From 179ff1eb0c1ac9eef4d152c47df5cb12a4584c0f Mon Sep 17 00:00:00 2001
From: "Kotta, Shireesha (sk434m)"
Date: Fri, 28 Jun 2019 15:27:29 -0400
Subject: PENTEST:Do not display stack trace for the api's

Issue-ID: PORTAL-654
PENTEST:Do not display stack trace for the api's and all users info for get_user api
Change-Id: I68a4e3c7eba2628363275d63535290034591aa07
Signed-off-by: Kotta, Shireesha (sk434m)
---
 .../portalsdk/core/onboarding/util/AuthUtil.java | 83 +++++++++++++++++-----
 1 file changed, 64 insertions(+), 19 deletions(-)

(limited to 'ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util')

diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java
index 14ad234f..e07e4f9d 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java
@@ -39,6 +39,7 @@ package org.onap.portalsdk.core.onboarding.util;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
@@ -89,11 +90,10 @@ public class AuthUtil {
 return match;
 }
 } else {
- if (portalApiPath.matches(urlPattern))
+ if (urlPattern.equals("*"))
 return true;
- else if (urlPattern.equals("*"))
+ else if (portalApiPath.matches(urlPattern))
 return true;
- }
 return false;
 }
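Review bot: `portalApiPath.matches(urlPattern)` in the reordered else branch still compiles `urlPattern` as a regular expression on every call, and a malformed entry raises an unchecked PatternSyntaxException that nothing in this branch catches, so one bad pattern (the hunk does not show where the patterns come from, presumably the permission instances) fails authorization for every request instead of just that entry; moving the `*` check first only covers the literal `*`. I would replace the `else if` with `try { return portalApiPath.matches(urlPattern); } catch (PatternSyntaxException ex) { logger.error(EELFLoggerDelegate.errorLogger, "Invalid URL pattern: " + urlPattern, ex); }` so a misconfigured pattern is logged and treated as no match (`java.util.regex.PatternSyntaxException` would need importing). The last removed line drops a closing brace, so on the new side `return false;` sits inside the else block and the hunk alone does not show what closes the block; the enclosing method starts before the hunk, so please confirm the brace structure is as intended.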
@@ -172,25 +172,70 @@ public class AuthUtil {
 * @return boolean value if the access is allowed
 * @throws PortalAPIException
 */
- public static boolean isAccessAllowed(HttpServletRequest request, String nameSpace) throws PortalAPIException {
- List aafPermsList = getAAFPermissions(request);
- logger.debug(EELFLoggerDelegate.debugLogger, "Application nameSpace: "+ nameSpace);
- if (nameSpace.isEmpty()) {
- throw new PortalAPIException("NameSpace not Declared!");
- }
- List aafPermsFinalList = getNameSpacesAAFPermissions(nameSpace, aafPermsList);
- List finalInstanceList = getAllInstances(aafPermsFinalList);
- String requestUri = request.getRequestURI().substring(request.getContextPath().length() + 1);
+ public static boolean isAccessAllowed(HttpServletRequest request, String nameSpace, Map appCredentials) throws PortalAPIException {
+
 boolean isauthorized = false;
- for (String str : finalInstanceList) {
- if (!isauthorized)
- isauthorized = matchPattern(requestUri, str);
- }
- logger.debug(EELFLoggerDelegate.debugLogger, "isAccessAllowed for the request uri: "+requestUri + "is"+ isauthorized);
- if (isauthorized) {
+ try {
+ CadiWrap wrapReq = (CadiWrap) request;
+ List aafPermsList = getAAFPermissions(request);
+ logger.debug(EELFLoggerDelegate.debugLogger, "Application nameSpace: " + nameSpace);
+ if (nameSpace.isEmpty()) {
+ throw new PortalAPIException("NameSpace not Declared!");
+ }
+ List aafPermsFinalList = getNameSpacesAAFPermissions(nameSpace, aafPermsList);
+ List finalInstanceList = getAllInstances(aafPermsFinalList);
+ finalInstanceList.add("api/v3/timeoutSession");
+ String requestUri = request.getRequestURI().substring(request.getContextPath().length() + 1);
+
+ for (String str : finalInstanceList) {
+ if (!isauthorized)
+ isauthorized = matchPattern(requestUri, str);
+ }
+ logger.debug(EELFLoggerDelegate.debugLogger,
+ "isAccessAllowed for the request uri: " + requestUri + "is" + isauthorized);
+ if (isauthorized) {
+ logger.debug(EELFLoggerDelegate.debugLogger, "Request is Authorized");
+ }
+ } catch (ClassCastException e) {
 logger.debug(EELFLoggerDelegate.debugLogger,
- "Request is Authorized");
+ "Given request is not CADI request");
+
+ if(appCredentials.isEmpty())
+ {
+ logger.debug(EELFLoggerDelegate.debugLogger, "app credentails are empty");
+ return false;
+ }
+
+ String appUserName = "";
+ String appPassword = "";
+ String appName = "";
+
+ for (Map.Entry entry : appCredentials.entrySet()) {
+ if (entry.getKey().equalsIgnoreCase("username")) {
+ appUserName = entry.getValue();
+ } else if (entry.getKey().equalsIgnoreCase("password")) {
+ appPassword = entry.getValue();
+ } else {
+ appName = entry.getValue();
+ }
+ }
+
+ try {
+ String appUser = request.getHeader("username");
+ String password = request.getHeader("password");
+
+ if (password.equals(appPassword) && appUserName.equals(appUser)) {
+ isauthorized = true;
+ }
+ logger.debug(EELFLoggerDelegate.debugLogger,
+ "isAccessAllowed for the request " + isauthorized);
+ } catch (Exception e1) {
+ String response = "AuthUtil.isAccessAllowed failed";
+ logger.error(EELFLoggerDelegate.errorLogger, response, e1);
+ throw new PortalAPIException(response, e1);
+ }
 }
+
 return isauthorized;
 }
 }
\ No newline at end of file
-- 
cgit 1.2.3-korg
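Review bot: In the credential fallback, `password.equals(appPassword)` dereferences the raw `password` header, so a request that omits the header throws NullPointerException into `catch (Exception e1)` and comes back as a PortalAPIException rather than a plain deny; reversing the operands or null-checking both headers fixes that. The key loop also leaves `appUserName` and `appPassword` as empty strings when the map is non-empty but lacks those keys (only `isEmpty()` is checked), and a request sending empty `username`/`password` headers would then pass — reject incomplete credentials before comparing, and compare the secret in constant time with `MessageDigest.isEqual` (needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported). With a null-safe compare the inner try/catch has nothing left to catch and can go. Separately, `wrapReq` and `appName` are written but never read: the cast exists only to route control flow through ClassCastException, which would also divert a ClassCastException raised inside getAAFPermissions or the list helpers into the header-credential path, so `if (request instanceof CadiWrap)` states the intent and keeps the two paths apart. Rewritten fallback below; the method starts and ends within this hunk.
```java
			// … unchanged: "Given request is not CADI request" log, isEmpty() guard, credential key loop …
			if (appUserName.isEmpty() || appPassword.isEmpty()) {
				logger.debug(EELFLoggerDelegate.debugLogger, "app credentials are incomplete");
				return false;
			}
			String appUser = request.getHeader("username");
			String password = request.getHeader("password");
			// A missing header must deny, not throw; the secret is compared in constant time.
			isauthorized = appUser != null && password != null
					&& appUserName.equals(appUser)
					&& MessageDigest.isEqual(appPassword.getBytes(StandardCharsets.UTF_8),
							password.getBytes(StandardCharsets.UTF_8));
			logger.debug(EELFLoggerDelegate.debugLogger, "isAccessAllowed for the request " + isauthorized);
			// … unchanged: closing brace of the catch block, return isauthorized …
```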