diff options
Diffstat (limited to 'ecomp-portal-BE-common')
13 files changed, 182 insertions, 61 deletions
diff --git a/ecomp-portal-BE-common/pom.xml b/ecomp-portal-BE-common/pom.xml index 1a04c40d..070ee05c 100644 --- a/ecomp-portal-BE-common/pom.xml +++ b/ecomp-portal-BE-common/pom.xml @@ -136,7 +136,7 @@ <dependency> <groupId>com.att.eelf</groupId> <artifactId>eelf-core</artifactId> - <version>1.0.0-oss</version> + <version>1.0.1-oss</version> </dependency> <dependency> <groupId>com.google.code.gson</groupId> @@ -204,7 +204,7 @@ <dependency> <groupId>org.hibernate</groupId> <artifactId>hibernate-validator</artifactId> - <version>5.2.5.Final</version> + <version>6.0.17.Final</version> </dependency> <!-- hibernate-core depends on dom4j, which has optional dependencies. On jenkins, contrary to doc, mvn 3.0.5 packages the optional dependencies @@ -284,23 +284,23 @@ <dependency> <groupId>org.apache.cxf</groupId> <artifactId>cxf-rt-rs-client</artifactId> - <version>3.1.16</version> + <version>3.3.3</version> </dependency> <!-- Mapper --> <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-annotations</artifactId> - <version>${fasterxml.version}</version> + <version>2.8.10</version> </dependency> <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-core</artifactId> - <version>${fasterxml.version}</version> + <version>2.8.10</version> </dependency> <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> - <version>${fasterxml.version}</version> + <version>2.8.11.4</version> </dependency> <dependency> <groupId>postgresql</groupId> @@ -311,7 +311,7 @@ <dependency> <groupId>org.elasticsearch</groupId> <artifactId>elasticsearch</artifactId> - <version>6.8.2</version> + <version>7.4.1</version> <exclusions> <exclusion> <groupId>org.apache.lucene</groupId> @@ -338,7 +338,7 @@ <dependency> <groupId>org.apache.tomcat</groupId> <artifactId>tomcat-websocket</artifactId> - <version>8.0.52</version> + <version>9.0.27</version> <scope>provided</scope> </dependency> <dependency> @@ -361,7 +361,7 @@ <dependency> <groupId>org.apache.poi</groupId> <artifactId>poi</artifactId> - <version>3.17</version> + <version>4.1.1</version> <exclusions> <exclusion> <groupId>commons-logging</groupId> @@ -391,7 +391,7 @@ <dependency> <groupId>org.apache.poi</groupId> <artifactId>poi-scratchpad</artifactId> - <version>3.17</version> + <version>4.1.1</version> <exclusions> <exclusion> <groupId>commons-logging</groupId> @@ -422,7 +422,7 @@ <dependency> <groupId>org.quartz-scheduler</groupId> <artifactId>quartz</artifactId> - <version>2.2.1</version> + <version>2.3.1</version> <exclusions> <!-- SDK brings a new version of c3p0 --> <exclusion> @@ -434,7 +434,7 @@ <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcprov-jdk15on</artifactId> - <version>1.60</version> + <version>1.64</version> </dependency> <dependency> <groupId>commons-codec</groupId> @@ -572,7 +572,7 @@ <dependency> <groupId>com.orbitz.consul</groupId> <artifactId>consul-client</artifactId> - <version>1.3.6</version> + <version>1.3.9</version> </dependency> <dependency> <groupId>commons-fileupload</groupId> @@ -605,17 +605,17 @@ <artifactId>jackson-jaxrs-json-provider</artifactId> <version>2.10.0</version> </dependency> - <!-- https://mvnrepository.com/artifact/org.glassfish.web/javax.el --> + <!-- https://mvnrepository.com/artifact/org.glassfish/javax.el --> <dependency> - <groupId>org.glassfish.web</groupId> + <groupId>org.glassfish</groupId> <artifactId>javax.el</artifactId> - <version>2.2.6</version> + <version>3.0.0</version> </dependency> <!-- https://mvnrepository.com/artifact/javax.el/el-api --> <dependency> <groupId>javax.el</groupId> - <artifactId>el-api</artifactId> - <version>2.2.1-b04</version> + <artifactId>javax.el-api</artifactId> + <version>3.0.0</version> </dependency> <!-- https://mvnrepository.com/artifact/org.jsoup/jsoup --> <dependency> @@ -626,7 +626,7 @@ <dependency> <groupId>org.glassfish.jersey.connectors</groupId> <artifactId>jersey-jetty-connector</artifactId> - <version>2.28</version> + <version>2.29.1</version> </dependency> <!