From ed07ebfbce4031ef4dfbd2f42147f6a7b351aeb8 Mon Sep 17 00:00:00 2001
From: st782s <statta@research.att.com>
Date: Wed, 22 Nov 2017 11:41:10 -0500
Subject: Harden code

Issue-ID: PORTAL-145,PORTAL-119
Harden code to address SQL injecton, XSS vulnerabilities; Separate
docker images for portal, sdk app and DMaaPBC ui

Change-Id: I85fad4d3fcee3243207b8f0dfe21beaa41602204
Signed-off-by: st782s <statta@research.att.com>
---
 .../portalsdk/core/onboarding/util/CipherUtil.java | 143 +++++++++++++++++++--
 .../core/onboarding/util/KeyConstants.java         |  46 +++++++
 .../core/onboarding/util/KeyProperties.java        | 123 ++++++++++++++++++
 3 files changed, 301 insertions(+), 11 deletions(-)
 create mode 100644 ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java
 create mode 100644 ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java

(limited to 'ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util')

diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java
index 92d9ffc3..ba95d870 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java
@@ -40,14 +40,17 @@ package org.onap.portalsdk.core.onboarding.util;
 import java.io.UnsupportedEncodingException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 
 import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.onap.portalsdk.core.onboarding.exception.CipherUtilException;
@@ -59,10 +62,19 @@ public class CipherUtil {
 	/**
 	 * Default key.
 	 */
-	private final static String key = "AGLDdG4D04BKm2IxIWEr8o==!";
+	private static final String keyString = KeyProperties.getProperty(KeyConstants.CIPHER_ENCRYPTION_KEY);
+
+	private static final String ALGORITHM = "AES";
+	private static final String ALGORYTHM_DETAILS = ALGORITHM + "/CBC/PKCS5PADDING";
+	private static final int BLOCK_SIZE = 128;
+	@SuppressWarnings("unused")
+	private static SecretKeySpec secretKeySpec;
+	private static IvParameterSpec ivspec;
 
 	/**
-	 * Encrypts the text using the specified secret key.
+	 * @deprecated Please use {@link #encryptPKC(String)} to encrypt the text.
+	 * 
+	 *             Encrypts the text using the specified secret key.
 	 * 
 	 * @param plainText
 	 *            Text to encrypt
@@ -71,7 +83,9 @@ public class CipherUtil {
 	 * @return encrypted version of plain text.
 	 * @throws CipherUtilException
 	 *             if any encryption step fails
+	 *
 	 */
+	@Deprecated
 	public static String encrypt(String plainText, String secretKey) throws CipherUtilException {
 		String encryptedString = null;
 		try {
@@ -90,7 +104,8 @@ public class CipherUtil {
 	}
 
 	/**
-	 * Encrypts the text using a default secret key.
+	 * @deprecated Please use {@link #encryptPKC(String)} to encrypt the text.
+	 *             Encrypts the text using the secret key in key.properties file.
 	 * 
 	 * @param plainText
 	 *            Text to encrypt
@@ -98,12 +113,29 @@ public class CipherUtil {
 	 * @throws CipherUtilException
 	 *             if any decryption step fails
 	 */
+	@Deprecated
 	public static String encrypt(String plainText) throws CipherUtilException {
-		return CipherUtil.encrypt(plainText, key);
+		return CipherUtil.encrypt(plainText, keyString);
 	}
 
 	/**
-	 * Decrypts the text using the specified secret key.
+	 * Encrypts the text using a secret key.
+	 * 
+	 * @param plainText
+	 *            Text to encrypt
+	 * @return Encrypted Text
+	 * @throws CipherUtilException
+	 *             if any decryption step fails
+	 */
+	public static String encryptPKC(String plainText) throws CipherUtilException {
+		return CipherUtil.encryptPKC(plainText, keyString);
+	}
+
+	/**
+	 * 
+	 * @deprecated Please use {@link #decryptPKC(String)} to Decryption the text.
+	 * 
+	 *             Decrypts the text using the specified secret key.
 	 * 
 	 * @param encryptedText
 	 *            Text to decrypt
@@ -112,7 +144,9 @@ public class CipherUtil {
 	 * @return plain text version of encrypted text
 	 * @throws CipherUtilException
 	 *             if any decryption step fails
+	 * 
 	 */
+	@Deprecated
 	public static String decrypt(String encryptedText, String secretKey) throws CipherUtilException {
 		String encryptedString = null;
 		try {
@@ -130,8 +164,79 @@ public class CipherUtil {
 		return encryptedString;
 	}
 
