From 69062c0ec148ccadaced3ef1d6eff63ba422c055 Mon Sep 17 00:00:00 2001
From: st782s <statta@research.att.com>
Date: Wed, 3 Jan 2018 14:30:16 -0500
Subject: Harden code

Issue-ID: PORTAL-145,PORTAL-119,PORTAL-118

Harden code to address SQL injecton, XSS vulnerabilities; Separate
docker images for portal, sdk app and DMaaPBC ui; Missing error page

Change-Id: I1818fbf86c601dd41b274729038e731fb2ec8f7d
Signed-off-by: st782s <statta@research.att.com>
---
 .../onap/portalsdk/core/service/UrlAccessImpl.java | 82 ++++++++++++++++++++--
 1 file changed, 75 insertions(+), 7 deletions(-)

(limited to 'ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/UrlAccessImpl.java')

diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/UrlAccessImpl.java b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/UrlAccessImpl.java
index 4dde6116..ddadc101 100644
--- a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/UrlAccessImpl.java
+++ b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/UrlAccessImpl.java
@@ -37,12 +37,15 @@
  */
 package org.onap.portalsdk.core.service;
 
-import java.util.HashMap;
+import java.util.ArrayList;
 import java.util.List;
-import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.hibernate.criterion.Criterion;
+import org.hibernate.criterion.Restrictions;
 import org.onap.portalsdk.core.domain.UrlsAccessible;
 import org.onap.portalsdk.core.web.support.UserUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -59,17 +62,18 @@ public class UrlAccessImpl implements UrlAccessService {
 	@Override
 	public boolean isUrlAccessible(HttpServletRequest request, String currentUrl) {
 		boolean isAccessible = false;
-		Map<String, String> params = new HashMap<>();
-		params.put("current_url", currentUrl);
-		List list = dataAccessService.executeNamedQuery("restrictedUrls", params, null);
+		List<?> list = getAccessUrlList(currentUrl);
 
 		// loop through the list of restricted URL's
 		if (list != null && !list.isEmpty()) {
 			for (int i = 0; i < list.size(); i++) {
-				UrlsAccessible urlFunctions = (UrlsAccessible) list.get(i);
-				String functionCd = urlFunctions.getFunctionCd();
+				UrlsAccessible urlFunction = (UrlsAccessible) list.get(i);
+				if (!matchPattern(currentUrl, urlFunction.getUrl()))
+					continue;
+				String functionCd = urlFunction.getFunctionCd();
 				if (UserUtils.isAccessible(request, functionCd)) {
 					isAccessible = true;
+					break;
 				}
 			}
 			return isAccessible;
@@ -77,4 +81,68 @@ public class UrlAccessImpl implements UrlAccessService {
 		return true;
 	}
 
+	/*
+	 * This Method returns all the entries in the database that start with the
+	 * first part of the currentUrl split at the "/" character. 
+	 * 
+	 * Example: if currentUrl
+	 * is "xyz/abc/1", all the entries in the corresponding tables that match
+	 * with "xyz" are returned
+	 */
+	private List<?> getAccessUrlList(String currentUrl) {
+		List<?> list = null;
+
+		if (currentUrl != null) {
+			int indexOfSlash = currentUrl.indexOf("/");
+			String currentFirstUrl = (indexOfSlash > 0) ? currentUrl.substring(0, indexOfSlash) : currentUrl;
+
+			if (currentFirstUrl != null) {
+
+				List<Criterion> restrictionsList = new ArrayList<Criterion>();
+				Criterion criterion1 = Restrictions.like("urlsAccessibleKey.url", currentFirstUrl + "%");
+				restrictionsList.add(criterion1);
+				list = dataAccessService.getList(UrlsAccessible.class, null, restrictionsList, null);
+
+			}
+		}
+		return list;
+	}
+
+	/*
+	 * This method compares the portalApiPath against the urlPattern; splits the
+	 * portalApiPath by "/" and compares each part with that of the urlPattern.
+	 * 
+	 * Example: "xyz/1/abc" matches with the pattern "xyz/* /abc" but not with
+	 * "xyz/*"
+	 * 
+	 */
+
+	private Boolean matchPattern(String portalApiPath, String urlPattern) {
+		String[] path = portalApiPath.split("/");
+		if (path.length > 1) {
+
+			String[] roleFunctionArray = urlPattern.split("/");
+			boolean match = true;
+			if (roleFunctionArray.length == path.length) {
+				for (int i = 0; i < roleFunctionArray.length; i++) {
+					if (match) {
+						if (!roleFunctionArray[i].equals("*")) {
+							Pattern p = Pattern.compile(path[i], Pattern.CASE_INSENSITIVE);
+							Matcher m = p.matcher(roleFunctionArray[i]);
+							match = m.matches();
+
+						}
+					}
+				}
+				if (match)
+					return match;
+			}
+		} else {
+			if (portalApiPath.matches(urlPattern))
+				return true;
+
+		}
+		return false;
+	}
+
 }
-- 
cgit 1.2.3-korg