-- Jacoco for offline instrumentation --> <dependency> @@ -672,7 +672,7 @@ <dependency> <groupId>com.thoughtworks.xstream</groupId> <artifactId>xstream</artifactId> - <version>1.4.11</version> + <version>1.4.11.1</version> </dependency> <dependency> <groupId>ch.qos.logback</groupId> @@ -752,7 +752,7 @@ <dependency> <groupId>com.alibaba</groupId> <artifactId>fastjson</artifactId> - <version>1.2.25</version> + <version>1.2.62</version> </dependency> </dependencies> diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java index 0be0d357..c34311c3 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java @@ -739,6 +739,11 @@ public class AppsController extends EPRestrictedBaseController { user = EPUserUtils.getUserSession(request); if (!adminRolesService.isSuperAdmin(user) && !adminRolesService.isAccountAdminOfAnyActiveorInactiveApplication(user, oldEPApp) ) { EcompPortalUtils.setBadPermissions(user, response, "putOnboardingApp"); + } else if(!dataValidator.isValid(modifiedOnboardingApp)){ + logger.error(EELFLoggerDelegate.errorLogger, "putOnboardingApp is not valid"); + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "POST result =", + response.getStatus()); + return fieldsValidator; } else { if((oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && !oldEPApp.getNameSpace().equalsIgnoreCase(modifiedOnboardingApp.nameSpace) && modifiedOnboardingApp.nameSpace!= null ) || (!oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && modifiedOnboardingApp.nameSpace!= null)) { diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/BasicAuthAccountController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/BasicAuthAccountController.java index 9024570c..f655d352 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/BasicAuthAccountController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/BasicAuthAccountController.java @@ -53,6 +53,7 @@ import org.onap.portalapp.portal.logging.aop.EPAuditLog; import org.onap.portalapp.portal.service.AdminRolesService; import org.onap.portalapp.portal.service.BasicAuthAccountService; import org.onap.portalapp.util.EPUserUtils; +import org.onap.portalapp.validation.DataValidator; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.EnableAspectJAutoProxy; @@ -74,6 +75,7 @@ public class BasicAuthAccountController extends EPRestrictedBaseController { private static final String ADMIN_ONLY_OPERATIONS = "Admin Only Operation! "; private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(BasicAuthAccountController.class); + private final DataValidator dataValidator = new DataValidator(); @Autowired private BasicAuthAccountService basicAuthAccountService; @@ -98,6 +100,8 @@ public class BasicAuthAccountController extends EPRestrictedBaseController { public PortalRestResponse<String> createBasicAuthAccount(HttpServletRequest request, HttpServletResponse response, @RequestBody BasicAuthCredentials newBasicAuthAccount) throws Exception { + + EPUser user = EPUserUtils.getUserSession(request); if (!adminRolesService.isSuperAdmin(user)) { return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, AUTHORIZATION_REQUIRED, @@ -108,7 +112,18 @@ public class BasicAuthAccountController extends EPRestrictedBaseController { return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, "newBasicAuthAccount cannot be null or empty"); } - long accountId = basicAuthAccountService.saveBasicAuthAccount(newBasicAuthAccount); + + if(!dataValidator.isValid(newBasicAuthAccount)){ + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "createBasicAuthAccount() failed, new credential are not safe", + ""); + } + + long accountId; + try { + accountId = basicAuthAccountService.saveBasicAuthAccount(newBasicAuthAccount); + } catch (Exception e){ + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, e.getMessage()); + } List<Long> endpointIdList = new ArrayList<>(); try { diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/FunctionalMenuController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/FunctionalMenuController.java index 4326eac3..97af4373 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/FunctionalMenuController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/FunctionalMenuController.java @@ -33,7 +33,7 @@ * * ============LICENSE_END============================================ * - * + * */ package org.onap.portalapp.portal.controller; @@ -71,9 +71,11 @@ import org.onap.portalapp.portal.transport.FunctionalMenuItemWithRoles; import org.onap.portalapp.portal.utils.EPCommonSystemProperties; import org.onap.portalapp.portal.utils.EcompPortalUtils; import org.onap.portalapp.util.EPUserUtils; +import org.onap.portalapp.validation.DataValidator; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.util.SystemProperties; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.EnableAspectJAutoProxy; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.RequestBody; @@ -86,12 +88,13 @@ import org.springframework.web.bind.annotation.RestController; * Supports menus at the top of the Portal app landing page. */ @RestController -@org.springframework.context.annotation.Configuration +@Configuration @EnableAspectJAutoProxy @EPAuditLog public class FunctionalMenuController extends EPRestrictedBaseController { private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(FunctionalMenuController.class); + private final DataValidator dataValidator = new DataValidator(); @Autowired private AdminRolesService adminRolesService; @@ -104,7 +107,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESTful service method to fetch all the FunctionalMenuItems. - * + * * @param request * HttpServletRequest * @param response @@ -127,7 +130,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESTful service method to get ONAP Portal Title. - * + * * @param request * HttpServletRequest * @param response @@ -152,7 +155,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { * RESTful service method to fetch all the FunctionalMenuItems, both active and * inactive, for the EditFunctionalMenu feature. Can only be accessed by the * portal admin. - * + * * @param request * HttpServletRequest * @param response @@ -182,7 +185,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESTful service method to fetch all the FunctionalMenuItems, active , for the * Functional menu in notification Tree feature. - * + * * @param request * HttpServletRequest * @param response @@ -209,7 +212,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESTful service method to fetch all FunctionalMenuItems associated with an * application. - * + * * @param request * HttpServletRequest * @param appId @@ -236,7 +239,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESTful service method to fetch all FunctionalMenuItems associated with the * applications and roles that a user has access to. - * + * * @param request * HttpServletRequest * @param orgUserId @@ -264,7 +267,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESTful service method to fetch all FunctionalMenuItems associated with the * applications and roles that the authenticated user has access to. - * + * * @param request * HttpServletRequest * @param response @@ -299,7 +302,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESTful service method to fetch the details for a functional menu item. * Requirement: you must be the ONAP portal super admin user. - * + * * @param request * HttpServletRequest * @param response @@ -333,9 +336,9 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESTful service method to create a new menu item. - * + * * Requirement: you must be the ONAP portal super admin user. - * + * * @param request * HttpServletRequest * @param response @@ -349,6 +352,14 @@ public class FunctionalMenuController extends EPRestrictedBaseController { @RequestBody FunctionalMenuItemWithRoles menuItemJson, HttpServletResponse response) { EPUser user = EPUserUtils.getUserSession(request); FieldsValidator fieldsValidator = null; + + if(!dataValidator.isValid(menuItemJson)){ + fieldsValidator = new FieldsValidator(); + logger.warn(EELFLoggerDelegate.debugLogger,"FunctionalMenuController.createFunctionalMenuItem not valid object"); + fieldsValidator.httpStatusCode = (long)HttpServletResponse.SC_NOT_ACCEPTABLE; + return fieldsValidator; + } + if (!adminRolesService.isSuperAdmin(user)) { logger.debug(EELFLoggerDelegate.debugLogger, "FunctionalMenuController.createFunctionalMenuItem bad permissions"); @@ -365,9 +376,9 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESTful service method to update an existing menu item - * + * * Requirement: you must be the ONAP portal super admin user. - * + * * @param request * HttpServletRequest * @param response @@ -381,6 +392,14 @@ public class FunctionalMenuController extends EPRestrictedBaseController { @RequestBody FunctionalMenuItemWithRoles menuItemJson, HttpServletResponse response) { EPUser user = EPUserUtils.getUserSession(request); FieldsValidator fieldsValidator = null; + + if(!dataValidator.isValid(menuItemJson)){ + fieldsValidator = new FieldsValidator(); + logger.warn(EELFLoggerDelegate.debugLogger,"FunctionalMenuController.createFunctionalMenuItem not valid object"); + fieldsValidator.httpStatusCode = (long)HttpServletResponse.SC_NOT_ACCEPTABLE; + return fieldsValidator; + } + if (!adminRolesService.isSuperAdmin(user)) { EcompPortalUtils.setBadPermissions(user, response, "editFunctionalMenuItem"); } else { @@ -395,7 +414,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESTful service method to delete a menu item - * + * * @param request * HttpServletRequest * @param response @@ -423,7 +442,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESTful service to regenerate table - * + * * @param request * HttpServletRequest * @param response @@ -450,7 +469,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESful service to set a favorite item. - * + * * @param request * HttpServletRequest * @param response @@ -476,7 +495,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESTful service to get favorites for the current user as identified in the * session - * + * * @param request * HttpServletRequest * @param response @@ -499,7 +518,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { /** * RESTful service to delete a favorite menu item for the current user as * identified in the session. - * + * * @param request * HttpServletRequest * @param response @@ -528,7 +547,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { * session (i.e., the CSP cookie); if that fails, calls the shared context * service to read the information from the database. Gives back what it found, * any of which may be null, as a JSON collection. - * + * * @param request * HttpServletRequest * @param response @@ -611,7 +630,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController { }; /** - * + * * @param request * HttpServletRequest * @param userId diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/MicroserviceController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/MicroserviceController.java index 3f507726..2e1a2b46 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/MicroserviceController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/MicroserviceController.java @@ -58,6 +58,7 @@ import org.onap.portalapp.portal.logging.aop.EPAuditLog; import org.onap.portalapp.portal.service.WidgetMService; import org.onap.portalapp.portal.service.MicroserviceService; import org.onap.portalapp.portal.utils.EcompPortalUtils; +import org.onap.portalapp.validation.DataValidator; import org.onap.portalsdk.core.util.SystemProperties; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.EnableAspectJAutoProxy; @@ -78,7 +79,7 @@ import org.springframework.web.client.RestTemplate; @EnableAspectJAutoProxy @EPAuditLog public class MicroserviceController extends EPRestrictedBaseController { - public static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory(); + private final DataValidator dataValidator = new DataValidator(); String whatService = "widgets-service"; RestTemplate template = new RestTemplate(); @@ -96,10 +97,7 @@ public class MicroserviceController extends EPRestrictedBaseController { return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "FAILURE", "MicroserviceData cannot be null or empty"); }else { - Validator validator = VALIDATOR_FACTORY.getValidator(); - - Set<ConstraintViolation<MicroserviceData>> constraintViolations = validator.validate(newServiceData); - if(!constraintViolations.isEmpty()){ + if(!dataValidator.isValid(newServiceData)){ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR", "MicroserviceData is not valid"); } @@ -129,10 +127,7 @@ public class MicroserviceController extends EPRestrictedBaseController { return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "FAILURE", "MicroserviceData cannot be null or empty"); }else { - Validator validator = VALIDATOR_FACTORY.getValidator(); - - Set<ConstraintViolation<MicroserviceData>> constraintViolations = validator.validate(newServiceData); - if(!constraintViolations.isEmpty()){ + if(!dataValidator.isValid(newServiceData)){ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR", "MicroserviceData is not valid"); } diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/BasicAuthCredentials.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/BasicAuthCredentials.java index f0e93bcb..6d8a3f87 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/BasicAuthCredentials.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/BasicAuthCredentials.java @@ -39,21 +39,24 @@ package org.onap.portalapp.portal.domain; import java.util.List; +import javax.validation.Valid; +import org.hibernate.validator.constraints.SafeHtml; import org.onap.portalsdk.core.domain.support.DomainVo; public class BasicAuthCredentials extends DomainVo { private static final long serialVersionUID = 1L; - public BasicAuthCredentials() { - - } - private Long id; + @SafeHtml private String applicationName; + @SafeHtml private String username; + @SafeHtml private String password; + @SafeHtml private String isActive; + @Valid private List<EPEndpoint> endpoints; public Long getId() { diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/EPEndpoint.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/EPEndpoint.java index 92c8572b..97ecbcbe 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/EPEndpoint.