Merge "XSS Vulnerability fix in ExternalAccessRolesControllerDashboardController"

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppContactUsController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppContactUsController.java
index 5da3552..b5876af 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppContactUsController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppContactUsController.java
@@ -37,7 +37,6 @@
  */
 package org.onap.portalapp.portal.controller;
 
-import java.util.Collections;
 import java.util.Comparator;
 import java.util.HashMap;
 import java.util.List;
@@ -53,9 +52,11 @@ import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
 import org.onap.portalapp.portal.logging.aop.EPAuditLog;
 import org.onap.portalapp.portal.service.AppContactUsService;
 import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
+import org.onap.portalapp.validation.DataValidator;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.onap.portalsdk.core.util.SystemProperties;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -65,42 +66,51 @@ import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @RequestMapping("/portalApi/contactus")
-@org.springframework.context.annotation.Configuration
+@Configuration
 @EnableAspectJAutoProxy
 @EPAuditLog
 public class AppContactUsController extends EPRestrictedBaseController {
 
-       static final String FAILURE = "failure";
+       private static final String FAILURE = "failure";
+       private static final String SUCCESS= "success";
 
-       private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppContactUsController.class);
+       private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppContactUsController.class);
+       private static final DataValidator dataValidator = new DataValidator();
+       private final Comparator<AppCategoryFunctionsItem> appCategoryFunctionsItemComparator = Comparator
+               .comparing(AppCategoryFunctionsItem::getCategory);
 
-       @Autowired
        private AppContactUsService contactUsService;
 
+       @Autowired
+       public AppContactUsController(AppContactUsService contactUsService) {
+               this.contactUsService = contactUsService;
+       }
+
+
        /**
         * Answers a JSON object with three items from the system.properties file:
         * user self-help ticket URL, email for feedback, and Portal info link.
-        * 
+        *
         * @param request HttpServletRequest
         * @return PortalRestResponse
         */
        @RequestMapping(value = "/feedback", method = RequestMethod.GET, produces = "application/json")
        public PortalRestResponse<String> getPortalDetails(HttpServletRequest request) {
-               PortalRestResponse<String> portalRestResponse = null;
+               PortalRestResponse<String> portalRestResponse;
                try {
                        final String ticketUrl = SystemProperties.getProperty(EPCommonSystemProperties.USH_TICKET_URL);
                        final String portalInfoUrl = SystemProperties.getProperty(EPCommonSystemProperties.PORTAL_INFO_URL);
                        final String feedbackEmail = SystemProperties.getProperty(EPCommonSystemProperties.FEEDBACK_EMAIL_ADDRESS);
-                       HashMap<String, String> map = new HashMap<String, String>();
+                       HashMap<String, String> map = new HashMap<>();
                        map.put(EPCommonSystemProperties.USH_TICKET_URL, ticketUrl);
                        map.put(EPCommonSystemProperties.PORTAL_INFO_URL, portalInfoUrl);
                        map.put(EPCommonSystemProperties.FEEDBACK_EMAIL_ADDRESS, feedbackEmail);
                        JSONObject j = new JSONObject(map);
                        String contactUsPortalResponse = j.toString();
-                       portalRestResponse = new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
-                                       contactUsPortalResponse);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.OK, SUCCESS,
+                               contactUsPortalResponse);
                } catch (Exception e) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, FAILURE, e.getMessage());
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, e.getMessage());
                }
                return portalRestResponse;
        }
@@ -108,21 +118,21 @@ public class AppContactUsController extends EPRestrictedBaseController {
        /**
         * Answers the contents of the contact-us table, extended with the
         * application name.
-        * 
+        *
         * @param request HttpServletRequest
         * @return PortalRestResponse<List<AppContactUsItem>>
         */
        @RequestMapping(value = "/list", method = RequestMethod.GET, produces = "application/json")
        public PortalRestResponse<List<AppContactUsItem>> getAppContactUsList(HttpServletRequest request) {
-               PortalRestResponse<List<AppContactUsItem>> portalRestResponse = null;
+               PortalRestResponse<List<AppContactUsItem>> portalRestResponse;
                try {
                        List<AppContactUsItem> contents = contactUsService.getAppContactUs();
-                       portalRestResponse = new PortalRestResponse<List<AppContactUsItem>>(PortalRestStatusEnum.OK, "success",
-                                       contents);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.OK, SUCCESS,
+                               contents);
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "getAppContactUsList failed", e);
-                       portalRestResponse = new PortalRestResponse<List<AppContactUsItem>>(PortalRestStatusEnum.ERROR,
-                                       e.getMessage(), null);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
+                               e.getMessage(), null);
                }
                return portalRestResponse;
        }
@@ -130,35 +140,25 @@ public class AppContactUsController extends EPRestrictedBaseController {
        /**
         * Answers a list of objects, one per application, extended with available
         * data on how to contact that app's organization (possibly none).
-        * 
+        *
         * @param request HttpServletRequest
         * @return PortalRestResponse<List<AppContactUsItem>>
         */
        @RequestMapping(value = "/allapps", method = RequestMethod.GET, produces = "application/json")
        public PortalRestResponse<List<AppContactUsItem>> getAppsAndContacts(HttpServletRequest request) {
-               PortalRestResponse<List<AppContactUsItem>> portalRestResponse = null;
+               PortalRestResponse<List<AppContactUsItem>> portalRestResponse;
                try {
                        List<AppContactUsItem> contents = contactUsService.getAppsAndContacts();
-                       portalRestResponse = new PortalRestResponse<List<AppContactUsItem>>(PortalRestStatusEnum.OK, "success",
-                                       contents);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.OK, SUCCESS,
+                               contents);
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "getAllAppsAndContacts failed", e);
-                       portalRestResponse = new PortalRestResponse<List<AppContactUsItem>>(PortalRestStatusEnum.ERROR,
-                                       e.getMessage(), null);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
+                               e.getMessage(), null);
                }
                return portalRestResponse;
        }
 
-       /**
-        * Sorts by category name.
-        */
-       private Comparator<AppCategoryFunctionsItem> appCategoryFunctionsItemComparator = new Comparator<AppCategoryFunctionsItem>() {
-               @Override
-               public int compare(AppCategoryFunctionsItem o1, AppCategoryFunctionsItem o2) {
-                       return o1.getCategory().compareTo(o2.getCategory());
-               }
-       };
-       
        /**
         * Answers a list of objects with category-application-function details. Not
         * all applications participate in the functional menu.
@@ -168,20 +168,17 @@ public class AppContactUsController extends EPRestrictedBaseController {
         */
        @RequestMapping(value = "/functions", method = RequestMethod.GET, produces = "application/json")
        public PortalRestResponse<List<AppCategoryFunctionsItem>> getAppCategoryFunctions(HttpServletRequest request) {
-               PortalRestResponse<List<AppCategoryFunctionsItem>> portalRestResponse = null;
+               PortalRestResponse<List<AppCategoryFunctionsItem>> portalRestResponse;
                try {
                        List<AppCategoryFunctionsItem> contents = contactUsService.getAppCategoryFunctions();
-                       // logger.debug(EELFLoggerDelegate.debugLogger,
-                       // "getAppCategoryFunctions: result list size is " +
-                       // contents.size());
-                       Collections.sort(contents, appCategoryFunctionsItemComparator);
-                       portalRestResponse = new PortalRestResponse<List<AppCategoryFunctionsItem>>(PortalRestStatusEnum.OK,
-                                       "success", contents);
+                       contents.sort(appCategoryFunctionsItemComparator);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.OK,
+                               SUCCESS, contents);
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "getAppCategoryFunctions failed", e);
                        // TODO build JSON error
-                       portalRestResponse = new PortalRestResponse<List<AppCategoryFunctionsItem>>(PortalRestStatusEnum.ERROR,
-                                       e.getMessage(), null);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
+                               e.getMessage(), null);
                }
                return portalRestResponse;
        }
@@ -195,29 +192,41 @@ public class AppContactUsController extends EPRestrictedBaseController {
        @RequestMapping(value = "/save", method = RequestMethod.POST, produces = "application/json")
        public PortalRestResponse<String> save(@RequestBody AppContactUsItem contactUs) {
 
-               if (contactUs == null || contactUs.getAppName() == null)
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, FAILURE,
-                                       "AppName cannot be null or empty");
+               if (contactUs == null || contactUs.getAppName() == null) {
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE,
+                               "AppName cannot be null or empty");
+               }else if(!dataValidator.isValid(contactUs)){
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, "AppName is not valid.");
+               }
 
                String saveAppContactUs = FAILURE;
                try {
                        saveAppContactUs = contactUsService.saveAppContactUs(contactUs);
                } catch (Exception e) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage());
+                       logger.error(EELFLoggerDelegate.errorLogger, "save failed", e);
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage());
                }
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, saveAppContactUs, "");
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveAppContactUs, "");
        }
 
        @RequestMapping(value = "/saveAll", method = RequestMethod.POST, produces = "application/json")
        public PortalRestResponse<String> save(@RequestBody List<AppContactUsItem> contactUsList) {
 
+               if (contactUsList == null) {
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE,
+                               "AppNameList cannot be null or empty");
+               }else if(!dataValidator.isValid(contactUsList)){
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, "AppNameList is not valid.");
+               }
+
                String saveAppContactUs = FAILURE;
                try {
                        saveAppContactUs = contactUsService.saveAppContactUs(contactUsList);
                } catch (Exception e) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage());
+                       logger.error(EELFLoggerDelegate.errorLogger, "save failed", e);
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage());
                }
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, saveAppContactUs, "");
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveAppContactUs, "");
        }
 
        /**
@@ -234,9 +243,10 @@ public class AppContactUsController extends EPRestrictedBaseController {
                try {
                        saveAppContactUs = contactUsService.deleteContactUs(id);
                } catch (Exception e) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage());
+                       logger.error(EELFLoggerDelegate.errorLogger, "delete failed", e);
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage());
                }
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, saveAppContactUs, "");
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveAppContactUs, "");
        }
 
 }
\ No newline at end of file

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java
index 4b401e2..1224be8 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java
@@ -2,7 +2,7 @@
  * ============LICENSE_START==========================================
  * ONAP Portal
  * ===================================================================
- * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved.
  * ===================================================================
  * Modifications Copyright (c) 2019 Samsung
  * ===================================================================
@@ -42,18 +42,12 @@ package org.onap.portalapp.portal.controller;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;
-import java.util.Map;
 import java.util.Set;
-import java.util.stream.Stream;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
-import org.json.JSONArray;
-import org.json.JSONObject;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
 import org.onap.portalapp.controller.EPRestrictedBaseController;
 import org.onap.portalapp.portal.domain.AdminUserApplications;
 import org.onap.portalapp.portal.domain.AppIdAndNameTransportModel;
@@ -68,7 +62,6 @@ import org.onap.portalapp.portal.logging.logic.EPLogUtil;
 import org.onap.portalapp.portal.service.AdminRolesService;
 import org.onap.portalapp.portal.service.EPAppService;
 import org.onap.portalapp.portal.service.EPLeftMenuService;
-import org.onap.portalapp.portal.service.ExternalAccessRolesService;
 import org.onap.portalapp.portal.transport.EPAppsManualPreference;
 import org.onap.portalapp.portal.transport.EPAppsSortPreference;
 import org.onap.portalapp.portal.transport.EPDeleteAppsManualSortPref;
@@ -76,10 +69,10 @@ import org.onap.portalapp.portal.transport.EPWidgetsSortPreference;
 import org.onap.portalapp.portal.transport.FieldsValidator;
 import org.onap.portalapp.portal.transport.LocalRole;
 import org.onap.portalapp.portal.transport.OnboardingApp;
-import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
 import org.onap.portalapp.portal.utils.EcompPortalUtils;
 import org.onap.portalapp.portal.utils.PortalConstants;
 import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.DataValidator;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.onap.portalsdk.core.util.SystemProperties;
 import org.onap.portalsdk.core.web.support.AppUtils;
@@ -87,7 +80,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
-import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
@@ -97,27 +89,27 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.client.HttpClientErrorException;
-import org.springframework.web.client.HttpStatusCodeException;
-import org.springframework.web.client.RestTemplate;
 
