X-Git-Url: https://gerrit.onap.org/r/gitweb?p=policy%2Fengine.git;a=blobdiff_plain;f=ONAP-PAP-REST%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Fpolicy%2Fpap%2Fxacml%2Frest%2FXACMLPapServlet.java;h=bedc212a20eacbbd31b4a2d796d8df39b22e04a4;hp=b43254e51345d151c882f1f9ec549ee08fe99a27;hb=e5c628fee6a6e6bb57a34d5b73e092d89ee26a5c;hpb=321417267ab93b0a8f0244aef07c45cdc37dbef4

diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java
index b43254e51..bedc212a2 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java
@@ -64,6 +64,7 @@ import org.onap.policy.common.ia.IntegrityAudit;
 import org.onap.policy.common.im.AdministrativeStateException;
 import org.onap.policy.common.im.ForwardProgressException;
 import org.onap.policy.common.im.IntegrityMonitor;
+import org.onap.policy.common.im.IntegrityMonitorException;
 import org.onap.policy.common.im.IntegrityMonitorProperties;
 import org.onap.policy.common.im.StandbyStatusException;
 import org.onap.policy.common.logging.ONAPLoggingContext;
@@ -81,6 +82,7 @@ import org.onap.policy.pap.xacml.restAuth.CheckPDP;
 import org.onap.policy.rest.XACMLRest;
 import org.onap.policy.rest.XACMLRestProperties;
 import org.onap.policy.rest.dao.PolicyDBException;
+import org.onap.policy.utils.CryptoUtils;
 import org.onap.policy.utils.PolicyUtils;
 import org.onap.policy.xacml.api.XACMLErrorConstants;
 import org.onap.policy.xacml.api.pap.ONAPPapEngineFactory;
@@ -121,6 +123,11 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 	private static final String AUDIT_PAP_PERSISTENCE_UNIT = "auditPapPU";
 	// Client Headers. 
 	private static final String ENVIRONMENT_HEADER = "Environment";
+	private static final String ADD_GROUP_ERROR = "addGroupError";
+	private static final String PERSISTENCE_JDBC_PWD = "javax.persistence.jdbc.password";
+	
+	private static final String REGEX = "[0-9a-zA-Z._ ]*";
+	
 	/*
 	 * List of Admin Console URLs.
 	 * Used to send notifications when configuration changes.
@@ -235,7 +242,6 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 					+ "\n   papDbDriver = " + papDbDriver
 					+ "\n   papDbUrl = " + papDbUrl
 					+ "\n   papDbUser = " + papDbUser
-					+ "\n   papDbPassword = " + papDbPassword
 					+ "\n   papTransWait = " + papTransWait
 					+ "\n   papTransTimeout = " + papTransTimeout
 					+ "\n   papAuditTimeout = " + papAuditTimeout
@@ -267,6 +273,9 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 				throw new ServletException(e.getMessage(), e.getCause());
 			}
 			// Create an IntegrityMonitor
+			if(properties.getProperty(PERSISTENCE_JDBC_PWD) != null ){
+				properties.setProperty(PERSISTENCE_JDBC_PWD, CryptoUtils.decryptTxtNoExStr(properties.getProperty(PERSISTENCE_JDBC_PWD, "")));
+			}
 			im = IntegrityMonitor.getInstance(papResourceName,properties);
 			// Create an IntegrityAudit
 			ia = new IntegrityAudit(papResourceName, AUDIT_PAP_PERSISTENCE_UNIT, properties);
@@ -434,7 +443,7 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
             throw new PAPException("papDbUser is null");
         }
         setPapDbUser(papDbUser);
-        papDbPassword = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_DB_PASSWORD);
+        papDbPassword = CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_DB_PASSWORD, ""));
         if(papDbPassword == null){
             PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE,"XACMLPapServlet", " ERROR: Bad papDbPassword property entry");
             throw new PAPException("papDbPassword is null");
@@ -530,7 +539,7 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 		} catch (AdministrativeStateException ae){
 			String message = "POST interface called for PAP " + papResourceName + " but it has an Administrative"
 					+ " state of " + im.getStateManager().getAdminState()
-					+ "\n Exception Message: " + ae.getMessage();
+					+ "\n Exception Message: " +  PolicyUtils.CATCH_EXCEPTION;
 			LOGGER.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message, ae);
 			loggingContext.metricEnded();
 			PolicyLogger.metrics("XACMLPapServlet doPost im startTransaction");
@@ -549,6 +558,16 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 			PolicyLogger.audit("Transaction Failed - See Error.log");
 			setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
 			return;
+		} catch (IntegrityMonitorException e) {
+			String message = "POST interface called for PAP " + papResourceName + " but an exception occurred"
+					+ "\n Exception Message: " + e.getMessage();
+			LOGGER.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message, e);
+			loggingContext.metricEnded();
+			PolicyLogger.metrics("XACMLPapServlet doPost im startTransaction");
+			loggingContext.transactionEnded();
+			PolicyLogger.audit("Transaction Failed - See Error.log");
+			setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
+			return;
 		}
 		try {
 			loggingContext.metricStarted();
@@ -750,7 +769,9 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 
 	private void setResponseError(HttpServletResponse response,int responseCode, String message) {
 	    try {
-            response.sendError(responseCode, message);
+	    	if(message != null && !message.isEmpty()){
+	               response.sendError(responseCode, message);
+	    	}
         } catch (IOException e) {
             LOGGER.error("Error setting Error response Header ", e);
         }
@@ -815,6 +836,15 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 				PolicyLogger.audit("Transaction Failed - See Error.log");
 				setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
 				return;
+			} catch (IntegrityMonitorException e) {
+				String message = "GET interface called for PAP " + papResourceName + " but an exception occurred"
+						+ "\n Exception Message: " + e.getMessage();
+				LOGGER.info(message, e);
+				PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
+				loggingContext.transactionEnded();
+				PolicyLogger.audit("Transaction Failed - See Error.log");
+				setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
+				return;
 			}
 			// Request from the API to get the gitPath
 			String apiflag = request.getParameter("apiflag");
@@ -987,7 +1017,7 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 			im.startTransaction();
 			loggingContext.metricEnded();
 			PolicyLogger.metrics("XACMLPapServlet doPut im startTransaction");
