XSS Vulnerability fix in RoleManageController

[portal.git] / ecomp-portal-BE-common / src / main / java / org / onap / portalapp / portal / controller / RoleManageController.java

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/RoleManageController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/RoleManageController.java
index 4956e3f..3fda539 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/RoleManageController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/RoleManageController.java
@@ -4,6 +4,8 @@
  * ===================================================================
  * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
  * ===================================================================
+ * Modifications Copyright (c) 2019 Samsung
+ * ===================================================================
  *
  * Unless otherwise specified, all software contained herein is licensed
  * under the Apache License, Version 2.0 (the "License");
@@ -48,6 +50,11 @@ import java.util.TreeSet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import javax.validation.ConstraintViolation;
+import javax.validation.Valid;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
 import org.apache.commons.lang.StringUtils;
 import org.json.JSONObject;
 import org.onap.portalapp.controller.EPRestrictedBaseController;
@@ -77,6 +84,7 @@ import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
 import org.onap.portalapp.portal.utils.EcompPortalUtils;
 import org.onap.portalapp.portal.utils.PortalConstants;
 import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.domain.AuditLog;
 import org.onap.portalsdk.core.domain.Role;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
@@ -109,6 +117,8 @@ import com.fasterxml.jackson.databind.type.TypeFactory;
 @EnableAspectJAutoProxy
 @EPAuditLog
 public class RoleManageController extends EPRestrictedBaseController {
+       private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
+
        private static final String PIPE = "|";
 
        private static final String ROLE_INVALID_CHARS = "%=():,\"\"";
@@ -495,8 +505,17 @@ public class RoleManageController extends EPRestrictedBaseController {
        }
 
        @RequestMapping(value = { "/portalApi/role_function_list/saveRoleFunction/{appId}" }, method = RequestMethod.POST)
-       public PortalRestResponse<String> saveRoleFunction(HttpServletRequest request, HttpServletResponse response, @RequestBody CentralV2RoleFunction roleFunc,
+       public PortalRestResponse<String> saveRoleFunction(HttpServletRequest request, HttpServletResponse response, @Valid @RequestBody CentralV2RoleFunction roleFunc,
                        @PathVariable("appId") Long appId) throws Exception {
+               if (roleFunc!=null) {
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<CentralV2RoleFunction>> constraintViolations = validator.validate(roleFunc);
+
+                       if(!constraintViolations.isEmpty()){
+                               logger.error(EELFLoggerDelegate.errorLogger, "saveRoleFunction: Failed");
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Data is not valid", "ERROR");
+                       }
+               }
                EPUser user = EPUserUtils.getUserSession(request);
                boolean saveOrUpdateResponse = false;
                try {
@@ -592,6 +611,19 @@ public class RoleManageController extends EPRestrictedBaseController {
        public PortalRestResponse<String> removeRoleFunction(HttpServletRequest request, HttpServletResponse response,
                        @RequestBody String roleFunc, @PathVariable("appId") Long appId) throws Exception {
                EPUser user = EPUserUtils.getUserSession(request);
+
+               if (roleFunc!=null) {
+                       SecureString secureString = new SecureString(roleFunc);
+
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+
+                       if(!constraintViolations.isEmpty()){
+                               logger.error(EELFLoggerDelegate.errorLogger, "removeRoleFunction: Failed");
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Data is not valid", "ERROR");
+                       }
+               }
+
                try {
                        EPApp requestedApp = appService.getApp(appId);
                        if (isAuthorizedUser(user, requestedApp)) {
@@ -654,9 +686,21 @@ public class RoleManageController extends EPRestrictedBaseController {
 
        @RequestMapping(value = { "/portalApi/centralizedApps" }, method = RequestMethod.GET)
        public List<CentralizedApp> getCentralizedAppRoles(HttpServletRequest request, HttpServletResponse response, String userId) throws IOException {
+               if(userId!=null) {
+                       SecureString secureString = new SecureString(userId);
+
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+
+                       if(!constraintViolations.isEmpty()){
+                               logger.error(EELFLoggerDelegate.errorLogger, "removeRoleFunction: Failed");
+                               return null;
+                       }
+               }
+
                EPUser user = EPUserUtils.getUserSession(request);
                List<CentralizedApp> applicationsList = null;
-                       if (adminRolesService.isAccountAdmin(user) || adminRolesService.isSuperAdmin(user)) {
+                       if (adminRolesService.isAccountAdmin(user) || adminRolesService.isSuperAdmin(user) || adminRolesService.isRoleAdmin(user)) {
                                applicationsList = externalAccessRolesService.getCentralizedAppsOfUser(userId);
                        } else {
                                logger.info(EELFLoggerDelegate.auditLogger,
@@ -694,7 +738,7 @@ public class RoleManageController extends EPRestrictedBaseController {
                                externalAccessRolesService.syncApplicationRolesWithEcompDB(app);
                        } else {
                                logger.info(EELFLoggerDelegate.auditLogger,
-                                               "RoleManageController.syncRoles, Unauthorized user:" + user.getOrgUserId());
+                                               "RoleManageController.syncRoles, Unauthorized user:{}", user != null ? user.getOrgUserId() : "");
                                EcompPortalUtils.setBadPermissions(user, response, "createAdmin");
                                return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Unauthorized User", "Failure");
                        }
@@ -713,10 +757,10 @@ public class RoleManageController extends EPRestrictedBaseController {
                        EPApp app = appService.getApp(appId);
                        if (isAuthorizedUser(user, app)) {
                                fieldsValidation(app);
-                               externalAccessRolesService.syncRoleFunctionFromExternalAccessSystem(app);;
+                               externalAccessRolesService.syncRoleFunctionFromExternalAccessSystem(app);
                        } else {
                                logger.info(EELFLoggerDelegate.auditLogger,
-                                               "RoleManageController.syncFunctions, Unauthorized user:" + user.getOrgUserId());
+                                               "RoleManageController.syncFunctions, Unauthorized user:{}", user != null ? user.getOrgUserId() : "");
                                EcompPortalUtils.setBadPermissions(user, response, "createAdmin");
                                return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Unauthorized User", "Failure");
                        }
@@ -769,7 +813,7 @@ public class RoleManageController extends EPRestrictedBaseController {
                app.getUebKey();
                List<EPApp> appInfo = externalAccessRolesService.getApp(app.getUebKey());
                if(appInfo.isEmpty()){
-                       throw new InvalidApplicationException("Invalid uebkey");
+                       throw new InvalidApplicationException("Invalid credentials");
                }
                if(!appInfo.isEmpty() && EcompPortalUtils.checkIfRemoteCentralAccessAllowed() && appInfo.get(0).getCentralAuth()){
                        ResponseEntity<String> response = externalAccessRolesService.getNameSpaceIfExists(appInfo.get(0));
@@ -804,7 +848,7 @@ public class RoleManageController extends EPRestrictedBaseController {
                                logExterlaAuthRoleFunctionActivity(code , user, app, activityCode);
                        } else {
                                logger.info(EELFLoggerDelegate.auditLogger,
-                                               "RoleManageController.syncRoles, Unauthorized user:" + user.getOrgUserId());
+                                               "RoleManageController.syncRoles, Unauthorized user:{}", user != null ? user.getOrgUserId() : "");
                                EcompPortalUtils.setBadPermissions(user, response, "createAdmin");
                                return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Unauthorized User", "Failure");
                        }