authorChristopher Lott (cl778h) <clott@research.att.com>2017-10-27 18:29:04 -0400
committerChristopher Lott (cl778h) <clott@research.att.com>2017-10-27 18:29:32 -0400
commitf11362ef34d550f8adff2067a136f660c1959e5e (patch)
tree9aa907d57f1aa2be733b567b25f4357ffd8b7f80
parente22eec55bf0815dd1c303ac5fb1c6e6f211a70f0 (diff)
Additional security fixes
Issue: PORTAL-135 Change-Id: I8574fbcd73d9a053e8a19d5a8e4219a4034b751e Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
-rw-r--r--ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/orm/Fusion.hbm.xml23
-rw-r--r--ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceCentralizedImpl.java55
-rw-r--r--ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceImpl.java45
3 files changed, 48 insertions, 75 deletions
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/orm/Fusion.hbm.xml b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/orm/Fusion.hbm.xml
index dc2e5df2..b2fa88f8 100644
--- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/orm/Fusion.hbm.xml
+++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/orm/Fusion.hbm.xml
@@ -385,12 +385,7 @@
<query name="getReportSecurityRoles">
select repId, orderNo, roleId, userId, readOnlyYn from ReportUserRole where repId = :report_id and roleId is not null
- </query>
-
-<!-- <query name="insertReportSecurityUsers">
- insert into ReportUserRole (repId, roleId, userId, readOnlyYn) values (:report_id, :role_id, :user_id, :read_only_yn)
- </query> -->
-
+ </query>
<query name="deleteReportSecurityUsers">
delete from ReportUserRole where repId = :report_id and userId =:user_id
@@ -402,10 +397,22 @@
<query name="getUserByProfileId">
select orgUserId from User where id = :user_id
- </query>
+ </query>
<query name="getUserIdByorgUserId">
select id from User where orgUserId = :orgUserId
- </query>
+ </query>
+
+ <query name="getUserByOrgUserId">
+ FROM User WHERE orgUserId = :org_user_id
+ </query>
+
+ <query name="getUserByLoginId">
+ FROM User WHERE loginId = :login_id
+ </query>
+
+ <query name="getUserByLoginIdLoginPwd">
+ FROM User WHERE loginId = :login_id and loginPwd = :login_pwd
+ </query>
</hibernate-mapping>
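Review bot: `getUserByLoginIdLoginPwd` lets the database decide the login by plain equality on `loginPwd`, so this query is only as safe as the value the service binds to `:login_pwd`; whether `findUser(String, String)` in LoginServiceImpl and LoginServiceCentralizedImpl (later in this diff) receives the raw credential or its stored, encoded form is not visible in this commit. Binding parameters instead of concatenating the old `login_id = '...'` criteria does close the HQL injection, but it says nothing about how that column is protected, and the name of the query will invite reuse. A mapping comment would make the contract explicit, e.g. `<!-- :login_pwd is compared verbatim against the stored column; callers must bind the stored representation, never a raw password -->`. The same caveat belongs on the two Java methods that bind this query.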
diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceCentralizedImpl.java b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceCentralizedImpl.java
index 749fdc38..54d1267a 100644
--- a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceCentralizedImpl.java
+++ b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceCentralizedImpl.java
@@ -72,11 +72,8 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS
@Autowired
private UserService userService;
- @SuppressWarnings("unused")
- private MenuBuilder menuBuilder;
-
@Override
- public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, Map additionalParams) throws IOException {
+ public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, @SuppressWarnings("rawtypes") Map additionalParams) throws IOException {
return findUser(bean, menuPropertiesFilename, additionalParams, true);
}
@@ -122,12 +119,12 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS
logger.error(EELFLoggerDelegate.errorLogger, "findUser failed", ex);
}
- User appuser = getUser(userCopy);
+ User appuser = findUserWithoutPwd(user.getLoginId());
appuser.setLastLoginDate(new Date());
// update the last logged in date for the user
- getDataAccessService().saveDomainObject(appuser, additionalParams);
+ dataAccessService.saveDomainObject(appuser, additionalParams);
// update the audit log of the user
// Check for the client device type and set log attributes
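Review bot: `appuser` is dereferenced on the line after the new call without a null check, and `findUserWithoutPwd` (rewritten later in this diff) returns null when the named query yields no row, so a login id that resolves through the REST lookup but has no local User row ends in a NullPointerException instead of a handled failure. The replaced `getUser(userCopy)` returned null in the same case, so the defect is inherited rather than introduced, but the rewrite is the moment to add an `if (appuser == null)` guard that logs through the same `logger.error(EELFLoggerDelegate.errorLogger, …)` channel used a few lines above and returns the way the enclosing findUser does for its other failures. The switch from `userCopy` to `user.getLoginId()` also assumes `user` is non-null here; that assignment is outside the hunk, as are the start and end of the enclosing method.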
@@ -154,6 +151,7 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS
private boolean userHasActiveRoles(User user) {
boolean hasActiveRole = false;
+ @SuppressWarnings("rawtypes")
Iterator roles = user.getRoles().iterator();
while (roles.hasNext()) {
Role role = (Role) roles.next();
@@ -165,60 +163,43 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS
return hasActiveRole;
}
- public User findUser(LoginBean bean) throws IOException {
+ private User findUser(LoginBean bean) throws IOException {
String repsonse = restApiRequestBuilder.getViaREST("/user/" + bean.getUserid(), true, bean.getUserid());
User user = userService.userMapper(repsonse);
user.setId(getUserIdByOrgUserId(user.getOrgUserId()));
return user;
}
- public Long getUserIdByOrgUserId(String orgUserId) {
+ private Long getUserIdByOrgUserId(String orgUserId) {
Map<String, String> params = new HashMap<>();
params.put("orgUserId", orgUserId);
@SuppressWarnings("rawtypes")
- List list = getDataAccessService().executeNamedQuery("getUserIdByorgUserId", params, null);
+ List list = dataAccessService.executeNamedQuery("getUserIdByorgUserId", params, null);
Long userId = null;
if (list != null && !list.isEmpty())
userId = (Long) list.get(0);
return userId;
}
- public User findUser(String loginId, String password) {
- StringBuilder criteria = new StringBuilder();
- criteria.append(" where login_id = '").append(loginId).append("'").append(" and login_pwd = '").append(password)
- .append("'");
- List list = getDataAccessService().getList(User.class, criteria.toString(), null, null);
+ @SuppressWarnings("rawtypes")
+ private User findUser(String loginId, String password) {
+ Map<String,String> params = new HashMap<>();
+ params.put("login_id", loginId);
+ params.put("login_pwd", password);
+ List list = dataAccessService.executeNamedQuery("getUserByLoginIdLoginPwd", params, new HashMap());
return (list == null || list.isEmpty()) ? null : (User) list.get(0);
}
+ @SuppressWarnings("rawtypes")
private User findUserWithoutPwd(String loginId) {
- StringBuilder criteria = new StringBuilder();
- criteria.append(" where login_id = '").append(loginId).append("'");
- List list = getDataAccessService().getList(User.class, criteria.toString(), null, null);
+ Map<String,String> params = new HashMap<>();
+ params.put("login_id", loginId);
+ List list = dataAccessService.executeNamedQuery("getUserByLoginId", params, new HashMap());
return (list == null || list.isEmpty()) ? null : (User) list.get(0);
}
- public DataAccessService getDataAccessService() {
- return dataAccessService;
- }
-
- public void setDataAccessService(DataAccessService dataAccessService) {
- this.dataAccessService = dataAccessService;
- }
-
- public MenuBuilder getMenuBuilder() {
+ private MenuBuilder getMenuBuilder() {
return new MenuBuilder();
}
- public void setMenuBuilder(MenuBuilder menuBuilder) {
- this.menuBuilder = menuBuilder;
- }
-
- public User getUser(User user) {
- StringBuilder criteria = new StringBuilder();
- criteria.append(" where login_id = '").append(user.getLoginId()).append("'");
- List list = getDataAccessService().getList(User.class, criteria.toString(), null, null);
- return (list == null || list.isEmpty()) ? null : (User) list.get(0);
- }
-
}
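Review bot: `findUser(String, String)` and `findUserWithoutPwd` now repeat the same build-params / `executeNamedQuery` / unwrap-first-element sequence, and LoginServiceImpl repeats it a third time for `findUser(LoginBean)`; one private helper would keep the empty-result-to-null handling in a single place. In the same hunk `getUserIdByOrgUserId` still passes `null` as the third argument of `executeNamedQuery` while the rewritten methods pass `new HashMap()`; if the DAO treats the two alike this is only an inconsistency, but it is worth aligning. The helper below is shown for this class; the three lookups in LoginServiceImpl have the same shape.

```java
/** Runs a named User query and returns the first hit, or null when there is none. */
@SuppressWarnings("rawtypes")
private User findSingleUser(String queryName, Map<String, String> params) {
    List list = dataAccessService.executeNamedQuery(queryName, params, new HashMap());
    return (list == null || list.isEmpty()) ? null : (User) list.get(0);
}

private User findUser(String loginId, String password) {
    Map<String, String> params = new HashMap<>();
    params.put("login_id", loginId);
    params.put("login_pwd", password);
    return findSingleUser("getUserByLoginIdLoginPwd", params);
}

private User findUserWithoutPwd(String loginId) {
    Map<String, String> params = new HashMap<>();
    params.put("login_id", loginId);
    return findSingleUser("getUserByLoginId", params);
}

// … unchanged: getMenuBuilder …
```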
diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceImpl.java b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceImpl.java
index 4d240972..d16a86d8 100644
--- a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceImpl.java
+++ b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceImpl.java
@@ -38,6 +38,7 @@
package org.onap.portalsdk.core.service;
import java.util.Date;
+import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
@@ -61,9 +62,6 @@ public class LoginServiceImpl extends FusionService implements LoginService {
private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(LoginServiceImpl.class);
- @SuppressWarnings("unused")
- private MenuBuilder menuBuilder;
-
@Autowired
private DataAccessService dataAccessService;
@@ -89,7 +87,6 @@ public class LoginServiceImpl extends FusionService implements LoginService {
}
if (user != null) {
-
// raise an error if the application is locked and the user does not have system
// administrator privileges
if (AppUtils.isApplicationLocked()
@@ -120,7 +117,7 @@ public class LoginServiceImpl extends FusionService implements LoginService {
// update the last logged in date for the user
user.setLastLoginDate(new Date());
- getDataAccessService().saveDomainObject(user, additionalParams);
+ dataAccessService.saveDomainObject(user, additionalParams);
// update the audit log of the user
// Check for the client device type and set log attributes appropriately
@@ -159,44 +156,32 @@ public class LoginServiceImpl extends FusionService implements LoginService {
}
@SuppressWarnings("rawtypes")
- public User findUser(String loginId, String password) {
- StringBuilder criteria = new StringBuilder();
- criteria.append(" where login_id = '").append(loginId).append("'").append(" and login_pwd = '").append(password)
- .append("'");
- List list = getDataAccessService().getList(User.class, criteria.toString(), null, null);
+ private User findUser(String loginId, String password) {
+ Map<String, String> params = new HashMap<>();
+ params.put("login_id", loginId);
+ params.put("login_pwd", password);
+ List list = dataAccessService.executeNamedQuery("getUserByLoginIdLoginPwd", params, new HashMap());
return (list == null || list.isEmpty()) ? null : (User) list.get(0);
}
@SuppressWarnings("rawtypes")
private User findUserWithoutPwd(String loginId) {
- StringBuilder criteria = new StringBuilder();
- criteria.append(" where login_id = '").append(loginId).append("'");
- List list = getDataAccessService().getList(User.class, criteria.toString(), null, null);
+ Map<String, String> params = new HashMap<>();
+ params.put("login_id", loginId);
+ List list = dataAccessService.executeNamedQuery("getUserByLoginId", params, new HashMap());
return (list == null || list.isEmpty()) ? null : (User) list.get(0);
}
@SuppressWarnings("rawtypes")
- public User findUser(LoginBean bean) {
- StringBuilder criteria = new StringBuilder();
- criteria.append(" where org_user_id = '").append(bean.getUserid()).append("'");
- List list = getDataAccessService().getList(User.class, criteria.toString(), null, null);
+ private User findUser(LoginBean bean) {
+ Map<String, String> params = new HashMap<>();
+ params.put("org_user_id", bean.getUserid());
+ List list = dataAccessService.executeNamedQuery("getUserByOrgUserId", params, new HashMap());
return (list == null || list.isEmpty()) ? null : (User) list.get(0);
}
- public MenuBuilder getMenuBuilder() {
+ private MenuBuilder getMenuBuilder() {
return new MenuBuilder();
}
- public void setMenuBuilder(MenuBuilder menuBuilder) {
- this.menuBuilder = menuBuilder;
- }
-
- public DataAccessService getDataAccessService() {
- return dataAccessService;
- }
-
- public void setDataAccessService(DataAccessService dataAccessService) {
- this.dataAccessService = dataAccessService;
- }
-
}
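Review bot: Deleting `getDataAccessService`/`setDataAccessService` and narrowing `findUser(String, String)`, `findUser(LoginBean)` and `getMenuBuilder` to private changes the class's public surface, which is more than the title "Additional security fixes" announces; any subclass, test or other module that wired the DAO through the setter or called the lookups directly will stop compiling. LoginServiceCentralizedImpl makes the same cut earlier in this diff, and additionally drops `getUser(User)` outright. If nothing outside these classes uses them the change is fine, but that cannot be verified from the diff alone, so the commit message should state the intended API removal, or the accessors could be retained as `@Deprecated` delegates for one release.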