PENTEST:Do not display stack trace for the api's

Issue-ID: PORTAL-654 PENTEST:Do not display stack trace for the api's and all users info for get_user api Change-Id: I68a4e3c7eba2628363275d63535290034591aa07 Signed-off-by: Kotta, Shireesha (sk434m) <sk434m@att.com>
author: Kotta, Shireesha (sk434m) <sk434m@att.com> 2019-06-28 15:27:29 -0400
committer: Kotta, Shireesha (sk434m) <sk434m@att.com> 2019-06-28 15:27:29 -0400
commit: 179ff1eb0c1ac9eef4d152c47df5cb12a4584c0f (patch)
tree: b9b744e106d688e807ffb31b6a986230034423d5 /ecomp-sdk/epsdk-fw
parent: d63c87226df57e7bd0513f9b17374716197056fa (diff)
5 files changed, 99 insertions, 48 deletions
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/IPortalRestAPIService.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/IPortalRestAPIService.java
index f82e8737..c707d137 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/IPortalRestAPIService.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/IPortalRestAPIService.java
@@ -176,8 +176,7 @@ public interface IPortalRestAPIService {
 	 * @throws PortalAPIException
 	 *             If an unexpected error occurs while processing the request.
 	 */
-	public boolean isAppAuthenticated(HttpServletRequest request) throws PortalAPIException;
-
+	public boolean isAppAuthenticated(HttpServletRequest request, Map<String,String> appCredentials) throws PortalAPIException;
 	/**
 	 * Gets and returns the userId for the logged-in user based on the request. If
 	 * any error occurs, the method should throw PortalApiException with an
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPICentralServiceImpl.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPICentralServiceImpl.java
index d53c0eb6..ab9c608a 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPICentralServiceImpl.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPICentralServiceImpl.java
@@ -48,6 +48,7 @@ import java.util.stream.Collectors;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.onap.portalsdk.core.onboarding.exception.CipherUtilException;
 import org.onap.portalsdk.core.onboarding.exception.PortalAPIException;
 import org.onap.portalsdk.core.onboarding.rest.RestWebServiceClient;
@@ -114,7 +115,7 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService {
 			user = mapper.readValue(responseString, EcompUser.class);
 
 		} catch (IOException e) {
-			String response = "PortalRestAPICentralServiceImpl.getUser failed";
+			String response = "Failed to get user from portal";
 			logger.error(response, e);
 			throw new PortalAPIException(response, e);
 		}
@@ -133,7 +134,7 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService {
 					TypeFactory.defaultInstance().constructCollectionType(List.class, EcompUser.class));
 
 		} catch (IOException e) {
-			String response = "PortalRestAPICentralServiceImpl.getUsers failed";
+			String response = "Failed to get the users from portal";
 			logger.error(response, e);
 			throw new PortalAPIException(response, e);
 		}
@@ -152,7 +153,7 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService {
 					TypeFactory.defaultInstance().constructCollectionType(List.class, EcompRole.class));
 
 		} catch (IOException e) {
-			String response = "PortalRestAPICentralServiceImpl.getRoles failed";
+			String response = "Failed to get Roles from portal";
 			logger.error(response, e);
 			throw new PortalAPIException(response, e);
 		}
@@ -180,7 +181,7 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService {
 			userRoles = (List<EcompRole>) roles.stream().collect(Collectors.toList());
 
 		} catch (IOException e) {
-			String response = "PortalRestAPICentralServiceImpl.getUserRoles failed";
+			String response = "Failed to get user roles from portal";
 			logger.error(response, e);
 			throw new PortalAPIException(response, e);
 		}
@@ -188,10 +189,10 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService {
 	}
 
 	@Override
-	public boolean isAppAuthenticated(HttpServletRequest request) throws PortalAPIException {
+	public boolean isAppAuthenticated(HttpServletRequest request, Map<String,String> appCredentials) throws PortalAPIException {
 		boolean accessAllowed = false;
 		try {
-			accessAllowed = AuthUtil.isAccessAllowed(request, nameSpace);
+			accessAllowed = AuthUtil.isAccessAllowed(request, nameSpace, appCredentials);
 		} catch (Exception e) {
 			logger.error(e);
 		}
@@ -213,4 +214,4 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService {
 		return credentialsMap;
 	}
 
