From 0899720f168c09d037e577109d7cab665fe1fb91 Mon Sep 17 00:00:00 2001 From: vasraz Date: Tue, 4 Oct 2022 18:16:26 +0100 Subject: [PATCH] Fix bug 'X-Frame-Options not configured: Lack of clickjacking protection' Add new Filter (ContentSecurityPolicyHeaderFilter) Signed-off-by: Vasyl Razinkov Change-Id: Ic8151df64e4b95b3d59b44a5f74dd12210f55e87 Issue-ID: SDC-4192 --- .../recipes/BE_2_setup_configuration.rb | 1 + .../templates/default/BE-configuration.yaml.erb | 4 + .../filters/ContentSecurityPolicyHeaderFilter.java | 41 ++++++++ .../src/main/resources/config/configuration.yaml | 3 + catalog-be/src/main/webapp/WEB-INF/web.xml | 109 ++------------------- .../recipes/FE_2_setup_configuration.rb | 1 + .../templates/default/FE-configuration.yaml.erb | 3 + .../filters/ContentSecurityPolicyHeaderFilter.java | 40 ++++++++ catalog-fe/src/main/webapp/WEB-INF/web.xml | 27 ++--- .../org/openecomp/sdc/be/config/Configuration.java | 1 + .../ContentSecurityPolicyHeaderFilterAbstract.java | 55 +++++++++++ .../org/openecomp/sdc/fe/config/Configuration.java | 1 + .../src/main/webapp/WEB-INF/web.xml | 11 ++- .../src/main/webapp/WEB-INF/web.xml | 11 ++- .../recipes/ON_5_setup_configuration.rb | 5 +- .../templates/default/configuration.yaml.erb | 3 + openecomp-be/lib/openecomp-common-lib/pom.xml | 11 +++ .../filters/ContentSecurityPolicyHeaderFilter.java | 35 +++++++ utils/webseal-simulator/pom.xml | 12 +++ .../recipes/SDC_Simulator_2_setup_configuration.rb | 4 +- .../default/SDC-Simulator-webseal.conf.erb | 4 +- .../ContentSecurityPolicyHeaderFilter.java | 32 ++++++ .../openecomp/sdc/webseal/simulator/conf/Conf.java | 100 ++++++++----------- .../src/main/webapp/WEB-INF/web.xml | 11 ++- 24 files changed, 339 insertions(+), 186 deletions(-) create mode 100644 catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java create mode 100644 catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java create mode 100644 common-app-api/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilterAbstract.java create mode 100644 openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilter.java create mode 100644 utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb index 83dc113329..a1d0df5037 100644 --- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb +++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb @@ -64,6 +64,7 @@ template "catalog-be-config" do :cassandra_usr => node['cassandra'][:cassandra_user], :cassandra_truststore_password => node['cassandra'][:truststore_password], :cassandra_ssl_enabled => "#{ENV['cassandra_ssl_enabled']}", + :permittedAncestors => "#{ENV['permittedAncestors']}", :dmaap_active => node['DMAAP']['active'] }) end diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb index d1f3bd2c60..5706a16553 100644 --- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb +++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb @@ -1289,5 +1289,9 @@ externalCsarStore: secretKey: "password" tempPath: "/home/onap/temp/" uploadPartSize: 200000000 + #This configuration specifies the delimiter used to differentiate instance name and count componentInstanceCounterDelimiter: " " + +#Space separated list of permitted ancestors +permittedAncestors: <%= @permittedAncestors %> diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java new file mode 100644 index 0000000000..c9871c3c3a --- /dev/null +++ b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/ContentSecurityPolicyHeaderFilter.java @@ -0,0 +1,41 @@ +/* + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2022 Nordix Foundation. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.filters; + +import org.openecomp.sdc.be.config.Configuration; +import org.openecomp.sdc.be.config.ConfigurationManager; +import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract; + +public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract { + + @Override + protected String getPermittedAncestors() { + final ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager(); + if (configurationManager != null) { + final Configuration configuration = configurationManager.getConfiguration(); + if (configuration != null) { + return configuration.getPermittedAncestors(); + } + } + return ""; + } + +} diff --git