11 files changed, 389 insertions, 115 deletions
diff --git a/portal-BE/src/main/java/org/onap/portal/aop/service/PersUserWidgetServiceAOP.java b/portal-BE/src/main/java/org/onap/portal/aop/service/PersUserWidgetServiceAOP.java new file mode 100644 index 00000000..79326618 --- /dev/null +++ b/portal-BE/src/main/java/org/onap/portal/aop/service/PersUserWidgetServiceAOP.java 
@@ -0,0 +1,72 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal + * =================================================================== + * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * Modifications Copyright (c) 2019 Samsung + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ *
+ * ============LICENSE_END============================================
+ *
+ *
+ */
+
+package org.onap.portal.aop.service;
+
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.onap.portal.domain.db.fn.FnUser;
+import org.onap.portal.domain.dto.transport.WidgetCatalogPersonalization;
+import org.onap.portal.validation.DataValidator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+@Aspect
+@Component
+public class PersUserWidgetServiceAOP {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(PersUserWidgetServiceAOP.class);
+
+ private final DataValidator dataValidator;
+
+ @Autowired
+ public PersUserWidgetServiceAOP(DataValidator dataValidator) {
+ this.dataValidator = dataValidator;
+ }
+
+ @Before("execution(* org.onap.portal.service.PersUserWidgetService.setPersUserAppValue(..)) && args(user, personalization)")
+ public void setOnboardingWidget(FnUser user, WidgetCatalogPersonalization personalization) {
+ if (!dataValidator.isValid(personalization)) {
+ throw new IllegalArgumentException(dataValidator.getConstraintViolationsString(personalization));
+ }
+ }
+}
diff --git a/portal-BE/src/main/java/org/onap/portal/aop/service/WidgetServiceAOP.java b/portal-BE/src/main/java/org/onap/portal/aop/service/WidgetServiceAOP.java
index cc168578..14172937 100644
--- a/portal-BE/src/main/java/org/onap/portal/aop/service/WidgetServiceAOP.java
+++ b/portal-BE/src/main/java/org/onap/portal/aop/service/WidgetServiceAOP.java
@@ -2,7 +2,6 @@ package org.onap.portal.aop.service;
 
 import org.aspectj.lang.annotation.Aspect;
 import org.aspectj.lang.annotation.Before;
-import org.onap.portal.domain.db.fn.FnUser;
 import org.onap.portal.domain.dto.transport.OnboardingWidget;
 import org.onap.portal.validation.DataValidator;
 import org.slf4j.Logger;
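Review bot: `user` is bound by `args(user, personalization)` but never examined, so the `user == null || widgetId == null` guard that the PersUserWidgetService hunk removes is only half replaced: `widgetId` is now covered by `@NotNull` on the DTO, a null `user` by nothing, and a null `personalization` only if `dataValidator.isValid(null)` rejects it, which is not visible here. Consider `if (user == null || personalization == null) { throw new IllegalArgumentException("setPersUserAppValue: Null values"); }` ahead of the validator call. It is also worth a comment that, being Spring AOP advice, this check runs only for calls that reach `setPersUserAppValue` through the service proxy; a call made from inside PersUserWidgetService itself would bypass it.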
@@ -24,8 +23,8 @@ public class WidgetServiceAOP {
 this.dataValidator = dataValidator;
 }
 
- @Before("execution(* org.onap.portal.service.WidgetService.setOnboardingWidget(..)) && args(fnUser, onboardingWidget)")
- public void setOnboardingWidget(final FnUser fnUser, OnboardingWidget onboardingWidget) {
+ @Before("execution(* org.onap.portal.service.WidgetService.setOnboardingWidget(..)) && args(userId, onboardingWidget)")
+ public void setOnboardingWidget(final Long userId, OnboardingWidget onboardingWidget) {
 if (!dataValidator.isValid(onboardingWidget)) {
 throw new IllegalArgumentException(dataValidator.getConstraintViolationsString(onboardingWidget));
 }
diff --git a/portal-BE/src/main/java/org/onap/portal/controller/WidgetsController.java b/portal-BE/src/main/java/org/onap/portal/controller/WidgetsController.java
index 571cbc13..556c7ef3 100644
--- a/portal-BE/src/main/java/org/onap/portal/controller/WidgetsController.java
+++ b/portal-BE/src/main/java/org/onap/portal/controller/WidgetsController.java
@@ -49,7 +49,6 @@ import org.onap.portal.domain.db.fn.FnUser;
 import org.onap.portal.domain.dto.transport.FieldsValidator;
 import org.onap.portal.domain.dto.transport.OnboardingWidget;
 import org.onap.portal.domain.dto.transport.WidgetCatalogPersonalization;
-import org.onap.portal.exception.NotValidDataException;
 import org.onap.portal.logging.aop.EPAuditLog;
 import org.onap.portal.service.AdminRolesService;
 import org.onap.portal.service.PersUserWidgetService;
@@ -128,7 +127,7 @@ public class WidgetsController {
 onboardingWidget.setId(widgetId);
 onboardingWidget.normalize();
 try {
- fieldsValidator = widgetService.setOnboardingWidget(user, onboardingWidget);
+ fieldsValidator = widgetService.setOnboardingWidget(user.getUserId(), onboardingWidget);
 response.setStatus(fieldsValidator.getHttpStatusCode().intValue());
 } catch (IllegalArgumentException e) {
 fieldsValidator = new FieldsValidator();
@@ -143,37 +142,25 @@ public class WidgetsController {
 return fieldsValidator;
 }
 
- private boolean userHasPermissions(FnUser user, HttpServletResponse response, String invocator) {
- if (!adminRolesService.isSuperAdmin(user) && !adminRolesService.isAccountAdmin(user)) {
- EcompPortalUtils.setBadPermissions(user, response, invocator);
- return false;
- }
- return true;
- }
-
 @PostMapping(value = {"/portalApi/widgets"}, produces = MediaType.APPLICATION_JSON_VALUE)
+ @PreAuthorize("hasRole('System_Administrator') and hasRole('Account_Administrator')")
 public FieldsValidator postOnboardingWidget(Principal principal, HttpServletResponse response,
 @RequestBody OnboardingWidget onboardingWidget) {
 FnUser user = fnUserService.loadUserByUsername(principal.getName());
- FieldsValidator fieldsValidator = new FieldsValidator();
+ FieldsValidator fieldsValidator;
 
- if (onboardingWidget != null) {
- if (!dataValidator.isValid(onboardingWidget)) {
- fieldsValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
- return fieldsValidator;
- }
- }
+ onboardingWidget.setId(null);
+ onboardingWidget.normalize();
 
- if (userHasPermissions(user, response, "postOnboardingWidget")) {
- onboardingWidget.setId(null);
- onboardingWidget.normalize();
- try {
- fieldsValidator = widgetService.setOnboardingWidget(user, onboardingWidget);
- } catch (Exception e) {
- fieldsValidator.setHttpStatusCode((long) HttpServletResponse.SC_BAD_REQUEST);
- }
- response.setStatus(fieldsValidator.getHttpStatusCode().intValue());
+ try {
+ fieldsValidator = widgetService.setOnboardingWidget(user.getUserId(), onboardingWidget);
+ } catch (IllegalArgumentException e) {
+ fieldsValidator = new FieldsValidator();
+ fieldsValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+ fieldsValidator.addProblematicFieldName(e.getMessage());
+ return fieldsValidator;
 }
+ response.setStatus(fieldsValidator.getHttpStatusCode().intValue());
 EcompPortalUtils
 .logAndSerializeObject(logger,
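Review bot: `@PreAuthorize("hasRole('System_Administrator') and hasRole('Account_Administrator')")` requires both roles, whereas the `userHasPermissions` it replaces denied only a user who was neither super admin nor account admin, i.e. it accepted either; a System_Administrator without the account-admin role is now rejected on this endpoint. If the old semantics are intended the expression should read `hasRole('System_Administrator') or hasRole('Account_Administrator')`. The identical annotation on `deleteOnboardingWidget` in the next hunk has the same inversion. Whether `hasRole('System_Administrator')` matches the authorities this application grants (Spring's `hasRole` prepends `ROLE_` by default) cannot be confirmed from the diff and deserves a test for both the allowed and the denied user. The `onboardingWidget != null` guard is also gone before `onboardingWidget.setId(null)`, which is fine only as long as the `@RequestBody` stays required.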
"/portalApi/widgets", "POST result =", response.getStatus()); @@ -181,15 +168,14 @@ public class WidgetsController { } @DeleteMapping(value = {"/portalApi/widgets/{widgetId}"}, produces = MediaType.APPLICATION_JSON_VALUE) + @PreAuthorize("hasRole('System_Administrator') and hasRole('Account_Administrator')") public FieldsValidator deleteOnboardingWidget(Principal principal, HttpServletResponse response, @PathVariable("widgetId") Long widgetId) { FnUser user = fnUserService.loadUserByUsername(principal.getName()); - FieldsValidator fieldsValidator = null; + FieldsValidator fieldsValidator; - if (userHasPermissions(user, response, "deleteOnboardingWidget")) { - fieldsValidator = widgetService.deleteOnboardingWidget(user, widgetId); - response.setStatus(fieldsValidator.getHttpStatusCode().intValue()); - } + fieldsValidator = widgetService.deleteOnboardingWidget(user, widgetId); + response.setStatus(fieldsValidator.getHttpStatusCode().intValue()); EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/widgets/" + widgetId, "DELETE result =", response.getStatus()); 
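Review bot: The removed `userHasPermissions` path called `EcompPortalUtils.setBadPermissions(user, response, "deleteOnboardingWidget")` on denial; with `@PreAuthorize` the denial is raised before the body runs, so whatever that helper recorded about the denied user and endpoint is no longer produced here, and the `logAndSerializeObject` call below never sees a denied request either. Confirm that the access-denied handler in the security configuration writes an equivalent audit record; otherwise rejected attempts on `/portalApi/widgets/{widgetId}` become invisible to operations. `postOnboardingWidget` in the previous hunk loses the same record.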
@@ -202,23 +188,16 @@ public class WidgetsController { FieldsValidator result = new FieldsValidator(); FnUser user = fnUserService.loadUserByUsername(principal.getName()); - if (persRequest != null) { - if (!dataValidator.isValid(persRequest)) { - result.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE); - return result; - } - } try { assert persRequest != null; - if (persRequest.getWidgetId() == null || user == null) { - EcompPortalUtils.setBadPermissions(user, response, "putWidgetCatalogSelection"); - } else { - persUserWidgetService - .setPersUserAppValue(user, persRequest.getWidgetId(), persRequest.getSelect()); - } + persUserWidgetService + .setPersUserAppValue(user, persRequest); + } catch (IllegalArgumentException iae) { + logger.error(EELFLoggerDelegate.errorLogger, "Failed in putAppCatalogSelection", iae); + response.sendError(HttpServletResponse.SC_NOT_ACCEPTABLE, iae.getMessage()); } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "Failed in putAppCatalogSelection", e); - response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.toString()); + response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage()); } result.setHttpStatusCode((long) HttpServletResponse.SC_OK); return result; diff --git a/portal-BE/src/main/java/org/onap/portal/dao/fn/FnUserRoleDao.java b/portal-BE/src/main/java/org/onap/portal/dao/fn/FnUserRoleDao.java new file mode 100644 index 00000000..ee1ebdd0 --- /dev/null +++ b/portal-BE/src/main/java/org/onap/portal/dao/fn/FnUserRoleDao.java 
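Review bot: Both catch blocks call `response.sendError(...)` and then fall through to `result.setHttpStatusCode((long) HttpServletResponse.SC_OK); return result;`, so the returned FieldsValidator reports 200 for a request whose servlet response was already committed as 406 or 500; each catch should return a result carrying the matching status code (the test added for this endpoint asserts 200 and therefore cannot notice). `response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage())` still echoes an arbitrary exception's message to the client even though the line above already logs it; a fixed text such as `"Failed in putWidgetCatalogSelection"` is enough for the response, and would also fix the copy-pasted `putAppCatalogSelection` in both log calls. `assert persRequest != null;` is a JVM assertion that is inactive unless the JVM runs with `-ea`, so a missing body is not reported as invalid input here but surfaces wherever `persRequest` is first dereferenced.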
@@ -0,0 +1,58 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal + * =================================================================== + * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * Modifications Copyright (c) 2019 Samsung + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ * + * ============LICENSE_END============================================ + * + * + */ + +package org.onap.portal.dao.fn; + +import java.util.List; +import java.util.Optional; +import org.onap.portal.domain.db.fn.FnUserRole; +import org.springframework.data.jpa.repository.JpaRepository; +import org.springframework.data.jpa.repository.Query; +import org.springframework.data.repository.query.Param; +import org.springframework.stereotype.Repository; +import org.springframework.transaction.annotation.Transactional; + +@Repository +@Transactional +public interface FnUserRoleDao extends JpaRepository<FnUserRole, Long> { + + @Query + Optional<List<FnUserRole>> getAdminUserRoles(final @Param("USERID") Long userId, final @Param("ROLEID") Long roleId, final @Param("APPID") Long appId); +} diff --git a/portal-BE/src/main/java/org/onap/portal/domain/db/ep/EpPersUserWidgetSel.java b/portal-BE/src/main/java/org/onap/portal/domain/db/ep/EpPersUserWidgetSel.java index 9cee72a3..4b2785f1 100644 --- a/portal-BE/src/main/java/org/onap/portal/domain/db/ep/EpPersUserWidgetSel.java +++ b/portal-BE/src/main/java/org/onap/portal/domain/db/ep/EpPersUserWidgetSel.java @@ -82,7 +82,7 @@ CREATE TABLE `ep_pers_user_widget_sel` ( @NamedQueries({ @NamedQuery( name = "EpPersUserWidgetSel.getEpPersUserWidgetSelForUserIdAndWidgetId", - query = "FROM EpPersUserWidgetSel WHERE userId = :USERID and widgetId = :WIDGETID") + query = "FROM EpPersUserWidgetSel WHERE userId.userId = :USERID and widgetId.widgetId = :WIDGETID") }) @Table(name = "ep_pers_user_widget_sel", uniqueConstraints = { @UniqueConstraint(columnNames = {"user_id", "widget_id"}) diff --git a/portal-BE/src/main/java/org/onap/portal/domain/db/fn/FnUserRole.java b/portal-BE/src/main/java/org/onap/portal/domain/db/fn/FnUserRole.java index 390ef8b4..4e783764 100644 --- a/portal-BE/src/main/java/org/onap/portal/domain/db/fn/FnUserRole.java +++ b/portal-BE/src/main/java/org/onap/portal/domain/db/fn/FnUserRole.java 
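Review bot: `Optional<List<FnUserRole>>` adds nothing on `getAdminUserRoles`: a collection-returning repository query yields an empty list rather than an absent value, so the Optional is never empty and the `orElse(new ArrayList<>())` in the new FnUserRoleService is dead code; declare `List<FnUserRole> getAdminUserRoles(final @Param("USERID") Long userId, final @Param("ROLEID") Long roleId, final @Param("APPID") Long appId);` and return it directly from the service. The bare `@Query` is, as far as I can tell, resolved by name against the `FnUserRole.getAdminUserRoles` `@NamedQuery` added to the entity in this commit; since this lookup feeds the account-admin authorization check in WidgetService, a comment such as `// resolved by name: FnUserRole.getAdminUserRoles (@NamedQuery on FnUserRole)` would make the coupling visible before someone renames either side. `@Transactional` on the repository interface is redundant with the transactional defaults of the Spring Data implementation and can be dropped.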
@@ -53,6 +53,8 @@ import javax.persistence.JoinColumn; import javax.persistence.ManyToOne; import javax.persistence.NamedNativeQueries; import javax.persistence.NamedNativeQuery; +import javax.persistence.NamedQueries; +import javax.persistence.NamedQuery; import javax.persistence.OneToOne; import javax.persistence.Table; import javax.persistence.UniqueConstraint; @@ -82,16 +84,25 @@ CREATE TABLE `fn_user_role` ( @NamedNativeQueries({ @NamedNativeQuery( name = "FnUserRole.retrieveUserRoleOnUserIdAndRoleIdAndAppId", - query = "select * from FnUserRole where user_id= :userId" + query = "FROM FnUserRole where user_id= :userId" + " and role_id= :roleId" + " and app_id= :appId"), @NamedNativeQuery( name = "FnUserRole.retrieveCachedAppRolesForUser", - query = "select * from FnUserRole where user_id= :userId" + query = "FROM FnUserRole where user_id= :userId" + " and user_id= :userId" + " and app_id= :appId") }) +@NamedQueries({ + @NamedQuery( + name = "FnUserRole.getAdminUserRoles", + query = "FROM FnUserRole fn " + + "WHERE fn.userId.userId = :USERID " + + "AND fn.roleId.roleId = :ROLEID " + + "AND fn.appId.appId = :APPID") +}) + @Table( name = "fn_user_role", indexes = { diff --git a/portal-BE/src/main/java/org/onap/portal/domain/dto/transport/WidgetCatalogPersonalization.java b/portal-BE/src/main/java/org/onap/portal/domain/dto/transport/WidgetCatalogPersonalization.java index b9e54bfc..d9053f03 100644 --- a/portal-BE/src/main/java/org/onap/portal/domain/dto/transport/WidgetCatalogPersonalization.java +++ b/portal-BE/src/main/java/org/onap/portal/domain/dto/transport/WidgetCatalogPersonalization.java @@ -40,6 +40,7 @@ package org.onap.portal.domain.dto.transport; +import javax.validation.constraints.NotNull; import lombok.AllArgsConstructor; import lombok.Getter; import lombok.NoArgsConstructor; @@ -51,7 +52,9 @@ import lombok.Setter; @AllArgsConstructor public class WidgetCatalogPersonalization { + @NotNull private Long widgetId; + @NotNull private Boolean select; } 
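Review bot: The two `@NamedNativeQuery` bodies now read `FROM FnUserRole where user_id= :userId ...`; as native SQL that has no select list and names the entity rather than the table (`fn_user_role` per the `@Table` below), so if anything executes `retrieveUserRoleOnUserIdAndRoleIdAndAppId` or `retrieveCachedAppRolesForUser` it will fail at the database. Either keep them native with `select * from fn_user_role where user_id = :userId ...` or convert them to `@NamedQuery` JPQL like the new `FnUserRole.getAdminUserRoles`, which uses the association paths `fn.userId.userId`, `fn.roleId.roleId` and `fn.appId.appId`. The second query also filters `user_id` twice and never on a role; that predates this commit but is worth fixing while the queries are being touched.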
diff --git a/portal-BE/src/main/java/org/onap/portal/service/PersUserWidgetService.java b/portal-BE/src/main/java/org/onap/portal/service/PersUserWidgetService.java index 364085c4..38a0a408 100644 --- a/portal-BE/src/main/java/org/onap/portal/service/PersUserWidgetService.java +++ b/portal-BE/src/main/java/org/onap/portal/service/PersUserWidgetService.java @@ -46,14 +46,22 @@ import java.util.stream.Collectors; import org.onap.portal.dao.ep.EpPersUserWidgetSelDao; import org.onap.portal.dao.fn.EpWidgetCatalogDao; import org.onap.portal.domain.db.ep.EpPersUserWidgetSel; +import org.onap.portal.domain.db.ep.EpWidgetCatalog; import org.onap.portal.domain.db.fn.FnUser; import org.onap.portal.domain.dto.ecomp.PersUserWidgetSelection; +import org.onap.portal.domain.dto.transport.WidgetCatalogPersonalization; +import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; +import org.springframework.transaction.annotation.Transactional; @Service +@Transactional public class PersUserWidgetService { + private static final Logger LOGGER = LoggerFactory.getLogger(PersUserWidgetService.class); private final EpPersUserWidgetSelDao epPersUserWidgetSelDao; private final EpWidgetCatalogDao epWidgetCatalogDao; 
@@ -64,44 +72,36 @@ public class PersUserWidgetService {
 this.epWidgetCatalogDao = epWidgetCatalogDao;
 }
 
- public void setPersUserAppValue(FnUser user, Long widgetId, Boolean select) {
- if (user == null || widgetId == null) {
- throw new IllegalArgumentException("setPersUserAppValue: Null values");
- }
-
- List<PersUserWidgetSelection> persList = getUserWidgetSelction(user, widgetId);
+ public void setPersUserAppValue(FnUser user, WidgetCatalogPersonalization personalization) {
+ List<PersUserWidgetSelection> persList = getUserWidgetSelction(user, personalization.getWidgetId());
+ LOGGER.info("Error: " + persList.size());
 // Key constraint limits to 1 row
- PersUserWidgetSelection persRow = null;
+ PersUserWidgetSelection persRow;
 if (persList.size() == 1) {
 persRow = persList.get(0);
 } else {
- persRow = new PersUserWidgetSelection(null, user.getId(), widgetId, null);
+ persRow = new PersUserWidgetSelection(null, user.getUserId(), personalization.getWidgetId(), null);
 }
- if (select) {
- if (persRow.getId() != null) {
- epPersUserWidgetSelDao.deleteById(persRow.getId());
- }
- persRow.setStatusCode("S"); // show
- EpPersUserWidgetSel epPersUserWidgetSel = new EpPersUserWidgetSel();
- epPersUserWidgetSel.setUserId(user);
- epPersUserWidgetSel.setWidgetId(epWidgetCatalogDao.findById(widgetId).get());
- epPersUserWidgetSelDao.saveAndFlush(epPersUserWidgetSel);
- } else {
- if (persRow.getId() != null) {
- epPersUserWidgetSelDao.deleteById(persRow.getId());
- }
- persRow.setStatusCode("H"); // Hide
- EpPersUserWidgetSel epPersUserWidgetSel = new EpPersUserWidgetSel();
- epPersUserWidgetSel.setUserId(user);
- epPersUserWidgetSel.setWidgetId(epWidgetCatalogDao.findById(widgetId).get());
- epPersUserWidgetSelDao.saveAndFlush(epPersUserWidgetSel);
+
+ if (persRow.getId() != null) {
+ epPersUserWidgetSelDao.deleteById(persRow.getId());
 }
+
+ persRow.setStatusCode(personalization.getSelect() ? "S" : "H"); // Show / Hide
+ EpPersUserWidgetSel epPersUserWidgetSel = new EpPersUserWidgetSel();
+ epPersUserWidgetSel.setUserId(user);
+ epPersUserWidgetSel.setWidgetId(
+ epWidgetCatalogDao.findById(personalization.getWidgetId()).orElse(new EpWidgetCatalog()));
+ epPersUserWidgetSelDao.saveAndFlush(epPersUserWidgetSel);
 }
 
 private List<PersUserWidgetSelection> getUserWidgetSelction(FnUser user, Long widgetId) {
- return epPersUserWidgetSelDao.getEpPersUserWidgetSelForUserIdAndWidgetId(user.getId(), widgetId)
- .orElse(new ArrayList<>()).stream().map(
- this::epPersUserWidgetSelToPersUserWidgetSelection).collect(Collectors.toList());
+ return epPersUserWidgetSelDao
+ .getEpPersUserWidgetSelForUserIdAndWidgetId(user.getId(), widgetId)
+ .orElse(new ArrayList<>())
+ .stream()
+ .map(this::epPersUserWidgetSelToPersUserWidgetSelection)
+ .collect(Collectors.toList());
 }
 
 private PersUserWidgetSelection epPersUserWidgetSelToPersUserWidgetSelection(EpPersUserWidgetSel widgetSel) {
diff --git a/portal-BE/src/main/java/org/onap/portal/service/WidgetService.java b/portal-BE/src/main/java/org/onap/portal/service/WidgetService.java
index 90d6ab78..ba5deaa4 100644
--- a/portal-BE/src/main/java/org/onap/portal/service/WidgetService.java
+++ b/portal-BE/src/main/java/org/onap/portal/service/WidgetService.java
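Review bot: `epWidgetCatalogDao.findById(personalization.getWidgetId()).orElse(new EpWidgetCatalog())` turns an unknown widget id into a brand-new, empty EpWidgetCatalog attached to the selection being saved, where the previous `.get()` at least failed loudly; use `.orElseThrow(() -> new IllegalArgumentException("Unknown widgetId " + personalization.getWidgetId()))` so the controller's existing `IllegalArgumentException` handler answers 406 instead of a row being persisted against a placeholder entity. `LOGGER.info("Error: " + persList.size());` reads like leftover debugging — it logs at INFO with an "Error" prefix on the normal path — and should be removed or demoted to debug with a descriptive message. The hunk switches the new PersUserWidgetSelection to `user.getUserId()` while `getUserWidgetSelction` below still queries with `user.getId()`; if those two differ, as the `getId()`→`getUserId()` changes elsewhere in this commit suggest, the existing-row lookup never matches and every call tries to insert a fresh row against the `(user_id, widget_id)` unique constraint.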
@@ -44,14 +44,14 @@ import java.util.ArrayList; import java.util.List; import javax.persistence.EntityManager; import javax.servlet.http.HttpServletResponse; -import javax.validation.constraints.NotNull; import org.onap.portal.dao.fn.FnWidgetDao; import org.onap.portal.domain.db.fn.FnUser; +import org.onap.portal.domain.db.fn.FnUserRole; import org.onap.portal.domain.db.fn.FnWidget; import org.onap.portal.domain.dto.ecomp.EPUserApp; -import org.onap.portal.domain.dto.ecomp.Widget; import org.onap.portal.domain.dto.transport.FieldsValidator; import org.onap.portal.domain.dto.transport.OnboardingWidget; +import org.onap.portal.service.fn.FnUserRoleService; import org.onap.portal.utils.EPCommonSystemProperties; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.springframework.beans.factory.annotation.Autowired; @@ -82,13 +82,15 @@ public class WidgetService { private final AdminRolesService adminRolesService; private final EntityManager entityManager; private final FnWidgetDao fnWidgetDao; + private final FnUserRoleService fnUserRoleService; @Autowired public WidgetService(final AdminRolesService adminRolesService, final EntityManager entityManager, - final FnWidgetDao fnWidgetDao) { + final FnWidgetDao fnWidgetDao, FnUserRoleService fnUserRoleService) { this.adminRolesService = adminRolesService; this.entityManager = entityManager; this.fnWidgetDao = fnWidgetDao; + this.fnUserRoleService = fnUserRoleService; } private static final Object syncRests = new Object(); 
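Review bot: The new constructor parameter `FnUserRoleService fnUserRoleService` is the only one without `final`, unlike `final FnWidgetDao fnWidgetDao` beside it; `final FnUserRoleService fnUserRoleService` keeps the signature consistent. The `EPUserApp` import survives although the hunk further down removes its last visible use in `getAdminUserRoles`; if nothing else in the file references it, drop it as was done for `Widget`.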
@@ -127,8 +129,8 @@ public class WidgetService { } @PreAuthorize("hasRole('System_Administrator')") - public FieldsValidator setOnboardingWidget(final FnUser user, final OnboardingWidget onboardingWidget) { - return this.updateOrSaveWidget(true, user.getId(), onboardingWidget); + public FieldsValidator setOnboardingWidget(final Long userId, final OnboardingWidget onboardingWidget) { + return this.updateOrSaveWidget(true, userId, onboardingWidget); } private FieldsValidator updateOrSaveWidget(boolean superAdmin, Long userId, OnboardingWidget onboardingWidget) { @@ -157,22 +159,14 @@ public class WidgetService { private boolean isUserAdminOfAppForWidget(boolean superAdmin, Long userId, Long appId) { if (!superAdmin) { - List<EPUserApp> userRoles = getAdminUserRoles(userId, appId); + List<FnUserRole> userRoles = getAdminUserRoles(userId, appId); return (userRoles.size() > 0); } return true; } - private List<EPUserApp> getAdminUserRoles(Long userId, Long appId) { - return entityManager.createQuery( - "SELECT new org.onap.portal.domain.dto.ecomp.EPUserApp(fn.userId, fn.roleId, fn.appId) FROM FnUserRole fn" - + "WHERE fn.userId = :USERID " - + "AND fn.roleId = :ROLEID " - + "AND fn.appId = :APPID", EPUserApp.class) - .setParameter("USERID", userId) - .setParameter("ROLEID", ACCOUNT_ADMIN_ROLE_ID) - .setParameter("APPID", appId) - .getResultList(); + private List<FnUserRole> getAdminUserRoles(Long userId, Long appId) { + return fnUserRoleService.getAdminUserRoles(userId, ACCOUNT_ADMIN_ROLE_ID, appId); } private void applyOnboardingWidget(OnboardingWidget onboardingWidget, FieldsValidator fieldsValidator) { 
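Review bot: `return (userRoles.size() > 0);` in `isUserAdminOfAppForWidget` is clearer as `return !userRoles.isEmpty();`, and since this method is the only authorization gate for non-super-admins before a widget is modified, a one-line comment that an empty lookup fails closed would help the next reader, e.g. `// no account-admin role for this app -> forbidden`. The new `getAdminUserRoles` now depends on `fnUserRoleService.getAdminUserRoles(userId, ACCOUNT_ADMIN_ROLE_ID, appId)` and thus on the `FnUserRole.getAdminUserRoles` named query binding `USERID`/`ROLEID`/`APPID` through the association paths; a test that drives the forbidden path with a real userId/appId pair would pin that the parameters bind as intended, which the removed JPQL (missing space before `WHERE`) never did.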
@@ -238,7 +232,7 @@ public class WidgetService {
 synchronized (syncRests) {
 FnWidget widget = fnWidgetDao.getOne(onboardingWidgetId);
 if (widget != null && widget.getAppId() != null) { // widget exists
- if (!this.isUserAdminOfAppForWidget(adminRolesService.isSuperAdmin(user), user.getId(),
+ if (!this.isUserAdminOfAppForWidget(adminRolesService.isSuperAdmin(user), user.getUserId(),
 widget.getAppId())) {
 fieldsValidator.setHttpStatusCode((long) HttpServletResponse.SC_FORBIDDEN);
 } else {
diff --git a/portal-BE/src/main/java/org/onap/portal/service/fn/FnUserRoleService.java b/portal-BE/src/main/java/org/onap/portal/service/fn/FnUserRoleService.java new file mode 100644
index 00000000..4b24f9f3
--- /dev/null
+++ b/portal-BE/src/main/java/org/onap/portal/service/fn/FnUserRoleService.java
@@ -0,0 +1,65 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal + * =================================================================== + * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * Modifications Copyright (c) 2019 Samsung + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ * + * ============LICENSE_END============================================ + * + * + */ + +package org.onap.portal.service.fn; + +import java.util.ArrayList; +import java.util.List; +import org.onap.portal.dao.fn.FnUserRoleDao; +import org.onap.portal.domain.db.fn.FnUserRole; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; +import org.springframework.transaction.annotation.Transactional; + +@Service +@Transactional +public class FnUserRoleService { + + private final FnUserRoleDao fnUserRoleDao; + + @Autowired + public FnUserRoleService(FnUserRoleDao fnUserRoleDao) { + this.fnUserRoleDao = fnUserRoleDao; + } + + public List<FnUserRole> getAdminUserRoles(final Long userId, final Long roleId, final Long appId) { + return fnUserRoleDao.getAdminUserRoles(userId, roleId, appId).orElse(new ArrayList<>()); + } +} diff --git a/portal-BE/src/test/java/org/onap/portal/controller/WidgetsControllerTest.java b/portal-BE/src/test/java/org/onap/portal/controller/WidgetsControllerTest.java index 0f277471..48035908 100644 --- a/portal-BE/src/test/java/org/onap/portal/controller/WidgetsControllerTest.java +++ b/portal-BE/src/test/java/org/onap/portal/controller/WidgetsControllerTest.java @@ -44,6 +44,7 @@ import static junit.framework.TestCase.assertEquals; import static junit.framework.TestCase.assertNull; import static org.mockito.Mockito.when; +import java.io.IOException; import java.time.LocalDateTime; import java.util.ArrayList; import java.util.List; @@ -58,6 +59,7 @@ import org.onap.portal.domain.db.fn.FnUser; import org.onap.portal.domain.db.fn.FnWidget; import org.onap.portal.domain.dto.transport.FieldsValidator; import org.onap.portal.domain.dto.transport.OnboardingWidget; +import org.onap.portal.domain.dto.transport.WidgetCatalogPersonalization; import org.onap.portal.framework.MockitoTestSuite; import org.onap.portal.service.WidgetService; import org.springframework.beans.factory.annotation.Autowired; 
@@ -118,7 +120,8 @@ public class WidgetsControllerTest { @Test public void getOnboardingWidgetsUserTest() { - UsernamePasswordAuthenticationToken notQuestprincipal = new UsernamePasswordAuthenticationToken("notQuestUser", + UsernamePasswordAuthenticationToken notQuestprincipal = new UsernamePasswordAuthenticationToken( + "notQuestUser", "demo123"); fnUserDao.save(notQuestUser); List<OnboardingWidget> expected = new ArrayList<>(); @@ -133,7 +136,8 @@ public class WidgetsControllerTest { @Test public void getOnboardingWidgetsWrongHeaderTest() { - UsernamePasswordAuthenticationToken notQuestprincipal = new UsernamePasswordAuthenticationToken("notQuestUser", + UsernamePasswordAuthenticationToken notQuestprincipal = new UsernamePasswordAuthenticationToken( + "notQuestUser", "demo123"); fnUserDao.save(notQuestUser); when(request.getHeader("X-Widgets-Type")).thenReturn("test"); @@ -147,8 +151,6 @@ public class WidgetsControllerTest { @Test public void putOnboardingWidgetSameWidget() { //Given - UsernamePasswordAuthenticationToken notQuestprincipal = new UsernamePasswordAuthenticationToken("cs0008", - "demo123"); fnUserDao.save(notQuestUser); when(request.getHeader("X-Widgets-Type")).thenReturn("managed"); @@ -162,7 +164,6 @@ public class WidgetsControllerTest { .url("testurl") .build(); - FnWidget fnWidget = FnWidget.builder() .name("Application") .appId(453L) @@ -175,7 +176,8 @@ public class WidgetsControllerTest { FieldsValidator expected = new FieldsValidator(); //When - FieldsValidator actual = widgetsController.putOnboardingWidget(principal, fnWidget.getWidgetId(), onboardingWidget, response); + FieldsValidator actual = widgetsController + .putOnboardingWidget(principal, fnWidget.getWidgetId(), onboardingWidget, response); //Then assertEquals(expected.getErrorCode(), actual.getErrorCode()); assertEquals(expected.getHttpStatusCode(), actual.getHttpStatusCode()); 
@@ -185,8 +187,6 @@ public class WidgetsControllerTest { @Test public void putOnboardingWidgetAOP() { //Given - UsernamePasswordAuthenticationToken notQuestprincipal = new UsernamePasswordAuthenticationToken("cs0008", - "demo123"); fnUserDao.save(notQuestUser); when(request.getHeader("X-Widgets-Type")).thenReturn("managed"); @@ -200,7 +200,6 @@ public class WidgetsControllerTest { .url("testurl") .build(); - FnWidget fnWidget = FnWidget.builder() .name("Application") .appId(1421L) @@ -215,7 +214,8 @@ public class WidgetsControllerTest { expected.setHttpStatusCode(406L); expected.addProblematicFieldName("appName can't be blank, appId value must be higher than 1"); //When - FieldsValidator actual = widgetsController.putOnboardingWidget(principal, fnWidget.getWidgetId(), onboardingWidget, response); + FieldsValidator actual = widgetsController + .putOnboardingWidget(principal, fnWidget.getWidgetId(), onboardingWidget, response); //Then assertEquals(expected.getHttpStatusCode(), actual.getHttpStatusCode()); assertEquals(expected.getFields().size(), actual.getFields().size()); @@ -224,8 +224,6 @@ public class WidgetsControllerTest { @Test public void putOnboardingWidgetAOPXSSTest() { //Given - UsernamePasswordAuthenticationToken notQuestprincipal = new UsernamePasswordAuthenticationToken("cs0008", - "demo123"); fnUserDao.save(notQuestUser); when(request.getHeader("X-Widgets-Type")).thenReturn("managed"); 
@@ -241,9 +239,37 @@ public class WidgetsControllerTest { FieldsValidator expected = new FieldsValidator(); expected.setHttpStatusCode(406L); - expected.addProblematicFieldName("appName may have unsafe html content, name may have unsafe html content"); + expected.addProblematicFieldName( + "appName may have unsafe html content, name may have unsafe html content"); //When - FieldsValidator actual = widgetsController.putOnboardingWidget(principal, 15L, onboardingWidget, response); + FieldsValidator actual = widgetsController + .putOnboardingWidget(principal, 15L, onboardingWidget, response); + //Then + assertEquals(expected.getHttpStatusCode(), actual.getHttpStatusCode()); + assertEquals(expected.getFields().size(), actual.getFields().size()); + } + + @Test + public void postOnboardingWidgetXSS() { + //Given + fnUserDao.save(notQuestUser); + when(request.getHeader("X-Widgets-Type")).thenReturn("managed"); + + OnboardingWidget onboardingWidget = OnboardingWidget.builder() + .id(123L) + .name("<script>alert(“XSS”);</script>\n") + .appId(34L) + .appName("<ScRipT>alert(\"XSS\");</ScRipT>") + .width(123) + .height(45) + .url("testurl") + .build(); + + FieldsValidator expected = new FieldsValidator(); + expected.setHttpStatusCode(406L); + expected.addProblematicFieldName("appName may have unse html content, name may have unsafe html content"); + //When + FieldsValidator actual = widgetsController.postOnboardingWidget(principal, response, onboardingWidget); //Then assertEquals(expected.getHttpStatusCode(), actual.getHttpStatusCode()); assertEquals(expected.getFields().size(), actual.getFields().size()); 
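Review bot: `postOnboardingWidgetXSS` asserts only `getHttpStatusCode()` and `getFields().size()`, so the expected message `"appName may have unse html content, name may have unsafe html content"` (note the typo) is never compared and the test cannot distinguish a rejection for unsafe HTML from any other single-field 406. Assert on the problematic field text as well; the accessor FieldsValidator exposes for its field entries is not visible in this diff, but the existing `addProblematicFieldName` suggests one exists. The same weakness applies to the `putOnboardingWidgetAOPXSSTest` assertions at the top of this hunk.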
@@ -251,17 +277,84 @@ public class WidgetsControllerTest {
 @Test
 public void postOnboardingWidget() {
+ //Given
+ fnUserDao.save(notQuestUser);
+ when(request.getHeader("X-Widgets-Type")).thenReturn("managed");
+
+ OnboardingWidget onboardingWidget = OnboardingWidget.builder()
+ .id(123L)
+ .name("appname")
+ .appId(34L)
+ .appName("appname")
+ .width(123)
+ .height(45)
+ .url("testurl")
+ .build();
+
+ FieldsValidator expected = new FieldsValidator();
+ expected.setHttpStatusCode(200L);
+ //When
+ FieldsValidator actual = widgetsController.postOnboardingWidget(principal, response, onboardingWidget);
+ //Then
+ assertEquals(expected.getHttpStatusCode(), actual.getHttpStatusCode());
+ assertEquals(expected.getFields().size(), actual.getFields().size());
 }
 @Test
- public void deleteOnboardingWidget() {
+ public void deleteOnboardingWidgetSCFORBIDDEN() {
+ //Given
+ fnUserDao.save(notQuestUser);
+ when(request.getHeader("X-Widgets-Type")).thenReturn("managed");
+
+ OnboardingWidget onboardingWidget = OnboardingWidget.builder()
+ .id(123L)
+ .name("")
+ .appId(1L)
+ .appName("rtyrty")
+ .width(123)
+ .height(45)
+ .url("testurl")
+ .build();
+
+ FnWidget fnWidget = FnWidget.builder()
+ .name("Application")
+ .appId(1421L)
+ .width(123)
+ .height(45)
+ .url("testurl")
+ .build();
+
+ widgetService.saveOne(fnWidget);
+
+
+ FieldsValidator expected = new FieldsValidator();
+ expected.setHttpStatusCode(403L);
+ expected.addProblematicFieldName("appName can't be blank, appId value must be higher than 1");
+
+ //When
+ widgetsController.putOnboardingWidget(principal, fnWidget.getWidgetId(), onboardingWidget, response);
+
+ FieldsValidator actual = widgetsController.deleteOnboardingWidget(principal, response, fnWidget.getWidgetId());
+ //Then
+ assertEquals(expected.getHttpStatusCode(), actual.getHttpStatusCode());
 }
 @Test
- public void putWidgetCatalogSelection() {
+ public void putWidgetCatalogSelection() throws IOException {
+ //Give
+ WidgetCatalogPersonalization personalization = new WidgetCatalogPersonalization(7L, true);
+
+ FieldsValidator expected = new FieldsValidator();
+ expected.setHttpStatusCode(200L);
+ expected.addProblematicFieldName("");
+ //When
+ FieldsValidator actual = widgetsController.putWidgetCatalogSelection(principal, personalization, response);
+ //Then
+ assertEquals(expected.getHttpStatusCode(), actual.getHttpStatusCode());
 }
- private FnUser getQuestUser(){
+ private FnUser getQuestUser() {
 return FnUser.builder()
 .loginId("questUser")
 .loginPwd("demo123")
@@ -275,7 +368,7 @@ public class WidgetsControllerTest {
 .build();
 }
- private FnUser getNotQuestUser(){
+ private FnUser getNotQuestUser() {
 return FnUser.builder()
 .loginId("notQuestUser")
 .loginPwd("demo123")
@@ -289,7 +382,7 @@ public class WidgetsControllerTest {
 .build();
 }
- private FnLanguage getFnLanguage(){
+ private FnLanguage getFnLanguage() {
 return FnLanguage.builder().languageName("Polish").languageAlias("Pl").build();
 }
 }
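Review bot: In `deleteOnboardingWidgetSCFORBIDDEN` the return value of `widgetsController.putOnboardingWidget(...)` is discarded and the `expected.addProblematicFieldName("appName can't be blank, appId value must be higher than 1")` line is never compared, so the test only checks that `deleteOnboardingWidget` returns 403 and does not show whether the preceding put was expected to fail validation; either capture and assert the put's validator or drop the unused expectation. `putWidgetCatalogSelection` has the same pattern with `expected.addProblematicFieldName("")` on a 200 expectation, which looks like a leftover, and its `//Give` comment should read `//Given`. The two consecutive blank lines after `widgetService.saveOne(fnWidget);` should be reduced to one. The enclosing test class continues outside the hunk.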
\ No newline at end of file |