Code Review / portal.git / blob
? search:
summary | shortlog | log | commit | commitdiff | review | tree
history | raw | HEAD
Persistent XSS vulnerability in basicAuthAccount form fix
[portal.git] / ecomp-portal-BE-common / src / main / java / org / onap / portalapp / portal / service / BasicAuthAccountServiceImpl.java
1 /*-
2  * ============LICENSE_START==========================================
3  * ONAP Portal
4  * ===================================================================
5  * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
6  * ===================================================================
7  *
8  * Unless otherwise specified, all software contained herein is licensed
9  * under the Apache License, Version 2.0 (the "License");
10  * you may not use this software except in compliance with the License.
11  * You may obtain a copy of the License at
12  *
13  *             http://www.apache.org/licenses/LICENSE-2.0
14  *
15  * Unless required by applicable law or agreed to in writing, software
16  * distributed under the License is distributed on an "AS IS" BASIS,
17  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18  * See the License for the specific language governing permissions and
19  * limitations under the License.
20  *
21  * Unless otherwise specified, all documentation contained herein is licensed
22  * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
23  * you may not use this documentation except in compliance with the License.
24  * You may obtain a copy of the License at
25  *
26  *             https://creativecommons.org/licenses/by/4.0/
27  *
28  * Unless required by applicable law or agreed to in writing, documentation
29  * distributed under the License is distributed on an "AS IS" BASIS,
30  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
31  * See the License for the specific language governing permissions and
32  * limitations under the License.
33  *
34  * ============LICENSE_END============================================
35  *
36  * 
37  */
38 package org.onap.portalapp.portal.service;
39
40 import java.util.ArrayList;
41 import java.util.HashMap;
42 import java.util.List;
43 import java.util.Map;
44
45 import org.hibernate.criterion.Criterion;
46 import org.hibernate.criterion.Restrictions;
47 import org.onap.portalapp.portal.domain.BasicAuthCredentials;
48 import org.onap.portalapp.portal.domain.EPEndpoint;
49 import org.onap.portalapp.portal.domain.EPEndpointAccount;
50 import org.onap.portalapp.portal.logging.aop.EPMetricsLog;
51 import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
52 import org.onap.portalapp.validation.DataValidator;
53 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
54 import org.onap.portalsdk.core.onboarding.util.CipherUtil;
55 import org.onap.portalsdk.core.service.DataAccessService;
56 import org.onap.portalsdk.core.util.SystemProperties;
57 import org.springframework.beans.factory.annotation.Autowired;
58 import org.springframework.context.annotation.EnableAspectJAutoProxy;
59 import org.springframework.stereotype.Service;
60
61 @Service("basicAuthAccountService")
62 @EnableAspectJAutoProxy
63 @EPMetricsLog
64 public class BasicAuthAccountServiceImpl implements BasicAuthAccountService{
65         EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(MicroserviceServiceImpl.class);
66         private final DataValidator dataValidator = new DataValidator();
67         @Autowired
68         private DataAccessService dataAccessService;
69
70         @Override
71         public Long saveBasicAuthAccount(BasicAuthCredentials newCredential) throws Exception {
72
73                 if(!dataValidator.isValid(newCredential)){
74                         throw new Exception("saveBasicAuthAccount() failed, new credential are not safe");
75                 }
76                 if (newCredential.getPassword() != null)
77                         newCredential.setPassword(encryptedPassword(newCredential.getPassword()));
78                 try{
79                         getDataAccessService().saveDomainObject(newCredential, null);
80                 }catch(Exception e){
81                         logger.error(EELFLoggerDelegate.errorLogger, "saveBasicAuthAccount() failed", e);
82                         throw e;
83                 }
84                 return newCredential.getId();
85         }
86         
87
88         @Override
89         @SuppressWarnings("unchecked")
90         public Long saveEndpoints(EPEndpoint endpoint) throws Exception {
91                 
92                 List<Criterion> restrictionsList = new ArrayList<Criterion>();
93                 Criterion NameCrit = Restrictions.eq("name", endpoint.getName());
94                 restrictionsList.add(NameCrit);
95
96                 List<EPEndpoint> tempList = (List<EPEndpoint>) dataAccessService.getList(EPEndpoint.class, null,
97                                 restrictionsList, null);
98                 if (tempList.size() != 0) {
99                         return tempList.get(0).getId();
100                 } else {
101                         getDataAccessService().saveDomainObject(endpoint, null);
