diff options
author | guangxingwang <gw1218@att.com> | 2018-02-15 11:13:18 -0600 |
---|---|---|
committer | guangxingwang <gw1218@att.com> | 2018-02-19 16:42:19 -0600 |
commit | 5ba143338d6fbc2b4d1e36c0efcbbabe15c65301 (patch) | |
tree | 7b5898632763ee06f09a2fd548107bd4e5750f8f /ONAP-PAP-REST/src/main/java/org | |
parent | e5c628fee6a6e6bb57a34d5b73e092d89ee26a5c (diff) |
Fix Fortify Scan Issue:
1) Fix Fortify Header Manipulation issue by checking the format of the
message before adding it response header.
2) Fix Fortify Hardcoded Password issue by using encryption and decryption
Issue-ID: POLICY-543
Change-Id: I16b44b9b0670b1af75094c9ae9d1f7d352fa894a
Signed-off-by: guangxingwang <gw1218@att.com>
Diffstat (limited to 'ONAP-PAP-REST/src/main/java/org')
4 files changed, 86 insertions, 76 deletions
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/PolicyDBDao.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/PolicyDBDao.java index 885e5e888..568830f53 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/PolicyDBDao.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/PolicyDBDao.java @@ -69,6 +69,7 @@ import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.xpath.XPath; import javax.xml.xpath.XPathFactory; +import org.apache.commons.io.FileUtils; import org.apache.commons.io.FilenameUtils; import org.apache.commons.io.IOUtils; import org.elasticsearch.common.Strings; @@ -88,11 +89,13 @@ import org.onap.policy.rest.jpa.PdpEntity; import org.onap.policy.rest.jpa.PolicyDBDaoEntity; import org.onap.policy.rest.jpa.PolicyEntity; import org.onap.policy.rest.util.Webapps; +import org.onap.policy.utils.CryptoUtils; import org.onap.policy.xacml.api.pap.OnapPDP; import org.onap.policy.xacml.api.pap.OnapPDPGroup; import org.onap.policy.xacml.api.pap.PAPPolicyEngine; import org.onap.policy.xacml.std.pap.StdPDPGroup; import org.onap.policy.xacml.std.pap.StdPDPPolicy; +import org.onap.policy.xacml.util.XACMLPolicyScanner; import org.onap.policy.xacml.util.XACMLPolicyWriter; import org.w3c.dom.Document; import org.xml.sax.InputSource; @@ -324,7 +327,7 @@ public class PolicyDBDao { } } if(urlUserPass[2] == null || urlUserPass[2].equals("")){ - String passwordPropertyValue = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS); + String passwordPropertyValue = CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS)); if(passwordPropertyValue != null){ urlUserPass[2] = passwordPropertyValue; } @@ -333,24 +336,6 @@ public class PolicyDBDao { return urlUserPass; } - private static String encryptPassword(String password) throws UnsupportedEncodingException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException{ - Cipher cipher = Cipher.getInstance("AES"); - cipher.init(Cipher.ENCRYPT_MODE, aesKey()); - byte[] encryption = cipher.doFinal(password.getBytes("UTF-8")); - logger.debug("Encryption value is " + encryption); - return new String(Base64.getMimeEncoder().encode(encryption),"UTF-8"); - } - - private static String decryptPassword(String encryptedPassword) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException{ - Cipher cipher = Cipher.getInstance("AES"); - cipher.init(Cipher.DECRYPT_MODE, aesKey()); - byte[] password = cipher.doFinal(Base64.getDecoder().decode(encryptedPassword.getBytes("UTF-8"))); - return new String(password,"UTF-8"); - } - private static Key aesKey(){ - byte[] aesValue = (new String("njrmbklcxtoplawf")).getBytes(); - return new SecretKeySpec(aesValue,"AES"); - } /** * Register the PolicyDBDao instance in the PolicyDBDaoEntity table * @return Boolean, were we able to register? @@ -358,6 +343,11 @@ public class PolicyDBDao { private boolean register(){ logger.debug("register() as register() called"); String[] url = getPapUrlUserPass(); + //--- check URL length + if(url == null || url.length<3){ + return false; + } + EntityManager em = emf.createEntityManager(); try{ startTransactionSynced(em, 1000); @@ -391,18 +381,22 @@ public class PolicyDBDao { PolicyDBDaoEntity foundPolicyDBDaoEntity = em.find(PolicyDBDaoEntity.class, url[0]); Query