aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorvasraz <vasyl.razinkov@est.tech>2022-10-04 18:16:26 +0100
committerVasyl Razinkov <vasyl.razinkov@est.tech>2022-10-04 18:54:54 +0000
commit0899720f168c09d037e577109d7cab665fe1fb91 (patch)
treec6c210914a6fb029841d28de92cb760cdad6088d
parentca487f60c2ca67794b16c0ff0cf5cc6deca556fc (diff)
Fix bug 'X-Frame-Options not configured: Lack of clickjacking protection'
Add new Filter (ContentSecurityPolicyHeaderFilter) Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech> Change-Id: Ic8151df64e4b95b3d59b44a5f74dd12210f55e87 Issue-ID: SDC-4192
-rw-r--r--catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb1
-rw-r--r--catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb4
-rw-r--r--catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java41
-rw-r--r--catalog-be/src/main/resources/config/configuration.yaml3
-rw-r--r--catalog-be/src/main/webapp/WEB-INF/web.xml109
-rw-r--r--catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb1
-rw-r--r--catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb3
-rw-r--r--catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java40
-rw-r--r--catalog-fe/src/main/webapp/WEB-INF/web.xml27
-rw-r--r--common-app-api/src/main/java/org/openecomp/sdc/be/config/Configuration.java1
-rw-r--r--common-app-api/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilterAbstract.java55
-rw-r--r--common-app-api/src/main/java/org/openecomp/sdc/fe/config/Configuration.java1
-rw-r--r--openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml11
-rw-r--r--openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml11
-rw-r--r--openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb5
-rw-r--r--openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb3
-rw-r--r--openecomp-be/lib/openecomp-common-lib/pom.xml11
-rw-r--r--openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilter.java35
-rw-r--r--utils/webseal-simulator/pom.xml12
-rw-r--r--utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb4
-rw-r--r--utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb4
-rw-r--r--utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java32
-rw-r--r--utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java100
-rw-r--r--utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml11
24 files changed, 339 insertions, 186 deletions
diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb
index 83dc113329..a1d0df5037 100644
--- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb
+++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb
@@ -64,6 +64,7 @@ template "catalog-be-config" do
:cassandra_usr => node['cassandra'][:cassandra_user],
:cassandra_truststore_password => node['cassandra'][:truststore_password],
:cassandra_ssl_enabled => "#{ENV['cassandra_ssl_enabled']}",
+ :permittedAncestors => "#{ENV['permittedAncestors']}",
:dmaap_active => node['DMAAP']['active']
})
end
diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb
index d1f3bd2c60..5706a16553 100644
--- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb
+++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb
@@ -1289,5 +1289,9 @@ externalCsarStore:
secretKey: "password"
tempPath: "/home/onap/temp/"
uploadPartSize: 200000000
+
#This configuration specifies the delimiter used to differentiate instance name and count
componentInstanceCounterDelimiter: " "
+
+#Space separated list of permitted ancestors
+permittedAncestors: <%= @permittedAncestors %>
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java
new file mode 100644
index 0000000000..c9871c3c3a
--- /dev/null
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java
@@ -0,0 +1,41 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.filters;
+
+import org.openecomp.sdc.be.config.Configuration;
+import org.openecomp.sdc.be.config.ConfigurationManager;
+import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract;
