authorst782s <statta@research.att.com>2017-11-22 11:41:10 -0500
committerSunder Tattavarada <statta@research.att.com>2017-11-28 20:24:36 +0000
commited07ebfbce4031ef4dfbd2f42147f6a7b351aeb8 (patch)
treeee4a6e53f01f15057f32b86f271c9b6d02b25615 /ecomp-sdk/epsdk-fw/src/main
parent418d7273d6d8f6fed2698df89c9910be8498a677 (diff)
Harden code
Issue-ID: PORTAL-145,PORTAL-119 Harden code to address SQL injection, XSS vulnerabilities; Separate docker images for portal, sdk app and DMaaPBC ui Change-Id: I85fad4d3fcee3243207b8f0dfe21beaa41602204 Signed-off-by: st782s <statta@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-fw/src/main')
-rw-r--r--ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java28
-rw-r--r--ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java143
-rw-r--r--ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java46
-rw-r--r--ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java123
4 files changed, 305 insertions, 35 deletions
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java
index 91f019be..a752055f 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java
@@ -51,7 +51,6 @@ import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
import org.onap.portalsdk.core.onboarding.util.PortalApiProperties;
import org.owasp.esapi.ESAPI;
-
/**
* Simple REST client for GET, POST and DELETE operations against the Portal
* application.
@@ -211,7 +210,9 @@ public class RestWebServiceClient {
// add request header
con.setRequestProperty("uebkey", appUebKey);
- con.setRequestProperty("LoginId", ESAPI.encoder().canonicalize(loginId));
+ if (loginId != null) {
+ con.setRequestProperty("LoginId", ESAPI.encoder().canonicalize(loginId));
+ }
con.setRequestProperty("user-agent", appName);
con.setRequestProperty("X-ECOMP-RequestID", requestId);
con.setRequestProperty("username", appUserName);
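Review bot: The added `if (loginId != null)` only avoids the NPE from `canonicalize(null)`; it does not validate what ends up in the header. `ESAPI.encoder().canonicalize` is a normalization step (it decodes to a canonical form), not an output encoder or a validator, so a loginId with unexpected characters is passed on to `setRequestProperty` as-is by this code — whether the connection implementation rejects control characters is not visible here. Validate the canonicalized value against the expected identifier format (a strict regex or `ESAPI.validator()`) and reject otherwise, e.g. `if (!LOGIN_ID.matcher(canonical).matches()) throw new IllegalArgumentException("invalid loginId");`. The neighbouring headers (`appName`, `requestId`, `appUserName`) are set without any check, so the same applies if they are caller-supplied. The enclosing method starts and ends outside the hunk.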
@@ -527,31 +528,10 @@ public class RestWebServiceClient {
int bytes;
while ((bytes = in.read(buf)) > 0)
sb.append(new String(buf, 0, bytes));
- }
- catch (Exception ex) {
+ } catch (Exception ex) {
logger.error("readAndCloseStream", ex);
}
return sb.toString();
}
- /**
- * Basic unit test for the client to call Portal app on localhost.
- *
- * @param args
- * Ignored
- * @throws IOException
- * On failure
- */
- public static void main(String[] args) throws IOException {
- RestWebServiceClient client = RestWebServiceClient.getInstance();
- final String getUrl = "http://www.ecomp.openecomp.org:8080/ecompportal/auxapi/analytics";
- String get = client.get(getUrl, "userId", "appName", null, "appUebKey", "appUserName", "appPassword", null);
- System.out.println("Get result:\n" + get);
- final String postUrl = "http://www.ecomp.openecomp.org:8080/ecompportal/auxapi/storeAnalytics";
- final String content = " { " + " \"action\" : \"test1\", " + " \"page\" : \"test2\", "
- + " \"function\" : \"test3\", " + " \"userid\" : \"ab1234\" " + "}";
- String post = client.post(postUrl, "userId", "appName", null, "appUebKey", "appUserName", "appPassword",
- "application/json", content, true);
- System.out.println("Post result:\n" + post);
- }
}
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java
index 92d9ffc3..ba95d870 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java
@@ -40,14 +40,17 @@ package org.onap.portalsdk.core.onboarding.util;
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.onap.portalsdk.core.onboarding.exception.CipherUtilException;
@@ -59,10 +62,19 @@ public class CipherUtil {
/**
* Default key.
*/
- private final static String key = "AGLDdG4D04BKm2IxIWEr8o==!";
+ private static final String keyString = KeyProperties.getProperty(KeyConstants.CIPHER_ENCRYPTION_KEY);
+
+ private static final String ALGORITHM = "AES";
+ private static final String ALGORYTHM_DETAILS = ALGORITHM + "/CBC/PKCS5PADDING";
+ private static final int BLOCK_SIZE = 128;
+ @SuppressWarnings("unused")
+ private static SecretKeySpec secretKeySpec;
+ private static IvParameterSpec ivspec;
/**
- * Encrypts the text using the specified secret key.
+ * @deprecated Please use {@link #encryptPKC(String)} to encrypt the text.
+ *
+ * Encrypts the text using the specified secret key.
*
* @param plainText
* Text to encrypt
@@ -71,7 +83,9 @@ public class CipherUtil {
* @return encrypted version of plain text.
* @throws CipherUtilException
* if any encryption step fails
+ *
*/
+ @Deprecated
public static String encrypt(String plainText, String secretKey) throws CipherUtilException {
String encryptedString = null;
try {
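Review bot: `keyString` is resolved once at class initialization from `KeyProperties.getProperty(KeyConstants.CIPHER_ENCRYPTION_KEY)`; when `key.properties` is missing or lacks the key the field stays null for the life of the JVM, and the misconfiguration surfaces only on the first encrypt or decrypt call, presumably as an `IllegalArgumentException` from `SecretKeySpec` wrapped in a `CipherUtilException` — a static initializer that checks the value and logs `"cipher.enc.key not found in key.properties"` would make it visible at startup. In the first Javadoc of this hunk (and likewise on `encrypt(String)`, `decrypt(String, String)` and `decrypt(String)`), `@deprecated` is a block tag placed before the description, so "Encrypts the text using the specified secret key." becomes part of the deprecation text instead of the method summary; move the description above the tag. `secretKeySpec` is declared, suppressed as unused and never assigned, and can be removed; `ALGORYTHM_DETAILS` is misspelled (`ALGORITHM_DETAILS`).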
@@ -90,7 +104,8 @@ public class CipherUtil {
}
/**
- * Encrypts the text using a default secret key.
+ * @deprecated Please use {@link #encryptPKC(String)} to encrypt the text.
+ * Encrypts the text using the secret key in key.properties file.
*
* @param plainText
* Text to encrypt
@@ -98,12 +113,29 @@ public class CipherUtil {
* @throws CipherUtilException
* if any decryption step fails
*/
+ @Deprecated
public static String encrypt(String plainText) throws CipherUtilException {
- return CipherUtil.encrypt(plainText, key);
+ return CipherUtil.encrypt(plainText, keyString);
}
/**
- * Decrypts the text using the specified secret key.
+ * Encrypts the text using a secret key.
+ *
+ * @param plainText
+ * Text to encrypt
+ * @return Encrypted Text
+ * @throws CipherUtilException
+ * if any decryption step fails
+ */
+ public static String encryptPKC(String plainText) throws CipherUtilException {
+ return CipherUtil.encryptPKC(plainText, keyString);
+ }
+
+ /**
+ *
+ * @deprecated Please use {@link #decryptPKC(String)} to Decryption the text.
+ *
+ * Decrypts the text using the specified secret key.
*
* @param encryptedText
* Text to decrypt
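Review bot: The Javadoc on the new `encryptPKC(String)` says `@throws CipherUtilException if any decryption step fails`, copied from the decrypt method; it should read `if any encryption step fails`. The same copy-paste remains on the deprecated `encrypt(String)` just above it. The deprecation text `to Decryption the text` should read `to decrypt the text`.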
@@ -112,7 +144,9 @@ public class CipherUtil {
* @return plain text version of encrypted text
* @throws CipherUtilException
* if any decryption step fails
+ *
*/
+ @Deprecated
public static String decrypt(String encryptedText, String secretKey) throws CipherUtilException {
String encryptedString = null;
try {
@@ -130,8 +164,79 @@ public class CipherUtil {
return encryptedString;
}
+ private static SecretKeySpec getSecretKeySpec() {
+ byte[] key = Base64.decodeBase64(keyString);
+ return new SecretKeySpec(key, ALGORITHM);
+ }
+
+ private static SecretKeySpec getSecretKeySpec(String keyString) {
+ byte[] key = Base64.decodeBase64(keyString);
+ return new SecretKeySpec(key, ALGORITHM);
+ }
+
/**
- * Decrypts the text using a default secret key.
+ * Encrypt the text using the secret key in key.properties file
+ *
+ * @param value
+ * @return The encrypted string
+ * @throws BadPaddingException
+ * @throws CipherUtilException
+ * In case of issue with the encryption
+ */
+ public static String encryptPKC(String value, String skey) throws CipherUtilException {
+ Cipher cipher = null;
+ byte[] iv = null, finalByte = null;
+
+ try {
+ cipher = Cipher.getInstance(ALGORYTHM_DETAILS, "SunJCE");
+
+ SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
+ iv = new byte[BLOCK_SIZE / 8];
+ r.nextBytes(iv);
+ ivspec = new IvParameterSpec(iv);
+ cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(skey), ivspec);
+ finalByte = cipher.doFinal(value.getBytes());
+
+ } catch (Exception ex) {
+ logger.error("encrypt failed", ex);
+ throw new CipherUtilException(ex);
+ }
+ return Base64.encodeBase64String(ArrayUtils.addAll(iv, finalByte));
+ }
+
+ /**
+ * Decrypts the text using the secret key in key.properties file.
+ *
+ * @param message
+ * The encrypted string that must be decrypted using the ecomp
+ * Encryption Key
+ * @return The String decrypted
+ * @throws CipherUtilException
+ * if any decryption step fails
+ */
+ public static String decryptPKC(String message, String skey) throws CipherUtilException {
+ byte[] encryptedMessage = Base64.decodeBase64(message);
+ Cipher cipher;
+ byte[] decrypted = null;
+ try {
+ cipher = Cipher.getInstance(ALGORYTHM_DETAILS, "SunJCE");
+ ivspec = new IvParameterSpec(ArrayUtils.subarray(encryptedMessage, 0, BLOCK_SIZE / 8));
+ byte[] realData = ArrayUtils.subarray(encryptedMessage, BLOCK_SIZE / 8, encryptedMessage.length);
+ cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(skey), ivspec);
+ decrypted = cipher.doFinal(realData);
+
+ } catch (Exception ex) {
+ logger.error("decrypt failed", ex);
+ throw new CipherUtilException(ex);
+ }
+
+ return new String(decrypted);
+ }
+
+ /**
+ * @deprecated Please use {@link #decryptPKC(String)} to Decrypt the text.
+ *
+ * Decrypts the text using the secret key in key.properties file.
*
* @param encryptedText
* Text to decrypt
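Review bot: `ivspec` is a static field written by `encryptPKC` at `ivspec = new IvParameterSpec(iv);` and read on the next line by `cipher.init(...)`, so two threads encrypting concurrently can initialize the cipher with each other's IV while prepending their own `iv` to the output, yielding ciphertext that no longer decrypts; the same window exists in `decryptPKC`. Make it a local in both methods and drop the field. `value.getBytes()` and `new String(decrypted)` use the platform default charset, so text encrypted on one host may decrypt differently on another — pass `StandardCharsets.UTF_8` (requires importing `java.nio.charset.StandardCharsets`). AES/CBC with PKCS5 padding provides confidentiality only: a modified or truncated message is either decrypted to garbage or rejected solely by a padding error, so if callers need tamper detection `AES/GCM/NoPadding` is the usual replacement. The Javadoc on `encryptPKC(String, String)` declares `@throws BadPaddingException`, which the method does not throw, and documents neither `skey` nor the IV-prefix output format that `decryptPKC` depends on; the no-argument `getSecretKeySpec()` is unused.
```java
public static String encryptPKC(String value, String skey) throws CipherUtilException {
    // … unchanged: cipher lookup, SecureRandom and iv generation …
    IvParameterSpec ivspec = new IvParameterSpec(iv); // local, never shared between calls
    cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(skey), ivspec);
    finalByte = cipher.doFinal(value.getBytes(StandardCharsets.UTF_8));
    // … unchanged: error handling and Base64 encoding of iv + finalByte …

public static String decryptPKC(String message, String skey) throws CipherUtilException {
    // … unchanged: Base64 decode and cipher lookup …
    IvParameterSpec ivspec = new IvParameterSpec(ArrayUtils.subarray(encryptedMessage, 0, BLOCK_SIZE / 8));
    // … unchanged: realData, init, doFinal, error handling …
    return new String(decrypted, StandardCharsets.UTF_8);
```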
@@ -139,11 +244,26 @@ public class CipherUtil {
* @throws CipherUtilException
* if any decryption step fails
*/
+ @Deprecated
public static String decrypt(String encryptedText) throws CipherUtilException {
- return CipherUtil.decrypt(encryptedText, key);
+ return CipherUtil.decrypt(encryptedText, keyString);
+ }
+
+ /**
+ *
+ * Decrypts the text using the secret key in key.properties file.
+ *
+ * @param encryptedText
+ * Text to decrypt
+ * @return Decrypted text
+ * @throws CipherUtilException
+ * if any decryption step fails
+ */
+ public static String decryptPKC(String encryptedText) throws CipherUtilException {
+ return CipherUtil.decryptPKC(encryptedText, keyString);
}
-/* public static void main(String[] args) throws CipherUtilException {
+ public static void main(String[] args) throws CipherUtilException {
String testValue = "Welcome123";
String encrypted;
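Review bot: The `main` method that was previously commented out is re-enabled here and ships inside the framework's cipher utility; as the following hunk shows it prints the plaintext and the ciphertext produced with the configured key to stdout, which is a debugging aid rather than library behaviour — move it to a test or a separate tool class. The method body continues past the end of the hunk.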
@@ -152,9 +272,9 @@ public class CipherUtil {
if (args.length != 2) {
System.out.println("Default password testing... ");
System.out.println("Plain password: " + testValue);
- encrypted = encrypt(testValue);
+ encrypted = encryptPKC(testValue);
System.out.println("Encrypted password: " + encrypted);
- decrypted = decrypt(encrypted);
+ decrypted = decryptPKC(encrypted);
System.out.println("Decrypted password: " + decrypted);
} else {
String whatToDo = args[0];
@@ -170,5 +290,6 @@ public class CipherUtil {
System.out.println("Encrypted Text" + encrypted);
}
}
- }*/
+ }
+
}
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java
new file mode 100644
index 00000000..096b04dc
--- /dev/null
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java
@@ -0,0 +1,46 @@
+/*
+ * ============LICENSE_START==========================================
+ * ONAP Portal SDK
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+package org.onap.portalsdk.core.onboarding.util;
+
+public interface KeyConstants {
+
+ // Names of keys in the key.properties file
+ public static final String CIPHER_ENCRYPTION_KEY = "cipher.enc.key";
+
+
+}
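Review bot: `KeyConstants` is an interface that exists only to hold a constant (the "constant interface" pattern), which lets any class `implements` it and leak the name into its public API; a final class with a private constructor is the usual form: `public final class KeyConstants {`, `private KeyConstants() {}`, `public static final String CIPHER_ENCRYPTION_KEY = "cipher.enc.key";`. The `public static final` modifiers on the field are implicit in an interface and redundant as written.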
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java
new file mode 100644
index 00000000..956d3b81
--- /dev/null
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java
@@ -0,0 +1,123 @@
+/*
+ * ============LICENSE_START==========================================
+ * ONAP Portal SDK
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+package org.onap.portalsdk.core.onboarding.util;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Properties;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * Searches the classpath for the file "key.properties".
+ *
+ * To put the file "key.properties" on the classpath, it can be in the same
+ * directory where the first package folder is - 'myClasses' folder in the
+ * following case as an example:
+ *
+ */
+public class KeyProperties {
+
+ private static final Log logger = LogFactory.getLog(KeyProperties.class);
+
+ private static Properties properties;
+ private static String propertyFileName = "key.properties";
+
+ private static final Object lockObject = new Object();
+
+ /**
+ * Constructor is private.
+ */
+ private KeyProperties() {
+ }
+
+ /**
+ * Gets the property value for the specified key. If a value is found, leading
+ * and trailing space is trimmed.
+ *
+ * @param property
+ * Property key
+ * @return Value for the named property; null if the property file was not
+ * loaded or the key was not found.
+ */
+ public static String getProperty(String property) {
+ if (properties == null) {
+ synchronized (lockObject) {
+ try {
+ if (!initialize()) {
+ logger.error("Failed to read property file " + propertyFileName);
+ return null;
+ }
+ } catch (IOException e) {
+ logger.error("Failed to read property file " + propertyFileName, e);
+ return null;
+ }
+ }
+ }
+ String value = properties.getProperty(property);
+ if (value != null)
+ value = value.trim();
+ return value;
+ }
+
+ /**
+ * Reads properties from a portal.properties file on the classpath.
+ *
+ * Clients do NOT need to call this method. Clients MAY call this method to test
+ * whether the properties file can be loaded successfully.
+ *
+ * @return True if properties were successfully loaded, else false.
+ * @throws IOException
+ * On failure
+ */
+ private static boolean initialize() throws IOException {
+ if (properties != null)
+ return true;
+ InputStream in = KeyProperties.class.getClassLoader().getResourceAsStream(propertyFileName);
+ if (in == null)
+ return false;
+ properties = new Properties();
+ try {
+ properties.load(in);
+ } finally {
+ in.close();
+ }
+ return true;
+ }
+}
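Review bot: `initialize()` assigns `properties = new Properties();` before `properties.load(in)`, and `getProperty` checks `properties == null` outside the lock, so a second thread can observe the empty, not-yet-loaded instance and get `null` for a key that exists; in `CipherUtil` that null is captured in a `static final` and never re-read. Load into a local and publish it only after `load` returns, and declare the field `private static volatile Properties properties;` so the unsynchronized read in `getProperty` sees the completed object. The stream can use try-with-resources instead of the manual `finally`. The Javadoc on `initialize()` names `portal.properties` but the file read is `key.properties`, and `propertyFileName` is never reassigned and can be `final`.
```java
private static boolean initialize() throws IOException {
    if (properties != null)
        return true;
    try (InputStream in = KeyProperties.class.getClassLoader().getResourceAsStream(propertyFileName)) {
        if (in == null)
            return false;
        Properties loaded = new Properties();
        loaded.load(in);
        properties = loaded; // publish only after the load has completed
    }
    return true;
}
```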