 @RestController
 @EnableAspectJAutoProxy
 @EPAuditLog
+@NoArgsConstructor
+@Getter
 public class AppsController extends EPRestrictedBaseController {
-       private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsController.class);
+       private static final String GET_RESULT = "GET result =";
+       private static final String PUT_RESULT = "PUT result =";
+       private static final String PORTAL_API_ONBOARDING_APPS = "/portalApi/onboardingApps";
+       private static final String PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF = "/portalApi/userAppsOrderBySortPref";
+
+       private final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsController.class);
+       private final DataValidator dataValidator = new DataValidator();
 
        @Autowired
        private AdminRolesService adminRolesService;
-
        @Autowired
        private EPAppService appService;
-
        @Autowired
        private EPLeftMenuService leftMenuService;
-       
-       @Autowired
-       private ExternalAccessRolesService externalAccessRolesService;
-       RestTemplate template = new RestTemplate();
 
        /**
         * RESTful service method to fetch all Applications available to current
@@ -139,7 +131,7 @@ public class AppsController extends EPRestrictedBaseController {
                                EcompPortalUtils.setBadPermissions(user, response, "getUserApps");
                        } else {
                                ecompApps = appService.transformAppsToEcompApps(appService.getUserApps(user));
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userApps", "GET result =", ecompApps);
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userApps", GET_RESULT, ecompApps);
                        }
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "getUserApps failed", e);
@@ -174,7 +166,7 @@ public class AppsController extends EPRestrictedBaseController {
                                else
                                        apps = appService.getPersUserApps(user);
                                ecompApps = appService.transformAppsToEcompApps(apps);
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userPersApps", "GET result =", ecompApps);
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userPersApps", GET_RESULT, ecompApps);
                        }
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "getPersUserApps failed", e);
@@ -203,7 +195,7 @@ public class AppsController extends EPRestrictedBaseController {
                                EcompPortalUtils.setBadPermissions(user, response, "getAdminApps");
                        } else {
                                adminApps = appService.getAdminApps(user);
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/adminApps", "GET result =", adminApps);
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/adminApps", GET_RESULT, adminApps);
                        }
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "getAdminApps failed", e);
@@ -235,7 +227,7 @@ public class AppsController extends EPRestrictedBaseController {
                        } else {
                                adminApps = appService.getAppsForSuperAdminAndAccountAdmin(user);
                                EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appsForSuperAdminAndAccountAdmin",
-                                               "GET result =", adminApps);
+                                               GET_RESULT, adminApps);
                        }
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "getAppsForSuperAdminAndAccountAdmin failed", e);
@@ -245,7 +237,7 @@ public class AppsController extends EPRestrictedBaseController {
        }
 
        /**
-        * RESTful service method to fetch left menu items from the user's session.
+        * RESTful service method to fetch left menu items from the user'PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF session.
         * 
         * @param request
         *            HttpServletRequest
@@ -267,7 +259,7 @@ public class AppsController extends EPRestrictedBaseController {
 
                try {
                        menuList = leftMenuService.getLeftMenuItems(user, menuSet, roleFunctionSet);
-                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/leftmenuItems", "GET result =", menuList);
+                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/leftmenuItems", GET_RESULT, menuList);
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "getLeftMenuItems failed", e);
                }
@@ -275,7 +267,7 @@ public class AppsController extends EPRestrictedBaseController {
        }
 
        @RequestMapping(value = {
-                       "/portalApi/userAppsOrderBySortPref" }, method = RequestMethod.GET, produces = "application/json")
+                       PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF }, method = RequestMethod.GET, produces = "application/json")
        public List<EcompApp> getUserAppsOrderBySortPref(HttpServletRequest request, HttpServletResponse response) {
                EPUser user = EPUserUtils.getUserSession(request);
                List<EcompApp> ecompApps = null;
@@ -284,28 +276,28 @@ public class AppsController extends EPRestrictedBaseController {
                                EcompPortalUtils.setBadPermissions(user, response, "getUserAppsOrderBySortPref");
                        } else {
                                String usrSortPref = request.getParameter("mparams");
-                               if (usrSortPref.equals("")) {
+                               if (usrSortPref.isEmpty()) {
                                        usrSortPref = "N";
                                }
                                switch (usrSortPref) {
                                case "N":
                                        ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByName(user));
-                                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =",
+                                       EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT,
                                                        ecompApps);
                                        break;
                                case "L":
                                        ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByLastUsed(user));
-                                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =",
+                                       EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT,
                                                        ecompApps);
                                        break;
                                case "F":
                                        ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByMostUsed(user));
-                                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =",
+                                       EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT,
                                                        ecompApps);
                                        break;
                                case "M":
                                        ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByManual(user));
-                                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =",
+                                       EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT,
                                                        ecompApps);
                                        break;
                                default:
@@ -335,6 +327,13 @@ public class AppsController extends EPRestrictedBaseController {
        public FieldsValidator putUserAppsSortingManual(HttpServletRequest request,
                        @RequestBody List<EPAppsManualPreference> epAppsManualPref, HttpServletResponse response) {
                FieldsValidator fieldsValidator = null;
+
+               if (isNotNullAndNotValid(epAppsManualPref)){
+                       fieldsValidator = new FieldsValidator();
+                       fieldsValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+                       return fieldsValidator;
+               }
+
                try {
                        EPUser user = EPUserUtils.getUserSession(request);
                        fieldsValidator = appService.saveAppsSortManual(epAppsManualPref, user);
@@ -342,7 +341,7 @@ public class AppsController extends EPRestrictedBaseController {
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "putUserAppsSortingManual failed", e);
                }
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/saveUserAppsSortingManual", "PUT result =",
+               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/saveUserAppsSortingManual", PUT_RESULT,
                                response.getStatus());
                return fieldsValidator;
        }
@@ -352,6 +351,13 @@ public class AppsController extends EPRestrictedBaseController {
        public FieldsValidator putUserWidgetsSortManual(HttpServletRequest request,
                        @RequestBody List<EPWidgetsSortPreference> saveManualWidgetSData, HttpServletResponse response) {
                FieldsValidator fieldsValidator = null;
+
+               if (isNotNullAndNotValid(saveManualWidgetSData)){
+                       fieldsValidator = new FieldsValidator();
+                       fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+                       return fieldsValidator;
+               }
+
                try {
                        EPUser user = EPUserUtils.getUserSession(request);
                        fieldsValidator = appService.saveWidgetsSortManual(saveManualWidgetSData, user);
@@ -359,8 +365,7 @@ public class AppsController extends EPRestrictedBaseController {
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "putUserWidgetsSortManual failed", e);
                }
-               // return fieldsValidator;
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortManual", "PUT result =",
+               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortManual", PUT_RESULT,
                                response.getStatus());
                return fieldsValidator;
        }
@@ -370,6 +375,13 @@ public class AppsController extends EPRestrictedBaseController {
        public FieldsValidator putUserWidgetsSortPref(HttpServletRequest request,
                        @RequestBody List<EPWidgetsSortPreference> delManualWidgetData, HttpServletResponse response) {
                FieldsValidator fieldsValidator = null;
+
+               if (isNotNullAndNotValid(delManualWidgetData)){
+                       fieldsValidator = new FieldsValidator();
+                       fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+                       return fieldsValidator;
+               }
+
                try {
                        EPUser user = EPUserUtils.getUserSession(request);
                        fieldsValidator = appService.deleteUserWidgetSortPref(delManualWidgetData, user);
@@ -378,8 +390,7 @@ public class AppsController extends EPRestrictedBaseController {
                        logger.error(EELFLoggerDelegate.errorLogger, "putUserWidgetsSortPref failed", e);
 
                }
-               // return fieldsValidator;
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortPref", "PUT result =",
+               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortPref", PUT_RESULT,
                                response.getStatus());
                return fieldsValidator;
        }
@@ -400,6 +411,7 @@ public class AppsController extends EPRestrictedBaseController {
        public FieldsValidator deleteUserAppSortManual(HttpServletRequest request,
                        @RequestBody EPDeleteAppsManualSortPref delManualAppData, HttpServletResponse response) {
                FieldsValidator fieldsValidator = null;
+
                try {
                        EPUser user = EPUserUtils.getUserSession(request);
                        fieldsValidator = appService.deleteUserAppSortManual(delManualAppData, user);
@@ -408,8 +420,7 @@ public class AppsController extends EPRestrictedBaseController {
                        logger.error(EELFLoggerDelegate.errorLogger, "deleteUserAppSortManual failed", e);
 
                }
-               // return fieldsValidator;
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/deleteUserAppSortManual", "PUT result =",
+               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/deleteUserAppSortManual", PUT_RESULT,
                                response.getStatus());
                return fieldsValidator;
        }
@@ -428,8 +439,7 @@ public class AppsController extends EPRestrictedBaseController {
 
                }
 
-               // return fieldsValidator;
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserAppsSortingPreference", "PUT result =",
+               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserAppsSortingPreference", PUT_RESULT,
                                response.getStatus());
                return fieldsValidator;
        }
@@ -445,7 +455,7 @@ public class AppsController extends EPRestrictedBaseController {
                                EcompPortalUtils.setBadPermissions(user, response, "userAppsSortTypePreference");
                        } else {
                                userSortPreference = appService.getUserAppsSortTypePreference(user);
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsSortTypePreference", "GET result =",
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsSortTypePreference", GET_RESULT,
                                                userSortPreference);
                        }
                } catch (Exception e) {
@@ -475,7 +485,7 @@ public class AppsController extends EPRestrictedBaseController {
                                EcompPortalUtils.setBadPermissions(user, response, "getAppsAdministrators");
                        } else {
                                admins = appService.getAppsAdmins();
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/accountAdmins", "GET result =", admins);
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/accountAdmins", GET_RESULT, admins);
                        }
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "getAppsAdministrators failed", e);
@@ -493,7 +503,7 @@ public class AppsController extends EPRestrictedBaseController {
                                EcompPortalUtils.setBadPermissions(user, response, "getApps");
                        } else {
                                apps = appService.getAllApplications(false);
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", "GET result =", apps);
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", GET_RESULT, apps);
                        }
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "getApps failed", e);
@@ -522,7 +532,7 @@ public class AppsController extends EPRestrictedBaseController {
                                EcompPortalUtils.setBadPermissions(user, response, "getApps");
                        } else {
                                apps = appService.getAllApps(true);
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", "GET result =", apps);
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", GET_RESULT, apps);
                        }
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "getAllApps failed", e);
@@ -547,7 +557,7 @@ public class AppsController extends EPRestrictedBaseController {
                        EcompPortalUtils.setBadPermissions(user, response, "getAppsFullList");
                } else {
                        ecompApps = appService.getEcompAppAppsFullList();
-                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appsFullList", "GET result =", ecompApps);
+                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appsFullList", GET_RESULT, ecompApps);
                }
                return ecompApps;
        }
@@ -598,7 +608,7 @@ public class AppsController extends EPRestrictedBaseController {
                                || (adminRolesService.isSuperAdmin(user) && requestedApp.getId() == PortalConstants.PORTAL_APP_ID))) {
                        try {
                                roleList = appService.getAppRoles(appId);
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appRoles/" + appId, "GET result =",
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appRoles/" + appId, GET_RESULT,
                                                roleList);
                        } catch (Exception e) {
                                logger.error(EELFLoggerDelegate.errorLogger, "getAppRoles failed", e);
@@ -626,8 +636,8 @@ public class AppsController extends EPRestrictedBaseController {
                        String appName = request.getParameter("appParam");
                        app = appService.getAppDetailByAppName(appName);
                        if (user != null && (adminRolesService.isAccountAdminOfApplication(user, app)
-                                       || (adminRolesService.isSuperAdmin(user) && app.getId() == PortalConstants.PORTAL_APP_ID)))
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfo" + appName, "GET result =", app);
+                                       || (adminRolesService.isSuperAdmin(user) && app.getId().equals(PortalConstants.PORTAL_APP_ID))))
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfo" + appName, GET_RESULT, app);
                        else{
                                app= null;
                                EcompPortalUtils.setBadPermissions(user, response, "createAdmin");
@@ -659,8 +669,8 @@ public class AppsController extends EPRestrictedBaseController {
                                app.setCentralAuth(false);
                        }
                        if (user != null && (adminRolesService.isAccountAdminOfApplication(user, app)
-                                       || (adminRolesService.isSuperAdmin(user) && app.getId() == PortalConstants.PORTAL_APP_ID)))
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfoById" + appId, "GET result =", app);
+                                       || (adminRolesService.isSuperAdmin(user) && app.getId().equals(PortalConstants.PORTAL_APP_ID))))
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfoById" + appId, GET_RESULT, app);
                        else{
                                app= null;
                                EcompPortalUtils.setBadPermissions(user, response, "createAdmin");
@@ -680,7 +690,7 @@ public class AppsController extends EPRestrictedBaseController {
         *            HTTP servlet response
         * @return List<OnboardingApp>
         */
-       @RequestMapping(value = { "/portalApi/onboardingApps" }, method = RequestMethod.GET, produces = "application/json")
+       @RequestMapping(value = { PORTAL_API_ONBOARDING_APPS }, method = RequestMethod.GET, produces = "application/json")
        public List<OnboardingApp> getOnboardingApps(HttpServletRequest request, HttpServletResponse response) {
                EPUser user = EPUserUtils.getUserSession(request);
                List<OnboardingApp> onboardingApps = null;
@@ -697,8 +707,8 @@ public class AppsController extends EPRestrictedBaseController {
                                        //get all his admin apps
                                        onboardingApps =  appService.getAdminAppsOfUser(user);
                                }
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "GET result =",
-                                               "onboardingApps of size " + onboardingApps.size());
+                               EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS, GET_RESULT,
+                                               "onboardingApps of size " + (onboardingApps != null ? onboardingApps.size() : 0));
                        }
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "getOnboardingApps failed", e);
@@ -718,14 +728,12 @@ public class AppsController extends EPRestrictedBaseController {
         * @return FieldsValidator
         * @throws Exception 
         */
-       @RequestMapping(value = { "/portalApi/onboardingApps" }, method = RequestMethod.PUT, produces = "application/json")
+       @RequestMapping(value = { PORTAL_API_ONBOARDING_APPS }, method = RequestMethod.PUT, produces = "application/json")
        public FieldsValidator putOnboardingApp(HttpServletRequest request,
-                       @RequestBody OnboardingApp modifiedOnboardingApp, HttpServletResponse response) throws Exception {
+                       @RequestBody OnboardingApp modifiedOnboardingApp, HttpServletResponse response) {
                FieldsValidator fieldsValidator = null;
                EPUser user = null;
-               EPApp oldEPApp = null;
-               oldEPApp = appService.getApp(modifiedOnboardingApp.id);
-               ResponseEntity<String> res = null;
+               EPApp oldEPApp = appService.getApp(modifiedOnboardingApp.id);
                