+
+public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract {
+
+ @Override
+ protected String getPermittedAncestors() {
+ final ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager();
+ if (configurationManager != null) {
+ final Configuration configuration = configurationManager.getConfiguration();
+ if (configuration != null) {
+ return configuration.getPermittedAncestors();
+ }
+ }
+ return "";
+ }
+
+}
diff --git a/catalog-be/src/main/resources/config/configuration.yaml b/catalog-be/src/main/resources/config/configuration.yaml
index 20014dc7cb..c34d6742a1 100644
--- a/catalog-be/src/main/resources/config/configuration.yaml
+++ b/catalog-be/src/main/resources/config/configuration.yaml
@@ -927,3 +927,6 @@ directives:
- selectable
- substitute
- substitutable
+
+#Space separated list of permitted ancestors
+permittedAncestors: ""
diff --git a/catalog-be/src/main/webapp/WEB-INF/web.xml b/catalog-be/src/main/webapp/WEB-INF/web.xml
index 64763b27a8..7cbfd1a920 100644
--- a/catalog-be/src/main/webapp/WEB-INF/web.xml
+++ b/catalog-be/src/main/webapp/WEB-INF/web.xml
@@ -84,30 +84,6 @@
<async-supported>true</async-supported>
</servlet>
- <!-- <filter>-->
- <!-- <filter-name>CadiAuthFilter</filter-name>-->
- <!-- <filter-class>org.onap.portalsdk.core.onboarding.crossapi.CadiAuthFilter</filter-class>-->
- <!-- <init-param>-->
- <!-- <param-name>cadi_prop_files</param-name>-->
- <!-- &lt;!&ndash; Add Absolute path of cadi.properties &ndash;&gt;-->
- <!-- <param-value>etc/cadi.properties</param-value>-->
- <!-- </init-param>-->
- <!-- &lt;!&ndash;Add param values with comma delimited values &ndash;&gt;-->
- <!-- &lt;!&ndash; for example /api/v3/*,/auxapi/*&ndash;&gt;-->
- <!-- <init-param>-->
- <!-- <param-name>include_url_endpoints</param-name>-->
- <!-- <param-value>/api/v3/roles,/api/v3/user/*,/api/v3/user/*/roles,/api/v3/users,/api/v3/sessionTimeOuts,/api/v3/updateSessionTimeOuts</param-value>-->
- <!-- </init-param>-->
- <!-- <init-param>-->
- <!-- <param-name>exclude_url_endpoints</param-name>-->
- <!-- <param-value>/api/v3/analytics,/api/v3/storeAnalytics</param-value>-->
- <!-- </init-param>-->
- <!-- </filter>-->
- <!-- <filter-mapping>-->
- <!-- <filter-name>CadiAuthFilter</filter-name>-->
- <!-- <url-pattern>/api/v3/*</url-pattern>-->
- <!-- </filter-mapping>-->
-
<servlet>
<servlet-name>ViewStatusMessages</servlet-name>
<servlet-class>ch.qos.logback.classic.ViewStatusMessagesServlet</servlet-class>
@@ -129,35 +105,15 @@
<url-pattern>/lbClassicStatus</url-pattern>
</servlet-mapping>
- <!-- <filter>
- <filter-name>GzipFilter</filter-name>
- <filter-class>org.eclipse.jetty.servlets.GzipFilter</filter-class>
- <async-supported>true</async-supported>
- <init-param>
- <param-name>methods</param-name>
- <param-value>GET,POST,PUT,DELETE</param-value>
- </init-param>
- <init-param>
- <param-name>mimeTypes</param-name>
- <param-value>text/html,text/plain,text/css,application/javascript,application/json</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>GzipFilter</filter-name>
- <url-pattern>/sdc2/rest/*</url-pattern>
- </filter-mapping>
-
- -->
- <!--<filter>-->
- <!--<filter-name>RestrictionAccessFilter</filter-name>-->
- <!--<filter-class>org.openecomp.sdc.be.filters.RestrictionAccessFilter</filter-class>-->
- <!--<async-supported>true</async-supported>-->
- <!--</filter>-->
-
- <!-- <filter>-->
- <!-- <filter-name>gatewayFilter</filter-name>-->
- <!-- <filter-class>org.openecomp.sdc.be.filters.GatewayFilter</filter-class>-->
- <!-- </filter>-->
+ <filter>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <filter-class>org.openecomp.sdc.be.filters.ContentSecurityPolicyHeaderFilter</filter-class>
+ <async-supported>true</async-supported>
+ </filter>
+ <filter-mapping>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
<filter>
<filter-name>gatewayFilter</filter-name>
@@ -176,53 +132,6 @@
