From 5ba143338d6fbc2b4d1e36c0efcbbabe15c65301 Mon Sep 17 00:00:00 2001 From: guangxingwang Date: Thu, 15 Feb 2018 11:13:18 -0600 Subject: Fix Fortify Scan Issue: 1) Fix Fortify Header Manipulation issue by checking the format of the message before adding it response header. 2) Fix Fortify Hardcoded Password issue by using encryption and decryption Issue-ID: POLICY-543 Change-Id: I16b44b9b0670b1af75094c9ae9d1f7d352fa894a Signed-off-by: guangxingwang --- .../src/main/java/org/onap/policy/admin/PolicyRestController.java | 6 +++--- .../src/main/java/org/onap/policy/admin/RESTfulPAPEngine.java | 7 +++++-- .../org/onap/policy/utils/XACMLPolicyWriterWithPapNotify.java | 8 ++++---- 3 files changed, 12 insertions(+), 9 deletions(-) (limited to 'POLICY-SDK-APP/src/main/java') diff --git a/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/PolicyRestController.java b/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/PolicyRestController.java index 507f19820..801d4ec9d 100644 --- a/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/PolicyRestController.java +++ b/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/PolicyRestController.java @@ -66,7 +66,7 @@ import org.springframework.web.bind.annotation.RestController; import org.springframework.web.client.HttpClientErrorException; import org.springframework.web.client.RestTemplate; import org.springframework.web.servlet.ModelAndView; - +import org.onap.policy.utils.CryptoUtils; import com.att.research.xacml.util.XACMLProperties; import com.fasterxml.jackson.databind.DeserializationFeature; import com.fasterxml.jackson.databind.JsonNode; @@ -195,7 +195,7 @@ public class PolicyRestController extends RestrictedBaseController{ private ResponseEntity sendToPAP(String body, String requestURI, HttpMethod method){ String papUrl = PolicyController.getPapUrl(); String papID = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID); - String papPass = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS); + String papPass = CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS)); Base64.Encoder encoder = Base64.getEncoder(); String encoding = encoder.encodeToString((papID+":"+papPass).getBytes(StandardCharsets.UTF_8)); @@ -245,7 +245,7 @@ public class PolicyRestController extends RestrictedBaseController{ String boundary = null; String papUrl = PolicyController.getPapUrl(); String papID = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID); - String papPass = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS); + String papPass = CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS)); Base64.Encoder encoder = Base64.getEncoder(); String encoding = encoder.encodeToString((papID+":"+papPass).getBytes(StandardCharsets.UTF_8)); diff --git a/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/RESTfulPAPEngine.java b/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/RESTfulPAPEngine.java index 0e7c0561e..a8831eaaf 100644 --- a/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/RESTfulPAPEngine.java +++ b/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/RESTfulPAPEngine.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * ONAP Policy Engine * ================================================================================ - * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -41,6 +41,7 @@ import java.util.Set; import org.apache.commons.io.IOUtils; import org.onap.policy.rest.XACMLRestProperties; import org.onap.policy.rest.adapter.PolicyRestAdapter; +import org.onap.policy.utils.CryptoUtils; import org.onap.policy.xacml.api.XACMLErrorConstants; import org.onap.policy.xacml.api.pap.OnapPDP; import org.onap.policy.xacml.api.pap.OnapPDPGroup; @@ -51,6 +52,7 @@ import org.onap.policy.xacml.std.pap.StdPDPGroup; import org.onap.policy.xacml.std.pap.StdPDPItemSetChangeNotifier; import org.onap.policy.xacml.std.pap.StdPDPPolicy; import org.onap.policy.xacml.std.pap.StdPDPStatus; + import com.att.research.xacml.api.pap.PAPException; import com.att.research.xacml.api.pap.PDPPolicy; import com.att.research.xacml.api.pap.PDPStatus; @@ -58,6 +60,7 @@ import com.att.research.xacml.util.XACMLProperties; import com.fasterxml.jackson.databind.DeserializationFeature; import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.type.CollectionType; + import org.onap.policy.common.logging.flexlogger.FlexLogger; import org.onap.policy.common.logging.flexlogger.Logger; @@ -350,7 +353,7 @@ public class RESTfulPAPEngine extends StdPDPItemSetChangeNotifier implements PAP HttpURLConnection connection = null; String papID = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID); LOGGER.info("User Id is " + papID); - String papPass = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS); + String papPass = CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS)); Base64.Encoder encoder = Base64.getEncoder(); String encoding = encoder.encodeToString((papID+":"+papPass).getBytes(StandardCharsets.UTF_8)); Object contentObj = content; diff --git a/POLICY-SDK-APP/src/main/java/org/onap/policy/utils/XACMLPolicyWriterWithPapNotify.java b/POLICY-SDK-APP/src/main/java/org/onap/policy/utils/XACMLPolicyWriterWithPapNotify.java index cbcf06249..1cf2b7648 100644 --- a/POLICY-SDK-APP/src/main/java/org/onap/policy/utils/XACMLPolicyWriterWithPapNotify.java +++ b/POLICY-SDK-APP/src/main/java/org/onap/policy/utils/XACMLPolicyWriterWithPapNotify.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * ONAP Policy Engine * ================================================================================ - * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -209,7 +209,7 @@ public class XACMLPolicyWriterWithPapNotify{ + "\npolicyToCreateUpdate = " + " "); } Base64.Encoder encoder = Base64.getEncoder(); - String encoding = encoder.encodeToString((XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID)+":"+XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS)).getBytes(StandardCharsets.UTF_8)); + String encoding = encoder.encodeToString((XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID)+":"+CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS))).getBytes(StandardCharsets.UTF_8)); HttpURLConnection connection; UUID requestID = UUID.randomUUID(); URL url; @@ -296,7 +296,7 @@ public class XACMLPolicyWriterWithPapNotify{ public static boolean notifyPapOfDelete(String policyToDelete){ Base64.Encoder encoder = Base64.getEncoder(); - String encoding = encoder.encodeToString((XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID)+":"+XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS)).getBytes(StandardCharsets.UTF_8)); + String encoding = encoder.encodeToString((XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID)+":"+CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS))).getBytes(StandardCharsets.UTF_8)); HttpURLConnection connection; UUID requestID = UUID.randomUUID(); String papUrl = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_URL); @@ -396,7 +396,7 @@ public class XACMLPolicyWriterWithPapNotify{ + "\npolicyToCreateUpdate = " + policyToCreateUpdate); } Base64.Encoder encoder = Base64.getEncoder(); - String encoding = encoder.encodeToString((XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID)+":"+XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS)).getBytes(StandardCharsets.UTF_8)); + String encoding = encoder.encodeToString((XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID)+":"+CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS))).getBytes(StandardCharsets.UTF_8)); HttpURLConnection connection; UUID requestID = UUID.randomUUID(); URL url; -- cgit 1.2.3-korg