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/EPEndpoint.java @@ -37,6 +37,7 @@ */ package org.onap.portalapp.portal.domain; +import org.hibernate.validator.constraints.SafeHtml; import org.onap.portalsdk.core.domain.support.DomainVo; public class EPEndpoint extends DomainVo { @@ -48,6 +49,7 @@ public class EPEndpoint extends DomainVo { } private Long id; + @SafeHtml private String name; public Long getId() { diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImpl.java index 74cf1726..98b0f127 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImpl.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImpl.java @@ -49,6 +49,7 @@ import org.onap.portalapp.portal.domain.EPEndpoint; import org.onap.portalapp.portal.domain.EPEndpointAccount; import org.onap.portalapp.portal.logging.aop.EPMetricsLog; import org.onap.portalapp.portal.utils.EPCommonSystemProperties; +import org.onap.portalapp.validation.DataValidator; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.onboarding.util.CipherUtil; import org.onap.portalsdk.core.service.DataAccessService; @@ -62,12 +63,16 @@ import org.springframework.stereotype.Service; @EPMetricsLog public class BasicAuthAccountServiceImpl implements BasicAuthAccountService{ EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(MicroserviceServiceImpl.class); - + private final DataValidator dataValidator = new DataValidator(); @Autowired private DataAccessService dataAccessService; @Override public Long saveBasicAuthAccount(BasicAuthCredentials newCredential) throws Exception { + + if(!dataValidator.isValid(newCredential)){ + throw new Exception("saveBasicAuthAccount() failed, new credential are not safe"); + } if (newCredential.getPassword() != null) newCredential.setPassword(encryptedPassword(newCredential.getPassword())); try{ diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/FunctionalMenuItemWithRoles.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/FunctionalMenuItemWithRoles.java index 825cad46..9226f220 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/FunctionalMenuItemWithRoles.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/FunctionalMenuItemWithRoles.java @@ -39,6 +39,7 @@ package org.onap.portalapp.portal.transport; import java.io.Serializable; import java.util.List; +import org.hibernate.validator.constraints.SafeHtml; // This type is used to read the Json in from the API call from the Front End public class FunctionalMenuItemWithRoles implements Serializable { @@ -47,11 +48,11 @@ public class FunctionalMenuItemWithRoles implements Serializable { public Long menuId; public Integer column; - + @SafeHtml public String text; public Integer parentMenuId; - + @SafeHtml public String url; public Integer appid; diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java index 58745d22..f622faca 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java @@ -129,6 +129,33 @@ public class AppsControllerTest extends MockitoTestSuite{ MockEPUser mockUser = new MockEPUser(); @Test + public void putOnboardingAppXSSTest() { + EPUser user = mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + OnboardingApp onboardingApp = new OnboardingApp(); + onboardingApp.setUebTopicName("test<img src=‘~‘ onerror=prompt(123)>"); + Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(true); + Mockito.when(appService.modifyOnboardingApp(onboardingApp, user)).thenReturn(null); + Mockito.when(mockedResponse.getStatus()).thenReturn(200); + FieldsValidator actualFieldValidator = appsController.putOnboardingApp(mockedRequest, onboardingApp, + mockedResponse); + assertNull(actualFieldValidator); + } + + @Test + public void postOnboardingAppXSSTest() { + EPUser user = mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + OnboardingApp onboardingApp = new OnboardingApp(); + onboardingApp.setUebKey("test<img src=‘~‘ onerror=prompt(123)>"); + Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(true); + Mockito.when(appService.addOnboardingApp(onboardingApp, user)).thenReturn(null); + FieldsValidator actualFieldValidator = appsController.postOnboardingApp(mockedRequest, onboardingApp, + mockedResponse); + assertNull(actualFieldValidator); + } + + @Test public void getUserAppsTest() { EPUser user = mockUser.mockEPUser(); Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/BasicAuthAccountControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/BasicAuthAccountControllerTest.java index c9d3c2fd..ff056d0d 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/BasicAuthAccountControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/BasicAuthAccountControllerTest.java @@ -135,6 +135,28 @@ public class BasicAuthAccountControllerTest extends MockitoTestSuite { } @Test + public void createBasicAuthAccountXSSTest() throws Exception { + BasicAuthCredentials basicAuthCredentials = basicAuthCredentials(); + basicAuthCredentials.setPassword("<script>alert(“XSS”);</script>"); + + EPUser user = mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(true); + PortalRestResponse<String> expectedResponse = new PortalRestResponse<String>(); + expectedResponse.setMessage("createBasicAuthAccount() failed, new credential are not safe"); + expectedResponse.setResponse(""); + PortalRestStatusEnum portalRestStatusEnum = null; + expectedResponse.setStatus(portalRestStatusEnum.ERROR); + long accountd = 1; + + Mockito.when(basicAuthAccountService.saveBasicAuthAccount(basicAuthCredentials)).thenReturn(accountd); + + PortalRestResponse<String> actualResponse = basicAuthAccountController.createBasicAuthAccount(mockedRequest, + mockedResponse, basicAuthCredentials); + assertEquals(actualResponse, expectedResponse); + } + + @Test public void createBasicAuthAccountAdminTest() throws Exception { BasicAuthCredentials basicAuthCredentials = basicAuthCredentials(); EPUser user = mockUser.mockEPUser(); diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/FunctionalMenuControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/FunctionalMenuControllerTest.java index 84ee691e..79c85672 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/FunctionalMenuControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/FunctionalMenuControllerTest.java @@ -175,6 +175,24 @@ public class FunctionalMenuControllerTest extends MockitoTestSuite { } + @Test + public void editFunctionalMenuItemXSSTest(){ + FunctionalMenuItemWithRoles menuItemJson = new FunctionalMenuItemWithRoles(); + menuItemJson.url = "1<b>tes<img src=‘~‘ onerror=prompt(32)>t_menu"; + FieldsValidator actualFieldsValidator = new FieldsValidator(); + FieldsValidator expectedFieldsValidator = new FieldsValidator(); + List<FieldName> fields = new ArrayList<>(); + expectedFieldsValidator.setHttpStatusCode(406L); + expectedFieldsValidator.setFields(fields); + expectedFieldsValidator.setErrorCode(null); + EPUser user = mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(true); + Mockito.when(functionalMenuService.editFunctionalMenuItem(menuItemJson)).thenReturn(actualFieldsValidator); + actualFieldsValidator = functionalMenuController.editFunctionalMenuItem(mockedRequest, menuItemJson, mockedResponse); + assertEquals(actualFieldsValidator, expectedFieldsValidator); + } + @Test public void getAppListTestIfAppDoesnotExistsInBusinessCardApplicationRolesList() throws IOException { @@ -459,7 +477,7 @@ public class FunctionalMenuControllerTest extends MockitoTestSuite { Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(false); Mockito.when(functionalMenuService.createFunctionalMenuItem(menuItemJson)).thenReturn(expectedFieldsValidator); actualFieldsValidator = functionalMenuController.createFunctionalMenuItem(mockedRequest, menuItemJson, mockedResponse); - assertEquals(actualFieldsValidator, expectedFieldsValidator); + assertEquals(expectedFieldsValidator, actualFieldsValidator); } @Test @@ -574,7 +592,7 @@ public class FunctionalMenuControllerTest extends MockitoTestSuite { Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(false); Mockito.when(functionalMenuService.editFunctionalMenuItem(menuItemJson)).thenReturn(actualFieldsValidator); actualFieldsValidator = functionalMenuController.editFunctionalMenuItem(mockedRequest, menuItemJson, mockedResponse); - assertEquals(actualFieldsValidator, expectedFieldsValidator); + assertEquals(expectedFieldsValidator, actualFieldsValidator); } @Test diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImplTest.java index 4409a4fc..6382bef4 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImplTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImplTest.java @@ -79,6 +79,15 @@ public class BasicAuthAccountServiceImplTest { basicAuthAccountServiceImpl.saveBasicAuthAccount(basicAuthCredentials); } + + @Test(expected= Exception.class) + public void saveBasicAuthAccountValidTest() throws Exception { + BasicAuthCredentials basicAuthCredentials = new BasicAuthCredentials(); + basicAuthCredentials.setPassword("<IMG SRC=\"jav\tascript:alert('XSS');\">"); + Mockito.doNothing().when(dataAccessService).saveDomainObject(basicAuthCredentials, null); + basicAuthAccountServiceImpl.saveBasicAuthAccount(basicAuthCredentials); + + } @Test public void saveBasicAuthAccountTest_password() throws Exception{ |