<url-pattern>/sdc/*</url-pattern>
</filter-mapping>
- <!--
- <filter>
- <filter-name>basicAuthFilter</filter-name>
- <filter-class>
- org.openecomp.sdc.be.filters.BasicAuthenticationFilter
- </filter-class>
- <init-param>
- <param-name>excludedUrls</param-name>
- <param-value>/sdc2/rest/healthCheck,/sdc2/rest/v1/user,/sdc2/rest/v1/user/jh0003,/sdc2/rest/v1/screen,/sdc2/rest/v1/consumers,/sdc2/rest/v1/catalog/uploadType/datatypes,/sdc2/rest/v1/catalog/upload/multipart</param-value>
- </init-param>
- </filter>
-
- <filter-mapping>
- <filter-name>basicAuthFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>-->
-
- <!-- <filter>-->
- <!-- <filter-name>beRestrictionAccessFilter</filter-name>-->
- <!-- <filter-class>-->
- <!-- org.springframework.web.filter.DelegatingFilterProxy-->
- <!-- </filter-class>-->
- <!-- <init-param>-->
- <!-- <param-name>targetFilterLifecycle</param-name>-->
- <!-- <param-value>true</param-value>-->
- <!-- </init-param>-->
- <!-- </filter>-->
- <!-- <filter-mapping>-->
- <!-- <filter-name>beRestrictionAccessFilter</filter-name>-->
- <!-- <url-pattern>/sdc2/rest/*</url-pattern>-->
- <!-- </filter-mapping>-->
-
- <!-- <filter>-->
- <!-- <filter-name>CADI</filter-name>-->
- <!-- <filter-class>org.openecomp.sdc.be.filters.BeCadiServletFilter</filter-class>-->
- <!-- <init-param>-->
- <!-- <param-name>cadi_prop_files</param-name>-->
- <!-- <param-value>etc/cadi.properties</param-value>-->
- <!-- </init-param>-->
- <!-- </filter>-->
-
- <!-- <filter-mapping>-->
- <!-- <filter-name>CADI</filter-name>-->
- <!-- <url-pattern>/sdc/*</url-pattern>-->
- <!-- <url-pattern>/sdc2/rest/*</url-pattern>-->
- <!-- </filter-mapping>-->
-
<filter>
<filter-name>reqValidationFilter</filter-name>
<filter-class>
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb
index 819638ac08..73176ed1c3 100644
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb
+++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb
@@ -13,6 +13,7 @@ template "catalog-fe-config" do
:basic_auth_flag => node['basic_auth']['enabled'],
:user_name => node['basic_auth'][:user_name],
:user_pass => node['basic_auth'][:user_pass],
+ :permittedAncestors => "#{ENV['permittedAncestors']}",
:dcae_fe_vip => node['DCAE_FE_VIP']
})
end
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb
index 8dc3c51df3..1b10845aaa 100644
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb
+++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb
@@ -124,3 +124,6 @@ healthStatusExclude:
- PORTAL
- CATALOG_FACADE_MS
- External API
+
+#Space separated list of permitted ancestors
+permittedAncestors: <%= @permittedAncestors %>
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java
new file mode 100644
index 0000000000..a49f625e54
--- /dev/null
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java
@@ -0,0 +1,40 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.fe.filters;
+
+import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract;
+import org.openecomp.sdc.fe.config.Configuration;
+import org.openecomp.sdc.fe.config.ConfigurationManager;
+
+public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract {
+
+ @Override
+ protected String getPermittedAncestors() {
+ final ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager();
+ if (configurationManager != null) {
+ final Configuration configuration = configurationManager.getConfiguration();
+ if (configuration != null) {
+ return configuration.getPermittedAncestors();
+ }
+ }
+ return "";
+ }
+}
diff --git a/catalog-fe/src/main/webapp/WEB-INF/web.xml b/catalog-fe/src/main/webapp/WEB-INF/web.xml
index de133ac8ec..895dfd8690 100644
--- a/catalog-fe/src/main/webapp/WEB-INF/web.xml
+++ b/catalog-fe/src/main/webapp/WEB-INF/web.xml
@@ -47,8 +47,6 @@
<load-on-startup>1</load-on-startup>
<async-supported>true</async-supported>
-
-
</servlet>
<servlet-mapping>
@@ -72,6 +70,15 @@