-}
+}
+\ No newline at end of file
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
index 71f66168..29095970 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
@@ -202,7 +202,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 					response.setStatus(HttpServletResponse.SC_OK);
 				} catch (Exception ex) {
 					logger.error("doPost: " + storeAnalyticsContextPath + " caught exception", ex);
-					responseJson = buildJsonResponse(ex);
+					responseJson = buildShortJsonResponse(ex);
 					response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
 				}
 			}
@@ -212,7 +212,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 
 		boolean secure = false;
 		try {
-			secure = isAppAuthenticated(request);
+			secure = isAppAuthenticated(request, getCredentials());
 		} catch (PortalAPIException ex) {
 			logger.error("doPost: isAppAuthenticated threw exception", ex);
 			response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
@@ -282,7 +282,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 					responseJson = buildJsonResponse(true, "user saved successfully");
 					response.setStatus(HttpServletResponse.SC_OK);
 				} catch (Exception ex) {
-					responseJson = buildJsonResponse(ex);
+					responseJson =  buildShortJsonResponse(ex);
 					response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 					logger.error("doPost: pushUser: caught exception", ex);
 				}
@@ -301,7 +301,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 					responseJson = buildJsonResponse(true, "user saved successfully");
 					response.setStatus(HttpServletResponse.SC_OK);
 				} catch (Exception ex) {
-					responseJson = buildJsonResponse(ex);
+					responseJson =  buildShortJsonResponse(ex);
 					response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 					logger.error("doPost: editUser: caught exception", ex);
 				}
@@ -325,7 +325,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 						response.setStatus(HttpServletResponse.SC_OK);
 					}
 				} catch (Exception ex) {
-					responseJson = buildJsonResponse(ex);
+					responseJson = buildShortJsonResponse(ex);
 					response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 					logger.error("doPost: pushUserRole: caught exception", ex);
 				}
@@ -403,7 +403,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 						logger.debug("doGet: " + webAnalyticsContextPath + ": " + responseString);
 					response.setStatus(HttpServletResponse.SC_OK);
 				} catch (Exception ex) {
-					responseString = buildJsonResponse(ex);
+					responseString = buildShortJsonResponse(ex);
 					response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 					logger.error("doGet: " + webAnalyticsContextPath + " caught exception", ex);
 				}
@@ -414,7 +414,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 
 		boolean secure = false;
 		try {
-			secure = isAppAuthenticated(request);
+			secure = isAppAuthenticated(request, getCredentials());
 		} catch (PortalAPIException ex) {
 			logger.error("doGet: isAppAuthenticated threw exception", ex);
 			response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
@@ -452,7 +452,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 				} catch(Exception ex) {
 					String msg = "Failed to get session time outs";
 					logger.error("doGet: " + msg);
-					responseJson = buildJsonResponse(false, msg);
+					responseJson =  buildShortJsonResponse(ex);
 					response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
 				}
 			} else
@@ -478,7 +478,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 					if (logger.isDebugEnabled())
 						logger.debug("doGet: getAvailableRoles: " + responseJson);
 				} catch (Exception ex) {
-					responseJson = buildJsonResponse(ex);
+					responseJson =  buildShortJsonResponse(ex);
 					response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 					logger.error("doGet: getAvailableRoles: caught exception", ex);
 				}
@@ -492,7 +492,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 					if (logger.isDebugEnabled())
 						logger.debug("doGet: getUser: " + responseJson);
 				} catch (Exception ex) {
-					responseJson = buildJsonResponse(ex);
+					responseJson =  buildShortJsonResponse(ex);
 					response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 					logger.error("doGet: getUser: caught exception", ex);
 				}
@@ -507,7 +507,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 					if (logger.isDebugEnabled())
 						logger.debug("doGet: getUserRoles: " + responseJson);
 				} catch (Exception ex) {
-					responseJson = buildJsonResponse(ex);
+					responseJson = buildShortJsonResponse(ex);
 					response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 					logger.error("doGet: getUserRoles: caught exception", ex);
 				}
@@ -573,8 +573,8 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 	}
 
 	@Override
-	public boolean isAppAuthenticated(HttpServletRequest request) throws PortalAPIException {
-		return portalRestApiServiceImpl.isAppAuthenticated(request);
+	public boolean isAppAuthenticated(HttpServletRequest request, Map<String,String> appCredentials) throws PortalAPIException {
+		return portalRestApiServiceImpl.isAppAuthenticated(request, appCredentials);
 	}
 
