Merge "XSS Vulnerability fix in AppContactUsController"
diff --git a/ecomp-portal-BE-common/pom.xml b/ecomp-portal-BE-common/pom.xml
index 61f166d..58ae584 100644
--- a/ecomp-portal-BE-common/pom.xml
+++ b/ecomp-portal-BE-common/pom.xml
@@ -180,6 +180,11 @@
 			<version>${springframework.version}</version>
 		</dependency>
 		<dependency>
+			<groupId>javax.xml.bind</groupId>
+			<artifactId>jaxb-api</artifactId>
+			<version>2.4.0-b180830.0359</version>
+		</dependency>
+		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter</artifactId>
 			<version>1.3.0.RELEASE</version>
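Review bot: The new jaxb-api dependency is pinned to `2.4.0-b180830.0359`, a dated pre-release build (the `-bYYMMDD.HHMM` suffix) rather than a GA release of the API, so it will receive no maintenance and is awkward for dependency scanners to match. Unless that exact build is required, pin a released line, e.g. `<version>2.3.1</version>`, and add a one-line XML comment above the dependency saying what needs it, since the commit title does not mention JAXB at all.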
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java
index 4b401e2..1224be8 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java
@@ -2,7 +2,7 @@
  * ============LICENSE_START==========================================
  * ONAP Portal
  * ===================================================================
- * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved.
  * ===================================================================
  * Modifications Copyright (c) 2019 Samsung
  * ===================================================================
@@ -42,18 +42,12 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;
-import java.util.Map;
 import java.util.Set;
-import java.util.stream.Stream;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
-import org.json.JSONArray;
-import org.json.JSONObject;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
 import org.onap.portalapp.controller.EPRestrictedBaseController;
 import org.onap.portalapp.portal.domain.AdminUserApplications;
 import org.onap.portalapp.portal.domain.AppIdAndNameTransportModel;
@@ -68,7 +62,6 @@
 import org.onap.portalapp.portal.service.AdminRolesService;
 import org.onap.portalapp.portal.service.EPAppService;
 import org.onap.portalapp.portal.service.EPLeftMenuService;
-import org.onap.portalapp.portal.service.ExternalAccessRolesService;
 import org.onap.portalapp.portal.transport.EPAppsManualPreference;
 import org.onap.portalapp.portal.transport.EPAppsSortPreference;
 import org.onap.portalapp.portal.transport.EPDeleteAppsManualSortPref;
@@ -76,10 +69,10 @@
 import org.onap.portalapp.portal.transport.FieldsValidator;
 import org.onap.portalapp.portal.transport.LocalRole;
 import org.onap.portalapp.portal.transport.OnboardingApp;
-import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
 import org.onap.portalapp.portal.utils.EcompPortalUtils;
 import org.onap.portalapp.portal.utils.PortalConstants;
 import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.DataValidator;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.onap.portalsdk.core.util.SystemProperties;
 import org.onap.portalsdk.core.web.support.AppUtils;
@@ -87,7 +80,6 @@
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
-import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
@@ -97,27 +89,27 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.client.HttpClientErrorException;
-import org.springframework.web.client.HttpStatusCodeException;
-import org.springframework.web.client.RestTemplate;
 
 @RestController
 @EnableAspectJAutoProxy
 @EPAuditLog
+@NoArgsConstructor
+@Getter
 public class AppsController extends EPRestrictedBaseController {
-	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsController.class);
+	private static final String GET_RESULT = "GET result =";
+	private static final String PUT_RESULT = "PUT result =";
+	private static final String PORTAL_API_ONBOARDING_APPS = "/portalApi/onboardingApps";
+	private static final String PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF = "/portalApi/userAppsOrderBySortPref";
+
+	private final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsController.class);
+	private final DataValidator dataValidator = new DataValidator();
 
 	@Autowired
 	private AdminRolesService adminRolesService;
-
 	@Autowired
 	private EPAppService appService;
-
 	@Autowired
 	private EPLeftMenuService leftMenuService;
-	
-	@Autowired
-	private ExternalAccessRolesService externalAccessRolesService;
-	RestTemplate template = new RestTemplate();
 
 	/**
 	 * RESTful service method to fetch all Applications available to current
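Review bot: The class-level `@Getter` added above `public class AppsController` generates public getters for every non-static field, including `logger`, `dataValidator` and the three `@Autowired` services, which widens the controller's surface to its collaborators for no visible reason; place `@Getter` on the individual fields that need it or drop it. `@NoArgsConstructor` is redundant on a class that declares no other constructor (assuming none exists outside the hunk). `DataValidator` is declared a Spring `@Component` elsewhere in this commit, yet it is instantiated here with `new DataValidator()`; `@Autowired private DataValidator dataValidator;` keeps a single container-managed instance and lets tests substitute it.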
@@ -139,7 +131,7 @@
 				EcompPortalUtils.setBadPermissions(user, response, "getUserApps");
 			} else {
 				ecompApps = appService.transformAppsToEcompApps(appService.getUserApps(user));
-				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userApps", "GET result =", ecompApps);
+				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userApps", GET_RESULT, ecompApps);
 			}
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "getUserApps failed", e);
@@ -174,7 +166,7 @@
 				else
 					apps = appService.getPersUserApps(user);
 				ecompApps = appService.transformAppsToEcompApps(apps);
-				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userPersApps", "GET result =", ecompApps);
+				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userPersApps", GET_RESULT, ecompApps);
 			}
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "getPersUserApps failed", e);
@@ -203,7 +195,7 @@
 				EcompPortalUtils.setBadPermissions(user, response, "getAdminApps");
 			} else {
 				adminApps = appService.getAdminApps(user);
-				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/adminApps", "GET result =", adminApps);
+				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/adminApps", GET_RESULT, adminApps);
 			}
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "getAdminApps failed", e);
@@ -235,7 +227,7 @@
 			} else {
 				adminApps = appService.getAppsForSuperAdminAndAccountAdmin(user);
 				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appsForSuperAdminAndAccountAdmin",
-						"GET result =", adminApps);
+						GET_RESULT, adminApps);
 			}
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "getAppsForSuperAdminAndAccountAdmin failed", e);
@@ -245,7 +237,7 @@
 	}
 
 	/**
-	 * RESTful service method to fetch left menu items from the user's session.
+	 * RESTful service method to fetch left menu items from the user'PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF session.
 	 * 
 	 * @param request
 	 *            HttpServletRequest
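Review bot: The Javadoc line in this hunk now reads `user'PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF session`, which is the constant extraction having replaced the `s` inside `user's`; the sentence is no longer English and the constant name is meaningless in that position. Restore it to ` * RESTful service method to fetch left menu items from the user's session.`. The Javadoc block and the method it documents continue outside the hunk.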
@@ -267,7 +259,7 @@
 
 		try {
 			menuList = leftMenuService.getLeftMenuItems(user, menuSet, roleFunctionSet);
-			EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/leftmenuItems", "GET result =", menuList);
+			EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/leftmenuItems", GET_RESULT, menuList);
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "getLeftMenuItems failed", e);
 		}
@@ -275,7 +267,7 @@
 	}
 
 	@RequestMapping(value = {
-			"/portalApi/userAppsOrderBySortPref" }, method = RequestMethod.GET, produces = "application/json")
+			PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF }, method = RequestMethod.GET, produces = "application/json")
 	public List<EcompApp> getUserAppsOrderBySortPref(HttpServletRequest request, HttpServletResponse response) {
 		EPUser user = EPUserUtils.getUserSession(request);
 		List<EcompApp> ecompApps = null;
@@ -284,28 +276,28 @@
 				EcompPortalUtils.setBadPermissions(user, response, "getUserAppsOrderBySortPref");
 			} else {
 				String usrSortPref = request.getParameter("mparams");
-				if (usrSortPref.equals("")) {
+				if (usrSortPref.isEmpty()) {
 					usrSortPref = "N";
 				}
 				switch (usrSortPref) {
 				case "N":
 					ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByName(user));
-					EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =",
+					EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT,
 							ecompApps);
 					break;
 				case "L":
 					ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByLastUsed(user));
-					EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =",
+					EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT,
 							ecompApps);
 					break;
 				case "F":
 					ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByMostUsed(user));
-					EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =",
+					EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT,
 							ecompApps);
 					break;
 				case "M":
 					ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByManual(user));
-					EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =",
+					EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT,
 							ecompApps);
 					break;
 				default:
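Review bot: `usrSortPref.isEmpty()` still dereferences the result of `request.getParameter("mparams")`, which is null when the parameter is absent, so a request without `mparams` throws a NullPointerException exactly as `equals("")` did before. Treat absence like the empty string, `if (usrSortPref == null || usrSortPref.isEmpty()) {`, so the `"N"` default applies. The try/catch enclosing this switch in getUserAppsOrderBySortPref lies outside the hunk, so I cannot tell whether the exception is currently caught or surfaces as a 500.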
@@ -335,6 +327,13 @@
 	public FieldsValidator putUserAppsSortingManual(HttpServletRequest request,
 			@RequestBody List<EPAppsManualPreference> epAppsManualPref, HttpServletResponse response) {
 		FieldsValidator fieldsValidator = null;
+
+		if (isNotNullAndNotValid(epAppsManualPref)){
+			fieldsValidator = new FieldsValidator();
+			fieldsValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+			return fieldsValidator;
+		}
+
 		try {
 			EPUser user = EPUserUtils.getUserSession(request);
 			fieldsValidator = appService.saveAppsSortManual(epAppsManualPref, user);
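Review bot: The new guard `isNotNullAndNotValid(epAppsManualPref)` validates the `List` object itself, and `DataValidator.getConstraintViolations` (changed in this same commit) calls `validator.validate(classToValid)` with no cascading, so an `ArrayList` carries no constraints and the `@SafeHtml` annotations on `EPAppsManualPreference` fields are never evaluated; the condition is always false. Validate the elements instead, `if (epAppsManualPref != null && epAppsManualPref.stream().anyMatch(p -> !dataValidator.isValid(p))) {`. The early return also leaves the servlet status untouched while the body reports 406, so add `response.setStatus(HttpServletResponse.SC_NOT_ACCEPTABLE);` before `return fieldsValidator;`. Both points apply equally to the guards added in putUserWidgetsSortManual and putUserWidgetsSortPref, and the accompanying putUserAppsSortingManualXSSTest stubs `saveAppsSortManual` to return the 406 validator, so it passes through the service path even when the guard never fires.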
@@ -342,7 +341,7 @@
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "putUserAppsSortingManual failed", e);
 		}
-		EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/saveUserAppsSortingManual", "PUT result =",
+		EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/saveUserAppsSortingManual", PUT_RESULT,
 				response.getStatus());
 		return fieldsValidator;
 	}
@@ -352,6 +351,13 @@
 	public FieldsValidator putUserWidgetsSortManual(HttpServletRequest request,
 			@RequestBody List<EPWidgetsSortPreference> saveManualWidgetSData, HttpServletResponse response) {
 		FieldsValidator fieldsValidator = null;
+
+		if (isNotNullAndNotValid(saveManualWidgetSData)){
+			fieldsValidator = new FieldsValidator();
+			fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+			return fieldsValidator;
+		}
+
 		try {
 			EPUser user = EPUserUtils.getUserSession(request);
 			fieldsValidator = appService.saveWidgetsSortManual(saveManualWidgetSData, user);
@@ -359,8 +365,7 @@
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "putUserWidgetsSortManual failed", e);
 		}
-		// return fieldsValidator;
-		EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortManual", "PUT result =",
+		EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortManual", PUT_RESULT,
 				response.getStatus());
 		return fieldsValidator;
 	}
@@ -370,6 +375,13 @@
 	public FieldsValidator putUserWidgetsSortPref(HttpServletRequest request,
 			@RequestBody List<EPWidgetsSortPreference> delManualWidgetData, HttpServletResponse response) {
 		FieldsValidator fieldsValidator = null;
+
+		if (isNotNullAndNotValid(delManualWidgetData)){
+			fieldsValidator = new FieldsValidator();
+			fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+			return fieldsValidator;
+		}
+
 		try {
 			EPUser user = EPUserUtils.getUserSession(request);
 			fieldsValidator = appService.deleteUserWidgetSortPref(delManualWidgetData, user);
@@ -378,8 +390,7 @@
 			logger.error(EELFLoggerDelegate.errorLogger, "putUserWidgetsSortPref failed", e);
 
 		}
-		// return fieldsValidator;
-		EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortPref", "PUT result =",
+		EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortPref", PUT_RESULT,
 				response.getStatus());
 		return fieldsValidator;
 	}
@@ -400,6 +411,7 @@
 	public FieldsValidator deleteUserAppSortManual(HttpServletRequest request,
 			@RequestBody EPDeleteAppsManualSortPref delManualAppData, HttpServletResponse response) {
 		FieldsValidator fieldsValidator = null;
+
 		try {
 			EPUser user = EPUserUtils.getUserSession(request);
 			fieldsValidator = appService.deleteUserAppSortManual(delManualAppData, user);
@@ -408,8 +420,7 @@
 			logger.error(EELFLoggerDelegate.errorLogger, "deleteUserAppSortManual failed", e);
 
 		}
-		// return fieldsValidator;
-		EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/deleteUserAppSortManual", "PUT result =",
+		EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/deleteUserAppSortManual", PUT_RESULT,
 				response.getStatus());
 		return fieldsValidator;
 	}
@@ -428,8 +439,7 @@
 
 		}
 
-		// return fieldsValidator;
-		EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserAppsSortingPreference", "PUT result =",
+		EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserAppsSortingPreference", PUT_RESULT,
 				response.getStatus());
 		return fieldsValidator;
 	}
@@ -445,7 +455,7 @@
 				EcompPortalUtils.setBadPermissions(user, response, "userAppsSortTypePreference");
 			} else {
 				userSortPreference = appService.getUserAppsSortTypePreference(user);
-				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsSortTypePreference", "GET result =",
+				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsSortTypePreference", GET_RESULT,
 						userSortPreference);
 			}
 		} catch (Exception e) {
@@ -475,7 +485,7 @@
 				EcompPortalUtils.setBadPermissions(user, response, "getAppsAdministrators");
 			} else {
 				admins = appService.getAppsAdmins();
-				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/accountAdmins", "GET result =", admins);
+				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/accountAdmins", GET_RESULT, admins);
 			}
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "getAppsAdministrators failed", e);
@@ -493,7 +503,7 @@
 				EcompPortalUtils.setBadPermissions(user, response, "getApps");
 			} else {
 				apps = appService.getAllApplications(false);
-				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", "GET result =", apps);
+				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", GET_RESULT, apps);
 			}
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "getApps failed", e);
@@ -522,7 +532,7 @@
 				EcompPortalUtils.setBadPermissions(user, response, "getApps");
 			} else {
 				apps = appService.getAllApps(true);
-				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", "GET result =", apps);
+				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", GET_RESULT, apps);
 			}
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "getAllApps failed", e);
@@ -547,7 +557,7 @@
 			EcompPortalUtils.setBadPermissions(user, response, "getAppsFullList");
 		} else {
 			ecompApps = appService.getEcompAppAppsFullList();
-			EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appsFullList", "GET result =", ecompApps);
+			EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appsFullList", GET_RESULT, ecompApps);
 		}
 		return ecompApps;
 	}
@@ -598,7 +608,7 @@
 				|| (adminRolesService.isSuperAdmin(user) && requestedApp.getId() == PortalConstants.PORTAL_APP_ID))) {
 			try {
 				roleList = appService.getAppRoles(appId);
-				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appRoles/" + appId, "GET result =",
+				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appRoles/" + appId, GET_RESULT,
 						roleList);
 			} catch (Exception e) {
 				logger.error(EELFLoggerDelegate.errorLogger, "getAppRoles failed", e);
@@ -626,8 +636,8 @@
 			String appName = request.getParameter("appParam");
 			app = appService.getAppDetailByAppName(appName);
 			if (user != null && (adminRolesService.isAccountAdminOfApplication(user, app)
-					|| (adminRolesService.isSuperAdmin(user) && app.getId() == PortalConstants.PORTAL_APP_ID)))
-				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfo" + appName, "GET result =", app);
+					|| (adminRolesService.isSuperAdmin(user) && app.getId().equals(PortalConstants.PORTAL_APP_ID))))
+				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfo" + appName, GET_RESULT, app);
 			else{
 				app= null;
 				EcompPortalUtils.setBadPermissions(user, response, "createAdmin");
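Review bot: `app.getId().equals(PortalConstants.PORTAL_APP_ID)` correctly replaces the boxed `==` comparison, but it now throws a NullPointerException when `getId()` returns null, a case the reference comparison tolerated. `Objects.equals(app.getId(), PortalConstants.PORTAL_APP_ID)` (with `import java.util.Objects;`) keeps that case benign. The same replacement appears in the sibling hunk for `/portalApi/singleAppInfoById`.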
@@ -659,8 +669,8 @@
 				app.setCentralAuth(false);
 			}
 			if (user != null && (adminRolesService.isAccountAdminOfApplication(user, app)
-					|| (adminRolesService.isSuperAdmin(user) && app.getId() == PortalConstants.PORTAL_APP_ID)))
-				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfoById" + appId, "GET result =", app);
+					|| (adminRolesService.isSuperAdmin(user) && app.getId().equals(PortalConstants.PORTAL_APP_ID))))
+				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfoById" + appId, GET_RESULT, app);
 			else{
 				app= null;
 				EcompPortalUtils.setBadPermissions(user, response, "createAdmin");
@@ -680,7 +690,7 @@
 	 *            HTTP servlet response
 	 * @return List<OnboardingApp>
 	 */
-	@RequestMapping(value = { "/portalApi/onboardingApps" }, method = RequestMethod.GET, produces = "application/json")
+	@RequestMapping(value = { PORTAL_API_ONBOARDING_APPS }, method = RequestMethod.GET, produces = "application/json")
 	public List<OnboardingApp> getOnboardingApps(HttpServletRequest request, HttpServletResponse response) {
 		EPUser user = EPUserUtils.getUserSession(request);
 		List<OnboardingApp> onboardingApps = null;
@@ -697,8 +707,8 @@
 					//get all his admin apps
 					onboardingApps =  appService.getAdminAppsOfUser(user);
 				}
-				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "GET result =",
-						"onboardingApps of size " + onboardingApps.size());
+				EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS, GET_RESULT,
+						"onboardingApps of size " + (onboardingApps != null ? onboardingApps.size() : 0));
 			}
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "getOnboardingApps failed", e);
@@ -718,14 +728,12 @@
 	 * @return FieldsValidator
 	 * @throws Exception 
 	 */
-	@RequestMapping(value = { "/portalApi/onboardingApps" }, method = RequestMethod.PUT, produces = "application/json")
+	@RequestMapping(value = { PORTAL_API_ONBOARDING_APPS }, method = RequestMethod.PUT, produces = "application/json")
 	public FieldsValidator putOnboardingApp(HttpServletRequest request,
-			@RequestBody OnboardingApp modifiedOnboardingApp, HttpServletResponse response) throws Exception {
+			@RequestBody OnboardingApp modifiedOnboardingApp, HttpServletResponse response) {
 		FieldsValidator fieldsValidator = null;
 		EPUser user = null;
-		EPApp oldEPApp = null;
-		oldEPApp = appService.getApp(modifiedOnboardingApp.id);
-		ResponseEntity<String> res = null;
+		EPApp oldEPApp = appService.getApp(modifiedOnboardingApp.id);
 		
 		try {
 			user = EPUserUtils.getUserSession(request);
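Review bot: `EPApp oldEPApp = appService.getApp(modifiedOnboardingApp.id);` is now a single declaration but still runs before the `try` and before the user-session/permission branch, so a caller who would fail that branch still triggers the lookup, and any exception it throws escapes the method outside every catch. Declare `EPApp oldEPApp = null;` here and move `oldEPApp = appService.getApp(modifiedOnboardingApp.id);` into the `else` branch ahead of the central-auth condition. Dropping `throws Exception` from the signature is only sound if the `InvalidApplicationException` declared by the new helper is handled by this method's catch clauses, which lie outside the hunk.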
@@ -734,20 +742,7 @@
 			} else {
 				if((oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && !oldEPApp.getNameSpace().equalsIgnoreCase(modifiedOnboardingApp.nameSpace) && modifiedOnboardingApp.nameSpace!= null ) || (!oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && modifiedOnboardingApp.nameSpace!= null))
 				{
-					try {
-						res = appService.checkIfNameSpaceIsValid(modifiedOnboardingApp.nameSpace);
-					} catch (HttpClientErrorException e) {
-						logger.error(EELFLoggerDelegate.errorLogger, "checkIfNameSpaceExists failed", e);
-						EPLogUtil.logExternalAuthAccessAlarm(logger, e.getStatusCode());
-						if (e.getStatusCode() == HttpStatus.NOT_FOUND || e.getStatusCode() == HttpStatus.FORBIDDEN) {
-							fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response);
-							throw new InvalidApplicationException("Invalid NameSpace");
-						}else{
-							fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response);
-							throw e;
-						}
-					}
-
+					checkIfNameSpaceIsValid(modifiedOnboardingApp, fieldsValidator, response);
 				}	
 				modifiedOnboardingApp.normalize();
 				fieldsValidator = appService.modifyOnboardingApp(modifiedOnboardingApp, user);
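Review bot: `checkIfNameSpaceIsValid(modifiedOnboardingApp, fieldsValidator, response);` cannot update this method's `fieldsValidator`: the reference is passed by value, so the `fieldsValidator = setResponse(...)` assignments inside the helper are discarded, and when the helper then throws, the catch path of putOnboardingApp returns the value held here, which is still null. Before the refactor the assignment happened in this method, so the failure status reached the client. The same loss occurs at the `checkIfNameSpaceIsValid(newOnboardingApp, fieldsValidator, response)` call in postOnboardingApp. Have the helper return the `FieldsValidator` it builds and assign it here, `fieldsValidator = checkIfNameSpaceIsValid(modifiedOnboardingApp, response);`.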
@@ -767,7 +762,7 @@
 				logger.error(EELFLoggerDelegate.errorLogger, "putOnboardingApps failed", e);
 			}
 		}
-		EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "PUT result =",
+		EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS, PUT_RESULT,
 				response.getStatus());
 		return fieldsValidator;
 	}
@@ -784,7 +779,7 @@
 	 *            app to add
 	 * @return FieldsValidator
 	 */
-	@RequestMapping(value = { "/portalApi/onboardingApps" }, method = RequestMethod.POST, produces = "application/json")
+	@RequestMapping(value = { PORTAL_API_ONBOARDING_APPS }, method = RequestMethod.POST, produces = "application/json")
 	public FieldsValidator postOnboardingApp(HttpServletRequest request, @RequestBody OnboardingApp newOnboardingApp,
 			HttpServletResponse response) {
 		FieldsValidator fieldsValidator = null;
@@ -794,21 +789,7 @@
 				EcompPortalUtils.setBadPermissions(user, response, "postOnboardingApps");
 			} else {
 				newOnboardingApp.normalize();
-				ResponseEntity<String> res = null;
-				try {
-					if( !(newOnboardingApp.nameSpace == null) && !newOnboardingApp.nameSpace.isEmpty()) 
-					    res = appService.checkIfNameSpaceIsValid(newOnboardingApp.nameSpace);
-				} catch (HttpClientErrorException e) {
-					logger.error(EELFLoggerDelegate.errorLogger, "checkIfNameSpaceExists failed", e);
-					EPLogUtil.logExternalAuthAccessAlarm(logger, e.getStatusCode());
-					if (e.getStatusCode() == HttpStatus.NOT_FOUND || e.getStatusCode() == HttpStatus.FORBIDDEN) {
-						fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response);
-						throw new InvalidApplicationException("Invalid NameSpace");
-					}else{
-						fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response);
-						throw e;
-					}
-				}
+				checkIfNameSpaceIsValid(newOnboardingApp, fieldsValidator, response);
 				fieldsValidator = appService.addOnboardingApp(newOnboardingApp, user);
 				response.setStatus(fieldsValidator.httpStatusCode.intValue());
 			}
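Review bot: The unconditional `checkIfNameSpaceIsValid(newOnboardingApp, fieldsValidator, response);` drops the `nameSpace != null && !isEmpty()` guard the removed lines had, so every onboarding POST without a namespace now calls `appService.checkIfNameSpaceIsValid(null)` against the external auth service. Restore the guard around the call: `if (newOnboardingApp.nameSpace != null && !newOnboardingApp.nameSpace.isEmpty()) {` / `checkIfNameSpaceIsValid(newOnboardingApp, fieldsValidator, response);` / `}`.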
@@ -824,22 +805,22 @@
 			logger.error(EELFLoggerDelegate.errorLogger, "postOnboardingApp failed", e);				
 		}
 
-		EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "POST result =",
+		EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS, "POST result =",
 				response.getStatus());
 		return fieldsValidator;
 	}
 	
-	private FieldsValidator setResponse(HttpStatus statusCode,FieldsValidator fieldsValidator,HttpServletResponse response)
+	private FieldsValidator setResponse(HttpStatus statusCode, HttpServletResponse response)
 	{
-		fieldsValidator = new FieldsValidator();
+		FieldsValidator fieldsValidator = new FieldsValidator();
 		if (statusCode == HttpStatus.NOT_FOUND || statusCode == HttpStatus.FORBIDDEN) {
-			fieldsValidator.httpStatusCode = new Long(HttpServletResponse.SC_NOT_FOUND);
+			fieldsValidator.httpStatusCode = (long) HttpServletResponse.SC_NOT_FOUND;
 			logger.error(EELFLoggerDelegate.errorLogger, "setResponse failed"+ "invalid namespace");
 		}else if (statusCode == HttpStatus.UNAUTHORIZED) {
-			fieldsValidator.httpStatusCode = new Long(HttpServletResponse.SC_UNAUTHORIZED);
+			fieldsValidator.httpStatusCode = (long) HttpServletResponse.SC_UNAUTHORIZED;
 			logger.error(EELFLoggerDelegate.errorLogger, "setResponse failed"+ "unauthorized");
 		} else{
-			fieldsValidator.httpStatusCode = new Long(HttpServletResponse.SC_BAD_REQUEST);
+			fieldsValidator.httpStatusCode = (long) HttpServletResponse.SC_BAD_REQUEST;
 			logger.error(EELFLoggerDelegate.errorLogger, "setResponse failed ",statusCode);
 
 		}
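Review bot: In the visible part of the reworked `setResponse`, the `response` parameter is never used; the method only builds a `FieldsValidator` and logs. If it is not used below the hunk either, either call `response.setStatus(fieldsValidator.httpStatusCode.intValue());` before returning so the HTTP status agrees with the body, or drop the parameter. The method body continues past the end of this hunk.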
@@ -880,7 +861,7 @@
 			response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
 		}
 		
-		EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps" + appId, "DELETE result =",
+		EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS + appId, "DELETE result =",
 				response.getStatus());
 		return fieldsValidator;
 	}
@@ -918,8 +899,29 @@
 		HttpHeaders header = new HttpHeaders();
 		header.setContentType(mediaType);
 		header.setContentLength(app.getThumbnail().length);
-		return new HttpEntity<byte[]>(app.getThumbnail(), header);
+		return new HttpEntity<>(app.getThumbnail(), header);
 	}
 	
+	private void checkIfNameSpaceIsValid(OnboardingApp modifiedOnboardingApp, FieldsValidator fieldsValidator, HttpServletResponse response)
+		throws InvalidApplicationException {
+		try {
+			ResponseEntity<String> res  = appService.checkIfNameSpaceIsValid(modifiedOnboardingApp.nameSpace);
+		} catch (HttpClientErrorException e) {
+			logger.error(EELFLoggerDelegate.errorLogger, "checkIfNameSpaceExists failed", e);
+			EPLogUtil.logExternalAuthAccessAlarm(logger, e.getStatusCode());
+			if (e.getStatusCode() == HttpStatus.NOT_FOUND || e.getStatusCode() == HttpStatus.FORBIDDEN) {
+				fieldsValidator = setResponse(e.getStatusCode(),response);
+				throw new InvalidApplicationException("Invalid NameSpace");
+			}else{
+				fieldsValidator = setResponse(e.getStatusCode(),response);
+				throw e;
+			}
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
 
+	private boolean isNotNullAndNotValid(Object o){
+		return o!=null && !dataValidator.isValid(o);
+	}
 }
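Review bot: The trailing `catch (Exception e) { e.printStackTrace(); }` in the new `checkIfNameSpaceIsValid` makes the namespace check fail open: any failure other than an `HttpClientErrorException` (a connection error to the external auth service, a 5xx, a NullPointerException on a null `nameSpace`) is printed to stderr and the caller proceeds to add or modify the application as if the namespace had been accepted, whereas the removed inline code let such exceptions propagate to the caller's catch. The `res` local is assigned and never read, and reassigning the `fieldsValidator` parameter has no effect on the caller. I would remove the catch-all, drop the unused parameter and return the `FieldsValidator` produced by setResponse so callers can assign it and skip the add/modify call when it is non-null; the rewritten helper follows. If the callers' catch clauses (outside the hunks I can see) depend on `InvalidApplicationException`, keep the throw instead and build the `FieldsValidator` in those catch clauses via `setResponse`.
```java
/** Returns null when the namespace is accepted, otherwise the FieldsValidator describing the failure. */
private FieldsValidator checkIfNameSpaceIsValid(OnboardingApp app, HttpServletResponse response) {
	try {
		appService.checkIfNameSpaceIsValid(app.nameSpace);
		return null;
	} catch (HttpClientErrorException e) {
		logger.error(EELFLoggerDelegate.errorLogger, "checkIfNameSpaceExists failed", e);
		EPLogUtil.logExternalAuthAccessAlarm(logger, e.getStatusCode());
		// 404/403 and 401 are mapped by setResponse; everything else becomes SC_BAD_REQUEST
		return setResponse(e.getStatusCode(), response);
	}
	// no catch-all: transport or runtime failures must not be treated as "namespace valid"
}
```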
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java
index 0bd4db3..1aa4219 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java
@@ -37,18 +37,24 @@
  */
 package org.onap.portalapp.portal.transport;
 
+import org.hibernate.validator.constraints.SafeHtml;
+
 public class EPAppsManualPreference {
 	
 	private Long appid;
 	private int col;
+	@SafeHtml
 	private String headerText;
+	@SafeHtml
 	private String imageLink;
 	private int order;
 	private boolean restrictedApp;
 	private int row;
 	private int sizeX;
 	private int sizeY;
+	@SafeHtml
 	private String subHeaderText;
+	@SafeHtml
 	private String url;
 	private boolean addRemoveApps;
 	
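Review bot: `@SafeHtml` on `imageLink` and `url` only rejects disallowed HTML markup; a plain string with no tags passes, so it does not constrain the scheme or host a link field may carry, and those fields presumably end up in `href`/`src` attributes. For link fields a format constraint such as `@URL(protocol = "https")` or a `@Pattern` is the relevant check, with `@SafeHtml` kept for the free-text fields. `org.hibernate.validator.constraints.SafeHtml` also needs jsoup on the runtime classpath and has been deprecated in newer Hibernate Validator lines, so the version in use should be confirmed; the same applies to the annotations added in EPAppsSortPreference and EPWidgetsSortPreference.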
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java
index 85a6a03..796f67f 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java
@@ -37,10 +37,14 @@
  */
 package org.onap.portalapp.portal.transport;
 
+import org.hibernate.validator.constraints.SafeHtml;
+
 public class EPAppsSortPreference {
 	
 	private int index;
+	@SafeHtml
 	private String value;
+	@SafeHtml
 	private String title;
 	
 	public int getIndex() {
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java
index 03b7c14..e1f5c29 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java
@@ -38,15 +38,19 @@
 package org.onap.portalapp.portal.transport;
 
 import java.util.List;
+import org.hibernate.validator.constraints.SafeHtml;
 
 public class EPWidgetsSortPreference {
 	
 	private int SizeX;
 	private int SizeY;
+	@SafeHtml
 	private String headerText;
+	@SafeHtml
 	private String url;
 	private Long widgetid;
 	private List<Object> attrb;
+	@SafeHtml
 	private String widgetIdentifier;
 	private int row;
 	private int col;
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java
index 46a60c8..9fe3a88 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java
@@ -47,15 +47,25 @@
 
 @Component
 public class DataValidator {
-       private static final ValidatorFactory VALIDATOR_FACTORY  = Validation.buildDefaultValidatorFactory();
+       private volatile static ValidatorFactory VALIDATOR_FACTORY;
 
-       public <E> Set<ConstraintViolation<E>> getConstraintViolations(E classToValid){
+       public DataValidator() {
+              if (VALIDATOR_FACTORY == null) {
+                     synchronized (DataValidator.class) {
+                            if (VALIDATOR_FACTORY == null) {
+                                   VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
+                            }
+                     }
+              }
+       }
+
+       public <E> Set<ConstraintViolation<E>> getConstraintViolations(E classToValid) {
               Validator validator = VALIDATOR_FACTORY.getValidator();
               Set<ConstraintViolation<E>> constraintViolations = validator.validate(classToValid);
               return constraintViolations;
        }
 
-       public <E> boolean isValid(E classToValid){
+       public <E> boolean isValid(E classToValid) {
               Set<ConstraintViolation<E>> constraintViolations = getConstraintViolations(classToValid);
               return constraintViolations.isEmpty();
        }
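Review bot: Replacing the eager `private static final ValidatorFactory` with a `volatile static` field set by double-checked locking in the constructor adds concurrency subtlety for no benefit shown in the hunk: the factory is still built once per JVM, only now not before the first instance is constructed, `final` is lost, and the modifier order `private volatile static` is nonstandard (`private static volatile`). If the intent is to defer the initialization until first use, a lazy holder keeps it lock-free and final, `private static final class Holder { static final ValidatorFactory FACTORY = Validation.buildDefaultValidatorFactory(); }` with `Holder.FACTORY.getValidator()` in getConstraintViolations. That method can also `return validator.validate(classToValid);` directly instead of through a local.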
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java
index 4df1c2a..58745d2 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java
@@ -58,7 +58,6 @@
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
-import org.onap.portalapp.portal.controller.AppsController;
 import org.onap.portalapp.portal.core.MockEPUser;
 import org.onap.portalapp.portal.domain.AdminUserApplications;
 import org.onap.portalapp.portal.domain.AppIdAndNameTransportModel;
@@ -82,7 +81,6 @@
 import org.onap.portalapp.portal.transport.FieldsValidator;
 import org.onap.portalapp.portal.transport.LocalRole;
 import org.onap.portalapp.portal.transport.OnboardingApp;
-import org.onap.portalapp.portal.utils.EcompPortalUtils;
 import org.onap.portalapp.util.EPUserUtils;
 import org.onap.portalsdk.core.util.SystemProperties;
 import org.onap.portalsdk.core.web.support.AppUtils;
@@ -100,7 +98,7 @@
 public class AppsControllerTest extends MockitoTestSuite{
 
 	@InjectMocks
-	AppsController appsController = new AppsController();
+	AppsController appsController;
 
 	@Mock
 	AdminRolesService adminRolesService = new AdminRolesServiceImpl();
@@ -369,6 +367,38 @@
 	}
 
 	@Test
+	public void putUserAppsSortingManualXSSTest() {
+		EPUser user = mockUser.mockEPUser();
+		EPAppsManualPreference preference = new EPAppsManualPreference();
+		preference.setHeaderText("<script>alert(\"hellox worldss\");</script>");
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		List<EPAppsManualPreference> ePAppsManualPreference = new ArrayList<>();
+		FieldsValidator expectedFieldValidator = new FieldsValidator();
+		expectedFieldValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+		ePAppsManualPreference.add(preference);
+		Mockito.when(appService.saveAppsSortManual(ePAppsManualPreference, user)).thenReturn(expectedFieldValidator);
+		FieldsValidator actualFieldValidator = appsController.putUserAppsSortingManual(mockedRequest, ePAppsManualPreference,
+			mockedResponse);
+		assertEquals(actualFieldValidator, expectedFieldValidator);
+	}
+
+	@Test
+	public void putUserWidgetsSortManualXSSTest() {
+		EPUser user = mockUser.mockEPUser();
+		EPWidgetsSortPreference preference = new EPWidgetsSortPreference();
+		preference.setHeaderText("<script>alert(\"hellox worldss\");</script>");
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		List<EPWidgetsSortPreference> ePAppsManualPreference = new ArrayList<>();
+		FieldsValidator expectedFieldValidator = new FieldsValidator();
+		expectedFieldValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+		ePAppsManualPreference.add(preference);
+		Mockito.when(appService.saveWidgetsSortManual(ePAppsManualPreference, user)).thenReturn(expectedFieldValidator);
+		FieldsValidator actualFieldValidator = appsController.putUserWidgetsSortManual(mockedRequest, ePAppsManualPreference,
+			mockedResponse);
+		assertEquals(expectedFieldValidator, actualFieldValidator);
+	}
+
+	@Test
 	public void putUserAppsSortingManualExceptionTest() throws IOException {
 		EPUser user = mockUser.mockEPUser();
 		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
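Review bot: Both new tests stub `appService.saveAppsSortManual(...)` / `saveWidgetsSortManual(...)` to return the very `expectedFieldValidator` they then assert on, so the assertion holds whether the controller rejected the `<script>` payload itself or forwarded it untouched to the service; the test cannot show that validation happened (assuming FieldsValidator compares by value, which is not visible here). Drop the stubs and add `Mockito.verify(appService, Mockito.never()).saveAppsSortManual(Mockito.any(), Mockito.any());` (and the widgets equivalent) after the assertion so an unvalidated pass-through fails. The same pattern recurs in putUserWidgetsSortPrefXSSTest and putUserAppsSortingPreferenceXSSTest in the two following hunks. As a point of style, `assertEquals(actualFieldValidator, expectedFieldValidator)` reverses JUnit's (expected, actual) order and disagrees with the second test, and the widget test's list is named `ePAppsManualPreference` although it holds EPWidgetsSortPreference entries.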
@@ -404,7 +434,7 @@
 	}
 
 	@Test
-	public void putUserWidgetsSortPrefTest() throws IOException {
+	public void putUserWidgetsSortPrefTest() {
 		EPUser user = mockUser.mockEPUser();
 		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
 		List<EPWidgetsSortPreference> ePWidgetsSortPreference = new ArrayList<EPWidgetsSortPreference>();
@@ -421,6 +451,24 @@
 	}
 
 	@Test
+	public void putUserWidgetsSortPrefXSSTest() {
+		EPUser user = mockUser.mockEPUser();
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		List<EPWidgetsSortPreference> ePWidgetsSortPreference = new ArrayList<>();
+		EPWidgetsSortPreference preference = new EPWidgetsSortPreference();
+		preference.setHeaderText("<script>alert(\"hellox worldss\");</script>");
+		ePWidgetsSortPreference.add(preference);
+		FieldsValidator expectedFieldValidator = new FieldsValidator();
+		expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+		FieldsValidator actualFieldValidator;
+		Mockito.when(appService.deleteUserWidgetSortPref(ePWidgetsSortPreference, user))
+			.thenReturn(expectedFieldValidator);
+		actualFieldValidator = appsController.putUserWidgetsSortPref(mockedRequest, ePWidgetsSortPreference,
+			mockedResponse);
+		assertEquals(actualFieldValidator, expectedFieldValidator);
+	}
+
+	@Test
 	public void putUserWidgetsSortPrefExceptionTest() throws IOException {
 		EPUser user = mockUser.mockEPUser();
 		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
@@ -476,6 +524,23 @@
 	}
 
 	@Test
+	public void putUserAppsSortingPreferenceXSSTest() {
+		EPUser user = mockUser.mockEPUser();
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		EPAppsSortPreference userAppsValue = new EPAppsSortPreference();
+		userAppsValue.setTitle("</script><script>alert(1)</script>");
+		FieldsValidator expectedFieldValidator = new FieldsValidator();
+		expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+		expectedFieldValidator.setFields(null);
+		expectedFieldValidator.setErrorCode(null);
+		FieldsValidator actualFieldValidator;
+		Mockito.when(appService.saveAppsSortPreference(userAppsValue, user)).thenReturn(expectedFieldValidator);
+		actualFieldValidator = appsController.putUserAppsSortingPreference(mockedRequest, userAppsValue,
+			mockedResponse);
+		assertEquals(actualFieldValidator, expectedFieldValidator);
+	}
+
+	@Test
 	public void putUserAppsSortingPreferenceExceptionTest() throws IOException {
 		EPUser user = mockUser.mockEPUser();
 		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
deleted file mode 100644
index 703019f..0000000
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
+++ /dev/null
@@ -1,185 +0,0 @@
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * Modifications Copyright (c) 2019 Samsung
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- * 
- */
-
-package org.onap.portalapp.filter;
-
-import java.io.BufferedReader;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.nio.charset.StandardCharsets;
-import java.util.Enumeration;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ReadListener;
-import javax.servlet.ServletInputStream;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang.StringUtils;
-import org.apache.http.HttpStatus;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.springframework.web.filter.OncePerRequestFilter;
-
-public class SecurityXssFilter extends OncePerRequestFilter {
-
-	private EELFLoggerDelegate sxLogger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
-
-	private static final String APPLICATION_JSON = "application/json";
-
-	private static final String ERROR_BAD_REQUEST = "{\"error\":\"BAD_REQUEST\"}";
-
-	private SecurityXssValidator validator = SecurityXssValidator.getInstance();
-
-	public class RequestWrapper extends HttpServletRequestWrapper {
-
-		private ByteArrayOutputStream cachedBytes;
-
-		public RequestWrapper(HttpServletRequest request) {
-			super(request);
-		}
-
-		@Override
-		public ServletInputStream getInputStream() throws IOException {
-			if (cachedBytes == null)
-				cacheInputStream();
-
-			return new CachedServletInputStream();
-		}
-
-		@Override
-		public BufferedReader getReader() throws IOException {
-			return new BufferedReader(new InputStreamReader(getInputStream()));
-		}
-
-		private void cacheInputStream() throws IOException {
-			cachedBytes = new ByteArrayOutputStream();
-			IOUtils.copy(super.getInputStream(), cachedBytes);
-		}
-
-		public class CachedServletInputStream extends ServletInputStream {
-			private ByteArrayInputStream input;
-
-			public CachedServletInputStream() {
-				input = new ByteArrayInputStream(cachedBytes.toByteArray());
-			}
-
-			@Override
-			public int read() throws IOException {
-				return input.read();
-			}
-
-			@Override
-			public boolean isFinished() {
-				return false;
-			}
-
-			@Override
-			public boolean isReady() {
-				return false;
-			}
-
-			@Override
-			public void setReadListener(ReadListener readListener) {
-				// do nothing
-			}
-		}
-	}
-
-	@Override
-	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
-			throws IOException {
-		StringBuilder requestURL = new StringBuilder(request.getRequestURL().toString());
-		String queryString = request.getQueryString();
-		String requestUrl;
-
-		if (queryString == null) {
-			requestUrl = requestURL.toString();
-		} else {
-			requestUrl = requestURL.append('?').append(queryString).toString();
-		}
-
-		validateRequest(requestUrl, response);
-		StringBuilder headerValues = new StringBuilder();
-		Enumeration<String> headerNames = request.getHeaderNames();
-
-		while (headerNames.hasMoreElements()) {
-			String key = headerNames.nextElement();
-			String value = request.getHeader(key);
-			headerValues.append(value);
-		}
-
-		validateRequest(headerValues.toString(), response);
-
-		if (validateRequestType(request)) {
-			request = new RequestWrapper(request);
-			String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString());
-			validateRequest(requestData, response);
-		}
-
-		try {
-			filterChain.doFilter(request, response);
-		} catch (Exception e) {
-			sxLogger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e);
-			response.sendError(org.springframework.http.HttpStatus.BAD_REQUEST.value(), "Handling bad request");
-		}
-	}
-
-	private boolean validateRequestType(HttpServletRequest request) {
-		return (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")
-				|| request.getMethod().equalsIgnoreCase("DELETE"));
-	}
-	
-	private void validateRequest(String text, HttpServletResponse response) throws IOException {
-		try {
-			if (StringUtils.isNotBlank(text) && validator.denyXSS(text)) {
-				response.setContentType(APPLICATION_JSON);
-				response.setStatus(HttpStatus.SC_BAD_REQUEST);
-				response.getWriter().write(ERROR_BAD_REQUEST);
-				throw new SecurityException(ERROR_BAD_REQUEST);
-			}
-		} catch (Exception e) {
-			sxLogger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e);
-			response.getWriter().close();
-		}
-	}
-}
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java
deleted file mode 100644
index c203f1f..0000000
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java
+++ /dev/null
@@ -1,207 +0,0 @@
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- * 
- */
-package org.onap.portalapp.filter;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.concurrent.locks.Lock;
-import java.util.concurrent.locks.ReentrantLock;
-import java.util.regex.Pattern;
-
-import org.apache.commons.lang.NotImplementedException;
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.lang3.StringEscapeUtils;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.onap.portalsdk.core.util.SystemProperties;
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.codecs.Codec;
-import org.owasp.esapi.codecs.MySQLCodec;
-import org.owasp.esapi.codecs.MySQLCodec.Mode;
-import org.owasp.esapi.codecs.OracleCodec;
-
-public class SecurityXssValidator {
-
-	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
-
-	private static final String MYSQL_DB = "mysql";
-	private static final String ORACLE_DB = "oracle";
-	private static final String MARIA_DB = "mariadb";
-	private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
-	static SecurityXssValidator validator = null;
-	private static Codec instance;
-	private static final Lock lock = new ReentrantLock();
-
-	public static SecurityXssValidator getInstance() {
-
-		if (validator == null) {
-			lock.lock();
-			try {
-				if (validator == null)
-					validator = new SecurityXssValidator();
-			} finally {
-				lock.unlock();
-			}
-		}
-
-		return validator;
-	}
-
-	private SecurityXssValidator() {
-		// Avoid anything between script tags
-		XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS));
-
-		// avoid iframes
-		XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS));
-
-		// Avoid anything in a src='...' type of expression
-		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
-
-		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
-
-		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
-
-		// Remove any lonesome </script> tag
-		XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS));
-
-		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS));
-
-		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS));
-
-		// Remove any lonesome <script ...> tag
-		XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS));
-
-		// Avoid eval(...) expressions
-		XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS));
-
-		// Avoid expression(...) expressions
-		XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS));
-
-		// Avoid javascript:... expressions
-		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS));
-
-		// Avoid onload= expressions
-		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS));
-	}
-
-	private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
-
-	/**
-	 * * This method takes a string and strips out any potential script injections.
-	 * 
-	 * @param value
-	 * @return String - the new "sanitized" string.
-	 */
-	public String stripXSS(String value) {
-
-		try {
-
-			if (StringUtils.isNotBlank(value)) {
-
-				value = StringEscapeUtils.escapeHtml4(value);
-
-				value = ESAPI.encoder().canonicalize(value);
-
-				// Avoid null characters
-				value = value.replaceAll("\0", "");
-
-				for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
-					value = xssInputPattern.matcher(value).replaceAll("");
-				}
-			}
-
-		} catch (Exception e) {
-			logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e);
-		}
-
-		return value;
-	}
-
-	public Boolean denyXSS(String value) {
-		Boolean flag = Boolean.FALSE;
-		try {
-			if (StringUtils.isNotBlank(value)) {
-				value = ESAPI.encoder().canonicalize(value);
-				for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
-					if (xssInputPattern.matcher(value).matches()) {
-						flag = Boolean.TRUE;
-						break;
-					}
-
-				}
-			}
-
-		} catch (Exception e) {
-			logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e);
-		}
-
-		return flag;
-	}
-
-	public Codec getCodec() {
-		try {
-			if (null == instance) {
-				if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB)
-						|| StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
-								MARIA_DB)) {
-					instance = new MySQLCodec(Mode.STANDARD);
-
-				} else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
-						ORACLE_DB)) {
-					instance = new OracleCodec();
-				} else {
-					throw new NotImplementedException("Handling for data base \""
-							+ SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented.");
-				}
-			}
-
-		} catch (Exception ex) {
-			logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex);
-		}
-		return instance;
-
-	}
-
-	public List<Pattern> getXSS_INPUT_PATTERNS() {
-		return XSS_INPUT_PATTERNS;
-	}
-
-	public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) {
-		XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS;
-	}
-
-}
\ No newline at end of file
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
index 915c5e0..e109ef5 100644
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
@@ -47,8 +47,8 @@
 import javax.validation.Validation;
 import javax.validation.Validator;
 import javax.validation.ValidatorFactory;
+import lombok.NoArgsConstructor;
 import org.json.JSONObject;
-import org.onap.portalapp.portal.controller.AppsController;
 import org.onap.portalapp.portal.domain.EPUser;
 import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
 import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
@@ -61,6 +61,7 @@
 import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -69,27 +70,20 @@
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-@org.springframework.context.annotation.Configuration
+@Configuration
 @EnableAspectJAutoProxy
 @EPAuditLog
+@NoArgsConstructor
 public class AppsOSController extends AppsController {
 	private static final ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory();
 	
-	static final String FAILURE = "failure";
-	EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class);
+	private static final String FAILURE = "failure";
+	private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class);
 
 	@Autowired
-	AdminRolesService adminRolesService;
-	@Autowired
-	EPAppService appService;
-	@Autowired
-	PersUserAppService persUserAppService;
-	@Autowired
 	UserService userService;
 
-	
-	
-	/**
+       /**
 	 * Create new application's contact us details.
 	 * 
 	 * @param contactUs
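Review bot: The re-indented Javadoc opener `       /**` is space-indented while the surrounding lines and the rest of the file use tabs; it should be a single tab followed by `/**`. `@NoArgsConstructor` looks redundant here because no other constructor is declared, so the compiler already supplies the implicit one (unless the superclass constructor, which is outside this hunk, requires it for some other reason — worth confirming). `validatorFactory` is still built eagerly at class-load time on the unchanged line above, whereas DataValidator earlier in this commit moved to lazy initialisation; whichever is intended, the two should agree.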
@@ -102,9 +96,9 @@
 			return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, FAILURE,
 					"New User cannot be null or empty");
 		
-		if (!(adminRolesService.isSuperAdmin(user) || adminRolesService.isAccountAdmin(user))){
+		if (!(super.getAdminRolesService().isSuperAdmin(user) || super.getAdminRolesService().isAccountAdmin(user))){
 			if(!user.getLoginId().equalsIgnoreCase(newUser.getLoginId()))
-				return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, FAILURE,
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE,
 						"UnAuthorized");
 		}
 			
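Review bot: The `super.` qualifier on `super.getAdminRolesService()` is unnecessary for an inherited accessor and the accessor is evaluated twice in one condition; `if (!(getAdminRolesService().isSuperAdmin(user) || getAdminRolesService().isAccountAdmin(user))) {` reads as the inherited call it is, or better, fetch it once into a local before the check. The error return on the first context lines of this hunk still spells out `new PortalRestResponse<String>(...)` while the changed line below adopts the diamond, so the method is now mixed. The enclosing method starts outside this hunk.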
@@ -113,9 +107,9 @@
 		try {
 			saveNewUser = userService.saveNewUser(newUser,checkDuplicate);
 		} catch (Exception e) {
-			return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, saveNewUser, e.getMessage());
+			return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveNewUser, e.getMessage());
 		}
-		return new PortalRestResponse<String>(PortalRestStatusEnum.OK, saveNewUser, "");
+		return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveNewUser, "");
 	}
 	
 	@RequestMapping(value = { "/portalApi/currentUserProfile/{loginId}" }, method = RequestMethod.GET, produces = "application/json")
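Review bot: The rewritten catch around `userService.saveNewUser` still returns `e.getMessage()` verbatim to the REST caller and never logs the exception, so the stack trace is lost while whatever internal detail the service or persistence layer put in the message reaches the client. Log it through the class logger and return a fixed message: `logger.error(EELFLoggerDelegate.errorLogger, "saveNewUser failed", e);` then `return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveNewUser, "failed to save new user");`. The enclosing method begins outside this hunk.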
diff --git a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/filter/SecurityXssValidatorTest.java b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/filter/SecurityXssValidatorTest.java
deleted file mode 100644
index 7a4eac8..0000000
--- a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/filter/SecurityXssValidatorTest.java
+++ /dev/null
@@ -1,122 +0,0 @@
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- * 
- */
-package org.onap.portalapp.filter;
-
-import org.junit.Assert;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.InjectMocks;
-import org.mockito.Mockito;
-import org.onap.portalsdk.core.util.SystemProperties;
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.codecs.Codec;
-import org.powermock.api.mockito.PowerMockito;
-import org.powermock.core.classloader.annotations.PrepareForTest;
-import org.powermock.modules.junit4.PowerMockRunner;
-
-@RunWith(PowerMockRunner.class)
-@PrepareForTest({ESAPI.class, SystemProperties.class})
-public class SecurityXssValidatorTest {
-	@InjectMocks
-	SecurityXssValidator securityXssValidator;
-
-	@Test
-	public void stripXSSTest() {
-	 securityXssValidator=	SecurityXssValidator.getInstance();
-		String value ="Test";
-		securityXssValidator.stripXSS(value);
-	}
-	
-	@Test
-	public void testDenyXss() {
-	 securityXssValidator=	SecurityXssValidator.getInstance();
-		String value ="Test";
-		securityXssValidator.denyXSS(value);
-	}
-	
-	@Test
-		public void getCodecMySqlTest() {
-			PowerMockito.mockStatic(SystemProperties.class);
-			Mockito.when(SystemProperties.getProperty(SystemProperties.DB_DRIVER)).thenReturn("mysql");
-			SecurityXssValidator validator = SecurityXssValidator.getInstance();
-			Codec codec = validator.getCodec();
-			Assert.assertNotNull(codec);
-		}
-	
-	/*//@Test
-	public void stripXSSExceptionTest() {
-		String value ="Test";
-		SecurityXssValidator validator = SecurityXssValidator.getInstance();
-		String reponse = validator.stripXSS(value);
-		Assert.assertEquals(value, reponse);;
-	}
-	
-	//@Test
-	public void denyXSSTest() {
-		String value ="<script>Test</script>";
-		PowerMockito.mockStatic(ESAPI.class);
-		Encoder mockEncoder = Mockito.mock(Encoder.class);
-		Mockito.when(ESAPI.encoder()).thenReturn(mockEncoder);
-		Mockito.when(mockEncoder.canonicalize(value)).thenReturn(value);
-		SecurityXssValidator validator = SecurityXssValidator.getInstance();
-		Boolean flag = validator.denyXSS(value);
-		Assert.assertTrue(flag);
-	}
-	
-	//@Test
-	public void denyXSSFalseTest() {
-		String value ="test";
-		PowerMockito.mockStatic(ESAPI.class);
-		Encoder mockEncoder = Mockito.mock(Encoder.class);
-		Mockito.when(ESAPI.encoder()).thenReturn(mockEncoder);
-		Mockito.when(mockEncoder.canonicalize(value)).thenReturn(value);
-		SecurityXssValidator validator = SecurityXssValidator.getInstance();
-		Boolean flag = validator.denyXSS(value);
-		Assert.assertFalse(flag);
-	}
-
-	//@Test
-	public void getCodecMySqlTest() {
-		PowerMockito.mockStatic(SystemProperties.class);
-		Mockito.when(SystemProperties.getProperty(SystemProperties.DB_DRIVER)).thenReturn("mysql");
-		SecurityXssValidator validator = SecurityXssValidator.getInstance();
-		Codec codec = validator.getCodec();
-		Assert.assertNotNull(codec);
-	}*/
-				
-}
diff --git a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
index 15fe1dd..1083aed 100644
--- a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
+++ b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
@@ -41,10 +41,8 @@
 
 import java.util.ArrayList;
 import java.util.List;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
 import org.junit.Before;
 import org.junit.Ignore;
 import org.junit.Test;
@@ -52,7 +50,6 @@
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
-import org.onap.portalapp.portal.controller.AppsOSController;
 import org.onap.portalapp.portal.domain.EPUser;
 import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
 import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
@@ -87,7 +84,7 @@
 	}
 
 	@InjectMocks
-	AppsOSController appsOSController = new AppsOSController();
+	AppsOSController appsOSController;
 
 	MockitoTestSuite mockitoTestSuite = new MockitoTestSuite();