From 944ec97d2b75bf63d596c529dc495c74e2cc7033 Mon Sep 17 00:00:00 2001 From: st398c Date: Wed, 29 May 2019 15:03:01 -0400 Subject: AtomicPutWithDeleteLock Copy Report, SQL Injection Issue-ID: PORTAL-581, PORTAL-582,PORTAL-583, PORTAL-594 Change-Id: Ibbd7a2a63f41a75109fb3916a5de1ab6a0bacfe2 Signed-off-by: st398c --- .../system/fusion/adapter/RaptorAdapter.java | 8 ++- .../system/fusion/web/RaptorControllerAsync.java | 17 +++-- .../system/fusion/adapter/RaptorAdapterTest.java | 83 ++++++++++++++++++++++ .../db-scripts/EcompSdkDMLMySql_2_6_Common.sql | 5 ++ ecomp-sdk/epsdk-app-os/README.md | 5 +- .../ds2-reports/report-step-controller.js | 7 ++ .../DS2-view-models/ds2-reports/steps/step1.html | 2 +- .../onap/portalapp/music/service/MusicService.java | 20 +++--- 8 files changed, 125 insertions(+), 22 deletions(-) create mode 100644 ecomp-sdk/epsdk-analytics/src/test/java/org/onap/portalsdk/analytics/system/fusion/adapter/RaptorAdapterTest.java (limited to 'ecomp-sdk') diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/adapter/RaptorAdapter.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/adapter/RaptorAdapter.java index fd225246..fc5fdb36 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/adapter/RaptorAdapter.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/adapter/RaptorAdapter.java @@ -37,6 +37,7 @@ */ package org.onap.portalsdk.analytics.system.fusion.adapter; +import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; 
@@ -49,6 +50,8 @@ import java.util.TreeSet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; +import org.hibernate.criterion.Criterion; +import org.hibernate.criterion.Restrictions; import org.onap.portalsdk.analytics.system.AppUtils; import org.onap.portalsdk.core.domain.Menu; import org.onap.portalsdk.core.domain.MenuData; @@ -145,7 +148,10 @@ public class RaptorAdapter extends FusionAdapter { String loginId = ""; try{ - List list = getDataAccessService().getList(User.class, " where user_id = " + userId, null, null); + List restrictionsList = new ArrayList(); + Criterion criterion1 = Restrictions.eq("user_id", userId); + restrictionsList.add(criterion1); + List list = getDataAccessService().getList(User.class, null, restrictionsList, null); if (list != null) { if (!list.isEmpty()) { User user = (User)list.get(0); diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java index dbecbbd8..9e11affe 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java @@ -452,6 +452,7 @@ public class RaptorControllerAsync extends RestrictedBaseController { ReportDefinition rdef = rh.loadReportDefinition(request, reportID); rdef.setAsCopy(request); request.getSession().setAttribute(AppConstants.SI_REPORT_DEFINITION, rdef); + request.getSession().setAttribute("COPY_REPORT_EVENT", "true"); messageJSON.setMessage("Success- Report Copied."); messageJSON.setAnyStacktrace(rdef.getReportID() + " is Modified and added to session and DB."); 
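Review bot: `Restrictions.eq("user_id", userId)` is keyed by the Hibernate property name, not the database column, and it receives `userId` as a `String`; if `User` maps this value as an `id`/`Long` property, the Criteria query fails at runtime with a property-resolution or type error, and the new unit test cannot catch that because it mocks `getList`. Please confirm the mapped property name and type and pass a converted value, e.g. `Criterion criterion1 = Restrictions.eq("id", Long.valueOf(userId));` (adjusted to the actual mapping); a non-numeric `userId` would then be rejected before any query runs. The parameterised restriction does remove the concatenation that made the old `" where user_id = " + userId` clause injectable. `getUserLoginId`'s body continues past the hunk.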
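Review bot: The `"COPY_REPORT_EVENT"` literal written here is a session-attribute key that other controller methods in this commit read back by repeating the same string; keep it next to `AppConstants.SI_REPORT_DEFINITION` as a named constant so the writer and readers cannot drift, e.g. `request.getSession().setAttribute(AppConstants.SI_COPY_REPORT_EVENT, "true");`. Storing a `Boolean` instead of the string `"true"` would also avoid the `"true".equals(...)` comparisons on the read side. The enclosing method continues outside the hunk.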
@@ -671,12 +672,10 @@ public class RaptorControllerAsync extends RestrictedBaseController { ReportRuntime rr = null; boolean newReport = false; MessageJSON messageJSON = new MessageJSON(); - if("-1".equals(id)) { - id = "Create"; - } try { - if (id.equals("InSession")) { - rdef = (ReportDefinition) request.getSession().getAttribute(AppConstants.SI_REPORT_DEFINITION); + String copyReportEvent = (String)request.getSession().getAttribute("COPY_REPORT_EVENT"); + if (id.equals("InSession") || "true".equals(copyReportEvent)) { + rdef = (ReportDefinition) request.getSession().getAttribute(AppConstants.SI_REPORT_DEFINITION); newReport = false; } else if (id.equals("Create")) { @@ -833,7 +832,7 @@ public class RaptorControllerAsync extends RestrictedBaseController { persistReportDefinition(request, rdef); messageJSON.setMessage("Success Definition of given report is saved in session."); messageJSON.setAnyStacktrace((newReport ? " New Report info is added to Session " - : rdef.getReportID() + " is Modified and added to session and DB.")); + : rdef.getReportID() + "- is Modified and added to session and DB.")); } catch (Exception ex) { messageJSON.setMessage("Error occured while saving definition Tab"); @@ -1389,9 +1388,9 @@ public class RaptorControllerAsync extends RestrictedBaseController { if (!Globals.isSystemInitialized()) { Globals.initializeSystem(servletContext); } - - if (tabId.equals("Def") && id.equals("InSession")) { - rdef = (ReportDefinition) request.getSession().getAttribute(AppConstants.SI_REPORT_DEFINITION); + String copyReportEvent = (String)request.getSession().getAttribute("COPY_REPORT_EVENT"); + if (tabId.equals("Def") && id.equals("InSession") || "true".equals(copyReportEvent)) { + rdef = (ReportDefinition) request.getSession().getAttribute(AppConstants.SI_REPORT_DEFINITION); newReport = false; } else if (tabId.equals("Def") && id.equals("Create")) { 
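Review bot: `COPY_REPORT_EVENT` is read here but no hunk in this commit ever clears it, so once a user copies a report every later request in the same session takes the `InSession` branch regardless of the `id` the client sent, and an edit aimed at a different report would be applied to whatever `ReportDefinition` is still parked in the session. Remove the flag once it has been consumed, e.g. `request.getSession().removeAttribute("COPY_REPORT_EVENT");` immediately after `rdef` is taken from the session, or store the copied report's id instead of a bare `"true"` and compare it with the requested `id`. Dropping the `"-1"` to `"Create"` mapping also changes what an `id` of `-1` does in the branches that follow; if that is intended by the copy flow a one-line comment saying so would help the next reader. The enclosing method starts and ends outside the hunk.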
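Review bot: The new condition `tabId.equals("Def") && id.equals("InSession") || "true".equals(copyReportEvent)` parses as `(A && B) || C`, so while the copy flag is set every tab, not only `Def`, loads the session `ReportDefinition` and skips the `Create` and load-by-id branches that follow. If the flag is only meant to widen the `Def` case, parenthesise it: `if (tabId.equals("Def") && (id.equals("InSession") || "true".equals(copyReportEvent))) {`. Together with the flag never being cleared, this is the path by which a stale copy can shadow an explicitly requested report id. The enclosing method continues outside the hunk.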
diff --git a/ecomp-sdk/epsdk-analytics/src/test/java/org/onap/portalsdk/analytics/system/fusion/adapter/RaptorAdapterTest.java b/ecomp-sdk/epsdk-analytics/src/test/java/org/onap/portalsdk/analytics/system/fusion/adapter/RaptorAdapterTest.java new file mode 100644 index 00000000..34bdd787 --- /dev/null +++ b/ecomp-sdk/epsdk-analytics/src/test/java/org/onap/portalsdk/analytics/system/fusion/adapter/RaptorAdapterTest.java 
@@ -0,0 +1,83 @@ +/* + * ============LICENSE_START========================================== + * ONAP Portal SDK + * =================================================================== + * Copyright © 2019 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ * + * ============LICENSE_END============================================ + * + * + */ + +package org.onap.portalsdk.analytics.system.fusion.adapter; + +import static org.junit.Assert.assertEquals; + +import java.util.ArrayList; +import java.util.List; + +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mockito; +import org.onap.portalsdk.core.domain.User; +import org.onap.portalsdk.core.service.DataAccessService; +import org.onap.portalsdk.core.web.support.AppUtils; +import org.powermock.api.mockito.PowerMockito; +import org.powermock.core.classloader.annotations.PrepareForTest; +import org.powermock.modules.junit4.PowerMockRunner; + +@RunWith(PowerMockRunner.class) +@PrepareForTest(AppUtils.class) +public class RaptorAdapterTest { + + @Test + public void testGetUserLoginId() { + User user = new User(); + user.setLoginId("test"); + List userList = new ArrayList<>(); + userList.add(user); + DataAccessService mockDataAccessService = Mockito.mock(DataAccessService.class); + PowerMockito.mockStatic(AppUtils.class); + PowerMockito.when(AppUtils.getDataAccessService()).thenReturn(mockDataAccessService); + Mockito.doReturn(userList).when(mockDataAccessService).getList(Mockito.eq(User.class), Mockito.eq(null), Mockito.anyList(), Mockito.eq(null)); + String loginID = RaptorAdapter.getUserLoginId("1"); + assertEquals("test",loginID); + } + + @Test + public void testGetUserLoginIdWithNullList() { + DataAccessService mockDataAccessService = Mockito.mock(DataAccessService.class); + PowerMockito.mockStatic(AppUtils.class); + PowerMockito.when(AppUtils.getDataAccessService()).thenReturn(mockDataAccessService); + Mockito.doReturn(null).when(mockDataAccessService).getList(Mockito.eq(User.class), Mockito.eq(null), Mockito.anyList(), Mockito.eq(null)); + String loginID = RaptorAdapter.getUserLoginId("1"); + assertEquals("",loginID); + } +} 
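Review bot: Both tests stub `getList(Mockito.eq(User.class), Mockito.eq(null), Mockito.anyList(), Mockito.eq(null))`, so they pass for any restriction list and do not verify that the injection fix queries the intended property with the supplied value. Capture the third argument with an `ArgumentCaptor<List>` and assert on it, e.g. `assertEquals("user_id=1", captor.getValue().get(0).toString());` (Hibernate's `SimpleExpression.toString()` renders `property=value`, please confirm for the version in use), so a regression to a string-built clause or a wrong property name fails the build. `List userList` and the mocked return are raw types; `List<User>` keeps the test honest about what `getList` is expected to return.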
diff --git a/ecomp-sdk/epsdk-app-common/db-scripts/EcompSdkDMLMySql_2_6_Common.sql b/ecomp-sdk/epsdk-app-common/db-scripts/EcompSdkDMLMySql_2_6_Common.sql index 2ff2dc26..66637e62 100644 --- a/ecomp-sdk/epsdk-app-common/db-scripts/EcompSdkDMLMySql_2_6_Common.sql +++ b/ecomp-sdk/epsdk-app-common/db-scripts/EcompSdkDMLMySql_2_6_Common.sql @@ -135,6 +135,11 @@ INSERT INTO fn_restricted_url (restricted_url, function_cd) VALUES ('tab3.htm',' INSERT INTO fn_restricted_url (restricted_url, function_cd) VALUES ('tab4.htm','menu_tab'); INSERT INTO fn_restricted_url (restricted_url, function_cd) VALUES ('raptor.htm','view_reports'); INSERT INTO fn_restricted_url (restricted_url, function_cd) VALUES ('raptor_blob_extract.htm','view_reports'); +INSERT INTO fn_restricted_url (restricted_url, function_cd) VALUES ('report/wizard/add_formfield_tab_data/*','menu_reports'); +INSERT INTO fn_restricted_url (restricted_url, function_cd) VALUES ('report/wizard/save_formfield_tab_data/*','menu_reports'); +INSERT INTO fn_restricted_url (restricted_url, function_cd) VALUES ('report/wizard/retrieve_form_tab_wise_data/*/delete','menu_reports'); +INSERT INTO fn_restricted_url (restricted_url, function_cd) VALUES ('report/wizard/list_child_report_col/*','menu_reports'); +INSERT INTO fn_restricted_url (restricted_url, function_cd) VALUES ('report/wizard/list_child_report_ff/*','menu_reports'); INSERT INTO fn_restricted_url VALUES('admin','menu_admin'); INSERT INTO fn_restricted_url VALUES('get_role','menu_admin'); INSERT INTO fn_restricted_url VALUES('get_role_functions','menu_admin'); diff --git a/ecomp-sdk/epsdk-app-os/README.md b/ecomp-sdk/epsdk-app-os/README.md index 1034949d..3ab427e3 100644 --- a/ecomp-sdk/epsdk-app-os/README.md +++ b/ecomp-sdk/epsdk-app-os/README.md 
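Review bot: These `fn_restricted_url` rows are, judging by the table name, the authorization gate for the new wizard endpoints, so the matching semantics of the `*` in `report/wizard/add_formfield_tab_data/*` matter: confirm that the check treats it as one path segment and compares against a normalised request path, otherwise URL variants may not be caught; the matching code is not in this diff, so this is inferred. The existing raptor entries use `view_reports` while the new ones use `menu_reports`, which may be intentional but deserves a comment explaining the split. The script is plain `INSERT`s, so re-running it will duplicate or conflict with these rows unless `restricted_url` is unique.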
@@ -17,7 +17,10 @@ Version 2.6.0-SNAPSHOT - PORTAL-543 Fix fortify scan security vulnerability issues - PORTAL-273 Raise JUnit test coverage of Portal/SDK repos to 50% Including JavaScript - PORTAL-544 Fix for Raptor issues - +- PORTAL-545 Copied report is not saved due to report id -1 +- PORTAL-581 Fix for edited copy report name save issue +- PORTAL-582 Handled SQL injection for user Login Id, Added JUNIT test case for RaptorAdapter.java, Added AT&Tlicense and fixed compilation issue. +- PORTAL-583 Added portal/SDK 2_6 Scripts to fix Raptor UI issues Version 2.5.0 - PORTAL-356 Bootstrapping hybrid applications (Angular and AngularJS) diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-controllers/ds2-reports/report-step-controller.js b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-controllers/ds2-reports/report-step-controller.js index 54a14242..a23823e3 100644 --- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-controllers/ds2-reports/report-step-controller.js +++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-controllers/ds2-reports/report-step-controller.js @@ -2,6 +2,7 @@ appDS2.controller('reportStepController', function($scope,$http,$location, $rout /*****************Init values*********************/ $scope.reportIdURL = $routeParams.reportId; $scope.isEdit = ($scope.reportIdURL==null||$scope.reportIdURL=='')?false:true; + $scope.isCopy = false; $scope.isDefReady = $scope.isEdit; $scope.activeTabsId = 'definition'; $scope.pageMsg ='' 
@@ -260,6 +261,11 @@ appDS2.controller('reportStepController', function($scope,$http,$location, $rout $scope.stepTabs[x].disabled=false; } $scope.showLoader=false; + if(isCopy){ + var newReportId = data.anyStacktrace.split("-")[0]; + if(newReportId!=null && newReportId!='' && newReportId!=-1) + $window.location.href = "#/report_wizard/"+newReportId; + } },function(error){ $scope.errorPopUp(error); $log.error("report-step-controller: updateDefinition by Id failed."); @@ -710,6 +716,7 @@ appDS2.controller('reportStepController', function($scope,$http,$location, $rout /********************Init*************/ $scope.init = function(){ if ($routeParams.reportMode=="copy") { + $scope.isCopy = true; raptorReportFactory.copyReportById($routeParams.reportId).then(function(data){ $scope.isEdit = true; $scope.reportId = -1; diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-reports/steps/step1.html b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-reports/steps/step1.html index 64d31d97..0ad05d24 100644 --- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-reports/steps/step1.html +++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-reports/steps/step1.html @@ -7,7 +7,7 @@
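Review bot: The guard `if(isCopy){` reads a bare identifier, but the flag is set as `$scope.isCopy = true` in the `init` hunk below and initialised as `$scope.isCopy = false`, so at runtime this is a `ReferenceError` (or a stray global) and the redirect never fires; it should be `if($scope.isCopy){`. Deriving the id with `data.anyStacktrace.split("-")[0]` couples the client to the wording of a diagnostic string that the server hunk changed to `"- is Modified..."` for this purpose; a dedicated field on `MessageJSON` would be far less brittle, and `newReportId!=-1` compares a string loosely. The controller's signature is outside the hunk, so please also confirm `$window` is injected. Reset `$scope.isCopy = false;` after navigating so a later save does not redirect again.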
-
+
diff --git a/ecomp-sdk/epsdk-music/src/main/java/org/onap/portalapp/music/service/MusicService.java b/ecomp-sdk/epsdk-music/src/main/java/org/onap/portalapp/music/service/MusicService.java index c8d15884..2cbc5a94 100644 --- a/ecomp-sdk/epsdk-music/src/main/java/org/onap/portalapp/music/service/MusicService.java +++ b/ecomp-sdk/epsdk-music/src/main/java/org/onap/portalapp/music/service/MusicService.java @@ -120,7 +120,7 @@ public class MusicService { } if (isAtomicPut) - result = MusicCore.atomicPutWithDeleteLock(musicKeySpace, tableName, sessionId, queryObject, null); + result = MusicCore.atomicPut(musicKeySpace, tableName, sessionId, queryObject, null); else result = MusicCore.eventualPut(queryObject); logger.debug(EELFLoggerDelegate.debugLogger, "setAttribute: attributeName: " + attributeName @@ -152,7 +152,7 @@ public class MusicService { queryObject.addValue(String.valueOf(session.getMaxInactiveInterval())); queryObject.addValue(session.getId()); if (isAtomicPut) - result = MusicCore.atomicPutWithDeleteLock(musicKeySpace, musicMetaTable, session.getId(), queryObject, null); + result = MusicCore.atomicPut(musicKeySpace, musicMetaTable, session.getId(), queryObject, null); else result = MusicCore.eventualPut(queryObject); logger.debug(EELFLoggerDelegate.debugLogger, @@ -178,7 +178,7 @@ public class MusicService { queryObject.appendQueryString(querySB.toString()); queryObject.addValue(sessionId); if (isAtomicGet) - result = MusicCore.atomicGetWithDeleteLock(musicKeySpace, musicMetaTable, sessionId, queryObject); + result = MusicCore.atomicGet(musicKeySpace, musicMetaTable, sessionId, queryObject); else result = MusicCore.get(queryObject); logger.debug(EELFLoggerDelegate.debugLogger, "getMetaAttribute: with session id: " + sessionId); 
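Review bot: After the switch to `MusicCore.atomicPut`, `result` is still only handed to `logger.debug` in the visible lines, so a put that fails because the lock could not be acquired would be silently lost for session state; if `ReturnType` exposes a status, check it and log at error level or propagate. Whether `atomicPut` releases the lock that `atomicPutWithDeleteLock` previously deleted is not visible here; please confirm so per-session-id locks do not accumulate in MUSIC. The enclosing methods continue outside the hunks.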
@@ -234,7 +234,7 @@ public class MusicService { queryObject.appendQueryString(querySB.toString()); if (isAtomicGet) - result = MusicCore.atomicGetWithDeleteLock(musicKeySpace, tableName, sessionId, queryObject); + result = MusicCore.atomicGet(musicKeySpace, tableName, sessionId, queryObject); else result = MusicCore.get(queryObject); return MusicUtil.musicRestResponseDataParsing(result, attributeName); @@ -270,7 +270,7 @@ public class MusicService { tableName = musicMetaTable; queryObject.appendQueryString(querySB.toString()); if (isAtomicPut) - result = MusicCore.atomicPutWithDeleteLock(musicKeySpace, tableName, sessionId, queryObject, null); + result = MusicCore.atomicPut(musicKeySpace, tableName, sessionId, queryObject, null); else result = MusicCore.eventualPut(queryObject); logger.debug(EELFLoggerDelegate.debugLogger, @@ -298,7 +298,7 @@ public class MusicService { queryObject.appendQueryString(querySB.toString()); queryObject.addValue(sessionId); if (isAtomic) - result = MusicCore.atomicPutWithDeleteLock(musicKeySpace, musicMetaTable, sessionId, queryObject, null); + result = MusicCore.atomicPut(musicKeySpace, musicMetaTable, sessionId, queryObject, null); else result = MusicCore.eventualPut(queryObject); logger.debug(EELFLoggerDelegate.debugLogger, REMOVE_SESSION + musicMetaTable + WITH_SESSION_ID @@ -311,7 +311,7 @@ public class MusicService { queryObject.appendQueryString(querySB.toString()); queryObject.addValue(sessionId); if (isAtomic) - result = MusicCore.atomicPutWithDeleteLock(musicKeySpace, musicAttrTable, sessionId, queryObject, null); + result = MusicCore.atomicPut(musicKeySpace, musicAttrTable, sessionId, queryObject, null); else result = MusicCore.eventualPut(queryObject); 
@@ -575,7 +575,7 @@ public class MusicService { try{ if (isAtomicGet) - result = MusicCore.atomicGetWithDeleteLock(musicKeySpace, musicMetaTable, null, queryObject); + result = MusicCore.atomicGet(musicKeySpace, musicMetaTable, null, queryObject); else result = MusicCore.get(queryObject); Row row = result.one(); @@ -621,7 +621,7 @@ public class MusicService { queryObject.appendQueryString(querySB.toString()); try{ if (isAtomicPut) - result = MusicCore.atomicPutWithDeleteLock(musicKeySpace, null, null, queryObject, null); + result = MusicCore.atomicPut(musicKeySpace, null, null, queryObject, null); else result = MusicCore.eventualPut(queryObject); }catch(Exception e){ @@ -639,7 +639,7 @@ public class MusicService { queryObject.appendQueryString(querySB.toString()); try{ if (isAtomicPut) - result = MusicCore.atomicPutWithDeleteLock(musicKeySpace, null, null, queryObject, null); + result = MusicCore.atomicPut(musicKeySpace, null, null, queryObject, null); else result = MusicCore.eventualPut(queryObject); }catch(Exception e){ -- cgit 1.2.3-korg
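Review bot: `MusicCore.atomicPut(musicKeySpace, null, null, queryObject, null)` requests an atomic write with neither a table nor a primary key, so whatever lock `atomicPut` takes is keyed on nulls — either one lock shared by every caller or no lock at all, depending on the library; the replaced `atomicPutWithDeleteLock` call had the same arguments, but its lock lifecycle may differ from the new method. Confirm the intended behaviour and, if these writes do not actually need the lock, consider calling `MusicCore.eventualPut(queryObject)` here rather than branching on `isAtomicPut`. The enclosing methods continue outside the hunks.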