                try {
                        user = EPUserUtils.getUserSession(request);
@@ -734,20 +742,7 @@ public class AppsController extends EPRestrictedBaseController {
                        } else {
                                if((oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && !oldEPApp.getNameSpace().equalsIgnoreCase(modifiedOnboardingApp.nameSpace) && modifiedOnboardingApp.nameSpace!= null ) || (!oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && modifiedOnboardingApp.nameSpace!= null))
                                {
-                                       try {
-                                               res = appService.checkIfNameSpaceIsValid(modifiedOnboardingApp.nameSpace);
-                                       } catch (HttpClientErrorException e) {
-                                               logger.error(EELFLoggerDelegate.errorLogger, "checkIfNameSpaceExists failed", e);
-                                               EPLogUtil.logExternalAuthAccessAlarm(logger, e.getStatusCode());
-                                               if (e.getStatusCode() == HttpStatus.NOT_FOUND || e.getStatusCode() == HttpStatus.FORBIDDEN) {
-                                                       fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response);
-                                                       throw new InvalidApplicationException("Invalid NameSpace");
-                                               }else{
-                                                       fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response);
-                                                       throw e;
-                                               }
-                                       }
-
+                                       checkIfNameSpaceIsValid(modifiedOnboardingApp, fieldsValidator, response);
                                }       
                                modifiedOnboardingApp.normalize();
                                fieldsValidator = appService.modifyOnboardingApp(modifiedOnboardingApp, user);
@@ -767,7 +762,7 @@ public class AppsController extends EPRestrictedBaseController {
                                logger.error(EELFLoggerDelegate.errorLogger, "putOnboardingApps failed", e);
                        }
                }
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "PUT result =",
+               EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS, PUT_RESULT,
                                response.getStatus());
                return fieldsValidator;
        }
@@ -784,7 +779,7 @@ public class AppsController extends EPRestrictedBaseController {
         *            app to add
         * @return FieldsValidator
         */
-       @RequestMapping(value = { "/portalApi/onboardingApps" }, method = RequestMethod.POST, produces = "application/json")
+       @RequestMapping(value = { PORTAL_API_ONBOARDING_APPS }, method = RequestMethod.POST, produces = "application/json")
        public FieldsValidator postOnboardingApp(HttpServletRequest request, @RequestBody OnboardingApp newOnboardingApp,
                        HttpServletResponse response) {
                FieldsValidator fieldsValidator = null;
@@ -794,21 +789,7 @@ public class AppsController extends EPRestrictedBaseController {
                                EcompPortalUtils.setBadPermissions(user, response, "postOnboardingApps");
                        } else {
                                newOnboardingApp.normalize();
-                               ResponseEntity<String> res = null;
-                               try {
-                                       if( !(newOnboardingApp.nameSpace == null) && !newOnboardingApp.nameSpace.isEmpty()) 
-                                           res = appService.checkIfNameSpaceIsValid(newOnboardingApp.nameSpace);
-                               } catch (HttpClientErrorException e) {
-                                       logger.error(EELFLoggerDelegate.errorLogger, "checkIfNameSpaceExists failed", e);
-                                       EPLogUtil.logExternalAuthAccessAlarm(logger, e.getStatusCode());
-                                       if (e.getStatusCode() == HttpStatus.NOT_FOUND || e.getStatusCode() == HttpStatus.FORBIDDEN) {
-                                               fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response);
-                                               throw new InvalidApplicationException("Invalid NameSpace");
-                                       }else{
-                                               fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response);
-                                               throw e;
-                                       }
-                               }
+                               checkIfNameSpaceIsValid(newOnboardingApp, fieldsValidator, response);
                                fieldsValidator = appService.addOnboardingApp(newOnboardingApp, user);
                                response.setStatus(fieldsValidator.httpStatusCode.intValue());
                        }
@@ -824,22 +805,22 @@ public class AppsController extends EPRestrictedBaseController {
                        logger.error(EELFLoggerDelegate.errorLogger, "postOnboardingApp failed", e);                            
                }
 
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "POST result =",
+               EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS, "POST result =",
                                response.getStatus());
                return fieldsValidator;
        }
        
-       private FieldsValidator setResponse(HttpStatus statusCode,FieldsValidator fieldsValidator,HttpServletResponse response)
+       private FieldsValidator setResponse(HttpStatus statusCode, HttpServletResponse response)
        {
-               fieldsValidator = new FieldsValidator();
+               FieldsValidator fieldsValidator = new FieldsValidator();
                if (statusCode == HttpStatus.NOT_FOUND || statusCode == HttpStatus.FORBIDDEN) {
-                       fieldsValidator.httpStatusCode = new Long(HttpServletResponse.SC_NOT_FOUND);
+                       fieldsValidator.httpStatusCode = (long) HttpServletResponse.SC_NOT_FOUND;
                        logger.error(EELFLoggerDelegate.errorLogger, "setResponse failed"+ "invalid namespace");
                }else if (statusCode == HttpStatus.UNAUTHORIZED) {
-                       fieldsValidator.httpStatusCode = new Long(HttpServletResponse.SC_UNAUTHORIZED);
+                       fieldsValidator.httpStatusCode = (long) HttpServletResponse.SC_UNAUTHORIZED;
                        logger.error(EELFLoggerDelegate.errorLogger, "setResponse failed"+ "unauthorized");
                } else{
-                       fieldsValidator.httpStatusCode = new Long(HttpServletResponse.SC_BAD_REQUEST);
+                       fieldsValidator.httpStatusCode = (long) HttpServletResponse.SC_BAD_REQUEST;
                        logger.error(EELFLoggerDelegate.errorLogger, "setResponse failed ",statusCode);
 
                }
@@ -880,7 +861,7 @@ public class AppsController extends EPRestrictedBaseController {
                        response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                }
                
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps" + appId, "DELETE result =",
+               EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS + appId, "DELETE result =",
                                response.getStatus());
                return fieldsValidator;
        }
@@ -918,8 +899,29 @@ public class AppsController extends EPRestrictedBaseController {
                HttpHeaders header = new HttpHeaders();
                header.setContentType(mediaType);
                header.setContentLength(app.getThumbnail().length);
-               return new HttpEntity<byte[]>(app.getThumbnail(), header);
+               return new HttpEntity<>(app.getThumbnail(), header);
        }
        
+       private void checkIfNameSpaceIsValid(OnboardingApp modifiedOnboardingApp, FieldsValidator fieldsValidator, HttpServletResponse response)
+               throws InvalidApplicationException {
+               try {
+                       ResponseEntity<String> res  = appService.checkIfNameSpaceIsValid(modifiedOnboardingApp.nameSpace);
+               } catch (HttpClientErrorException e) {
+                       logger.error(EELFLoggerDelegate.errorLogger, "checkIfNameSpaceExists failed", e);
+                       EPLogUtil.logExternalAuthAccessAlarm(logger, e.getStatusCode());
+                       if (e.getStatusCode() == HttpStatus.NOT_FOUND || e.getStatusCode() == HttpStatus.FORBIDDEN) {
+                               fieldsValidator = setResponse(e.getStatusCode(),response);
+                               throw new InvalidApplicationException("Invalid NameSpace");
+                       }else{
+                               fieldsValidator = setResponse(e.getStatusCode(),response);
+                               throw e;
+                       }
+               } catch (Exception e) {
+                       e.printStackTrace();
+               }
+       }
 
+       private boolean isNotNullAndNotValid(Object o){
+               return o!=null && !dataValidator.isValid(o);
+       }
 }

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuditLogController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuditLogController.java
index 67d7566..cff8245 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuditLogController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuditLogController.java
@@ -43,6 +43,8 @@ import java.util.UUID;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.onap.portalapp.validation.DataValidator;
+import org.onap.portalapp.validation.SecureString;
 import org.slf4j.MDC;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -68,14 +70,18 @@ import org.onap.portalsdk.core.util.SystemProperties;
 @RestController
 @RequestMapping("/portalApi/auditLog")
 public class AuditLogController extends EPRestrictedBaseController {
-       private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(DashboardController.class);
+       private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(DashboardController.class);
+       private static final DataValidator dataValidator = new DataValidator();
 
-       @Autowired
        private AuditService auditService;
+       @Autowired
+       public AuditLogController(AuditService auditService) {
+               this.auditService = auditService;
+       }
 