getPolicyDBDaoEntityQuery = em.createQuery("SELECT e FROM PolicyDBDaoEntity e WHERE e.policyDBDaoUrl=:url"); getPolicyDBDaoEntityQuery.setParameter("url", url[0]); + // encrypt the password + String txt = null; + try{ + txt = CryptoUtils.encryptTxt(url[2].getBytes(StandardCharsets.UTF_8)); + } catch(Exception e){ + logger.debug(e); + PolicyLogger.error(MessageCodes.EXCEPTION_ERROR, e, "PolicyDBDao", "Could not encrypt PAP password"); + } if(foundPolicyDBDaoEntity == null){ PolicyDBDaoEntity newPolicyDBDaoEntity = new PolicyDBDaoEntity(); em.persist(newPolicyDBDaoEntity); newPolicyDBDaoEntity.setPolicyDBDaoUrl(url[0]); newPolicyDBDaoEntity.setDescription("PAP server at "+url[0]); newPolicyDBDaoEntity.setUsername(url[1]); - try{ - newPolicyDBDaoEntity.setPassword(encryptPassword(url[2])); - } catch(Exception e){ - logger.debug(e); - PolicyLogger.error(MessageCodes.EXCEPTION_ERROR, e, "PolicyDBDao", "Could not encrypt PAP password"); - } + newPolicyDBDaoEntity.setPassword(txt); + try{ em.getTransaction().commit(); } catch(Exception e){ @@ -416,19 +410,14 @@ public class PolicyDBDao { } } else { //just want to update in order to change modified date - String encryptedPassword = null; - try{ - encryptedPassword = encryptPassword(url[2]); - } catch(Exception e){ - logger.debug(e); - PolicyLogger.error(MessageCodes.EXCEPTION_ERROR, e, "PolicyDBDao", "Could not encrypt PAP password"); - } + if(url[1] != null && !stringEquals(url[1], foundPolicyDBDaoEntity.getUsername())){ foundPolicyDBDaoEntity.setUsername(url[1]); } - if(encryptedPassword != null && !stringEquals(encryptedPassword, foundPolicyDBDaoEntity.getPassword())){ - foundPolicyDBDaoEntity.setPassword(encryptedPassword); + if(txt != null && !stringEquals(txt, foundPolicyDBDaoEntity.getPassword())){ + foundPolicyDBDaoEntity.setPassword(txt); } + foundPolicyDBDaoEntity.preUpdate(); try{ em.getTransaction().commit(); @@ -492,16 +481,17 @@ public class PolicyDBDao { PolicyDBDaoEntity dbdEntity = (PolicyDBDaoEntity)obj; String o = dbdEntity.getPolicyDBDaoUrl(); String username = dbdEntity.getUsername(); - String password; + String txt; try{ - password = decryptPassword(dbdEntity.getPassword()); + txt = new String(CryptoUtils.decryptTxt(dbdEntity.getPassword()), StandardCharsets.UTF_8); } catch(Exception e){ logger.debug(e); //if we can't decrypt, might as well try it anyway - password = dbdEntity.getPassword(); + txt = dbdEntity.getPassword(); } + Base64.Encoder encoder = Base64.getEncoder(); - String encoding = encoder.encodeToString((username+":"+password).getBytes(StandardCharsets.UTF_8)); + String encoding = encoder.encodeToString((username+":"+txt).getBytes(StandardCharsets.UTF_8)); HttpURLConnection connection = null; UUID requestID = UUID.randomUUID(); URL url; @@ -597,6 +587,7 @@ public class PolicyDBDao { logger.warn("Caught Exception on: connection.getResponseCode() ", e); } + connection.disconnect(); } } @@ -690,7 +681,7 @@ public class PolicyDBDao { case GROUP_NOTIFICATION: for(int i=0; i<retries;i++){ try{ - handleIncomingGroupChange(entityId, extraData, transaction, xacmlPapServlet); + handleIncomingGroupChange(url, entityId, extraData, transaction, xacmlPapServlet); break; }catch(Exception e){ logger.debug(e); @@ -708,7 +699,7 @@ public class PolicyDBDao { //no changes should be being made in this function, we still need to close transaction.rollbackTransaction(); } - private void handleIncomingGroupChange(String groupId, String extraData,PolicyDBDaoTransaction transaction,XACMLPapServlet xacmlPapServlet) throws PAPException, PolicyDBException{ + private void handleIncomingGroupChange(String url, String groupId, String extraData,PolicyDBDaoTransaction transaction,XACMLPapServlet xacmlPapServlet) throws PAPException, PolicyDBException{ GroupEntity groupRecord = null; long groupIdLong = -1; try{ @@ -896,8 +887,9 @@ public class PolicyDBDao { } else { //convert PolicyEntity object to PDPPolicy - String name = pdpPolicyId.replace(".xml", ""); - name = name.substring(0, name.lastIndexOf('.')); + String