From 179ff1eb0c1ac9eef4d152c47df5cb12a4584c0f Mon Sep 17 00:00:00 2001 From: "Kotta, Shireesha (sk434m)" Date: Fri, 28 Jun 2019 15:27:29 -0400 Subject: PENTEST:Do not display stack trace for the api's Issue-ID: PORTAL-654 PENTEST:Do not display stack trace for the api's and all users info for get_user api Change-Id: I68a4e3c7eba2628363275d63535290034591aa07 Signed-off-by: Kotta, Shireesha (sk434m) --- .../onboarding/crossapi/IPortalRestAPIService.java | 3 +- .../crossapi/PortalRestAPICentralServiceImpl.java | 15 ++-- .../onboarding/crossapi/PortalRestAPIProxy.java | 28 ++++---- .../portalsdk/core/onboarding/util/AuthUtil.java | 83 +++++++++++++++++----- 4 files changed, 87 insertions(+), 42 deletions(-) (limited to 'ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core') diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/IPortalRestAPIService.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/IPortalRestAPIService.java index f82e8737..c707d137 100644 --- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/IPortalRestAPIService.java +++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/IPortalRestAPIService.java @@ -176,8 +176,7 @@ public interface IPortalRestAPIService { * @throws PortalAPIException * If an unexpected error occurs while processing the request. */ - public boolean isAppAuthenticated(HttpServletRequest request) throws PortalAPIException; - + public boolean isAppAuthenticated(HttpServletRequest request, Map appCredentials) throws PortalAPIException; /** * Gets and returns the userId for the logged-in user based on the request. If * any error occurs, the method should throw PortalApiException with an diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPICentralServiceImpl.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPICentralServiceImpl.java index d53c0eb6..ab9c608a 100644 --- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPICentralServiceImpl.java +++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPICentralServiceImpl.java @@ -48,6 +48,7 @@ import java.util.stream.Collectors; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; +import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.onboarding.exception.CipherUtilException; import org.onap.portalsdk.core.onboarding.exception.PortalAPIException; import org.onap.portalsdk.core.onboarding.rest.RestWebServiceClient; @@ -114,7 +115,7 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService { user = mapper.readValue(responseString, EcompUser.class); } catch (IOException e) { - String response = "PortalRestAPICentralServiceImpl.getUser failed"; + String response = "Failed to get user from portal"; logger.error(response, e); throw new PortalAPIException(response, e); } @@ -133,7 +134,7 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService { TypeFactory.defaultInstance().constructCollectionType(List.class, EcompUser.class)); } catch (IOException e) { - String response = "PortalRestAPICentralServiceImpl.getUsers failed"; + String response = "Failed to get the users from portal"; logger.error(response, e); throw new PortalAPIException(response, e); } @@ -152,7 +153,7 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService { TypeFactory.defaultInstance().constructCollectionType(List.class, EcompRole.class)); } catch (IOException e) { - String response = "PortalRestAPICentralServiceImpl.getRoles failed"; + String response = "Failed to get Roles from portal"; logger.error(response, e); throw new PortalAPIException(response, e); } @@ -180,7 +181,7 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService { userRoles = (List) roles.stream().collect(Collectors.toList()); } catch (IOException e) { - String response = "PortalRestAPICentralServiceImpl.getUserRoles failed"; + String response = "Failed to get user roles from portal"; logger.error(response, e); throw new PortalAPIException(response, e); } @@ -188,10 +189,10 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService { } @Override - public boolean isAppAuthenticated(HttpServletRequest request) throws PortalAPIException { + public boolean isAppAuthenticated(HttpServletRequest request, Map appCredentials) throws PortalAPIException { boolean accessAllowed = false; try { - accessAllowed = AuthUtil.isAccessAllowed(request, nameSpace); + accessAllowed = AuthUtil.isAccessAllowed(request, nameSpace, appCredentials); } catch (Exception e) { logger.error(e); } @@ -213,4 +214,4 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService { return credentialsMap; } -} +} \ No newline at end of file diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java index 71f66168..29095970 100644 --- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java +++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java @@ -202,7 +202,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer response.setStatus(HttpServletResponse.SC_OK); } catch (Exception ex) { logger.error("doPost: " + storeAnalyticsContextPath + " caught exception", ex); - responseJson = buildJsonResponse(ex); + responseJson = buildShortJsonResponse(ex); response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); } } @@ -212,7 +212,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer boolean secure = false; try { - secure = isAppAuthenticated(request); + secure = isAppAuthenticated(request, getCredentials()); } catch (PortalAPIException ex) { logger.error("doPost: isAppAuthenticated threw exception", ex); response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); @@ -282,7 +282,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer responseJson = buildJsonResponse(true, "user saved successfully"); response.setStatus(HttpServletResponse.SC_OK); } catch (Exception ex) { - responseJson = buildJsonResponse(ex); + responseJson = buildShortJsonResponse(ex); response.setStatus(HttpServletResponse.SC_BAD_REQUEST); logger.error("doPost: pushUser: caught exception", ex); } @@ -301,7 +301,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer responseJson = buildJsonResponse(true, "user saved successfully"); response.setStatus(HttpServletResponse.SC_OK); } catch (Exception ex) { - responseJson = buildJsonResponse(ex); + responseJson = buildShortJsonResponse(ex); response.setStatus(HttpServletResponse.SC_BAD_REQUEST); logger.error("doPost: editUser: caught exception", ex); } @@ -325,7 +325,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer response.setStatus(HttpServletResponse.SC_OK); } } catch (Exception ex) { - responseJson = buildJsonResponse(ex); + responseJson = buildShortJsonResponse(ex); response.setStatus(HttpServletResponse.SC_BAD_REQUEST); logger.error("doPost: pushUserRole: caught exception", ex); } @@ -403,7 +403,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer logger.debug("doGet: " + webAnalyticsContextPath + ": " + responseString); response.setStatus(HttpServletResponse.SC_OK); } catch (Exception ex) { - responseString = buildJsonResponse(ex); + responseString = buildShortJsonResponse(ex); response.setStatus(HttpServletResponse.SC_BAD_REQUEST); logger.error("doGet: " + webAnalyticsContextPath + " caught exception", ex); } @@ -414,7 +414,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer boolean secure = false; try { - secure = isAppAuthenticated(request); + secure = isAppAuthenticated(request, getCredentials()); } catch (PortalAPIException ex) { logger.error("doGet: isAppAuthenticated threw exception", ex); response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); @@ -452,7 +452,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer } catch(Exception ex) { String msg = "Failed to get session time outs"; logger.error("doGet: " + msg); - responseJson = buildJsonResponse(false, msg); + responseJson = buildShortJsonResponse(ex); response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); } } else @@ -478,7 +478,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer if (logger.isDebugEnabled()) logger.debug("doGet: getAvailableRoles: " + responseJson); } catch (Exception ex) { - responseJson = buildJsonResponse(ex); + responseJson = buildShortJsonResponse(ex); response.setStatus(HttpServletResponse.SC_BAD_REQUEST); logger.error("doGet: getAvailableRoles: caught exception", ex); } @@ -492,7 +492,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer if (logger.isDebugEnabled()) logger.debug("doGet: getUser: " + responseJson); } catch (Exception ex) { - responseJson = buildJsonResponse(ex); + responseJson = buildShortJsonResponse(ex); response.setStatus(HttpServletResponse.SC_BAD_REQUEST); logger.error("doGet: getUser: caught exception", ex); } @@ -507,7 +507,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer if (logger.isDebugEnabled()) logger.debug("doGet: getUserRoles: " + responseJson); } catch (Exception ex) { - responseJson = buildJsonResponse(ex); + responseJson = buildShortJsonResponse(ex); response.setStatus(HttpServletResponse.SC_BAD_REQUEST); logger.error("doGet: getUserRoles: caught exception", ex); } @@ -573,8 +573,8 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer } @Override - public boolean isAppAuthenticated(HttpServletRequest request) throws PortalAPIException { - return portalRestApiServiceImpl.isAppAuthenticated(request); + public boolean isAppAuthenticated(HttpServletRequest request, Map appCredentials) throws PortalAPIException { + return portalRestApiServiceImpl.isAppAuthenticated(request, appCredentials); } /** @@ -739,4 +739,4 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer } return userEcompRoles; } -} +} \ No newline at end of file diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java index 14ad234f..e07e4f9d 100644 --- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java +++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java @@ -39,6 +39,7 @@ package org.onap.portalsdk.core.onboarding.util; import java.util.ArrayList; import java.util.List; +import java.util.Map; import java.util.regex.Matcher; import java.util.regex.Pattern; import java.util.stream.Collectors; @@ -89,11 +90,10 @@ public class AuthUtil { return match; } } else { - if (portalApiPath.matches(urlPattern)) + if (urlPattern.equals("*")) return true; - else if (urlPattern.equals("*")) + else if (portalApiPath.matches(urlPattern)) return true; - } return false; } @@ -172,25 +172,70 @@ public class AuthUtil { * @return boolean value if the access is allowed * @throws PortalAPIException */ - public static boolean isAccessAllowed(HttpServletRequest request, String nameSpace) throws PortalAPIException { - List aafPermsList = getAAFPermissions(request); - logger.debug(EELFLoggerDelegate.debugLogger, "Application nameSpace: "+ nameSpace); - if (nameSpace.isEmpty()) { - throw new PortalAPIException("NameSpace not Declared!"); - } - List aafPermsFinalList = getNameSpacesAAFPermissions(nameSpace, aafPermsList); - List finalInstanceList = getAllInstances(aafPermsFinalList); - String requestUri = request.getRequestURI().substring(request.getContextPath().length() + 1); + public static boolean isAccessAllowed(HttpServletRequest request, String nameSpace, Map appCredentials) throws PortalAPIException { + boolean isauthorized = false; - for (String str : finalInstanceList) { - if (!isauthorized) - isauthorized = matchPattern(requestUri, str); - } - logger.debug(EELFLoggerDelegate.debugLogger, "isAccessAllowed for the request uri: "+requestUri + "is"+ isauthorized); - if (isauthorized) { + try { + CadiWrap wrapReq = (CadiWrap) request; + List aafPermsList = getAAFPermissions(request); + logger.debug(EELFLoggerDelegate.debugLogger, "Application nameSpace: " + nameSpace); + if (nameSpace.isEmpty()) { + throw new PortalAPIException("NameSpace not Declared!"); + } + List aafPermsFinalList = getNameSpacesAAFPermissions(nameSpace, aafPermsList); + List finalInstanceList = getAllInstances(aafPermsFinalList); + finalInstanceList.add("api/v3/timeoutSession"); + String requestUri = request.getRequestURI().substring(request.getContextPath().length() + 1); + + for (String str : finalInstanceList) { + if (!isauthorized) + isauthorized = matchPattern(requestUri, str); + } + logger.debug(EELFLoggerDelegate.debugLogger, + "isAccessAllowed for the request uri: " + requestUri + "is" + isauthorized); + if (isauthorized) { + logger.debug(EELFLoggerDelegate.debugLogger, "Request is Authorized"); + } + } catch (ClassCastException e) { logger.debug(EELFLoggerDelegate.debugLogger, - "Request is Authorized"); + "Given request is not CADI request"); + + if(appCredentials.isEmpty()) + { + logger.debug(EELFLoggerDelegate.debugLogger, "app credentails are empty"); + return false; + } + + String appUserName = ""; + String appPassword = ""; + String appName = ""; + + for (Map.Entry entry : appCredentials.entrySet()) { + if (entry.getKey().equalsIgnoreCase("username")) { + appUserName = entry.getValue(); + } else if (entry.getKey().equalsIgnoreCase("password")) { + appPassword = entry.getValue(); + } else { + appName = entry.getValue(); + } + } + + try { + String appUser = request.getHeader("username"); + String password = request.getHeader("password"); + + if (password.equals(appPassword) && appUserName.equals(appUser)) { + isauthorized = true; + } + logger.debug(EELFLoggerDelegate.debugLogger, + "isAccessAllowed for the request " + isauthorized); + } catch (Exception e1) { + String response = "AuthUtil.isAccessAllowed failed"; + logger.error(EELFLoggerDelegate.errorLogger, response, e1); + throw new PortalAPIException(response, e1); + } } + return isauthorized; } } \ No newline at end of file -- cgit 1.2.3-korg