        /**
         * Store audit log of the specified access type.
-        * 
+        *
         * @param request
         *            HttpServletRequest
         * @param affectedAppId
@@ -90,34 +96,50 @@ public class AuditLogController extends EPRestrictedBaseController {
                        @RequestParam String comment) {
                logger.debug(EELFLoggerDelegate.debugLogger, "auditLog: appId {}, type {}, comment {}", affectedAppId, type,
                                comment);
-               String cd_type = null;
+               String cdType = null;
+
+               SecureString secureString0 = new SecureString(affectedAppId);
+               SecureString secureString1 = new SecureString(type);
+               SecureString secureString2 = new SecureString(comment);
+               if (  !dataValidator.isValid(secureString0)
+                       ||!dataValidator.isValid(secureString1)
+                       ||!dataValidator.isValid(secureString2)){
+                       return;
+               }
+
                try {
                        EPUser user = EPUserUtils.getUserSession(request);
                        /* Check type of Activity CD */
-                       if (type.equals("app")) {
-                               cd_type = AuditLog.CD_ACTIVITY_APP_ACCESS;
-                       } else if (type.equals("tab")) {
-                               cd_type = AuditLog.CD_ACTIVITY_TAB_ACCESS;
-                       } else if (type.equals("functional")) {
-                               cd_type = AuditLog.CD_ACTIVITY_FUNCTIONAL_ACCESS;
-                       } else if (type.equals("leftMenu")) {
-                               cd_type = AuditLog.CD_ACTIVITY_LEFT_MENU_ACCESS;
-                       } else {
-                               logger.error(EELFLoggerDelegate.errorLogger,
+                       switch (type) {
+                               case "app":
+                                       cdType = AuditLog.CD_ACTIVITY_APP_ACCESS;
+                                       break;
+                               case "tab":
+                                       cdType = AuditLog.CD_ACTIVITY_TAB_ACCESS;
+                                       break;
+                               case "functional":
+                                       cdType = AuditLog.CD_ACTIVITY_FUNCTIONAL_ACCESS;
+                                       break;
+                               case "leftMenu":
+                                       cdType = AuditLog.CD_ACTIVITY_LEFT_MENU_ACCESS;
+                                       break;
+                               default:
+                                       logger.error(EELFLoggerDelegate.errorLogger,
                                                "Storing auditLog failed! Activity CD type is not correct.");
+                                       break;
                        }
                        /* Store the audit log only if it contains valid Activity CD */
-                       if (cd_type != null) {
+                       if (cdType != null) {
                                AuditLog auditLog = new AuditLog();
-                               auditLog.setActivityCode(cd_type);
+                               auditLog.setActivityCode(cdType);
                                /*
                                 * Check affectedAppId and comment and see if these two values
                                 * are valid
                                 */
-                               if (comment != null && !comment.equals("") && !comment.equals("undefined"))
+                               if (comment != null && !comment.isEmpty() && !"undefined".equals(comment))
                                        auditLog.setComments(
                                                        EcompPortalUtils.truncateString(comment, PortalConstants.AUDIT_LOG_COMMENT_SIZE));
-                               if (affectedAppId != null && !affectedAppId.equals("") && !affectedAppId.equals("undefined"))
+                               if (affectedAppId != null && !affectedAppId.isEmpty() && !"undefined".equals(affectedAppId))
                                        auditLog.setAffectedRecordId(affectedAppId);
                                long userId = EPUserUtils.getUserId(request);
                                auditLog.setUserId(userId);
@@ -140,7 +162,7 @@ public class AuditLogController extends EPRestrictedBaseController {
                                MDC.put(SystemProperties.MDC_TIMER, timeDifference);
                                MDC.put(EPCommonSystemProperties.STATUS_CODE, "COMPLETE");
                                logger.info(EELFLoggerDelegate.auditLogger, EPLogUtil.formatAuditLogMessage(
-                                               "AuditLogController.auditLog", cd_type, user.getOrgUserId(), affectedAppId, comment));
+                                               "AuditLogController.auditLog", cdType, user.getOrgUserId(), affectedAppId, comment));
                                MDC.remove(EPCommonSystemProperties.AUDITLOG_BEGIN_TIMESTAMP);
                                MDC.remove(EPCommonSystemProperties.AUDITLOG_END_TIMESTAMP);
                        }

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/SharedContextRestController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/SharedContextRestController.java
index ba77c56..9e3428e 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/SharedContextRestController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/SharedContextRestController.java
@@ -48,10 +48,13 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.onap.portalapp.controller.EPRestrictedRESTfulBaseController;
 import org.onap.portalapp.portal.domain.SharedContext;
+import org.onap.portalapp.portal.exceptions.NotValidDataException;
 import org.onap.portalapp.portal.logging.aop.EPAuditLog;
 import org.onap.portalapp.portal.service.SharedContextService;
 import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
 import org.onap.portalapp.portal.utils.PortalConstants;
+import org.onap.portalapp.validation.DataValidator;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
@@ -85,33 +88,20 @@ import io.swagger.annotations.ApiOperation;
 @EnableAspectJAutoProxy
 @EPAuditLog
 public class SharedContextRestController extends EPRestrictedRESTfulBaseController {
+       private static final DataValidator dataValidator = new DataValidator();
+       private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SharedContextRestController.class);
+       private static final ObjectMapper mapper = new ObjectMapper();
 
-       /**
-        * Model for a one-element JSON object returned by many methods.
-        */
-       class SharedContextJsonResponse {
-               String response;
-       }
-
-       /**
-        * Access to the database
-        */
-       @Autowired
        private SharedContextService contextService;
 
-       /**
-        * Logger for debug etc.
-        */
-       private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SharedContextRestController.class);
-
-       /**
-        * Reusable JSON (de)serializer
-        */
-       private final ObjectMapper mapper = new ObjectMapper();
+       @Autowired
+       public SharedContextRestController(SharedContextService contextService) {
+               this.contextService = contextService;
+       }
 
        /**
         * Gets a value for the specified context and key (RESTful service method).
-        * 
+        *
         * @param request
         *            HTTP servlet request
         * @param context_id
@@ -127,13 +117,18 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll
        @RequestMapping(value = { "/get" }, method = RequestMethod.GET, produces = "application/json")
        public String getContext(HttpServletRequest request, @RequestParam String context_id, @RequestParam String ckey)
                        throws Exception {
-
                logger.debug(EELFLoggerDelegate.debugLogger, "getContext for ID " + context_id + ", key " + ckey);
                if (context_id == null || ckey == null)
                        throw new Exception("Received null for context_id and/or ckey");
+               SecureString secureContextId = new SecureString(context_id);
+               SecureString secureCKey = new SecureString(ckey);
+
+               if(!dataValidator.isValid(secureContextId) || !dataValidator.isValid(secureCKey)){
+                       throw new NotValidDataException("Received not valid for context_id and/or ckey");
+               }
 
                SharedContext context = contextService.getSharedContext(context_id, ckey);
-               String jsonResponse = "";
+               String jsonResponse;
                if (context == null)
                        jsonResponse = convertResponseToJSON(context);
                else
@@ -144,7 +139,7 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll
 
        /**
         * Gets user information for the specified context (RESTful service method).
-        * 
+        *
         * @param request
         *            HTTP servlet request
         * @param context_id
@@ -162,8 +157,11 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll
                logger.debug(EELFLoggerDelegate.debugLogger, "getUserContext for ID " + context_id);
                if (context_id == null)
                        throw new Exception("Received null for context_id");
+               SecureString secureContextId = new SecureString(context_id);
+               if (!dataValidator.isValid(secureContextId))
+                       throw new NotValidDataException("context_id is not valid");
 
-               List<SharedContext> listSharedContext = new ArrayList<SharedContext>();
+               List<SharedContext> listSharedContext = new ArrayList<>();
                SharedContext firstNameContext = contextService.getSharedContext(context_id,
                                EPCommonSystemProperties.USER_FIRST_NAME);
                SharedContext lastNameContext = contextService.getSharedContext(context_id,
@@ -179,14 +177,13 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll
                        listSharedContext.add(emailContext);
                if (orgUserIdContext != null)
                        listSharedContext.add(orgUserIdContext);
-               String jsonResponse = convertResponseToJSON(listSharedContext);
-               return jsonResponse;
+               return convertResponseToJSON(listSharedContext);
        }
 
        /**
         * Tests for presence of the specified key in the specified context (RESTful
         * service method).
-        * 
+        *
         * @param request
         *            HTTP servlet request
         * @param context_id
@@ -208,19 +205,24 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll
                if (context_id == null || ckey == null)
                        throw new Exception("Received null for contextId and/or key");
 
+               SecureString secureContextId = new SecureString(context_id);
+               SecureString secureCKey = new SecureString(ckey);
+
+               if (!dataValidator.isValid(secureContextId) || !dataValidator.isValid(secureCKey))
+                       throw new NotValidDataException("Not valid data for contextId and/or key");
+
                String response = null;
                SharedContext context = contextService.getSharedContext(context_id, ckey);
                if (context != null)
                        response = "exists";
 
-               String jsonResponse = convertResponseToJSON(response);
-               return jsonResponse;
+               return convertResponseToJSON(response);
        }
 
        /**
         * Removes the specified key in the specified context (RESTful service
         * method).
-        * 
+        *
         * @param request
         *            HTTP servlet request
         * @param context_id
@@ -242,6 +244,12 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll
                if (context_id == null || ckey == null)
                        throw new Exception("Received null for contextId and/or key");
 
+               SecureString secureContextId = new SecureString(context_id);
+               SecureString secureCKey = new SecureString(ckey);
+
+               if (!dataValidator.isValid(secureContextId) || !dataValidator.isValid(secureCKey))
+                       throw new NotValidDataException("Not valid data for contextId and/or key");
+
                SharedContext context = contextService.getSharedContext(context_id, ckey);
                String response = null;
                if (context != null) {
@@ -249,14 +257,13 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll
                        response = "removed";
                }
 
-               String jsonResponse = convertResponseToJSON(response);
-               return jsonResponse;
+               return convertResponseToJSON(response);
        }
 
        /**
         * Clears all key-value pairs in the specified context (RESTful service
         * method).
-        * 
+        *
         * @param request
         *            HTTP servlet request
         * @param context_id
@@ -275,16 +282,20 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll
                if (context_id == null)
                        throw new Exception("clearContext: Received null for contextId");
 
+               SecureString secureContextId = new SecureString(context_id);
+
+               if (!dataValidator.isValid(secureContextId))
+                       throw new NotValidDataException("Not valid data for contextId");
+
                int count = contextService.deleteSharedContexts(context_id);
-               String jsonResponse = convertResponseToJSON(Integer.toString(count));
-               return jsonResponse;
+               return convertResponseToJSON(Integer.toString(count));
        }
 
        /**
         * Sets a context value for the specified context and key (RESTful service
         * method). Creates the context if no context with the specified ID-key pair
         * exists, overwrites the value if it exists already.
-        * 
+        *
         * @param request
         *            HTTP servlet request
         * @param userJson
@@ -302,6 +313,11 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll
        @ApiOperation(value = "Sets a context value for the specified context and key. Creates the context if no context with the specified ID-key pair exists, overwrites the value if it exists already.", response = SharedContextJsonResponse.class)
        @RequestMapping(value = { "/set" }, method = RequestMethod.POST, produces = "application/json")
        public String setContext(HttpServletRequest request, @RequestBody String userJson) throws Exception {
+               if (userJson !=null){
+               SecureString secureUserJson = new SecureString(userJson);
+               if (!dataValidator.isValid(secureUserJson))
+                       throw new NotValidDataException("Not valid data for userJson");
+               }
 
                @SuppressWarnings("unchecked")
                Map<String, Object> userData = mapper.readValue(userJson, Map.class);
@@ -313,7 +329,7 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll
                        throw new Exception("setContext: received null for contextId and/or key");
 
                logger.debug(EELFLoggerDelegate.debugLogger, "setContext: ID " + contextId + ", key " + key + "->" + value);
-               String response = null;
+               String response;
                SharedContext existing = contextService.getSharedContext(contextId, key);
                if (existing == null) {
                        contextService.addSharedContext(contextId, key, value);
@@ -322,53 +338,49 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll
                        contextService.saveSharedContext(existing);
                }
                response = existing == null ? "added" : "replaced";
-               String jsonResponse = convertResponseToJSON(response);
-               return jsonResponse;
+               return convertResponseToJSON(response);
        }
 
        /**
         * Creates a two-element JSON object tagged "response".
-        * 
+        *
         * @param responseBody
         * @return JSON object as String
         * @throws JsonProcessingException
         */
        private String convertResponseToJSON(String responseBody) throws JsonProcessingException {
-               Map<String, String> responseMap = new HashMap<String, String>();
+               Map<String, String> responseMap = new HashMap<>();
                responseMap.put("response", responseBody);
-               String response = mapper.writeValueAsString(responseMap);
-               return response;
+               return mapper.writeValueAsString(responseMap);
        }
 
        /**
         * Converts a list of SharedContext objects to a JSON array.
-        * 
+        *
         * @param contextList
         * @return JSON array as String
         * @throws JsonProcessingException
         */
        private String convertResponseToJSON(List<SharedContext> contextList) throws JsonProcessingException {
-               String jsonArray = mapper.writeValueAsString(contextList);
-               return jsonArray;
+               return mapper.writeValueAsString(contextList);
        }
 