 	/**
@@ -739,4 +739,4 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 		}
 		return userEcompRoles;
 	}
-}
+}
+\ No newline at end of file
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java
index 14ad234f..e07e4f9d 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java
@@ -39,6 +39,7 @@ package org.onap.portalsdk.core.onboarding.util;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
@@ -89,11 +90,10 @@ public class AuthUtil {
 					return match;
 			}
 		} else {
-			if (portalApiPath.matches(urlPattern))
+			if (urlPattern.equals("*"))
 				return true;
-			else if (urlPattern.equals("*"))
+			else if (portalApiPath.matches(urlPattern))
 				return true;
-
 		}
 		return false;
 	}
@@ -172,25 +172,70 @@ public class AuthUtil {
 	 * @return boolean value if the access is allowed
 	 * @throws PortalAPIException
 	 */
-	public static boolean isAccessAllowed(HttpServletRequest request, String nameSpace) throws PortalAPIException {
-		List<AAFPermission> aafPermsList = getAAFPermissions(request);
-		logger.debug(EELFLoggerDelegate.debugLogger, "Application nameSpace: "+ nameSpace);
-		if (nameSpace.isEmpty()) {
-			throw new PortalAPIException("NameSpace not Declared!");
-		}
-		List<AAFPermission> aafPermsFinalList = getNameSpacesAAFPermissions(nameSpace, aafPermsList);
-		List<String> finalInstanceList = getAllInstances(aafPermsFinalList);
-		String requestUri =	request.getRequestURI().substring(request.getContextPath().length() + 1);
+	public static boolean isAccessAllowed(HttpServletRequest request, String nameSpace, Map<String,String> appCredentials) throws PortalAPIException {
+		
 		boolean isauthorized = false;
-		for (String str : finalInstanceList) {
-			if (!isauthorized)
-				isauthorized = matchPattern(requestUri, str);
-		}
-		logger.debug(EELFLoggerDelegate.debugLogger, "isAccessAllowed for the request uri: "+requestUri + "is"+ isauthorized);
-		if (isauthorized) {
+		try {
+			CadiWrap wrapReq = (CadiWrap) request;
+			List<AAFPermission> aafPermsList = getAAFPermissions(request);
+			logger.debug(EELFLoggerDelegate.debugLogger, "Application nameSpace: " + nameSpace);
+			if (nameSpace.isEmpty()) {
+				throw new PortalAPIException("NameSpace not Declared!");
+			}
+			List<AAFPermission> aafPermsFinalList = getNameSpacesAAFPermissions(nameSpace, aafPermsList);
+			List<String> finalInstanceList = getAllInstances(aafPermsFinalList);
+			finalInstanceList.add("api/v3/timeoutSession");
+			String requestUri = request.getRequestURI().substring(request.getContextPath().length() + 1);
+
+			for (String str : finalInstanceList) {
+				if (!isauthorized)
+					isauthorized = matchPattern(requestUri, str);
+			}
+			logger.debug(EELFLoggerDelegate.debugLogger,
+					"isAccessAllowed for the request uri: " + requestUri + "is" + isauthorized);
+			if (isauthorized) {
+				logger.debug(EELFLoggerDelegate.debugLogger, "Request is Authorized");
+			}
+		} catch (ClassCastException e) {
 			logger.debug(EELFLoggerDelegate.debugLogger,
-					"Request is Authorized");
+					"Given request is not CADI request");
+			
+			if(appCredentials.isEmpty())
+			{
+				logger.debug(EELFLoggerDelegate.debugLogger, "app credentails are empty");
+				return false;
+			}
+			
+			String appUserName = "";
+			String appPassword = "";
+			String appName = "";
+
+			for (Map.Entry<String, String> entry : appCredentials.entrySet()) {
+				if (entry.getKey().equalsIgnoreCase("username")) {
+					appUserName = entry.getValue();
+				} else if (entry.getKey().equalsIgnoreCase("password")) {
+					appPassword = entry.getValue();
+				} else {
+					appName = entry.getValue();
+				}
+			}
+			
+			try {
+				String appUser = request.getHeader("username");
+				String password = request.getHeader("password");
+				
+				if (password.equals(appPassword) && appUserName.equals(appUser)) {
+					isauthorized = true;
+				}
+				logger.debug(EELFLoggerDelegate.debugLogger,
+						"isAccessAllowed for the request " + isauthorized);
+			} catch (Exception e1) {
+				String response = "AuthUtil.isAccessAllowed failed";
+				logger.error(EELFLoggerDelegate.errorLogger, response, e1);
+				throw new PortalAPIException(response, e1);
+			}
 		}
+	
 		return isauthorized;
 	}
 }
 \ No newline at end of file
diff --git a/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxyTest.java b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxyTest.java
index ce1035e7..897f84a1 100644
--- a/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxyTest.java
+++ b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxyTest.java
@@ -44,6 +44,7 @@ import java.lang.reflect.Field;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
 import java.util.HashMap;
+import java.util.Map;
 