102                         return endpoint.getId();
103                 }
104                 
105         }
106         
107         @Override
108         public void saveEndpointAccount(Long accountId, Long endpointId) throws Exception {
109                 EPEndpointAccount record = new EPEndpointAccount();
110                 record.setAccount_id(accountId);
111                 record.setEp_id(endpointId);
112                 try {
113                         getDataAccessService().saveDomainObject(record, null);
114                 } catch (Exception e) {
115                         logger.error(EELFLoggerDelegate.errorLogger, "saveEndpointAccount() failed", e);
116                         throw e;
117                 }
118
119         }
120         
121         @Override
122         @SuppressWarnings("unchecked")
123         public void updateBasicAuthAccount(Long accountId, BasicAuthCredentials newCredential) throws Exception {
124                 try {
125                         newCredential.setId(accountId);
126                         if (newCredential.getPassword() != null){
127                                 if(newCredential.getPassword().equals(EPCommonSystemProperties.APP_DISPLAY_PASSWORD)){
128                                         BasicAuthCredentials oldMS = getBasicAuthCredentialsById(accountId);
129                                         newCredential.setPassword(oldMS.getPassword()); // keep the old password
130                                 }else
131                                         newCredential.setPassword(encryptedPassword(newCredential.getPassword())); //new password
132                         }
133                         getDataAccessService().saveDomainObject(newCredential, null);
134                         
135                         List<EPEndpoint> endpoints = newCredential.getEndpoints();
136                         List<EPEndpoint> orig_points = getEPEndpoints(accountId);
137                         
138                         for(EPEndpoint temp_ep: orig_points){
139                                 boolean flag = false;
140                                 for(EPEndpoint temp_ep2: endpoints){
141                                         if(temp_ep2.getId() == temp_ep.getId())
142                                                 flag = true;
143                                 }
144                                 if(!flag){
145                                         Map<String, String> params = new HashMap<String, String>();
146                                         params.put("accountId", Long.toString(accountId));
147                                         params.put("epId", Long.toString(temp_ep.getId()));
148                                         dataAccessService.executeNamedQuery("deleteAccountEndpointRecord", params, null);
149                                 }
150                         }
151                         
152                         
153                         for(int i = 0; i < endpoints.size(); i++){
154                                 
155                                 List<Criterion> restrictionsList = new ArrayList<Criterion>();
156                                 Criterion IdCrit = Restrictions.eq("id", endpoints.get(i).getId());
157                                 restrictionsList.add(IdCrit);
158                                 Criterion NameCrit = Restrictions.eq("name", endpoints.get(i).getName());
159                                 restrictionsList.add(NameCrit);
160                                 List<EPEndpoint> tempList = (List<EPEndpoint>) dataAccessService
161                                                 .getList(EPEndpoint.class, null, restrictionsList, null);
162                                 if(tempList.size() == 0){
163                                         if(endpoints.get(i).getId() != null){
164                                                 //delete the record endpoints.get(i).getId(), accountId                                         
165                                                 Map<String, String> params = new HashMap<String, String>();
166                                                 params.put("accountId", Long.toString(accountId));
167                                                 params.put("epId", Long.toString(endpoints.get(i).getId()));
168                                                 dataAccessService.executeNamedQuery("deleteAccountEndpointRecord", params, null);
169                                                 endpoints.get(i).setId(null);
170                                         }
171                                         //create a new endpoint
172                                         Long ep_id = saveEndpoints(endpoints.get(i));
173                                         saveEndpointAccount(accountId, ep_id);                                           
174                                 }
175                         }
176                 } catch (Exception e) {
177                         logger.error(EELFLoggerDelegate.errorLogger, "updateBasicAuthAccount() failed", e);
178                         throw e;
179                 }
