
try {
feed = new Feed(jo);
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/GroupServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/GroupServlet.java
index 73f859ac..432ea3c0 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/GroupServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/GroupServlet.java
@@ -181,9 +181,6 @@ public class GroupServlet extends ProxyServlet {
sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
- if (intlogger.isDebugEnabled()) {
- intlogger.debug(jo.toString());
- }
Group gup;
try {
gup = new Group(jo);
@@ -275,10 +272,6 @@ public class GroupServlet extends ProxyServlet {
sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
- if (intlogger.isDebugEnabled()) {
- intlogger.debug(jo.toString());
- }
-
Group gup;
try {
gup = new Group(jo);
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java
index 4732183a..efa1c102 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java
@@ -39,19 +39,17 @@ import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.Properties;
-
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-
import org.json.JSONArray;
-import org.onap.dmaap.datarouter.provisioning.utils.Poker;
-import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask;
import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.LogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.Parameters;
import org.onap.dmaap.datarouter.provisioning.eelf.EelfMsgs;
import org.onap.dmaap.datarouter.provisioning.utils.LogfileLoader;
+import org.onap.dmaap.datarouter.provisioning.utils.Poker;
import org.onap.dmaap.datarouter.provisioning.utils.RLEBitSet;
+import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask;
@@ -454,7 +452,7 @@ public class InternalServlet extends ProxyServlet {
if ("/logs".equals(path) || LOGS.equals(path)) {
String ctype = req.getHeader("Content-Type");
- if (ctype == null || !TEXT_CT.equals(ctype)) {
+ if (!TEXT_CT.equals(ctype)) {
elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
elr.setMessage("Bad media type: " + ctype);
resp.setStatus(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
@@ -494,7 +492,7 @@ public class InternalServlet extends ProxyServlet {
}
try {
fs.close();
- } catch (Exception e) {
+ } catch (UnsupportedOperationException | IOException e) {
intlogger.error("PROV0137 InternalServlet.doPost: " + e.getMessage(), e);
}
if (total != 0 && ((avail * 100) / total) < 5) {
@@ -522,7 +520,7 @@ public class InternalServlet extends ProxyServlet {
if ("/drlogs".equals(path) || "/drlogs/".equals(path)) {
// Receive post request and generate log entries
String ctype = req.getHeader("Content-Type");
- if (ctype == null || !TEXT_CT.equals(ctype)) {
+ if (!TEXT_CT.equals(ctype)) {
elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
elr.setMessage("Bad media type: " + ctype);
resp.setStatus(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java
index 21b838de..fa4a24ff 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java
@@ -34,7 +34,6 @@ import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.json.JSONObject;
-
import org.onap.dmaap.datarouter.authz.AuthorizationResponse;
import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.Feed;
@@ -241,9 +240,6 @@ public class SubscribeServlet extends ProxyServlet {
sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
- if (intlogger.isDebugEnabled()) {
- intlogger.debug(jo.toString());
- }
if (++activeSubs > maxSubs) {
activeSubs--;
message = "Cannot create subscription; the maximum number of subscriptions has been configured.";
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java
index 1f7c291d..b3bb679b 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java
@@ -39,10 +39,10 @@ import javax.servlet.http.HttpServletResponse;
import org.json.JSONException;
import org.json.JSONObject;
import org.onap.dmaap.datarouter.authz.AuthorizationResponse;
-import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask;
import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.Subscription;
import org.onap.dmaap.datarouter.provisioning.eelf.EelfMsgs;
+import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask;
/**
* This servlet handles provisioning for the &lt;subscriptionURL&gt; which is generated by the provisioning server to
@@ -315,10 +315,7 @@ public class SubscriptionServlet extends ProxyServlet {
sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
- if (intlogger.isDebugEnabled()) {
- intlogger.debug(jo.toString());
- }
- Subscription sub = null;
+ Subscription sub;
try {
sub = new Subscription(jo);
} catch (InvalidObjectException e) {
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Feed.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Feed.java
index ac1f70af..c6344301 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Feed.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Feed.java
@@ -185,7 +185,7 @@ public class Feed extends Syncable {
if (fid.getId().length() > 60) {
throw new InvalidObjectException("id field is too long (" + fid.getId() + ")");
}
- if (fid.getPassword().length() > 32) {
+ if (fid.getPassword().length() > 100) {
//Fortify scan fixes - Privacy Violation
throw new InvalidObjectException("password field is too long (" + fid.getPassword() + ")");
}
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/PasswordProcessor.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/PasswordProcessor.java
deleted file mode 100644
index a6a3e2b5..00000000
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/PasswordProcessor.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/**
- * -
- * ============LICENSE_START=======================================================
- * Copyright (C) 2019 Nordix Foundation.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * <p>http://www.apache.org/licenses/LICENSE-2.0
- *
- * <p>* Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * <p>* SPDX-License-Identifier: Apache-2.0
- * ============LICENSE_END=========================================================
- */
-
-package org.onap.dmaap.datarouter.provisioning.utils;
-
-import java.nio.charset.StandardCharsets;
-import java.security.GeneralSecurityException;
-import java.util.Base64;
-
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.PBEParameterSpec;
-import org.onap.dmaap.datarouter.provisioning.ProvRunner;
-
-/**
- * The Processing of a Password. Password can be encrypted and decrypted.
