# AAF config
org.onap.dmaap.datarouter.provserver.cadi.enabled = false
-org.onap.dmaap.datarouter.provserver.passwordencryption = PasswordEncryptionKey#@$%^&1234#
org.onap.dmaap.datarouter.provserver.aaf.feed.type = org.onap.dmaap-dr.feed
org.onap.dmaap.datarouter.provserver.aaf.sub.type = org.onap.dmaap-dr.sub
org.onap.dmaap.datarouter.provserver.aaf.instance = legacy
import com.att.eelf.configuration.EELFManager;
import java.net.InetAddress;
import java.net.UnknownHostException;
-import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;
import org.jetbrains.annotations.Nullable;
import org.json.JSONArray;
import org.onap.dmaap.datarouter.provisioning.beans.Parameters;
import org.onap.dmaap.datarouter.provisioning.beans.Subscription;
import org.onap.dmaap.datarouter.provisioning.beans.Updateable;
-import org.onap.dmaap.datarouter.provisioning.utils.PasswordProcessor;
import org.onap.dmaap.datarouter.provisioning.utils.Poker;
import org.onap.dmaap.datarouter.provisioning.utils.ProvDbUtils;
import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask;
static final String START_TIME = "start_time";
static final String END_TIME = "end_time";
static final String REASON_SQL = "reasonSQL";
+ static final String JSON_HASH_STRING = "password";
/**
* A boolean to trigger one time "provisioning changed" event on startup.
try {
jo = new JSONObject(new JSONTokener(req.getInputStream()));
if (intlogger.isDebugEnabled()) {
- intlogger.debug("JSON: " + jo.toString());
+ intlogger.debug("JSON: " + hashPasswords(new JSONObject(jo.toString())).toString());
}
} catch (Exception e) {
intlogger.info("Error reading JSON: " + e);
return jo;
}
- /**
- * This method encrypt/decrypt the key in the JSON passed by user request inside the authorisation
- * header object in request before logging the JSON.
- *
- * @param jo the JSON passed in http request.
- * @param maskKey the key to be masked in the JSON passed.
- * @param action whether to mask the key or unmask it in a JSON passed.
- * @return the JSONObject, or null if the stream cannot be parsed.
- */
- static JSONObject maskJSON(JSONObject jo, String maskKey, boolean action) {
+ public static JSONObject hashPasswords(JSONObject jo) {
if (!jo.isNull("authorization")) {
JSONArray endpointIds = jo.getJSONObject("authorization").getJSONArray("endpoint_ids");
for (int index = 0; index < endpointIds.length(); index++) {
- if ((!endpointIds.getJSONObject(index).isNull(maskKey))) {
- String password = endpointIds.getJSONObject(index).get(maskKey).toString();
- processPassword(maskKey, action, endpointIds, index, password);
+ if ((!endpointIds.getJSONObject(index).isNull(JSON_HASH_STRING))) {
+ String password = endpointIds.getJSONObject(index).get(JSON_HASH_STRING).toString();
+ processPassword(endpointIds, index, password);
}
}
}
+ if (!jo.isNull("delivery")) {
+ JSONObject deliveryObj = jo.getJSONObject("delivery");
+ String password = deliveryObj.get(JSON_HASH_STRING).toString();
+ processPassword(deliveryObj, password);
+ }
return jo;
}
- private static void processPassword(String maskKey, boolean action, JSONArray endpointIds, int index,
- String password) {
+ private static void processPassword(JSONArray endpointIds, int index, String password) {
try {
- if (action) {
- endpointIds.getJSONObject(index).put(maskKey, PasswordProcessor.encrypt(password));
- } else {
- endpointIds.getJSONObject(index).put(maskKey, PasswordProcessor.decrypt(password));
- }
- } catch (JSONException | GeneralSecurityException e) {
- intlogger.info("Error reading JSON while masking: " + e);
+ endpointIds.getJSONObject(index).put(JSON_HASH_STRING, DigestUtils.sha256Hex(password));
+ } catch (JSONException e) {
+ intlogger.info("Error reading JSON while hashing: " + e);
