authorvasraz <vasyl.razinkov@est.tech>2022-10-04 18:16:26 +0100
committerVasyl Razinkov <vasyl.razinkov@est.tech>2022-10-04 18:54:54 +0000
commit0899720f168c09d037e577109d7cab665fe1fb91 (patch)
treec6c210914a6fb029841d28de92cb760cdad6088d /utils
parentca487f60c2ca67794b16c0ff0cf5cc6deca556fc (diff)
Fix bug 'X-Frame-Options not configured: Lack of clickjacking protection'
Add new Filter (ContentSecurityPolicyHeaderFilter) Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech> Change-Id: Ic8151df64e4b95b3d59b44a5f74dd12210f55e87 Issue-ID: SDC-4192
Diffstat (limited to 'utils')
-rw-r--r--utils/webseal-simulator/pom.xml12
-rw-r--r--utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb4
-rw-r--r--utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb4
-rw-r--r--utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java32
-rw-r--r--utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java100
-rw-r--r--utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml11
6 files changed, 101 insertions, 62 deletions
diff --git a/utils/webseal-simulator/pom.xml b/utils/webseal-simulator/pom.xml
index 9aba026299..8b2fa980a8 100644
--- a/utils/webseal-simulator/pom.xml
+++ b/utils/webseal-simulator/pom.xml
@@ -23,6 +23,18 @@
<dependencies>
<dependency>
+ <groupId>org.openecomp.sdc</groupId>
+ <artifactId>common-app-api</artifactId>
+ <version>${project.version}</version>
+ <scope>compile</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpcore</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>${javax.servlet.version}</version>
diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb
index 3769a1f723..9ee166364c 100644
--- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb
+++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb
@@ -6,7 +6,6 @@ else
fe_url="http://#{node['Nodes']['FE']}:#{node['FE'][:http_port]}"
end
-
template "webseal.conf" do
path "#{ENV['JETTY_BASE']}/config/sdc-simulator/webseal.conf"
source "SDC-Simulator-webseal.conf.erb"
@@ -14,6 +13,7 @@ template "webseal.conf" do
group "#{ENV['JETTY_GROUP']}"
mode "0755"
variables({
- :fe_url =>"#{fe_url}"
+ :fe_url =>"#{fe_url}",
+ :permittedAncestors => "#{ENV['permittedAncestors']}"
})
end
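Review bot: `ENV['permittedAncestors']` is nil when the variable is not exported, and the interpolation on the added line turns that into an empty string, so webseal.conf is rendered with `permittedAncestors=""` and nothing records that the setting was left out. How the filter treats an empty list is decided in ContentSecurityPolicyHeaderFilterAbstract, which is not part of this diff, so the fallback should be explicit here, for example `:permittedAncestors => ENV.fetch('permittedAncestors', '')` preceded by `# empty => filter default applies (confirm in ContentSecurityPolicyHeaderFilterAbstract)`. The enclosing `template "webseal.conf"` block starts outside this hunk.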
diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb
index f6e634481f..f72c3ae270 100644
--- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb
+++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb
@@ -2,6 +2,8 @@
webseal {
fe="<%= @fe_url %>"
portalCookieName="EPService"
+ #Space separated list of permitted ancestors
+ permittedAncestors="<%= @permittedAncestors %>"
users = [
{
userId="cs0008"
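Review bot: The added `permittedAncestors="<%= @permittedAncestors %>"` line writes the environment value into a quoted HOCON string without escaping, so a value containing `"` or `\` produces a webseal.conf that does not parse. Conf.initConf() in this same commit catches every exception and only prints the stack trace, so a parse failure would leave feHost, portalCookieName and the user list unset instead of stopping startup. Emitting the value as a JSON string, for example `permittedAncestors=<%= @permittedAncestors.to_s.to_json %>`, or rejecting unexpected characters in the recipe before rendering, would avoid that. The `webseal { … }` block continues outside the hunk.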
@@ -9,7 +11,7 @@
firstName="Carlos"
lastName="Santana"
role="Designer"
- email="csantana@sdc.com"
+ email="csantana@sdc.com"
},
{
userId="jh0003"
diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java
new file mode 100644
index 0000000000..ed4b4c1c39
--- /dev/null
+++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java
@@ -0,0 +1,32 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.webseal.simulator;
+
+import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract;
+import org.openecomp.sdc.webseal.simulator.conf.Conf;
+
+public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract {
+
+ @Override
+ protected String getPermittedAncestors() {
+ return Conf.getInstance().getPermittedAncestors();
+ }
+}
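Review bot: The new class has no Javadoc, and nothing in it says which response header the inherited filter writes or what format getPermittedAncestors() is expected to return. A class comment such as `/** Supplies the space-separated permitted-ancestor list from webseal.conf to the shared CSP header filter. */` would cover that. `Conf.getInstance().getPermittedAncestors()` can also return null when the value was never loaded; whether the parent class tolerates null is not visible in this diff, so it is worth stating the contract in the comment or returning an empty string here.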
diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java
index 449fe62f49..eb498c975e 100644
--- a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java
+++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java
@@ -7,9 +7,9 @@
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -22,75 +22,59 @@ package org.openecomp.sdc.webseal.simulator.conf;
import com.typesafe.config.Config;
import com.typesafe.config.ConfigFactory;
-import org.openecomp.sdc.webseal.simulator.User;
-
import java.io.File;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import lombok.Getter;
+import lombok.Setter;
+import org.openecomp.sdc.webseal.simulator.User;
+@Getter
+@Setter
public class Conf {
- private static Conf conf = new Conf();
- private String feHost;
- private Map<String,User> users = new HashMap<String,User>();
+ private static Conf conf = new Conf();
+ private String feHost;
+ private Map<String, User> users = new HashMap<String, User>();
private String portalCookieName;
+ private String permittedAncestors; // Space separated list of permitted ancestors
- private void setPortalCookieName(String portalCookieName) {
- this.portalCookieName = portalCookieName;
+ private Conf() {
+ initConf();
}
- public String getPortalCookieName() {
- return portalCookieName;
- }
+ private void initConf() {
+ try {
+ String confPath = System.getProperty("config.resource");
+ if (confPath == null) {
+ System.out.println("config.resource is empty - goint to get it from config.home");
+ confPath = System.getProperty("config.home") + "/webseal.conf";
+ }
+ System.out.println("confPath=" + confPath);
+ final Config confFile = ConfigFactory.parseFileAnySyntax(new File(confPath));
+ final Config resolve = confFile.resolve();
+ setFeHost(resolve.getString("webseal.fe"));
+ setPortalCookieName(resolve.getString("webseal.portalCookieName"));
+ final List<? extends Config> list = resolve.getConfigList("webseal.users");
- private Conf(){
- initConf();
- }
-
- private void initConf() {
- try{
- String confPath = System.getProperty("config.resource");
- if (confPath == null){
- System.out.println("config.resource is empty - goint to get it from config.home");
- confPath = System.getProperty("config.home") + "/webseal.conf";
- }
- System.out.println("confPath=" + confPath );
- Config confFile = ConfigFactory.parseFileAnySyntax(new File(confPath));
- Config resolve = confFile.resolve();
- setFeHost(resolve.getString("webseal.fe"));
- setPortalCookieName(resolve.getString("webseal.portalCookieName"));
- List<? extends Config> list = resolve.getConfigList("webseal.users");
+ for (final Config config : list) {
+ String userId = config.getString("userId");
+ String password = config.getString("password");
+ String firstName = config.getString("firstName");
+ String lastName = config.getString("lastName");
+ String email = config.getString("email");
+ String role = config.getString("role");
+ users.put(userId, new User(firstName, lastName, email, userId, role, password));
+ }
- for (Config conf : list ){
- String userId = conf.getString("userId");
- String password = conf.getString("password");
- String firstName = conf.getString("firstName");
- String lastName = conf.getString("lastName");
- String email = conf.getString("email");
- String role = conf.getString("role");
- users.put(userId,new User(firstName,lastName,email,userId,role,password));
- }
-
- }catch(Exception e){
- e.printStackTrace();
- }
- }
-
- public static Conf getInstance(){
- return conf;
- }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
- public String getFeHost() {
- return feHost;
- }
+ public static Conf getInstance() {
+ return conf;
+ }
- public void setFeHost(String feHost) {
- this.feHost = feHost;
- }
-
- public Map<String,User> getUsers() {
- return users;
- }
-
}
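Review bot: `permittedAncestors` is declared but never assigned: the new initConf() calls setFeHost and setPortalCookieName and fills `users`, yet nothing reads `webseal.permittedAncestors`, so getPermittedAncestors() returns null and the value rendered into webseal.conf is ignored, unless a setter call exists outside this diff. Adding `if (resolve.hasPath("webseal.permittedAncestors")) { setPermittedAncestors(resolve.getString("webseal.permittedAncestors")); }` after the setPortalCookieName call would load it; the hasPath guard matters because getString throws on a missing key and the catch-all below would then skip the user list as well. Separately, the class-level `@Setter` makes setPortalCookieName (previously private) and a new setUsers public on the singleton; `@Getter` on the class with private setters would keep the old surface.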
diff --git a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml
index a293d3c883..c23e265aae 100644
--- a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml
+++ b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml
@@ -38,9 +38,18 @@
<url-pattern>/create</url-pattern>
</servlet-mapping>
+ <filter>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <filter-class>org.openecomp.sdc.webseal.simulator.ContentSecurityPolicyHeaderFilter</filter-class>
+ <async-supported>true</async-supported>
+ </filter>
+ <filter-mapping>
+ <filter-name>contentSecurityPolicyHeaderFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
<welcome-file-list>
<welcome-file>login</welcome-file>
</welcome-file-list>
</web-app>
-