diff options
author | st782s <statta@research.att.com> | 2017-11-22 11:41:10 -0500 |
---|---|---|
committer | Sunder Tattavarada <statta@research.att.com> | 2017-11-28 20:24:36 +0000 |
commit | ed07ebfbce4031ef4dfbd2f42147f6a7b351aeb8 (patch) | |
tree | ee4a6e53f01f15057f32b86f271c9b6d02b25615 /ecomp-sdk/epsdk-fw/src/main | |
parent | 418d7273d6d8f6fed2698df89c9910be8498a677 (diff) |
Harden code
Issue-ID: PORTAL-145,PORTAL-119
Harden code to address SQL injecton, XSS vulnerabilities; Separate
docker images for portal, sdk app and DMaaPBC ui
Change-Id: I85fad4d3fcee3243207b8f0dfe21beaa41602204
Signed-off-by: st782s <statta@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-fw/src/main')
4 files changed, 305 insertions, 35 deletions
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java index 91f019be..a752055f 100644 --- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java +++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java @@ -51,7 +51,6 @@ import org.onap.portalsdk.core.onboarding.util.PortalApiConstants; import org.onap.portalsdk.core.onboarding.util.PortalApiProperties; import org.owasp.esapi.ESAPI; - /** * Simple REST client for GET, POST and DELETE operations against the Portal * application. @@ -211,7 +210,9 @@ public class RestWebServiceClient { // add request header con.setRequestProperty("uebkey", appUebKey); - con.setRequestProperty("LoginId", ESAPI.encoder().canonicalize(loginId)); + if (loginId != null) { + con.setRequestProperty("LoginId", ESAPI.encoder().canonicalize(loginId)); + } con.setRequestProperty("user-agent", appName); con.setRequestProperty("X-ECOMP-RequestID", requestId); con.setRequestProperty("username", appUserName); @@ -527,31 +528,10 @@ public class RestWebServiceClient { int bytes; while ((bytes = in.read(buf)) > 0) sb.append(new String(buf, 0, bytes)); - } - catch (Exception ex) { + } catch (Exception ex) { logger.error("readAndCloseStream", ex); } return sb.toString(); } - /** - * Basic unit test for the client to call Portal app on localhost. - * - * @param args - * Ignored - * @throws IOException - * On failure - */ - public static void main(String[] args) throws IOException { - RestWebServiceClient client = RestWebServiceClient.getInstance(); - final String getUrl = "http://www.ecomp.openecomp.org:8080/ecompportal/auxapi/analytics"; - String get = client.get(getUrl, "userId", "appName", null, "appUebKey", "appUserName", "appPassword", null); - System.out.println("Get result:\n" + get); - final String postUrl = "http://www.ecomp.openecomp.org:8080/ecompportal/auxapi/storeAnalytics"; - final String content = " { " + " \"action\" : \"test1\", " + " \"page\" : \"test2\", " - + " \"function\" : \"test3\", " + " \"userid\" : \"ab1234\" " + "}"; - String post = client.post(postUrl, "userId", "appName", null, "appUebKey", "appUserName", "appPassword", - "application/json", content, true); - System.out.println("Post result:\n" + post); - } } diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java index 92d9ffc3..ba95d870 100644 --- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java +++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java @@ -40,14 +40,17 @@ package org.onap.portalsdk.core.onboarding.util; import java.io.UnsupportedEncodingException; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; import javax.crypto.BadPaddingException; import javax.crypto.Cipher; import javax.crypto.IllegalBlockSizeException; import javax.crypto.NoSuchPaddingException; +import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; import org.apache.commons.codec.binary.Base64; +import org.apache.commons.lang.ArrayUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.onap.portalsdk.core.onboarding.exception.CipherUtilException; @@ -59,10 +62,19 @@ public class CipherUtil { /** * Default key. */ - private final static String key = "AGLDdG4D04BKm2IxIWEr8o==!"; + private static final String keyString = KeyProperties.getProperty(KeyConstants.CIPHER_ENCRYPTION_KEY); + + private static final String ALGORITHM = "AES"; + private static final String ALGORYTHM_DETAILS = ALGORITHM + "/CBC/PKCS5PADDING"; + private static final int BLOCK_SIZE = 128; + @SuppressWarnings("unused") + private static SecretKeySpec secretKeySpec; + private static IvParameterSpec ivspec; /** - * Encrypts the text using the specified secret key. + * @deprecated Please use {@link #encryptPKC(String)} to encrypt the text. + * + * Encrypts the text using the specified secret key. * * @param