+ }
+ }
+
+ private static void processPassword(JSONObject deliveryObj, String password) {
+ try {
+ deliveryObj.put(JSON_HASH_STRING, DigestUtils.sha256Hex(password));
+ } catch (JSONException e) {
+ intlogger.info("Error reading JSON while hashing: " + e);
}
}
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.json.JSONObject;
-
import org.onap.dmaap.datarouter.authz.AuthorizationResponse;
import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.Feed;
sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
- if (intlogger.isDebugEnabled()) {
- intlogger.debug(jo.toString());
- }
if (++activeFeeds > maxFeeds) {
activeFeeds--;
message = "Cannot create feed; the maximum number of feeds has been configured.";
import javax.servlet.http.HttpServletResponse;
import org.json.JSONException;
import org.json.JSONObject;
-
import org.onap.dmaap.datarouter.authz.AuthorizationResponse;
import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.Feed;
sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
- if (intlogger.isDebugEnabled()) {
- intlogger.debug(jo.toString());
- }
Feed feed;
try {
feed = new Feed(jo);
sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
- if (intlogger.isDebugEnabled()) {
- intlogger.debug(jo.toString());
- }
Group gup;
try {
gup = new Group(jo);
sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
- if (intlogger.isDebugEnabled()) {
- intlogger.debug(jo.toString());
- }
-
Group gup;
try {
gup = new Group(jo);
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.Properties;
-
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-
import org.json.JSONArray;
-import org.onap.dmaap.datarouter.provisioning.utils.Poker;
-import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask;
import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.LogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.Parameters;
import org.onap.dmaap.datarouter.provisioning.eelf.EelfMsgs;
import org.onap.dmaap.datarouter.provisioning.utils.LogfileLoader;
+import org.onap.dmaap.datarouter.provisioning.utils.Poker;
import org.onap.dmaap.datarouter.provisioning.utils.RLEBitSet;
+import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask;
if ("/logs".equals(path) || LOGS.equals(path)) {
String ctype = req.getHeader("Content-Type");
- if (ctype == null || !TEXT_CT.equals(ctype)) {
+ if (!TEXT_CT.equals(ctype)) {
elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
elr.setMessage("Bad media type: " + ctype);
resp.setStatus(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
}
try {
fs.close();
- } catch (Exception e) {
+ } catch (UnsupportedOperationException | IOException e) {
intlogger.error("PROV0137 InternalServlet.doPost: " + e.getMessage(), e);
}
if (total != 0 && ((avail * 100) / total) < 5) {
if ("/drlogs".equals(path) || "/drlogs/".equals(path)) {
// Receive post request and generate log entries
String ctype = req.getHeader("Content-Type");
- if (ctype == null || !TEXT_CT.equals(ctype)) {
+ if (!TEXT_CT.equals(ctype)) {
elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
elr.setMessage("Bad media type: " + ctype);
resp.setStatus(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.json.JSONObject;
-
import org.onap.dmaap.datarouter.authz.AuthorizationResponse;
import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.Feed;
sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
- if (intlogger.isDebugEnabled()) {
- intlogger.debug(jo.toString());
- }
if (++activeSubs > maxSubs) {
activeSubs--;
message = "Cannot create subscription; the maximum number of subscriptions has been configured.";
import org.json.JSONException;\r
import org.json.JSONObject;\r
import org.onap.dmaap.datarouter.authz.AuthorizationResponse;\r
