aboutsummaryrefslogtreecommitdiffstats
path: root/catalog-be
diff options
context:
space:
mode:
authorvasraz <vasyl.razinkov@est.tech>2022-10-04 18:16:26 +0100
committerVasyl Razinkov <vasyl.razinkov@est.tech>2022-10-04 18:54:54 +0000
commit0899720f168c09d037e577109d7cab665fe1fb91 (patch)
treec6c210914a6fb029841d28de92cb760cdad6088d /catalog-be
parentca487f60c2ca67794b16c0ff0cf5cc6deca556fc (diff)
Fix bug 'X-Frame-Options not configured: Lack of clickjacking protection'
Add new Filter (ContentSecurityPolicyHeaderFilter) Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech> Change-Id: Ic8151df64e4b95b3d59b44a5f74dd12210f55e87 Issue-ID: SDC-4192
Diffstat (limited to 'catalog-be')
-rw-r--r--catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb1
-rw-r--r--catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb4
-rw-r--r--catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java41
-rw-r--r--catalog-be/src/main/resources/config/configuration.yaml3
-rw-r--r--catalog-be/src/main/webapp/WEB-INF/web.xml109
5 files changed, 58 insertions, 100 deletions
diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb
index 83dc113329..a1d0df5037 100644
--- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb
+++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb
@@ -64,6 +64,7 @@ template "catalog-be-config" do
:cassandra_usr => node['cassandra'][:cassandra_user],
:cassandra_truststore_password => node['cassandra'][:truststore_password],
:cassandra_ssl_enabled => "#{ENV['cassandra_ssl_enabled']}",
+ :permittedAncestors => "#{ENV['permittedAncestors']}",
:dmaap_active => node['DMAAP']['active']
})
end
diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb
index d1f3bd2c60..5706a16553 100644
--- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb
+++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb
@@ -1289,5 +1289,9 @@ externalCsarStore:
secretKey: "password"
tempPath: "/home/onap/temp/"
uploadPartSize: 200000000
+
#This configuration specifies the delimiter used to differentiate instance name and count
componentInstanceCounterDelimiter: " "
+
+#Space separated list of permitted ancestors
+permittedAncestors: <%= @permittedAncestors %>
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java
new file mode 100644
index 0000000000..c9871c3c3a
--- /dev/null
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java
@@ -0,0 +1,41 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.filters;
+
+import org.openecomp.sdc.be.config.Configuration;
+import org.openecomp.sdc.be.config.ConfigurationManager;
+import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract;
+
+public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract {
+
+ @Override
+ protected String getPermittedAncestors() {
+ final ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager();
+ if (configurationManager != null) {
+ final Configuration configuration = configurationManager.getConfiguration();
+ if (configuration != null) {
+ return configuration.getPermittedAncestors();
+ }
+ }
+ return "";
+ }
+
+}
diff --git a/catalog-be/src/main/resources/config/configuration.yaml b/catalog-be/src/main/resources/config/configuration.yaml
index 20014dc7cb..c34d6742a1 100644
--- a/catalog-be/src/main/resources/config/configuration.yaml
+++ b/catalog-be/src/main/resources/config/configuration.yaml
@@ -927,3 +927,6 @@ directives:
- selectable
- substitute
- substitutable
+
+#Space separated list of permitted ancestors
+permittedAncestors: ""
diff --git a/catalog-be/src/main/webapp/WEB-INF/web.xml b/catalog-be/src/main/webapp/WEB-INF/web.xml
index 64763b27a8..7cbfd1a920 100644
--- a/catalog-be/src/main/webapp/WEB-INF/web.xml
+++ b/catalog-be/src/main/webapp/WEB-INF/web.xml
@@ -84,30 +84,6 @@
<async-supported>true</async-supported>
</servlet>
- <!-- <filter>-->
- <!-- <filter-name>CadiAuthFilter</filter-name>-->
- <!-- <filter-class>org.onap.portalsdk.core.onboarding.crossapi.CadiAuthFilter</filter-class>-->
- <!-- <init-param>-->
- <!-- <param-name>cadi_prop_files</param-name>-->
- <!-- &lt;!&ndash; Add Absolute path of cadi.properties &ndash;&gt;-->