plainText * Text to encrypt @@ -71,7 +83,9 @@ public class CipherUtil { * @return encrypted version of plain text. * @throws CipherUtilException * if any encryption step fails + * */ + @Deprecated public static String encrypt(String plainText, String secretKey) throws CipherUtilException { String encryptedString = null; try { @@ -90,7 +104,8 @@ public class CipherUtil { } /** - * Encrypts the text using a default secret key. + * @deprecated Please use {@link #encryptPKC(String)} to encrypt the text. + * Encrypts the text using the secret key in key.properties file. * * @param plainText * Text to encrypt @@ -98,12 +113,29 @@ public class CipherUtil { * @throws CipherUtilException * if any decryption step fails */ + @Deprecated public static String encrypt(String plainText) throws CipherUtilException { - return CipherUtil.encrypt(plainText, key); + return CipherUtil.encrypt(plainText, keyString); } /** - * Decrypts the text using the specified secret key. + * Encrypts the text using a secret key. + * + * @param plainText + * Text to encrypt + * @return Encrypted Text + * @throws CipherUtilException + * if any decryption step fails + */ + public static String encryptPKC(String plainText) throws CipherUtilException { + return CipherUtil.encryptPKC(plainText, keyString); + } + + /** + * + * @deprecated Please use {@link #decryptPKC(String)} to Decryption the text. + * + * Decrypts the text using the specified secret key. * * @param encryptedText * Text to decrypt @@ -112,7 +144,9 @@ public class CipherUtil { * @return plain text version of encrypted text * @throws CipherUtilException * if any decryption step fails + * */ + @Deprecated public static String decrypt(String encryptedText, String secretKey) throws CipherUtilException { String encryptedString = null; try { @@ -130,8 +164,79 @@ public class CipherUtil { return encryptedString; } + private static SecretKeySpec getSecretKeySpec() { + byte[] key = Base64.decodeBase64(keyString); + return new SecretKeySpec(key, ALGORITHM); + } + + private static SecretKeySpec getSecretKeySpec(String keyString) { + byte[] key = Base64.decodeBase64(keyString); + return new SecretKeySpec(key, ALGORITHM); + } + /** - * Decrypts the text using a default secret key. + * Encrypt the text using the secret key in key.properties file + * + * @param value + * @return The encrypted string + * @throws BadPaddingException + * @throws CipherUtilException + * In case of issue with the encryption + */ + public static String encryptPKC(String value, String skey) throws CipherUtilException { + Cipher cipher = null; + byte[] iv = null, finalByte = null; + + try { + cipher = Cipher.getInstance(ALGORYTHM_DETAILS, "SunJCE"); + + SecureRandom r = SecureRandom.getInstance("SHA1PRNG"); + iv = new byte[BLOCK_SIZE / 8]; + r.nextBytes(iv); + ivspec = new IvParameterSpec(iv); + cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(skey), ivspec); + finalByte = cipher.doFinal(value.getBytes()); + + } catch (Exception ex) { + logger.error("encrypt failed", ex); + throw new CipherUtilException(ex); + } + return Base64.encodeBase64String(ArrayUtils.addAll(iv, finalByte)); + } + + /** + * Decrypts the text using the secret key in key.properties file. + * + * @param message + * The encrypted string that must be decrypted using the ecomp + * Encryption Key + * @return The String decrypted + * @throws CipherUtilException + * if any decryption step fails + */ + public static String decryptPKC(String message, String skey) throws CipherUtilException { + byte[] encryptedMessage = Base64.decodeBase64(message); + Cipher cipher; + byte[] decrypted = null; + try { + cipher = Cipher.getInstance(ALGORYTHM_DETAILS, "SunJCE"); + ivspec = new IvParameterSpec(ArrayUtils.subarray(encryptedMessage, 0, BLOCK_SIZE / 8)); + byte[] realData = ArrayUtils.subarray(encryptedMessage, BLOCK_SIZE / 8, encryptedMessage.length); + cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(skey), ivspec); + decrypted = cipher.doFinal(realData); + + } catch (Exception ex) { + logger.error("decrypt failed", ex); + throw new CipherUtilException(ex); + } + + return new String(decrypted); + } + + /** + * @deprecated Please use {@link #decryptPKC(String)} to Decrypt the text. + * + * Decrypts the text using the secret key in key.properties file. * * @param encryptedText * Text to decrypt @@ -139,11 +244,26 @@ public class CipherUtil { * @throws CipherUtilException * if any decryption step fails */ + @Deprecated public static String decrypt(String