diff options
| author |   vasraz <vasyl.razinkov@est.tech> | 2022-10-04 18:16:26 +0100 |
|---|---|---|
| committer | Vasyl Razinkov <vasyl.razinkov@est.tech> | 2022-10-04 18:54:54 +0000 |
| commit | 0899720f168c09d037e577109d7cab665fe1fb91 (patch) | |
| tree | c6c210914a6fb029841d28de92cb760cdad6088d /catalog-be/src | |
| parent | ca487f60c2ca67794b16c0ff0cf5cc6deca556fc (diff) | |
Fix bug 'X-Frame-Options not configured: Lack of clickjacking protection'
Add new Filter (ContentSecurityPolicyHeaderFilter)
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Change-Id: Ic8151df64e4b95b3d59b44a5f74dd12210f55e87
Issue-ID: SDC-4192
Diffstat (limited to 'catalog-be/src')
5 files changed, 58 insertions, 100 deletions
diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb index 83dc113329..a1d0df5037 100644 --- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb +++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb @@ -64,6 +64,7 @@ template "catalog-be-config" do :cassandra_usr => node['cassandra'][:cassandra_user], :cassandra_truststore_password => node['cassandra'][:truststore_password], :cassandra_ssl_enabled => "#{ENV['cassandra_ssl_enabled']}", + :permittedAncestors => "#{ENV['permittedAncestors']}", :dmaap_active => node['DMAAP']['active'] }) end diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb index d1f3bd2c60..5706a16553 100644 --- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb +++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb @@ -1289,5 +1289,9 @@ externalCsarStore: secretKey: "password" tempPath: "/home/onap/temp/" uploadPartSize: 200000000 + #This configuration specifies the delimiter used to differentiate instance name and count componentInstanceCounterDelimiter: " " + +#Space separated list of permitted ancestors +permittedAncestors: <%= @permittedAncestors %> diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java new file mode 100644 index 0000000000..c9871c3c3a --- /dev/null +++ b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java @@ -0,0 +1,41 @@ +/* + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2022 Nordix Foundation. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.filters; + +import org.openecomp.sdc.be.config.Configuration; +import org.openecomp.sdc.be.config.ConfigurationManager; +import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract; + +public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract { + + @Override + protected String getPermittedAncestors() { + final ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager(); + if (configurationManager != null) { + final Configuration configuration = configurationManager.getConfiguration(); + if (configuration != null) { + return configuration.getPermittedAncestors(); + } + } + return ""; + } + +} diff --git a/catalog-be/src/main/resources/config/configuration.yaml b/catalog-be/src/main/resources/config/configuration.yaml index 20014dc7cb..c34d6742a1 100644 --- a/catalog-be/src/main/resources/config/configuration.yaml +++ b/catalog-be/src/main/resources/config/configuration.yaml @@ -927,3 +927,6 @@ directives: - selectable - substitute - substitutable + +#Space separated list of permitted ancestors +permittedAncestors: "" diff --git a/catalog-be/src/main/webapp/WEB-INF/web.xml b/catalog-be/src/main/webapp/WEB-INF/web.xml index 64763b27a8..7cbfd1a920 100644 --- a/catalog-be/src/main/webapp/WEB-INF/web.xml +++ b/catalog-be/src/main/webapp/WEB-INF/web.xml @@ -84,30 +84,6 @@ <async-supported>true</async-supported> </servlet> - <!-- <filter>--> - <!-- <filter-name>CadiAuthFilter</filter-name>--> - <!-- <filter-class>org.onap.portalsdk.core.onboarding.crossapi.CadiAuthFilter</filter-class>--> - <!-- <init-param>--> - <!-- <param-name>cadi_prop_files</param-name>--> - <!-- <!– Add Absolute path of cadi.properties –>--> - <!-- <param-value>etc/cadi.properties</param-value>--> - <!-- </init-param>--> - <!-- <!–Add param values with comma delimited values –>--> - <!-- <!