Fix Fortify Scan Issue:

1) Fix Fortify Header Manipulation issue by checking the format of the
message before adding it response header.

2) Fix Fortify Hardcoded Password issue by using encryption and decryption

Issue-ID: POLICY-543
Change-Id: I16b44b9b0670b1af75094c9ae9d1f7d352fa894a
Signed-off-by: guangxingwang <gw1218@att.com>

3 files changed, 12 insertions, 9 deletions

diff --git a/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/PolicyRestController.java b/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/PolicyRestController.java
index 507f19820..801d4ec9d 100644
--- a/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/PolicyRestController.java
+++ b/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/PolicyRestController.java
@@ -66,7 +66,7 @@ import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.RestTemplate;
 import org.springframework.web.servlet.ModelAndView;
-
+import org.onap.policy.utils.CryptoUtils;
 import com.att.research.xacml.util.XACMLProperties;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.JsonNode;
@@ -195,7 +195,7 @@ public class PolicyRestController extends RestrictedBaseController{
 	private ResponseEntity<?> sendToPAP(String body, String requestURI, HttpMethod method){
 		String papUrl = PolicyController.getPapUrl();
 		String papID = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID);
-		String papPass = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS);
+		String papPass = CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS));
 
 		Base64.Encoder encoder = Base64.getEncoder();
 		String encoding = encoder.encodeToString((papID+":"+papPass).getBytes(StandardCharsets.UTF_8));
@@ -245,7 +245,7 @@ public class PolicyRestController extends RestrictedBaseController{
 		String boundary = null;
 		String papUrl = PolicyController.getPapUrl();
 		String papID = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID);
-		String papPass = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS);
+		String papPass = CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS));
 	
 		Base64.Encoder encoder = Base64.getEncoder();
 		String encoding = encoder.encodeToString((papID+":"+papPass).getBytes(StandardCharsets.UTF_8));
diff --git a/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/RESTfulPAPEngine.java b/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/RESTfulPAPEngine.java
index 0e7c0561e..a8831eaaf 100644
--- a/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/RESTfulPAPEngine.java
+++ b/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/RESTfulPAPEngine.java
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * ONAP Policy Engine
  * ================================================================================
- * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -41,6 +41,7 @@ import java.util.Set;
 import org.apache.commons.io.IOUtils;
 import org.onap.policy.rest.XACMLRestProperties;
 import org.onap.policy.rest.adapter.PolicyRestAdapter;
+import org.onap.policy.utils.CryptoUtils;
 import org.onap.policy.xacml.api.XACMLErrorConstants;
 import org.onap.policy.xacml.api.pap.OnapPDP;
 import org.onap.policy.xacml.api.pap.OnapPDPGroup;
@@ -51,6 +52,7 @@ import org.onap.policy.xacml.std.pap.StdPDPGroup;
 import org.onap.policy.xacml.std.pap.StdPDPItemSetChangeNotifier;
 import org.onap.policy.xacml.std.pap.StdPDPPolicy;
 import org.onap.policy.xacml.std.pap.StdPDPStatus;
+
 import com.att.research.xacml.api.pap.PAPException;
 import com.att.research.xacml.api.pap.PDPPolicy;
 import com.att.research.xacml.api.pap.PDPStatus;
@@ -58,6 +60,7 @@ import com.att.research.xacml.util.XACMLProperties;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.type.CollectionType;
+
 import org.onap.policy.common.logging.flexlogger.FlexLogger; 
 import org.onap.policy.common.logging.flexlogger.Logger;
 
@@ -350,7 +353,7 @@ public class RESTfulPAPEngine extends StdPDPItemSetChangeNotifier implements PAP
 		HttpURLConnection connection = null;
 		String papID = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID);
 		LOGGER.info("User Id is " + papID);
-		String papPass = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS);
+		String papPass = CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS));
 		Base64.Encoder encoder = Base64.getEncoder();
 		String encoding = encoder.encodeToString((papID+":"+papPass).getBytes(StandardCharsets.UTF_8));
 		Object contentObj = content;
diff --git a/POLICY-SDK-APP/src/main/java/org/onap/policy/utils/XACMLPolicyWriterWithPapNotify.java b/POLICY-SDK-APP/src/main/java/org/onap/policy/utils/XACMLPolicyWriterWithPapNotify.java
index cbcf06249..1cf2b7648 100644
--- a/POLICY-SDK-APP/src/main/java/org/onap/policy/utils/XACMLPolicyWriterWithPapNotify.java
+++ b/POLICY-SDK-APP/src/main/java/org/onap/policy/utils/XACMLPolicyWriterWithPapNotify.java
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * ONAP Policy Engine
  * ================================================================================
- * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -209,7 +209,7 @@ public class XACMLPolicyWriterWithPapNotify{
 					+ "\npolicyToCreateUpdate = " + " ");
 		}
 		Base64.Encoder encoder = Base64.getEncoder();
-		String encoding = encoder.encodeToString((XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID)+":"+XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS)).getBytes(StandardCharsets.UTF_8));
+		String encoding = encoder.encodeToString((XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID)+":"+CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS))).getBytes(StandardCharsets.UTF_8));
 		HttpURLConnection connection;
 		UUID requestID = UUID.randomUUID();
 		URL url;
@@ -296,7 +296,7 @@ public class XACMLPolicyWriterWithPapNotify{
 	
 	public static boolean notifyPapOfDelete(String policyToDelete){
 		Base64.Encoder encoder = Base64.getEncoder();
-		String encoding = encoder.encodeToString((XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID)+":"+XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS)).getBytes(StandardCharsets.UTF_8));
+		String encoding = encoder.encodeToString((XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID)+":"+CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS))).getBytes(StandardCharsets.UTF_8));
 		HttpURLConnection connection;
 		UUID requestID = UUID.randomUUID();
 		String papUrl = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_URL);
@@ -396,7 +396,7 @@ public class XACMLPolicyWriterWithPapNotify{
 					+ "\npolicyToCreateUpdate = " + policyToCreateUpdate);
 		}
 		Base64.Encoder encoder = Base64.getEncoder();
-		String encoding = encoder.encodeToString((XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID)+":"+XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS)).getBytes(StandardCharsets.UTF_8));
+		String encoding = encoder.encodeToString((XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID)+":"+CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS))).getBytes(StandardCharsets.UTF_8));
 		HttpURLConnection connection;
 		UUID requestID = UUID.randomUUID();
 		URL url;