180         }
181
182         @Override
183         public List<BasicAuthCredentials> getAccountData() throws Exception {
184                 @SuppressWarnings("unchecked")
185                 List<BasicAuthCredentials> list = (List<BasicAuthCredentials>) dataAccessService.getList(BasicAuthCredentials.class, null);
186                 for (int i = 0; i < list.size(); i++) {
187                         if (list.get(i).getPassword() != null)
188                                 list.get(i).setPassword(EPCommonSystemProperties.APP_DISPLAY_PASSWORD);
189                         list.get(i).setEndpoints(getEPEndpoints(list.get(i).getId()));
190                 }
191                 return list;
192         }
193         
194         @SuppressWarnings("unchecked")
195         private List<EPEndpoint> getEPEndpoints(long accountId) {
196                 List<EPEndpoint> result = new ArrayList<>();
197                 List<EPEndpointAccount> list = null;
198                 Map<String, Long> params = new HashMap<>();
199                 params.put("account_id", accountId);
200                 try {
201                         list = this.getDataAccessService().executeNamedQuery("getEPEndpointAccountByAccountId", params, null);
202                 } catch (Exception e) {
203                         logger.error(EELFLoggerDelegate.errorLogger, "getEPEndpointAccountByAccountId failed", e);                      
204                 }
205                 
206                 for(int i = 0; list != null && i < list.size(); i++){
207                         result.add((EPEndpoint) dataAccessService.getDomainObject(EPEndpoint.class, list.get(i).getEp_id(), null));
208                 }
209                 return result;
210         }
211         
212         @Override
213         public void deleteEndpointAccout(Long accountId) throws Exception {
214                 try{
215                         Map<String, String> params = new HashMap<String, String>();
216                         params.put("accountId", Long.toString(accountId));
217                         
218                         dataAccessService.executeNamedQuery("deleteAccountEndpoint", params, null);
219                         dataAccessService.executeNamedQuery("deleteBasicAuthAccount", params, null);
220                         
221                 }catch(Exception e){
222                         logger.error(EELFLoggerDelegate.errorLogger, "deleteEndpointAccout() failed", e);
223                         throw e;
224                 }
225         }
226         
227         private String decryptedPassword(String encryptedPwd) throws Exception {
228                 String result = "";
229                 if (encryptedPwd != null && encryptedPwd.length() > 0) {
230                         try {
231                                 result = CipherUtil.decryptPKC(encryptedPwd,
232                                                 SystemProperties.getProperty(SystemProperties.Decryption_Key));
233                         } catch (Exception e) {
234                                 logger.error(EELFLoggerDelegate.errorLogger, "decryptedPassword() failed", e);
235                                 throw e;
236                         }
237                 }
238                 return result;
239         }
240
241         private String encryptedPassword(String decryptedPwd) throws Exception {
242                 String result = "";
243                 if (decryptedPwd != null && decryptedPwd.length() > 0) {
244                         try {
245                                 result = CipherUtil.encryptPKC(decryptedPwd,
246                                                 SystemProperties.getProperty(SystemProperties.Decryption_Key));
247                         } catch (Exception e) {
248                                 logger.error(EELFLoggerDelegate.errorLogger, "encryptedPassword() failed", e);
249                                 throw e;
250                         }
251                 }
252                 return result;
253         }
254         
255         public DataAccessService getDataAccessService() {
256                 return dataAccessService;
257         }
258         
259         @Override
260         public BasicAuthCredentials getBasicAuthCredentialsById(long id) throws Exception {
261                 try {
262                         @SuppressWarnings("unchecked")
263                         List<BasicAuthCredentials> list = (List<BasicAuthCredentials>) dataAccessService
264                                         .getList(BasicAuthCredentials.class, null);
265                         for (BasicAuthCredentials auth : list) {
266                                 if (auth != null && auth.getId() == id)
267                                         return auth;
268                         }
269                 } catch (Exception e) {
270                         logger.error(EELFLoggerDelegate.errorLogger, "getBasicAuthCredentialsDataById failed", e);
271                         throw e;
272                 }
273                 return null;
274
275         }
276 }
ARCHIVED- 2022-02-15 at the request of the project