-import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask;\r
import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;\r
import org.onap.dmaap.datarouter.provisioning.beans.Subscription;\r
import org.onap.dmaap.datarouter.provisioning.eelf.EelfMsgs;\r
+import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask;\r
\r
/**\r
* This servlet handles provisioning for the <subscriptionURL> which is generated by the provisioning server to\r
sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);\r
return;\r
}\r
- if (intlogger.isDebugEnabled()) {\r
- intlogger.debug(jo.toString());\r
- }\r
- Subscription sub = null;\r
+ Subscription sub;\r
try {\r
sub = new Subscription(jo);\r
} catch (InvalidObjectException e) {\r
if (fid.getId().length() > 60) {\r
throw new InvalidObjectException("id field is too long (" + fid.getId() + ")");\r
}\r
- if (fid.getPassword().length() > 32) {\r
+ if (fid.getPassword().length() > 100) {\r
//Fortify scan fixes - Privacy Violation\r
throw new InvalidObjectException("password field is too long (" + fid.getPassword() + ")");\r
}\r
+++ /dev/null
-/**\r
- * -\r
- * ============LICENSE_START=======================================================\r
- * Copyright (C) 2019 Nordix Foundation.\r
- * ================================================================================\r
- * Licensed under the Apache License, Version 2.0 (the "License");\r
- * you may not use this file except in compliance with the License.\r
- * You may obtain a copy of the License at\r
- *\r
- * <p>http://www.apache.org/licenses/LICENSE-2.0\r
- *\r
- * <p>* Unless required by applicable law or agreed to in writing, software\r
- * distributed under the License is distributed on an "AS IS" BASIS,\r
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * See the License for the specific language governing permissions and\r
- * limitations under the License.\r
- *\r
- * <p>* SPDX-License-Identifier: Apache-2.0\r
- * ============LICENSE_END=========================================================\r
- */\r
-\r
-package org.onap.dmaap.datarouter.provisioning.utils;\r
-\r
-import java.nio.charset.StandardCharsets;\r
-import java.security.GeneralSecurityException;\r
-import java.util.Base64;\r
-\r
-import javax.crypto.Cipher;\r
-import javax.crypto.SecretKey;\r
-import javax.crypto.SecretKeyFactory;\r
-import javax.crypto.spec.PBEKeySpec;\r
-import javax.crypto.spec.PBEParameterSpec;\r
-import org.onap.dmaap.datarouter.provisioning.ProvRunner;\r
-\r
-/**\r
- * The Processing of a Password. Password can be encrypted and decrypted.\r
- * @author Vikram Singh\r
- * @version $Id: PasswordProcessor.java,v 1.0 2016/12/14 10:16:52 EST\r
- */\r
-public class PasswordProcessor {\r
-\r
- private static final String SECRET_KEY_FACTORY_TYPE = "PBEWithMD5AndDES";\r
- private static final String PASSWORD_ENCRYPTION_STRING =\r
- ProvRunner.getProvProperties().getProperty("org.onap.dmaap.datarouter.provserver.passwordencryption");\r
- private static final char[] PASSWORD = PASSWORD_ENCRYPTION_STRING.toCharArray();\r
- private static final byte[] SALT = {(byte) 0xde, (byte) 0x33, (byte) 0x10,\r
- (byte) 0x12, (byte) 0xde, (byte) 0x33, (byte) 0x10, (byte) 0x12,};\r
-\r
- private PasswordProcessor(){\r
- }\r
-\r
- /**\r
- * Encrypt password.\r
- * @param property the Password\r
- * @return Encrypted password.\r
- */\r
- public static String encrypt(String property) throws GeneralSecurityException {\r
- SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(SECRET_KEY_FACTORY_TYPE);\r
- SecretKey key = keyFactory.generateSecret(new PBEKeySpec(PASSWORD));\r
- Cipher pbeCipher = Cipher.getInstance(SECRET_KEY_FACTORY_TYPE);\r
- pbeCipher.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(SALT, 32));\r