<param-value>false</param-value>
</context-param>
+ <filter>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <filter-class>org.openecomp.sdc.fe.filters.ContentSecurityPolicyHeaderFilter</filter-class>
+ <async-supported>true</async-supported>
+ </filter>
+ <filter-mapping>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
<filter>
<filter-name>AuditLogServletFilter</filter-name>
@@ -79,17 +86,6 @@
<async-supported>true</async-supported>
</filter>
- <!-- <filter>-->
- <!-- <filter-name>SecurityFilter</filter-name>-->
- <!-- <filter-class>org.openecomp.sdc.fe.filters.SecurityFilter</filter-class>-->
- <!-- <async-supported>true</async-supported>-->
- <!-- <init-param>-->
- <!-- <param-name>excludedUrls</param-name>-->
- <!-- &lt;!&ndash; Comma separated list of excluded servlet URLs &ndash;&gt;-->
- <!-- <param-value>/config,/configmgr,/rest</param-value>-->
- <!-- </init-param>-->
- <!-- </filter>-->
-
<filter>
<filter-name>gzipFilter</filter-name>
<filter-class>org.openecomp.sdc.fe.filters.GzipFilter</filter-class>
@@ -101,11 +97,6 @@
<url-pattern>/*</url-pattern>
</filter-mapping>
- <!-- <filter-mapping>-->
- <!-- <filter-name>SecurityFilter</filter-name>-->
- <!-- <url-pattern>/*</url-pattern>-->
- <!-- </filter-mapping>-->
-
<filter-mapping>
<filter-name>gzipFilter</filter-name>
<url-pattern>*.jsgz</url-pattern>
diff --git a/common-app-api/src/main/java/org/openecomp/sdc/be/config/Configuration.java b/common-app-api/src/main/java/org/openecomp/sdc/be/config/Configuration.java
index 5a1eacdb58..da849f385c 100644
--- a/common-app-api/src/main/java/org/openecomp/sdc/be/config/Configuration.java
+++ b/common-app-api/src/main/java/org/openecomp/sdc/be/config/Configuration.java
@@ -147,6 +147,7 @@ public class Configuration extends BasicConfiguration {
private ExternalCsarStore externalCsarStore;
private CsarFormat csarFormat;
private String componentInstanceCounterDelimiter;
+ private String permittedAncestors; // Space separated list of permitted ancestors
@SuppressWarnings("unchecked")
private <K, V> Map<K, V> safeGetCapsInsensitiveMap(Map<K, V> map) {
diff --git a/common-app-api/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilterAbstract.java b/common-app-api/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilterAbstract.java
new file mode 100644
index 0000000000..1281f27a11
--- /dev/null
+++ b/common-app-api/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilterAbstract.java
@@ -0,0 +1,55 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.common.filters;
+
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+
+public abstract class ContentSecurityPolicyHeaderFilterAbstract implements Filter {
+
+ @Override
+ public void init(final FilterConfig filterConfig) throws ServletException {
+ // nothing to override
+ }
+
+ @Override
+ public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException {
+ final HttpServletResponse httpServletResponse = (HttpServletResponse) response;
+ final String permittedAncestors = getPermittedAncestors();
+ httpServletResponse.setHeader("Content-Security-Policy",
+ "frame-ancestors 'self' " + (StringUtils.isNotBlank(permittedAncestors) ? permittedAncestors : ""));
+ chain.doFilter(request, httpServletResponse);
+ }
+
+ @Override
+ public void destroy() {
+ // nothing to override
+ }
+
+ protected abstract String getPermittedAncestors();
+}
diff --git a/common-app-api/src/main/java/org/openecomp/sdc/fe/config/Configuration.java b/common-app-api/src/main/java/org/openecomp/sdc/fe/config/Configuration.java
index 322c57ccd6..279f183324 100644
--- a/common-app-api/src/main/java/org/openecomp/sdc/fe/config/Configuration.java
+++ b/common-app-api/src/main/java/org/openecomp/sdc/fe/config/Configuration.java
@@ -75,6 +75,7 @@ public class Configuration extends BasicConfiguration {
private List<List<String>> identificationHeaderFields;