a/catalog-be/src/main/resources/config/configuration.yaml b/catalog-be/src/main/resources/config/configuration.yaml index 20014dc7cb..c34d6742a1 100644 --- a/catalog-be/src/main/resources/config/configuration.yaml +++ b/catalog-be/src/main/resources/config/configuration.yaml @@ -927,3 +927,6 @@ directives: - selectable - substitute - substitutable + +#Space separated list of permitted ancestors +permittedAncestors: "" diff --git a/catalog-be/src/main/webapp/WEB-INF/web.xml b/catalog-be/src/main/webapp/WEB-INF/web.xml index 64763b27a8..7cbfd1a920 100644 --- a/catalog-be/src/main/webapp/WEB-INF/web.xml +++ b/catalog-be/src/main/webapp/WEB-INF/web.xml @@ -84,30 +84,6 @@ true - - - - - - - - - - - - - - - - - - - - - - - - ViewStatusMessages ch.qos.logback.classic.ViewStatusMessagesServlet @@ -129,35 +105,15 @@ /lbClassicStatus - - - - - - - - - - - + + contentSecurityPolicyHeaderFilter + org.openecomp.sdc.be.filters.ContentSecurityPolicyHeaderFilter + true + + + contentSecurityPolicyHeaderFilter + /* + gatewayFilter @@ -176,53 +132,6 @@ /sdc/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - reqValidationFilter diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb index 819638ac08..73176ed1c3 100644 --- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb +++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb @@ -13,6 +13,7 @@ template "catalog-fe-config" do :basic_auth_flag => node['basic_auth']['enabled'], :user_name => node['basic_auth'][:user_name], :user_pass => node['basic_auth'][:user_pass], + :permittedAncestors => "#{ENV['permittedAncestors']}", :dcae_fe_vip => node['DCAE_FE_VIP'] }) end diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb index 8dc3c51df3..1b10845aaa 100644 --- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb +++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb @@ -124,3 +124,6 @@ healthStatusExclude: - PORTAL - CATALOG_FACADE_MS - External API + +#Space separated list of permitted ancestors +permittedAncestors: <%= @permittedAncestors %> diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java new file mode 100644 index 0000000000..a49f625e54 --- /dev/null +++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java @@ -0,0 +1,40 @@ +/* + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2022 Nordix Foundation. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.fe.filters; + +import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract; +import org.openecomp.sdc.fe.config.Configuration; +import org.openecomp.sdc.fe.config.ConfigurationManager; + +public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract { + + @Override + protected String getPermittedAncestors() { + final ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager(); + if (configurationManager != null) { + final Configuration configuration = configurationManager.getConfiguration(); + if (configuration != null) { + return configuration.getPermittedAncestors(); + } + } + return ""; + } +} diff --git a/catalog-fe/src/main/webapp/WEB-INF/web.xml b/catalog-fe/src/main/webapp/WEB-INF/web.xml index de133ac8ec..895dfd8690 100644 --- a/catalog-fe/src/main/webapp/WEB-INF/web.xml +++ b/catalog-fe/src/main/webapp/WEB-INF/web.xml @@ -47,8 +47,6 @@ 1 true - - @@ -72,6 +70,15 @@ false + + contentSecurityPolicyHeaderFilter + org.openecomp.sdc.fe.filters.ContentSecurityPolicyHeaderFilter + true + + + contentSecurityPolicyHeaderFilter + /* + AuditLogServletFilter @@ -79,17 +86,6 @@ true - - - - - - - - - - - gzipFilter org.openecomp.sdc.fe.filters.GzipFilter @@ -101,11 +97,6 @@ /* - - - - - gzipFilter *.jsgz diff --git a/common-app-api/src/main/java/org/openecomp/sdc/be/config/Configuration.java b/common-app-api/src/main/java/org/openecomp/sdc/be/config/Configuration.java index 5a1eacdb58..da849f385c 100644 --- a/common-app-api/src/main/java/org/openecomp/sdc/be/config/Configuration.java +++ b/common-app-api/src/main/java/org/openecomp/sdc/be/config/Configuration.java @@ -147,6 +147,7 @@ public class Configuration extends BasicConfiguration { private ExternalCsarStore externalCsarStore; private CsarFormat csarFormat; private String componentInstanceCounterDelimiter; + private String permittedAncestors; // Space separated list of permitted ancestors @SuppressWarnings("unchecked") private Map safeGetCapsInsensitiveMap(Map map) { diff --git a/common-app-api/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilterAbstract.java b/common-app-api/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilterAbstract.java new file mode 100644 index 0000000000..1281f27a11 --- /dev/null +++ b/common-app-api/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilterAbstract.java @@ -0,0 +1,55 @@ +/* + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2022 Nordix Foundation. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.common.filters; + +import java.io.IOException; +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang3.StringUtils; + +public abstract class ContentSecurityPolicyHeaderFilterAbstract implements Filter { + + @Override + public void init(final FilterConfig filterConfig) throws ServletException { + // nothing to override + } + + @Override + public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException { + final HttpServletResponse httpServletResponse = (HttpServletResponse) response; + final String permittedAncestors = getPermittedAncestors(); + httpServletResponse.setHeader("Content-Security-Policy", + "frame-ancestors 'self' " + (StringUtils.isNotBlank(permittedAncestors) ? permittedAncestors : "")); + chain.doFilter(request, httpServletResponse); + } + + @Override + public void destroy() { + // nothing to override + } + + protected abstract String getPermittedAncestors(); +} diff --git a/common-app-api/src/main/java/org/openecomp/sdc/fe/config/Configuration.java b/common-app-api/src/main/java/org/openecomp/sdc/fe/config/Configuration.java index 322c57ccd6..279f183324 100644 --- a/common-app-api/src/main/java/org/openecomp/sdc/fe/config/Configuration.java +++ b/common-app-api/src/main/java/org/openecomp/sdc/fe/config/Configuration.java @@ -75,6 +75,7 @@ public class Configuration extends BasicConfiguration { private List> identificationHeaderFields; private List> optionalHeaderFields; private List forwardHeaderFields; + private String permittedAncestors; // Space separated list of permitted ancestors public Integer getHealthCheckSocketTimeoutInMs(int defaultVal) { return healthCheckSocketTimeoutInMs == null ? defaultVal : healthCheckSocketTimeoutInMs; diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml index 9191a35786..b51399ca54 100644 --- a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml +++ b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml @@ -4,7 +4,6 @@ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0"> - contextConfigLocation @@ -15,6 +14,16 @@ org.openecomp.server.listeners.OnboardingAppStartupListener + + contentSecurityPolicyHeaderFilter + org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter + true + + + contentSecurityPolicyHeaderFilter + /* + + cross-origin org.eclipse.jetty.servlets.CrossOriginFilter diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml index 3cbfb1325e..eb8bd9e93f 100644 --- a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml +++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml @@ -4,7 +4,6 @@ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0"> - contextConfigLocation @@ -25,6 +24,16 @@ org.openecomp.server.listeners.OnboardingAppStartupListener + + contentSecurityPolicyHeaderFilter + org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter + true + + + contentSecurityPolicyHeaderFilter + /* + + PermissionsFilter org.openecomp.sdc.itempermissions.servlet.PermissionsFilter diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb index 1cd2ed284f..526f2dd4b4 100644 --- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb +++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb @@ -23,12 +23,11 @@ template "onboard-be-config" do :catalog_notification_url => node['ONBOARDING_BE']['catalog_notification_url'], :catalog_be_http_port => node['BE'][:http_port], :catalog_be_ssl_port => node['BE'][:https_port], + :permittedAncestors => "#{ENV['permittedAncestors']}", :catalog_be_fqdn => node['Nodes']['BE'] }) end - - template "VnfrepoConfiguration" do path "#{ENV['JETTY_BASE']}/config/onboarding-be/config-vnfrepo.yaml" source "vnfrepo-configuration.yaml.erb" @@ -41,7 +40,6 @@ template "VnfrepoConfiguration" do }) end - template "HelmValidatorConfiguration" do