Diffstat (limited to 'ecomp-sdk/epsdk-app-common/src')
11 files changed, 237 insertions, 177 deletions
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/ProfileSearchController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/ProfileSearchController.java
index f5d37e2b..a94c3b46 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/ProfileSearchController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/ProfileSearchController.java
@@ -50,10 +50,12 @@ import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import org.json.JSONObject;
+import org.onap.portalsdk.core.auth.LoginStrategy;
 import org.onap.portalsdk.core.controller.RestrictedBaseController;
 import org.onap.portalsdk.core.domain.MenuData;
 import org.onap.portalsdk.core.domain.User;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.onboarding.exception.PortalAPIException;
 import org.onap.portalsdk.core.service.FnMenuService;
 import org.onap.portalsdk.core.service.UserProfileService;
 import org.onap.portalsdk.core.service.UserService;
@@ -83,6 +85,9 @@ public class ProfileSearchController extends RestrictedBaseController {
 @Autowired
 private FnMenuService fnMenuService;
+
+ @Autowired
+ private LoginStrategy loginStrategy;
 @RequestMapping(value = { "/profile_search" }, method = RequestMethod.GET)
 public ModelAndView profileSearch(HttpServletRequest request) {
@@ -103,11 +108,21 @@ public class ProfileSearchController extends RestrictedBaseController {
 @RequestMapping(value = { "/get_user" }, method = RequestMethod.GET)
 public void getUser(HttpServletRequest request, HttpServletResponse response) {
 logger.info(EELFLoggerDelegate.applicationLogger, "Initiating get_user in ProfileSearchController");
+ String userId = "";
+ try {
+ userId = loginStrategy.getUserId(request);
+ } catch (PortalAPIException e1) {
+ logger.error(EELFLoggerDelegate.applicationLogger, "No User found in request", e1);
+ }
+
+ final String requestedUserId = userId;
 ObjectMapper mapper = new ObjectMapper();
 List<User> profileList = null;
 try {
 profileList = service.findAll();
- JsonMessage msg = new JsonMessage(mapper.writeValueAsString(profileList));
+ User user = profileList.stream()
+ .filter(x -> x.getOrgUserId().equals(requestedUserId)).findAny().orElse(null);
+ JsonMessage msg = new JsonMessage(mapper.writeValueAsString(user));
 JSONObject j = new JSONObject(msg);
 response.setContentType(APPLICATION_JSON);
 response.getWriter().write(j.toString());
@@ -180,4 +195,4 @@ public class ProfileSearchController extends RestrictedBaseController {
 logger.error(EELFLoggerDelegate.applicationLogger, "toggleProfileActive failed", e);
 }
 }
-}
+}
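Review bot: The lambda `x -> x.getOrgUserId().equals(requestedUserId)` throws a NullPointerException for any stored user whose orgUserId is null, which turns the lookup into a failed request for every caller; invert it to `x -> requestedUserId.equals(x.getOrgUserId())`. When `loginStrategy.getUserId` throws (or returns null), `userId` is left as `""` and the lookup still runs, writing `null` — or the profile of a user with an empty orgUserId, if one exists — with a success status; bail out after the catch instead, e.g. `if (userId == null || userId.isEmpty()) { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); return; }`. Fetching every profile through `service.findAll()` to pick one is also more data than this endpoint needs, so a by-id lookup on the service, if one exists, would be preferable. getUser's catch block and closing brace lie outside the hunk.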
\ No newline at end of file
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleFunctionListController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleFunctionListController.java
index 699e83ca..4ac5f37a 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleFunctionListController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleFunctionListController.java
@@ -67,6 +67,7 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 public class RoleFunctionListController extends RestrictedBaseController {
 private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(RoleFunctionListController.class);
+ private static final String SUCCESS = "SUCCESS";
 @Autowired
 private RoleService service;
@@ -117,7 +118,7 @@ public class RoleFunctionListController extends RestrictedBaseController {
 RoleFunction domainRoleFunction = service.getRoleFunction(user.getOrgUserId(), code);
 domainRoleFunction.setName(availableRoleFunction.getName());
 domainRoleFunction.setCode(code);
- restCallStatus = "success";
+ restCallStatus = SUCCESS;
 service.saveRoleFunction(user.getOrgUserId(), domainRoleFunction);
 } catch (Exception e) {
 logger.error(EELFLoggerDelegate.errorLogger, "saveRoleFunction failed", e);
@@ -141,7 +142,7 @@ public class RoleFunctionListController extends RestrictedBaseController {
 RoleFunction availableRoleFunction = mapper.readValue(data, RoleFunction.class);
 String code = availableRoleFunction.getCode();
 List<RoleFunction> currentRoleFunction = service.getRoleFunctions(user.getOrgUserId());
- restCallStatus = "success";
+ restCallStatus = SUCCESS;
 for (RoleFunction roleF : currentRoleFunction) {
 if (roleF.getCode().equals(code)) {
 restCallStatus = "code exists";
@@ -177,7 +178,7 @@ public class RoleFunctionListController extends RestrictedBaseController {
 service.deleteRoleFunction(user.getOrgUserId(), domainRoleFunction);
 logger.info(EELFLoggerDelegate.auditLogger, "Remove role function " + domainRoleFunction.getName());
- restCallStatus = "success";
+ restCallStatus = SUCCESS;
 } catch (Exception e) {
 logger.error(EELFLoggerDelegate.errorLogger, "removeRoleFunction failed", e);
 throw new IOException(e);
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/UsageListController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/UsageListController.java
index 04c1f2bc..fabc06bf 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/UsageListController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/UsageListController.java
@@ -65,6 +65,8 @@ public class UsageListController extends RestrictedBaseController {
 private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(UsageListController.class);
+ private static final String ACTIVE_USERS = "activeUsers";
+
 private void addUsers2jsonArray(JSONArray ja,HashMap activeUsers,String httpSessionId) {
 List<UserRowBean> rows = UsageUtils.getActiveUsers(activeUsers);
@@ -96,10 +98,10 @@ public class UsageListController extends RestrictedBaseController {
 Map<String, Object> model = new HashMap<>();
 HttpSession httpSession = request.getSession();
- HashMap activeUsers = (HashMap) httpSession.getServletContext().getAttribute("activeUsers");
+ HashMap activeUsers = (HashMap) httpSession.getServletContext().getAttribute(ACTIVE_USERS);
 if (activeUsers.size() == 0) {
 activeUsers.put(httpSession.getId(), httpSession);
- httpSession.getServletContext().setAttribute("activeUsers", activeUsers);
+ httpSession.getServletContext().setAttribute(ACTIVE_USERS, activeUsers);
 }
 JSONArray ja = new JSONArray();
@@ -119,10 +121,10 @@ public class UsageListController extends RestrictedBaseController {
 public void getUsageList(HttpServletRequest request, HttpServletResponse response) {
 HttpSession httpSession = request.getSession();
- HashMap activeUsers = (HashMap) httpSession.getServletContext().getAttribute("activeUsers");
+ HashMap activeUsers = (HashMap) httpSession.getServletContext().getAttribute(ACTIVE_USERS);
 if (activeUsers.size() == 0) {
 activeUsers.put(httpSession.getId(), httpSession);
- httpSession.getServletContext().setAttribute("activeUsers", activeUsers);
+ httpSession.getServletContext().setAttribute(ACTIVE_USERS, activeUsers);
 }
 JSONArray ja = new JSONArray();
 try {
@@ -144,7 +146,7 @@ public class UsageListController extends RestrictedBaseController {
 @SuppressWarnings("rawtypes")
 @RequestMapping(value = { "/usage_list/removeSession" }, method = RequestMethod.GET)
 public void removeSession(HttpServletRequest request, HttpServletResponse response) throws IOException {
- HashMap activeUsers = (HashMap) request.getSession().getServletContext().getAttribute("activeUsers");
+ HashMap activeUsers = (HashMap) request.getSession().getServletContext().getAttribute(ACTIVE_USERS);
 UserRowBean data = new UserRowBean();
 data.setSessionId(request.getParameter("deleteSessionId"));
 UsageUtils.getActiveUsersAfterDelete(activeUsers, data);
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/CollaborationController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/CollaborationController.java
index 93a6f74f..18cd6a6a 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/CollaborationController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/CollaborationController.java
@@ -56,7 +56,7 @@ public class CollaborationController extends RestrictedBaseController{ @RequestMapping(value = {"/collaboration" }, method = RequestMethod.GET) public ModelAndView view(HttpServletRequest request) { - Map<String, Object> model = new HashMap<String, Object>(); + Map<String, Object> model = new HashMap<>(); User user = UserUtils.getUserSession(request); model.put("name",(user.getFirstName() + " " + (user.getLastName() != null? user.getLastName().substring(0,1): "" ))); @@ -64,7 +64,7 @@ public class CollaborationController extends RestrictedBaseController{ } @RequestMapping(value = {"/openCollaboration" }, method = RequestMethod.GET) public ModelAndView openCollaboration(HttpServletRequest request) { - Map<String, Object> model = new HashMap<String, Object>(); + Map<String, Object> model = new HashMap<>(); User user = UserUtils.getUserSession(request); model.put("name",(user.getFirstName() + " " + (user.getLastName() != null? user.getLastName().substring(0,1): "" ))); diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/NetMapController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/NetMapController.java index 38ae6ee8..f3f739f4 100644 --- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/NetMapController.java +++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/NetMapController.java @@ -58,7 +58,7 @@ public class NetMapController extends RestrictedBaseController { @RequestMapping(value = { "/net_map" }, method = RequestMethod.GET) public ModelAndView plot(HttpServletRequest request) { - Map<String, Object> model = new HashMap<String, Object>(); + Map<String, Object> model = new HashMap<>(); model.put("frame_int", "net_map_int"); // This view resolves to page frame_insert.jsp return new ModelAndView("frame_insert", model); 
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/PostDroolsController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/PostDroolsController.java index 43d548f9..cf7fa06a 100644 --- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/PostDroolsController.java +++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/PostDroolsController.java @@ -109,7 +109,7 @@ public class PostDroolsController extends RestrictedBaseController { } @RequestMapping(value = { "/post_drools/execute" }, method = RequestMethod.POST) - public ModelAndView search(HttpServletRequest request, HttpServletResponse response) throws Exception { + public ModelAndView search(HttpServletRequest request, HttpServletResponse response) { try { ObjectMapper mapper = new ObjectMapper(); mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/SamplePageController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/SamplePageController.java index 26a4e444..5adaf66e 100644 --- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/SamplePageController.java +++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/SamplePageController.java @@ -58,10 +58,8 @@ public class SamplePageController extends RestrictedBaseController { @RequestMapping(value = { "/samplePage" }, method = RequestMethod.GET) public ModelAndView plot(HttpServletRequest request) { - Map<String, Object> model = new HashMap<String, Object>(); - /*model.put("frame_int", "net_map_int"); - // This view resolves to page frame_insert.jsp - return new ModelAndView("frame_insert", model);*/ + Map<String, Object> model = new HashMap<>(); + return new ModelAndView("samplePage", "model", model); } 
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/service/OnBoardingApiServiceImpl.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/service/OnBoardingApiServiceImpl.java index acf94bae..e2875125 100644 --- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/service/OnBoardingApiServiceImpl.java +++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/service/OnBoardingApiServiceImpl.java @@ -193,7 +193,7 @@ public class OnBoardingApiServiceImpl implements IPortalRestAPIService, IPortalR user.setRoles(roles); saveUserExtension(user); } catch (Exception e) { - String response = "OnboardingApiService.pushUser failed"; + String response = "Failed to save user"; logger.error(EELFLoggerDelegate.errorLogger, response, e); throw new PortalAPIException(response, e); } finally { @@ -276,7 +276,7 @@ public class OnBoardingApiServiceImpl implements IPortalRestAPIService, IPortalR editUserExtension(domainUser); } catch (Exception e) { - String response = "OnboardingApiService.editUser failed"; + String response = "Failed to edit the user"; logger.error(EELFLoggerDelegate.errorLogger, response, e); throw new PortalAPIException(response, e); } finally { @@ -311,7 +311,7 @@ public class OnBoardingApiServiceImpl implements IPortalRestAPIService, IPortalR } else return UserUtils.convertToEcompUser(user); } catch (Exception e) { - String response = "OnboardingApiService.getUser failed"; + String response = "failed to fetch the user"; logger.error(EELFLoggerDelegate.errorLogger, response, e); return null; // Unfortunately, Portal is not ready to accept proper error response 
@@ -346,7 +346,7 @@ public class OnBoardingApiServiceImpl implements IPortalRestAPIService, IPortalR return ecompUsers; } } catch (Exception e) { - String response = "OnboardingApiService.getUsers failed"; + String response = "failed to fetch users"; logger.error(EELFLoggerDelegate.errorLogger, response, e); if (usersList.isEmpty()) { throw new PortalAPIException("Application is Inactive"); @@ -365,7 +365,7 @@ public class OnBoardingApiServiceImpl implements IPortalRestAPIService, IPortalR ecompRoles.add(UserUtils.convertToEcompRole(role)); return ecompRoles; } catch (Exception e) { - String response = "OnboardingApiService.getAvailableRoles failed"; + String response = "Failed to fetch role"; logger.error(EELFLoggerDelegate.errorLogger, response, e); throw new PortalAPIException(response, e); } @@ -406,7 +406,7 @@ public class OnBoardingApiServiceImpl implements IPortalRestAPIService, IPortalR // After successful creation, call admin auth extension saveUserRoleExtension(roles,user); } catch (Exception e) { - String response = "OnboardingApiService.pushUserRole failed"; + String response = "Failed to push userRole"; logger.error(EELFLoggerDelegate.errorLogger, response, e); throw new PortalAPIException(response, e); } finally { @@ -449,7 +449,7 @@ public class OnBoardingApiServiceImpl implements IPortalRestAPIService, IPortalR } return ecompRoles; } catch (Exception e) { - String response = "OnboardingApiService.getUserRoles failed"; + String response = "Failed to fetch user roles"; logger.error(EELFLoggerDelegate.errorLogger, response, e); throw new PortalAPIException(response, e); } 
@@ -481,12 +481,33 @@ public class OnBoardingApiServiceImpl implements IPortalRestAPIService, IPortalR
 }
 @Override
- public boolean isAppAuthenticated(HttpServletRequest request) throws PortalAPIException {
- WebServiceCallService securityService = AppContextManager.getAppContext().getBean(WebServiceCallService.class);
+ public boolean isAppAuthenticated(HttpServletRequest request, Map<String,String> appCredentials) throws PortalAPIException {
+ if(appCredentials.isEmpty())
+ {
+ logger.debug(EELFLoggerDelegate.debugLogger, "app credentails are empty");
+ return false;
+ }
+ String appUserName = "";
+ String appPassword = "";
+ String appName = "";
+
+ for (Map.Entry<String, String> entry : appCredentials.entrySet()) {
+ if (entry.getKey().equalsIgnoreCase("username")) {
+ appUserName = entry.getValue();
+ } else if (entry.getKey().equalsIgnoreCase("password")) {
+ appPassword = entry.getValue();
+ } else {
+ appName = entry.getValue();
+ }
+ }
+
 try {
 String appUser = request.getHeader("username");
 String password = request.getHeader("password");
- return securityService.verifyRESTCredential(null, appUser, password);
+ if (password.equals(appPassword) && appUserName.equals(appUser)) {
+ return true;
+ }
+ return false;
 } catch (Exception e) {
 String response = "OnboardingApiService.isAppAuthenticated failed";
 logger.error(EELFLoggerDelegate.errorLogger, response, e);
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
index 8a2cf3e7..ef53d16e 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
@@ -33,7 +33,7 @@
 *
 * ============LICENSE_END============================================
 *
- *
+ *
 */
 package org.onap.portalapp.util;
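Review bot: The new credential check `password.equals(appPassword) && appUserName.equals(appUser)` compares a secret with `String.equals`, which stops at the first differing byte and short-circuits on a username mismatch, so response timing leaks how much of the configured password a caller has guessed; compare with `MessageDigest.isEqual` and combine the two results with `&` so both checks always run (the byte lengths still leak, which `isEqual` cannot hide). A request without a `password` header also reaches `password.equals(...)` as a NullPointerException that only the generic `catch (Exception e)` sees, turning a routine missing-header case into a logged error, and a credentials map whose `password` entry is `""` authenticates any request that sends an empty header; the replacement below rejects both up front. This also replaces `verifyRESTCredential`, which presumably checked against a stored credential, with a plaintext comparison of two configuration values, so the caller that builds `appCredentials` must never load them from a user-controlled source. `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` need importing; the catch body and the method's closing brace continue outside the hunk.
```java
        try {
            String appUser = request.getHeader("username");
            String password = request.getHeader("password");
            // Missing headers or an unconfigured credential never authenticate.
            if (appUser == null || password == null || appUserName.isEmpty() || appPassword.isEmpty()) {
                return false;
            }
            // MessageDigest.isEqual takes time independent of where the inputs differ; '&' rather than
            // '&&' keeps the password comparison from being skipped when the username already mismatched.
            boolean userMatches = MessageDigest.isEqual(
                    appUserName.getBytes(StandardCharsets.UTF_8), appUser.getBytes(StandardCharsets.UTF_8));
            boolean passwordMatches = MessageDigest.isEqual(
                    appPassword.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8));
            return userMatches & passwordMatches;
        } catch (Exception e) {
            // … unchanged: error logging …
```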
@@ -42,7 +42,6 @@ import java.util.List;
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.regex.Pattern;
-
 import org.apache.commons.lang.NotImplementedException;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang3.StringEscapeUtils;
@@ -51,157 +50,162 @@ import org.onap.portalsdk.core.util.SystemProperties; import org.owasp.esapi.ESAPI; import org.owasp.esapi.codecs.Codec; import org.owasp.esapi.codecs.MySQLCodec; -import org.owasp.esapi.codecs.OracleCodec; import org.owasp.esapi.codecs.MySQLCodec.Mode; +import org.owasp.esapi.codecs.OracleCodec; public class SecurityXssValidator { - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class); - - private static final String MYSQL_DB = "mysql"; - private static final String ORACLE_DB = "oracle"; - private static final String MARIA_DB = "mariadb"; - private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL; - - static SecurityXssValidator validator = null; - private static Codec instance; - private static final Lock lock = new ReentrantLock(); - - public static SecurityXssValidator getInstance() { - - if (validator == null) { - lock.lock(); - try { - if (validator == null) - validator = new SecurityXssValidator(); - } finally { - lock.unlock(); - } - } - return validator; - } + private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class); - private SecurityXssValidator() { - // Avoid anything between script tags - XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS)); + private static final String MYSQL_DB = "mysql"; + private static final String ORACLE_DB = "oracle"; + private static final String MARIA_DB = "mariadb"; + private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL; - // avoid iframes - XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS)); + static SecurityXssValidator validator = null; + private static Codec instance; + private static final Lock lock = new ReentrantLock(); - // Avoid anything in a src='...' 
type of expression - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS)); + private List<Pattern> xssInputPatterns = new ArrayList<>(); - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS)); + private SecurityXssValidator() { + // Avoid anything between script tags + xssInputPatterns.add(Pattern.compile("<script>(.*?)</script>", FLAGS)); - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS)); + // avoid iframes + xssInputPatterns.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS)); - // Remove any lonesome </script> tag - XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS)); + // Avoid anything in a src='...' type of expression + xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS)); - XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS)); + xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS)); - XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS)); + xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS)); - // Remove any lonesome <script ...> tag - XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS)); + // Remove any lonesome </script> tag + xssInputPatterns.add(Pattern.compile("</script>", FLAGS)); - // Avoid eval(...) expressions - XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS)); + xssInputPatterns.add(Pattern.compile(".*(<script>|</script>).*", FLAGS)); - // Avoid expression(...) expressions - XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS)); + xssInputPatterns.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS)); - // Avoid javascript:... 
expressions - XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS)); + // Remove any lonesome <script ...> tag + xssInputPatterns.add(Pattern.compile("<script(.*?)>", FLAGS)); - // Avoid onload= expressions - XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS)); - } + // Avoid eval(...) expressions + xssInputPatterns.add(Pattern.compile("eval\\((.*?)\\)", FLAGS)); - private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>(); + // Avoid expression(...) expressions + xssInputPatterns.add(Pattern.compile("expression\\((.*?)\\)", FLAGS)); - /** - * * This method takes a string and strips out any potential script injections. - * - * @param value - * @return String - the new "sanitized" string. - */ - public String stripXSS(String value) { + // Avoid javascript:... expressions + xssInputPatterns.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS)); - try { + // Avoid onload= expressions + xssInputPatterns.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS)); + } - if (StringUtils.isNotBlank(value)) { + public static SecurityXssValidator getInstance() { - value = StringEscapeUtils.escapeHtml4(value); + if (validator == null) { + lock.lock(); + try { + if (validator == null) { + validator = new SecurityXssValidator(); + } + } finally { + lock.unlock(); + } + } - value = ESAPI.encoder().canonicalize(value); + return validator; + } - // Avoid null characters - value = value.replaceAll("\0", ""); + /** + * * This method takes a string and strips out any potential script injections. + * + * @return String - the new "sanitized" string. 
+ */ + public String stripXSS(String value) { - for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) { - value = xssInputPattern.matcher(value).replaceAll(""); - } - } + try { - } catch (Exception e) { - logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e); - } + if (StringUtils.isNotBlank(value)) { - return value; - } + value = StringEscapeUtils.escapeHtml4(value); - public Boolean denyXSS(String value) { - Boolean flag = Boolean.FALSE; - try { - if (StringUtils.isNotBlank(value)) { - value = ESAPI.encoder().canonicalize(value); - for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) { - if (xssInputPattern.matcher(value).matches()) { - flag = Boolean.TRUE; - break; - } + value = ESAPI.encoder().canonicalize(value); - } - } + // Avoid null characters + value = value.replaceAll("\0", ""); - } catch (Exception e) { - logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e); - } + for (Pattern xssInputPattern : xssInputPatterns) { + value = xssInputPattern.matcher(value).replaceAll(""); + } + } - return flag; - } + } catch (Exception e) { + logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e); + } - public Codec getCodec() { - try { - if (null == instance) { - if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB) - || StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), - MARIA_DB)) { - instance = new MySQLCodec(Mode.STANDARD); + return value; + } - } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), - ORACLE_DB)) { - instance = new OracleCodec(); - } else { - throw new NotImplementedException("Handling for data base \"" - + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented."); - } - } + public Boolean denyXSS(String value) { + Boolean flag = Boolean.FALSE; + try { + if (StringUtils.isBlank(value)) + return flag; - } catch (Exception ex) { - 
logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex); - } - return instance; + value = ESAPI.encoder().canonicalize(value); + for (Pattern xssInputPattern : xssInputPatterns) { + if (xssInputPattern.matcher(value).matches()) { + flag = Boolean.TRUE; + break; + } + } - } + } catch (Exception e) { + logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e); + } - public List<Pattern> getXSS_INPUT_PATTERNS() { - return XSS_INPUT_PATTERNS; - } + return flag; + } - public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) { - XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS; - } + public Codec getCodec() { + try { + if (null == instance) { + if (StringUtils + .containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB) + || StringUtils + .containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), + MARIA_DB)) { + instance = new MySQLCodec(Mode.STANDARD); + + } else if (StringUtils + .containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), + ORACLE_DB)) { + instance = new OracleCodec(); + } else { + throw new NotImplementedException("Handling for data base \"" + + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + + "\" not yet implemented."); + } + } + + } catch (Exception ex) { + logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex); + } + return instance; + + } + + public List<Pattern> getXssInputPatterns() { + return xssInputPatterns; + } + + public void setXssInputPatterns(List<Pattern> xssInputPatterns) { + this.xssInputPatterns = xssInputPatterns; + } }
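Review bot: `denyXSS` tests each pattern with `matcher(value).matches()`, which only succeeds when the entire input is the pattern, so every pattern not wrapped in `.*…*` (`eval\((.*?)\)`, `expression\((.*?)\)`, `<script(.*?)>`, the three `src=` forms, `<iframe(.*?)>(.*?)</iframe>`) never fires on a payload embedded in longer text and `denyXSS("a=eval(1)")` stays false; change that line to `if (xssInputPattern.matcher(value).find()) {`. In `stripXSS`, `StringEscapeUtils.escapeHtml4` is immediately followed by `ESAPI.encoder().canonicalize`, which as far as I can tell decodes the HTML entities just produced, so the escaping is undone before the regex pass and the returned value is not HTML-escaped — either drop the escape or move it after the pattern loop, and document which one the callers rely on. The list is a denylist that still misses `onerror=`/`onclick=` handlers and `<img>`/`<svg>` vectors, so this class should be documented as defence in depth behind context-aware output encoding, not as the control. Note also that the public `getXSS_INPUT_PATTERNS`/`setXSS_INPUT_PATTERNS` are renamed, which breaks external callers, and the setter lets any caller replace the singleton's shared pattern list at runtime; returning `Collections.unmodifiableList(xssInputPatterns)` and dropping the setter would close that.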
\ No newline at end of file
diff --git a/ecomp-sdk/epsdk-app-common/src/test/java/org/onap/portalapp/controller/core/ProfileSearchControllerTest.java b/ecomp-sdk/epsdk-app-common/src/test/java/org/onap/portalapp/controller/core/ProfileSearchControllerTest.java
index c9bdc896..cc672156 100644
--- a/ecomp-sdk/epsdk-app-common/src/test/java/org/onap/portalapp/controller/core/ProfileSearchControllerTest.java
+++ b/ecomp-sdk/epsdk-app-common/src/test/java/org/onap/portalapp/controller/core/ProfileSearchControllerTest.java
@@ -55,7 +55,9 @@ import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
 import org.onap.portalapp.framework.MockitoTestSuite;
+import org.onap.portalsdk.core.auth.LoginStrategy;
 import org.onap.portalsdk.core.domain.User;
+import org.onap.portalsdk.core.onboarding.exception.PortalAPIException;
 import org.onap.portalsdk.core.restful.client.SharedContextRestClient;
 import org.onap.portalsdk.core.service.RoleService;
 import org.onap.portalsdk.core.service.UserProfileService;
@@ -79,6 +81,9 @@ public class ProfileSearchControllerTest {
 @Mock
 private SharedContextRestClient sharedContextRestClient;
+
+ @Mock
+ LoginStrategy loginStrategy;
 @Before
 public void setup() {
@@ -115,18 +120,27 @@ public class ProfileSearchControllerTest {
 }
 @Test
- public void getUserTest() throws IOException{
- List<User> profileList = null;
+ public void getUserTest() throws IOException, PortalAPIException{
+ List<User> profileList = new ArrayList<>();
+ User user = new User();
+ user.setOrgUserId("test");
 StringWriter sw = new StringWriter();
 PrintWriter writer = new PrintWriter(sw);
+ Mockito.when(loginStrategy.getUserId(mockedRequest)).thenReturn("test");
 Mockito.when(mockedResponse.getWriter()).thenReturn(writer);
 Mockito.when(service.findAll()).thenReturn(profileList);
 profileSearchController.getUser(mockedRequest, mockedResponse);
 }
 @Test
- public void getUserExceptionTest(){
+ public void getUserExceptionTest() throws IOException, PortalAPIException{
 List<User> profileList = null;
+ User user = new User();
+ user.setOrgUserId("test");
+ StringWriter sw = new StringWriter();
+ PrintWriter writer = new PrintWriter(sw);
+ Mockito.when(loginStrategy.getUserId(mockedRequest)).thenReturn("test");
+ Mockito.when(mockedResponse.getWriter()).thenReturn(writer);
 Mockito.when(service.findAll()).thenReturn(profileList);
 profileSearchController.getUser(mockedRequest, mockedResponse);
 }
@@ -167,4 +181,4 @@ public class ProfileSearchControllerTest {
 public void toggleProfileActiveExceptionTest() throws IOException{
 profileSearchController.toggleProfileActive(mockedRequest, mockedResponse);
 }
-}
+}
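Review bot: Neither `getUserTest` nor `getUserExceptionTest` asserts anything, and the `user` built with orgUserId `"test"` is never added to `profileList`, so the new filter is only exercised against an empty list (and, in the second test, against `null`, where `profileList.stream()` throws and is presumably swallowed by the controller's catch). Add `profileList.add(user);` before the stubs and check what reached the writer, e.g. `Assert.assertTrue(sw.toString().contains("test"));` (assuming JUnit's `Assert` is available here as it is in OnBoardingApiServiceImplTest), and in the exception test assert that no profile payload was written. As written both tests keep passing if the endpoint goes back to returning every profile.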
\ No newline at end of file
diff --git a/ecomp-sdk/epsdk-app-common/src/test/java/org/onap/portalapp/service/OnBoardingApiServiceImplTest.java b/ecomp-sdk/epsdk-app-common/src/test/java/org/onap/portalapp/service/OnBoardingApiServiceImplTest.java
index a10572a2..9d5e4fea 100644
--- a/ecomp-sdk/epsdk-app-common/src/test/java/org/onap/portalapp/service/OnBoardingApiServiceImplTest.java
+++ b/ecomp-sdk/epsdk-app-common/src/test/java/org/onap/portalapp/service/OnBoardingApiServiceImplTest.java
@@ -39,6 +39,7 @@ package org.onap.portalapp.service;
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -223,16 +224,16 @@ public class OnBoardingApiServiceImplTest {
 Assert.assertNotNull(users);
 }
- @Test(expected = PortalAPIException.class)
- public void getUsersExceptionTest() throws Exception {
- PowerMockito.mockStatic(PortalApiProperties.class);
- Mockito.when(PortalApiProperties.getProperty(PortalApiConstants.ROLE_ACCESS_CENTRALIZED)).thenReturn("local");
- OnBoardingApiServiceImpl onBoardingApiServiceImpl = new OnBoardingApiServiceImpl();
-
- String responseString = " { [ {\"firstName\":\"Name\"} ] }";
- Mockito.when(restApiRequestBuilder.getViaREST("/v3/users", true, null)).thenReturn(responseString);
- onBoardingApiServiceImpl.getUsers();
- }
+// @Test(expected = PortalAPIException.class)
+// public void getUsersExceptionTest() throws Exception {
+// PowerMockito.mockStatic(PortalApiProperties.class);
+// Mockito.when(PortalApiProperties.getProperty(PortalApiConstants.ROLE_ACCESS_CENTRALIZED)).thenReturn("local");
+// OnBoardingApiServiceImpl onBoardingApiServiceImpl = new OnBoardingApiServiceImpl();
+//
+// String responseString = " { [ {\"firstName\":\"Name\"} ] }";
+// Mockito.when(restApiRequestBuilder.getViaREST("/v3/users", true, null)).thenReturn(responseString);
+// onBoardingApiServiceImpl.getUsers();
+// }
 @Test
 public void getAvailableRolesTest() throws Exception {
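Review bot: `getUsersExceptionTest` is commented out rather than fixed or deleted, which silently drops the only coverage of getUsers' failure path while leaving dead code in the file; the production catch in the OnBoardingApiServiceImpl hunk at -346 still throws `PortalAPIException("Application is Inactive")` when the user list is empty, so the test can be pointed at that path instead. The same applies to `getUserRolesExceptionTest` in the next hunk. If a test is genuinely obsolete it should be removed outright, with the reason recorded in the commit message.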
@@ -340,19 +341,19 @@ public class OnBoardingApiServiceImplTest {
 Assert.assertNotNull(ecompRoles);
 }
- @Test(expected = org.onap.portalsdk.core.onboarding.exception.PortalAPIException.class)
- public void getUserRolesExceptionTest() throws Exception {
- String loginId = "123";
- Mockito.when(restApiRequestBuilder.getViaREST("/v3/user/" + loginId, true, loginId)).thenThrow(IOException.class);
- OnBoardingApiServiceImpl onBoardingApiServiceImpl = new OnBoardingApiServiceImpl();
- onBoardingApiServiceImpl.getUserRoles(loginId);
- }
+// @Test(expected = org.onap.portalsdk.core.onboarding.exception.PortalAPIException.class)
+// public void getUserRolesExceptionTest() throws Exception {
+// String loginId = "123";
+// Mockito.when(restApiRequestBuilder.getViaREST("/v3/user/" + loginId, true, loginId)).thenThrow(IOException.class);
+// OnBoardingApiServiceImpl onBoardingApiServiceImpl = new OnBoardingApiServiceImpl();
+// onBoardingApiServiceImpl.getUserRoles(loginId);
+// }
 @Test
 public void isAppAuthenticatedTest() throws Exception {
 HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- String userName = "UserName";
- String password = "Password";
+ String userName = "test";
+ String password = "test";
 Mockito.when(request.getHeader("username")).thenReturn(userName);
 Mockito.when(request.getHeader("password")).thenReturn(password);
@@ -362,23 +363,27 @@ public class OnBoardingApiServiceImplTest { Mockito.when(appContext.getBean(WebServiceCallService.class)).thenReturn(webService); Mockito.when(webService.verifyRESTCredential(null, userName, password)).thenReturn(true); OnBoardingApiServiceImpl onBoardingApiServiceImpl = new OnBoardingApiServiceImpl(); - boolean status = onBoardingApiServiceImpl.isAppAuthenticated(request); + Map<String,String> appCreds = new HashMap<>(); + appCreds.put("username", "test"); + appCreds.put("password", "test"); + boolean status = onBoardingApiServiceImpl.isAppAuthenticated(request,appCreds); Assert.assertTrue(status); } - @Test(expected =PortalAPIException.class) + @Test public void isAppAuthenticatedExceptionTest() throws Exception { HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - String userName = "UserName"; - String password = "Password"; + String userName = "test"; + String password = "Password1"; Mockito.when(request.getHeader("username")).thenReturn(userName); Mockito.when(request.getHeader("password")).thenReturn(password); - - ApplicationContext appContext = Mockito.mock(ApplicationContext.class); - Mockito.when(AppContextManager.getAppContext()).thenReturn(appContext); - Mockito.when(appContext.getBean(WebServiceCallService.class)).thenReturn(null); + OnBoardingApiServiceImpl onBoardingApiServiceImpl = new OnBoardingApiServiceImpl(); - onBoardingApiServiceImpl.isAppAuthenticated(request); + Map<String,String> appCreds = new HashMap<>(); + appCreds.put("username", "test"); + appCreds.put("password", "test1"); + onBoardingApiServiceImpl.isAppAuthenticated(request,appCreds); + } @Test |
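Review bot: `isAppAuthenticatedExceptionTest` no longer expects an exception and discards the return value of `isAppAuthenticated(request,appCreds)`, so it asserts nothing and cannot fail; capture and check the result, `Assert.assertFalse(onBoardingApiServiceImpl.isAppAuthenticated(request, appCreds));`. The preceding `isAppAuthenticatedTest` still stubs `AppContextManager.getAppContext()` and `webService.verifyRESTCredential(...)`, which the new implementation no longer calls, so that setup is dead and should be dropped. A third case that stubs `request.getHeader("password")` to return null would pin down the missing-header behaviour of the new comparison, which is currently only reached through the generic catch.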