private List<List<String>> optionalHeaderFields;
private List<String> forwardHeaderFields;
+ private String permittedAncestors; // Space separated list of permitted ancestors
public Integer getHealthCheckSocketTimeoutInMs(int defaultVal) {
return healthCheckSocketTimeoutInMs == null ? defaultVal : healthCheckSocketTimeoutInMs;
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
index 9191a35786..b51399ca54 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
@@ -4,7 +4,6 @@
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
-
<!-- Spring -->
<context-param>
<param-name>contextConfigLocation</param-name>
@@ -16,6 +15,16 @@
</listener>
<filter>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <filter-class>org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter</filter-class>
+ <async-supported>true</async-supported>
+ </filter>
+ <filter-mapping>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
+ <filter>
<filter-name>cross-origin</filter-name>
<filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
<init-param>
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
index 3cbfb1325e..eb8bd9e93f 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
@@ -4,7 +4,6 @@
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
-
<!-- Spring -->
<context-param>
<param-name>contextConfigLocation</param-name>
@@ -26,6 +25,16 @@
</listener>
<filter>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <filter-class>org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter</filter-class>
+ <async-supported>true</async-supported>
+ </filter>
+ <filter-mapping>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
+ <filter>
<filter-name>PermissionsFilter</filter-name>
<filter-class>org.openecomp.sdc.itempermissions.servlet.PermissionsFilter</filter-class>
</filter>
diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb
index 1cd2ed284f..526f2dd4b4 100644
--- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb
+++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb
@@ -23,12 +23,11 @@ template "onboard-be-config" do
:catalog_notification_url => node['ONBOARDING_BE']['catalog_notification_url'],
:catalog_be_http_port => node['BE'][:http_port],
:catalog_be_ssl_port => node['BE'][:https_port],
+ :permittedAncestors => "#{ENV['permittedAncestors']}",
:catalog_be_fqdn => node['Nodes']['BE']
})
end
-
-
template "VnfrepoConfiguration" do
path "#{ENV['JETTY_BASE']}/config/onboarding-be/config-vnfrepo.yaml"
source "vnfrepo-configuration.yaml.erb"
@@ -41,7 +40,6 @@ template "VnfrepoConfiguration" do
})
end
-
template "HelmValidatorConfiguration" do
path "#{ENV['JETTY_BASE']}/config/onboarding-be/config-helmvalidator.yaml"
source "helmvalidator-configuration.yaml.erb"
@@ -58,7 +56,6 @@ template "HelmValidatorConfiguration" do
})
end
-
template "ExternalTestingConfiguration" do
path "#{ENV['JETTY_BASE']}/config/onboarding-be/externaltesting-configuration.yaml"
source "externaltesting-configuration.yaml.erb"
diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb
index ae07857585..93e0be9467 100644
--- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb
+++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb
@@ -69,3 +69,6 @@ externalCsarStore:
thresholdEntries: 10000
tempPath: "/home/onap/temp/"
uploadPartSize: 200000000
+
+#Space separated list of permitted ancestors
+permittedAncestors: <%= @permittedAncestors %>
diff --git a/openecomp-be/lib/openecomp-common-lib/pom.xml b/openecomp-be/lib/openecomp-common-lib/pom.xml
index 43ec9c25f6..cb41e44001 100644
--- a/openecomp-be/lib/openecomp-common-lib/pom.xml
+++ b/openecomp-be/lib/openecomp-common-lib/pom.xml
@@ -26,6 +26,17 @@
<version>${project.version}</version>
</dependency>
<dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>javax.servlet-api</artifactId>
+ <version>${servlet-api.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>javax.inject</groupId>
