author | vasraz <vasyl.razinkov@est.tech> | 2022-10-04 18:16:26 +0100 |
---|---|---|
committer | Vasyl Razinkov <vasyl.razinkov@est.tech> | 2022-10-04 18:54:54 +0000 |
commit | 0899720f168c09d037e577109d7cab665fe1fb91 (patch) | |
tree | c6c210914a6fb029841d28de92cb760cdad6088d | |
parent | ca487f60c2ca67794b16c0ff0cf5cc6deca556fc (diff) |
Fix bug 'X-Frame-Options not configured: Lack of clickjacking protection'
Add new Filter (ContentSecurityPolicyHeaderFilter)
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Change-Id: Ic8151df64e4b95b3d59b44a5f74dd12210f55e87
Issue-ID: SDC-4192
24 files changed, 339 insertions, 186 deletions
diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb
index 83dc113329..a1d0df5037 100644
--- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb
+++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb
@@ -64,6 +64,7 @@ template "catalog-be-config" do
 :cassandra_usr => node['cassandra'][:cassandra_user],
 :cassandra_truststore_password => node['cassandra'][:truststore_password],
 :cassandra_ssl_enabled => "#{ENV['cassandra_ssl_enabled']}",
+ :permittedAncestors => "#{ENV['permittedAncestors']}",
 :dmaap_active => node['DMAAP']['active']
 })
 end
diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb
index d1f3bd2c60..5706a16553 100644
--- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb
+++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb
@@ -1289,5 +1289,9 @@ externalCsarStore:
 secretKey: "password"
 tempPath: "/home/onap/temp/"
 uploadPartSize: 200000000
+ #This configuration specifies the delimiter used to differentiate instance name and count
 componentInstanceCounterDelimiter: " "
+
+#Space separated list of permitted ancestors
+permittedAncestors: <%= @permittedAncestors %>
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java
new file mode 100644
index 0000000000..c9871c3c3a
--- /dev/null
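Review bot: `permittedAncestors: <%= @permittedAncestors %>` writes the value as an unquoted YAML scalar, so a value expressed in CSP syntax can be altered by the YAML parser before the filter sees it: `'none'` loses its single quotes (YAML reads them as string quoting, and the filter then emits the bare token `none`), and a bare `*` is read as an alias indicator rather than a string. Quoting the template output, `permittedAncestors: "<%= @permittedAncestors %>"`, keeps the configured text intact; the FE-configuration.yaml.erb and onboarding configuration.yaml.erb hunks use the same unquoted form. The recipe already substitutes the empty string when the `permittedAncestors` env var is unset, which the quoted form handles equally well since the filter treats blank as "no extra ancestors".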
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java
@@ -0,0 +1,41 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.filters;
+
+import org.openecomp.sdc.be.config.Configuration;
+import org.openecomp.sdc.be.config.ConfigurationManager;
+import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract;
+
+public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract {
+
+ @Override
+ protected String getPermittedAncestors() {
+ final ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager();
+ if (configurationManager != null) {
+ final Configuration configuration = configurationManager.getConfiguration();
+ if (configuration != null) {
+ return configuration.getPermittedAncestors();
+ }
+ }
+ return "";
+ }
+
+}
diff --git a/catalog-be/src/main/resources/config/configuration.yaml b/catalog-be/src/main/resources/config/configuration.yaml
index 20014dc7cb..c34d6742a1 100644
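Review bot: `getPermittedAncestors()` can return `null` as well as `""`: `configuration.getPermittedAncestors()` is a plain field read and the catalog-be configuration.yaml only sets the key to `""` by default, so a deployment that omits the key hands `null` to the abstract filter. The abstract filter tolerates that through `StringUtils.isNotBlank`, but the contract is only implicit; a Javadoc on the override such as `Returns the configured space-separated frame-ancestors source list; null or blank means only 'self' is emitted.` makes it explicit for the other implementors. The catalog-fe filter in this commit is identical apart from the package and would carry the same Javadoc.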
--- a/catalog-be/src/main/resources/config/configuration.yaml +++ b/catalog-be/src/main/resources/config/configuration.yaml @@ -927,3 +927,6 @@ directives: - selectable - substitute - substitutable + +#Space separated list of permitted ancestors +permittedAncestors: "" diff --git a/catalog-be/src/main/webapp/WEB-INF/web.xml b/catalog-be/src/main/webapp/WEB-INF/web.xml index 64763b27a8..7cbfd1a920 100644 --- a/catalog-be/src/main/webapp/WEB-INF/web.xml +++ b/catalog-be/src/main/webapp/WEB-INF/web.xml @@ -84,30 +84,6 @@ <async-supported>true</async-supported> </servlet> - <!-- <filter>--> - <!-- <filter-name>CadiAuthFilter</filter-name>--> - <!-- <filter-class>org.onap.portalsdk.core.onboarding.crossapi.CadiAuthFilter</filter-class>--> - <!-- <init-param>--> - <!-- <param-name>cadi_prop_files</param-name>--> - <!-- <!– Add Absolute path of cadi.properties –>--> - <!-- <param-value>etc/cadi.properties</param-value>--> - <!-- </init-param>--> - <!-- <!–Add param values with comma delimited values –>--> - <!-- <!– for example /api/v3/*,/auxapi/*–>--> - <!-- <init-param>--> - <!-- <param-name>include_url_endpoints</param-name>--> - <!-- <param-value>/api/v3/roles,/api/v3/user/*,/api/v3/user/*/roles,/api/v3/users,/api/v3/sessionTimeOuts,/api/v3/updateSessionTimeOuts</param-value>--> - <!-- </init-param>--> - <!-- <init-param>--> - <!-- <param-name>exclude_url_endpoints</param-name>--> - <!-- <param-value>/api/v3/analytics,/api/v3/storeAnalytics</param-value>--> - <!-- </init-param>--> - <!-- </filter>--> - <!-- <filter-mapping>--> - <!-- <filter-name>CadiAuthFilter</filter-name>--> - <!-- <url-pattern>/api/v3/*</url-pattern>--> - <!-- </filter-mapping>--> - <servlet> <servlet-name>ViewStatusMessages</servlet-name> <servlet-class>ch.qos.logback.classic.ViewStatusMessagesServlet</servlet-class> 
@@ -129,35 +105,15 @@ <url-pattern>/lbClassicStatus</url-pattern> </servlet-mapping> - <!-- <filter> - <filter-name>GzipFilter</filter-name> - <filter-class>org.eclipse.jetty.servlets.GzipFilter</filter-class> - <async-supported>true</async-supported> - <init-param> - <param-name>methods</param-name> - <param-value>GET,POST,PUT,DELETE</param-value> - </init-param> - <init-param> - <param-name>mimeTypes</param-name> - <param-value>text/html,text/plain,text/css,application/javascript,application/json</param-value> - </init-param> - </filter> - <filter-mapping> - <filter-name>GzipFilter</filter-name> - <url-pattern>/sdc2/rest/*</url-pattern> - </filter-mapping> - - --> - <!--<filter>--> - <!--<filter-name>RestrictionAccessFilter</filter-name>--> - <!--<filter-class>org.openecomp.sdc.be.filters.RestrictionAccessFilter</filter-class>--> - <!--<async-supported>true</async-supported>--> - <!--</filter>--> - - <!-- <filter>--> - <!-- <filter-name>gatewayFilter</filter-name>--> - <!-- <filter-class>org.openecomp.sdc.be.filters.GatewayFilter</filter-class>--> - <!-- </filter>--> + <filter> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <filter-class>org.openecomp.sdc.be.filters.ContentSecurityPolicyHeaderFilter</filter-class> + <async-supported>true</async-supported> + </filter> + <filter-mapping> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> <filter> <filter-name>gatewayFilter</filter-name> 
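Review bot: The new `contentSecurityPolicyHeaderFilter` mapping on `/*` declares no `<dispatcher>` elements, so under the Servlet 3.0 default it runs only for the REQUEST dispatch; responses rendered through an ERROR or FORWARD dispatch (container error pages, forwarded views) may be delivered without the frame-ancestors header — confirm against the container in use. If so, adding `<dispatcher>REQUEST</dispatcher>`, `<dispatcher>FORWARD</dispatcher>` and `<dispatcher>ERROR</dispatcher>` to the mapping closes the gap; the catalog-fe, notifications-fe and onboarding-rest-war web.xml hunks use the same mapping and would need the same change. Placing the mapping ahead of `gatewayFilter` is right, since the header is then set before any later filter can commit the response.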
@@ -176,53 +132,6 @@ <url-pattern>/sdc/*</url-pattern> </filter-mapping> - <!-- - <filter> - <filter-name>basicAuthFilter</filter-name> - <filter-class> - org.openecomp.sdc.be.filters.BasicAuthenticationFilter - </filter-class> - <init-param> - <param-name>excludedUrls</param-name> - <param-value>/sdc2/rest/healthCheck,/sdc2/rest/v1/user,/sdc2/rest/v1/user/jh0003,/sdc2/rest/v1/screen,/sdc2/rest/v1/consumers,/sdc2/rest/v1/catalog/uploadType/datatypes,/sdc2/rest/v1/catalog/upload/multipart</param-value> - </init-param> - </filter> - - <filter-mapping> - <filter-name>basicAuthFilter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping>--> - - <!-- <filter>--> - <!-- <filter-name>beRestrictionAccessFilter</filter-name>--> - <!-- <filter-class>--> - <!-- org.springframework.web.filter.DelegatingFilterProxy--> - <!-- </filter-class>--> - <!-- <init-param>--> - <!-- <param-name>targetFilterLifecycle</param-name>--> - <!-- <param-value>true</param-value>--> - <!-- </init-param>--> - <!-- </filter>--> - <!-- <filter-mapping>--> - <!-- <filter-name>beRestrictionAccessFilter</filter-name>--> - <!-- <url-pattern>/sdc2/rest/*</url-pattern>--> - <!-- </filter-mapping>--> - - <!-- <filter>--> - <!-- <filter-name>CADI</filter-name>--> - <!-- <filter-class>org.openecomp.sdc.be.filters.BeCadiServletFilter</filter-class>--> - <!-- <init-param>--> - <!-- <param-name>cadi_prop_files</param-name>--> - <!-- <param-value>etc/cadi.properties</param-value>--> - <!-- </init-param>--> - <!-- </filter>--> - - <!-- <filter-mapping>--> - <!-- <filter-name>CADI</filter-name>--> - <!-- <url-pattern>/sdc/*</url-pattern>--> - <!-- <url-pattern>/sdc2/rest/*</url-pattern>--> - <!-- </filter-mapping>--> - <filter> <filter-name>reqValidationFilter</filter-name> <filter-class> 
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb
index 819638ac08..73176ed1c3 100644
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb
+++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb
@@ -13,6 +13,7 @@ template "catalog-fe-config" do
 :basic_auth_flag => node['basic_auth']['enabled'],
 :user_name => node['basic_auth'][:user_name],
 :user_pass => node['basic_auth'][:user_pass],
+ :permittedAncestors => "#{ENV['permittedAncestors']}",
 :dcae_fe_vip => node['DCAE_FE_VIP']
 })
 end
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb
index 8dc3c51df3..1b10845aaa 100644
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb
+++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb
@@ -124,3 +124,6 @@ healthStatusExclude:
 - PORTAL
 - CATALOG_FACADE_MS
 - External API
+
+#Space separated list of permitted ancestors
+permittedAncestors: <%= @permittedAncestors %>
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java
new file mode 100644
index 0000000000..a49f625e54
--- /dev/null
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java
@@ -0,0 +1,40 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.fe.filters;
+
+import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract;
+import org.openecomp.sdc.fe.config.Configuration;
+import org.openecomp.sdc.fe.config.ConfigurationManager;
+
+public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract {
+
+ @Override
+ protected String getPermittedAncestors() {
+ final ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager();
+ if (configurationManager != null) {
+ final Configuration configuration = configurationManager.getConfiguration();
+ if (configuration != null) {
+ return configuration.getPermittedAncestors();
+ }
+ }
+ return "";
+ }
+}
diff --git a/catalog-fe/src/main/webapp/WEB-INF/web.xml b/catalog-fe/src/main/webapp/WEB-INF/web.xml
index de133ac8ec..895dfd8690 100644
--- a/catalog-fe/src/main/webapp/WEB-INF/web.xml
+++ b/catalog-fe/src/main/webapp/WEB-INF/web.xml
@@ -47,8 +47,6 @@ <load-on-startup>1</load-on-startup> <async-supported>true</async-supported> - - </servlet> <servlet-mapping> @@ -72,6 +70,15 @@ <param-value>false</param-value> </context-param> + <filter> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <filter-class>org.openecomp.sdc.fe.filters.ContentSecurityPolicyHeaderFilter</filter-class> + <async-supported>true</async-supported> + </filter> + <filter-mapping> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> <filter> <filter-name>AuditLogServletFilter</filter-name> @@ -79,17 +86,6 @@ <async-supported>true</async-supported> </filter> - <!-- <filter>--> - <!-- <filter-name>SecurityFilter</filter-name>--> - <!-- <filter-class>org.openecomp.sdc.fe.filters.SecurityFilter</filter-class>--> - <!-- <async-supported>true</async-supported>--> - <!-- <init-param>--> - <!-- <param-name>excludedUrls</param-name>--> - <!-- <!– Comma separated list of excluded servlet URLs –>--> - <!-- <param-value>/config,/configmgr,/rest</param-value>--> - <!-- </init-param>--> - <!-- </filter>--> - <filter> <filter-name>gzipFilter</filter-name> <filter-class>org.openecomp.sdc.fe.filters.GzipFilter</filter-class> @@ -101,11 +97,6 @@ <url-pattern>/*</url-pattern> </filter-mapping> - <!-- <filter-mapping>--> - <!-- <filter-name>SecurityFilter</filter-name>--> - <!-- <url-pattern>/*</url-pattern>--> - <!-- </filter-mapping>--> - <filter-mapping> <filter-name>gzipFilter</filter-name> <url-pattern>*.jsgz</url-pattern> diff --git a/common-app-api/src/main/java/org/openecomp/sdc/be/config/Configuration.java b/common-app-api/src/main/java/org/openecomp/sdc/be/config/Configuration.java index 5a1eacdb58..da849f385c 100644 --- a/common-app-api/src/main/java/org/openecomp/sdc/be/config/Configuration.java +++ b/common-app-api/src/main/java/org/openecomp/sdc/be/config/Configuration.java 
@@ -147,6 +147,7 @@ public class Configuration extends BasicConfiguration {
 private ExternalCsarStore externalCsarStore;
 private CsarFormat csarFormat;
 private String componentInstanceCounterDelimiter;
+ private String permittedAncestors; // Space separated list of permitted ancestors
 @SuppressWarnings("unchecked")
 private <K, V> Map<K, V> safeGetCapsInsensitiveMap(Map<K, V> map) {
diff --git a/common-app-api/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilterAbstract.java b/common-app-api/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilterAbstract.java
new file mode 100644
index 0000000000..1281f27a11
--- /dev/null
+++ b/common-app-api/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilterAbstract.java
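Review bot: Only the field `permittedAncestors` is added here, yet the catalog-be `ContentSecurityPolicyHeaderFilter` in this commit calls `configuration.getPermittedAncestors()`; that compiles only if `Configuration` already generates accessors at class level (the annotations are outside this hunk), otherwise a getter belongs in this hunk. The trailing `// Space separated list of permitted ancestors` would serve better as Javadoc that names the consumer and the blank case, e.g. `/** Space-separated CSP frame-ancestors source list appended to 'self' by ContentSecurityPolicyHeaderFilter; null or blank means only 'self'. */`. The fe Configuration.java hunk adds the identical field and comment and would take the same Javadoc.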
@@ -0,0 +1,55 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.common.filters;
+
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+
+public abstract class ContentSecurityPolicyHeaderFilterAbstract implements Filter {
+
+ @Override
+ public void init(final FilterConfig filterConfig) throws ServletException {
+ // nothing to override
+ }
+
+ @Override
+ public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException {
+ final HttpServletResponse httpServletResponse = (HttpServletResponse) response;
+ final String permittedAncestors = getPermittedAncestors();
+ httpServletResponse.setHeader("Content-Security-Policy",
+ "frame-ancestors 'self' " + (StringUtils.isNotBlank(permittedAncestors) ? permittedAncestors : ""));
+ chain.doFilter(request, httpServletResponse);
+ }
+
+ @Override
+ public void destroy() {
+ // nothing to override
+ }
+
+ protected abstract String getPermittedAncestors();
+}
diff --git a/common-app-api/src/main/java/org/openecomp/sdc/fe/config/Configuration.java b/common-app-api/src/main/java/org/openecomp/sdc/fe/config/Configuration.java
index 322c57ccd6..279f183324 100644
--- a/common-app-api/src/main/java/org/openecomp/sdc/fe/config/Configuration.java
+++ b/common-app-api/src/main/java/org/openecomp/sdc/fe/config/Configuration.java
@@ -75,6 +75,7 @@ public class Configuration extends BasicConfiguration {
 private List<List<String>> identificationHeaderFields;
 private List<List<String>> optionalHeaderFields;
 private List<String> forwardHeaderFields;
+ private String permittedAncestors; // Space separated list of permitted ancestors
 public Integer getHealthCheckSocketTimeoutInMs(int defaultVal) {
 return healthCheckSocketTimeoutInMs == null ? defaultVal : healthCheckSocketTimeoutInMs;
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
index 9191a35786..b51399ca54 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
@@ -4,7 +4,6 @@ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0"> - <!-- Spring --> <context-param> <param-name>contextConfigLocation</param-name>
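Review bot: The commit is titled as an X-Frame-Options fix, but `doFilter` emits only `Content-Security-Policy: frame-ancestors`; a user agent that does not implement frame-ancestors gets no framing restriction at all, and when `permittedAncestors` is blank the emitted value ends in a trailing space. Setting `X-Frame-Options: SAMEORIGIN` as a fallback in the blank case (the legacy header cannot express an allow-list, so it only fits when `'self'` is the whole policy) and trimming the value addresses both. The configured string is concatenated into the header unvalidated; a `;` in it would append further CSP directives, so rejecting such a value at configuration load, or at least here, is worth considering. The unconditional cast of `response` to `HttpServletResponse` also throws on a non-HTTP response; an `instanceof` guard keeps the filter passive in that case.
```java
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException {
    if (response instanceof HttpServletResponse) {
        final HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        final String permittedAncestors = StringUtils.trimToEmpty(getPermittedAncestors());
        httpServletResponse.setHeader("Content-Security-Policy", ("frame-ancestors 'self' " + permittedAncestors).trim());
        if (permittedAncestors.isEmpty()) {
            // frame-ancestors supersedes X-Frame-Options where supported; SAMEORIGIN is the
            // equivalent for user agents that only honour the legacy header.
            httpServletResponse.setHeader("X-Frame-Options", "SAMEORIGIN");
        }
    }
    chain.doFilter(request, response);
}
```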
@@ -16,6 +15,16 @@ </listener> <filter> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <filter-class>org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter</filter-class> + <async-supported>true</async-supported> + </filter> + <filter-mapping> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> + + <filter> <filter-name>cross-origin</filter-name> <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class> <init-param> diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml index 3cbfb1325e..eb8bd9e93f 100644 --- a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml +++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml @@ -4,7 +4,6 @@ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0"> - <!-- Spring --> <context-param> <param-name>contextConfigLocation</param-name> @@ -26,6 +25,16 @@ </listener> <filter> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <filter-class>org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter</filter-class> + <async-supported>true</async-supported> + </filter> + <filter-mapping> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> + + <filter> <filter-name>PermissionsFilter</filter-name> <filter-class>org.openecomp.sdc.itempermissions.servlet.PermissionsFilter</filter-class> </filter> 
diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb index 1cd2ed284f..526f2dd4b4 100644 --- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb +++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb @@ -23,12 +23,11 @@ template "onboard-be-config" do :catalog_notification_url => node['ONBOARDING_BE']['catalog_notification_url'], :catalog_be_http_port => node['BE'][:http_port], :catalog_be_ssl_port => node['BE'][:https_port], + :permittedAncestors => "#{ENV['permittedAncestors']}", :catalog_be_fqdn => node['Nodes']['BE'] }) end - - template "VnfrepoConfiguration" do path "#{ENV['JETTY_BASE']}/config/onboarding-be/config-vnfrepo.yaml" source "vnfrepo-configuration.yaml.erb" @@ -41,7 +40,6 @@ template "VnfrepoConfiguration" do }) end - template "HelmValidatorConfiguration" do path "#{ENV['JETTY_BASE']}/config/onboarding-be/config-helmvalidator.yaml" source "helmvalidator-configuration.yaml.erb" @@ -58,7 +56,6 @@ template "HelmValidatorConfiguration" do }) end - template "ExternalTestingConfiguration" do path "#{ENV['JETTY_BASE']}/config/onboarding-be/externaltesting-configuration.yaml" source "externaltesting-configuration.yaml.erb" diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb index ae07857585..93e0be9467 100644 
--- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb
+++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb
@@ -69,3 +69,6 @@ externalCsarStore:
 thresholdEntries: 10000
 tempPath: "/home/onap/temp/"
 uploadPartSize: 200000000
+
+#Space separated list of permitted ancestors
+permittedAncestors: <%= @permittedAncestors %>
diff --git a/openecomp-be/lib/openecomp-common-lib/pom.xml b/openecomp-be/lib/openecomp-common-lib/pom.xml
index 43ec9c25f6..cb41e44001 100644
--- a/openecomp-be/lib/openecomp-common-lib/pom.xml
+++ b/openecomp-be/lib/openecomp-common-lib/pom.xml
@@ -26,6 +26,17 @@
 <version>${project.version}</version>
 </dependency>
 <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>javax.servlet-api</artifactId>
+ <version>${servlet-api.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>javax.inject</groupId>
+ <artifactId>javax.inject</artifactId>
+ <version>${javax.inject.version}</version>
+ </dependency>
+ <dependency>
 <groupId>javax.ws.rs</groupId>
 <artifactId>javax.ws.rs-api</artifactId>
 <scope>provided</scope>
diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilter.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilter.java
new file mode 100644
index 0000000000..f7aa6f2da0
--- /dev/null
+++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilter.java
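Review bot: The `javax.inject` dependency added to openecomp-common-lib is not used by the `ContentSecurityPolicyHeaderFilter` this commit introduces in that module (it imports only `CommonConfigurationManager` and the abstract filter), and unlike `javax.servlet-api` it is declared with default compile scope, so it is passed transitively to every consumer of the library. If nothing else in the module needs it, drop that block; if it is needed, a short `<!-- required by ... -->` comment next to it would record why. The `javax.servlet-api` entry is correctly `provided`, since the container supplies it at runtime.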
@@ -0,0 +1,35 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.common.filters;
+
+import org.openecomp.sdc.common.CommonConfigurationManager;
+
+public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract {
+
+ @Override
+ protected String getPermittedAncestors() {
+ final CommonConfigurationManager commonConfigurationManager = CommonConfigurationManager.getInstance();
+ if (commonConfigurationManager != null) {
+ return commonConfigurationManager.getConfigValue("permittedAncestors", "");
+ }
+ return "";
+ }
+}
diff --git a/utils/webseal-simulator/pom.xml b/utils/webseal-simulator/pom.xml
index 9aba026299..8b2fa980a8 100644
--- a/utils/webseal-simulator/pom.xml
+++ b/utils/webseal-simulator/pom.xml
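Review bot: The configuration key is the bare literal `"permittedAncestors"` inside `getPermittedAncestors()`, while the same key is spelled out again in the chef templates; a named constant, `private static final String PERMITTED_ANCESTORS_KEY = "permittedAncestors";`, gives the class referenced from web.xml one place that documents what it reads. A one-line class Javadoc saying this is the variant for webapps configured through `CommonConfigurationManager` (notifications-fe and onboarding-rest-war) would also help, since three classes in this commit share the simple name `ContentSecurityPolicyHeaderFilter`.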
@@ -23,6 +23,18 @@ <dependencies> <dependency> + <groupId>org.openecomp.sdc</groupId> + <artifactId>common-app-api</artifactId> + <version>${project.version}</version> + <scope>compile</scope> + <exclusions> + <exclusion> + <groupId>org.apache.httpcomponents</groupId> + <artifactId>httpcore</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>${javax.servlet.version}</version> diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb index 3769a1f723..9ee166364c 100644 --- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb +++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb @@ -6,7 +6,6 @@ else fe_url="http://#{node['Nodes']['FE']}:#{node['FE'][:http_port]}" end - template "webseal.conf" do path "#{ENV['JETTY_BASE']}/config/sdc-simulator/webseal.conf" source "SDC-Simulator-webseal.conf.erb" @@ -14,6 +13,7 @@ template "webseal.conf" do group "#{ENV['JETTY_GROUP']}" mode "0755" variables({ - :fe_url =>"#{fe_url}" + :fe_url =>"#{fe_url}", + :permittedAncestors => "#{ENV['permittedAncestors']}" }) end diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb index f6e634481f..f72c3ae270 100644 --- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb 
+++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb @@ -2,6 +2,8 @@ webseal { fe="<%= @fe_url %>" portalCookieName="EPService" + #Space separated list of permitted ancestors + permittedAncestors="<%= @permittedAncestors %>" users = [ { userId="cs0008" @@ -9,7 +11,7 @@ firstName="Carlos" lastName="Santana" role="Designer" - email="csantana@sdc.com" + email="csantana@sdc.com" }, { userId="jh0003" diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java new file mode 100644 index 0000000000..ed4b4c1c39 --- /dev/null +++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java 
@@ -0,0 +1,32 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.webseal.simulator;
+
+import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract;
+import org.openecomp.sdc.webseal.simulator.conf.Conf;
+
+public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract {
+
+ @Override
+ protected String getPermittedAncestors() {
+ return Conf.getInstance().getPermittedAncestors();
+ }
+}
diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java
index 449fe62f49..eb498c975e 100644
--- a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java
+++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java
@@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
@@ -22,75 +22,59 @@ package org.openecomp.sdc.webseal.simulator.conf; import com.typesafe.config.Config; import com.typesafe.config.ConfigFactory; -import org.openecomp.sdc.webseal.simulator.User; - import java.io.File; import java.util.HashMap; import java.util.List; import java.util.Map; +import lombok.Getter; +import lombok.Setter; +import org.openecomp.sdc.webseal.simulator.User; +@Getter +@Setter public class Conf { - private static Conf conf = new Conf(); - private String feHost; - private Map<String,User> users = new HashMap<String,User>(); + private static Conf conf = new Conf(); + private String feHost; + private Map<String, User> users = new HashMap<String, User>(); private String portalCookieName; + private String permittedAncestors; // Space separated list of permitted ancestors - private void setPortalCookieName(String portalCookieName) { - this.portalCookieName = portalCookieName; + private Conf() { + initConf(); } - public String getPortalCookieName() { - return portalCookieName; - } + private void initConf() { + try { + String confPath = System.getProperty("config.resource"); + if (confPath == null) { + System.out.println("config.resource is empty - goint to get it from config.home"); + confPath = System.getProperty("config.home") + "/webseal.conf"; + } + System.out.println("confPath=" + confPath); + final Config confFile = ConfigFactory.parseFileAnySyntax(new File(confPath)); + final Config resolve = confFile.resolve(); + setFeHost(resolve.getString("webseal.fe")); + setPortalCookieName(resolve.getString("webseal.portalCookieName")); + final List<? 
extends Config> list = resolve.getConfigList("webseal.users"); - private Conf(){ - initConf(); - } - - private void initConf() { - try{ - String confPath = System.getProperty("config.resource"); - if (confPath == null){ - System.out.println("config.resource is empty - goint to get it from config.home"); - confPath = System.getProperty("config.home") + "/webseal.conf"; - } - System.out.println("confPath=" + confPath ); - Config confFile = ConfigFactory.parseFileAnySyntax(new File(confPath)); - Config resolve = confFile.resolve(); - setFeHost(resolve.getString("webseal.fe")); - setPortalCookieName(resolve.getString("webseal.portalCookieName")); - List<? extends Config> list = resolve.getConfigList("webseal.users"); + for (final Config config : list) { + String userId = config.getString("userId"); + String password = config.getString("password"); + String firstName = config.getString("firstName"); + String lastName = config.getString("lastName"); + String email = config.getString("email"); + String role = config.getString("role"); + users.put(userId, new User(firstName, lastName, email, userId, role, password)); + } - for (Config conf : list ){ - String userId = conf.getString("userId"); - String password = conf.getString("password"); - String firstName = conf.getString("firstName"); - String lastName = conf.getString("lastName"); - String email = conf.getString("email"); - String role = conf.getString("role"); - users.put(userId,new User(firstName,lastName,email,userId,role,password)); - } - - }catch(Exception e){ - e.printStackTrace(); - } - } - - public static Conf getInstance(){ - return conf; - } + } catch (Exception e) { + e.printStackTrace(); + } + } - public String getFeHost() { - return feHost; - } + public static Conf getInstance() { + return conf; + } - public void setFeHost(String feHost) { - this.feHost = feHost; - } - - public Map<String,User> getUsers() { - return users; - } - } 
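Review bot: The class-level `@Setter` widens `setPortalCookieName` from private to public and generates public `setFeHost`, `setUsers` and `setPermittedAncestors` on a process-wide singleton, so anything holding `Conf.getInstance()` can replace the user map or the frame-ancestors list after start-up, although every value is meant to be loaded once from `webseal.conf` in `initConf()`. Since the setters are only used inside the constructor path, keeping them private preserves the old surface: `@Setter(AccessLevel.PRIVATE)` on the class (or `@Getter` alone with the two private setters kept as explicit methods). The `catch (Exception e) { e.printStackTrace(); }` that the hunk rewrites still leaves every field null when the config path is wrong, which the first point above (the unassigned `permittedAncestors`) would then mask; a comment such as `// config load failure leaves all fields null — callers must tolerate it` would at least make that contract visible to the filter that consumes these values.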
diff --git a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml index a293d3c883..c23e265aae 100644 --- a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml +++ b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml @@ -38,9 +38,18 @@ <url-pattern>/create</url-pattern> </servlet-mapping> + <filter> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <filter-class>org.openecomp.sdc.webseal.simulator.ContentSecurityPolicyHeaderFilter</filter-class> + <async-supported>true</async-supported> + </filter> + <filter-mapping> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> + <welcome-file-list> <welcome-file>login</welcome-file> </welcome-file-list> </web-app> - |
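Review bot: The new `filter-mapping` declares no `<dispatcher>` elements, so `contentSecurityPolicyHeaderFilter` runs only for REQUEST dispatches; responses produced through a FORWARD or ERROR dispatch (error pages, internally forwarded servlets) leave without the `Content-Security-Policy` header and remain framable. Whether this web.xml declares `<error-page>` entries is outside the hunk, but a header-setting filter is normally mapped for all three: add `<dispatcher>REQUEST</dispatcher>`, `<dispatcher>FORWARD</dispatcher>` and `<dispatcher>ERROR</dispatcher>` inside the `filter-mapping` after the `url-pattern`. `<async-supported>true</async-supported>` is only valid under a Servlet 3.0 or later `web-app` schema; the root element is not visible here, so confirm its declared version matches.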