+	private static SecretKeySpec getSecretKeySpec() {
+		byte[] key = Base64.decodeBase64(keyString);
+		return new SecretKeySpec(key, ALGORITHM);
+	}
+
+	private static SecretKeySpec getSecretKeySpec(String keyString) {
+		byte[] key = Base64.decodeBase64(keyString);
+		return new SecretKeySpec(key, ALGORITHM);
+	}
+
 	/**
-	 * Decrypts the text using a default secret key.
+	 * Encrypt the text using the secret key in key.properties file
+	 * 
+	 * @param value
+	 * @return The encrypted string
+	 * @throws BadPaddingException
+	 * @throws CipherUtilException
+	 *             In case of issue with the encryption
+	 */
+	public static String encryptPKC(String value, String skey) throws CipherUtilException {
+		Cipher cipher = null;
+		byte[] iv = null, finalByte = null;
+
+		try {
+			cipher = Cipher.getInstance(ALGORYTHM_DETAILS, "SunJCE");
+
+			SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
+			iv = new byte[BLOCK_SIZE / 8];
+			r.nextBytes(iv);
+			ivspec = new IvParameterSpec(iv);
+			cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(skey), ivspec);
+			finalByte = cipher.doFinal(value.getBytes());
+
+		} catch (Exception ex) {
+			logger.error("encrypt failed", ex);
+			throw new CipherUtilException(ex);
+		}
+		return Base64.encodeBase64String(ArrayUtils.addAll(iv, finalByte));
+	}
+
+	/**
+	 * Decrypts the text using the secret key in key.properties file.
+	 * 
+	 * @param message
+	 *            The encrypted string that must be decrypted using the ecomp
+	 *            Encryption Key
+	 * @return The String decrypted
+	 * @throws CipherUtilException
+	 *             if any decryption step fails
+	 */
+	public static String decryptPKC(String message, String skey) throws CipherUtilException {
+		byte[] encryptedMessage = Base64.decodeBase64(message);
+		Cipher cipher;
+		byte[] decrypted = null;
+		try {
+			cipher = Cipher.getInstance(ALGORYTHM_DETAILS, "SunJCE");
+			ivspec = new IvParameterSpec(ArrayUtils.subarray(encryptedMessage, 0, BLOCK_SIZE / 8));
+			byte[] realData = ArrayUtils.subarray(encryptedMessage, BLOCK_SIZE / 8, encryptedMessage.length);
+			cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(skey), ivspec);
+			decrypted = cipher.doFinal(realData);
+
+		} catch (Exception ex) {
+			logger.error("decrypt failed", ex);
+			throw new CipherUtilException(ex);
+		}
+
+		return new String(decrypted);
+	}
+
+	/**
+	 * @deprecated Please use {@link #decryptPKC(String)} to Decrypt the text.
+	 * 
+	 *             Decrypts the text using the secret key in key.properties file.
 	 * 
 	 * @param encryptedText
 	 *            Text to decrypt
@@ -139,11 +244,26 @@ public class CipherUtil {
 	 * @throws CipherUtilException
 	 *             if any decryption step fails
 	 */
+	@Deprecated
 	public static String decrypt(String encryptedText) throws CipherUtilException {
-		return CipherUtil.decrypt(encryptedText, key);
+		return CipherUtil.decrypt(encryptedText, keyString);
+	}
+
+	/**
+	 * 
+	 * Decrypts the text using the secret key in key.properties file.
+	 * 
+	 * @param encryptedText
+	 *            Text to decrypt
+	 * @return Decrypted text
+	 * @throws CipherUtilException
+	 *             if any decryption step fails
+	 */
+	public static String decryptPKC(String encryptedText) throws CipherUtilException {
+		return CipherUtil.decryptPKC(encryptedText, keyString);
 	}
 