        /**
         * Creates a JSON object with the content of the shared context; null is ok.
-        * 
+        *
         * @param context
         * @return tag "response" with collection of context object's fields
         * @throws JsonProcessingException
         */
        private String convertResponseToJSON(SharedContext context) throws JsonProcessingException {
-               Map<String, Object> responseMap = new HashMap<String, Object>();
+               Map<String, Object> responseMap = new HashMap<>();
                responseMap.put("response", context);
-               String responseBody = mapper.writeValueAsString(responseMap);
-               return responseBody;
+               return mapper.writeValueAsString(responseMap);
        }
 
        /**
         * Handles any exception thrown by a method in this controller.
-        * 
+        *
         * @param e
         *            Exception
         * @param response
@@ -382,3 +394,7 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll
        }
 
 }
+class SharedContextJsonResponse {
+       String response;
+}
+

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/WidgetsController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/WidgetsController.java
index f2bba8b..45035a2 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/WidgetsController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/WidgetsController.java
@@ -52,10 +52,13 @@ import org.onap.portalapp.portal.service.PersUserWidgetService;
 import org.onap.portalapp.portal.service.WidgetService;
 import org.onap.portalapp.portal.transport.FieldsValidator;
 import org.onap.portalapp.portal.transport.OnboardingWidget;
+import org.onap.portalapp.portal.transport.WidgetCatalogPersonalization;
 import org.onap.portalapp.portal.utils.EcompPortalUtils;
 import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.DataValidator;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -64,30 +67,36 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-@org.springframework.context.annotation.Configuration
+@Configuration
 @EnableAspectJAutoProxy
 @EPAuditLog
 public class WidgetsController extends EPRestrictedBaseController {
-       private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(WidgetsController.class);
-       
-       @Autowired
+       private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(WidgetsController.class);
+       private static final DataValidator dataValidator = new DataValidator();
+
        private AdminRolesService adminRolesService;
-       @Autowired
        private WidgetService widgetService;
-       @Autowired
        private PersUserWidgetService persUserWidgetService;
 
+       @Autowired
+       public WidgetsController(AdminRolesService adminRolesService,
+               WidgetService widgetService, PersUserWidgetService persUserWidgetService) {
+               this.adminRolesService = adminRolesService;
+               this.widgetService = widgetService;
+               this.persUserWidgetService = persUserWidgetService;
+       }
+
        @RequestMapping(value = { "/portalApi/widgets" }, method = RequestMethod.GET, produces = "application/json")
        public List<OnboardingWidget> getOnboardingWidgets(HttpServletRequest request, HttpServletResponse response) {
                EPUser user = EPUserUtils.getUserSession(request);
                List<OnboardingWidget> onboardingWidgets = null;
-               
+
                if (user == null || user.isGuest()) {
                        EcompPortalUtils.setBadPermissions(user, response, "getOnboardingWidgets");
                } else {
                        String getType = request.getHeader("X-Widgets-Type");
-                       if (!StringUtils.isEmpty(getType) && (getType.equals("managed") || getType.equals("all"))) {
-                               onboardingWidgets = widgetService.getOnboardingWidgets(user, getType.equals("managed"));
+                       if (!StringUtils.isEmpty(getType) && ("managed".equals(getType) || "all".equals(getType))) {
+                               onboardingWidgets = widgetService.getOnboardingWidgets(user, "managed".equals(getType));
                        } else {
                                logger.debug(EELFLoggerDelegate.debugLogger, "WidgetsController.getOnboardingApps - request must contain header 'X-Widgets-Type' with 'all' or 'managed'");
                                response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
@@ -112,6 +121,14 @@ public class WidgetsController extends EPRestrictedBaseController {
                        @RequestBody OnboardingWidget onboardingWidget, HttpServletResponse response) {
                EPUser user = EPUserUtils.getUserSession(request);
                FieldsValidator fieldsValidator = null;
+               if (onboardingWidget!=null){
+                       if(!dataValidator.isValid(onboardingWidget)){
+                               fieldsValidator = new FieldsValidator();
+                               fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+                               return fieldsValidator;
+                       }
+               }
+
                if (userHasPermissions(user, response, "putOnboardingWidget")) {
                        onboardingWidget.id = widgetId; // !
                        onboardingWidget.normalize();
@@ -119,7 +136,7 @@ public class WidgetsController extends EPRestrictedBaseController {
                        response.setStatus(fieldsValidator.httpStatusCode.intValue());
                }
                EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/widgets/" + widgetId, "GET result =", response.getStatus());
-               
+
                return fieldsValidator;
        }
 
@@ -127,15 +144,23 @@ public class WidgetsController extends EPRestrictedBaseController {
        @RequestMapping(value = { "/portalApi/widgets" }, method = { RequestMethod.POST }, produces = "application/json")
        public FieldsValidator postOnboardingWidget(HttpServletRequest request, @RequestBody OnboardingWidget onboardingWidget, HttpServletResponse response) {
                EPUser user = EPUserUtils.getUserSession(request);
-               FieldsValidator fieldsValidator = null; ;
-               
+               FieldsValidator fieldsValidator = null;
+
+               if (onboardingWidget!=null){
+                       if(!dataValidator.isValid(onboardingWidget)){
+                               fieldsValidator = new FieldsValidator();
+                               fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+                               return fieldsValidator;
+                       }
+               }
+
                if (userHasPermissions(user, response, "postOnboardingWidget")) {
                        onboardingWidget.id = null; // !
                        onboardingWidget.normalize();
                        fieldsValidator = widgetService.setOnboardingWidget(user, onboardingWidget);
                        response.setStatus(fieldsValidator.httpStatusCode.intValue());
                }
-               
+
                EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/widgets", "POST result =", response.getStatus());
                return fieldsValidator;
        }
@@ -143,17 +168,17 @@ public class WidgetsController extends EPRestrictedBaseController {
        @RequestMapping(value = { "/portalApi/widgets/{widgetId}" }, method = { RequestMethod.DELETE }, produces = "application/json")
        public FieldsValidator deleteOnboardingWidget(HttpServletRequest request, @PathVariable("widgetId") Long widgetId, HttpServletResponse response) {
                EPUser user = EPUserUtils.getUserSession(request);
-               FieldsValidator fieldsValidator = null; ;
-               
+               FieldsValidator fieldsValidator = null;
+
                if (userHasPermissions(user, response, "deleteOnboardingWidget")) {
                        fieldsValidator = widgetService.deleteOnboardingWidget(user, widgetId);
                        response.setStatus(fieldsValidator.httpStatusCode.intValue());
                }
-               
+
                EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/widgets/" + widgetId, "DELETE result =", response.getStatus());
                return fieldsValidator;
        }
-       
+
        /**
         * service to accept a user's action made on the application
         * catalog.
@@ -167,9 +192,18 @@ public class WidgetsController extends EPRestrictedBaseController {
         */
        @RequestMapping(value = { "portalApi/widgetCatalogSelection" }, method = RequestMethod.PUT, produces = "application/json")
        public FieldsValidator putWidgetCatalogSelection(HttpServletRequest request,
-                       @RequestBody org.onap.portalapp.portal.transport.WidgetCatalogPersonalization persRequest, HttpServletResponse response) throws IOException {
+                       @RequestBody WidgetCatalogPersonalization persRequest, HttpServletResponse response) throws IOException {
                FieldsValidator result = new FieldsValidator();
                EPUser user = EPUserUtils.getUserSession(request);
+
+               if (persRequest!=null){
+                       if(!dataValidator.isValid(persRequest)){
+                               result.httpStatusCode = (long)HttpServletResponse.SC_NOT_ACCEPTABLE;
+                               return result;
+                       }
+               }
+
+
                try {
                        if (persRequest.getWidgetId() == null || user == null) {
                                EcompPortalUtils.setBadPermissions(user, response, "putWidgetCatalogSelection");
@@ -180,7 +214,7 @@ public class WidgetsController extends EPRestrictedBaseController {
                        logger.error(EELFLoggerDelegate.errorLogger, "Failed in putAppCatalogSelection", e);
                        response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.toString());
                }
-               result.httpStatusCode = new Long(HttpServletResponse.SC_OK);
+               result.httpStatusCode = (long) HttpServletResponse.SC_OK;
                return result;
        }
 }
\ No newline at end of file

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/ecomp/model/AppContactUsItem.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/ecomp/model/AppContactUsItem.java
index c7c8ebc..2d52626 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/ecomp/model/AppContactUsItem.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/ecomp/model/AppContactUsItem.java
@@ -40,6 +40,7 @@ package org.onap.portalapp.portal.ecomp.model;
 import javax.persistence.Entity;
 import javax.persistence.Id;
 
+import org.hibernate.validator.constraints.SafeHtml;
 import org.onap.portalsdk.core.domain.support.DomainVo;
 import com.fasterxml.jackson.annotation.JsonInclude;
 
@@ -55,11 +56,17 @@ public class AppContactUsItem extends DomainVo {
 
        @Id
        private Long appId;
+       @SafeHtml
        private String appName;
+       @SafeHtml
        private String description;
+       @SafeHtml
        private String contactName;
+       @SafeHtml
        private String contactEmail;
+       @SafeHtml
        private String url;
+       @SafeHtml
        private String activeYN;
 
        public Long getAppId() {

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/exceptions/NotValidDataException.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/exceptions/NotValidDataException.java
new file mode 100644 (file)
index 0000000..2a26ab3
--- /dev/null
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/exceptions/NotValidDataException.java
@@ -0,0 +1,51 @@
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ *
+ */
+
+package org.onap.portalapp.portal.exceptions;
+
+public class NotValidDataException extends Exception {
+
+       public NotValidDataException(String msg) {
+              super(msg);
+       }
+
+       @Override
+       public String toString() {
+              return "NotValidDataException{}: " + this.getMessage();
+       }
+}

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java
index 0bd4db3..1aa4219 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java
@@ -37,18 +37,24 @@
  */
 package org.onap.portalapp.portal.transport;
 
+import org.hibernate.validator.constraints.SafeHtml;
+
 public class EPAppsManualPreference {
        
        private Long appid;
        private int col;
+       @SafeHtml
        private String headerText;
+       @SafeHtml
        private String imageLink;
        private int order;
        private boolean restrictedApp;
        private int row;
        private int sizeX;
        private int sizeY;
+       @SafeHtml
        private String subHeaderText;
+       @SafeHtml
        private String url;
        private boolean addRemoveApps;
        

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java
index 85a6a03..796f67f 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java
@@ -37,10 +37,14 @@
  */
 package org.onap.portalapp.portal.transport;
 
+import org.hibernate.validator.constraints.SafeHtml;
+
 public class EPAppsSortPreference {
        
        private int index;
+       @SafeHtml
        private String value;
+       @SafeHtml
        private String title;
        
        public int getIndex() {

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java
index 03b7c14..e1f5c29 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java
@@ -38,15 +38,19 @@
 package org.onap.portalapp.portal.transport;
 
 import java.util.List;
+import org.hibernate.validator.constraints.SafeHtml;
 
 public class EPWidgetsSortPreference {
        
        private int SizeX;
        private int SizeY;
+       @SafeHtml
        private String headerText;
+       @SafeHtml
        private String url;
        private Long widgetid;
        private List<Object> attrb;
+       @SafeHtml
        private String widgetIdentifier;
        private int row;
        private int col;

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingWidget.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingWidget.java
index 4f0a7d6..4046079 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingWidget.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingWidget.java
@@ -42,6 +42,7 @@ import java.io.Serializable;
 import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.Id;
+import org.hibernate.validator.constraints.SafeHtml;
 
 @Entity
 public class OnboardingWidget implements Serializable {
@@ -53,12 +54,14 @@ public class OnboardingWidget implements Serializable {
        public Long id;
 
        @Column(name = "WDG_NAME")
+       @SafeHtml
        public String name;
 
        @Column(name = "APP_ID")
        public Long appId;
 
        @Column(name = "APP_NAME")
+       @SafeHtml
        public String appName;
 
