From ed07ebfbce4031ef4dfbd2f42147f6a7b351aeb8 Mon Sep 17 00:00:00 2001 From: st782s Date: Wed, 22 Nov 2017 11:41:10 -0500 Subject: Harden code Issue-ID: PORTAL-145,PORTAL-119 Harden code to address SQL injection, XSS vulnerabilities; Separate docker images for portal, sdk app and DMaaPBC ui Change-Id: I85fad4d3fcee3243207b8f0dfe21beaa41602204 
Signed-off-by: st782s --- .../core/onboarding/rest/RestWebServiceClient.java | 28 +- .../portalsdk/core/onboarding/util/CipherUtil.java | 143 +++++++- .../core/onboarding/util/KeyConstants.java | 46 +++ .../core/onboarding/util/KeyProperties.java | 123 +++++++ .../onap/portalsdk/fw/test/AbstractModelTest.java | 75 +++++ .../org/onap/portalsdk/fw/test/DomainTest.java | 169 ++++++++++ .../org/onap/portalsdk/fw/test/ExceptionTest.java | 73 ++++ .../fw/test/ExtendSessionTimeoutTest.java | 99 ++++++ .../onap/portalsdk/fw/test/InMemoryRestServer.java | 150 +++++++++ .../fw/test/PortalTimeoutHandlerTest.java | 100 ++++++ .../org/onap/portalsdk/fw/test/RestClientTest.java | 112 +++++++ .../fw/test/SessionSlotCheckIntervalTest.java | 103 ++++++ .../java/org/onap/portalsdk/fw/test/UtilTest.java | 80 +++++ .../epsdk-fw/src/test/resources/ESAPI.properties | 367 +++++++++++++++++++++ .../epsdk-fw/src/test/resources/key.properties | 41 +++ .../epsdk-fw/src/test/resources/portal.properties | 3 + .../src/test/resources/validation.properties | 32 ++ 17 files changed, 1709 insertions(+), 35 deletions(-) create mode 100644 ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java create mode 100644 ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java create mode 100644 ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/AbstractModelTest.java create mode 100644 ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/DomainTest.java create mode 100644 ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/ExceptionTest.java create mode 100644 ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/ExtendSessionTimeoutTest.java create mode 100644 ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/InMemoryRestServer.java create mode 100644 ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/PortalTimeoutHandlerTest.java create mode 100644 
ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/RestClientTest.java create mode 100644 ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/SessionSlotCheckIntervalTest.java create mode 100644 ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/UtilTest.java create mode 100644 ecomp-sdk/epsdk-fw/src/test/resources/ESAPI.properties create mode 100644 ecomp-sdk/epsdk-fw/src/test/resources/key.properties create mode 100644 ecomp-sdk/epsdk-fw/src/test/resources/portal.properties create mode 100644 ecomp-sdk/epsdk-fw/src/test/resources/validation.properties (limited to 'ecomp-sdk/epsdk-fw/src') diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java index 91f019be..a752055f 100644 --- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java +++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java @@ -51,7 +51,6 @@ import org.onap.portalsdk.core.onboarding.util.PortalApiConstants; import org.onap.portalsdk.core.onboarding.util.PortalApiProperties; import org.owasp.esapi.ESAPI; - /** * Simple REST client for GET, POST and DELETE operations against the Portal * application. @@ -211,7 +210,9 @@ public class RestWebServiceClient { // add request header con.setRequestProperty("uebkey", appUebKey); - con.setRequestProperty("LoginId", ESAPI.encoder().canonicalize(loginId)); + if (loginId != null) { + con.setRequestProperty("LoginId", ESAPI.encoder().canonicalize(loginId)); + } con.setRequestProperty("user-agent", appName); con.setRequestProperty("X-ECOMP-RequestID", requestId); con.setRequestProperty("username", appUserName); 
@@ -527,31 +528,10 @@ public class RestWebServiceClient { int bytes; while ((bytes = in.read(buf)) > 0) sb.append(new String(buf, 0, bytes)); - } - catch (Exception ex) { + } catch (Exception ex) { logger.error("readAndCloseStream", ex); } return sb.toString(); } - /** - * Basic unit test for the client to call Portal app on localhost. - * - * @param args - * Ignored - * @throws IOException - * On failure - */ - public static void main(String[] args) throws IOException { - RestWebServiceClient client = RestWebServiceClient.getInstance(); - final String getUrl = "http://www.ecomp.openecomp.org:8080/ecompportal/auxapi/analytics"; - String get = client.get(getUrl, "userId", "appName", null, "appUebKey", "appUserName", "appPassword", null); - System.out.println("Get result:\n" + get); - final String postUrl = "http://www.ecomp.openecomp.org:8080/ecompportal/auxapi/storeAnalytics"; - final String content = " { " + " \"action\" : \"test1\", " + " \"page\" : \"test2\", " - + " \"function\" : \"test3\", " + " \"userid\" : \"ab1234\" " + "}"; - String post = client.post(postUrl, "userId", "appName", null, "appUebKey", "appUserName", "appPassword", - "application/json", content, true); - System.out.println("Post result:\n" + post); - } } diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java index 92d9ffc3..ba95d870 100644 --- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java +++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java 
@@ -40,14 +40,17 @@ package org.onap.portalsdk.core.onboarding.util;
 import java.io.UnsupportedEncodingException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.onap.portalsdk.core.onboarding.exception.CipherUtilException;
@@ -59,10 +62,19 @@ public class CipherUtil {
 /**
 * Default key.
 */
- private final static String key = "AGLDdG4D04BKm2IxIWEr8o==!";
+ private static final String keyString = KeyProperties.getProperty(KeyConstants.CIPHER_ENCRYPTION_KEY);
+
+ private static final String ALGORITHM = "AES";
+ private static final String ALGORYTHM_DETAILS = ALGORITHM + "/CBC/PKCS5PADDING";
+ private static final int BLOCK_SIZE = 128;
+ @SuppressWarnings("unused")
+ private static SecretKeySpec secretKeySpec;
+ private static IvParameterSpec ivspec;
 /**
- * Encrypts the text using the specified secret key.
+ * @deprecated Please use {@link #encryptPKC(String)} to encrypt the text.
+ *
+ * Encrypts the text using the specified secret key.
 *
 * @param plainText
 * Text to encrypt
@@ -71,7 +83,9 @@ public class CipherUtil {
 * @return encrypted version of plain text.
 * @throws CipherUtilException
 * if any encryption step fails
+ *
 */
+ @Deprecated
 public static String encrypt(String plainText, String secretKey) throws CipherUtilException {
 String encryptedString = null;
 try {
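Review bot: `ivspec` is declared as a static field that encryptPKC and decryptPKC (the `@@ -130,8 +164,79 @@` hunk) overwrite on every call, so two threads encrypting at the same time can initialise a cipher with the other thread's IV while prepending their own, producing ciphertext that will never decrypt; the IV is only needed inside each method, so drop the field and write `IvParameterSpec ivspec = new IvParameterSpec(iv);` as a local in both. The `@SuppressWarnings("unused") private static SecretKeySpec secretKeySpec;` pair is dead and can go with it. `ALGORYTHM_DETAILS` is a misspelling of `ALGORITHM_DETAILS`. The Javadoc on `encrypt(String, String)` puts `@deprecated` before the description, which turns the description into tag text instead of the method summary; the same ordering appears in the `@@ -90,7 +104,8 @@`, `@@ -98,12 +113,29 @@` and `@@ -130,8 +164,79 @@` hunks, and in each the description should come first with `@deprecated` after the other block tags.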
@@ -90,7 +104,8 @@ public class CipherUtil {
 }
 /**
- * Encrypts the text using a default secret key.
+ * @deprecated Please use {@link #encryptPKC(String)} to encrypt the text.
+ * Encrypts the text using the secret key in key.properties file.
 *
 * @param plainText
 * Text to encrypt
@@ -98,12 +113,29 @@ public class CipherUtil {
 * @throws CipherUtilException
 * if any decryption step fails
 */
+ @Deprecated
 public static String encrypt(String plainText) throws CipherUtilException {
- return CipherUtil.encrypt(plainText, key);
+ return CipherUtil.encrypt(plainText, keyString);
 }
 /**
- * Decrypts the text using the specified secret key.
+ * Encrypts the text using a secret key.
+ *
+ * @param plainText
+ * Text to encrypt
+ * @return Encrypted Text
+ * @throws CipherUtilException
+ * if any decryption step fails
+ */
+ public static String encryptPKC(String plainText) throws CipherUtilException {
+ return CipherUtil.encryptPKC(plainText, keyString);
+ }
+
+ /**
+ *
+ * @deprecated Please use {@link #decryptPKC(String)} to Decryption the text.
+ *
+ * Decrypts the text using the specified secret key.
 *
 * @param encryptedText
 * Text to decrypt
@@ -112,7 +144,9 @@ public class CipherUtil {
 * @return plain text version of encrypted text
 * @throws CipherUtilException
 * if any decryption step fails
+ *
 */
+ @Deprecated
 public static String decrypt(String encryptedText, String secretKey) throws CipherUtilException {
 String encryptedString = null;
 try {
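Review bot: `encrypt(String plainText)` now forwards `keyString`, the value read from key.properties, where it previously forwarded the hard-coded `key`, and the deprecated `decrypt(String)` in the `@@ -139,11 +244,26 @@` hunk changes the same way; values encrypted under the old built-in key therefore stay readable only if the operator configures `cipher.enc.key` to that old value. That consequence belongs in the `@deprecated` text of both wrappers, e.g. `Data encrypted with the previous built-in key can only be decrypted if cipher.enc.key is set to that key.` The new `encryptPKC(String)` Javadoc says `if any decryption step fails` for an encrypt method, and the `decrypt` Javadoc reads `to Decryption the text`; `if any encryption step fails` and `to decrypt the text` are what is meant.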
@@ -130,8 +164,79 @@ public class CipherUtil {
 return encryptedString;
 }
+ private static SecretKeySpec getSecretKeySpec() {
+ byte[] key = Base64.decodeBase64(keyString);
+ return new SecretKeySpec(key, ALGORITHM);
+ }
+
+ private static SecretKeySpec getSecretKeySpec(String keyString) {
+ byte[] key = Base64.decodeBase64(keyString);
+ return new SecretKeySpec(key, ALGORITHM);
+ }
+
 /**
- * Decrypts the text using a default secret key.
+ * Encrypt the text using the secret key in key.properties file
+ *
+ * @param value
+ * @return The encrypted string
+ * @throws BadPaddingException
+ * @throws CipherUtilException
+ * In case of issue with the encryption
+ */
+ public static String encryptPKC(String value, String skey) throws CipherUtilException {
+ Cipher cipher = null;
+ byte[] iv = null, finalByte = null;
+
+ try {
+ cipher = Cipher.getInstance(ALGORYTHM_DETAILS, "SunJCE");
+
+ SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
+ iv = new byte[BLOCK_SIZE / 8];
+ r.nextBytes(iv);
+ ivspec = new IvParameterSpec(iv);
+ cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(skey), ivspec);
+ finalByte = cipher.doFinal(value.getBytes());
+
+ } catch (Exception ex) {
+ logger.error("encrypt failed", ex);
+ throw new CipherUtilException(ex);
+ }
+ return Base64.encodeBase64String(ArrayUtils.addAll(iv, finalByte));
+ }
+
+ /**
+ * Decrypts the text using the secret key in key.properties file.
+ *
+ * @param message
+ * The encrypted string that must be decrypted using the ecomp
+ * Encryption Key
+ * @return The String decrypted
+ * @throws CipherUtilException
+ * if any decryption step fails
+ */
+ public static String decryptPKC(String message, String skey) throws CipherUtilException {
+ byte[] encryptedMessage = Base64.decodeBase64(message);
+ Cipher cipher;
+ byte[] decrypted = null;
+ try {
+ cipher = Cipher.getInstance(ALGORYTHM_DETAILS, "SunJCE");
+ ivspec = new IvParameterSpec(ArrayUtils.subarray(encryptedMessage, 0, BLOCK_SIZE / 8));
+ byte[] realData = ArrayUtils.subarray(encryptedMessage, BLOCK_SIZE / 8, encryptedMessage.length);
+ cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(skey), ivspec);
+ decrypted = cipher.doFinal(realData);
+
+ } catch (Exception ex) {
+ logger.error("decrypt failed", ex);
+ throw new CipherUtilException(ex);
+ }
+
+ return new String(decrypted);
+ }
+
+ /**
+ * @deprecated Please use {@link #decryptPKC(String)} to Decrypt the text.
+ *
+ * Decrypts the text using the secret key in key.properties file.
 *
 * @param encryptedText
 * Text to decrypt
@@ -139,11 +244,26 @@ public class CipherUtil {
 * @throws CipherUtilException
 * if any decryption step fails
 */
+ @Deprecated
 public static String decrypt(String encryptedText) throws CipherUtilException {
- return CipherUtil.decrypt(encryptedText, key);
+ return CipherUtil.decrypt(encryptedText, keyString);
+ }
+
+ /**
+ *
+ * Decrypts the text using the secret key in key.properties file.
+ *
+ * @param encryptedText
+ * Text to decrypt
+ * @return Decrypted text
+ * @throws CipherUtilException
+ * if any decryption step fails
+ */
+ public static String decryptPKC(String encryptedText) throws CipherUtilException {
+ return CipherUtil.decryptPKC(encryptedText, keyString);
 }
-/* public static void main(String[] args) throws CipherUtilException {
+ public static void main(String[] args) throws CipherUtilException {
 String testValue = "Welcome123";
 String encrypted;
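Review bot: `value.getBytes()` in encryptPKC and `new String(decrypted)` in decryptPKC use the platform default charset, so a value encrypted on one host can decrypt to different text on a host with a different default; pass `StandardCharsets.UTF_8` to both calls (`java.nio.charset.StandardCharsets` needs an import). decryptPKC also slices the IV with `ArrayUtils.subarray(encryptedMessage, 0, BLOCK_SIZE / 8)` without checking that the decoded message holds at least those 16 bytes, so a truncated or non-Base64 input only surfaces as the generic "decrypt failed" from the catch-all; a guard such as `if (encryptedMessage == null || encryptedMessage.length < BLOCK_SIZE / 8) throw new CipherUtilException("encrypted text is too short");` reports the cause directly, using the String constructor that ExceptionTest below already exercises. `Cipher.getInstance(ALGORYTHM_DETAILS, "SunJCE")` and `SecureRandom.getInstance("SHA1PRNG")` pin provider and algorithm names that are not present on every JVM; `Cipher.getInstance(ALGORYTHM_DETAILS)` and `new SecureRandom()` behave the same where they do exist and keep working elsewhere. AES/CBC/PKCS5PADDING carries no integrity check, so a modified ciphertext is noticed only if padding happens to break; if stored values can be altered by anything other than this application, an authenticated mode such as AES/GCM/NoPadding with `GCMParameterSpec` is the usual replacement and fits the same prepend-nonce layout. The Javadoc on encryptPKC(String, String) declares `@throws BadPaddingException`, which the signature does not throw, and omits `@param skey`.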
@@ -152,9 +272,9 @@ public class CipherUtil {
 if (args.length != 2) {
 System.out.println("Default password testing... ");
 System.out.println("Plain password: " + testValue);
- encrypted = encrypt(testValue);
+ encrypted = encryptPKC(testValue);
 System.out.println("Encrypted password: " + encrypted);
- decrypted = decrypt(encrypted);
+ decrypted = decryptPKC(encrypted);
 System.out.println("Decrypted password: " + decrypted);
 } else {
 String whatToDo = args[0];
@@ -170,5 +290,6 @@ public class CipherUtil {
 System.out.println("Encrypted Text" + encrypted);
 }
 }
- }*/
+ }
+
 }
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java
new file mode 100644
index 00000000..096b04dc
--- /dev/null
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyConstants.java
@@ -0,0 +1,46 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal SDK + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
+ */
+package org.onap.portalsdk.core.onboarding.util;
+
+public interface KeyConstants {
+
+ // Names of keys in the key.properties file
+ public static final String CIPHER_ENCRYPTION_KEY = "cipher.enc.key";
+
+
+}
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java
new file mode 100644
index 00000000..956d3b81
--- /dev/null
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/KeyProperties.java
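Review bot: `KeyConstants` is an interface whose only purpose is to hold a constant, and `public static final` is redundant on an interface field; a final class with a private constructor says the same thing and cannot be implemented by accident, e.g. `public final class KeyConstants { private KeyConstants() { } public static final String CIPHER_ENCRYPTION_KEY = "cipher.enc.key"; }`. The only use visible in this patch is `KeyConstants.CIPHER_ENCRYPTION_KEY` in CipherUtil, which compiles unchanged against either form.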
@@ -0,0 +1,123 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal SDK + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
+ */
+package org.onap.portalsdk.core.onboarding.util;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Properties;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * Searches the classpath for the file "key.properties".
+ *
+ * To put the file "key.properties" on the classpath, it can be in the same
+ * directory where the first package folder is - 'myClasses' folder in the
+ * following case as an example:
+ *
+ */
+public class KeyProperties {
+
+ private static final Log logger = LogFactory.getLog(KeyProperties.class);
+
+ private static Properties properties;
+ private static String propertyFileName = "key.properties";
+
+ private static final Object lockObject = new Object();
+
+ /**
+ * Constructor is private.
+ */
+ private KeyProperties() {
+ }
+
+ /**
+ * Gets the property value for the specified key. If a value is found, leading
+ * and trailing space is trimmed.
+ *
+ * @param property
+ * Property key
+ * @return Value for the named property; null if the property file was not
+ * loaded or the key was not found.
+ */
+ public static String getProperty(String property) {
+ if (properties == null) {
+ synchronized (lockObject) {
+ try {
+ if (!initialize()) {
+ logger.error("Failed to read property file " + propertyFileName);
+ return null;
+ }
+ } catch (IOException e) {
+ logger.error("Failed to read property file " + propertyFileName, e);
+ return null;
+ }
+ }
+ }
+ String value = properties.getProperty(property);
+ if (value != null)
+ value = value.trim();
+ return value;
+ }
+
+ /**
+ * Reads properties from a portal.properties file on the classpath.
+ *
+ * Clients do NOT need to call this method. Clients MAY call this method to test
+ * whether the properties file can be loaded successfully.
+ *
+ * @return True if properties were successfully loaded, else false.
+ * @throws IOException
+ * On failure
+ */
+ private static boolean initialize() throws IOException {
+ if (properties != null)
+ return true;
+ InputStream in = KeyProperties.class.getClassLoader().getResourceAsStream(propertyFileName);
+ if (in == null)
+ return false;
+ properties = new Properties();
+ try {
+ properties.load(in);
+ } finally {
+ in.close();
+ }
+ return true;
+ }
+}
diff --git a/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/AbstractModelTest.java b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/AbstractModelTest.java
new file mode 100644
index 00000000..ca35446b
--- /dev/null
+++ b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/AbstractModelTest.java
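Review bot: `initialize()` assigns `properties = new Properties()` before `properties.load(in)`, so when `load` throws the field stays non-null but empty, every later `getProperty` skips the `properties == null` branch, returns null for `cipher.enc.key` without logging, and the file is never re-read; the field is also read outside `synchronized (lockObject)` without being `volatile`, so a thread can observe the reference before the table is populated. Load into a local, publish it only after `load` succeeds, mark the field `volatile`, and let try-with-resources close the stream (the new tests already use the diamond operator, so Java 7 syntax is available). The Javadoc on `initialize()` says `Reads properties from a portal.properties file on the classpath.` and that clients MAY call it, but the method is private and reads `key.properties`; `Reads properties from the key.properties file on the classpath; called once from getProperty under lockObject.` matches the code. The `properties` declaration is in the earlier part of this hunk.

```java
private static volatile Properties properties;

// … unchanged: logger, propertyFileName, lockObject, constructor, getProperty …

private static boolean initialize() throws IOException {
    if (properties != null)
        return true;
    try (InputStream in = KeyProperties.class.getClassLoader().getResourceAsStream(propertyFileName)) {
        if (in == null)
            return false;
        Properties loaded = new Properties();
        loaded.load(in);
        // publish only a fully loaded table, so a failed load leaves the field null and is retried
        properties = loaded;
    }
    return true;
}
```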
@@ -0,0 +1,75 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal SDK + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
+ */ + +package org.onap.portalsdk.fw.test; + +import java.util.Date; + +public abstract class AbstractModelTest { + + // Values for properties + final long time = new Date().getTime(); + final boolean b1 = true; + final boolean b2 = false; + final Byte[] by1 = { 0, 1, 2, 3 }; + final Date d1 = new Date(time + 1 * 24 * 60 * 60 * 1000); + final Date d2 = new Date(time + 2 * 24 * 60 * 60 * 1000); + final Date d3 = new Date(time + 3 * 24 * 60 * 60 * 1000); + final Date d4 = new Date(time + 4 * 24 * 60 * 60 * 1000); + final Date d5 = new Date(time + 5 * 24 * 60 * 60 * 1000); + final Integer i1 = 1; + final Integer i2 = 2; + final Integer i3 = 3; + final Integer i4 = 4; + final Integer i5 = 5; + final Long l1 = 1L; + final Long l2 = 2L; + final Long l3 = 3L; + final Long l4 = 4L; + final String s1 = "string1"; + final String s2 = "string2"; + final String s3 = "string3"; + final String s4 = "string4"; + final String s5 = "string5"; + final String s6 = "string6"; + final String s7 = "string7"; + final String s8 = "string8"; + final String s9 = "string9"; + final String s10 = "string10"; + +} diff --git a/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/DomainTest.java b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/DomainTest.java new file mode 100644 index 00000000..700c8b3e --- /dev/null +++ b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/DomainTest.java 
@@ -0,0 +1,169 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal SDK + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
+ */ + +package org.onap.portalsdk.fw.test; + +import java.util.HashSet; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.junit.Assert; +import org.junit.Test; +import org.onap.portalsdk.core.onboarding.crossapi.PortalAPIResponse; +import org.onap.portalsdk.core.restful.domain.EcompRole; +import org.onap.portalsdk.core.restful.domain.EcompUser; +import org.onap.portalsdk.core.restful.domain.PortalTimeoutVO; +import org.onap.portalsdk.core.restful.domain.SharedContext; + +public class DomainTest extends AbstractModelTest { + + private final Log logger = LogFactory.getLog(DomainTest.class); + + @Test + public void testPortalAPIResponse() { + PortalAPIResponse m = new PortalAPIResponse(true, s1); + Assert.assertEquals("ok", m.getStatus()); + Assert.assertEquals(s1, m.getMessage()); + logger.info(m.toString()); + } + + @Test + public void testEcompRole() { + EcompRole m = new EcompRole(); + m.setId(l1); + m.setName(s1); + Assert.assertEquals(l1, m.getId()); + Assert.assertEquals(s1, m.getName()); + Assert.assertTrue(m.equals(m)); + Assert.assertFalse(m.equals(new EcompRole())); + Assert.assertNotNull(m.hashCode()); + logger.info(m.toString()); + } + + @Test + public void testEcompUser() { + EcompUser m = new EcompUser(); + m.setActive(false); + m.setEmail(s1); + m.setFirstName(s2); + m.setHrid(s3); + m.setJobTitle(s4); + m.setLastName(s5); + m.setLoginId(s6); + m.setManagerId(s7); + m.setMiddleInitial(s8); + m.setOrgCode(s9); + m.setOrgId(l1); + m.setOrgManagerUserId(s10); + // Start over at 1, but double + m.setOrgUserId(s1 + s1); + m.setPhone(s2 + s2); + EcompRole r = new EcompRole(); + HashSet roles = new HashSet<>(); + roles.add(r); + m.setRoles(roles); + Assert.assertEquals(false, m.isActive()); + Assert.assertEquals(s1, m.getEmail()); + Assert.assertEquals(s2, m.getFirstName()); + Assert.assertEquals(s3, m.getHrid()); + Assert.assertEquals(s4, m.getJobTitle()); + Assert.assertEquals(s5, m.getLastName()); + 
Assert.assertEquals(s6, m.getLoginId()); + Assert.assertEquals(s7, m.getManagerId()); + Assert.assertEquals(s8, m.getMiddleInitial()); + Assert.assertEquals(s9, m.getOrgCode()); + Assert.assertEquals(l1, m.getOrgId()); + Assert.assertEquals(s10, m.getOrgManagerUserId()); + Assert.assertEquals(s1 + s1, m.getOrgUserId()); + Assert.assertEquals(s2 + s2, m.getPhone()); + // this is weak + Assert.assertEquals(roles, m.getRoles()); + Assert.assertTrue(m.equals(m)); + Assert.assertFalse(m.equals(null)); + Assert.assertFalse(m.equals(new EcompUser())); + Assert.assertNotNull(m.hashCode()); + logger.info(m.toString()); + } + + @Test + public void testPortalTimeoutVO() { + PortalTimeoutVO m = new PortalTimeoutVO(); + m.setjSessionId(s1); + m.setSessionTimOutMilliSec(l1); + Assert.assertEquals(s1, m.getjSessionId()); + Assert.assertEquals(l1, m.getSessionTimOutMilliSec()); + Assert.assertTrue(m.equals(m)); + Assert.assertFalse(m.equals(null)); + Assert.assertFalse(m.equals(new PortalTimeoutVO())); + } + + @Test + public void testSharedContext() { + SharedContext m = new SharedContext(); + m.setAuditTrail(s1); + m.setAuditUserId(s2); + m.setCkey(s3); + m.setContext_id(s4); + m.setCreate_time(l1); + m.setCreated(s5); + m.setCreatedId(s6); + m.setCvalue(s7); + m.setId(l2); + m.setModified(s8); + m.setModifiedId(s9); + m.setResponse(s10); + m.setRowNum(s1 + s1); + Assert.assertEquals(s1, m.getAuditTrail()); + Assert.assertEquals(s2, m.getAuditUserId()); + Assert.assertEquals(s3, m.getCkey()); + Assert.assertEquals(s4, m.getContext_id()); + Assert.assertEquals(l1, m.getCreate_time()); + Assert.assertEquals(s5, m.getCreated()); + Assert.assertEquals(s6, m.getCreatedId()); + Assert.assertEquals(s7, m.getCvalue()); + Assert.assertEquals(l2, m.getId()); + Assert.assertEquals(s8, m.getModified()); + Assert.assertEquals(s9, m.getModifiedId()); + Assert.assertEquals(s10, m.getResponse()); + Assert.assertEquals(s1 + s1, m.getRowNum()); + Assert.assertTrue(m.equals(m)); + 
Assert.assertFalse(m.equals(null)); + Assert.assertFalse(m.equals(new SharedContext())); + } + +} diff --git a/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/ExceptionTest.java b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/ExceptionTest.java new file mode 100644 index 00000000..76f8f072 --- /dev/null +++ b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/ExceptionTest.java 
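Review bot: `HashSet roles = new HashSet<>();` in testEcompUser is a raw type, which compiles with an unchecked warning and hides what `setRoles` expects; `Set<EcompRole> roles = new HashSet<>();` with `java.util.Set` imported states it, and `roles.add(r)` already forces the element type. `Assert.assertNotNull(m.hashCode())` in testEcompRole and testEcompUser boxes an `int` and therefore can never fail; asserting the hash equals that of an equal instance, or that it is stable across two calls, would test the contract the `equals` assertions next to it are checking. The `// this is weak` comment before `Assert.assertEquals(roles, m.getRoles())` could say what is weak, e.g. `// only checks set equality with the set that was passed in, not that roles are copied or defended`.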
@@ -0,0 +1,73 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal SDK + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
+ */ + +package org.onap.portalsdk.fw.test; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.junit.Assert; +import org.junit.Test; +import org.onap.portalsdk.core.onboarding.exception.CipherUtilException; +import org.onap.portalsdk.core.onboarding.exception.PortalAPIException; + +public class ExceptionTest extends AbstractModelTest { + + private final Log logger = LogFactory.getLog(ExceptionTest.class); + + @Test + public void coverCipherUtilException() { + Exception e = new CipherUtilException(); + e = new CipherUtilException("message", new Exception(), false, false); + e = new CipherUtilException("message", new Exception()); + e = new CipherUtilException("message"); + e = new CipherUtilException(new Exception()); + Assert.assertNotNull(e); + logger.info(e); + } + + @Test + public void coverPortalAPIException() { + Exception e = new PortalAPIException(); + e = new PortalAPIException("message", new Exception(), false, false); + e = new PortalAPIException("message", new Exception()); + e = new PortalAPIException("message"); + e = new PortalAPIException(new Exception()); + Assert.assertNotNull(e); + logger.info(e); + } +} diff --git a/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/ExtendSessionTimeoutTest.java b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/ExtendSessionTimeoutTest.java new file mode 100644 index 00000000..a87639d8 --- /dev/null +++ b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/ExtendSessionTimeoutTest.java 
@@ -0,0 +1,99 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal SDK + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
+ */ + +package org.onap.portalsdk.fw.test; + +import java.io.IOException; +import java.net.URL; + +import javax.ws.rs.HeaderParam; +import javax.ws.rs.POST; +import javax.ws.rs.Path; +import javax.ws.rs.Produces; +import javax.ws.rs.core.MediaType; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.onap.portalsdk.core.onboarding.crossapi.SessionCommunicationService; +import org.onap.portalsdk.core.onboarding.listener.PortalTimeoutHandler; +import org.onap.portalsdk.core.onboarding.listener.PortalTimeoutHandler.SessionCommInf; +import org.onap.portalsdk.core.onboarding.util.PortalApiConstants; +import org.onap.portalsdk.core.onboarding.util.PortalApiProperties; + +public class ExtendSessionTimeoutTest { + + private final Log logger = LogFactory.getLog(ExtendSessionTimeoutTest.class); + private InMemoryRestServer server; + + @Path("extendSessionTimeOuts") + public static class RestResource { + @POST + @Produces(MediaType.APPLICATION_JSON) + public String get( @HeaderParam("username") String username, + @HeaderParam("password") String password, @HeaderParam("uebkey") String uebkey) { + return "{ 'post-session' : '" + username + "' }"; + } + } + + @Before + public void before() throws Exception { + URL url = new URL(PortalApiProperties.getProperty(PortalApiConstants.ECOMP_REST_URL)); + server = InMemoryRestServer.create(url.getPort(), new RestResource()); + } + + @After + public void after() throws Exception { + server.close(); + } + + @Test + public void testRequestSessionTimeoutExtension() throws IOException { + String url = PortalApiProperties.getProperty(PortalApiConstants.ECOMP_REST_URL); + String get = SessionCommunicationService.requestPortalSessionTimeoutExtension(url, "userName", "word", "uebKey", "map"); + Assert.assertNotNull(get); + logger.info("extend session test yields: " + get); + // Similar test via a 
different path + SessionCommInf sc = new PortalTimeoutHandler.SessionComm(); + sc.extendSessionTimeOuts(url, "userName", "word", "uebKey", "map"); + } + +} diff --git a/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/InMemoryRestServer.java b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/InMemoryRestServer.java new file mode 100644 index 00000000..2c37e214 --- /dev/null +++ b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/InMemoryRestServer.java @@ -0,0 +1,150 @@ +/** + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * https://github.com/mp911de/rest-api-test + * + * Embedded InMemory REST server for RESTEasy. Usage: + *
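Review bot: `before()` passes `url.getPort()` to `InMemoryRestServer.create`, but `URL.getPort()` returns -1 when `ECOMP_REST_URL` carries no explicit port, and `InMemoryRestServer.start` then binds a random free port while `SessionCommunicationService` is still handed the property URL, so the test would fail with an opaque connection error instead of a clear message. Guard it with `Assert.assertTrue("ECOMP_REST_URL must carry an explicit port for the in-memory server", url.getPort() > 0);` before the `create` call. The second path, `sc.extendSessionTimeOuts(url, ...)`, has no assertion at all, so a regression there is noticed only if it throws; assert on its result if it returns one, otherwise have the stub record that it was hit and assert that. The stub also echoes the `username` header unescaped into a single-quoted pseudo-JSON body; since the client-side parsing is part of this commit but outside this hunk, returning a well-formed body such as `"{\"post-session\":\"" + username + "\"}"` keeps the fixture from accepting a parser that only tolerates this fake shape.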
    + *
  • InMemoryRestServer srv = InMemoryRestServer.create(...) passing your resources and provider classes
  • + *
  • srv.baseUri() for BaseUrl
  • + *
  • srv.newRequest("/relative/resource/path") to issue requests
  • + *
  • srv.close() to stop
  • + *
+ * + */ +package org.onap.portalsdk.fw.test; + +import java.io.IOException; +import java.net.ServerSocket; +import java.util.HashSet; +import java.util.Set; + +import javax.ws.rs.core.Application; + +import org.jboss.resteasy.client.jaxrs.ResteasyClient; +import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget; +import org.jboss.resteasy.plugins.server.embedded.SecurityDomain; +import org.jboss.resteasy.plugins.server.tjws.TJWSEmbeddedJaxrsServer; + + +public class InMemoryRestServer implements AutoCloseable { + + private int port; + + private Set objects = new HashSet(); + @SuppressWarnings("rawtypes") + private Set classes = new HashSet(); + + private TJWSEmbeddedJaxrsServer server; + private SecurityDomain securityDomain; + private ResteasyClient resteasyClient; + private String bindAddress = "localhost"; + + private InMemoryRestServer(Object... objects) { + append(objects); + } + + /** + * Create instance and pass given instances/classes as singletons/providers. + * + * @param port + * Port number to bind + * @param objects + * Resource providers + * @return running instance of {@link InMemoryRestServer} + * @throws IOException + * In case of error + */ + public static InMemoryRestServer create(int port, Object... objects) throws IOException { + InMemoryRestServer inMemoryRestServer = new InMemoryRestServer(objects); + inMemoryRestServer.start(port); + return inMemoryRestServer; + } + + @SuppressWarnings("rawtypes") + private void append(Object... 
objects) { + for (Object object : objects) { + if (object instanceof Class) { + classes.add((Class) object); + } else { + this.objects.add(object); + } + } + } + + private void start(int requestPort) throws IOException { + if (requestPort <= 0) + port = findFreePort(); + else + port = requestPort; + server = new TJWSEmbeddedJaxrsServer(); + server.setPort(port); + server.setBindAddress(bindAddress); + server.setSecurityDomain(securityDomain); + + for (Object object : objects) { + if (object instanceof Application) { + server.getDeployment().setApplication((Application) object); + } else { + server.getDeployment().getResources().add(object); + } + } + + for (@SuppressWarnings("rawtypes") Class resourceOrProvider : classes) { + if (Application.class.isAssignableFrom(resourceOrProvider)) { + server.getDeployment().setApplicationClass(resourceOrProvider.getName()); + } else { + server.getDeployment().getProviderClasses().add(resourceOrProvider.getName()); + } + } + + server.start(); + } + + /** + * @return baseURI (http://localhost:PORT) to the REST server. + */ + public String baseUri() { + return "http://" + bindAddress + ":" + port; + } + + /** + * Begin a new {@link ResteasyWebTarget} with additional, relative path with leading /. + * + * @param uriTemplate + * URI template + * @return ResteasyWebTarget + */ + public ResteasyWebTarget newRequest(String uriTemplate) { + return resteasyClient.target(baseUri() + uriTemplate); + } + + /** + * Find a free server port. + * + * @return port number. + * @throws IOException + * On failure to create server socket + */ + private static int findFreePort() throws IOException { + ServerSocket server = new ServerSocket(0); + int port = server.getLocalPort(); + server.close(); + return port; + } + + /** + * Close the server and free resources. + */ + @Override + public void close() { + if (server != null) { + server.stop(); + server = null; + } + } +} \ No newline at end of file 
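Review bot: `resteasyClient` is declared but never assigned anywhere in the class, so `newRequest()` dereferences null and every caller gets a `NullPointerException`; either build the client when the server starts and release it in `close()` (sketched below; needs `org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder` imported alongside the existing client imports), or remove `newRequest()` and the field. `findFreePort()` should open its probe `ServerSocket` in try-with-resources, and its result is inherently racy, since another process can claim the port between the probe's `close()` and `server.start()`; that is tolerable in a test helper but deserves a comment. `securityDomain` is likewise never set, so the embedded server runs with no authentication, which is only acceptable because `bindAddress` is hard-wired to `localhost`; record that next to the field with `// unauthenticated on purpose: only ever bound to loopback`.
```java
    server.start();
    // newRequest() hands out targets on this client; build it once the server is up
    resteasyClient = new ResteasyClientBuilder().build();
}

// … unchanged: baseUri(), newRequest(), findFreePort() …

@Override
public void close() {
    if (resteasyClient != null) {
        resteasyClient.close();
        resteasyClient = null;
    }
    if (server != null) {
        server.stop();
        server = null;
    }
}
```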
diff --git a/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/PortalTimeoutHandlerTest.java b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/PortalTimeoutHandlerTest.java new file mode 100644 index 00000000..8826237d --- /dev/null +++ b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/PortalTimeoutHandlerTest.java 
@@ -0,0 +1,100 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal SDK + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
+ */ + +package org.onap.portalsdk.fw.test; + +import java.util.HashMap; +import java.util.Map; + +import javax.servlet.http.HttpSession; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.Mockito; +import org.mockito.invocation.InvocationOnMock; +import org.mockito.runners.MockitoJUnitRunner; +import org.mockito.stubbing.Answer; +import org.onap.portalsdk.core.onboarding.listener.PortalTimeoutHandler; + +@RunWith(MockitoJUnitRunner.class) +public class PortalTimeoutHandlerTest extends AbstractModelTest { + + private final Log logger = LogFactory.getLog(PortalTimeoutHandlerTest.class); + + @Mock + private HttpSession mockHttpSession; + private Map attributes = new HashMap(); + + @Before + public void before() { + Mockito.doAnswer(new Answer() { + @Override + public Object answer(InvocationOnMock invocation) throws Throwable { + String key = (String) invocation.getArguments()[0]; + logger.debug("get for key " + key); + return attributes.get(key); + } + }).when(mockHttpSession).getAttribute(Mockito.anyString()); + + Mockito.doAnswer(new Answer() { + @Override + public Object answer(InvocationOnMock invocation) throws Throwable { + String key = (String) invocation.getArguments()[0]; + logger.debug("set for key " + key); + Object value = invocation.getArguments()[1]; + attributes.put(key, value); + return null; + } + }).when(mockHttpSession).setAttribute(Mockito.anyString(), Mockito.any()); + } + + @Test + public void testPortalTimeoutHandler() { + Assert.assertNotNull(PortalTimeoutHandler.getInstance()); + Assert.assertNotNull(PortalTimeoutHandler.getSessionMap()); + PortalTimeoutHandler.sessionCreated("portalJSessionId", "jSessionId", mockHttpSession); + PortalTimeoutHandler.invalidateSession("portalJSessionId"); + PortalTimeoutHandler.sessionDestroyed(mockHttpSession); + 
PortalTimeoutHandler.gatherSessionExtensions(); + } +} diff --git a/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/RestClientTest.java b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/RestClientTest.java new file mode 100644 index 00000000..d36ee79d --- /dev/null +++ b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/RestClientTest.java 
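Review bot: `testPortalTimeoutHandler` asserts only that the singleton and its session map are non-null; the calls to `sessionCreated`, `invalidateSession` and `sessionDestroyed` carry no assertions, so the security-relevant outcome, that `invalidateSession("portalJSessionId")` actually ends the user's `HttpSession`, is never verified. Add `Mockito.verify(mockHttpSession).invalidate();` after the `invalidateSession` call and, if the map is keyed by the portal session id (the handler's internals are outside this hunk, so confirm), `Assert.assertFalse(PortalTimeoutHandler.getSessionMap().containsKey("portalJSessionId"));`. The `attributes` field uses raw `Map`/`HashMap`; `Map<String, Object> attributes = new HashMap<>();` removes the unchecked warnings and documents what the `getAttribute`/`setAttribute` stubs store. `org.mockito.runners.MockitoJUnitRunner` is the legacy package name; if Mockito 2 is on the classpath, `org.mockito.junit.MockitoJUnitRunner` is its replacement.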
@@ -0,0 +1,112 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal SDK + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
+ */ + +package org.onap.portalsdk.fw.test; + +import java.io.IOException; +import java.net.URL; + +import javax.ws.rs.DELETE; +import javax.ws.rs.GET; +import javax.ws.rs.HeaderParam; +import javax.ws.rs.POST; +import javax.ws.rs.Path; +import javax.ws.rs.Produces; +import javax.ws.rs.core.MediaType; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.onap.portalsdk.core.onboarding.rest.RestWebServiceClient; +import org.onap.portalsdk.core.onboarding.util.PortalApiConstants; +import org.onap.portalsdk.core.onboarding.util.PortalApiProperties; + +public class RestClientTest { + + private final Log logger = LogFactory.getLog(RestClientTest.class); + private InMemoryRestServer server; + + @Path("portal") + public static class RestResource { + @GET + @Produces(MediaType.APPLICATION_JSON) + public String get(@HeaderParam("LoginId") String loginId, @HeaderParam("username") String username, + @HeaderParam("password") String password) { + return "{ 'get' : '" + loginId + "' }"; + } + @POST + public String post(@HeaderParam("LoginId") String loginId, @HeaderParam("username") String username, + @HeaderParam("password") String password) { + return "{ 'post' : '" + loginId + "' }"; + } + @DELETE + public String delete(@HeaderParam("LoginId") String loginId, @HeaderParam("username") String username, + @HeaderParam("password") String password) { + return "{ 'delete' : '" + loginId + "' }"; + } + } + + @Before + public void before() throws Exception { + URL url = new URL(PortalApiProperties.getProperty(PortalApiConstants.ECOMP_REST_URL)); + server = InMemoryRestServer.create(url.getPort(), new RestResource()); + } + + @After + public void after() throws Exception { + server.close(); + } + + @Test + public void testRestClient() throws IOException { + RestWebServiceClient client = RestWebServiceClient.getInstance(); + String get = 
client.getPortalContent("/portal", "userid", "appName", "requestId", "appUserName", "appPassword", true); + Assert.assertNotNull(get); + logger.info("Get test yields: " + get); + String post = client.postPortalContent("/portal", "userid", "appName", "requestId", "appUserName", "appPassword", MediaType.APPLICATION_JSON, "content", true); + Assert.assertNotNull(post); + logger.info("Post test yields: " + post); + String delete = client.deletePortalContent("/portal", "userid", "appName", "requestId", "appUserName", "appPassword", MediaType.APPLICATION_JSON, "content", true); + Assert.assertNotNull(delete); + logger.info("Delete test yields: " + delete); + } + +} diff --git a/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/SessionSlotCheckIntervalTest.java b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/SessionSlotCheckIntervalTest.java new file mode 100644 index 00000000..79e87532 --- /dev/null +++ b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/SessionSlotCheckIntervalTest.java 
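Review bot: `testRestClient` asserts only that each response is non-null, although the stub echoes the `LoginId` header back, so nothing checks that `RestWebServiceClient` actually sends the user id it was given; assert `Assert.assertTrue(get.contains("userid"));` (and likewise for `post` and `delete`) so a header regression in the hardened client fails here rather than in production. The stub's `post` and `delete` methods lack the `@Produces(MediaType.APPLICATION_JSON)` that `get` carries, so the three responses are served with different content types; apply the annotation consistently. All three stub bodies are single-quoted pseudo-JSON built by concatenation; if the client is expected to parse JSON (its implementation is not in this hunk), return a well-formed body such as `"{\"get\":\"" + loginId + "\"}"`. The stub models credentials as plain `username`/`password` headers over `http://`, which is fine against a loopback fixture, but a comment saying so would stop the fixture from being copied into anything non-local.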
@@ -0,0 +1,103 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal SDK + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
+ */ + +package org.onap.portalsdk.fw.test; + +import java.io.IOException; +import java.net.URL; + +import javax.ws.rs.GET; +import javax.ws.rs.HeaderParam; +import javax.ws.rs.Path; +import javax.ws.rs.Produces; +import javax.ws.rs.core.MediaType; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.onap.portalsdk.core.onboarding.crossapi.SessionCommunicationService; +import org.onap.portalsdk.core.onboarding.listener.PortalTimeoutHandler; +import org.onap.portalsdk.core.onboarding.listener.PortalTimeoutHandler.SessionCommInf; +import org.onap.portalsdk.core.onboarding.util.PortalApiConstants; +import org.onap.portalsdk.core.onboarding.util.PortalApiProperties; + +public class SessionSlotCheckIntervalTest { + + private final Log logger = LogFactory.getLog(SessionSlotCheckIntervalTest.class); + private static final String timeoutValue = "1"; + private InMemoryRestServer server; + + @Path("getSessionSlotCheckInterval") + public static class RestResource { + @GET + @Produces(MediaType.APPLICATION_JSON) + public String get( @HeaderParam("username") String username, + @HeaderParam("password") String password, @HeaderParam("uebkey") String uebkey) { + // Expects only an integer, not even a POJO/JSON model. 
+ return timeoutValue; + } + } + + @Before + public void before() throws Exception { + URL url = new URL(PortalApiProperties.getProperty(PortalApiConstants.ECOMP_REST_URL)); + server = InMemoryRestServer.create(url.getPort(), new RestResource()); + } + + @After + public void after() throws Exception { + server.close(); + } + + @Test + public void testSessionSlot() throws IOException { + String url = PortalApiProperties.getProperty(PortalApiConstants.ECOMP_REST_URL); + String get = SessionCommunicationService.getSessionSlotCheckInterval(url, "userName", "word", "uebKey"); + Assert.assertTrue(get.equals(timeoutValue)); + logger.info("Get test yields: " + get); + // Similar test via a different path + SessionCommInf sc = new PortalTimeoutHandler.SessionComm(); + Integer i = sc.fetchSessionSlotCheckInterval(url, "userName", "word", "uebKey"); + Assert.assertTrue(i.toString().equals(timeoutValue)); + logger.info("Fetched slot-check interval: " + i); + } + +} diff --git a/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/UtilTest.java b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/UtilTest.java new file mode 100644 index 00000000..66a81a04 --- /dev/null +++ b/ecomp-sdk/epsdk-fw/src/test/java/org/onap/portalsdk/fw/test/UtilTest.java 
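Review bot: `Assert.assertTrue(get.equals(timeoutValue))` in `testSessionSlot` throws a `NullPointerException` instead of an assertion failure when `getSessionSlotCheckInterval` returns null, and on a mismatch reports nothing about the actual value; write `Assert.assertEquals(timeoutValue, get);` and, for the second path, `Assert.assertEquals(Integer.valueOf(timeoutValue), i);`. `timeoutValue` is a `static final` constant and should be named `TIMEOUT_VALUE` per Java convention. The stub accepts a `password` header on a `GET`; whether the production client really sends credentials that way is not visible in this hunk, but if it does, that is worth a note in the fixture so the pattern is recognised as a liability (credentials in request headers end up in access logs and proxies) rather than copied.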
@@ -0,0 +1,80 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal SDK + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
+ */ + +package org.onap.portalsdk.fw.test; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.junit.Assert; +import org.junit.Test; +import org.onap.portalsdk.core.onboarding.exception.CipherUtilException; +import org.onap.portalsdk.core.onboarding.util.CipherUtil; +import org.onap.portalsdk.core.onboarding.util.PortalApiConstants; +import org.onap.portalsdk.core.onboarding.util.PortalApiProperties; + +public class UtilTest extends AbstractModelTest { + + private final Log logger = LogFactory.getLog(UtilTest.class); + + + @Test + public void testCipherUtil() throws CipherUtilException { + String cipher; + + cipher = CipherUtil.encryptPKC(s1); + Assert.assertNotNull(cipher); + Assert.assertNotEquals(cipher, s1); + Assert.assertEquals(s1, CipherUtil.decryptPKC(cipher)); + + cipher = CipherUtil.encryptPKC(s2); + Assert.assertNotNull(cipher); + Assert.assertNotEquals(cipher, s2); + Assert.assertEquals(s2, CipherUtil.decryptPKC(cipher)); + + logger.info("CipherUtils tested"); + } + + @Test + public void testProperties() { + // Relies on portal.properties file in src/test/resources + String val = PortalApiProperties.getProperty(PortalApiConstants.ECOMP_REST_URL); + Assert.assertNotNull(val); + logger.info("PortalApiProperties tested"); + } + +} diff --git a/ecomp-sdk/epsdk-fw/src/test/resources/ESAPI.properties b/ecomp-sdk/epsdk-fw/src/test/resources/ESAPI.properties new file mode 100644 index 00000000..52c39161 --- /dev/null +++ b/ecomp-sdk/epsdk-fw/src/test/resources/ESAPI.properties 
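Review bot: `testCipherUtil` only checks that `encryptPKC` round-trips and differs from the plaintext, which a fixed-IV or ECB-style cipher passes just as well, so it does not pin the property the `CipherUtil` rework in this commit is presumably meant to provide (that class is outside this hunk). Add `Assert.assertNotEquals(CipherUtil.encryptPKC(s1), CipherUtil.encryptPKC(s1));` so repeated encryption of the same input must yield distinct ciphertext (if that fails, the utility is reusing an IV, and that is the finding), and a negative case such as `try { CipherUtil.decryptPKC("not-valid-ciphertext"); Assert.fail("expected CipherUtilException"); } catch (CipherUtilException expected) { }` so malformed input is rejected rather than decrypted into garbage. `s1` and `s2` come from `AbstractModelTest`, outside this hunk, so whether they cover an empty string and non-ASCII text cannot be seen here; both are worth including, since padding and charset handling are where such utilities usually break.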
@@ -0,0 +1,367 @@ +#=========================================================================== +# ESAPI Configuration +# +# If true, then print all the ESAPI properties set here when they are loaded. +# If false, they are not printed. Useful to reduce output when running JUnit tests. +# If you need to troubleshoot a properties related problem, turning this on may help. +# This is 'false' in the src/test/resources/.esapi version. It is 'true' by +# default for reasons of backward compatibility with earlier ESAPI versions. +ESAPI.printProperties=true + +# ESAPI is designed to be easily extensible. You can use the reference implementation +# or implement your own providers to take advantage of your enterprise's security +# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like: +# +# String ciphertext = +# ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0 +# CipherText cipherText = +# ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred +# +# Below you can specify the classname for the provider that you wish to use in your +# application. The only requirement is that it implement the appropriate ESAPI interface. +# This allows you to switch security implementations in the future without rewriting the +# entire application. 
+# +# ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory +ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController +# FileBasedAuthenticator requires users.txt file in .esapi directory +ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator +ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder +ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor + +ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor +ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities +ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector +ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory +ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer +ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator + +#=========================================================================== +# ESAPI Authenticator +# +Authenticator.AllowedLoginAttempts=3 +Authenticator.MaxOldPasswordHashes=13 +Authenticator.UsernameParameterName=username +Authenticator.PasswordParameterName=password +# RememberTokenDuration (in days) +Authenticator.RememberTokenDuration=14 +# Session Timeouts (in minutes) +Authenticator.IdleTimeoutDuration=20 +Authenticator.AbsoluteTimeoutDuration=120 + +#=========================================================================== +# ESAPI Encoder +# +# ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks. +# Failure to canonicalize input is a very common mistake when implementing validation schemes. +# Canonicalization is automatic when using the ESAPI Validator, but you can also use the +# following code to canonicalize data. +# +# ESAPI.Encoder().canonicalize( "%22hello world"" ); +# +# Multiple encoding is when a single encoding format is applied multiple times. Allowing +# multiple encoding is strongly discouraged. 
+Encoder.AllowMultipleEncoding=false + +# Mixed encoding is when multiple different encoding formats are applied, or when +# multiple formats are nested. Allowing multiple encoding is strongly discouraged. +Encoder.AllowMixedEncoding=false + +# The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs +# for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or +# inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important. +Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec + + +#=========================================================================== +# ESAPI Encryption +# +# The ESAPI Encryptor provides basic cryptographic functions with a simplified API. +# To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor +# There is not currently any support for key rotation, so be careful when changing your key and salt as it +# will invalidate all signed, encrypted, and hashed data. +# +# WARNING: Not all combinations of algorithms and key lengths are supported. +# If you choose to use a key length greater than 128, you MUST download the +# unlimited strength policy files and install in the lib directory of your JRE/JDK. +# See http://java.sun.com/javase/downloads/index.jsp for more information. +# +# Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API +# methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever +# possible, these methods should be avoided as they use ECB cipher mode, which in almost +# all circumstances a poor choice because of it's weakness. CBC cipher mode is the default +# for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0. 
In general, you +# should only use this compatibility setting if you have persistent data encrypted with +# version 1.4 and even then, you should ONLY set this compatibility mode UNTIL +# you have decrypted all of your old encrypted data and then re-encrypted it with +# ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode +# with the new 2.0 methods, make sure that you use the same cipher algorithm for both +# (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for +# more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods +# where you can specify a SecretKey. (Note that if you are using the 256-bit AES, +# that requires downloading the special jurisdiction policy files mentioned above.) +# +# ***** IMPORTANT: Do NOT forget to replace these with your own values! ***** +# To calculate these values, you can run: +# java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor +# +Encryptor.MasterKey=tzfztf56ftv +Encryptor.MasterSalt=123456ztrewq + +# Provides the default JCE provider that ESAPI will "prefer" for its symmetric +# encryption and hashing. (That is it will look to this provider first, but it +# will defer to other providers if the requested algorithm is not implemented +# by this provider.) If left unset, ESAPI will just use your Java VM's current +# preferred JCE provider, which is generally set in the file +# "$JAVA_HOME/jre/lib/security/java.security". +# +# The main intent of this is to allow ESAPI symmetric encryption to be +# used with a FIPS 140-2 compliant crypto-module. 
For details, see the section +# "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in +# the ESAPI 2.0 Symmetric Encryption User Guide, at: +# http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html +# However, this property also allows you to easily use an alternate JCE provider +# such as "Bouncy Castle" without having to make changes to "java.security". +# See Javadoc for SecurityProviderLoader for further details. If you wish to use +# a provider that is not known to SecurityProviderLoader, you may specify the +# fully-qualified class name of the JCE provider class that implements +# java.security.Provider. If the name contains a '.', this is interpreted as +# a fully-qualified class name that implements java.security.Provider. +# +# NOTE: Setting this property has the side-effect of changing it in your application +# as well, so if you are using JCE in your application directly rather than +# through ESAPI (you wouldn't do that, would you? ;-), it will change the +# preferred JCE provider there as well. +# +# Default: Keeps the JCE provider set to whatever JVM sets it to. +Encryptor.PreferredJCEProvider= + +# AES is the most widely used and strongest encryption algorithm. This +# should agree with your Encryptor.CipherTransformation property. +# By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES" and which is +# very weak. It is essentially a password-based encryption key, hashed +# with MD5 around 1K times and then encrypted with the weak DES algorithm +# (56-bits) using ECB mode and an unspecified padding (it is +# JCE provider specific, but most likely "NoPadding"). However, 2.0 uses +# "AES/CBC/PKCSPadding". If you want to change these, change them here. +# Warning: This property does not control the default reference implementation for +# ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped +# in the future. 
+# @deprecated +Encryptor.EncryptionAlgorithm=AES +# For ESAPI Java 2.0 - New encrypt / decrypt methods use this. +Encryptor.CipherTransformation=AES/CBC/PKCS5Padding + +# Applies to ESAPI 2.0 and later only! +# Comma-separated list of cipher modes that provide *BOTH* +# confidentiality *AND* message authenticity. (NIST refers to such cipher +# modes as "combined modes" so that's what we shall call them.) If any of these +# cipher modes are used then no MAC is calculated and stored +# in the CipherText upon encryption. Likewise, if one of these +# cipher modes is used with decryption, no attempt will be made +# to validate the MAC contained in the CipherText object regardless +# of whether it contains one or not. Since the expectation is that +# these cipher modes support support message authenticity already, +# injecting a MAC in the CipherText object would be at best redundant. +# +# Note that as of JDK 1.5, the SunJCE provider does not support *any* +# of these cipher modes. Of these listed, only GCM and CCM are currently +# NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports +# GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other +# padding modes. +Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC + +# Applies to ESAPI 2.0 and later only! +# Additional cipher modes allowed for ESAPI 2.0 encryption. These +# cipher modes are in _addition_ to those specified by the property +# 'Encryptor.cipher_modes.combined_modes'. +# Note: We will add support for streaming modes like CFB & OFB once +# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod' +# (probably in ESAPI 2.1). +# DISCUSS: Better name? +Encryptor.cipher_modes.additional_allowed=CBC + +# 128-bit is almost always sufficient and appears to be more resistant to +# related key attacks than is 256-bit AES. Use '_' to use default key size +# for cipher algorithms (where it makes sense because the algorithm supports +# a variable key size). 
Key length must agree to what's provided as the +# cipher transformation, otherwise this will be ignored after logging a +# warning. +# +# NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing! +Encryptor.EncryptionKeyLength=128 + +# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV). +# (All cipher modes except ECB require an IV.) There are two choices: we can either +# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While +# the IV does not need to be hidden from adversaries, it is important that the +# adversary not be allowed to choose it. Also, random IVs are generally much more +# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes +# such as CFB and OFB use a different IV for each encryption with a given key so +# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random +# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and +# uncomment the Encryptor.fixedIV. +# +# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.1 +Encryptor.ChooseIVMethod=random +# If you choose to use a fixed IV, then you must place a fixed IV here that +# is known to all others who are sharing your secret key. The format should +# be a hex string that is the same length as the cipher block size for the +# cipher algorithm that you are using. The following is an *example* for AES +# from an AES test vector for AES-128/CBC as described in: +# NIST Special Publication 800-38A (2001 Edition) +# "Recommendation for Block Cipher Modes of Operation". +# (Note that the block size for AES is 16 bytes == 128 bits.) +# +Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f + +# Whether or not CipherText should use a message authentication code (MAC) with it. 
+# This prevents an adversary from altering the IV as well as allowing a more +# fool-proof way of determining the decryption failed because of an incorrect +# key being supplied. This refers to the "separate" MAC calculated and stored +# in CipherText, not part of any MAC that is calculated as a result of a +# "combined mode" cipher mode. +# +# If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also +# set this property to false. +Encryptor.CipherText.useMAC=true + +# Whether or not the PlainText object may be overwritten and then marked +# eligible for garbage collection. If not set, this is still treated as 'true'. +Encryptor.PlainText.overwrite=true + +# Do not use DES except in a legacy situations. 56-bit is way too small key size. +#Encryptor.EncryptionKeyLength=56 +#Encryptor.EncryptionAlgorithm=DES + +# TripleDES is considered strong enough for most purposes. +# Note: There is also a 112-bit version of DESede. Using the 168-bit version +# requires downloading the special jurisdiction policy from Sun. +#Encryptor.EncryptionKeyLength=168 +#Encryptor.EncryptionAlgorithm=DESede + +Encryptor.HashAlgorithm=SHA-512 +Encryptor.HashIterations=1024 +Encryptor.DigitalSignatureAlgorithm=SHA1withDSA +Encryptor.DigitalSignatureKeyLength=1024 +Encryptor.RandomAlgorithm=SHA1PRNG +Encryptor.CharacterEncoding=UTF-8 + +# This is the Pseudo Random Function (PRF) that ESAPI's Key Derivation Function +# (KDF) normally uses. Note this is *only* the PRF used for ESAPI's KDF and +# *not* what is used for ESAPI's MAC. (Currently, HmacSHA1 is always used for +# the MAC, mostly to keep the overall size at a minimum.) +# +# Currently supported choices for JDK 1.5 and 1.6 are: +# HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and +# HmacSHA512 (512 bits). +# Note that HmacMD5 is *not* supported for the PRF used by the KDF even though +# the JDKs support it. See the ESAPI 2.0 Symmetric Encryption User Guide +# further details. 
+Encryptor.KDF.PRF=HmacSHA256 +#=========================================================================== +# ESAPI Logging +# Set the application name if these logs are combined with other applications +Logger.ApplicationName=Ecompportal_application +# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true +Logger.LogEncodingRequired=false +# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments. +Logger.LogApplicationName=true +# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments. +Logger.LogServerIP=true +# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you +# want to place it in a specific directory. +Logger.LogFileName=Ecompportal_ESAPI_logging_file +# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000) +Logger.MaxLogFileSize=10000000 + + +#=========================================================================== +# ESAPI Intrusion Detection +# +# Each event has a base to which .count, .interval, and .action are added +# The IntrusionException will fire if we receive "count" events within "interval" seconds +# The IntrusionDetector is configurable to take the following actions: log, logout, and disable +# (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable +# +# Custom Events +# Names must start with "event." 
as the base +# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here +# You can also disable intrusion detection completely by changing +# the following parameter to true +# +IntrusionDetector.Disable=false +# +IntrusionDetector.event.test.count=2 +IntrusionDetector.event.test.interval=10 +IntrusionDetector.event.test.actions=disable,log + +# Exception Events +# All EnterpriseSecurityExceptions are registered automatically +# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException +# Use the fully qualified classname of the exception as the base + +# any intrusion is an attack +IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1 +IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1 +IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout + +# for test purposes +# CHECKME: Shouldn't there be something in the property name itself that designates +# that these are for testing??? 
+IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10 +IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5 +IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout + +# rapid validation errors indicate scans or attacks in progress +# org.owasp.esapi.errors.ValidationException.count=10 +# org.owasp.esapi.errors.ValidationException.interval=10 +# org.owasp.esapi.errors.ValidationException.actions=log,logout + +# sessions jumping between hosts indicates session hijacking +IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2 +IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10 +IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout + + +#=========================================================================== +# ESAPI Validation +# +# The ESAPI Validator works on regular expressions with defined names. You can define names +# either here, or you may define application specific patterns in a separate file defined below. +# This allows enterprises to specify both organizational standards as well as application specific +# validation rules. +# +Validator.ConfigurationFile=validation.properties +Validator.ConfigurationFile.MultiValued=false + +# Validators used by ESAPI +Validator.AccountName=^[a-zA-Z0-9]{3,20}$ +Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$ +Validator.RoleName=^[a-z]{1,20}$ + +#the word TEST below should be changed to your application +#name - only relative URL's are supported +Validator.Redirect=^\\/test.*$ + +# Global HTTP Validation Rules +# Values with Base64 encoded data (e.g. 
encrypted state) will need at least [a-zA-Z0-9\/+=] +Validator.HTTPScheme=^(http|https)$ +Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ +Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$ +Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$ +Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ +Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ +Validator.HTTPContextPath=^\\/?[a-zA-Z0-9.\\-\\/_]*$ +Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ +Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$ +Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$ +Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ +Validator.HTTPURL=^.*$ +Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$ + +# Validation of file related input +Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ +Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ diff --git a/ecomp-sdk/epsdk-fw/src/test/resources/key.properties b/ecomp-sdk/epsdk-fw/src/test/resources/key.properties new file mode 100644 index 00000000..aa3355d1 --- /dev/null +++ b/ecomp-sdk/epsdk-fw/src/test/resources/key.properties 
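Review bot: `ESAPI.printProperties=true` contradicts the comment directly above it, which states the `src/test/resources` copy is meant to be `false`, and with it on every property in this file, including `Encryptor.MasterKey` and `Encryptor.MasterSalt`, is echoed at load time unless the ESAPI version in use masks them; change it to `ESAPI.printProperties=false`. The `MasterKey`/`MasterSalt` values are the ESAPI sample placeholders and `Validator.Redirect=^\\/test.*$` still carries the `test` stub the comment says to replace, so this file must remain a fixture: add a first-line comment such as `# TEST FIXTURE ONLY - key, salt and redirect pattern are placeholders; generate real values for any deployment`. If it is ever used as the template for the runtime configuration, also note that `Validator.HTTPURL=^.*$` makes URL validation a no-op, and that `SHA1withDSA` with a 1024-bit key and `SHA1PRNG` are legacy choices that should be revisited there.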
@@ -0,0 +1,41 @@
+###
+# ============LICENSE_START==========================================
+# ONAP Portal SDK
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+###
+
+# Properties read by the ECOMP Framework library (epsdk-fw)
+
+cipher.enc.key = AGLDdG4D04BKm2IxIWEr8o==
\ No newline at end of file
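Review bot: `cipher.enc.key` commits a base64 AES key (16 bytes once decoded) to source control with nothing marking it as disposable, which invites copying it into a deployed `key.properties`; add a comment above it such as `# TEST ONLY: this key is public in the repository and must never be reused for a deployed instance`. `KeyProperties` and `CipherUtil` are outside this hunk, but if they resolve `key.properties` from the classpath, make sure the test copy cannot shadow the runtime file when the test jar ends up on the same path. The file also lacks a trailing newline.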
diff --git a/ecomp-sdk/epsdk-fw/src/test/resources/portal.properties b/ecomp-sdk/epsdk-fw/src/test/resources/portal.properties
new file mode 100644
index 00000000..15bedc9a
--- /dev/null
+++ b/ecomp-sdk/epsdk-fw/src/test/resources/portal.properties
@@ -0,0 +1,3 @@
+# for testing only
+ecomp_rest_url = http://localhost:55155
+ueb_app_key = 123abc
diff --git a/ecomp-sdk/epsdk-fw/src/test/resources/validation.properties b/ecomp-sdk/epsdk-fw/src/test/resources/validation.properties
new file mode 100644
index 00000000..b275093f
--- /dev/null
+++ b/ecomp-sdk/epsdk-fw/src/test/resources/validation.properties
@@ -0,0 +1,32 @@
+# The ESAPI validator does many security checks on input, such as canonicalization
+# and whitelist validation. Note that all of these validation rules are applied *after*
+# canonicalization. Double-encoded characters (even with different encodings involved,
+# are never allowed.
+#
+# To use:
+#
+# First set up a pattern below. You can choose any name you want, prefixed by the word
+# "Validation." For example:
+# Validation.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
+#
+# Then you can validate in your code against the pattern like this:
+# ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull);
+# Where maxLength and allowNull are set for you needs, respectively.
+#
+# But note, when you use boolean variants of validation functions, you lose critical
+# canonicalization. It is preferable to use the "get" methods (which throw exceptions) and
+# and use the returned user input which is in canonical form. Consider the following:
+#
+# try {
+# someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull));
+#
+Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$
+#Given the discussion: https://github.com/ESAPI/esapi-java-legacy/issues/374, a better upper-bound for domain name
+#was selected as 62. This is slightly under the length in RFC-1035
+Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,62}$
+Validator.Gmail=^[A-Za-z0-9._%'-+]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,62}$
+Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
+#Validator.URL=^(?:ht|f)tp(s?+)\\:\\/\\/[0-9a-zA-Z](?:[-.\\w]*[0-9a-zA-Z])*(?::(?:0-9)*)*(?:\\/?+)(?:[a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?+$
+Validator.URL=^(?:ht|f)tp(?:s?)(?:[:A-Za-z0-9%/#?&.=-]*)$
+Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
+Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
\ No newline at end of file
-- 
cgit 1.2.3-korg
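Review bot: In `Validator.Gmail` the character class `[A-Za-z0-9._%'-+]` contains the range `'-+`, which in a Java regex spans ASCII 0x27–0x2B and therefore also admits `(`, `)` and `*` in the local part, not just the literal `'`, `-` and `+` that were evidently intended; move the dash to the end: `Validator.Gmail=^[A-Za-z0-9._%'+-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,62}$`. `Validator.Email` already places its dash last, so only the Gmail pattern is affected. The active `Validator.URL` accepts `ftp`/`ftps` as well as `http(s)` and does not require `://` after the scheme, so any value validated against it as a redirect or callback target should additionally be checked against an allow-list of hosts; if only web URLs are intended, tighten the prefix to `^https?://`.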