-/*	public static void main(String[] args) throws CipherUtilException {
+	public static void main(String[] args) throws CipherUtilException {
 
 		String testValue = "Welcome123";
 		String encrypted;
@@ -152,9 +272,9 @@ public class CipherUtil {
 		if (args.length != 2) {
 			System.out.println("Default password testing... ");
 			System.out.println("Plain password: " + testValue);
-			encrypted = encrypt(testValue);
+			encrypted = encryptPKC(testValue);
 			System.out.println("Encrypted password: " + encrypted);
-			decrypted = decrypt(encrypted);
+			decrypted = decryptPKC(encrypted);
 			System.out.println("Decrypted  password: " + decrypted);
 		} else {
 			String whatToDo = args[0];
@@ -170,5 +290,6 @@ public class CipherUtil {
 				System.out.println("Encrypted Text" + encrypted);
 			}
 		}
-	}*/
+	}
+
 }
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java
new file mode 100644
index 00000000..096b04dc
--- /dev/null
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java
@@ -0,0 +1,46 @@
+/*
+ * ============LICENSE_START==========================================
+ * ONAP Portal SDK
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+package org.onap.portalsdk.core.onboarding.util;
+
+public interface KeyConstants {
+	
+	// Names of keys in the key.properties file
+	public static final String CIPHER_ENCRYPTION_KEY = "cipher.enc.key";
+	
+	
+}
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java
new file mode 100644
index 00000000..956d3b81
--- /dev/null
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java
@@ -0,0 +1,123 @@
+/*
+ * ============LICENSE_START==========================================
+ * ONAP Portal SDK
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+package org.onap.portalsdk.core.onboarding.util;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Properties;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * Searches the classpath for  the file "key.properties".
+ * 
+ * To put the file "key.properties" on the classpath, it can be in the same
+ * directory where the first package folder is - 'myClasses' folder in the
+ * following case as an example:
+ * 
+ */
+public class KeyProperties {
+
+	private static final Log logger = LogFactory.getLog(KeyProperties.class);
+
+	private static Properties properties;
+	private static String propertyFileName = "key.properties";
+
+	private static final Object lockObject = new Object();
+	
+	/**
+	 * Constructor is private.
+	 */
+	private KeyProperties() {
+	}
+
+	/**
+	 * Gets the property value for the specified key. If a value is found, leading
+	 * and trailing space is trimmed.
+	 *
+	 * @param property
+	 *            Property key
+	 * @return Value for the named property; null if the property file was not
+	 *         loaded or the key was not found.
+	 */
+	public static String getProperty(String property) {
+		if (properties == null) {
+			synchronized (lockObject) {
+				try {
+					if (!initialize()) {
+						logger.error("Failed to read property file " + propertyFileName);
+						return null;
+					}
+				} catch (IOException e) {
+					logger.error("Failed to read property file " + propertyFileName, e);
+					return null;
+				}
+			}
+		}
+		String value = properties.getProperty(property);
+		if (value != null)
+			value = value.trim();
+		return value;
+	}
+
+	/**
+	 * Reads properties from a portal.properties file on the classpath.
+	 * 
+	 * Clients do NOT need to call this method. Clients MAY call this method to test
+	 * whether the properties file can be loaded successfully.
+	 * 
+	 * @return True if properties were successfully loaded, else false.
+	 * @throws IOException
+	 *             On failure
+	 */
+	private static boolean initialize() throws IOException {
+		if (properties != null)
+			return true;
+		InputStream in = KeyProperties.class.getClassLoader().getResourceAsStream(propertyFileName);
+		if (in == null)
+			return false;
+		properties = new Properties();
+		try {
+			properties.load(in);
+		} finally {
+			in.close();
+		}
+		return true;
+	}
+}
-- 
cgit 1.2.3-korg