+ <artifactId>javax.inject</artifactId>
+ <version>${javax.inject.version}</version>
+ </dependency>
+ <dependency>
<groupId>javax.ws.rs</groupId>
<artifactId>javax.ws.rs-api</artifactId>
<scope>provided</scope>
diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilter.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilter.java
new file mode 100644
index 0000000000..f7aa6f2da0
--- /dev/null
+++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilter.java
@@ -0,0 +1,35 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.common.filters;
+
+import org.openecomp.sdc.common.CommonConfigurationManager;
+
+public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract {
+
+ @Override
+ protected String getPermittedAncestors() {
+ final CommonConfigurationManager commonConfigurationManager = CommonConfigurationManager.getInstance();
+ if (commonConfigurationManager != null) {
+ return commonConfigurationManager.getConfigValue("permittedAncestors", "");
+ }
+ return "";
+ }
+}
diff --git a/utils/webseal-simulator/pom.xml b/utils/webseal-simulator/pom.xml
index 9aba026299..8b2fa980a8 100644
--- a/utils/webseal-simulator/pom.xml
+++ b/utils/webseal-simulator/pom.xml
@@ -23,6 +23,18 @@
<dependencies>
<dependency>
+ <groupId>org.openecomp.sdc</groupId>
+ <artifactId>common-app-api</artifactId>
+ <version>${project.version}</version>
+ <scope>compile</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpcore</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>${javax.servlet.version}</version>
diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb
index 3769a1f723..9ee166364c 100644
--- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb
+++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb
@@ -6,7 +6,6 @@ else
fe_url="http://#{node['Nodes']['FE']}:#{node['FE'][:http_port]}"
end
-
template "webseal.conf" do
path "#{ENV['JETTY_BASE']}/config/sdc-simulator/webseal.conf"
source "SDC-Simulator-webseal.conf.erb"
@@ -14,6 +13,7 @@ template "webseal.conf" do
group "#{ENV['JETTY_GROUP']}"
mode "0755"
variables({
- :fe_url =>"#{fe_url}"
+ :fe_url =>"#{fe_url}",
+ :permittedAncestors => "#{ENV['permittedAncestors']}"
})
end
diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb
index f6e634481f..f72c3ae270 100644
--- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb
+++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb
@@ -2,6 +2,8 @@
webseal {
fe="<%= @fe_url %>"
portalCookieName="EPService"
+ #Space separated list of permitted ancestors
+ permittedAncestors="<%= @permittedAncestors %>"
users = [
{
userId="cs0008"
@@ -9,7 +11,7 @@
firstName="Carlos"
lastName="Santana"
role="Designer"
- email="csantana@sdc.com"
+ email="csantana@sdc.com"
},
{
userId="jh0003"
diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java
new file mode 100644
index 0000000000..ed4b4c1c39
--- /dev/null
+++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java
@@ -0,0 +1,32 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.webseal.simulator;
+
+import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract;
+import org.openecomp.sdc.webseal.simulator.conf.Conf;
+
+public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract {
+
+ @Override
+ protected String getPermittedAncestors() {
+ return Conf.getInstance().getPermittedAncestors();
+ }
+}
diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java
index 449fe62f49..eb498c975e 100644
--- a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java
+++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java
@@ -7,9 +7,9 @@
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -22,75 +22,59 @@ package org.openecomp.sdc.webseal.simulator.conf;
import com.typesafe.config.Config;
import com.typesafe.config.ConfigFactory;
-import org.openecomp.sdc.webseal.simulator.User;
-
import java.io.File;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import lombok.Getter;