- <!-- <param-value>etc/cadi.properties</param-value>-->
- <!-- </init-param>-->
- <!-- &lt;!&ndash;Add param values with comma delimited values &ndash;&gt;-->
- <!-- &lt;!&ndash; for example /api/v3/*,/auxapi/*&ndash;&gt;-->
- <!-- <init-param>-->
- <!-- <param-name>include_url_endpoints</param-name>-->
- <!-- <param-value>/api/v3/roles,/api/v3/user/*,/api/v3/user/*/roles,/api/v3/users,/api/v3/sessionTimeOuts,/api/v3/updateSessionTimeOuts</param-value>-->
- <!-- </init-param>-->
- <!-- <init-param>-->
- <!-- <param-name>exclude_url_endpoints</param-name>-->
- <!-- <param-value>/api/v3/analytics,/api/v3/storeAnalytics</param-value>-->
- <!-- </init-param>-->
- <!-- </filter>-->
- <!-- <filter-mapping>-->
- <!-- <filter-name>CadiAuthFilter</filter-name>-->
- <!-- <url-pattern>/api/v3/*</url-pattern>-->
- <!-- </filter-mapping>-->
-
<servlet>
<servlet-name>ViewStatusMessages</servlet-name>
<servlet-class>ch.qos.logback.classic.ViewStatusMessagesServlet</servlet-class>
@@ -129,35 +105,15 @@
<url-pattern>/lbClassicStatus</url-pattern>
</servlet-mapping>
- <!-- <filter>
- <filter-name>GzipFilter</filter-name>
- <filter-class>org.eclipse.jetty.servlets.GzipFilter</filter-class>
- <async-supported>true</async-supported>
- <init-param>
- <param-name>methods</param-name>
- <param-value>GET,POST,PUT,DELETE</param-value>
- </init-param>
- <init-param>
- <param-name>mimeTypes</param-name>
- <param-value>text/html,text/plain,text/css,application/javascript,application/json</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>GzipFilter</filter-name>
- <url-pattern>/sdc2/rest/*</url-pattern>
- </filter-mapping>
-
- -->
- <!--<filter>-->
- <!--<filter-name>RestrictionAccessFilter</filter-name>-->
- <!--<filter-class>org.openecomp.sdc.be.filters.RestrictionAccessFilter</filter-class>-->
- <!--<async-supported>true</async-supported>-->
- <!--</filter>-->
-
- <!-- <filter>-->
- <!-- <filter-name>gatewayFilter</filter-name>-->
- <!-- <filter-class>org.openecomp.sdc.be.filters.GatewayFilter</filter-class>-->
- <!-- </filter>-->
+ <filter>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <filter-class>org.openecomp.sdc.be.filters.ContentSecurityPolicyHeaderFilter</filter-class>
+ <async-supported>true</async-supported>
+ </filter>
+ <filter-mapping>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
<filter>
<filter-name>gatewayFilter</filter-name>
@@ -176,53 +132,6 @@
<url-pattern>/sdc/*</url-pattern>
</filter-mapping>
- <!--
- <filter>
- <filter-name>basicAuthFilter</filter-name>
- <filter-class>
- org.openecomp.sdc.be.filters.BasicAuthenticationFilter
- </filter-class>
- <init-param>
- <param-name>excludedUrls</param-name>
- <param-value>/sdc2/rest/healthCheck,/sdc2/rest/v1/user,/sdc2/rest/v1/user/jh0003,/sdc2/rest/v1/screen,/sdc2/rest/v1/consumers,/sdc2/rest/v1/catalog/uploadType/datatypes,/sdc2/rest/v1/catalog/upload/multipart</param-value>
- </init-param>
- </filter>
-
- <filter-mapping>
- <filter-name>basicAuthFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>-->
-
- <!-- <filter>-->
- <!-- <filter-name>beRestrictionAccessFilter</filter-name>-->
- <!-- <filter-class>-->
- <!-- org.springframework.web.filter.DelegatingFilterProxy-->
- <!-- </filter-class>-->
- <!-- <init-param>-->
- <!-- <param-name>targetFilterLifecycle</param-name>-->
- <!-- <param-value>true</param-value>-->
- <!-- </init-param>-->
- <!-- </filter>-->
- <!-- <filter-mapping>-->
- <!-- <filter-name>beRestrictionAccessFilter</filter-name>-->
- <!-- <url-pattern>/sdc2/rest/*</url-pattern>-->
- <!-- </filter-mapping>-->
-
- <!-- <filter>-->
- <!-- <filter-name>CADI</filter-name>-->
- <!-- <filter-class>org.openecomp.sdc.be.filters.BeCadiServletFilter</filter-class>-->
- <!-- <init-param>-->
- <!-- <param-name>cadi_prop_files</param-name>-->
- <!-- <param-value>etc/cadi.properties</param-value>-->
- <!-- </init-param>-->
- <!-- </filter>-->
-
- <!-- <filter-mapping>-->
- <!-- <filter-name>CADI</filter-name>-->
- <!-- <url-pattern>/sdc/*</url-pattern>-->
- <!-- <url-pattern>/sdc2/rest/*</url-pattern>-->
- <!-- </filter-mapping>-->
-
<filter>
<filter-name>reqValidationFilter</filter-name>
<filter-class>