        @Column(name = "WDG_WIDTH")
@@ -68,15 +71,16 @@ public class OnboardingWidget implements Serializable {
        public Integer height;
 
        @Column(name = "WDG_URL")
+       @SafeHtml
        public String url;
 
        public void normalize() {
                this.name = (this.name == null) ? "" : this.name.trim();
                this.appName = (this.appName == null) ? "" : this.appName.trim();
                if (this.width == null)
-                       this.width = new Integer(0);
+                       this.width = 0;
                if (this.height == null)
-                       this.height = new Integer(0);
+                       this.height = 0;
                this.url = (this.url == null) ? "" : this.url.trim();
        }
 

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java
index 46a60c8..9fe3a88 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java
@@ -47,15 +47,25 @@ import org.springframework.stereotype.Component;
 
 @Component
 public class DataValidator {
-       private static final ValidatorFactory VALIDATOR_FACTORY  = Validation.buildDefaultValidatorFactory();
+       private volatile static ValidatorFactory VALIDATOR_FACTORY;
 
-       public <E> Set<ConstraintViolation<E>> getConstraintViolations(E classToValid){
+       public DataValidator() {
+              if (VALIDATOR_FACTORY == null) {
+                     synchronized (DataValidator.class) {
+                            if (VALIDATOR_FACTORY == null) {
+                                   VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
+                            }
+                     }
+              }
+       }
+
+       public <E> Set<ConstraintViolation<E>> getConstraintViolations(E classToValid) {
               Validator validator = VALIDATOR_FACTORY.getValidator();
               Set<ConstraintViolation<E>> constraintViolations = validator.validate(classToValid);
               return constraintViolations;
        }
 
-       public <E> boolean isValid(E classToValid){
+       public <E> boolean isValid(E classToValid) {
               Set<ConstraintViolation<E>> constraintViolations = getConstraintViolations(classToValid);
               return constraintViolations.isEmpty();
        }

diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java
index b08a876..f2b2d3d 100644 (file)
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java
@@ -78,7 +78,7 @@ public class AppContactUsControllerTest extends MockitoTestSuite{
        AppContactUsService contactUsService = new AppContactUsServiceImpl();
 
        @InjectMocks
-       AppContactUsController appContactUsController = new AppContactUsController();
+       AppContactUsController appContactUsController;
 
        @Before
        public void setup() {
@@ -232,6 +232,25 @@ public class AppContactUsControllerTest extends MockitoTestSuite{
                assertEquals(actualSaveAppContactUS.getMessage(), "SUCCESS");
        }
 
+       @Test
+       public void saveXSSTest() throws Exception {
+               PortalRestResponse<String> actualSaveAppContactUS = null;
+
+               AppContactUsItem contactUs = new AppContactUsItem();
+               contactUs.setAppId((long) 1);
+               contactUs.setAppName("<meta content=\"&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)\" http-equiv=\"refresh\"/>");
+               contactUs.setDescription("Test");
+               contactUs.setContactName("Test");
+               contactUs.setContactEmail("person@onap.org");
+               contactUs.setUrl("Test_URL");
+               contactUs.setActiveYN("Y");
+
+               Mockito.when(contactUsService.saveAppContactUs(contactUs)).thenReturn("FAILURE");
+               actualSaveAppContactUS = appContactUsController.save(contactUs);
+               assertEquals("AppName is not valid.", actualSaveAppContactUS.getResponse());
+               assertEquals("failure", actualSaveAppContactUS.getMessage());
+       }
+
        @Test
        public void saveExceptionTest() throws Exception {
                PortalRestResponse<String> actualSaveAppContactUS = null;
@@ -269,6 +288,19 @@ public class AppContactUsControllerTest extends MockitoTestSuite{
                assertEquals(actualSaveAppContactUS.getMessage(), "SUCCESS");
        }
 
+       @Test
+       public void saveAllXSSTest() throws Exception {
+
+               List<AppContactUsItem> contactUs = mockResponse();
+               AppContactUsItem appContactUsItem = new AppContactUsItem();
+               appContactUsItem.setActiveYN("<script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>");
+               contactUs.add(appContactUsItem);
+               PortalRestResponse<String> actualSaveAppContactUS = null;
+               Mockito.when(contactUsService.saveAppContactUs(contactUs)).thenReturn("failure");
+               actualSaveAppContactUS = appContactUsController.save(contactUs);
+               assertEquals("failure", actualSaveAppContactUS.getMessage());
+       }
+
        @Test
        public void saveAllExceptionTest() throws Exception {
 

diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java
index 4df1c2a..58745d2 100644 (file)
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java
@@ -58,7 +58,6 @@ import org.mockito.Matchers;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
-import org.onap.portalapp.portal.controller.AppsController;
 import org.onap.portalapp.portal.core.MockEPUser;
 import org.onap.portalapp.portal.domain.AdminUserApplications;
 import org.onap.portalapp.portal.domain.AppIdAndNameTransportModel;
@@ -82,7 +81,6 @@ import org.onap.portalapp.portal.transport.EPWidgetsSortPreference;
 import org.onap.portalapp.portal.transport.FieldsValidator;
 import org.onap.portalapp.portal.transport.LocalRole;
 import org.onap.portalapp.portal.transport.OnboardingApp;
-import org.onap.portalapp.portal.utils.EcompPortalUtils;
 import org.onap.portalapp.util.EPUserUtils;
 import org.onap.portalsdk.core.util.SystemProperties;
 import org.onap.portalsdk.core.web.support.AppUtils;
@@ -100,7 +98,7 @@ import org.springframework.web.client.HttpClientErrorException;
 public class AppsControllerTest extends MockitoTestSuite{
 
        @InjectMocks
-       AppsController appsController = new AppsController();
+       AppsController appsController;
 
        @Mock
        AdminRolesService adminRolesService = new AdminRolesServiceImpl();
@@ -368,6 +366,38 @@ public class AppsControllerTest extends MockitoTestSuite{
                assertEquals(actualFieldValidator, expectedFieldValidator);
        }
 
+       @Test
+       public void putUserAppsSortingManualXSSTest() {
+               EPUser user = mockUser.mockEPUser();
+               EPAppsManualPreference preference = new EPAppsManualPreference();
+               preference.setHeaderText("<script>alert(\"hellox worldss\");</script>");
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               List<EPAppsManualPreference> ePAppsManualPreference = new ArrayList<>();
+               FieldsValidator expectedFieldValidator = new FieldsValidator();
+               expectedFieldValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+               ePAppsManualPreference.add(preference);
+               Mockito.when(appService.saveAppsSortManual(ePAppsManualPreference, user)).thenReturn(expectedFieldValidator);
+               FieldsValidator actualFieldValidator = appsController.putUserAppsSortingManual(mockedRequest, ePAppsManualPreference,
+                       mockedResponse);
+               assertEquals(actualFieldValidator, expectedFieldValidator);
+       }
+
+       @Test
+       public void putUserWidgetsSortManualXSSTest() {
+               EPUser user = mockUser.mockEPUser();
+               EPWidgetsSortPreference preference = new EPWidgetsSortPreference();
+               preference.setHeaderText("<script>alert(\"hellox worldss\");</script>");
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               List<EPWidgetsSortPreference> ePAppsManualPreference = new ArrayList<>();
+               FieldsValidator expectedFieldValidator = new FieldsValidator();
+               expectedFieldValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+               ePAppsManualPreference.add(preference);
+               Mockito.when(appService.saveWidgetsSortManual(ePAppsManualPreference, user)).thenReturn(expectedFieldValidator);
+               FieldsValidator actualFieldValidator = appsController.putUserWidgetsSortManual(mockedRequest, ePAppsManualPreference,
+                       mockedResponse);
+               assertEquals(expectedFieldValidator, actualFieldValidator);
+       }
+
        @Test
        public void putUserAppsSortingManualExceptionTest() throws IOException {
                EPUser user = mockUser.mockEPUser();
@@ -404,7 +434,7 @@ public class AppsControllerTest extends MockitoTestSuite{
        }
 
        @Test
-       public void putUserWidgetsSortPrefTest() throws IOException {
+       public void putUserWidgetsSortPrefTest() {
                EPUser user = mockUser.mockEPUser();
                Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
                List<EPWidgetsSortPreference> ePWidgetsSortPreference = new ArrayList<EPWidgetsSortPreference>();
@@ -420,6 +450,24 @@ public class AppsControllerTest extends MockitoTestSuite{
                assertEquals(actualFieldValidator, expectedFieldValidator);
        }
 
+       @Test
+       public void putUserWidgetsSortPrefXSSTest() {
+               EPUser user = mockUser.mockEPUser();
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               List<EPWidgetsSortPreference> ePWidgetsSortPreference = new ArrayList<>();
+               EPWidgetsSortPreference preference = new EPWidgetsSortPreference();
+               preference.setHeaderText("<script>alert(\"hellox worldss\");</script>");
+               ePWidgetsSortPreference.add(preference);
+               FieldsValidator expectedFieldValidator = new FieldsValidator();
+               expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+               FieldsValidator actualFieldValidator;
+               Mockito.when(appService.deleteUserWidgetSortPref(ePWidgetsSortPreference, user))
+                       .thenReturn(expectedFieldValidator);
+               actualFieldValidator = appsController.putUserWidgetsSortPref(mockedRequest, ePWidgetsSortPreference,
+                       mockedResponse);
+               assertEquals(actualFieldValidator, expectedFieldValidator);
+       }
+
        @Test
        public void putUserWidgetsSortPrefExceptionTest() throws IOException {
                EPUser user = mockUser.mockEPUser();
@@ -475,6 +523,23 @@ public class AppsControllerTest extends MockitoTestSuite{
                assertEquals(actualFieldValidator, expectedFieldValidator);
        }
 
+       @Test
+       public void putUserAppsSortingPreferenceXSSTest() {
+               EPUser user = mockUser.mockEPUser();
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               EPAppsSortPreference userAppsValue = new EPAppsSortPreference();
+               userAppsValue.setTitle("</script><script>alert(1)</script>");
+               FieldsValidator expectedFieldValidator = new FieldsValidator();
+               expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+               expectedFieldValidator.setFields(null);
+               expectedFieldValidator.setErrorCode(null);
+               FieldsValidator actualFieldValidator;
+               Mockito.when(appService.saveAppsSortPreference(userAppsValue, user)).thenReturn(expectedFieldValidator);
+               actualFieldValidator = appsController.putUserAppsSortingPreference(mockedRequest, userAppsValue,
+                       mockedResponse);
+               assertEquals(actualFieldValidator, expectedFieldValidator);
+       }
+
        @Test
        public void putUserAppsSortingPreferenceExceptionTest() throws IOException {
                EPUser user = mockUser.mockEPUser();

diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java
index d8ed8c8..dfee854 100644 (file)
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java
@@ -66,7 +66,7 @@ public class AuditLogControllerTest {
        AuditService auditService;
        
        @InjectMocks
-     AuditLogController auditLogController = new AuditLogController();
+     AuditLogController auditLogController;
 
        @Before
        public void setup() {

diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java
index 1607f42..49cccae 100644 (file)
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java
@@ -38,24 +38,19 @@ package org.onap.portalapp.portal.controller;
  */
 
 
-import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 
-import java.io.IOException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.drools.core.command.assertion.AssertEquals;
 import org.json.JSONObject;
-import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -64,24 +59,15 @@ import org.mockito.Matchers;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
-import org.onap.portalapp.portal.controller.SharedContextRestClient;
-import org.onap.portalapp.portal.controller.SharedContextTestProperties;
 import org.onap.portalapp.portal.core.MockEPUser;
-import org.onap.portalapp.portal.domain.CentralV2RoleFunction;
 import org.onap.portalapp.portal.domain.SharedContext;
+import org.onap.portalapp.portal.exceptions.NotValidDataException;
 import org.onap.portalapp.portal.framework.MockitoTestSuite;
-import org.onap.portalapp.portal.scheduler.SchedulerProperties;
 import org.onap.portalapp.portal.service.SharedContextService;
 import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
-import org.onap.portalsdk.core.util.SystemProperties;
-import org.onap.portalsdk.core.web.support.UserUtils;
 import org.powermock.api.mockito.PowerMockito;
 import org.powermock.core.classloader.annotations.PrepareForTest;
 import org.powermock.modules.junit4.PowerMockRunner;
-import org.springframework.beans.factory.annotation.Autowired;
-
-import com.fasterxml.jackson.databind.DeserializationFeature;
-import com.fasterxml.jackson.databind.ObjectMapper;
 