+import lombok.Setter;
+import org.openecomp.sdc.webseal.simulator.User;
+@Getter
+@Setter
public class Conf {
- private static Conf conf = new Conf();
- private String feHost;
- private Map<String,User> users = new HashMap<String,User>();
+ private static Conf conf = new Conf();
+ private String feHost;
+ private Map<String, User> users = new HashMap<String, User>();
private String portalCookieName;
+ private String permittedAncestors; // Space separated list of permitted ancestors
- private void setPortalCookieName(String portalCookieName) {
- this.portalCookieName = portalCookieName;
+ private Conf() {
+ initConf();
}
- public String getPortalCookieName() {
- return portalCookieName;
- }
+ private void initConf() {
+ try {
+ String confPath = System.getProperty("config.resource");
+ if (confPath == null) {
+ System.out.println("config.resource is empty - goint to get it from config.home");
+ confPath = System.getProperty("config.home") + "/webseal.conf";
+ }
+ System.out.println("confPath=" + confPath);
+ final Config confFile = ConfigFactory.parseFileAnySyntax(new File(confPath));
+ final Config resolve = confFile.resolve();
+ setFeHost(resolve.getString("webseal.fe"));
+ setPortalCookieName(resolve.getString("webseal.portalCookieName"));
+ final List<? extends Config> list = resolve.getConfigList("webseal.users");
- private Conf(){
- initConf();
- }
-
- private void initConf() {
- try{
- String confPath = System.getProperty("config.resource");
- if (confPath == null){
- System.out.println("config.resource is empty - goint to get it from config.home");
- confPath = System.getProperty("config.home") + "/webseal.conf";
- }
- System.out.println("confPath=" + confPath );
- Config confFile = ConfigFactory.parseFileAnySyntax(new File(confPath));
- Config resolve = confFile.resolve();
- setFeHost(resolve.getString("webseal.fe"));
- setPortalCookieName(resolve.getString("webseal.portalCookieName"));
- List<? extends Config> list = resolve.getConfigList("webseal.users");
+ for (final Config config : list) {
+ String userId = config.getString("userId");
+ String password = config.getString("password");
+ String firstName = config.getString("firstName");
+ String lastName = config.getString("lastName");
+ String email = config.getString("email");
+ String role = config.getString("role");
+ users.put(userId, new User(firstName, lastName, email, userId, role, password));
+ }
- for (Config conf : list ){
- String userId = conf.getString("userId");
- String password = conf.getString("password");
- String firstName = conf.getString("firstName");
- String lastName = conf.getString("lastName");
- String email = conf.getString("email");
- String role = conf.getString("role");
- users.put(userId,new User(firstName,lastName,email,userId,role,password));
- }
-
- }catch(Exception e){
- e.printStackTrace();
- }
- }
-
- public static Conf getInstance(){
- return conf;
- }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
- public String getFeHost() {
- return feHost;
- }
+ public static Conf getInstance() {
+ return conf;
+ }
- public void setFeHost(String feHost) {
- this.feHost = feHost;
- }
-
- public Map<String,User> getUsers() {
- return users;
- }
-
}
diff --git a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml
index a293d3c883..c23e265aae 100644
--- a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml
+++ b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml
@@ -38,9 +38,18 @@
<url-pattern>/create</url-pattern>
</servlet-mapping>
+ <filter>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <filter-class>org.openecomp.sdc.webseal.simulator.ContentSecurityPolicyHeaderFilter</filter-class>
+ <async-supported>true</async-supported>
+ </filter>
+ <filter-mapping>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
<welcome-file-list>
<welcome-file>login</welcome-file>
</welcome-file-list>
</web-app>
-