From 6104273a0412c73bdbf63f68d88760dada0153d6 Mon Sep 17 00:00:00 2001
From: eramkve <ram.krishna.verma@ericsson.com>
Date: Wed, 21 Mar 2018 20:25:05 +0000
Subject: Fix vulnerabilities and bugs in policy/engine

Code fixes for 1 bug and 17 vulnerabilities reported by Sonar in
policy/engine

Change-Id: I7b641795c790ec15418bd9ae3a414279e1b0f733
Issue-ID: POLICY-662
Signed-off-by: eramkve <ram.krishna.verma@ericsson.com>
---
 .../policy/pap/xacml/rest/XACMLPapServlet.java     | 87 ++++++++++++----------
 .../pap/xacml/rest/components/PolicyDBDao.java     |  5 +-
 2 files changed, 53 insertions(+), 39 deletions(-)

(limited to 'ONAP-PAP-REST/src/main')

diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java
index 84cd72fe6..9564acc25 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java
@@ -46,7 +46,7 @@ import java.util.Scanner;
 import java.util.Set;
 import java.util.UUID;
 import java.util.concurrent.CopyOnWriteArrayList;
-
+import javax.json.JsonException;
 import javax.persistence.EntityManagerFactory;
 import javax.persistence.Persistence;
 import javax.persistence.PersistenceException;
@@ -1017,26 +1017,24 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 			im.startTransaction();
 			loggingContext.metricEnded();
 			PolicyLogger.metrics("XACMLPapServlet doPut im startTransaction");
+		} catch(AdministrativeStateException e) {
+		    String message = "PUT interface called for PAP " + papResourceName + 
+		            " but it has an Administrative state of " + im.getStateManager().getAdminState() +
+		            "\n Exception Message: " + e.getMessage();
+		    logMessage(e, message, loggingContext, response);
+		    return;
+		} catch(StandbyStatusException e) {
+		    String message = "PUT interface called for PAP " + papResourceName + 
+		            " but it has a Standby Status of " + im.getStateManager().getStandbyStatus() +
+		            "\n Exception Message: " + e.getMessage();
+		    logMessage(e, message, loggingContext, response);
+		    return;
 		} catch (IntegrityMonitorException e) {
-			String message = "PUT interface called for PAP " + papResourceName;
-			if (e instanceof AdministrativeStateException) {
-				message += " but it has an Administrative state of "
-					+ im.getStateManager().getAdminState();
-			} else if (e instanceof StandbyStatusException) {
-				message += " but it has a Standby Status of "
-					+ im.getStateManager().getStandbyStatus();
-			} else {
-				message += " but an exception occurred";
-
-			}
-			message += "\n Exception Message: " + e.getMessage();
-
-			LOGGER.info(message, e);
-			PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
-			loggingContext.transactionEnded();
-			PolicyLogger.audit("Transaction Failed - See Error.log");
-			setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
-			return;
+		    String message = "PUT interface called for PAP " + papResourceName +
+		            " but an exception occurred" +
+		            "\n Exception Message: " + e.getMessage();
+		    logMessage(e, message, loggingContext, response);
+		    return;
 		}
 
 		loggingContext.metricStarted();
@@ -2211,6 +2209,14 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 			PolicyLogger.audit("Transaction Failed - See Error.log");
 			setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
 			return;
+		} catch (IOException | JsonException e) {
+		    LOGGER.debug(e);
+		    acPutTransaction.rollbackTransaction();
+		    PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " AC PUT exception");
+		    loggingContext.transactionEnded();
+		    PolicyLogger.audit("Transaction Failed - See Error.log");
+		    setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
+		    return;
 		}
 	}
 	
@@ -2822,24 +2828,21 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 			PolicyLogger.audit("Transaction Failed - See Error.log");
 			response.setStatus(HttpServletResponse.SC_OK);
 			return;
-		}catch (ForwardProgressException | AdministrativeStateException | StandbyStatusException e){
-			String submsg;
-			if (e instanceof ForwardProgressException) {
-				submsg = " is not making forward progress.";
-			} else if (e instanceof AdministrativeStateException) {
-				submsg = " Administrative State is LOCKED.";
-			} else {
-				submsg = " Standby Status is NOT PROVIDING SERVICE.";
-			}
-
-			String message = "GET:/pap/test called and PAP " + papResourceName + submsg
-					+ " Exception Message: " + e.getMessage();
-			LOGGER.info(message, e);
-			PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
-			loggingContext.transactionEnded();
-			PolicyLogger.audit("Transaction Failed - See Error.log");
-			setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
-			return;
+		}catch (ForwardProgressException e){
+		    String message = "GET:/pap/test called and PAP " + papResourceName + " is not making forward progress."
+		            + " Exception Message: " + e.getMessage();
+		    logMessage(e, message, loggingContext, response);
+		    return;
+		}catch (AdministrativeStateException e){
+		    String message = "GET:/pap/test called and PAP " + papResourceName + " Administrative State is LOCKED."
+		            + " Exception Message: " + e.getMessage();
+		    logMessage(e, message, loggingContext, response);
+		    return;
+		}catch (StandbyStatusException e){
+		    String message = "GET:/pap/test called and PAP " + papResourceName + " Standby Status is NOT PROVIDING SERVICE."
+		            + " Exception Message: " + e.getMessage();
+		    logMessage(e, message, loggingContext, response);
+		    return;
 		}catch (Exception e) {
 			//A subsystem is not making progress, is locked, standby or is not responding
 			String eMsg = e.getMessage();
@@ -3014,4 +3017,12 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 	public static void setMsPolicyName(String msPolicyName) {
 		XACMLPapServlet.msPolicyName = msPolicyName;
 	}
+	
+	private void logMessage(Exception e, String message, ONAPLoggingContext loggingContext, HttpServletResponse response) {
+	    LOGGER.info(message, e);
+	    PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
+	    loggingContext.transactionEnded();
+	    PolicyLogger.audit("Transaction Failed - See Error.log");
+	    setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
+	}
 }
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/PolicyDBDao.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/PolicyDBDao.java
index 9ac858277..8b4651fee 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/PolicyDBDao.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/components/PolicyDBDao.java
@@ -127,7 +127,7 @@ public class PolicyDBDao {
 	public static final String duplicatePolicyId = "Somehow, more than one policy with the id ";
 	public static final String foundInDB = " were found in the database";
 	
-	public static boolean isJunit = false;
+	private static boolean isJunit = false;
 
 	public static void setJunit(boolean isJunit) {
 		PolicyDBDao.isJunit = isJunit;
@@ -1250,6 +1250,9 @@ public class PolicyDBDao {
 					for(PDPPolicy policy : policies){
 						try{
 							String[] stringArray = getNameScopeAndVersionFromPdpPolicy(policy.getId());
+							if(stringArray == null) {
+							    throw new IllegalArgumentException("Invalid input - policyID must contain name, scope and version");
+							}
 							List<PolicyEntity> policyEntityList;
 							Query getPolicyEntitiesQuery = em.createNamedQuery("PolicyEntity.findByNameAndScope");
 							getPolicyEntitiesQuery.setParameter("name", stringArray[0]);
-- 
cgit 1.2.3-korg