 /**
  * Tests the endpoints exposed by the Shared Context controller in Portal.
@@ -95,7 +81,7 @@ public class SharedContextRestControllerTest {
        SharedContextService contextService;
 
        @InjectMocks
-       SharedContextRestController sharedContextRestController=new SharedContextRestController();
+       SharedContextRestController sharedContextRestController=new SharedContextRestController(contextService);
        
        @Before
        public void setup() {
@@ -220,11 +206,31 @@ public class SharedContextRestControllerTest {
        public void getContextTestWithException() throws Exception{
                sharedContextRestController.getContext(mockedRequest, null,null);
        }
+
+       @Test(expected=NotValidDataException.class)
+       public void getContextTestNotValidDataException() throws Exception{
+               sharedContextRestController.getContext(mockedRequest, "<script>alert(\"hellox worldss\");</script>","test");
+       }
+
+       @Test(expected=NotValidDataException.class)
+       public void getContextTest2NotValidDataException() throws Exception{
+               sharedContextRestController.getContext(mockedRequest, "test","“><script>alert(“XSS”)</script>");
+       }
+
+       @Test(expected=NotValidDataException.class)
+       public void getContextTest3NotValidDataException() throws Exception{
+               sharedContextRestController.getContext(mockedRequest, "<ScRipT>alert(\"XSS\");</ScRipT>","“><script>alert(“XSS”)</script>");
+       }
        
-       @Test(expected=Exception.class)
+       @Test(expected= Exception.class)
        public void getUserContextTest() throws Exception{
                sharedContextRestController.getUserContext(mockedRequest, null);
        }
+
+       @Test(expected= NotValidDataException.class)
+       public void getUserContextXSSTest() throws Exception{
+               sharedContextRestController.getUserContext(mockedRequest, "<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}");
+       }
        
        @Test
        public void getUserContextTestWithContext() throws Exception{
@@ -257,6 +263,16 @@ public class SharedContextRestControllerTest {
                Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext);
                sharedContextRestController.checkContext(mockedRequest, null,null);
        }
+
+       @Test(expected=NotValidDataException.class)
+       public void checkContextTestWithContextXSSl() throws Exception{
+               SharedContext sharedContext=new SharedContext();
+               sharedContext.setContext_id("test_contextid");
+               sharedContext.setCkey("test_ckey");
+               Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext);
+               sharedContextRestController.checkContext(mockedRequest,
+                       "<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?","<script>alert(123);</script>");
+       }
        
        @Test
        public void removeContextTest() throws Exception{
@@ -283,6 +299,20 @@ public class SharedContextRestControllerTest {
                assertNotNull(actual);
 
        }
+
+       @Test(expected=NotValidDataException.class)
+       public void removeContextTestWithContextXSS() throws Exception{
+               SharedContext sharedContext=new SharedContext();
+               sharedContext.setContext_id("test_contextid");
+               sharedContext.setCkey("test_ckey");
+               Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext);
+
+               //Mockito.when(contextService.deleteSharedContext(sharedContext));
+               String actual=sharedContextRestController.removeContext(mockedRequest,
+                       "<script>alert(“XSS”)</script> ","<script>alert(/XSS/)</script>");
+               assertNotNull(actual);
+
+       }
        
        @Test(expected=Exception.class)
        public void clearContextTestwithContextIdNull() throws Exception{
@@ -293,6 +323,16 @@ public class SharedContextRestControllerTest {
                assertNotNull(actual);
 
        }
+
+       @Test(expected=NotValidDataException.class)
+       public void clearContextTestwithContextXSS() throws Exception{
+
+               Mockito.when(contextService.deleteSharedContexts(Matchers.any())).thenReturn(12);
+
+               String actual=sharedContextRestController.clearContext(mockedRequest,"<script>alert(123)</script>");
+               assertNotNull(actual);
+
+       }
        
        @Test
        public void clearContextTest() throws Exception{
@@ -350,4 +390,27 @@ public class SharedContextRestControllerTest {
                String actual=sharedContextRestController.setContext(mockedRequest,testUserJson.toString());
 
        }
+
+       @Test(expected=NotValidDataException.class)
+       public void setContextTestWithContextXSS() throws Exception{
+               ObjectMapper mapper = new ObjectMapper();
+               Map<String, Object> userData = new HashMap<String, Object>();
+               userData.put("context_id", "test_contextId");
+               userData.put("ckey", "<script>alert(‘XSS’)</script>");
+               userData.put("cvalue", "test_cvalue");
+               //String testUserJson=Matchers.anyString();
+               JSONObject testUserJson = new JSONObject();
+               testUserJson.put("context_id", "test1ContextId");
+               testUserJson.put("ckey", "testCkey");
+               testUserJson.put("cvalue", "<script>alert(‘XSS’)</script>");
+               Map<String, Object> userData1 = mapper.readValue(testUserJson.toString(), Map.class);
+               SharedContext sharedContext=new SharedContext();
+               sharedContext.setContext_id("test_contextid");
+               sharedContext.setCkey("test_ckey");
+               Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext);
+               // Mockito.when(mapper.readValue("true", Map.class)).thenReturn(userData);
+               String actual=sharedContextRestController.setContext(mockedRequest,testUserJson.toString());
+
+       }
+
 }

diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java
index c6bd800..f69ac99 100644 (file)
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java
@@ -68,7 +68,7 @@ import org.springframework.web.client.RestClientException;
 public class WidgetsControllerTest  extends MockitoTestSuite{
 
        @InjectMocks
-       WidgetsController widgetsController = new WidgetsController();
+       WidgetsController widgetsController;
        
        @Mock
        private AdminRolesService rolesService;
@@ -150,7 +150,7 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
                OnboardingWidget onboardingWidget=new OnboardingWidget();
                onboardingWidget.id=12L;
                onboardingWidget.normalize();
-               //Mockito.doNothing().when(onboardingWidget).normalize();       
+               //Mockito.doNothing().when(onboardingWidget).normalize();
                FieldsValidator expectedFieldValidator = new FieldsValidator();
                List<FieldName> fields = new ArrayList<>();
 
@@ -161,6 +161,24 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
                actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse);
                
        }
+
+       @Test
+       public void putOnboardingWidgetXSSTest() {
+               FieldsValidator actualFieldsValidator = null;
+               EPUser user = mockUser.mockEPUser();
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               OnboardingWidget onboardingWidget=new OnboardingWidget();
+               onboardingWidget.id=12L;
+               onboardingWidget.name = "<script>alert(/XSS”)</script>";
+               onboardingWidget.normalize();
+               FieldsValidator expectedFieldValidator = new FieldsValidator();
+               expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+               Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator);
+               actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse);
+
+               assertEquals(expectedFieldValidator, actualFieldsValidator);
+
+       }
        
        @Test
        public void putOnboardingWidgetWithUserPermissionTest() {
@@ -172,7 +190,7 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
                OnboardingWidget onboardingWidget=new OnboardingWidget();
                onboardingWidget.id=12L;
                onboardingWidget.normalize();
-               //Mockito.doNothing().when(onboardingWidget).normalize();       
+               //Mockito.doNothing().when(onboardingWidget).normalize();
                FieldsValidator expectedFieldValidator = new FieldsValidator();
                List<FieldName> fields = new ArrayList<>();
 
@@ -209,6 +227,31 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
                assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode());
                assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields());
        }
+
+       @Test
+       public void postOnboardingWidgetXSSTest(){
+               EPUser user=mockUser.mockEPUser();
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               FieldsValidator actualFieldsValidator = null;
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               Mockito.when(rolesService.isSuperAdmin(user)).thenReturn(true);
+               Mockito.when(rolesService.isAccountAdmin(user)).thenReturn(true);
+               OnboardingWidget onboardingWidget=new OnboardingWidget();
+               onboardingWidget.id=12L;
+               onboardingWidget.appName="<script>alert(/XSS”)</script>";
+               onboardingWidget.normalize();
+               FieldsValidator expectedFieldValidator = new FieldsValidator();
+               List<FieldName> fields = new ArrayList<>();
+
+               expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+               expectedFieldValidator.setFields(fields);
+               expectedFieldValidator.setErrorCode(null);
+               Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator);
+               actualFieldsValidator = widgetsController.postOnboardingWidget(mockedRequest, onboardingWidget, mockedResponse);
+               assertEquals(expectedFieldValidator.getHttpStatusCode(), actualFieldsValidator.getHttpStatusCode());
+               assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode());
+               assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields());
+       }
        
        @Test
        public void postOnboardingWidgetTestwiThoutUserPermission() {
@@ -218,7 +261,7 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
                OnboardingWidget onboardingWidget=new OnboardingWidget();
                onboardingWidget.id=12L;
                onboardingWidget.normalize();
-               //Mockito.doNothing().when(onboardingWidget).normalize();       
+               //Mockito.doNothing().when(onboardingWidget).normalize();
                FieldsValidator expectedFieldValidator = new FieldsValidator();
                List<FieldName> fields = new ArrayList<>();
 

diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
deleted file mode 100644 (file)
index 703019f..0000000
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
+++ /dev/null
@@ -1,185 +0,0 @@
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * Modifications Copyright (c) 2019 Samsung
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- * 
- */
-
-package org.onap.portalapp.filter;
-
-import java.io.BufferedReader;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.nio.charset.StandardCharsets;
-import java.util.Enumeration;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ReadListener;
-import javax.servlet.ServletInputStream;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang.StringUtils;
-import org.apache.http.HttpStatus;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.springframework.web.filter.OncePerRequestFilter;
-
-public class SecurityXssFilter extends OncePerRequestFilter {
-
-       private EELFLoggerDelegate sxLogger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
-
-       private static final String APPLICATION_JSON = "application/json";
-
-       private static final String ERROR_BAD_REQUEST = "{\"error\":\"BAD_REQUEST\"}";
-
-       private SecurityXssValidator validator = SecurityXssValidator.getInstance();
-
-       public class RequestWrapper extends HttpServletRequestWrapper {
-
-               private ByteArrayOutputStream cachedBytes;
-
-               public RequestWrapper(HttpServletRequest request) {
-                       super(request);
-               }
-
-               @Override
-               public ServletInputStream getInputStream() throws IOException {
-                       if (cachedBytes == null)
-                               cacheInputStream();
-
-                       return new CachedServletInputStream();
-               }
-
-               @Override
-               public BufferedReader getReader() throws IOException {
-                       return new BufferedReader(new InputStreamReader(getInputStream()));
-               }
-
-               private void cacheInputStream() throws IOException {
-                       cachedBytes = new ByteArrayOutputStream();
-                       IOUtils.copy(super.getInputStream(), cachedBytes);
-               }
-
-               public class CachedServletInputStream extends ServletInputStream {
-                       private ByteArrayInputStream input;
-
-                       public CachedServletInputStream() {
-                               input = new ByteArrayInputStream(cachedBytes.toByteArray());
-                       }
-
-                       @Override
-                       public int read() throws IOException {
-                               return input.read();
-                       }
-
-                       @Override
-                       public boolean isFinished() {
-                               return false;
-                       }
-
-                       @Override
-                       public boolean isReady() {
-                               return false;
-                       }
-
-                       @Override
-                       public void setReadListener(ReadListener readListener) {
-                               // do nothing
-                       }
-               }
-       }
-
-       @Override
-       protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
-                       throws IOException {
-               StringBuilder requestURL = new StringBuilder(request.getRequestURL().toString());
-               String queryString = request.getQueryString();
-               String requestUrl;
-
-               if (queryString == null) {
-                       requestUrl = requestURL.toString();
-               } else {
-                       requestUrl = requestURL.append('?').append(queryString).toString();
-               }
-
-               validateRequest(requestUrl, response);
-               StringBuilder headerValues = new StringBuilder();
-               Enumeration<String> headerNames = request.getHeaderNames();
-
-               while (headerNames.hasMoreElements()) {
-                       String key = headerNames.nextElement();
-                       String value = request.getHeader(key);
-                       headerValues.append(value);
-               }
-
-               validateRequest(headerValues.toString(), response);
-
-               if (validateRequestType(request)) {
-                       request = new RequestWrapper(request);
-                       String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString());
-                       validateRequest(requestData, response);
-               }
-
-               try {
-                       filterChain.doFilter(request, response);
-               } catch (Exception e) {
-                       sxLogger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e);
-                       response.sendError(org.springframework.http.HttpStatus.BAD_REQUEST.value(), "Handling bad request");
-               }
-       }
-
-       private boolean validateRequestType(HttpServletRequest request) {
-               return (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")
-                               || request.getMethod().equalsIgnoreCase("DELETE"));
-       }
-       
-       private void validateRequest(String text, HttpServletResponse response) throws IOException {
-               try {
-                       if (StringUtils.isNotBlank(text) && validator.denyXSS(text)) {
-                               response.setContentType(APPLICATION_JSON);
-                               response.setStatus(HttpStatus.SC_BAD_REQUEST);
-                               response.getWriter().write(ERROR_BAD_REQUEST);
-                               throw new SecurityException(ERROR_BAD_REQUEST);
-                       }
-               } catch (Exception e) {
-                       sxLogger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e);
-                       response.getWriter().close();
-               }
-       }
-}

diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java
deleted file mode 100644 (file)
index c203f1f..0000000
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java
+++ /dev/null
@@ -1,207 +0,0 @@
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- * 
- */
-package org.onap.portalapp.filter;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.concurrent.locks.Lock;
-import java.util.concurrent.locks.ReentrantLock;
-import java.util.regex.Pattern;
-
-import org.apache.commons.lang.NotImplementedException;
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.lang3.StringEscapeUtils;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.onap.portalsdk.core.util.SystemProperties;
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.codecs.Codec;
-import org.owasp.esapi.codecs.MySQLCodec;
-import org.owasp.esapi.codecs.MySQLCodec.Mode;
-import org.owasp.esapi.codecs.OracleCodec;
-
-public class SecurityXssValidator {
-
-       private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
-
-       private static final String MYSQL_DB = "mysql";
-       private static final String ORACLE_DB = "oracle";
-       private static final String MARIA_DB = "mariadb";
-       private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
-       static SecurityXssValidator validator = null;
-       private static Codec instance;
-       private static final Lock lock = new ReentrantLock();
-
-       public static SecurityXssValidator getInstance() {
-
-               if (validator == null) {
-                       lock.lock();
-                       try {
-                               if (validator == null)
-                                       validator = new SecurityXssValidator();
-                       } finally {
-                               lock.unlock();
-                       }
-               }
-
-               return validator;
-       }
-
-       private SecurityXssValidator() {
-               // Avoid anything between script tags
-               XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS));
-
-               // avoid iframes
-               XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS));
-
-               // Avoid anything in a src='...' type of expression
-               XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
-
-               XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
-
-               XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
-
-               // Remove any lonesome </script> tag
-               XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS));
-
-               XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS));
-
-               XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS));
-
-               // Remove any lonesome <script ...> tag
-               XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS));
-
-               // Avoid eval(...) expressions
-               XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS));
-
-               // Avoid expression(...) expressions
-               XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS));
-
-               // Avoid javascript:... expressions
-               XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS));
-
-               // Avoid onload= expressions
-               XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS));
-       }
-
-       private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
-
-       /**
-        * * This method takes a string and strips out any potential script injections.
-        * 
-        * @param value
-        * @return String - the new "sanitized" string.
-        */
-       public String stripXSS(String value) {
-
-               try {
-
-                       if (StringUtils.isNotBlank(value)) {
-
-                               value = StringEscapeUtils.escapeHtml4(value);
-
-                               value = ESAPI.encoder().canonicalize(value);
-
-                               // Avoid null characters
-                               value = value.replaceAll("\0", "");
-
-                               for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
-                                       value = xssInputPattern.matcher(value).replaceAll("");
-                               }
-                       }
-
-               } catch (Exception e) {
-                       logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e);
-               }
-
-               return value;
-       }
-
-       public Boolean denyXSS(String value) {
-               Boolean flag = Boolean.FALSE;
-               try {
-                       if (StringUtils.isNotBlank(value)) {
-                               value = ESAPI.encoder().canonicalize(value);
-                               for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
-                                       if (xssInputPattern.matcher(value).matches()) {
-                                               flag = Boolean.TRUE;
-                                               break;
-                                       }
-
-                               }
-                       }
-
-               } catch (Exception e) {
-                       logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e);
-               }
-
-               return flag;
-       }
-
-       public Codec getCodec() {
-               try {
-                       if (null == instance) {
-                               if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB)
-                                               || StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
-                                                               MARIA_DB)) {
-                                       instance = new MySQLCodec(Mode.STANDARD);
-
-                               } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
-                                               ORACLE_DB)) {
-                                       instance = new OracleCodec();
-                               } else {
-                                       throw new NotImplementedException("Handling for data base \""
-                                                       + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented.");
-                               }
-                       }
-
-               } catch (Exception ex) {
-                       logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex);
-               }
-               return instance;
-
-       }
-
-       public List<Pattern> getXSS_INPUT_PATTERNS() {
-               return XSS_INPUT_PATTERNS;
-       }
-
-       public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) {
-               XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS;
-       }
-
-}
\ No newline at end of file

diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
index 915c5e0..e109ef5 100644 (file)
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
@@ -47,8 +47,8 @@ import javax.validation.ConstraintViolation;
 import javax.validation.Validation;
 import javax.validation.Validator;
 import javax.validation.ValidatorFactory;
+import lombok.NoArgsConstructor;
 import org.json.JSONObject;
-import org.onap.portalapp.portal.controller.AppsController;
 import org.onap.portalapp.portal.domain.EPUser;
 import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
 import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
@@ -61,6 +61,7 @@ import org.onap.portalapp.util.EPUserUtils;
 import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -69,27 +70,20 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-@org.springframework.context.annotation.Configuration
+@Configuration
 @EnableAspectJAutoProxy
 @EPAuditLog
+@NoArgsConstructor
 public class AppsOSController extends AppsController {
        private static final ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory();
        
-       static final String FAILURE = "failure";
-       EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class);
+       private static final String FAILURE = "failure";
+       private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class);
 
-       @Autowired
-       AdminRolesService adminRolesService;
-       @Autowired
-       EPAppService appService;
-       @Autowired
-       PersUserAppService persUserAppService;
        @Autowired
        UserService userService;
 
-       
-       
-       /**
+       /**
         * Create new application's contact us details.
         * 
         * @param contactUs
@@ -102,9 +96,9 @@ public class AppsOSController extends AppsController {
                        return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, FAILURE,
                                        "New User cannot be null or empty");
                
-               if (!(adminRolesService.isSuperAdmin(user) || adminRolesService.isAccountAdmin(user))){
+               if (!(super.getAdminRolesService().isSuperAdmin(user) || super.getAdminRolesService().isAccountAdmin(user))){
                        if(!user.getLoginId().equalsIgnoreCase(newUser.getLoginId()))
-                               return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, FAILURE,
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE,
                                                "UnAuthorized");
                }
                        
@@ -113,9 +107,9 @@ public class AppsOSController extends AppsController {
                try {
                        saveNewUser = userService.saveNewUser(newUser,checkDuplicate);
                } catch (Exception e) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, saveNewUser, e.getMessage());
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveNewUser, e.getMessage());
                }
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, saveNewUser, "");
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveNewUser, "");
        }
        
        @RequestMapping(value = { "/portalApi/currentUserProfile/{loginId}" }, method = RequestMethod.GET, produces = "application/json")

diff --git a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/filter/SecurityXssValidatorTest.java b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/filter/SecurityXssValidatorTest.java
deleted file mode 100644 (file)
index 7a4eac8..0000000
--- a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/filter/SecurityXssValidatorTest.java
+++ /dev/null
@@ -1,122 +0,0 @@
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- * 
- */
-package org.onap.portalapp.filter;
-
-import org.junit.Assert;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.InjectMocks;
-import org.mockito.Mockito;
-import org.onap.portalsdk.core.util.SystemProperties;
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.codecs.Codec;
-import org.powermock.api.mockito.PowerMockito;
-import org.powermock.core.classloader.annotations.PrepareForTest;
-import org.powermock.modules.junit4.PowerMockRunner;
-
-@RunWith(PowerMockRunner.class)
-@PrepareForTest({ESAPI.class, SystemProperties.class})
-public class SecurityXssValidatorTest {
-       @InjectMocks
-       SecurityXssValidator securityXssValidator;
-
-       @Test
-       public void stripXSSTest() {
-        securityXssValidator=  SecurityXssValidator.getInstance();
-               String value ="Test";
-               securityXssValidator.stripXSS(value);
-       }
-       
-       @Test
-       public void testDenyXss() {
-        securityXssValidator=  SecurityXssValidator.getInstance();
-               String value ="Test";
-               securityXssValidator.denyXSS(value);
-       }
-       
-       @Test
-               public void getCodecMySqlTest() {
-                       PowerMockito.mockStatic(SystemProperties.class);
-                       Mockito.when(SystemProperties.getProperty(SystemProperties.DB_DRIVER)).thenReturn("mysql");
-                       SecurityXssValidator validator = SecurityXssValidator.getInstance();
-                       Codec codec = validator.getCodec();
-                       Assert.assertNotNull(codec);
-               }
-       
-       /*//@Test
-       public void stripXSSExceptionTest() {
-               String value ="Test";
-               SecurityXssValidator validator = SecurityXssValidator.getInstance();
-               String reponse = validator.stripXSS(value);
-               Assert.assertEquals(value, reponse);;
-       }
-       
-       //@Test
-       public void denyXSSTest() {
-               String value ="<script>Test</script>";
-               PowerMockito.mockStatic(ESAPI.class);
-               Encoder mockEncoder = Mockito.mock(Encoder.class);
-               Mockito.when(ESAPI.encoder()).thenReturn(mockEncoder);
-               Mockito.when(mockEncoder.canonicalize(value)).thenReturn(value);
-               SecurityXssValidator validator = SecurityXssValidator.getInstance();
-               Boolean flag = validator.denyXSS(value);
-               Assert.assertTrue(flag);
-       }
-       
-       //@Test
-       public void denyXSSFalseTest() {
-               String value ="test";
-               PowerMockito.mockStatic(ESAPI.class);
-               Encoder mockEncoder = Mockito.mock(Encoder.class);
-               Mockito.when(ESAPI.encoder()).thenReturn(mockEncoder);
-               Mockito.when(mockEncoder.canonicalize(value)).thenReturn(value);
-               SecurityXssValidator validator = SecurityXssValidator.getInstance();
-               Boolean flag = validator.denyXSS(value);
-               Assert.assertFalse(flag);
-       }
-
-       //@Test
-       public void getCodecMySqlTest() {
-               PowerMockito.mockStatic(SystemProperties.class);
-               Mockito.when(SystemProperties.getProperty(SystemProperties.DB_DRIVER)).thenReturn("mysql");
-               SecurityXssValidator validator = SecurityXssValidator.getInstance();
-               Codec codec = validator.getCodec();
-               Assert.assertNotNull(codec);
-       }*/
-                               
-}

diff --git a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
index 15fe1dd..1083aed 100644 (file)
--- a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
+++ b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
@@ -41,10 +41,8 @@ import static org.junit.Assert.assertEquals;
 
 import java.util.ArrayList;
 import java.util.List;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
 import org.junit.Before;
 import org.junit.Ignore;
 import org.junit.Test;
@@ -52,7 +50,6 @@ import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
-import org.onap.portalapp.portal.controller.AppsOSController;
 import org.onap.portalapp.portal.domain.EPUser;
 import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
 import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
@@ -87,7 +84,7 @@ public class AppsOSControllerTest {
        }
 
        @InjectMocks
-       AppsOSController appsOSController = new AppsOSController();
+       AppsOSController appsOSController;
 
        MockitoTestSuite mockitoTestSuite = new MockitoTestSuite();