From 08b9492f3330e93d477a5a5a275ed44755e9f52a Mon Sep 17 00:00:00 2001 From: "Determe, Sebastien (sd378r)" Date: Tue, 27 Mar 2018 10:25:41 +0200 Subject: Security Fix Introduce a centralized ObjectMapper for Resteasy and Clamp code so that the automatic Ser/deserialization of all classes is disabled. Issue-ID: CLAMP-135 Change-Id: I1fb11c8fc8e7a53ef832774fa8c06af1c70d3dad Signed-off-by: Determe, Sebastien (sd378r) --- .../clamp/clds/client/DcaeDispatcherServices.java | 2 + .../clamp/clds/client/DcaeInventoryServices.java | 7 +-- .../clds/client/req/sdc/SdcCatalogServices.java | 64 ++++++++++------------ .../clamp/clds/client/req/sdc/SdcRequests.java | 6 +- .../onap/clamp/clds/config/ClampProperties.java | 12 ++-- .../clamp/clds/config/CldsUserJsonDecoder.java | 7 +-- .../sdc/BlueprintParserMappingConfiguration.java | 5 +- .../config/sdc/SdcControllersConfiguration.java | 4 +- .../java/org/onap/clamp/clds/model/CldsModel.java | 4 +- .../clamp/clds/model/properties/ModelBpmn.java | 15 +++-- .../clds/model/properties/ModelProperties.java | 7 +-- .../org/onap/clamp/clds/service/CldsService.java | 50 ++++++++--------- .../clds/service/JacksonObjectMapperProvider.java | 51 +++++++++++++++++ .../onap/clamp/clds/service/JaxrsApplication.java | 11 ++-- .../org/onap/clamp/clds/util/JacksonUtils.java | 53 ++++++++++++++++++ 15 files changed, 197 insertions(+), 101 deletions(-) create mode 100644 src/main/java/org/onap/clamp/clds/service/JacksonObjectMapperProvider.java create mode 100644 src/main/java/org/onap/clamp/clds/util/JacksonUtils.java (limited to 'src/main/java') diff --git a/src/main/java/org/onap/clamp/clds/client/DcaeDispatcherServices.java b/src/main/java/org/onap/clamp/clds/client/DcaeDispatcherServices.java index 9226604a1..f20668e59 100644 --- a/src/main/java/org/onap/clamp/clds/client/DcaeDispatcherServices.java +++ b/src/main/java/org/onap/clamp/clds/client/DcaeDispatcherServices.java 
@@ -152,6 +152,8 @@ public class DcaeDispatcherServices { * The deployment ID * @param serviceTypeId * Service type ID + * @param blueprintInput + * The value for each blueprint parameters in a flat JSON * @return The status URL */ public String createNewDeployment(String deploymentId, String serviceTypeId) { diff --git a/src/main/java/org/onap/clamp/clds/client/DcaeInventoryServices.java b/src/main/java/org/onap/clamp/clds/client/DcaeInventoryServices.java index d5015040c..ffc9b8e28 100644 --- a/src/main/java/org/onap/clamp/clds/client/DcaeInventoryServices.java +++ b/src/main/java/org/onap/clamp/clds/client/DcaeInventoryServices.java @@ -26,7 +26,6 @@ package org.onap.clamp.clds.client; import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.node.ObjectNode; import java.io.IOException; @@ -47,6 +46,7 @@ import org.onap.clamp.clds.model.DcaeEvent; import org.onap.clamp.clds.model.dcae.DcaeInventoryResponse; import org.onap.clamp.clds.model.properties.Global; import org.onap.clamp.clds.model.properties.ModelProperties; +import org.onap.clamp.clds.util.JacksonUtils; import org.onap.clamp.clds.util.LoggingUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; @@ -182,7 +182,7 @@ public class DcaeInventoryServices { LoggingUtils.setResponseContext("0", "Get Dcae Information success", this.getClass().getName()); LoggingUtils.setTimeContext(startTime, new Date()); metricsLogger.info("getDcaeInformation complete: number services returned=" + numServices); - return new ObjectMapper().readValue(dcaeInventoryResponse, DcaeInventoryResponse.class); + return JacksonUtils.getObjectMapperInstance().readValue(dcaeInventoryResponse, DcaeInventoryResponse.class); } /** 
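Review bot: The added `@param blueprintInput` tag in the first hunk documents a parameter that the signature shown directly below it, `createNewDeployment(String deploymentId, String serviceTypeId)`, does not have. As it stands the Javadoc promises a caller-supplied blueprint JSON that this method never receives. If a three-argument overload exists outside this hunk, move the two added lines there; otherwise drop them.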
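Review bot: `JacksonUtils.getObjectMapperInstance()`, first used in the `@@ -182` hunk, hands each caller a full `ObjectMapper`, and later hunks keep it in locals (`ObjectMapper mapper = JacksonUtils.getObjectMapperInstance();`). If the instance is shared, a single `configure(...)` or `enableDefaultTyping()` call anywhere would silently change deserialization for every consumer. JacksonUtils is not part of this excerpt, so the sharing is inferred from the accessor name and the commit message. Suggest stating the contract on the accessor, e.g. `/** Shared, pre-configured mapper; callers must not reconfigure it. */`, or handing out `reader()`/`writer()` views where a call site only reads or writes.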
@@ -210,8 +210,7 @@ public class DcaeInventoryServices { LoggingUtils.setTargetContext("DCAE", "createDCAEServiceType"); String typeId = null; try { - ObjectMapper mapper = new ObjectMapper(); - ObjectNode dcaeServiceTypeRequest = mapper.createObjectNode(); + ObjectNode dcaeServiceTypeRequest = JacksonUtils.getObjectMapperInstance().createObjectNode(); dcaeServiceTypeRequest.put("blueprintTemplate", blueprintTemplate); dcaeServiceTypeRequest.put("owner", owner); dcaeServiceTypeRequest.put("typeName", typeName); diff --git a/src/main/java/org/onap/clamp/clds/client/req/sdc/SdcCatalogServices.java b/src/main/java/org/onap/clamp/clds/client/req/sdc/SdcCatalogServices.java index fd7d096fa..ce3c8baf4 100644 --- a/src/main/java/org/onap/clamp/clds/client/req/sdc/SdcCatalogServices.java +++ b/src/main/java/org/onap/clamp/clds/client/req/sdc/SdcCatalogServices.java @@ -74,6 +74,7 @@ import org.onap.clamp.clds.model.sdc.SdcServiceDetail; import org.onap.clamp.clds.model.sdc.SdcServiceInfo; import org.onap.clamp.clds.service.CldsService; import org.onap.clamp.clds.util.CryptoUtils; +import org.onap.clamp.clds.util.JacksonUtils; import org.onap.clamp.clds.util.LoggingUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; 
@@ -284,13 +285,12 @@ public class SdcCatalogServices { * an empty list */ private List getCldsSdcServicesListFromJson(String jsonStr) { - ObjectMapper objectMapper = new ObjectMapper(); if (StringUtils.isBlank(jsonStr)) { return new ArrayList<>(); } try { - return objectMapper.readValue(jsonStr, - objectMapper.getTypeFactory().constructCollectionType(List.class, SdcServiceInfo.class)); + return JacksonUtils.getObjectMapperInstance().readValue(jsonStr, JacksonUtils.getObjectMapperInstance() + .getTypeFactory().constructCollectionType(List.class, SdcServiceInfo.class)); } catch (IOException e) { logger.error("Error when attempting to decode the JSON containing CldsSdcServiceInfo", e); return new ArrayList<>(); @@ -306,13 +306,12 @@ public class SdcCatalogServices { * issues */ private List getAllSdcResourcesListFromJson(String jsonStr) { - ObjectMapper objectMapper = new ObjectMapper(); if (StringUtils.isBlank(jsonStr)) { return new ArrayList<>(); } try { - return objectMapper.readValue(jsonStr, - objectMapper.getTypeFactory().constructCollectionType(List.class, SdcResourceBasicInfo.class)); + return JacksonUtils.getObjectMapperInstance().readValue(jsonStr, JacksonUtils.getObjectMapperInstance() + .getTypeFactory().constructCollectionType(List.class, SdcResourceBasicInfo.class)); } catch (IOException e) { logger.error("Exception occurred when attempting to decode the list of CldsSdcResourceBasicInfo JSON", e); return new ArrayList<>(); @@ -326,9 +325,8 @@ public class SdcCatalogServices { * @return */ public SdcServiceDetail decodeCldsSdcServiceDetailFromJson(String jsonStr) { - ObjectMapper objectMapper = new ObjectMapper(); try { - return objectMapper.readValue(jsonStr, SdcServiceDetail.class); + return JacksonUtils.getObjectMapperInstance().readValue(jsonStr, SdcServiceDetail.class); } catch (IOException e) { logger.error("Exception when attempting to decode the CldsSdcServiceDetail JSON", e); return null; 
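Review bot: The new `readValue` call in `getCldsSdcServicesListFromJson` calls `JacksonUtils.getObjectMapperInstance()` twice inside one expression, once for the mapper and once for its type factory, which reads worse than the code it replaces. A local keeps it to one lookup: `ObjectMapper mapper = JacksonUtils.getObjectMapperInstance();` followed by `return mapper.readValue(jsonStr, mapper.getTypeFactory().constructCollectionType(List.class, SdcServiceInfo.class));`. `getAllSdcResourcesListFromJson` in the next hunk has the same shape. The closing lines of both methods fall outside their hunks.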
@@ -470,12 +468,12 @@ public class SdcCatalogServices { String serviceUuid = getServiceUuidFromServiceInvariantId(invariantServiceUuid); String serviceDetailUrl = url + "/" + serviceUuid + SDC_METADATA_URL_PREFIX; String responseStr = getCldsServicesOrResourcesBasedOnURL(serviceDetailUrl); - ObjectMapper objectMapper = new ObjectMapper(); CldsServiceData cldsServiceData = new CldsServiceData(); if (responseStr != null) { SdcServiceDetail cldsSdcServiceDetail; try { - cldsSdcServiceDetail = objectMapper.readValue(responseStr, SdcServiceDetail.class); + cldsSdcServiceDetail = JacksonUtils.getObjectMapperInstance().readValue(responseStr, + SdcServiceDetail.class); } catch (IOException e) { logger.error("Exception when decoding the CldsServiceData JSON from SDC", e); throw new SdcCommunicationException("Exception when decoding the CldsServiceData JSON from SDC", e); @@ -568,11 +566,10 @@ public class SdcCatalogServices { } } - private List getVfcDataListFromVfResponse(String vfResponse) throws GeneralSecurityException { - ObjectMapper mapper = new ObjectMapper(); + private List getVfcDataListFromVfResponse(String vfResponse) { ObjectNode vfResponseNode; try { - vfResponseNode = (ObjectNode) mapper.readTree(vfResponse); + vfResponseNode = (ObjectNode) JacksonUtils.getObjectMapperInstance().readTree(vfResponse); } catch (IOException e) { logger.error("Exception when decoding the JSON list of CldsVfcData", e); return new ArrayList<>(); 
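Review bot: The cast in `getVfcDataListFromVfResponse`, `(ObjectNode) JacksonUtils.getObjectMapperInstance().readTree(vfResponse)`, throws `ClassCastException` when the SDC response is valid JSON but not an object (an array or a scalar), and the surrounding `catch (IOException e)` does not cover that. Read into a `JsonNode` first and bail out the same way the catch does: `JsonNode node = JacksonUtils.getObjectMapperInstance().readTree(vfResponse);` then `if (!(node instanceof ObjectNode)) { logger.error("Unexpected JSON type in VF response"); return new ArrayList<>(); }`. The same unchecked cast is on the new side of the `@@ -614`, `@@ -639` and `@@ -684` hunks (`vfcResponse`, `vfcResponse`, `vfResponse`). The method body continues past the end of this hunk.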
@@ -614,8 +611,7 @@ public class SdcCatalogServices { String vfcResourceUUIDUrl = catalogUrl + RESOURCE_URL_PREFIX + "/" + resourceUUID + SDC_METADATA_URL_PREFIX; try { String vfcResponse = getCldsServicesOrResourcesBasedOnURL(vfcResourceUUIDUrl); - ObjectMapper mapper = new ObjectMapper(); - ObjectNode vfResponseNode = (ObjectNode) mapper.readTree(vfcResponse); + ObjectNode vfResponseNode = (ObjectNode) JacksonUtils.getObjectMapperInstance().readTree(vfcResponse); ArrayNode vfcArrayNode = (ArrayNode) vfResponseNode.get("resources"); if (vfcArrayNode != null) { for (JsonNode vfcjsonNode : vfcArrayNode) { @@ -639,10 +635,9 @@ public class SdcCatalogServices { private List getAlarmCondtionsFromVfc(String vfcResponse) throws GeneralSecurityException { List cldsAlarmConditionList = new ArrayList<>(); - ObjectMapper mapper = new ObjectMapper(); ObjectNode vfcResponseNode; try { - vfcResponseNode = (ObjectNode) mapper.readTree(vfcResponse); + vfcResponseNode = (ObjectNode) JacksonUtils.getObjectMapperInstance().readTree(vfcResponse); } catch (IOException e) { logger.error("Exception when decoding the JSON list of CldsAlarmCondition", e); return cldsAlarmConditionList; @@ -684,10 +679,9 @@ public class SdcCatalogServices { // Method to get the artifact for any particular VF private List getFieldPathFromVF(String vfResponse) throws GeneralSecurityException { List cldsVfKPIDataList = new ArrayList<>(); - ObjectMapper mapper = new ObjectMapper(); ObjectNode vfResponseNode; try { - vfResponseNode = (ObjectNode) mapper.readTree(vfResponse); + vfResponseNode = (ObjectNode) JacksonUtils.getObjectMapperInstance().readTree(vfResponse); } catch (IOException e) { logger.error("Exception when decoding the JSON list of CldsVfKPIData", e); return cldsVfKPIDataList; 
@@ -846,24 +840,23 @@ public class SdcCatalogServices { */ public String createPropertiesObjectByUUID(CldsServiceData cldsServiceData) throws IOException { String totalPropsStr; - ObjectMapper mapper = new ObjectMapper(); + ObjectMapper mapper = JacksonUtils.getObjectMapperInstance(); ObjectNode globalPropsJson = (ObjectNode) refProp.getJsonTemplate(CldsService.GLOBAL_PROPERTIES_KEY); if (cldsServiceData != null && cldsServiceData.getServiceUUID() != null) { // Objectnode to save all byservice, byvf , byvfc and byalarm nodes ObjectNode byIdObjectNode = mapper.createObjectNode(); // To create vf ResourceUUID node with serviceInvariantUUID - ObjectNode invariantUuidObjectNodeWithVf = createVfObjectNodeByServiceInvariantUuid(mapper, - cldsServiceData); + ObjectNode invariantUuidObjectNodeWithVf = createVfObjectNodeByServiceInvariantUuid(cldsServiceData); byIdObjectNode.putPOJO("byService", invariantUuidObjectNodeWithVf); // To create byVf and vfcResourceNode with vfResourceUUID - ObjectNode vfcObjectNodeByVfUuid = createVfcObjectNodeByVfUuid(mapper, cldsServiceData.getCldsVfs()); + ObjectNode vfcObjectNodeByVfUuid = createVfcObjectNodeByVfUuid(cldsServiceData.getCldsVfs()); byIdObjectNode.putPOJO("byVf", vfcObjectNodeByVfUuid); // To create byKpi ObjectNode kpiObjectNode = mapper.createObjectNode(); if (cldsServiceData.getCldsVfs() != null && !cldsServiceData.getCldsVfs().isEmpty()) { for (CldsVfData currCldsVfData : cldsServiceData.getCldsVfs()) { if (currCldsVfData != null) { - createKpiObjectNodeByVfUuid(mapper, kpiObjectNode, currCldsVfData.getCldsKPIList()); + createKpiObjectNodeByVfUuid(kpiObjectNode, currCldsVfData.getCldsKPIList()); } } } 
@@ -873,8 +866,7 @@ public class SdcCatalogServices { if (cldsServiceData.getCldsVfs() != null && !cldsServiceData.getCldsVfs().isEmpty()) { for (CldsVfData currCldsVfData : cldsServiceData.getCldsVfs()) { if (currCldsVfData != null) { - createAlarmCondObjectNodeByVfcUuid(mapper, vfcResourceUuidObjectNode, - currCldsVfData.getCldsVfcs()); + createAlarmCondObjectNodeByVfcUuid(vfcResourceUuidObjectNode, currCldsVfData.getCldsVfcs()); } } } @@ -882,12 +874,12 @@ public class SdcCatalogServices { // To create byAlarmCondition with alarmConditionKey List allAlarmConditions = getAllAlarmConditionsFromCldsServiceData(cldsServiceData, "alarmCondition"); - ObjectNode alarmCondObjectNodeByAlarmKey = createAlarmCondObjectNodeByAlarmKey(mapper, allAlarmConditions); + ObjectNode alarmCondObjectNodeByAlarmKey = createAlarmCondObjectNodeByAlarmKey(allAlarmConditions); byIdObjectNode.putPOJO("byAlarmCondition", alarmCondObjectNodeByAlarmKey); // To create byAlertDescription with AlertDescription List allAlertDescriptions = getAllAlarmConditionsFromCldsServiceData(cldsServiceData, "alertDescription"); - ObjectNode alertDescObjectNodeByAlert = createAlarmCondObjectNodeByAlarmKey(mapper, allAlertDescriptions); + ObjectNode alertDescObjectNodeByAlert = createAlarmCondObjectNodeByAlarmKey(allAlertDescriptions); byIdObjectNode.putPOJO("byAlertDescription", alertDescObjectNodeByAlert); globalPropsJson.putPOJO("shared", byIdObjectNode); logger.info("Global properties JSON created with SDC info:" + globalPropsJson); 
@@ -963,8 +955,8 @@ public class SdcCatalogServices { return alarmCondList; } - private ObjectNode createAlarmCondObjectNodeByAlarmKey(ObjectMapper mapper, - List cldsAlarmCondList) { + private ObjectNode createAlarmCondObjectNodeByAlarmKey(List cldsAlarmCondList) { + ObjectMapper mapper = JacksonUtils.getObjectMapperInstance(); ObjectNode alarmCondKeyNode = mapper.createObjectNode(); if (cldsAlarmCondList != null && !cldsAlarmCondList.isEmpty()) { for (CldsAlarmCondition currCldsAlarmCondition : cldsAlarmCondList) { @@ -984,7 +976,8 @@ public class SdcCatalogServices { return alarmCondKeyNode; } - private ObjectNode createVfObjectNodeByServiceInvariantUuid(ObjectMapper mapper, CldsServiceData cldsServiceData) { + private ObjectNode createVfObjectNodeByServiceInvariantUuid(CldsServiceData cldsServiceData) { + ObjectMapper mapper = JacksonUtils.getObjectMapperInstance(); ObjectNode invariantUuidObjectNode = mapper.createObjectNode(); ObjectNode vfObjectNode = mapper.createObjectNode(); ObjectNode vfUuidNode = mapper.createObjectNode(); @@ -1003,8 +996,9 @@ public class SdcCatalogServices { return invariantUuidObjectNode; } - private void createKpiObjectNodeByVfUuid(ObjectMapper mapper, ObjectNode vfResourceUuidObjectNode, + private void createKpiObjectNodeByVfUuid(ObjectNode vfResourceUuidObjectNode, List cldsVfKpiDataList) { + ObjectMapper mapper = JacksonUtils.getObjectMapperInstance(); if (cldsVfKpiDataList != null && !cldsVfKpiDataList.isEmpty()) { for (CldsVfKPIData currCldsVfKpiData : cldsVfKpiDataList) { if (currCldsVfKpiData != null) { 
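Review bot: The private helpers `createAlarmCondObjectNodeByAlarmKey`, `createVfObjectNodeByServiceInvariantUuid` and `createKpiObjectNodeByVfUuid` now each fetch the global mapper themselves instead of receiving it, although their caller `createPropertiesObjectByUUID` still holds the same instance in `mapper`. That trades an explicit parameter for a hidden static dependency and repeats the lookup on every call inside the caller's loops. On the visible lines the helpers use the mapper only for `createObjectNode()`; if that holds for the rest of their bodies (outside these hunks), `JsonNodeFactory.instance.objectNode()` builds the nodes without touching mapper configuration at all. The same applies to `createAlarmCondObjectNodeByVfcUuid` and `createVfcObjectNodeByVfUuid` in the following hunks and to the `CldsService` helpers changed later in this patch.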
@@ -1022,8 +1016,9 @@ public class SdcCatalogServices { } } - private void createAlarmCondObjectNodeByVfcUuid(ObjectMapper mapper, ObjectNode vfcResourceUuidObjectNode, + private void createAlarmCondObjectNodeByVfcUuid(ObjectNode vfcResourceUuidObjectNode, List cldsVfcDataList) { + ObjectMapper mapper = JacksonUtils.getObjectMapperInstance(); ObjectNode vfcObjectNode = mapper.createObjectNode(); ObjectNode alarmCondNode = mapper.createObjectNode(); ObjectNode alertDescNode = mapper.createObjectNode(); @@ -1063,7 +1058,8 @@ public class SdcCatalogServices { * @param cldsVfDataList * @return */ - private ObjectNode createVfcObjectNodeByVfUuid(ObjectMapper mapper, List cldsVfDataList) { + private ObjectNode createVfcObjectNodeByVfUuid(List cldsVfDataList) { + ObjectMapper mapper = JacksonUtils.getObjectMapperInstance(); ObjectNode vfUuidObjectNode = mapper.createObjectNode(); if (cldsVfDataList != null && !cldsVfDataList.isEmpty()) { for (CldsVfData currCldsVfData : cldsVfDataList) { diff --git a/src/main/java/org/onap/clamp/clds/client/req/sdc/SdcRequests.java b/src/main/java/org/onap/clamp/clds/client/req/sdc/SdcRequests.java index e34b7e907..c76607af6 100644 --- a/src/main/java/org/onap/clamp/clds/client/req/sdc/SdcRequests.java +++ b/src/main/java/org/onap/clamp/clds/client/req/sdc/SdcRequests.java @@ -47,6 +47,7 @@ import org.onap.clamp.clds.model.properties.ModelProperties; import org.onap.clamp.clds.model.properties.Tca; import org.onap.clamp.clds.model.sdc.SdcResource; import org.onap.clamp.clds.model.sdc.SdcServiceDetail; +import org.onap.clamp.clds.util.JacksonUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; 
@@ -95,7 +96,7 @@ public class SdcRequests { * @return SDC Locations request in the JSON Format */ public String formatSdcLocationsReq(ModelProperties prop, String artifactName) { - ObjectMapper objectMapper = new ObjectMapper(); + ObjectMapper objectMapper = JacksonUtils.getObjectMapperInstance(); Global global = prop.getGlobal(); List locationsList = global.getLocation(); ArrayNode locationsArrayNode = objectMapper.createArrayNode(); @@ -203,9 +204,8 @@ public class SdcRequests { * In case of issues with the Json parser */ protected String getYamlvalue(String jsonGlobal) throws IOException { - ObjectMapper objectMapper = new ObjectMapper(); String yamlFileValue = ""; - ObjectNode root = objectMapper.readValue(jsonGlobal, ObjectNode.class); + ObjectNode root = JacksonUtils.getObjectMapperInstance().readValue(jsonGlobal, ObjectNode.class); Iterator> entryItr = root.fields(); while (entryItr.hasNext()) { Entry entry = entryItr.next(); diff --git a/src/main/java/org/onap/clamp/clds/config/ClampProperties.java b/src/main/java/org/onap/clamp/clds/config/ClampProperties.java index 66f35acc6..1c1bd7f2b 100644 --- a/src/main/java/org/onap/clamp/clds/config/ClampProperties.java +++ b/src/main/java/org/onap/clamp/clds/config/ClampProperties.java @@ -24,13 +24,13 @@ package org.onap.clamp.clds.config; import com.fasterxml.jackson.databind.JsonNode; -import com.fasterxml.jackson.databind.ObjectMapper; import java.io.IOException; import java.net.URL; import java.nio.charset.StandardCharsets; import org.apache.commons.io.IOUtils; +import org.onap.clamp.clds.util.JacksonUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; import org.springframework.core.env.Environment; 
@@ -88,9 +88,10 @@ public class ClampProperties { * In case of issues with the JSON parser */ public JsonNode getJsonTemplate(String key) throws IOException { - ObjectMapper objectMapper = new ObjectMapper(); String fileReference = getStringValue(key); - return (fileReference != null) ? objectMapper.readValue(getFileContentFromPath(fileReference), JsonNode.class) + return (fileReference != null) + ? JacksonUtils.getObjectMapperInstance().readValue(getFileContentFromPath(fileReference), + JsonNode.class) : null; } @@ -108,9 +109,10 @@ public class ClampProperties { * In case of issues with the JSON parser */ public JsonNode getJsonTemplate(String key1, String key2) throws IOException { - ObjectMapper objectMapper = new ObjectMapper(); String fileReference = getStringValue(key1, key2); - return (fileReference != null) ? objectMapper.readValue(getFileContentFromPath(fileReference), JsonNode.class) + return (fileReference != null) + ? JacksonUtils.getObjectMapperInstance().readValue(getFileContentFromPath(fileReference), + JsonNode.class) : null; } diff --git a/src/main/java/org/onap/clamp/clds/config/CldsUserJsonDecoder.java b/src/main/java/org/onap/clamp/clds/config/CldsUserJsonDecoder.java index bb1b9d139..28f9e9464 100644 --- a/src/main/java/org/onap/clamp/clds/config/CldsUserJsonDecoder.java +++ b/src/main/java/org/onap/clamp/clds/config/CldsUserJsonDecoder.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * ONAP CLAMP * ================================================================================ - * Copyright (C) 2017 AT&T Intellectual Property. All rights + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights * reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -23,8 +23,6 @@ package org.onap.clamp.clds.config; -import com.fasterxml.jackson.databind.ObjectMapper; - import java.io.IOException; import java.io.InputStream; import java.nio.charset.StandardCharsets; @@ -32,6 +30,7 @@ import java.nio.charset.StandardCharsets; import org.apache.commons.io.IOUtils; import org.onap.clamp.clds.exception.CldsUsersException; import org.onap.clamp.clds.service.CldsUser; +import org.onap.clamp.clds.util.JacksonUtils; public class CldsUserJsonDecoder { @@ -56,7 +55,7 @@ public class CldsUserJsonDecoder { try { // the ObjectMapper readValue method closes the stream no need to do // it - return new ObjectMapper().readValue(cldsUsersString, CldsUser[].class); + return JacksonUtils.getObjectMapperInstance().readValue(cldsUsersString, CldsUser[].class); } catch (IOException e) { throw new CldsUsersException("Exception occurred during the decoding of the clds-users.json", e); } diff --git a/src/main/java/org/onap/clamp/clds/config/sdc/BlueprintParserMappingConfiguration.java b/src/main/java/org/onap/clamp/clds/config/sdc/BlueprintParserMappingConfiguration.java index a78e895f7..9274f8297 100644 --- a/src/main/java/org/onap/clamp/clds/config/sdc/BlueprintParserMappingConfiguration.java +++ b/src/main/java/org/onap/clamp/clds/config/sdc/BlueprintParserMappingConfiguration.java @@ -24,12 +24,13 @@ package org.onap.clamp.clds.config.sdc; import com.fasterxml.jackson.core.type.TypeReference; -import com.fasterxml.jackson.databind.ObjectMapper; import java.io.IOException; import java.io.InputStream; import java.util.List; +import org.onap.clamp.clds.util.JacksonUtils; + /** * This class is used to decode the configuration found in * application.properties, this is related to the blueprint mapping 
@@ -65,6 +66,6 @@ public class BlueprintParserMappingConfiguration { public static List createFromJson(InputStream json) throws IOException { TypeReference> mapType = new TypeReference>() { }; - return new ObjectMapper().readValue(json, mapType); + return JacksonUtils.getObjectMapperInstance().readValue(json, mapType); } } diff --git a/src/main/java/org/onap/clamp/clds/config/sdc/SdcControllersConfiguration.java b/src/main/java/org/onap/clamp/clds/config/sdc/SdcControllersConfiguration.java index f5c658cf8..fdc007458 100644 --- a/src/main/java/org/onap/clamp/clds/config/sdc/SdcControllersConfiguration.java +++ b/src/main/java/org/onap/clamp/clds/config/sdc/SdcControllersConfiguration.java @@ -26,7 +26,6 @@ package org.onap.clamp.clds.config.sdc; import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; import com.fasterxml.jackson.databind.JsonNode; -import com.fasterxml.jackson.databind.ObjectMapper; import java.io.IOException; import java.util.HashMap; @@ -35,6 +34,7 @@ import java.util.Map; import javax.annotation.PostConstruct; import org.onap.clamp.clds.exception.sdc.controller.SdcParametersException; +import org.onap.clamp.clds.util.JacksonUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.ApplicationContext; @@ -65,7 +65,7 @@ public class SdcControllersConfiguration { public void loadConfiguration() throws IOException { Resource resource = appContext.getResource(sdcControllerFile); // Try to load json tree - jsonRootNode = new ObjectMapper().readValue(resource.getInputStream(), JsonNode.class); + jsonRootNode = JacksonUtils.getObjectMapperInstance().readValue(resource.getInputStream(), JsonNode.class); } public SdcSingleControllerConfiguration getSdcSingleControllerConfiguration(String controllerName) { 
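Review bot: `loadConfiguration` passes `resource.getInputStream()` straight into `readValue`, so the stream is closed only because Jackson's `JsonParser.Feature.AUTO_CLOSE_SOURCE` is on by default. With the mapper now obtained from `JacksonUtils`, that depends on configuration this class no longer owns. Closing it locally removes the dependency: `try (InputStream in = resource.getInputStream()) { jsonRootNode = JacksonUtils.getObjectMapperInstance().readValue(in, JsonNode.class); }`, which needs a `java.io.InputStream` import that the visible import hunk does not show. `BlueprintParserMappingConfiguration.createFromJson(InputStream json)` in the preceding hunk relies on the same default; there the caller owns the stream, so a Javadoc sentence saying whether the method closes it would be enough.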
diff --git a/src/main/java/org/onap/clamp/clds/model/CldsModel.java b/src/main/java/org/onap/clamp/clds/model/CldsModel.java index 34876bbc0..a2c8f72f7 100644 --- a/src/main/java/org/onap/clamp/clds/model/CldsModel.java +++ b/src/main/java/org/onap/clamp/clds/model/CldsModel.java @@ -26,7 +26,6 @@ package org.onap.clamp.clds.model; import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; import com.fasterxml.jackson.databind.JsonNode; -import com.fasterxml.jackson.databind.ObjectMapper; import java.io.IOException; import java.util.ArrayList; @@ -37,6 +36,7 @@ import javax.ws.rs.BadRequestException; import javax.ws.rs.NotFoundException; import org.onap.clamp.clds.dao.CldsDao; +import org.onap.clamp.clds.util.JacksonUtils; /** * Represent a CLDS Model. @@ -239,7 +239,7 @@ public class CldsModel { boolean result = false; try { if (propText != null) { - JsonNode modelJson = new ObjectMapper().readTree(propText); + JsonNode modelJson = JacksonUtils.getObjectMapperInstance().readTree(propText); JsonNode simpleModelJson = modelJson.get("simpleModel"); if (simpleModelJson != null && simpleModelJson.asBoolean()) { result = true; diff --git a/src/main/java/org/onap/clamp/clds/model/properties/ModelBpmn.java b/src/main/java/org/onap/clamp/clds/model/properties/ModelBpmn.java index 2b86b3fdc..89883c451 100644 --- a/src/main/java/org/onap/clamp/clds/model/properties/ModelBpmn.java +++ b/src/main/java/org/onap/clamp/clds/model/properties/ModelBpmn.java @@ -26,7 +26,6 @@ package org.onap.clamp.clds.model.properties; import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; import com.fasterxml.jackson.databind.JsonNode; -import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.node.ArrayNode; import com.fasterxml.jackson.databind.node.ObjectNode; 
@@ -40,6 +39,7 @@ import java.util.Map.Entry; import org.onap.clamp.clds.exception.ModelBpmnException; import org.onap.clamp.clds.service.CldsService; +import org.onap.clamp.clds.util.JacksonUtils; /** * Parse Model BPMN properties. @@ -47,15 +47,15 @@ import org.onap.clamp.clds.service.CldsService; * Example json: {"policy" :[{"id":"Policy_0oxeocn", "from":"StartEvent_1"}]} */ public class ModelBpmn { - protected static final EELFLogger logger = EELFManager.getInstance() - .getLogger(CldsService.class); - protected static final EELFLogger auditLogger = EELFManager.getInstance().getAuditLogger(); + + protected static final EELFLogger logger = EELFManager.getInstance().getLogger(CldsService.class); + protected static final EELFLogger auditLogger = EELFManager.getInstance().getAuditLogger(); // for each type, an array of entries private final Map> entriesByType = new HashMap<>(); // for each id, an array of entries - private final Map> entriesById = new HashMap<>(); + private final Map> entriesById = new HashMap<>(); // List of all elementIds - private List bpmnElementIds; + private List bpmnElementIds; /** * Create ModelBpmn and populate maps from json @@ -66,8 +66,7 @@ public class ModelBpmn { public static ModelBpmn create(String modelBpmnPropText) { try { ModelBpmn modelBpmn = new ModelBpmn(); - ObjectMapper objectMapper = new ObjectMapper(); - ObjectNode root = objectMapper.readValue(modelBpmnPropText, ObjectNode.class); + ObjectNode root = JacksonUtils.getObjectMapperInstance().readValue(modelBpmnPropText, ObjectNode.class); // iterate over each entry like: // "Policy":[{"id":"Policy","from":"StartEvent_1"}] Iterator> entryItr = root.fields(); diff --git a/src/main/java/org/onap/clamp/clds/model/properties/ModelProperties.java b/src/main/java/org/onap/clamp/clds/model/properties/ModelProperties.java index f9b1c25a4..cc6f02de3 100644 --- a/src/main/java/org/onap/clamp/clds/model/properties/ModelProperties.java 
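Review bot: The `logger` line this hunk rewrites still calls `getLogger(CldsService.class)` inside `ModelBpmn`, so messages written through it are attributed to `CldsService`. That misleads anyone filtering logs by class during troubleshooting or incident review. Since the line is being touched anyway, make it `protected static final EELFLogger logger = EELFManager.getInstance().getLogger(ModelBpmn.class);`. The `org.onap.clamp.clds.service.CldsService` import could then go if nothing else in the file uses it, which is not visible here.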
+++ b/src/main/java/org/onap/clamp/clds/model/properties/ModelProperties.java @@ -26,7 +26,6 @@ package org.onap.clamp.clds.model.properties; import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; import com.fasterxml.jackson.databind.JsonNode; -import com.fasterxml.jackson.databind.ObjectMapper; import java.io.IOException; import java.lang.reflect.InvocationTargetException; @@ -41,6 +40,7 @@ import org.onap.clamp.clds.exception.ModelBpmnException; import org.onap.clamp.clds.model.CldsEvent; import org.onap.clamp.clds.model.CldsModel; import org.onap.clamp.clds.service.CldsService; +import org.onap.clamp.clds.util.JacksonUtils; /** * Parse model properties. @@ -96,7 +96,7 @@ public class ModelProperties { this.actionCd = actionCd; this.testOnly = isATest; modelBpmn = ModelBpmn.create(modelBpmnText); - modelJson = new ObjectMapper().readTree(modelPropText); + modelJson = JacksonUtils.getObjectMapperInstance().readTree(modelPropText); instantiateMissingModelElements(); } catch (IOException e) { throw new ModelBpmnException("Exception occurred when trying to decode the BPMN Properties JSON", e); @@ -141,8 +141,7 @@ public class ModelProperties { public static String getVf(CldsModel model) { List vfs = null; try { - ObjectMapper mapper = new ObjectMapper(); - JsonNode modelJson = mapper.readTree(model.getPropText()); + JsonNode modelJson = JacksonUtils.getObjectMapperInstance().readTree(model.getPropText()); Global global = new Global(modelJson); vfs = global.getResourceVf(); } catch (IOException e) { diff --git a/src/main/java/org/onap/clamp/clds/service/CldsService.java b/src/main/java/org/onap/clamp/clds/service/CldsService.java index c23d2ec87..e828f844f 100644 --- a/src/main/java/org/onap/clamp/clds/service/CldsService.java +++ b/src/main/java/org/onap/clamp/clds/service/CldsService.java 
@@ -85,6 +85,7 @@ import org.onap.clamp.clds.model.sdc.SdcResource; import org.onap.clamp.clds.model.sdc.SdcServiceDetail; import org.onap.clamp.clds.model.sdc.SdcServiceInfo; import org.onap.clamp.clds.transform.XslTransformer; +import org.onap.clamp.clds.util.JacksonUtils; import org.onap.clamp.clds.util.LoggingUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; @@ -426,7 +427,8 @@ public class CldsService extends SecureServiceBase { if (template != null) { model.setTemplateId(template.getId()); model.setDocText(template.getPropText()); - // This is to provide the Bpmn XML when Template part in UI is + // This is to provide the Bpmn XML when Template part in UI + // is // disabled model.setBpmnText(template.getBpmnText()); } @@ -441,7 +443,8 @@ public class CldsService extends SecureServiceBase { String controlName = model.getControlName(); String bpmnJson = cldsBpmnTransformer.doXslTransformToString(bpmn); logger.info("PUT bpmnJson={}", bpmnJson); - // Flag indicates whether it is triggered by Validation Test button from + // Flag indicates whether it is triggered by Validation Test button + // from // UI boolean isTest = false; if (test != null && test.equalsIgnoreCase("true")) { @@ -466,8 +469,8 @@ public class CldsService extends SecureServiceBase { logger.info("modelProp - " + prop); logger.info("docText - " + docText); try { - String result = camelProxy.submit(actionCd, prop, bpmnJson, modelName, controlName, docText, isTest, userId, - isInsertTestEvent); + String result = camelProxy.submit(actionCd, prop, bpmnJson, modelName, controlName, docText, isTest, + userId, isInsertTestEvent); logger.info("Starting Camel flow on request, result is: ", result); } catch (SdcCommunicationException | PolicyClientException | BadRequestException e) { errorCase = true; 
@@ -478,7 +481,8 @@ public class CldsService extends SecureServiceBase { if (!isTest && (actionCd.equalsIgnoreCase(CldsEvent.ACTION_SUBMIT) || actionCd.equalsIgnoreCase(CldsEvent.ACTION_RESUBMIT) || actionCd.equalsIgnoreCase(CldsEvent.ACTION_SUBMITDCAE))) { - // To verify inventory status and modify model status to distribute + // To verify inventory status and modify model status to + // distribute dcaeInventoryServices.setEventInventory(retrievedModel, getUserId()); retrievedModel.save(cldsDao, getUserId()); } @@ -490,7 +494,6 @@ public class CldsService extends SecureServiceBase { errorCase = true; logger.error("Exception occured during putModelAndProcessAction", e); } - if (errorCase) { return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(retrievedModel).build(); } @@ -675,7 +678,7 @@ public class CldsService extends SecureServiceBase { if (StringUtils.isBlank(responseStr)) { return ""; } - ObjectMapper objectMapper = new ObjectMapper(); + ObjectMapper objectMapper = JacksonUtils.getObjectMapperInstance(); List rawList = objectMapper.readValue(responseStr, objectMapper.getTypeFactory().constructCollectionType(List.class, SdcServiceInfo.class)); ObjectNode invariantIdServiceNode = objectMapper.createObjectNode(); 
@@ -695,26 +698,26 @@ public class CldsService extends SecureServiceBase { } private String createPropertiesObjectByUUID(String cldsResponseStr) throws IOException { - ObjectMapper mapper = new ObjectMapper(); + ObjectMapper mapper = JacksonUtils.getObjectMapperInstance(); SdcServiceDetail cldsSdcServiceDetail = mapper.readValue(cldsResponseStr, SdcServiceDetail.class); ObjectNode globalPropsJson = (ObjectNode) refProp.getJsonTemplate(GLOBAL_PROPERTIES_KEY); if (cldsSdcServiceDetail != null && cldsSdcServiceDetail.getUuid() != null) { /** * to create json with vf, alarm and locations */ - ObjectNode serviceObjectNode = createEmptyVfAlarmObject(mapper); + ObjectNode serviceObjectNode = createEmptyVfAlarmObject(); ObjectNode vfObjectNode = mapper.createObjectNode(); /** * to create json with vf and vfresourceId */ - createVfObjectNode(vfObjectNode, mapper, cldsSdcServiceDetail.getResources()); + createVfObjectNode(vfObjectNode, cldsSdcServiceDetail.getResources()); serviceObjectNode.putPOJO(cldsSdcServiceDetail.getInvariantUUID(), vfObjectNode); ObjectNode byServiceBasicObjetNode = mapper.createObjectNode(); byServiceBasicObjetNode.putPOJO("byService", serviceObjectNode); /** * to create json with VFC Node */ - ObjectNode emptyvfcobjectNode = createByVFCObjectNode(mapper, cldsSdcServiceDetail.getResources()); + ObjectNode emptyvfcobjectNode = createByVFCObjectNode(cldsSdcServiceDetail.getResources()); byServiceBasicObjetNode.putPOJO("byVf", emptyvfcobjectNode); globalPropsJson.putPOJO("shared", byServiceBasicObjetNode); logger.info("valuie of objNode: {}", globalPropsJson); 
@@ -722,7 +725,8 @@ public class CldsService extends SecureServiceBase { return globalPropsJson.toString(); } - private ObjectNode createEmptyVfAlarmObject(ObjectMapper mapper) { + private ObjectNode createEmptyVfAlarmObject() { + ObjectMapper mapper = JacksonUtils.getObjectMapperInstance(); ObjectNode emptyObjectNode = mapper.createObjectNode(); emptyObjectNode.put("", ""); ObjectNode vfObjectNode = mapper.createObjectNode(); @@ -734,8 +738,8 @@ public class CldsService extends SecureServiceBase { return emptyServiceObjectNode; } - private void createVfObjectNode(ObjectNode vfObjectNode2, ObjectMapper mapper, - List rawCldsSdcResourceList) { + private void createVfObjectNode(ObjectNode vfObjectNode2, List rawCldsSdcResourceList) { + ObjectMapper mapper = JacksonUtils.getObjectMapperInstance(); ObjectNode vfNode = mapper.createObjectNode(); vfNode.put("", ""); // To remove repeated resource instance name from @@ -782,7 +786,8 @@ public class CldsService extends SecureServiceBase { vfObjectNode2.putPOJO("alarmCondition", alarmStringJsonNode); } - private ObjectNode createByVFCObjectNode(ObjectMapper mapper, List cldsSdcResourceList) { + private ObjectNode createByVFCObjectNode(List cldsSdcResourceList) { + ObjectMapper mapper = JacksonUtils.getObjectMapperInstance(); ObjectNode emptyObjectNode = mapper.createObjectNode(); ObjectNode emptyvfcobjectNode = mapper.createObjectNode(); ObjectNode vfCObjectNode = mapper.createObjectNode(); @@ -804,8 +809,7 @@ public class CldsService extends SecureServiceBase { @Path("/deploy/{modelName}") @Consumes(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON) - public Response deployModel(@PathParam("modelName") String modelName, - CldsModel model) { + public Response deployModel(@PathParam("modelName") String modelName, CldsModel model) { Date startTime = new Date(); LoggingUtils.setRequestContext("CldsService: Deploy model", getPrincipalName()); Boolean errorCase = false; 
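Review bot: The three helpers changed here (`createEmptyVfAlarmObject`, `createVfObjectNode`, `createByVFCObjectNode`) now each go through the `synchronized` `JacksonUtils.getObjectMapperInstance()` only to call `mapper.createObjectNode()`, at least in the lines these hunks show. With the mapper built as in `JacksonUtils`, creating empty nodes does not depend on its deserialization settings, so `ObjectNode emptyObjectNode = JsonNodeFactory.instance.objectNode();` gives the same result without touching the shared instance. That would leave the shared mapper referenced only where JSON text is actually parsed, which makes those call sites easier to audit. The bodies of `createVfObjectNode` and `createByVFCObjectNode` continue outside the hunks, so confirm they use the mapper for nothing else before switching.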
@@ -861,7 +865,6 @@ public class CldsService extends SecureServiceBase { errorCase = true; logger.error("Exception occured during deployModel", e); } - if (errorCase) { return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(model).build(); } @@ -872,11 +875,9 @@ public class CldsService extends SecureServiceBase { @Path("/undeploy/{modelName}") @Consumes(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON) - public Response unDeployModel(@PathParam("modelName") String modelName, - CldsModel model) { + public Response unDeployModel(@PathParam("modelName") String modelName, CldsModel model) { Date startTime = new Date(); LoggingUtils.setRequestContext("CldsService: Undeploy model", getPrincipalName()); - Boolean errorCase = false; try { String operationStatusUndeployUrl = dcaeDispatcherServices.deleteExistingDeployment(model.getDeploymentId(), @@ -916,7 +917,6 @@ public class CldsService extends SecureServiceBase { errorCase = true; logger.error("Exception occured during unDeployModel", e); } - if (errorCase) { return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(model).build(); } 
@@ -924,15 +924,13 @@ public class CldsService extends SecureServiceBase { } private void checkForDuplicateServiceVf(String modelName, String modelPropText) throws IOException { - JsonNode modelJson = new ObjectMapper().readTree(modelPropText); - JsonNode globalNode = modelJson.get("global"); + JsonNode globalNode = JacksonUtils.getObjectMapperInstance().readTree(modelPropText).get("global"); String service = AbstractModelElement.getValueByName(globalNode, "service"); List resourceVf = AbstractModelElement.getValuesByName(globalNode, "vf"); if (service != null && resourceVf != null && !resourceVf.isEmpty()) { List cldsModelPropList = cldsDao.getDeployedModelProperties(); for (CldsModelProp cldsModelProp : cldsModelPropList) { - JsonNode currentJson = new ObjectMapper().readTree(cldsModelProp.getPropText()); - JsonNode currentNode = currentJson.get("global"); + JsonNode currentNode = JacksonUtils.getObjectMapperInstance().readTree(cldsModelProp.getPropText()).get("global"); String currentService = AbstractModelElement.getValueByName(currentNode, "service"); List currentVf = AbstractModelElement.getValuesByName(currentNode, "vf"); if (currentVf != null && !currentVf.isEmpty()) { diff --git a/src/main/java/org/onap/clamp/clds/service/JacksonObjectMapperProvider.java b/src/main/java/org/onap/clamp/clds/service/JacksonObjectMapperProvider.java new file mode 100644 index 000000000..87f827316 --- /dev/null +++ b/src/main/java/org/onap/clamp/clds/service/JacksonObjectMapperProvider.java 
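Review bot: Both rewritten lines in `checkForDuplicateServiceVf` chain `.get("global")` directly onto `readTree(...)`, so a property text for which `readTree` yields no tree would surface as a NullPointerException rather than a handled error. Whether empty text produces `null` depends on the Jackson version in use, so this needs confirming against the project's dependency. Keeping the intermediate variable, as in `JsonNode modelJson = JacksonUtils.getObjectMapperInstance().readTree(modelPropText);`, and rejecting a null result explicitly before reading `"global"` would make the failure mode deliberate. The same applies to the loop line that parses `cldsModelProp.getPropText()`. The method body continues outside the hunk.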
@@ -0,0 +1,51 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP CLAMP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights
+ * reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END============================================
+ * ===================================================================
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+
+package org.onap.clamp.clds.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import javax.ws.rs.ext.ContextResolver;
+
+import org.onap.clamp.clds.util.JacksonUtils;
+
+/**
+ * This class is to restrcit the class type that can be de-serialized.
+ */
+public class JacksonObjectMapperProvider implements ContextResolver {
+
+ private final ObjectMapper defaultObjectMapper;
+
+ public JacksonObjectMapperProvider() {
+ defaultObjectMapper = createDefaultMapper();
+ }
+
+ @Override
+ public ObjectMapper getContext(Class type) {
+ return defaultObjectMapper;
+ }
+
+ private static ObjectMapper createDefaultMapper() {
+ return JacksonUtils.getObjectMapperInstance();
+ }
+}
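Review bot: The class Javadoc says this class restricts the types that can be de-serialized, but the code only returns the mapper from `JacksonUtils.getObjectMapperInstance()` to the JAX-RS runtime; the restriction itself is configured in `JacksonUtils`. I would reword it, fixing the `restrcit` typo, to `Supplies the shared ObjectMapper from JacksonUtils, which has default typing disabled, to the JAX-RS runtime.` `getContext` deserves a one-line comment that the same instance is returned whatever `type` is requested. `createDefaultMapper()` adds nothing over assigning the field directly with `defaultObjectMapper = JacksonUtils.getObjectMapperInstance();`.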
diff --git a/src/main/java/org/onap/clamp/clds/service/JaxrsApplication.java b/src/main/java/org/onap/clamp/clds/service/JaxrsApplication.java index 702e06499..d3c212c24 100644 --- a/src/main/java/org/onap/clamp/clds/service/JaxrsApplication.java +++ b/src/main/java/org/onap/clamp/clds/service/JaxrsApplication.java @@ -32,6 +32,7 @@ import java.util.Optional; import java.util.Set; import java.util.function.Function; import java.util.stream.Collectors; + import javax.ws.rs.ApplicationPath; import javax.ws.rs.core.Application; @@ -45,7 +46,6 @@ import org.springframework.stereotype.Component; public class JaxrsApplication extends Application { private static final EELFLogger logger = EELFManager.getInstance().getLogger(JaxrsApplication.class); - private Function>> beanDefinitionToClass = b -> { try { return Optional.of(Class.forName(b.getBeanClassName())); @@ -58,6 +58,7 @@ public class JaxrsApplication extends Application { @Override public Set> getClasses() { Set> resources = new HashSet<>(); + resources.add(JacksonObjectMapperProvider.class); resources.add(io.swagger.v3.jaxrs2.integration.resources.OpenApiResource.class); resources.addAll(scan()); return resources; @@ -66,11 +67,7 @@ public class JaxrsApplication extends Application { private List> scan() { ClassPathScanningCandidateComponentProvider scanner = new ClassPathScanningCandidateComponentProvider(false); scanner.addIncludeFilter(new AnnotationTypeFilter(javax.ws.rs.Path.class)); - return scanner.findCandidateComponents("org.onap.clamp.clds").stream() - .map(beanDefinitionToClass) - .filter(Optional::isPresent) - .map(Optional::get) - .collect(Collectors.toList()); + return scanner.findCandidateComponents("org.onap.clamp.clds").stream().map(beanDefinitionToClass) + .filter(Optional::isPresent).map(Optional::get).collect(Collectors.toList()); } - } \ No newline at end of file 
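Review bot: The added `resources.add(JacksonObjectMapperProvider.class);` in `getClasses()` has no comment, yet it is the line that routes REST request and response bodies through the centralized mapper, and it reads like any other resource registration. A comment such as `// Security: JSON bodies must use the JacksonUtils mapper (default typing disabled); do not remove.` would keep a later cleanup from dropping it. Whether the JSON provider on the classpath actually consults this resolver is not visible in the diff, so a regression test asserting that the REST layer uses the `JacksonUtils` instance would be worth adding.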
diff --git a/src/main/java/org/onap/clamp/clds/util/JacksonUtils.java b/src/main/java/org/onap/clamp/clds/util/JacksonUtils.java
new file mode 100644
index 000000000..9d743f2a6
--- /dev/null
+++ b/src/main/java/org/onap/clamp/clds/util/JacksonUtils.java
@@ -0,0 +1,53 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP CLAMP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights
+ * reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END============================================
+ * ===================================================================
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+
+package org.onap.clamp.clds.util;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+/**
+ * This class is used to access the jackson with restricted type access.
+ */
+public class JacksonUtils {
+
+ private static ObjectMapper objectMapper;
+
+ private JacksonUtils() {
+ }
+
+ /**
+ * Call this method to retrieve a secure ObjectMapper.
+ *
+ * @return an ObjectMapper instance (same for clamp)
+ */
+ public static synchronized ObjectMapper getObjectMapperInstance() {
+ if (objectMapper == null) {
+ objectMapper = new ObjectMapper();
+ // This is to disable the security hole that could be opened for
+ // json deserialization, if needed do this
+ // objectMapper.enableDefaultTyping(DefaultTyping.NON_FINAL);
+ objectMapper.disableDefaultTyping();
+ }
+ return objectMapper;
+ }
+}
-- cgit 1.2.3-korg
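Review bot: `getObjectMapperInstance()` hands every caller the one mutable `ObjectMapper`, so the hardening holds only while no caller reconfigures it, and the inline hint `if needed do this // objectMapper.enableDefaultTyping(DefaultTyping.NON_FINAL);` reads as an invitation to switch polymorphic typing back on for the whole application. A freshly constructed `ObjectMapper` already has default typing off, so `disableDefaultTyping()` records intent rather than changing behaviour. I would replace the hint with `// Default typing must stay disabled: with it on, JSON input can select which classes get instantiated.` The method Javadoc should also state that callers must not change the returned mapper's configuration. The lazy `synchronized` accessor can become `private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper().disableDefaultTyping();`, which removes the lock taken on every call.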