Fix critical cross site scripting

Change-Id: I66a220f71a2e950055107a725191b46bcbe8c6a6 Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech> Issue-ID: SDC-3607 Issue-ID: SDC-3755
author: vasraz <vasyl.razinkov@est.tech> 2021-10-21 17:32:16 +0100
committer: Michael Morris <michael.morris@est.tech> 2021-11-15 11:50:33 +0000
commit: b08ac296b31f001c946b1371f213ac302ff9c12e (patch)
tree: 3be6bcc7c025a82ec15fc35061f5f0e7dc024aeb /catalog-be/src
parent: 7353fb39790b51c593cb0f72c6ab46d906758244 (diff)
2 files changed, 15 insertions, 7 deletions
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java b/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java
index f90440011d..62232beaf5 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java
@@ -33,6 +33,7 @@ import java.util.stream.Collectors;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.tinkerpop.gremlin.structure.Edge;
+import org.onap.portalsdk.core.onboarding.util.CipherUtil;
 import org.openecomp.sdc.be.components.impl.exceptions.ByActionStatusComponentException;
 import org.openecomp.sdc.be.dao.api.ActionStatus;
 import org.openecomp.sdc.be.dao.utils.UserStatusEnum;
@@ -68,6 +69,7 @@ public class UserBusinessLogic {
     }
 
     public User getUser(String userId, boolean inTransaction) {
+        userId = decryptUserId(userId);
         Either<User, ActionStatus> result = userAdminOperation.getUserData(userId, inTransaction);
         if (result.isRight()) {
             handleUserAccessAuditing(userId, result.right().value());
@@ -81,7 +83,19 @@ public class UserBusinessLogic {
         return user;
     }
 
+    private String decryptUserId(final String userId) {
+        if (StringUtils.isNotEmpty(userId)) {
+            try {
+                return CipherUtil.decryptPKC(userId);
+            } catch (final Exception e) {
+                return userId;
+            }
+        }
+        return userId;
+    }
+
     public User getUser(String userId) {
+        userId = decryptUserId(userId);
         UserContext userContext = ThreadLocalsHolder.getUserContext();
         if (Objects.isNull(userContext) || Objects.isNull(userContext.getUserId())) {
             log.info("USER_NOT_FOUND, user=" + userId);
@@ -106,6 +120,7 @@ public class UserBusinessLogic {
     }
 
     public boolean hasActiveUser(String userId) {
+        userId = decryptUserId(userId);
         UserContext userContext = ThreadLocalsHolder.getUserContext();
         if (Objects.isNull(userContext) || Objects.isNull(userContext.getUserId())) {
             handleUserAccessAuditing(userId, ActionStatus.USER_NOT_FOUND);
diff --git a/catalog-be/src/main/resources/scripts/sdcBePy/users/data/users.json b/catalog-be/src/main/resources/scripts/sdcBePy/users/data/users.json
index 9ce2be4dd3..ed3adafe66 100755
--- a/catalog-be/src/main/resources/scripts/sdcBePy/users/data/users.json
+++ b/catalog-be/src/main/resources/scripts/sdcBePy/users/data/users.json
@@ -7,13 +7,6 @@
     "email": "demo@openecomp.org"
   },
   {
-    "userId": "op0001",
-    "firstName": "Oper",
-    "lastName": "P",
-    "role": "OPS",
-    "email": "op0001@openecomp.org"
-  },
-  {
     "userId": "gv0001",
     "firstName": "Giuseppe",
     "lastName": "Verdi",
author	vasraz <vasyl.razinkov@est.tech>	2021-10-21 17:32:16 +0100
committer	Michael Morris <michael.morris@est.tech>	2021-11-15 11:50:33 +0000
commit	b08ac296b31f001c946b1371f213ac302ff9c12e (patch)
tree	3be6bcc7c025a82ec15fc35061f5f0e7dc024aeb /catalog-be/src
parent	7353fb39790b51c593cb0f72c6ab46d906758244 (diff)