 import javax.servlet.ServletException;
 import javax.servlet.ServletInputStream;
@@ -119,7 +120,8 @@ public class PortalRestAPIProxyTest {
         doPost.setAccessible(true);
         doGet = portalRestAPIProxyClass.getDeclaredMethod("doGet", new Class[]{HttpServletRequest.class, HttpServletResponse.class});
         doGet.setAccessible(true);
-        Mockito.when(portalRestAPICentralServiceImpl.isAppAuthenticated(request)).thenReturn(true);
+        Map<String,String> appCredentials = new HashMap<>();
+        Mockito.when(portalRestAPICentralServiceImpl.isAppAuthenticated(request,appCredentials)).thenReturn(true);
 	}
 	
 	@Test(expected=ServletException.class)
@@ -203,14 +205,16 @@ public class PortalRestAPIProxyTest {
 
 	@Test
 	public void testDoPost_WhenIsAppAuthenticatedIsFalse() throws Exception {
-		Mockito.when(portalRestAPICentralServiceImpl.isAppAuthenticated(request)).thenReturn(false);
+        Map<String,String> appCredentials = new HashMap<>();
+		Mockito.when(portalRestAPICentralServiceImpl.isAppAuthenticated(request,appCredentials)).thenReturn(false);
 		Mockito.when(request.getRequestURI()).thenReturn("");
 	    doPost.invoke(portalRestAPIProxyObj, new Object[] {request, response});
 	}
 	
 	@Test
 	public void testDoPost_WhenIsAppAuthenticatedThrowException() throws Exception {
-		Mockito.when(portalRestAPICentralServiceImpl.isAppAuthenticated(request)).thenThrow(new PortalAPIException());
+		  Map<String,String> appCredentials = new HashMap<>();
+		Mockito.when(portalRestAPICentralServiceImpl.isAppAuthenticated(request,appCredentials)).thenThrow(new PortalAPIException());
 		Mockito.when(request.getRequestURI()).thenReturn("");
 	    doPost.invoke(portalRestAPIProxyObj, new Object[] {request, response});
 	}
@@ -285,15 +289,17 @@ public class PortalRestAPIProxyTest {
 
 	@Test
 	public void testDoGet_WhenIsAppAuthenticatedIsFalse() throws Exception {
-		Mockito.when(portalRestAPICentralServiceImpl.isAppAuthenticated(request)).thenReturn(false);
+		Map<String,String> appCredentials = new HashMap<>();
+		Mockito.when(portalRestAPICentralServiceImpl.isAppAuthenticated(request,appCredentials)).thenReturn(false);
 		Mockito.when(request.getRequestURI()).thenReturn("");
 	    doGet.invoke(portalRestAPIProxyObj, new Object[] {request, response});
 	}
 	
 	@Test
 	public void testDoGet_WhenIsAppAuthenticatedThrowException() throws Exception {
-		Mockito.when(portalRestAPICentralServiceImpl.isAppAuthenticated(request)).thenThrow(new PortalAPIException());
+		Map<String,String> appCredentials = new HashMap<>();
+		Mockito.when(portalRestAPICentralServiceImpl.isAppAuthenticated(request,appCredentials)).thenThrow(new PortalAPIException());
 		Mockito.when(request.getRequestURI()).thenReturn("");
 	    doGet.invoke(portalRestAPIProxyObj, new Object[] {request, response});
 	}
-}
+}
+\ No newline at end of file
author	Kotta, Shireesha (sk434m) <sk434m@att.com>	2019-06-28 15:27:29 -0400
committer	Kotta, Shireesha (sk434m) <sk434m@att.com>	2019-06-28 15:27:29 -0400
commit	179ff1eb0c1ac9eef4d152c47df5cb12a4584c0f (patch)
tree	b9b744e106d688e807ffb31b6a986230034423d5 /ecomp-sdk/epsdk-fw
parent	d63c87226df57e7bd0513f9b17374716197056fa (diff)