From b08ac296b31f001c946b1371f213ac302ff9c12e Mon Sep 17 00:00:00 2001
From: vasraz <vasyl.razinkov@est.tech>
Date: Thu, 21 Oct 2021 17:32:16 +0100
Subject: Fix critical cross site scripting

Change-Id: I66a220f71a2e950055107a725191b46bcbe8c6a6
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Issue-ID: SDC-3607
Issue-ID: SDC-3755
---
 .../java/org/openecomp/sdc/be/user/UserBusinessLogic.java | 15 +++++++++++++++
 .../main/resources/scripts/sdcBePy/users/data/users.json  |  7 -------
 2 files changed, 15 insertions(+), 7 deletions(-)

(limited to 'catalog-be')

diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java b/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java
index f90440011d..62232beaf5 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java
@@ -33,6 +33,7 @@ import java.util.stream.Collectors;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.tinkerpop.gremlin.structure.Edge;
+import org.onap.portalsdk.core.onboarding.util.CipherUtil;
 import org.openecomp.sdc.be.components.impl.exceptions.ByActionStatusComponentException;
 import org.openecomp.sdc.be.dao.api.ActionStatus;
 import org.openecomp.sdc.be.dao.utils.UserStatusEnum;
@@ -68,6 +69,7 @@ public class UserBusinessLogic {
     }
 
     public User getUser(String userId, boolean inTransaction) {
+        userId = decryptUserId(userId);
         Either<User, ActionStatus> result = userAdminOperation.getUserData(userId, inTransaction);
         if (result.isRight()) {
             handleUserAccessAuditing(userId, result.right().value());
@@ -81,7 +83,19 @@ public class UserBusinessLogic {
         return user;
     }
 
+    private String decryptUserId(final String userId) {
+        if (StringUtils.isNotEmpty(userId)) {
+            try {
+                return CipherUtil.decryptPKC(userId);
+            } catch (final Exception e) {
+                return userId;
+            }
+        }
+        return userId;
+    }
+
     public User getUser(String userId) {
+        userId = decryptUserId(userId);
         UserContext userContext = ThreadLocalsHolder.getUserContext();
         if (Objects.isNull(userContext) || Objects.isNull(userContext.getUserId())) {
             log.info("USER_NOT_FOUND, user=" + userId);
@@ -106,6 +120,7 @@ public class UserBusinessLogic {
     }
 
     public boolean hasActiveUser(String userId) {
+        userId = decryptUserId(userId);
         UserContext userContext = ThreadLocalsHolder.getUserContext();
         if (Objects.isNull(userContext) || Objects.isNull(userContext.getUserId())) {
             handleUserAccessAuditing(userId, ActionStatus.USER_NOT_FOUND);
diff --git a/catalog-be/src/main/resources/scripts/sdcBePy/users/data/users.json b/catalog-be/src/main/resources/scripts/sdcBePy/users/data/users.json
index 9ce2be4dd3..ed3adafe66 100755
--- a/catalog-be/src/main/resources/scripts/sdcBePy/users/data/users.json
+++ b/catalog-be/src/main/resources/scripts/sdcBePy/users/data/users.json
@@ -6,13 +6,6 @@
     "role": "ADMIN",
     "email": "demo@openecomp.org"
   },
-  {
-    "userId": "op0001",
-    "firstName": "Oper",
-    "lastName": "P",
-    "role": "OPS",
-    "email": "op0001@openecomp.org"
-  },
   {
     "userId": "gv0001",
     "firstName": "Giuseppe",
-- 
cgit 1.2.3-korg