– for example /api/v3/*,/auxapi/*–>--> - <!-- <init-param>--> - <!-- <param-name>include_url_endpoints</param-name>--> - <!-- <param-value>/api/v3/roles,/api/v3/user/*,/api/v3/user/*/roles,/api/v3/users,/api/v3/sessionTimeOuts,/api/v3/updateSessionTimeOuts</param-value>--> - <!-- </init-param>--> - <!-- <init-param>--> - <!-- <param-name>exclude_url_endpoints</param-name>--> - <!-- <param-value>/api/v3/analytics,/api/v3/storeAnalytics</param-value>--> - <!-- </init-param>--> - <!-- </filter>--> - <!-- <filter-mapping>--> - <!-- <filter-name>CadiAuthFilter</filter-name>--> - <!-- <url-pattern>/api/v3/*</url-pattern>--> - <!-- </filter-mapping>--> - <servlet> <servlet-name>ViewStatusMessages</servlet-name> <servlet-class>ch.qos.logback.classic.ViewStatusMessagesServlet</servlet-class> @@ -129,35 +105,15 @@ <url-pattern>/lbClassicStatus</url-pattern> </servlet-mapping> - <!-- <filter> - <filter-name>GzipFilter</filter-name> - <filter-class>org.eclipse.jetty.servlets.GzipFilter</filter-class> - <async-supported>true</async-supported> - <init-param> - <param-name>methods</param-name> - <param-value>GET,POST,PUT,DELETE</param-value> - </init-param> - <init-param> - <param-name>mimeTypes</param-name> - <param-value>text/html,text/plain,text/css,application/javascript,application/json</param-value> - </init-param> - </filter> - <filter-mapping> - <filter-name>GzipFilter</filter-name> - <url-pattern>/sdc2/rest/*</url-pattern> - </filter-mapping> - - --> - <!--<filter>--> - <!--<filter-name>RestrictionAccessFilter</filter-name>--> - <!--<filter-class>org.openecomp.sdc.be.filters.RestrictionAccessFilter</filter-class>--> - <!--<async-supported>true</async-supported>--> - <!--</filter>--> - - <!-- <filter>--> - <!-- <filter-name>gatewayFilter</filter-name>--> - <!-- <filter-class>org.openecomp.sdc.be.filters.GatewayFilter</filter-class>--> - <!-- </filter>--> + <filter> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <filter-class>org.openecomp.sdc.be.filters.ContentSecurityPolicyHeaderFilter</filter-class> + <async-supported>true</async-supported> + </filter> + <filter-mapping> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> <filter> <filter-name>gatewayFilter</filter-name> @@ -176,53 +132,6 @@ <url-pattern>/sdc/*</url-pattern> </filter-mapping> - <!-- - <filter> - <filter-name>basicAuthFilter</filter-name> - <filter-class> - org.openecomp.sdc.be.filters.BasicAuthenticationFilter - </filter-class> - <init-param> - <param-name>excludedUrls</param-name> - <param-value>/sdc2/rest/healthCheck,/sdc2/rest/v1/user,/sdc2/rest/v1/user/jh0003,/sdc2/rest/v1/screen,/sdc2/rest/v1/consumers,/sdc2/rest/v1/catalog/uploadType/datatypes,/sdc2/rest/v1/catalog/upload/multipart</param-value> - </init-param> - </filter> - - <filter-mapping> - <filter-name>basicAuthFilter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping>--> - - <!-- <filter>--> - <!-- <filter-name>beRestrictionAccessFilter</filter-name>--> - <!-- <filter-class>--> - <!-- org.springframework.web.filter.DelegatingFilterProxy--> - <!-- </filter-class>--> - <!-- <init-param>--> - <!-- <param-name>targetFilterLifecycle</param-name>--> - <!-- <param-value>true</param-value>--> - <!-- </init-param>--> - <!-- </filter>--> - <!-- <filter-mapping>--> - <!-- <filter-name>beRestrictionAccessFilter</filter-name>--> - <!-- <url-pattern>/sdc2/rest/*</url-pattern>--> - <!-- </filter-mapping>--> - - <!-- <filter>--> - <!-- <filter-name>CADI</filter-name>--> - <!-- <filter-class>org.openecomp.sdc.be.filters.BeCadiServletFilter</filter-class>--> - <!-- <init-param>--> - <!-- <param-name>cadi_prop_files</param-name>--> - <!-- <param-value>etc/cadi.properties</param-value>--> - <!-- </init-param>--> - <!-- </filter>--> - - <!-- <filter-mapping>--> - <!-- <filter-name>CADI</filter-name>--> - <!-- <url-pattern>/sdc/*</url-pattern>--> - <!-- <url-pattern>/sdc2/rest/*</url-pattern>--> - <!-- </filter-mapping>--> - <filter> <filter-name>reqValidationFilter</filter-name> <filter-class> |