- * @author Vikram Singh
- * @version $Id: PasswordProcessor.java,v 1.0 2016/12/14 10:16:52 EST
- */
-public class PasswordProcessor {
-
- private static final String SECRET_KEY_FACTORY_TYPE = "PBEWithMD5AndDES";
- private static final String PASSWORD_ENCRYPTION_STRING =
- ProvRunner.getProvProperties().getProperty("org.onap.dmaap.datarouter.provserver.passwordencryption");
- private static final char[] PASSWORD = PASSWORD_ENCRYPTION_STRING.toCharArray();
- private static final byte[] SALT = {(byte) 0xde, (byte) 0x33, (byte) 0x10,
- (byte) 0x12, (byte) 0xde, (byte) 0x33, (byte) 0x10, (byte) 0x12,};
-
- private PasswordProcessor(){
- }
-
- /**
- * Encrypt password.
- * @param property the Password
- * @return Encrypted password.
- */
- public static String encrypt(String property) throws GeneralSecurityException {
- SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(SECRET_KEY_FACTORY_TYPE);
- SecretKey key = keyFactory.generateSecret(new PBEKeySpec(PASSWORD));
- Cipher pbeCipher = Cipher.getInstance(SECRET_KEY_FACTORY_TYPE);
- pbeCipher.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(SALT, 32));
- return Base64.getEncoder().encodeToString(pbeCipher.doFinal(property.getBytes(StandardCharsets.UTF_8)));
- }
-
- /**
- * Decrypt password.
- * @param property the Password
- * @return Decrypt password.
- */
- public static String decrypt(String property) throws GeneralSecurityException {
- SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(SECRET_KEY_FACTORY_TYPE);
- SecretKey key = keyFactory.generateSecret(new PBEKeySpec(PASSWORD));
- Cipher pbeCipher = Cipher.getInstance(SECRET_KEY_FACTORY_TYPE);
- pbeCipher.init(Cipher.DECRYPT_MODE, key, new PBEParameterSpec(SALT, 32));
- return new String(pbeCipher.doFinal(Base64.getDecoder().decode(property)), StandardCharsets.UTF_8);
- }
-
-}
diff --git a/datarouter-prov/src/main/resources/provserver.properties b/datarouter-prov/src/main/resources/provserver.properties
index 20b5cb92..ad9a19e3 100755
--- a/datarouter-prov/src/main/resources/provserver.properties
+++ b/datarouter-prov/src/main/resources/provserver.properties
@@ -52,7 +52,6 @@ org.onap.dmaap.datarouter.provserver.https.include.protocols = TLSv1.1|TLSv1.2
# AAF config
org.onap.dmaap.datarouter.provserver.cadi.enabled = false
-org.onap.dmaap.datarouter.provserver.passwordencryption = PasswordEncryptionKey#@$%^&1234#
org.onap.dmaap.datarouter.provserver.aaf.feed.type = org.onap.dmaap-dr.feed
org.onap.dmaap.datarouter.provserver.aaf.sub.type = org.onap.dmaap-dr.sub
org.onap.dmaap.datarouter.provserver.aaf.instance = legacy