name = null; + name = pdpPolicyId.replace(".xml", ""); + name = name.substring(0, name.lastIndexOf(".")); InputStream policyStream = new ByteArrayInputStream(policy.getPolicyData().getBytes()); pdpGroup.copyPolicyToFile(pdpPolicyId,name,policyStream); URI location = Paths.get(pdpGroup.getDirectory().toAbsolutePath().toString(), pdpPolicyId).toUri(); @@ -1213,28 +1205,34 @@ public class PolicyDBDao { EntityManager em = emf.createEntityManager(); em.getTransaction().begin(); - StdPDPGroup updatedGroup = null; - try { - Query groupQuery = em.createQuery("SELECT g FROM GroupEntity g WHERE g.groupId=:groupId AND g.deleted=:deleted"); - groupQuery.setParameter("groupId", group.getId()); - groupQuery.setParameter("deleted", false); - List<?> groupQueryList = groupQuery.getResultList(); - if(groupQueryList!=null && !groupQueryList.isEmpty()){ - GroupEntity dbgroup = (GroupEntity)groupQueryList.get(0); - updatedGroup = synchronizeGroupPoliciesInFileSystem(group, dbgroup); - logger.info("Group was updated during file system audit: " + updatedGroup.toString()); - } - } catch (PAPException | PolicyDBException e) { - logger.error(e); - } catch (Exception e) { - logger.error(e); + Query groupQuery = em.createQuery("SELECT g FROM GroupEntity g WHERE g.groupId=:groupId AND g.deleted=:deleted"); + groupQuery.setParameter("groupId", group.getId()); + groupQuery.setParameter("deleted", false); + List<?> groupQueryList; + try{ + groupQueryList = groupQuery.getResultList(); + }catch(Exception e){ PolicyLogger.error(MessageCodes.EXCEPTION_ERROR, e, "PolicyDBDao", "Caught Exception trying to check if group exists groupQuery.getResultList()"); throw new PersistenceException("Query failed trying to check if group "+group.getId()+" exists"); } + GroupEntity dbgroup = null; + if(groupQueryList!=null){ + dbgroup = (GroupEntity)groupQueryList.get(0); + } + em.getTransaction().commit(); em.close(); + StdPDPGroup updatedGroup = null; + try { + updatedGroup = synchronizeGroupPoliciesInFileSystem(group, dbgroup); + } catch (PAPException e) { + logger.error(e); + } catch (PolicyDBException e) { + logger.error(e); + } + logger.info("Group was updated during file system audit: " + updatedGroup.toString()); return updatedGroup; } @@ -2879,15 +2877,17 @@ public class PolicyDBDao { em.flush(); // After adding policy to the db group we need to make sure the filesytem group is in sync with the db group + StdPDPGroup pdpGroup = null; + StdPDPGroup updatedGroup = null; try { - StdPDPGroup pdpGroup = (StdPDPGroup) papEngine.getGroup(group.getGroupId()); - return synchronizeGroupPoliciesInFileSystem(pdpGroup, group); + pdpGroup = (StdPDPGroup) papEngine.getGroup(group.getGroupId()); + updatedGroup = synchronizeGroupPoliciesInFileSystem(pdpGroup, group); } catch (PAPException e) { logger.debug(e); PolicyLogger.error("PolicyDBDao: Could not synchronize the filesystem group with the database group. " + e.getMessage()); } - - return null; + + return updatedGroup; } } @@ -2945,12 +2945,6 @@ public class PolicyDBDao { String computeScope(String fullPath, String pathToExclude){ return PolicyDBDao.computeScope(fullPath, pathToExclude); } - String encryptPassword(String password) throws InvalidKeyException, UnsupportedEncodingException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException{ - return PolicyDBDao.encryptPassword(password); - } - String decryptPassword(String password) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException{ - return PolicyDBDao.decryptPassword(password); - } String getDescriptionFromXacml(String xacmlData){ return PolicyDBDao.getDescriptionFromXacml(xacmlData); } @@ -2959,4 +2953,4 @@ public class PolicyDBDao { } } -} +}