- return Base64.getEncoder().encodeToString(pbeCipher.doFinal(property.getBytes(StandardCharsets.UTF_8)));\r
- }\r
-\r
- /**\r
- * Decrypt password.\r
- * @param property the Password\r
- * @return Decrypt password.\r
- */\r
- public static String decrypt(String property) throws GeneralSecurityException {\r
- SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(SECRET_KEY_FACTORY_TYPE);\r
- SecretKey key = keyFactory.generateSecret(new PBEKeySpec(PASSWORD));\r
- Cipher pbeCipher = Cipher.getInstance(SECRET_KEY_FACTORY_TYPE);\r
- pbeCipher.init(Cipher.DECRYPT_MODE, key, new PBEParameterSpec(SALT, 32));\r
- return new String(pbeCipher.doFinal(Base64.getDecoder().decode(property)), StandardCharsets.UTF_8);\r
- }\r
-\r
-}\r
# AAF config
org.onap.dmaap.datarouter.provserver.cadi.enabled = false
-org.onap.dmaap.datarouter.provserver.passwordencryption = PasswordEncryptionKey#@$%^&1234#
org.onap.dmaap.datarouter.provserver.aaf.feed.type = org.onap.dmaap-dr.feed
org.onap.dmaap.datarouter.provserver.aaf.sub.type = org.onap.dmaap-dr.sub
org.onap.dmaap.datarouter.provserver.aaf.instance = legacy
package org.onap.dmaap.datarouter.provisioning;
-import java.security.NoSuchAlgorithmException;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.nullValue;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotEquals;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertThat;
+import static org.mockito.Matchers.anyInt;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.powermock.api.mockito.PowerMockito.mockStatic;
+
+import java.util.HashSet;
+import java.util.Set;
+import java.util.UUID;
import javax.crypto.SecretKeyFactory;
+import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.reflect.FieldUtils;
import org.json.JSONObject;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
-import org.mockito.Mockito;
import org.onap.dmaap.datarouter.provisioning.beans.Feed;
import org.onap.dmaap.datarouter.provisioning.beans.FeedAuthorization;
import org.onap.dmaap.datarouter.provisioning.beans.Group;
import org.powermock.modules.junit4.PowerMockRunner;
import org.slf4j.MDC;
-import javax.servlet.http.HttpServletRequest;
-import java.util.HashSet;
-import java.util.Set;
-import java.util.UUID;
-
-import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.nullValue;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertThat;
-import static org.mockito.Matchers.anyInt;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-import static org.powermock.api.mockito.PowerMockito.mockStatic;
-
@RunWith(PowerMockRunner.class)
@SuppressStaticInitializationFor({"org.onap.dmaap.datarouter.provisioning.beans.Feed",
"org.onap.dmaap.datarouter.provisioning.beans.Subscription",
Assert.assertEquals("456", MDC.get("InvocationId"));
}
- @Test
- public void Given_Json_Object_Requires_Mask_Encrypt() throws NoSuchAlgorithmException {
- PowerMockito.mockStatic(SecretKeyFactory.class);
- SecretKeyFactory secretKeyFactory = PowerMockito.mock(SecretKeyFactory.class);
- PowerMockito.when(SecretKeyFactory.getInstance(Mockito.anyString())).thenReturn(secretKeyFactory);
- BaseServlet.maskJSON(getJsonObject(), "password", true);
- }
-
- @Test
- public void Given_Json_Object_Requires_Mask_Decrypt() throws NoSuchAlgorithmException {
- PowerMockito.mockStatic(SecretKeyFactory.class);
- SecretKeyFactory secretKeyFactory = PowerMockito.mock(SecretKeyFactory.class);
- PowerMockito.when(SecretKeyFactory.getInstance(Mockito.anyString())).thenReturn(secretKeyFactory);
- BaseServlet.maskJSON(getJsonObject(), "password", false);
- }
-
- public JSONObject getJsonObject() {
+ public JSONObject getFeedJsonObject() {
return new JSONObject("{\"authorization\": {\n" + " \"endpoint_addrs\": [\n" + " ],\n"
+ " \"classification\": \"unclassified\",\n"
