From 048c655b281c0b65ecb710afb4024261d2114b9b Mon Sep 17 00:00:00 2001
From: sebdet
Date: Fri, 16 Apr 2021 17:44:09 +0200
Subject: Fix Sonar security HotSpot

Fix sec issues reported by Sonar

Issue-ID: POLICY-3200
Signed-off-by: sebdet
Change-Id: I6cdd3ff24d150333ab69e959bae39e3f0c30263f
---
 .../clds/config/DefaultUserConfiguration.java | 6 +++---
 .../clds/sdc/controller/SdcSingleController.java | 23 +++++++++++++---------
 .../policy/microservice/MicroServicePolicy.java | 3 ++-
 .../policy/operational/OperationalPolicy.java | 5 +++--
 4 files changed, 22 insertions(+), 15 deletions(-)
(limited to 'src/main/java/org')

diff --git a/src/main/java/org/onap/policy/clamp/clds/config/DefaultUserConfiguration.java b/src/main/java/org/onap/policy/clamp/clds/config/DefaultUserConfiguration.java
index 015868141..74aeccda5 100644
--- a/src/main/java/org/onap/policy/clamp/clds/config/DefaultUserConfiguration.java
+++ b/src/main/java/org/onap/policy/clamp/clds/config/DefaultUserConfiguration.java
@@ -1,8 +1,8 @@
 /*-
  * ============LICENSE_START=======================================================
- * ONAP CLAMP
+ * ONAP POLICY-CLAMP
  * ================================================================================
- * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights
+ * Copyright (C) 2017-2018, 2021 AT&T Intellectual Property. All rights
  * reserved.
  * ================================================================================
  * Modifications Copyright (c) 2019 Samsung
@@ -73,7 +73,7 @@ public class DefaultUserConfiguration extends WebSecurityConfigurerAdapter {
     @Override
     protected void configure(HttpSecurity http) {
         try {
-            http.csrf().disable().httpBasic().and().authorizeRequests().antMatchers("/restservices/clds/v1/user/**")
+            http.httpBasic().and().authorizeRequests().antMatchers("/restservices/clds/v1/user/**")
                     .authenticated().anyRequest().permitAll().and().sessionManagement()
                     .maximumSessions(1);
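Review bot: Dropping `csrf().disable()` in the `@@ -73` hunk re-enables Spring Security's CSRF filter for every non-safe request, but the hunk configures no token repository or exemption, so any client that authenticates with HTTP Basic and never sends a CSRF token (scripted REST callers, other ONAP components) would presumably now be rejected with 403 on POST/PUT/DELETE unless configuration outside this hunk supplies one. If browser sessions are the only callers, pair the change with `.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())` so the UI can read the token from the cookie; if non-browser clients exist, give them a documented way to obtain the token instead of reverting to a blanket disable. A one-line comment above the chain, such as `// CSRF left enabled on purpose (Sonar hotspot); UI obtains the token via the cookie repository`, would stop the next maintainer from re-adding the disable. The `configure` method continues past the end of the hunk.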
diff --git a/src/main/java/org/onap/policy/clamp/clds/sdc/controller/SdcSingleController.java b/src/main/java/org/onap/policy/clamp/clds/sdc/controller/SdcSingleController.java
index 4ca6b1cf4..39e64e46b 100644
--- a/src/main/java/org/onap/policy/clamp/clds/sdc/controller/SdcSingleController.java
+++ b/src/main/java/org/onap/policy/clamp/clds/sdc/controller/SdcSingleController.java
@@ -1,8 +1,8 @@
 /*-
  * ============LICENSE_START=======================================================
- * ONAP CLAMP
+ * ONAP POLICY-CLAMP
  * ================================================================================
- * Copyright (C) 2018-2019 AT&T Intellectual Property. All rights
+ * Copyright (C) 2018-2019, 2021 AT&T Intellectual Property. All rights
  * reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -26,9 +26,9 @@ package org.onap.policy.clamp.clds.sdc.controller;
 import com.att.eelf.configuration.EELFLogger;
 import com.att.eelf.configuration.EELFManager;
+import java.security.SecureRandom;
 import java.util.Date;
 import java.util.Map.Entry;
-import java.util.concurrent.ThreadLocalRandom;
 import org.onap.policy.clamp.clds.config.ClampProperties;
 import org.onap.policy.clamp.clds.config.sdc.SdcSingleControllerConfiguration;
 import org.onap.policy.clamp.clds.exception.sdc.controller.BlueprintParserException;
@@ -261,7 +261,7 @@ public class SdcSingleController {
         try {
             // wait for a random time, so that 2 running Clamp will not treat
             // the same Notification at the same time
-            Thread.sleep(ThreadLocalRandom.current().nextInt(1, 10) * 1000L);
+            Thread.sleep((new SecureRandom().nextInt(10) + 1) * 1000L);
             logger.info("Notification received for service UUID:" + notificationData.getServiceUUID());
             this.changeControllerStatus(SdcSingleControllerStatus.BUSY);
             csar = new CsarHandler(notificationData, this.sdcConfig.getSdcControllerName(),
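Review bot: The replacement sleep in the `@@ -261` hunk silently widens the jitter range: `ThreadLocalRandom.current().nextInt(1, 10)` produced 1–9 seconds (exclusive upper bound), whereas `new SecureRandom().nextInt(10) + 1` produces 1–10, and it also constructs and seeds a fresh `SecureRandom` on every notification, which is needless for a back-off delay that protects no secret and may be slow to seed on entropy-starved hosts. If the Sonar hotspot must be satisfied rather than justified in a comment, keep a single shared instance and the original bounds: add `private static final SecureRandom JITTER = new SecureRandom();` as a class field and use `Thread.sleep((JITTER.nextInt(9) + 1) * 1000L);` at the call site. The enclosing method starts and ends outside the hunk.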
@@ -383,23 +383,28 @@ public class SdcSingleController {
         try {
             IComponentDoneStatusMessage message = new IComponentDoneStatusMessage() {
 
-                @Override public String getDistributionID() {
+                @Override
+                public String getDistributionID() {
                     return notificationData.getDistributionID();
                 }
 
-                @Override public String getConsumerID() {
+                @Override
+                public String getConsumerID() {
                     return sdcConfig.getConsumerID();
                 }
 
-                @Override public long getTimestamp() {
+                @Override
+                public long getTimestamp() {
                     return System.currentTimeMillis();
                 }
 
-                @Override public DistributionStatusEnum getStatus() {
+                @Override
+                public DistributionStatusEnum getStatus() {
                     return status;
                 }
 
-                @Override public String getComponentName() {
+                @Override
+                public String getComponentName() {
                     return sdcConfig.getUser();
                 }
             };
diff --git a/src/main/java/org/onap/policy/clamp/policy/microservice/MicroServicePolicy.java b/src/main/java/org/onap/policy/clamp/policy/microservice/MicroServicePolicy.java
index 2e5db8e24..be5e7917c 100644
--- a/src/main/java/org/onap/policy/clamp/policy/microservice/MicroServicePolicy.java
+++ b/src/main/java/org/onap/policy/clamp/policy/microservice/MicroServicePolicy.java
@@ -26,6 +26,7 @@ package org.onap.policy.clamp.policy.microservice;
 import com.google.gson.JsonObject;
 import com.google.gson.annotations.Expose;
 import java.io.Serializable;
+import java.security.SecureRandom;
 import java.util.HashSet;
 import java.util.Set;
 import javax.persistence.Column;
@@ -130,7 +131,7 @@ public class MicroServicePolicy extends Policy implements Serializable {
         this(Policy.generatePolicyName("MICROSERVICE", service.getName(), service.getVersion(),
                 loopElementModel.getPolicyModels().first().getPolicyAcronym() + '_' + loopElementModel.getPolicyModels().first().getVersion(),
-                RandomStringUtils.randomAlphanumeric(3)),
+                RandomStringUtils.random(3, 0, 0, true, true, null, new SecureRandom())),
                 loopElementModel.getPolicyModels().first(), false, new JsonObject(), loopElementModel, null, null);
         this.updateJsonRepresentation(toscaConverter, service);
     }
diff --git a/src/main/java/org/onap/policy/clamp/policy/operational/OperationalPolicy.java b/src/main/java/org/onap/policy/clamp/policy/operational/OperationalPolicy.java
index 5b29f319c..1646a7cc7 100644
--- a/src/main/java/org/onap/policy/clamp/policy/operational/OperationalPolicy.java
+++ b/src/main/java/org/onap/policy/clamp/policy/operational/OperationalPolicy.java
@@ -30,6 +30,7 @@ import com.google.gson.JsonObject;
 import com.google.gson.annotations.Expose;
 import java.io.Serializable;
 import java.io.UnsupportedEncodingException;
+import java.security.SecureRandom;
 import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.FetchType;
@@ -114,7 +115,7 @@ public class OperationalPolicy extends Policy implements Serializable {
         this(Policy.generatePolicyName("OPERATIONAL", service.getName(), service.getVersion(),
                 loopElementModel.getPolicyModels().first().getPolicyAcronym() + '_' + loopElementModel.getPolicyModels().first().getVersion(),
-                RandomStringUtils.randomAlphanumeric(3)), new JsonObject(),
+                RandomStringUtils.random(3, 0, 0, true, true, null, new SecureRandom())), new JsonObject(),
                 new JsonObject(), loopElementModel.getPolicyModels().first(), loopElementModel, null, null);
         this.setLoop(loop);
         this.updateJsonRepresentation(toscaConverter, service);
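Review bot: `RandomStringUtils.random(3, 0, 0, true, true, null, new SecureRandom())` in the `@@ -130` hunk allocates and seeds a new `SecureRandom` on every `MicroServicePolicy` construction, and the identical pattern is repeated in both `OperationalPolicy` constructors (the `@@ -114` hunk in this file section and the `@@ -132` hunk that follows). The three-character suffix is a name-uniqueness tag rather than a credential, so one shared `private static final SecureRandom` per class, or a helper placed next to `Policy.generatePolicyName`, would keep the Sonar fix without the repeated seeding and without three copies of a seven-argument call. Independently of the generator, three alphanumeric characters give only 62^3 ≈ 238k values, so collision avoidance presumably rests on the other name components, not on this suffix. A comment such as `// ASCII letters+digits (same alphabet as randomAlphanumeric) drawn from SecureRandom to satisfy the Sonar hotspot` on the call would make the non-obvious 0,0,true,true arguments readable.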
@@ -132,7 +133,7 @@ public class OperationalPolicy extends Policy implements Serializable {
             ToscaConverterWithDictionarySupport toscaConverter) {
         this(Policy.generatePolicyName("OPERATIONAL", service.getName(), service.getVersion(),
                 policyModel.getPolicyAcronym() + '_' + policyModel.getVersion(),
-                RandomStringUtils.randomAlphanumeric(3)),
+                RandomStringUtils.random(3, 0, 0, true, true, null, new SecureRandom())),
                 new JsonObject(), new JsonObject(), policyModel, null, null, null);
         this.setLoop(loop);
-- 
cgit 1.2.3-korg