\ No newline at end of file diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/PushPolicyController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/PushPolicyController.java index 9c25b3aee..107983562 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/PushPolicyController.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/PushPolicyController.java @@ -62,6 +62,9 @@ public class PushPolicyController { private static String errorMsg = "error"; private static String operation = "operation"; private static String messageContent = "message"; + + private static final String REGEX = "[0-9a-zA-Z._ ]*"; + @Autowired public PushPolicyController(CommonClassDao commonClassDao){ PushPolicyController.commonClassDao = commonClassDao; @@ -128,12 +131,12 @@ public class PushPolicyController { } if(selectedPDPGroup==null){ String message = "Unknown groupId '" + selectedPDPGroup + "'"; + if(!message.matches(REGEX) ){ + message = "Unknown groupId"; + } PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " " + message); response.addHeader(errorMsg, "unknownGroupId"); response.addHeader(operation, "push"); - //for fixing Header Manipulation of Fortify issue - message = message.replace("\n", ""); - message = message.replace("\r", ""); response.addHeader(messageContent, message); response.setStatus(HttpServletResponse.SC_NOT_FOUND); return; diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/service/ImportService.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/service/ImportService.java index e942e6b3b..c804f2b20 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/service/ImportService.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/service/ImportService.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * ONAP-PAP-REST * ================================================================================ - * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -48,11 +48,23 @@ public class ImportService { private static String service = "service"; private static String extractDir = "ExtractDir"; private static String successMessage = "success"; + private static String invalidServiceName = "Invalid ServiceName"; + private static final String REGEX = "[0-9a-zA-Z._ ]*"; + public void doImportMicroServicePut(HttpServletRequest request, HttpServletResponse response) { - String importServiceCreation = request.getParameter("importService");; + String importServiceCreation = request.getParameter("importService"); String fileName = request.getParameter("fileName"); String version = request.getParameter("version"); String serviceName = request.getParameter("serviceName"); + + if(serviceName == null || serviceName.isEmpty() || !serviceName.matches(REGEX)){ + response.setStatus(HttpServletResponse.SC_BAD_REQUEST); + response.addHeader(errorMsg, "missing"); + response.addHeader(operation, importHeader); + response.addHeader(service, invalidServiceName); + return; + } + String description = request.getParameter("description"); Map<String, String> successMap = new HashMap<>(); if(("BRMSPARAM").equals(importServiceCreation)){ @@ -165,4 +177,4 @@ public class ImportService { } } -} +}
\ No newline at end of file diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/restAuth/AuthenticationService.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/restAuth/AuthenticationService.java index d0bfa2f8d..352505ec5 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/restAuth/AuthenticationService.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/restAuth/AuthenticationService.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * ONAP-PAP-REST * ================================================================================ - * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,12 +26,13 @@ import java.util.StringTokenizer; import org.onap.policy.common.logging.eelf.MessageCodes; import org.onap.policy.common.logging.eelf.PolicyLogger; import org.onap.policy.rest.XACMLRestProperties; +import org.onap.policy.utils.CryptoUtils; import com.att.research.xacml.util.XACMLProperties; public class AuthenticationService { private String papID = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID); - private String papPass = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS); + private String papPass = CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS)); public boolean authenticate(String authCredentials) { |