encryptedText) throws CipherUtilException { - return CipherUtil.decrypt(encryptedText, key); + return CipherUtil.decrypt(encryptedText, keyString); + } + + /** + * + * Decrypts the text using the secret key in key.properties file. + * + * @param encryptedText + * Text to decrypt + * @return Decrypted text + * @throws CipherUtilException + * if any decryption step fails + */ + public static String decryptPKC(String encryptedText) throws CipherUtilException { + return CipherUtil.decryptPKC(encryptedText, keyString); } -/* public static void main(String[] args) throws CipherUtilException { + public static void main(String[] args) throws CipherUtilException { String testValue = "Welcome123"; String encrypted; @@ -152,9 +272,9 @@ public class CipherUtil { if (args.length != 2) { System.out.println("Default password testing... "); System.out.println("Plain password: " + testValue); - encrypted = encrypt(testValue); + encrypted = encryptPKC(testValue); System.out.println("Encrypted password: " + encrypted); - decrypted = decrypt(encrypted); + decrypted = decryptPKC(encrypted); System.out.println("Decrypted password: " + decrypted); } else { String whatToDo = args[0]; @@ -170,5 +290,6 @@ public class CipherUtil { System.out.println("Encrypted Text" + encrypted); } } - }*/ + } + } diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java new file mode 100644 index 00000000..096b04dc --- /dev/null +++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java @@ -0,0 +1,46 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal SDK + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * ECOMP is a trademark and service mark of AT&T Intellectual Property. + */ +package org.onap.portalsdk.core.onboarding.util; + +public interface KeyConstants { + + // Names of keys in the key.properties file + public static final String CIPHER_ENCRYPTION_KEY = "cipher.enc.key"; + + +} diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java new file mode 100644 index 00000000..956d3b81 --- /dev/null +++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java @@ -0,0 +1,123 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal SDK + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * ECOMP is a trademark and service mark of AT&T Intellectual Property. + */ +package org.onap.portalsdk.core.onboarding.util; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Properties; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +/** + * Searches the classpath for the file "key.properties". + * + * To put the file "key.properties" on the classpath, it can be in the same + * directory where the first package folder is - 'myClasses' folder in the + * following case as an example: + * + */ +public class KeyProperties { + + private static final Log logger = LogFactory.getLog(KeyProperties.class); + + private static Properties properties; + private static String propertyFileName = "key.properties"; + + private static final Object lockObject = new Object(); + + /** + * Constructor is private. + */ + private KeyProperties() { + } + + /** + * Gets the property value for the specified key. If a value is found, leading + * and trailing space is trimmed. + * + * @param property + * Property key + * @return Value for the named property; null if the property file was not + * loaded or the key was not found. + */ + public static String getProperty(String property) { + if (properties == null) { + synchronized (lockObject) { + try { + if (!initialize()) { + logger.error("Failed to read property file " + propertyFileName); + return null; + } + } catch (IOException e) { + logger.error("Failed to read property file " + propertyFileName, e); + return null; + } + } + } + String value = properties.getProperty(property); + if (value != null) + value = value.trim(); + return value; + } + + /** + * Reads properties from a portal.properties file on the classpath. + * + * Clients do NOT need to call this method. Clients MAY call this method to test + * whether the properties file can be loaded successfully. + * + * @return True if properties were successfully loaded, else false. + * @throws IOException + * On failure + */ + private static boolean initialize() throws IOException { + if (properties != null) + return true; + InputStream in = KeyProperties.class.getClassLoader().getResourceAsStream(propertyFileName); + if (in == null) + return false; + properties = new Properties(); + try { + properties.load(in); + } finally { + in.close(); + } + return true; + } +} |