-		} catch (AdministrativeStateException | StandbyStatusException e) {
+		} catch (IntegrityMonitorException e) {
 			String message = "PUT interface called for PAP " + papResourceName;
 			if (e instanceof AdministrativeStateException) {
 				message += " but it has an Administrative state of "
@@ -995,6 +1025,8 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 			} else if (e instanceof StandbyStatusException) {
 				message += " but it has a Standby Status of "
 					+ im.getStateManager().getStandbyStatus();
+			} else {
+				message += " but an exception occurred";
 
 			}
 			message += "\n Exception Message: " + e.getMessage();
@@ -1269,6 +1301,15 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 			PolicyLogger.audit("Transaction Failed - See Error.log");
 			setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
 			return;
+		} catch (IntegrityMonitorException e) {
+			String message = "PUT interface called for PAP " + papResourceName + " but an exception occurred"
+					+ "\n Exception Message: " + e.getMessage();
+			LOGGER.info(message, e);
+			PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
+			loggingContext.transactionEnded();
+			PolicyLogger.audit("Transaction Failed - See Error.log");
+			setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
+			return;
 		}
 		loggingContext.metricStarted();
 		XACMLRest.dumpRequest(request);
@@ -1440,11 +1481,16 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 			
 			LOGGER.info("Calling updatGroup() with new group");
 			papEngine.updateGroup(group);
-			
 			String policyId = "empty";
-			if(policy!=null){
+			if(policy !=null && policy.getId() != null){
 				policyId = policy.getId();
 			}
+			if(!policyId.matches(REGEX) ){
+				response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+				response.addHeader("error",ADD_GROUP_ERROR);
+				response.addHeader("message", "Policy Id is not valid");
+				return;
+			}
 			response.setStatus(HttpServletResponse.SC_NO_CONTENT);
 			response.addHeader("operation", "push");
 			response.addHeader("policyId", policyId);
@@ -1483,7 +1529,7 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 			String message = XACMLErrorConstants.ERROR_PROCESS_FLOW + "Exception in request to update group from API - See Error.log on on the PAP.";
 			setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
 			response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
-			response.addHeader("error","addGroupError");
+			response.addHeader("error",ADD_GROUP_ERROR);
 			response.addHeader("message", message);
 			return;
 		}
@@ -1557,6 +1603,13 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 			}
 			if (group == null) {
 				String message = "Unknown groupId '" + groupId + "'";
+				//for fixing Header Manipulation of Fortify issue
+				if(!message.matches(REGEX)){
+					response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+					response.addHeader("error",ADD_GROUP_ERROR);
+					response.addHeader("message", "GroupId Id is not valid");
+					return;
+				}
 				PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " " + message);
 				loggingContext.transactionEnded();
 				PolicyLogger.audit("Transaction Failed - See Error.log");
@@ -1598,6 +1651,13 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 				} catch (Exception e) {
 					addPolicyToGroupTransaction.rollbackTransaction();
 					String message = "Policy '" + policyId + "' not copied to group '" + groupId +"': " + e;
+					//for fixing Header Manipulation of Fortify issue
+					if(!message.matches(REGEX)){
+						response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+						response.addHeader("error",ADD_GROUP_ERROR);
+						response.addHeader("message", "Policy Id is not valid");
+						return;
+					}
 					PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW + " " + message);
 					loggingContext.transactionEnded();
 					PolicyLogger.audit("Transaction Failed - See Error.log");
@@ -1683,7 +1743,7 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 						LOGGER.error(message);
 						setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
 						response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
-						response.addHeader("error","addGroupError");
+						response.addHeader("error",ADD_GROUP_ERROR);
 						response.addHeader("message", message);
 						return;
 					}
@@ -1911,6 +1971,13 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 			}
 			if (group == null) {
 				String message = "Unknown groupId '" + groupId + "'";
+				//for fixing Header Manipulation of Fortify issue
+				if(!message.matches(REGEX)){
+					response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+					response.addHeader("error",ADD_GROUP_ERROR);
+					response.addHeader("message", "Group Id is not valid");
+					return;
+				}
 				PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " " + message);
 				loggingContext.transactionEnded();
 				PolicyLogger.audit("Transaction Failed - See Error.log");
@@ -2032,7 +2099,7 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 					PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " PDP new/update had bad input. pdpId=" + pdpId + " objectFromJSON="+objectFromJSON);
 					loggingContext.transactionEnded();
 					PolicyLogger.audit("Transaction Failed - See Error.log");
-					setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Bad input, pdpid="+pdpId+" object="+objectFromJSON);
+					setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Bad input pdpid for object:"+objectFromJSON);
 				}
 				StdPDP pdp = (StdPDP) objectFromJSON;
 				if(pdp != null){
@@ -2134,7 +2201,7 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 					PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " Group update had bad input. id=" + group.getId() + " objectFromJSON="+objectFromJSON);
 					loggingContext.transactionEnded();
 					PolicyLogger.audit("Transaction Failed - See Error.log");
-					setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Bad input, id="+group.getId() +" object="+objectFromJSON);
+					setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Bad input id for object:"+objectFromJSON);
 				}
 				// The Path on the PAP side is not carried on the RESTful interface with the AC
 				// (because it is local to the PAP)