+ " \"endpoint_ids\": [\n" + " {\n"
+ " \"id\": \"onap\"\n" + " }\n" + " ]\n" + " }}");
}
+ public JSONObject getSubJsonObject() {
+ return new JSONObject("{\"delivery\": {\"url\": \"http://172.18.0.3:7070/\", \"user\": "
+ + "\"LOGIN\", \"password\": \"PASSWORD\", \"use100\": true}, \"metadataOnly\": false, "
+ + "\"suspend\": false, \"groupid\": 29, \"subscriber\": \"sg481n\"}");
+ }
+
+ @Test
+ public void Given_Debug_Is_Enabled_Hash_Feed_Passwords_Successful() {
+ JSONObject hashed_feed_pass = BaseServlet.hashPasswords(getFeedJsonObject());
+ assertNotEquals(hashed_feed_pass.getJSONObject("authorization").getJSONArray("endpoint_ids")
+ .getJSONObject(0).get("password").toString(), "demo123456!");
+
+ }
+
+ @Test
+ public void Given_Debug_Is_Enabled_Hash_Sub_Passwords_Successful() {
+ JSONObject hashed_sub_pass = BaseServlet.hashPasswords(getSubJsonObject());
+ assertNotEquals(hashed_sub_pass.getJSONObject("delivery").get("password").toString(), "PASSWORD");
+
+ }
+
@Test
public void Given_BaseServlet_Verify_Cadi_Feed_Permission() {
assertEquals("org.onap.dmaap-dr.feed|legacy|publish", baseServlet.getFeedPermission("legacy", "publish"));
props.setProperty("org.onap.dmaap.datarouter.provserver.accesslog.dir", "unit-test-logs");
props.setProperty("org.onap.dmaap.datarouter.provserver.spooldir", "unit-test-logs/spool");
props.setProperty("org.onap.dmaap.datarouter.provserver.https.relaxation", "false");
- props.setProperty("org.onap.dmaap.datarouter.provserver.passwordencryption", "PasswordEncryptionKey#@$%^&1234#");
FieldUtils.writeDeclaredStaticField(ProvRunner.class, "provProperties", props, true);
FieldUtils.writeDeclaredStaticField(BaseServlet.class, "startmsgFlag", false, true);
SynchronizerTask synchronizerTask = mock(SynchronizerTask.class);
import org.onap.dmaap.datarouter.provisioning.beans.SubDelivery;
import org.onap.dmaap.datarouter.provisioning.beans.Subscription;
import org.onap.dmaap.datarouter.provisioning.beans.Updateable;
-import org.onap.dmaap.datarouter.provisioning.utils.PasswordProcessor;
import org.onap.dmaap.datarouter.provisioning.utils.Poker;
import org.onap.dmaap.datarouter.provisioning.utils.ProvDbUtils;
import org.powermock.api.mockito.PowerMockito;
@RunWith(PowerMockRunner.class)
-@PrepareForTest(PasswordProcessor.class)
public class SubscriptionServletTest extends DrServletTestBase {
private static EntityManagerFactory emf;
private static EntityManager em;
when(request.getHeader("Content-Type")).thenReturn("application/vnd.dmaap-dr.subscription; version=1.0");
when(request.getPathInfo()).thenReturn("/3");
when(request.isUserInRole("org.onap.dmaap-dr.sub|*|edit")).thenReturn(true);
- PowerMockito.mockStatic(PasswordProcessor.class);
JSONObject JSObject = buildRequestJsonObject();
SubscriptionServlet subscriptionServlet = new SubscriptionServlet() {
public JSONObject getJSONfromInput(HttpServletRequest req) {
when(response.getOutputStream()).thenReturn(outStream);
when(request.getHeader("X-DMAAP-DR-ON-BEHALF-OF-GROUP")).thenReturn("stub_subjectGroup");
when(request.getHeader("Content-Type")).thenReturn("application/vnd.dmaap-dr.subscription; version=1.0");
- PowerMockito.mockStatic(PasswordProcessor.class);
JSONObject JSObject = buildRequestJsonObject();
SubscriptionServlet subscriptionServlet = new SubscriptionServlet() {
public JSONObject getJSONfromInput(HttpServletRequest req) {
org.onap.dmaap.datarouter.provserver.spooldir = src/test/resources
org.onap.dmaap.datarouter.provserver.dbscripts = src/test/resources
org.onap.dmaap.datarouter.provserver.localhost = 127.0.0.1
-org.onap.dmaap.datarouter.provserver.passwordencryption = PasswordEncryptionKey#@$%^&1234#
\ No newline at end of file
Code Review / dmaap / datarouter.git / commitdiff