path "#{ENV['JETTY_BASE']}/config/onboarding-be/config-helmvalidator.yaml" source "helmvalidator-configuration.yaml.erb" @@ -58,7 +56,6 @@ template "HelmValidatorConfiguration" do }) end - template "ExternalTestingConfiguration" do path "#{ENV['JETTY_BASE']}/config/onboarding-be/externaltesting-configuration.yaml" source "externaltesting-configuration.yaml.erb" diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb index ae07857585..93e0be9467 100644 --- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb +++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb @@ -69,3 +69,6 @@ externalCsarStore: thresholdEntries: 10000 tempPath: "/home/onap/temp/" uploadPartSize: 200000000 + +#Space separated list of permitted ancestors +permittedAncestors: <%= @permittedAncestors %> diff --git a/openecomp-be/lib/openecomp-common-lib/pom.xml b/openecomp-be/lib/openecomp-common-lib/pom.xml index 43ec9c25f6..cb41e44001 100644 --- a/openecomp-be/lib/openecomp-common-lib/pom.xml +++ b/openecomp-be/lib/openecomp-common-lib/pom.xml @@ -25,6 +25,17 @@ openecomp-sdc-datatypes-lib ${project.version} + + javax.servlet + javax.servlet-api + ${servlet-api.version} + provided + + + javax.inject + javax.inject + ${javax.inject.version} + javax.ws.rs javax.ws.rs-api diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilter.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilter.java new file mode 100644 index 0000000000..f7aa6f2da0 --- /dev/null +++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/ContentSecurityPolicyHeaderFilter.java @@ -0,0 +1,35 @@ +/* + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2022 Nordix Foundation. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.common.filters; + +import org.openecomp.sdc.common.CommonConfigurationManager; + +public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract { + + @Override + protected String getPermittedAncestors() { + final CommonConfigurationManager commonConfigurationManager = CommonConfigurationManager.getInstance(); + if (commonConfigurationManager != null) { + return commonConfigurationManager.getConfigValue("permittedAncestors", ""); + } + return ""; + } +} diff --git a/utils/webseal-simulator/pom.xml b/utils/webseal-simulator/pom.xml index 9aba026299..8b2fa980a8 100644 --- a/utils/webseal-simulator/pom.xml +++ b/utils/webseal-simulator/pom.xml @@ -22,6 +22,18 @@ + + org.openecomp.sdc + common-app-api + ${project.version} + compile + + + org.apache.httpcomponents + httpcore + + + javax.servlet javax.servlet-api diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb index 3769a1f723..9ee166364c 100644 --- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb +++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb @@ -6,7 +6,6 @@ else fe_url="http://#{node['Nodes']['FE']}:#{node['FE'][:http_port]}" end - template "webseal.conf" do path "#{ENV['JETTY_BASE']}/config/sdc-simulator/webseal.conf" source "SDC-Simulator-webseal.conf.erb" @@ -14,6 +13,7 @@ template "webseal.conf" do group "#{ENV['JETTY_GROUP']}" mode "0755" variables({ - :fe_url =>"#{fe_url}" + :fe_url =>"#{fe_url}", + :permittedAncestors => "#{ENV['permittedAncestors']}" }) end diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb index f6e634481f..f72c3ae270 100644 --- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb +++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-webseal.conf.erb @@ -2,6 +2,8 @@ webseal { fe="<%= @fe_url %>" portalCookieName="EPService" + #Space separated list of permitted ancestors + permittedAncestors="<%= @permittedAncestors %>" users = [ { userId="cs0008" @@ -9,7 +11,7 @@ firstName="Carlos" lastName="Santana" role="Designer" - email="csantana@sdc.com" + email="csantana@sdc.com" }, { userId="jh0003" diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java new file mode 100644 index 0000000000..ed4b4c1c39 --- /dev/null +++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/ContentSecurityPolicyHeaderFilter.java @@ -0,0 +1,32 @@ +/* + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2022 Nordix Foundation. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.webseal.simulator; + +import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract; +import org.openecomp.sdc.webseal.simulator.conf.Conf; + +public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract { + + @Override + protected String getPermittedAncestors() { + return Conf.getInstance().getPermittedAncestors(); + } +} diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java index 449fe62f49..eb498c975e 100644 --- a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java +++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -22,75 +22,59 @@ package org.openecomp.sdc.webseal.simulator.conf; import com.typesafe.config.Config; import com.typesafe.config.ConfigFactory; -import org.openecomp.sdc.webseal.simulator.User; - import java.io.File; import java.util.HashMap; import java.util.List; import java.util.Map; +import lombok.Getter; +import lombok.Setter; +import org.openecomp.sdc.webseal.simulator.User; +@Getter +@Setter public class Conf { - private static Conf conf = new Conf(); - private String feHost; - private Map users = new HashMap(); + private static Conf conf = new Conf(); + private String feHost; + private Map users = new HashMap(); private String portalCookieName; + private String permittedAncestors; // Space separated list of permitted ancestors - private void setPortalCookieName(String portalCookieName) { - this.portalCookieName = portalCookieName; + private Conf() { + initConf(); } - public String getPortalCookieName() { - return portalCookieName; - } + private void initConf() { + try { + String confPath = System.getProperty("config.resource"); + if (confPath == null) { + System.out.println("config.resource is empty - goint to get it from config.home"); + confPath = System.getProperty("config.home") + "/webseal.conf"; + } + System.out.println("confPath=" + confPath); + final Config confFile = ConfigFactory.parseFileAnySyntax(new File(confPath)); + final Config resolve = confFile.resolve(); + setFeHost(resolve.getString("webseal.fe")); + setPortalCookieName(resolve.getString("webseal.portalCookieName")); + final List list = resolve.getConfigList("webseal.users"); - private Conf(){ - initConf(); - } - - private void initConf() { - try{ - String confPath = System.getProperty("config.resource"); - if (confPath == null){ - System.out.println("config.resource is empty - goint to get it from config.home"); - confPath = System.getProperty("config.home") + "/webseal.conf"; - } - System.out.println("confPath=" + confPath ); - Config confFile = ConfigFactory.parseFileAnySyntax(new File(confPath)); - Config resolve = confFile.resolve(); - setFeHost(resolve.getString("webseal.fe")); - setPortalCookieName(resolve.getString("webseal.portalCookieName")); - List list = resolve.getConfigList("webseal.users"); + for (final Config config : list) { + String userId = config.getString("userId"); + String password = config.getString("password"); + String firstName = config.getString("firstName"); + String lastName = config.getString("lastName"); + String email = config.getString("email"); + String role = config.getString("role"); + users.put(userId, new User(firstName, lastName, email, userId, role, password)); + } - for (Config conf : list ){ - String userId = conf.getString("userId"); - String password = conf.getString("password"); - String firstName = conf.getString("firstName"); - String lastName = conf.getString("lastName"); - String email = conf.getString("email"); - String role = conf.getString("role"); - users.put(userId,new User(firstName,lastName,email,userId,role,password)); - } - - }catch(Exception e){ - e.printStackTrace(); - } - } - - public static Conf getInstance(){ - return conf; - } + } catch (Exception e) { + e.printStackTrace(); + } + } - public String getFeHost() { - return feHost; - } + public static Conf getInstance() { + return conf; + } - public void setFeHost(String feHost) { - this.feHost = feHost; - } - - public Map getUsers() { - return users; - } - } diff --git a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml index a293d3c883..c23e265aae 100644 --- a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml +++ b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml @@ -38,9 +38,18 @@ /create + + contentSecurityPolicyHeaderFilter + org.openecomp.sdc.webseal.simulator.ContentSecurityPolicyHeaderFilter + true + + + contentSecurityPolicyHeaderFilter + /* + + login - -- 2.16.6