Merge "Sonar fix: make "dateFormat" an instance variable"
authorSunder Tattavarada <statta@research.att.com>
Fri, 14 Jun 2019 17:17:37 +0000 (17:17 +0000)
committerGerrit Code Review <gerrit@onap.org>
Fri, 14 Jun 2019 17:17:37 +0000 (17:17 +0000)
41 files changed:
docs/release-notes.rst
ecomp-portal-BE-common/pom.xml
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsControllerExternalRequest.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/MicroserviceController.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/RoleManageController.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/TicketEventController.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/AppContactUs.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/CentralV2RoleFunction.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/EPApp.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/EPRole.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/EPUser.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/EPUserApp.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/FunctionalMenuItemWithAppID.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/MicroserviceData.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/MicroserviceParameter.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/RoleApp.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/MicroserviceServiceImpl.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CentralV2UserApp.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidget.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidgetMeta.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/FunctionalMenuItem.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingApp.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java [new file with mode: 0644]
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/SecureString.java [new file with mode: 0644]
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerExternalRequestTest.java
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/DashboardSearchResultControllerTest.java
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/MicroserviceControllerTest.java
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/RoleManageControllerTest.java
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/TicketEventControllerTest.java
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImplTest.java
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/transport/CentralUserAppTest.java
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/validation/DataValidatorTest.java [new file with mode: 0644]
ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java
ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/DashboardSearchResultControllerTest.java
ecomp-portal-widget-ms/widget-ms/pom.xml
ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/domain/App.java
ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/domain/RoleApp.java

index 9502569..a1b6e09 100644 (file)
@@ -36,14 +36,14 @@ We worked on SDK upgrade to integrate with AAF. We partially implemented multi-l
 
 *Known Security Issues*
 
-       * CVE-2019-12317 - Number of XSS vulnerabilities in Portal [`OJSI-15 <https://jira.onap.org/browse/OJSI-15>`_]
-       * CVE-2019-12122 - ONAP Portal allows to retrieve password of currently active user [`OJSI-65 <https://jira.onap.org/browse/OJSI-65>`_]
-       * CVE-2019-12121 - ONAP Portal is vulnerable for Padding Oracle attack [`OJSI-92 <https://jira.onap.org/browse/OJSI-92>`_]
-       * In defult deployment PORTAL (portal-app) exposes HTTP port 8989 outside of cluster. [`OJSI-97 <https://jira.onap.org/browse/OJSI-97>`_]
-       * In defult deployment PORTAL (portal-app) exposes HTTP port 30215 outside of cluster. [`OJSI-105 <https://jira.onap.org/browse/OJSI-105>`_]
-       * In defult deployment PORTAL (portal-sdk) exposes HTTP port 30212 outside of cluster. [`OJSI-106 <https://jira.onap.org/browse/OJSI-106>`_]
-       * CVE-2019-12318 - Number of SQL Injections in Portal [`OJSI-174 <https://jira.onap.org/browse/OJSI-174>`_]
-       * Portal stores users passwords encrypted instead of hashed [`OJSI-190 <https://jira.onap.org/browse/OJSI-190>`_]
+        * CVE-2019-12317 - Number of XSS vulnerabilities in Portal [`OJSI-15 <https://jira.onap.org/browse/OJSI-15>`_]
+        * CVE-2019-12122 - ONAP Portal allows to retrieve password of currently active user [`OJSI-65 <https://jira.onap.org/browse/OJSI-65>`_]
+        * CVE-2019-12121 - ONAP Portal is vulnerable for Padding Oracle attack [`OJSI-92 <https://jira.onap.org/browse/OJSI-92>`_]
+        * In defult deployment PORTAL (portal-app) exposes HTTP port 8989 outside of cluster. [`OJSI-97 <https://jira.onap.org/browse/OJSI-97>`_]
+        * In defult deployment PORTAL (portal-app) exposes HTTP port 30215 outside of cluster. [`OJSI-105 <https://jira.onap.org/browse/OJSI-105>`_]
+        * In defult deployment PORTAL (portal-sdk) exposes HTTP port 30212 outside of cluster. [`OJSI-106 <https://jira.onap.org/browse/OJSI-106>`_]
+        * CVE-2019-12318 - Number of SQL Injections in Portal [`OJSI-174 <https://jira.onap.org/browse/OJSI-174>`_]
+        * Portal stores users passwords encrypted instead of hashed [`OJSI-190 <https://jira.onap.org/browse/OJSI-190>`_]
 
 *Known Vulnerabilities in Used Modules*
 
@@ -59,7 +59,8 @@ Quick Links:
 **Upgrade Notes**
         * For https Apps onboarded to portal, a certificate has to be downloaded in the browser when first trying to access the landing page of the App.
         * For onboarded Apps using http (since Portal is using https) the browser asks the user to click to Proceed to the unsafe URL.
-               * For onboarded Apps using http the icon in the URL bar will appear red, click on it and allow unsafe scripts.
+        * For onboarded Apps using http the icon in the URL bar will appear red, click on it and allow unsafe scripts.
+        * The first time some apps are selected in the Applications panel, an error stating the webpage might be temporarily down, copy the presented URL to a new browser; once that is done, the application will open in the Portal.
 
 **Deprecation Notes**
 
index b8787f7..aca5e2a 100644 (file)
                        <artifactId>jackson-jaxrs-json-provider</artifactId>
                        <version>2.8.10</version>
                </dependency>
+               <!-- https://mvnrepository.com/artifact/org.glassfish.web/javax.el -->
+               <dependency>
+                       <groupId>org.glassfish.web</groupId>
+                       <artifactId>javax.el</artifactId>
+                       <version>2.2.6</version>
+               </dependency>
+               <!-- https://mvnrepository.com/artifact/javax.el/el-api -->
+               <dependency>
+                       <groupId>javax.el</groupId>
+                       <artifactId>el-api</artifactId>
+                       <version>2.2.1-b04</version>
+               </dependency>
+               <!-- https://mvnrepository.com/artifact/org.jsoup/jsoup -->
+               <dependency>
+                       <groupId>org.jsoup</groupId>
+                       <artifactId>jsoup</artifactId>
+                       <version>1.12.1</version>
+               </dependency>
                <dependency>
                        <groupId>org.glassfish.jersey.connectors</groupId>
                        <artifactId>jersey-jetty-connector</artifactId>
index cef5fa7..fe029e0 100644 (file)
@@ -39,9 +39,15 @@ package org.onap.portalapp.portal.controller;
 
 import java.util.List;
 
+import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import javax.validation.ConstraintViolation;
+import javax.validation.Valid;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
 import org.onap.portalapp.portal.domain.EPApp;
 import org.onap.portalapp.portal.domain.EPUser;
 import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
@@ -88,16 +94,12 @@ import io.swagger.annotations.ApiOperation;
 @EnableAspectJAutoProxy
 @EPAuditLog
 public class AppsControllerExternalRequest implements BasicAuthenticationController {
+       private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
 
        private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsControllerExternalRequest.class);
 
        private static final String ONBOARD_APP = "/onboardApp";
 
-       // Where is this used?
-       public boolean isAuxRESTfulCall() {
-               return true;
-       }
-
        /**
         * For testing whether a user is a superadmin.
         */
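Review bot: Removing the public `isAuxRESTfulCall()` method from a class that implements BasicAuthenticationController is safe only if nothing resolves it by name; the deleted "Where is this used?" comment says the original author could not tell, and a session or auth interceptor that looks the method up reflectively would not fail compilation, it would just stop seeing this controller as an auxiliary REST call. A repository-wide search for `isAuxRESTfulCall` (including the SDK and interceptor packages, which are outside this diff) is worth doing before merge. If it is genuinely unused, a one-line commit note saying so would spare the next reader the same question.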
@@ -145,10 +147,20 @@ public class AppsControllerExternalRequest implements BasicAuthenticationControl
        @RequestMapping(value = "/portalAdmin", method = RequestMethod.POST, produces = "application/json")
        @ResponseBody
        public PortalRestResponse<String> postPortalAdmin(HttpServletRequest request, HttpServletResponse response,
-                       @RequestBody EPUser epUser) {
+                       @Valid @RequestBody EPUser epUser) {
                EcompPortalUtils.logAndSerializeObject(logger, "postPortalAdmin", "request", epUser);
                PortalRestResponse<String> portalResponse = new PortalRestResponse<>();
 
+               if (epUser!=null){
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<EPUser>> constraintViolations = validator.validate(epUser);
+                       if (!constraintViolations.isEmpty()){
+                               portalResponse.setStatus(PortalRestStatusEnum.ERROR);
+                               portalResponse.setMessage("Data is not valid");
+                               return portalResponse;
+                       }
+               }
+
                // Check mandatory fields.
                if (epUser.getEmail() == null || epUser.getEmail().trim().length() == 0 //
                                || epUser.getLoginId() == null || epUser.getLoginId().trim().length() == 0 //
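Review bot: The new `if (epUser!=null)` guard is contradicted two lines later, where the "Check mandatory fields" block dereferences `epUser.getEmail()` unconditionally, so a null body would skip validation and then throw a NullPointerException instead of producing the ERROR response. Either treat the body as required and drop the guard, or fail closed: `if (epUser == null) { portalResponse.setStatus(PortalRestStatusEnum.ERROR); portalResponse.setMessage("Data is not valid"); return portalResponse; }`. Note also that `@Valid` on a Spring `@RequestBody` normally triggers method-argument validation before the handler body runs, so the manual `validator.validate` pass presumably only matters when no `Validator` is wired into the MVC configuration — confirm which rejection path external callers are expected to see, since the two produce different response shapes. The generic "Data is not valid" message is the right choice for an endpoint reachable through basic authentication, but log the violation count or property paths (not values) server-side so rejected requests stay diagnosable. postPortalAdmin's body continues past the end of the hunk.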
@@ -248,10 +260,18 @@ public class AppsControllerExternalRequest implements BasicAuthenticationControl
        @RequestMapping(value = { ONBOARD_APP }, method = RequestMethod.POST, produces = "application/json")
        @ResponseBody
        public PortalRestResponse<String> postOnboardAppExternal(HttpServletRequest request, HttpServletResponse response,
-                       @RequestBody OnboardingApp newOnboardApp) {
+                       @Valid @RequestBody OnboardingApp newOnboardApp) {
                EcompPortalUtils.logAndSerializeObject(logger, "postOnboardAppExternal", "request", newOnboardApp);
                PortalRestResponse<String> portalResponse = new PortalRestResponse<>();
-
+               if (newOnboardApp != null){
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<OnboardingApp>> constraintViolations = validator.validate(newOnboardApp);
+                       if (!constraintViolations.isEmpty()){
+                               portalResponse.setStatus(PortalRestStatusEnum.ERROR);
+                               portalResponse.setMessage("Data is not valid");
+                               return portalResponse;
+                       }
+               }
                // Validate fields
                if (newOnboardApp.id != null) {
                        portalResponse.setStatus(PortalRestStatusEnum.ERROR);
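Review bot: Bean Validation evaluates only the constraints declared on OnboardingApp itself; fields of nested objects or collection elements are validated only where the containing field carries `@Valid`, so if OnboardingApp holds nested objects (its definition is outside this hunk) the new `validator.validate(newOnboardApp)` call may pass them through unchecked — confirm against OnboardingApp. As in postPortalAdmin, the `newOnboardApp != null` guard is followed by an unconditional `newOnboardApp.id` dereference in the next statement, so the guard only changes which exception a null body produces rather than returning the ERROR response. Keep the generic "Data is not valid" reply, but record which fields failed, e.g. `logger.debug(EELFLoggerDelegate.debugLogger, "postOnboardAppExternal: {} constraint violation(s)", constraintViolations.size());` before the return, logging property paths rather than the offending values. postOnboardAppExternal's body continues past the hunk.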
@@ -335,9 +355,20 @@ public class AppsControllerExternalRequest implements BasicAuthenticationControl
        @RequestMapping(value = { ONBOARD_APP + "/{appId}" }, method = RequestMethod.PUT, produces = "application/json")
        @ResponseBody
        public PortalRestResponse<String> putOnboardAppExternal(HttpServletRequest request, HttpServletResponse response,
-                       @PathVariable("appId") Long appId, @RequestBody OnboardingApp oldOnboardApp) {
+                       @PathVariable("appId") Long appId, @Valid @RequestBody OnboardingApp oldOnboardApp) {
                EcompPortalUtils.logAndSerializeObject(logger, "putOnboardAppExternal", "request", oldOnboardApp);
                PortalRestResponse<String> portalResponse = new PortalRestResponse<>();
+
+               if (oldOnboardApp != null){
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<OnboardingApp>> constraintViolations = validator.validate(oldOnboardApp);
+                       if (!constraintViolations.isEmpty()){
+                               portalResponse.setStatus(PortalRestStatusEnum.ERROR);
+                               portalResponse.setMessage("Data is not valid");
+                               return portalResponse;
+                       }
+               }
+
                // Validate fields.
                if (oldOnboardApp.id == null || !appId.equals(oldOnboardApp.id)) {
                        portalResponse.setStatus(PortalRestStatusEnum.ERROR);
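Review bot: The validator block is now copied verbatim into three handlers of this class (postPortalAdmin, postOnboardAppExternal and here), differing only in the bean type, which makes it easy for a fourth endpoint to forget the check and gives three places to keep in sync; a small helper keeps the policy in one spot and is the natural place for server-side logging. `Validator` instances are thread-safe and reusable per the Bean Validation specification, so the helper can hold a single `getValidator()` result instead of fetching one per request. With the helper below, which also fails closed on a null body, this method's block collapses to `if (isInvalid(oldOnboardApp)) { portalResponse.setStatus(PortalRestStatusEnum.ERROR); portalResponse.setMessage("Data is not valid"); return portalResponse; }`. putOnboardAppExternal's body continues past the hunk.

```java
	private static final Validator VALIDATOR = VALIDATOR_FACTORY.getValidator();

	/**
	 * Returns true when {@code bean} is null or violates any Bean Validation
	 * constraint declared on its class; violations are logged by path, not value.
	 */
	private boolean isInvalid(Object bean) {
		if (bean == null) {
			return true;
		}
		Set<ConstraintViolation<Object>> violations = VALIDATOR.validate(bean);
		for (ConstraintViolation<Object> v : violations) {
			logger.debug(EELFLoggerDelegate.debugLogger, "{} violates constraint on {}",
					bean.getClass().getSimpleName(), v.getPropertyPath());
		}
		return !violations.isEmpty();
	}
```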
index 29f5b20..04ee5e0 100644 (file)
@@ -45,8 +45,14 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 
+import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 
+import javax.validation.ConstraintViolation;
+import javax.validation.Valid;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
 import org.onap.portalapp.controller.EPRestrictedBaseController;
 import org.onap.portalapp.portal.domain.EPUser;
 import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
@@ -56,6 +62,7 @@ import org.onap.portalapp.portal.service.DashboardSearchService;
 import org.onap.portalapp.portal.transport.CommonWidget;
 import org.onap.portalapp.portal.transport.CommonWidgetMeta;
 import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.domain.support.CollaborateList;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -68,6 +75,7 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 @RequestMapping("/portalApi/search")
 public class DashboardSearchResultController extends EPRestrictedBaseController {
+       private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
 
        private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(DashboardSearchResultController.class);
 
@@ -85,8 +93,11 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
        @RequestMapping(value = "/widgetData", method = RequestMethod.GET, produces = "application/json")
        public PortalRestResponse<CommonWidgetMeta> getWidgetData(HttpServletRequest request,
                        @RequestParam String resourceType) {
-               return new PortalRestResponse<CommonWidgetMeta>(PortalRestStatusEnum.OK, "success",
-                               searchService.getWidgetData(resourceType));
+               if (stringIsNotSafeHtml(resourceType)) {
+                               return new PortalRestResponse(PortalRestStatusEnum.ERROR, "resourceType: String string is not valid", "");
+               }
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+                       searchService.getWidgetData(resourceType));
        }
 
        /**
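Review bot: Rejecting `resourceType` only when it fails the SecureString check applies an HTML-oriented denylist to what looks like an identifier; the set of valid values is decided by `searchService.getWidgetData` (outside this hunk), so if the service expects a fixed set of resource types the check should be membership in that set, or failing that an allowlist pattern of letters, digits, `_` and `-`, which is strictly tighter than "not unsafe HTML". Independently, the new error return builds the raw type `new PortalRestResponse(...)` with `""` as payload inside a method declared to return `PortalRestResponse<CommonWidgetMeta>`, which only compiles through an unchecked conversion; the file already passes `null` as the payload on error elsewhere, so `return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "resourceType: String string is not valid", null);` keeps the declared type. The message "String string is not valid" reads as a copy of searchPortal's text and could simply say "resourceType contains disallowed characters".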
@@ -97,19 +108,26 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
         * @return Rest response wrapped around a String; e.g., "success" or "ERROR"
         */
        @RequestMapping(value = "/widgetDataBulk", method = RequestMethod.POST, produces = "application/json")
-       public PortalRestResponse<String> saveWidgetDataBulk(@RequestBody CommonWidgetMeta commonWidgetMeta) {
+       public PortalRestResponse<String> saveWidgetDataBulk(@Valid @RequestBody CommonWidgetMeta commonWidgetMeta) {
                logger.debug(EELFLoggerDelegate.debugLogger, "saveWidgetDataBulk: argument is {}", commonWidgetMeta);
-               if (commonWidgetMeta.getCategory() == null || commonWidgetMeta.getCategory().trim().equals(""))
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR",
-                                       "Category cannot be null or empty");
+               if (commonWidgetMeta.getCategory() == null || commonWidgetMeta.getCategory().trim().equals("")){
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+                               "Cateogry cannot be null or empty");
+               }else {
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<CommonWidgetMeta>> constraintViolations = validator.validate(commonWidgetMeta);
+                       if (!constraintViolations.isEmpty())
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+                                       "Category is not valid");
+               }
                // validate dates
                for (CommonWidget cw : commonWidgetMeta.getItems()) {
                        String err = validateCommonWidget(cw);
                        if (err != null)
-                               return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, err, null);
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, err, null);
                }
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
-                               searchService.saveWidgetDataBulk(commonWidgetMeta));
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+                       searchService.saveWidgetDataBulk(commonWidgetMeta));
        }
 
        /**
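Review bot: The rewritten null/empty check returns `"Cateogry cannot be null or empty"`, a typo the old line did not have, while the sibling saveWidgetData hunk fixes the same typo in the other direction, so any client or test matching on the message text now sees the two endpoints swap; use `"Category cannot be null or empty"` here. The follow-up `"Category is not valid"` is also misleading, because `validator.validate(commonWidgetMeta)` reports violations on any constrained field of CommonWidgetMeta, not just category — `"CommonWidgetMeta is not valid"`, the wording deleteWidgetData uses for its bean, is accurate. Whether the `items` entries are covered by that call depends on the `items` field carrying `@Valid` in CommonWidgetMeta (outside this diff); the per-item loop below only checks dates via validateCommonWidget, so confirm the cascade or validate each `cw` explicitly in the loop.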
@@ -120,16 +138,23 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
         * @return Rest response wrapped around a String; e.g., "success" or "ERROR"
         */
        @RequestMapping(value = "/widgetData", method = RequestMethod.POST, produces = "application/json")
-       public PortalRestResponse<String> saveWidgetData(@RequestBody CommonWidget commonWidget) {
+       public PortalRestResponse<String> saveWidgetData(@Valid @RequestBody CommonWidget commonWidget) {
                logger.debug(EELFLoggerDelegate.debugLogger, "saveWidgetData: argument is {}", commonWidget);
-               if (commonWidget.getCategory() == null || commonWidget.getCategory().trim().equals(""))
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR",
-                                       "Cateogry cannot be null or empty");
+               if (commonWidget.getCategory() == null || commonWidget.getCategory().trim().equals("")){
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+                               "Category cannot be null or empty");
+               }else {
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<CommonWidget>> constraintViolations = validator.validate(commonWidget);
+                       if (!constraintViolations.isEmpty())
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+                                       "Category is not valid");
+               }
                String err = validateCommonWidget(commonWidget);
                if (err != null)
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, err, null);
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
-                               searchService.saveWidgetData(commonWidget));
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, err, null);
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+                       searchService.saveWidgetData(commonWidget));
        }
 
        /**
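Review bot: `"Category is not valid"` is returned for any constraint violation on CommonWidget, so a caller whose category is fine but whose other field fails is pointed at the wrong field; `"CommonWidget is not valid"` matches the deleteWidgetData wording and is accurate. The violation set is then discarded, which makes rejected requests hard to diagnose from the server side; a line such as `logger.debug(EELFLoggerDelegate.debugLogger, "saveWidgetData: {} constraint violation(s)", constraintViolations.size());` before the return keeps the response generic while leaving a trace — log property paths rather than values, since the values are precisely what failed the safe-HTML check and should not be written into logs unescaped.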
@@ -162,10 +187,17 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
         * @return Rest response wrapped around a String; e.g., "success" or "ERROR"
         */
        @RequestMapping(value = "/deleteData", method = RequestMethod.POST, produces = "application/json")
-       public PortalRestResponse<String> deleteWidgetData(@RequestBody CommonWidget commonWidget) {
+       public PortalRestResponse<String> deleteWidgetData(@Valid @RequestBody CommonWidget commonWidget) {
+               if (commonWidget!=null){
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<CommonWidget>> constraintViolations = validator.validate(commonWidget);
+                       if (!constraintViolations.isEmpty())
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+                                       "CommonWidget is not valid");
+               }
                logger.debug(EELFLoggerDelegate.debugLogger, "deleteWidgetData: argument is {}", commonWidget);
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
-                               searchService.deleteWidgetData(commonWidget));
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+                       searchService.deleteWidgetData(commonWidget));
        }
 
        /**
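Review bot: The `commonWidget!=null` guard makes validation conditional, but `searchService.deleteWidgetData(commonWidget)` below runs regardless, so a null body would skip validation and be handed to the service; Spring treats `@RequestBody` as required by default, so the branch is presumably dead, but the guard and the call should agree — fail closed with `if (commonWidget == null) return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR", "CommonWidget is not valid");`. For a delete, the field that matters is whichever key `searchService.deleteWidgetData` selects on (outside this hunk); checking the HTML-safety of the other fields does not establish that the caller may delete that row, so any ownership or role check still has to live in the service or in EPRestrictedBaseController. The debug log on the line after the check would print the payload only for accepted requests, which is the safer order given that rejected payloads are by definition the ones containing markup.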
@@ -185,11 +217,14 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
                        if (user == null) {
                                return new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
                                                "searchPortal: User object is null? - check logs",
-                                               new HashMap<String, List<SearchResultItem>>());
+                                       new HashMap<>());
                        } else if (searchString == null || searchString.trim().length() == 0) {
                                return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "searchPortal: String string is null",
-                                               new HashMap<String, List<SearchResultItem>>());
-                       } else {
+                                       new HashMap<>());
+                       }else if (stringIsNotSafeHtml(searchString)){
+                                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "searchPortal: String string is not valid",
+                                               new HashMap<>());
+                       }else {
                                logger.debug(EELFLoggerDelegate.debugLogger, "searchPortal: user {}, search string '{}'",
                                                user.getLoginId(), searchString);
                                Map<String, List<SearchResultItem>> results = searchService.searchResults(user.getLoginId(),
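Review bot: Refusing any `searchString` that fails the SecureString check is a denylist defence against reflected XSS in search results: it blocks the obvious payloads but also rejects legitimate queries containing `<`, `>` or `&`, and it does nothing for the other sink the string reaches, `searchService.searchResults(...)`, which must still bind it as a parameter rather than concatenate it. The durable fix for the XSS side is output encoding where the results are rendered, with this check kept as defence in depth; for the query side, confirm the service uses bound parameters. The message `"searchPortal: String string is not valid"` could say what was rejected without echoing it, e.g. `"searchPortal: search string contains disallowed characters"`. The enclosing try block and the searchPortal method start and end outside this hunk.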
@@ -199,7 +234,7 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "searchPortal failed", e);
                        return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, e.getMessage() + " - check logs.",
-                                       new HashMap<String, List<SearchResultItem>>());
+                               new HashMap<>());
                }
        }
 
@@ -258,4 +293,13 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
                }
        }
 
+       private boolean stringIsNotSafeHtml(String string){
+               SecureString secureString = new SecureString(string);
+
+               Validator validator = VALIDATOR_FACTORY.getValidator();
+
+               Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+               return !constraintViolations.isEmpty();
+       }
+
 }
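Review bot: `stringIsNotSafeHtml` fetches a fresh `Validator` from the factory on every call; `Validator` instances are thread-safe and reusable per the Bean Validation specification, so hold one in `private static final Validator VALIDATOR = VALIDATOR_FACTORY.getValidator();` and use it here and in the four handlers above. What the check actually enforces is defined by the constraints on SecureString, a new file not shown in this view; most built-in constraints treat a null value as valid, so if this helper is ever reached with a null string it will presumably report it as safe — add an explicit `string == null` branch that returns whichever answer the policy intends. A javadoc stating the contract, e.g. `/** True when {@code string} violates the constraints declared on {@link SecureString}; null handling follows those constraints. */`, would make the inverted name easier to read at the call sites.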
index 50eaa60..2f956cc 100644 (file)
@@ -39,9 +39,15 @@ package org.onap.portalapp.portal.controller;
 
 import java.util.List;
 
+import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import javax.validation.ConstraintViolation;
+import javax.validation.Valid;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
 import org.onap.portalapp.controller.EPRestrictedBaseController;
 import org.onap.portalapp.portal.domain.MicroserviceData;
 import org.onap.portalapp.portal.domain.WidgetCatalog;
@@ -72,6 +78,7 @@ import org.springframework.web.client.RestTemplate;
 @EnableAspectJAutoProxy
 @EPAuditLog
 public class MicroserviceController extends EPRestrictedBaseController {
+       public static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
        
        String whatService = "widgets-service";
        RestTemplate template = new RestTemplate();
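Review bot: `VALIDATOR_FACTORY` is declared `public static final` here while the equivalent field in AppsControllerExternalRequest and DashboardSearchResultController is `private static final`; nothing in this diff reads it from outside the class, so `private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();` keeps exposure consistent and minimal. If another class (the tests, perhaps) does reference it, a shared holder in the validation package would be preferable to exposing a controller's internals.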
@@ -84,53 +91,68 @@ public class MicroserviceController extends EPRestrictedBaseController {
 
        @RequestMapping(value = { "/portalApi/microservices" }, method = RequestMethod.POST)
        public PortalRestResponse<String> createMicroservice(HttpServletRequest request, HttpServletResponse response,
-                       @RequestBody MicroserviceData newServiceData) throws Exception {
+                       @Valid @RequestBody MicroserviceData newServiceData) throws Exception {
                if (newServiceData == null) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "FAILURE",
-                                       "MicroserviceData cannot be null or empty");
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "FAILURE",
+                               "MicroserviceData cannot be null or empty");
+               }else {
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+
+                       Set<ConstraintViolation<MicroserviceData>> constraintViolations = validator.validate(newServiceData);
+                       if(!constraintViolations.isEmpty()){
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
+                                       "ERROR", "MicroserviceData is not valid");
+                       }
                }
                long serviceId = microserviceService.saveMicroservice(newServiceData);
 
                try {
                        microserviceService.saveServiceParameters(serviceId, newServiceData.getParameterList());
                } catch (Exception e) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "FAILURE", e.getMessage());
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "FAILURE", e.getMessage());
                }
 
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "SUCCESS", "");
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, "SUCCESS", "");
        }
 
        @RequestMapping(value = { "/portalApi/microservices" }, method = RequestMethod.GET)
        public List<MicroserviceData> getMicroservice(HttpServletRequest request, HttpServletResponse response)
                        throws Exception {
-               List<MicroserviceData> list = microserviceService.getMicroserviceData();
-               return list;
+               return microserviceService.getMicroserviceData();
        }
 
        @RequestMapping(value = { "/portalApi/microservices/{serviceId}" }, method = RequestMethod.PUT)
        public PortalRestResponse<String> updateMicroservice(HttpServletRequest request, HttpServletResponse response,
-                       @PathVariable("serviceId") long serviceId, @RequestBody MicroserviceData newServiceData) throws Exception {
+                       @PathVariable("serviceId") long serviceId, @Valid @RequestBody MicroserviceData newServiceData) {
 
                if (newServiceData == null) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "FAILURE",
-                                       "MicroserviceData cannot be null or empty");
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "FAILURE",
+                               "MicroserviceData cannot be null or empty");
+               }else {
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+
+                       Set<ConstraintViolation<MicroserviceData>> constraintViolations = validator.validate(newServiceData);
+                       if(!constraintViolations.isEmpty()){
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
+                                       "ERROR", "MicroserviceData is not valid");
+                       }
                }
                try {
                        microserviceService.updateMicroservice(serviceId, newServiceData);
                } catch (Exception e) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "FAILURE", e.getMessage());
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "FAILURE", e.getMessage());
                }
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "SUCCESS", "");
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, "SUCCESS", "");
        }
        
        @RequestMapping(value = { "/portalApi/microservices/{serviceId}" }, method = RequestMethod.DELETE)
        public PortalRestResponse<String> deleteMicroservice(HttpServletRequest request, HttpServletResponse response,
-                       @PathVariable("serviceId") long serviceId) throws Exception {
+                       @PathVariable("serviceId") long serviceId) {
                try {
                        ParameterizedTypeReference<List<WidgetCatalog>> typeRef = new ParameterizedTypeReference<List<WidgetCatalog>>() {
                        };
                        // If this service is assoicated with widgets, cannnot be deleted
-                       ResponseEntity<List<WidgetCatalog>> ans = (ResponseEntity<List<WidgetCatalog>>) template.exchange(
+                       ResponseEntity<List<WidgetCatalog>> ans = template.exchange(
                                        EcompPortalUtils.widgetMsProtocol() + "://" + consulHealthService.getServiceLocation(whatService, SystemProperties.getProperty("microservices.widget.local.port"))
                                                        + "/widget/microservices/widgetCatalog/service/" + serviceId,
                                        HttpMethod.GET, new HttpEntity(WidgetServiceHeaders.getInstance()), typeRef);
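Review bot: `validator.validate(newServiceData)` covers MicroserviceData's own constrained fields, but the parameters persisted a few lines later via `newServiceData.getParameterList()` are cascaded only if that list field is annotated `@Valid` in MicroserviceData (outside this diff, though MicroserviceParameter.java is in the change set); confirm the cascade, or validate each parameter explicitly before `saveMicroservice` is called. `saveMicroservice` runs before `saveServiceParameters`, so unless the two share a transaction a validation or persistence failure in the second call leaves a service row without its parameters while the client receives an error — pre-existing, but the new early return is the natural place to move all validation ahead of the first write. The same cascade question applies to updateMicroservice. deleteMicroservice's body continues past the hunk.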
@@ -140,17 +162,18 @@ public class MicroserviceController extends EPRestrictedBaseController {
                        else{
                                StringBuilder sb = new StringBuilder();
                                for(int i = 0; i < widgets.size(); i++){
-                                       sb.append("'" + widgets.get(i).getName() + "' ");
+                                       sb.append("'").append(widgets.get(i).getName()).append("' ");
                                        if(i < (widgets.size()-1)){
                                                sb.append(",");
                                        }
                                }
-                               return new PortalRestResponse<String>(PortalRestStatusEnum.WARN, "SOME WIDGETS ASSOICATE WITH THIS SERVICE", sb.toString());
+                               return new PortalRestResponse<>(PortalRestStatusEnum.WARN, "SOME WIDGETS ASSOICATE WITH THIS SERVICE",
+                                       sb.toString());
                        }
                } catch (Exception e) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "FAILURE", e.getMessage());
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "FAILURE", e.getMessage());
                }
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "SUCCESS", "");
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, "SUCCESS", "");
        }
 
 }
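Review bot: The catch block closing deleteMicroservice returns `e.getMessage()` to the caller, and the exception on this path comes from `template.exchange(...)` against a URL assembled from the consul service location and the widget port, so a failure message can carry internal host and port details into the REST response; the updateMicroservice catch above has the same pattern. Log the exception server-side and return a fixed string instead, e.g. `return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "FAILURE", "Unable to delete microservice");`. The user-facing text `"SOME WIDGETS ASSOICATE WITH THIS SERVICE"` was reformatted but keeps its typo; `"ASSOCIATED"` reads as intended.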
index c8e22d3..3fda539 100644 (file)
@@ -50,6 +50,11 @@ import java.util.TreeSet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import javax.validation.ConstraintViolation;
+import javax.validation.Valid;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
 import org.apache.commons.lang.StringUtils;
 import org.json.JSONObject;
 import org.onap.portalapp.controller.EPRestrictedBaseController;
@@ -79,6 +84,7 @@ import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
 import org.onap.portalapp.portal.utils.EcompPortalUtils;
 import org.onap.portalapp.portal.utils.PortalConstants;
 import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.domain.AuditLog;
 import org.onap.portalsdk.core.domain.Role;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
@@ -111,6 +117,8 @@ import com.fasterxml.jackson.databind.type.TypeFactory;
 @EnableAspectJAutoProxy
 @EPAuditLog
 public class RoleManageController extends EPRestrictedBaseController {
+       private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
+
        private static final String PIPE = "|";
 
        private static final String ROLE_INVALID_CHARS = "%=():,\"\"";
@@ -497,8 +505,17 @@ public class RoleManageController extends EPRestrictedBaseController {
        }
 
        @RequestMapping(value = { "/portalApi/role_function_list/saveRoleFunction/{appId}" }, method = RequestMethod.POST)
-       public PortalRestResponse<String> saveRoleFunction(HttpServletRequest request, HttpServletResponse response, @RequestBody CentralV2RoleFunction roleFunc,
+       public PortalRestResponse<String> saveRoleFunction(HttpServletRequest request, HttpServletResponse response, @Valid @RequestBody CentralV2RoleFunction roleFunc,
                        @PathVariable("appId") Long appId) throws Exception {
+               if (roleFunc!=null) {
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<CentralV2RoleFunction>> constraintViolations = validator.validate(roleFunc);
+
+                       if(!constraintViolations.isEmpty()){
+                               logger.error(EELFLoggerDelegate.errorLogger, "saveRoleFunction: Failed");
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Data is not valid", "ERROR");
+                       }
+               }
                EPUser user = EPUserUtils.getUserSession(request);
                boolean saveOrUpdateResponse = false;
                try {
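Review bot: saveRoleFunction now carries `@Valid` on the `@RequestBody` and also validates `roleFunc` by hand through `VALIDATOR_FACTORY`; where Spring MVC has a validator configured, the `@Valid` failure raises MethodArgumentNotValidException before the body runs, so the manual block and its `PortalRestResponse` error path are reached only when MVC validation is not wired, and the two paths produce different error responses for the same bad input. Keep one of the two, and have the retained error log name the failing property rather than a bare "Failed", e.g. `logger.error(EELFLoggerDelegate.errorLogger, "saveRoleFunction: invalid field " + constraintViolations.iterator().next().getPropertyPath());`. The same validate-and-return block is repeated in removeRoleFunction and getCentralizedAppRoles below; a private helper returning the violation set would keep the three in step. The method body continues beyond the hunk.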
@@ -594,6 +611,19 @@ public class RoleManageController extends EPRestrictedBaseController {
        public PortalRestResponse<String> removeRoleFunction(HttpServletRequest request, HttpServletResponse response,
                        @RequestBody String roleFunc, @PathVariable("appId") Long appId) throws Exception {
                EPUser user = EPUserUtils.getUserSession(request);
+
+               if (roleFunc!=null) {
+                       SecureString secureString = new SecureString(roleFunc);
+
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+
+                       if(!constraintViolations.isEmpty()){
+                               logger.error(EELFLoggerDelegate.errorLogger, "removeRoleFunction: Failed");
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Data is not valid", "ERROR");
+                       }
+               }
+
                try {
                        EPApp requestedApp = appService.getApp(appId);
                        if (isAuthorizedUser(user, requestedApp)) {
@@ -656,6 +686,18 @@ public class RoleManageController extends EPRestrictedBaseController {
 
        @RequestMapping(value = { "/portalApi/centralizedApps" }, method = RequestMethod.GET)
        public List<CentralizedApp> getCentralizedAppRoles(HttpServletRequest request, HttpServletResponse response, String userId) throws IOException {
+               if(userId!=null) {
+                       SecureString secureString = new SecureString(userId);
+
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+
+                       if(!constraintViolations.isEmpty()){
+                               logger.error(EELFLoggerDelegate.errorLogger, "removeRoleFunction: Failed");
+                               return null;
+                       }
+               }
+
                EPUser user = EPUserUtils.getUserSession(request);
                List<CentralizedApp> applicationsList = null;
                        if (adminRolesService.isAccountAdmin(user) || adminRolesService.isSuperAdmin(user) || adminRolesService.isRoleAdmin(user)) {
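Review bot: The error log in the new block of getCentralizedAppRoles says `"removeRoleFunction: Failed"`, copied from the method above; it should read `"getCentralizedAppRoles: Failed"` so the failing endpoint can be found in the logs. The early `return null` on a `List<CentralizedApp>` return type hands callers a null where the rest of the method presumably builds a list; returning an empty list keeps callers free of a null check. The method body continues beyond the hunk.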
index b9f6f76..71f7f81 100644 (file)
@@ -47,6 +47,10 @@ import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import javax.validation.ConstraintViolation;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
 import org.onap.portalapp.portal.domain.EPUser;
 import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
 import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
@@ -56,6 +60,7 @@ import org.onap.portalapp.portal.service.UserNotificationService;
 import org.onap.portalapp.portal.transport.EpNotificationItem;
 import org.onap.portalapp.portal.transport.EpRoleNotificationItem;
 import org.onap.portalapp.portal.utils.PortalConstants;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
@@ -80,7 +85,7 @@ import io.swagger.annotations.ApiOperation;
 @EnableAspectJAutoProxy
 @EPAuditLog
 public class TicketEventController implements BasicAuthenticationController {
-
+       private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
 
        @Autowired
        private UserNotificationService userNotificationService;
@@ -105,6 +110,19 @@ public class TicketEventController implements BasicAuthenticationController {
 
                logger.debug(EELFLoggerDelegate.debugLogger, "Ticket Event notification" + ticketEventJson);
                PortalRestResponse<String> portalResponse = new PortalRestResponse<>();
+
+               if (ticketEventJson!=null){
+                       SecureString secureString = new SecureString(ticketEventJson);
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+
+                       Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+                       if (!constraintViolations.isEmpty()){
+                               portalResponse.setStatus(PortalRestStatusEnum.ERROR);
+                               portalResponse.setMessage("Data is not valid");
+                               return portalResponse;
+                       }
+               }
+
                try {
                        JsonNode ticketEventNotif = mapper.readTree(ticketEventJson);
 
index 6cf2ea7..0fe8a35 100644 (file)
@@ -37,6 +37,7 @@
  */
 package org.onap.portalapp.portal.domain;
 
+import org.hibernate.validator.constraints.SafeHtml;
 import org.onap.portalsdk.core.domain.support.DomainVo;
 
 import com.fasterxml.jackson.annotation.JsonBackReference;
@@ -46,10 +47,15 @@ public class AppContactUs extends DomainVo {
        private static final long serialVersionUID = -2742197830465055134L;
 
        @JsonBackReference private EPApp app;
+       @SafeHtml
        private String description;
+       @SafeHtml
        private String contactEmail;
+       @SafeHtml
        private String contactName;
+       @SafeHtml
        private String url;
+       @SafeHtml
        private String activeYN;
 
        public EPApp getApp() {
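Review bot: `@SafeHtml` on `contactEmail` and `url` only rejects markup that fails the Jsoup whitelist; it does not check that the value has the shape of an email address or a URL, so plain text with neither shape still passes. A shape constraint such as `@Email` on `contactEmail` and `@URL` or a `@Pattern` on `url` states the intent more precisely; the same applies to `email` in EPUser and to the `url`, `imageUrl`, `alternateUrl` and `appRestEndpoint` fields in EPApp further down. Note also that `org.hibernate.validator.constraints.SafeHtml` was deprecated in later Hibernate Validator releases and dropped in 7.x, so a replacement will be needed on the next validator upgrade.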
index d2ded5a..a761103 100644 (file)
@@ -39,6 +39,7 @@ package org.onap.portalapp.portal.domain;
 
 import java.io.Serializable;
 
+import org.hibernate.validator.constraints.SafeHtml;
 import org.onap.portalsdk.core.domain.support.DomainVo;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
@@ -50,14 +51,18 @@ public class CentralV2RoleFunction extends DomainVo implements Serializable, Com
         * 
         */
        private static final long serialVersionUID = -4018975640065252688L;
+               @SafeHtml
           private String code;
+               @SafeHtml
           private String name;
           @JsonIgnore
           private Long appId;
           @JsonIgnore
           private Long roleId;
           private String type;
+          @SafeHtml
           private String action;
+          @SafeHtml
           private String editUrl;
           
           
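Review bot: In CentralV2RoleFunction the `type` field is the only String left without `@SafeHtml` while `code`, `name`, `action` and `editUrl` all get it; if that is deliberate it deserves a comment, otherwise `@SafeHtml private String type;` closes the gap, since the object arrives as a `@RequestBody` in saveRoleFunction. The added annotations also mix tab and space indentation (tabs before `code` and `name`, spaces before `action` and `editUrl`) in a class indented with spaces; aligning each annotation with the field it decorates keeps the file consistent.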
index 6e77e74..8227d9a 100644 (file)
@@ -41,7 +41,9 @@ import java.util.Arrays;
 
 import javax.persistence.Lob;
 
+import javax.validation.Valid;
 import org.apache.commons.lang.StringUtils;
+import org.hibernate.validator.constraints.SafeHtml;
 import org.onap.portalsdk.core.domain.support.DomainVo;
 
 /**
@@ -50,29 +52,44 @@ import org.onap.portalsdk.core.domain.support.DomainVo;
 public class EPApp extends DomainVo {
 
        private static final long serialVersionUID = 1L;
-
+       @SafeHtml
        private String name;
+       @SafeHtml
        private String imageUrl;
+       @SafeHtml
        private String description;
+       @SafeHtml
        private String notes;
+       @SafeHtml
        private String url;
+       @SafeHtml
        private String alternateUrl;
+       @SafeHtml
        private String appRestEndpoint;
+       @SafeHtml
        private String mlAppName;
+       @SafeHtml
        private String mlAppAdminId;
        private Long motsId;
+       @SafeHtml
        private String username;
+       @SafeHtml
        private String appPassword;
        @Lob
        private byte[] thumbnail;
        private Boolean open;
        private Boolean enabled;
+       @SafeHtml
        private String uebTopicName;
+       @SafeHtml
        private String uebKey;
+       @SafeHtml
        private String uebSecret;
        private Integer appType;
+       @Valid
        private AppContactUs contactUs;
        private Boolean centralAuth;
+       @SafeHtml
        private String  nameSpace;
 
        public EPApp() {
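Review bot: `appPassword`, `uebKey` and `uebSecret` are now in scope of bean validation, so a `ConstraintViolation` raised on them carries the secret in `getInvalidValue()`; wherever the violation set is logged or echoed in a response, only the property path and message should be emitted, never the invalid value. The same holds for `password` and `username` in MicroserviceData and `loginPwd` in EPUser further down. A short comment on these fields, e.g. `// secret: never log the invalid value of a violation on this field`, would remind the controllers that consume the violations.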
index f9ff97d..55f7e0c 100644 (file)
@@ -41,6 +41,8 @@ import java.util.Iterator;
 import java.util.SortedSet;
 import java.util.TreeSet;
 
+import javax.validation.Valid;
+import org.hibernate.validator.constraints.SafeHtml;
 import org.onap.portalsdk.core.domain.RoleFunction;
 import org.onap.portalsdk.core.domain.support.DomainVo;
 import com.fasterxml.jackson.annotation.JsonIgnore;
@@ -48,6 +50,7 @@ import com.fasterxml.jackson.annotation.JsonIgnore;
 public class EPRole extends DomainVo {
 
        private static final long serialVersionUID = 1L;
+       @SafeHtml
        private String  name;
     private boolean active;
     private Integer priority;
@@ -57,7 +60,7 @@ public class EPRole extends DomainVo {
     private Long appRoleId; // used by ONAP only
 
     private SortedSet<RoleFunction>     roleFunctions = new TreeSet<RoleFunction>();
-    
+    @Valid
     private SortedSet<EPRole> childRoles = new TreeSet<EPRole>();
     
     @JsonIgnore
index ce7495f..dff5601 100644 (file)
@@ -42,6 +42,8 @@ import java.util.Iterator;
 import java.util.SortedSet;
 import java.util.TreeSet;
 
+import javax.validation.Valid;
+import org.hibernate.validator.constraints.SafeHtml;
 import org.onap.portalapp.portal.utils.PortalConstants;
 import org.onap.portalsdk.core.domain.User;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
@@ -52,44 +54,78 @@ public class EPUser extends User {
            
            private Long   orgId;
            private Long   managerId;
+           @SafeHtml
            private String firstName;
+           @SafeHtml
            private String middleInitial;
+           @SafeHtml
            private String lastName;
+           @SafeHtml
            private String phone;
+           @SafeHtml
            private String fax;
+           @SafeHtml
            private String cellular;
+           @SafeHtml
            private String email;
            private Long   addressId;
+           @SafeHtml
            private String alertMethodCd;
+           @SafeHtml
            private String hrid;
+           @SafeHtml
            private String orgUserId;
+           @SafeHtml
            private String orgCode;
+           @SafeHtml
            private String address1;
+           @SafeHtml
            private String address2;
+           @SafeHtml
            private String city;
+           @SafeHtml
            private String state;
+           @SafeHtml
            private String zipCode;
+           @SafeHtml
            private String country;
+           @SafeHtml
            private String orgManagerUserId;
+           @SafeHtml
            private String locationClli;
+           @SafeHtml
            private String businessCountryCode;
+           @SafeHtml
            private String businessCountryName;
+           @SafeHtml
            private String businessUnit;
+           @SafeHtml
            private String businessUnitName;
+           @SafeHtml
            private String department;
+           @SafeHtml
            private String departmentName;
+           @SafeHtml
            private String companyCode;
+           @SafeHtml
            private String company;
+           @SafeHtml
            private String zipCodeSuffix;
+           @SafeHtml
            private String jobTitle;
+           @SafeHtml
            private String commandChain;
+           @SafeHtml
            private String siloStatus;
+           @SafeHtml
            private String costCenter;
+           @SafeHtml
            private String financialLocCode;
            
            
-         
+           @SafeHtml
            private String loginId;
+           @SafeHtml
            private String loginPwd;
            private Date   lastLoginDate;
            private boolean active;
@@ -97,6 +133,7 @@ public class EPUser extends User {
            private Long    selectedProfileId;
            private Long timeZoneId;
            private boolean online;
+           @SafeHtml
            private String chatId;
            private Integer languageId;
            private static final long serialVersionUID = 1L;
@@ -104,8 +141,9 @@ public class EPUser extends User {
            private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(EPUser.class);
                private static final String ECOMP_PORTAL_NAME = "ECOMP";
                private boolean isGuest = false;
-               
+               @Valid
                private SortedSet<EPUserApp> userApps = new TreeSet<EPUserApp>();
+               @Valid
                private SortedSet<EPRole> pseudoRoles = new TreeSet<EPRole>();
 
            public EPUser() {}
index 3470a9e..424a915 100644 (file)
@@ -37,6 +37,7 @@
  */
 package org.onap.portalapp.portal.domain;
 
+import javax.validation.Valid;
 import org.onap.portalsdk.core.domain.support.DomainVo;
 
 @SuppressWarnings("rawtypes")
@@ -45,7 +46,9 @@ public class EPUserApp extends DomainVo implements java.io.Serializable, Compara
        private static final long serialVersionUID = 1L;
        
        private Long userId;
+       @Valid
        private EPApp app;
+       @Valid
        private EPRole role;
        private Integer priority;
        
index 5b5e37c..9900827 100644 (file)
 package org.onap.portalapp.portal.domain;
 
 import java.util.List;
-
 import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.GeneratedValue;
 import javax.persistence.GenerationType;
 import javax.persistence.Id;
 import javax.persistence.Transient;
+import javax.validation.constraints.DecimalMax;
+import javax.validation.constraints.Digits;
+import javax.validation.constraints.Max;
+import javax.validation.constraints.NotNull;
+import lombok.AllArgsConstructor;
+import lombok.NoArgsConstructor;
+import org.hibernate.validator.constraints.SafeHtml;
+
 /***
  * 
  * This class is almost identical to org.onap.portalapp.portal.transport.FunctionalMenuItem
@@ -55,27 +62,42 @@ import javax.persistence.Transient;
  *
  */
 @Entity
+@NoArgsConstructor
+@AllArgsConstructor
 public class FunctionalMenuItemWithAppID{
        private static final long serialVersionUID = 1L;
 
        @Id
     @GeneratedValue(strategy=GenerationType.IDENTITY)
        @Column(name = "MENU_ID")
+       @Digits(integer = 11, fraction = 0)
        public Long menuId;
        
        @Column(name = "COLUMN_NUM")
+       @Digits(integer = 2, fraction = 0)
+       @NotNull
        public Integer column;
        
        @Column(name = "TEXT")
+       @Max(value = 100)
+       @SafeHtml
+       @NotNull
        public String text;
        
        @Column(name = "PARENT_MENU_ID")
+       @Digits(integer = 11, fraction = 0)
        public Integer parentMenuId;
        
        @Column(name = "URL")
+       @Max(value = 128)
+       @SafeHtml
+       @NotNull
        public String url;
        
        @Column(name="ACTIVE_YN")
+       @Max(value = 1)
+       @SafeHtml
+       @NotNull
        public String active_yn;
 
        @Column(name="APP_ID")
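Review bot: `@Max(value = 100)`, `@Max(value = 128)` and `@Max(value = 1)` are placed on the String fields `text`, `url` and `active_yn`, but `@Max` is defined for numeric types only, so Hibernate Validator throws an UnexpectedTypeException (no validator for constraint Max on java.lang.String) the first time a FunctionalMenuItemWithAppID is validated, instead of bounding the length. The intended constraints are `@Size(max = 100)`, `@Size(max = 128)` and `@Size(max = 1)` from `javax.validation.constraints.Size`, which needs an import next to the other constraint imports. If `active_yn` only ever holds Y or N, `@Pattern(regexp = "[YN]")` would say so, though the page does not show what the column accepts. The new `@NotNull` on `column`, `text` and `url` also overlaps with `normalize()` in the next hunk, which still substitutes defaults for exactly those nulls; whichever runs first makes the other dead code, so either drop the defaults or the `@NotNull`, and say which in a comment.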
@@ -89,10 +111,10 @@ public class FunctionalMenuItemWithAppID{
        
        public void normalize() {
                if (this.column == null)
-                       this.column = new Integer(1);
+                       this.column = 1;
                this.text = (this.text == null) ? "" : this.text.trim();
                if (this.parentMenuId == null)
-                       this.parentMenuId = new Integer(-1);
+                       this.parentMenuId = -1;
                this.url = (this.url == null) ? "" : this.url.trim();
        }
 
index f62b892..b8f79d0 100644 (file)
@@ -44,6 +44,8 @@ import javax.persistence.GeneratedValue;
 import javax.persistence.GenerationType;
 import javax.persistence.Id;
 
+import javax.validation.Valid;
+import org.hibernate.validator.constraints.SafeHtml;
 import org.onap.portalsdk.core.domain.support.DomainVo;
 
 public class MicroserviceData extends DomainVo {
@@ -55,23 +57,23 @@ public class MicroserviceData extends DomainVo {
        }
 
        private Long id;
-
+       @SafeHtml
        private String name;
-
+       @SafeHtml
        private String active;
-
+       @SafeHtml
        private String desc;
 
        private long appId;
-
+       @SafeHtml
        private String url;
-
+       @SafeHtml
        private String securityType;
-
+       @SafeHtml
        private String username;
-
+       @SafeHtml
        private String password;
-
+       @Valid
        private List<MicroserviceParameter> parameterList;
 
        public Long getId() {
index 0c64571..848c6a2 100644 (file)
@@ -37,6 +37,7 @@
  */
 package org.onap.portalapp.portal.domain;
 
+import org.hibernate.validator.constraints.SafeHtml;
 import org.onap.portalsdk.core.domain.support.DomainVo;
 
 public class MicroserviceParameter extends DomainVo {
@@ -50,9 +51,9 @@ public class MicroserviceParameter extends DomainVo {
        private Long id;
 
        private long serviceId;
-
+       @SafeHtml
        private String para_key;
-
+       @SafeHtml
        private String para_value;
 
        public Long getId() {
index d4ca545..cf3e06b 100644 (file)
@@ -39,90 +39,21 @@ package org.onap.portalapp.portal.domain;
 
 import java.io.Serializable;
 import java.util.Set;
+import lombok.Getter;
+import lombok.Setter;
 
-import javax.persistence.CascadeType;
-import javax.persistence.Column;
-import javax.persistence.FetchType;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.JoinColumn;
-import javax.persistence.ManyToMany;
-import javax.persistence.ManyToOne;
-
-import com.fasterxml.jackson.annotation.JsonIgnore;
-
-//@Entity
-//@Table(name = "FN_ROLE")
+@Getter
+@Setter
 public class RoleApp implements Serializable{
        private static final long serialVersionUID = 1L;
 
-       //@Id
-       //@Column(name = "ROLE_ID")
-       //@GeneratedValue(strategy=GenerationType.AUTO)
        private Long roleId;
-       
-       
-       //@Column(name = "ROLE_Name")
-       private String roleName;
-       
-       //@ManyToOne(fetch = FetchType.EAGER)
-       //@JoinColumn(name="APP_ID")
-       private App app;
-       
-       //@JsonIgnore
-       //@ManyToMany(fetch = FetchType.EAGER, cascade = {CascadeType.MERGE, CascadeType.PERSIST, CascadeType.REFRESH}, mappedBy="widgetRoles")
-       private Set<WidgetCatalog> widgets;
-
-       /*@PreRemove
-       private void removeGroupsFromUsers() {
-           for (WidgetCatalog w : widgets) {
-               w.getWidgetRoles().remove(this);
-           }
-       }*/
-       
-       /*@ManyToOne
-       @JoinColumn(name = "WIDGET_ID", nullable = false)
-       WidgetCatalog widgetCatalog;*/
-
-       //@JsonIgnore
-       //@ManyToMany(mappedBy = "widgetRoles")
-       //@ManyToMany(fetch = FetchType.EAGER, mappedBy = "widgetRoles")
-       //private Set<WidgetCatalog> widgets  = new HashSet<WidgetCatalog>();
-       
-       public Long getRoleId() {
-               return roleId;
-       }
-
-       public void setRoleId(Long roleId) {
-               this.roleId = roleId;
-       }
-
-       public String getRoleName() {
-               return roleName;
-       }
-
-       public void setRoleName(String roleName) {
-               this.roleName = roleName;
-       }
-
-       public App getApp() {
-               return app;
-       }
 
-       public void setApp(App app) {
-               this.app = app;
-       }
-       
-       
+       private String roleName;
 
-       public Set<WidgetCatalog> getWidgets() {
-               return widgets;
-       }
+       private App app;
 
-       public void setWidgets(Set<WidgetCatalog> widgets) {
-               this.widgets = widgets;
-       }
+       private Set<WidgetCatalog> widgets;
 
        @Override
        public String toString() {
index e90aeb7..2bb5ecd 100644 (file)
@@ -42,8 +42,6 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
-import javax.crypto.BadPaddingException;
-
 import org.hibernate.criterion.Criterion;
 import org.hibernate.criterion.Restrictions;
 import org.onap.portalapp.portal.domain.MicroserviceData;
@@ -75,9 +73,8 @@ public class MicroserviceServiceImpl implements MicroserviceService {
                return newService.getId();
        }
 
-       public void saveServiceParameters(long serviceId, List<MicroserviceParameter> list) throws Exception {
-               for (int i = 0; i < list.size(); i++) {
-                       MicroserviceParameter para = list.get(i);
+       public void saveServiceParameters(long serviceId, List<MicroserviceParameter> list) {
+               for (MicroserviceParameter para : list) {
                        para.setServiceId(serviceId);
                        getDataAccessService().saveDomainObject(para, null);
                }
@@ -85,9 +82,9 @@ public class MicroserviceServiceImpl implements MicroserviceService {
 
        @Override
        public MicroserviceData getMicroserviceDataById(long id) {
-               MicroserviceData data = null;
+               MicroserviceData data;
                try {
-                       List<Criterion> restrictionsList = new ArrayList<Criterion>();
+                       List<Criterion> restrictionsList = new ArrayList<>();
                        Criterion idCriterion = Restrictions.eq("id", id);
                        restrictionsList.add(idCriterion);
                        data = (MicroserviceData) dataAccessService.getList(MicroserviceData.class, null, restrictionsList, null).get(0);
@@ -102,34 +99,35 @@ public class MicroserviceServiceImpl implements MicroserviceService {
 
        @SuppressWarnings("unchecked")
        @Override
-       public List<MicroserviceData> getMicroserviceData() throws Exception {
+       public List<MicroserviceData> getMicroserviceData() {
                List<MicroserviceData> list = (List<MicroserviceData>) dataAccessService.getList(MicroserviceData.class, null);
-               for (int i = 0; i < list.size(); i++) {
-                       if (list.get(i).getPassword() != null)
-                               list.get(i).setPassword(EPCommonSystemProperties.APP_DISPLAY_PASSWORD);  //to hide password from get request
-                       list.get(i).setParameterList(getServiceParameters(list.get(i).getId()));
+               for (MicroserviceData microserviceData : list) {
+                       if (microserviceData.getPassword() != null) {
+                               microserviceData
+                                       .setPassword(EPCommonSystemProperties.APP_DISPLAY_PASSWORD);  //to hide password from get request
+                       }
+                       microserviceData.setParameterList(getServiceParameters(microserviceData.getId()));
                }
                return list;
        }
 
        private List<MicroserviceParameter> getServiceParameters(long serviceId) {
-               List<MicroserviceParameter> list = getMicroServiceParametersList(serviceId);
-               return list;
+               return getMicroServiceParametersList(serviceId);
        }
 
        @SuppressWarnings("unchecked")
        private List<MicroserviceParameter> getMicroServiceParametersList(long serviceId) {
-               List<Criterion> restrictionsList = new ArrayList<Criterion>();
+               List<Criterion> restrictionsList = new ArrayList<>();
                Criterion serviceIdCriterion = Restrictions.eq("serviceId", serviceId);
                restrictionsList.add(serviceIdCriterion);
                return (List<MicroserviceParameter>) dataAccessService.getList(MicroserviceParameter.class, null, restrictionsList, null);
        }
 
        @Override
-       public void deleteMicroservice(long serviceId) throws Exception {
+       public void deleteMicroservice(long serviceId) {
 
                try {
-                       Map<String, String> params = new HashMap<String, String>();
+                       Map<String, String> params = new HashMap<>();
                        params.put("serviceId", Long.toString(serviceId));
 
                        dataAccessService.executeNamedQuery("deleteMicroserviceParameter", params, null);
@@ -156,17 +154,16 @@ public class MicroserviceServiceImpl implements MicroserviceService {
                        getDataAccessService().saveDomainObject(newService, null);
                        List<MicroserviceParameter> oldService = getServiceParameters(serviceId);
                        boolean foundParam;
-                       for (int i = 0; i < oldService.size(); i++) {
+                       for (MicroserviceParameter microserviceParameter : oldService) {
                                foundParam = false;
                                for (int n = 0; n < newService.getParameterList().size(); n++) {
-                                       if (newService.getParameterList().get(n).getId().equals(oldService.get(i).getId())) {
+                                       if (newService.getParameterList().get(n).getId().equals(microserviceParameter.getId())) {
                                                foundParam = true;
                                                break;
                                        }
                                }
-                               if (foundParam == false) {
-                                       MicroserviceParameter pd = oldService.get(i);
-                                       getDataAccessService().deleteDomainObject(pd, null);
+                               if (!foundParam) {
+                                       getDataAccessService().deleteDomainObject(microserviceParameter, null);
                                }
                        }
                        for (int i = 0; i < newService.getParameterList().size(); i++) {
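Review bot: The rewritten comparison `newService.getParameterList().get(n).getId().equals(microserviceParameter.getId())` dereferences the id of the incoming parameter, which can be null for a parameter that is being added in this update and has not been persisted yet, so an update that adds a parameter while older ones exist would throw a NullPointerException inside the loop. The old parameter comes from the database and always has an id, so flipping the call, `if (microserviceParameter.getId().equals(newService.getParameterList().get(n).getId())) {`, is null-safe without a new import. The enclosing update method starts before the hunk and ends after it.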
@@ -184,7 +181,7 @@ public class MicroserviceServiceImpl implements MicroserviceService {
        @Override
        @SuppressWarnings("unchecked")
        public List<MicroserviceParameter> getParametersById(long serviceId) {
-               List<Criterion> restrictionsList = new ArrayList<Criterion>();
+               List<Criterion> restrictionsList = new ArrayList<>();
                Criterion contextIdCrit = Restrictions.eq("serviceId", serviceId);
                restrictionsList.add(contextIdCrit);
                List<MicroserviceParameter> list = (List<MicroserviceParameter>) dataAccessService
@@ -196,7 +193,7 @@ public class MicroserviceServiceImpl implements MicroserviceService {
 
        private String decryptedPassword(String encryptedPwd) throws Exception {
                String result = "";
-               if (encryptedPwd != null & encryptedPwd.length() > 0) {
+               if (encryptedPwd != null && !encryptedPwd.isEmpty()) {
                        try {
                                result = CipherUtil.decryptPKC(encryptedPwd,
                                                SystemProperties.getProperty(SystemProperties.Decryption_Key));
@@ -210,7 +207,7 @@ public class MicroserviceServiceImpl implements MicroserviceService {
 
        private String encryptedPassword(String decryptedPwd) throws Exception {
                String result = "";
-               if (decryptedPwd != null & decryptedPwd.length() > 0) {
+               if (decryptedPwd != null && !decryptedPwd.isEmpty()) {
                        try {
                                result = CipherUtil.encryptPKC(decryptedPwd,
                                                SystemProperties.getProperty(SystemProperties.Decryption_Key));
index 5d9761c..aaaf91b 100644 (file)
@@ -176,10 +176,10 @@ public class UserRolesCommonServiceImpl  {
         * 
         * @param userId
         */
-       protected void createLocalUserIfNecessary(String userId) {
+       protected boolean createLocalUserIfNecessary(String userId) {
                if (StringUtils.isEmpty(userId)) {
                        logger.error(EELFLoggerDelegate.errorLogger, "createLocalUserIfNecessary : empty userId!");
-                       return;
+                       return false;
                }
                Session localSession = null;
                Transaction transaction = null;
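Review bot: The Javadoc above the new `boolean` signature still documents only `@param userId` and says nothing about the return value that callers are now expected to branch on. Add `@return true when the local user was found or created and the transaction committed; false on an empty userId or when persistence failed`, which matches the `return` statements added further down in this method. The method body continues past this hunk.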
@@ -188,7 +188,10 @@ public class UserRolesCommonServiceImpl  {
                        transaction = localSession.beginTransaction();
                        @SuppressWarnings("unchecked")
                        List<EPUser> userList = localSession
-                                       .createQuery("from " + EPUser.class.getName() + " where orgUserId='" + userId + "'").list();
+                                       .createQuery("from :name where orgUserId=:userId")
+                                       .setParameter("name",EPUser.class.getName())
+                                       .setParameter("userId",userId)
+                                       .list();
                        if (userList.size() == 0) {
                                EPUser client = searchService.searchUserByUserId(userId);
                                if (client == null) {
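Review bot: `from :name` in the new createQuery call is not valid HQL — bind parameters may only stand where a value may appear, not as the entity name in the from clause — so the query would be expected to fail at parse time, fall into the `catch (Exception e)` below and make the method return false on every call. The entity name is a compile-time constant, so it can stay concatenated while only the user-supplied id is bound: `.createQuery("from " + EPUser.class.getName() + " where orgUserId=:userId").setParameter("userId", userId).list();`. Binding `userId` is the right replacement for the previous string-built query; only the entity-name parameter needs to go. The enclosing method begins before and continues after this hunk.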
@@ -202,9 +205,11 @@ public class UserRolesCommonServiceImpl  {
                                }
                        }
                        transaction.commit();
+                       return true;
                } catch (Exception e) {
                        EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e);
                        EcompPortalUtils.rollbackTransaction(transaction, "searchOrCreateUser rollback, exception = " + e);
+                       return false;
                } finally {
                        EcompPortalUtils.closeLocalSession(localSession, "searchOrCreateUser");
                }
index 2ada8ed..17007a5 100644 (file)
@@ -38,6 +38,7 @@
 package org.onap.portalapp.portal.transport;
 
 import java.io.Serializable;
+import java.util.Objects;
 
 @SuppressWarnings("rawtypes")
 public class CentralV2UserApp implements Serializable, Comparable{
@@ -99,7 +100,20 @@ public class CentralV2UserApp implements Serializable, Comparable{
                this.priority = priority;
        }
 
-
+       @Override
+       public boolean equals(Object other) {
+               if (this == other) {
+                       return true;
+               }
+               if (!(other instanceof CentralV2UserApp)) {
+                       return false;
+               }
+               CentralV2UserApp castOther = (CentralV2UserApp) other;
+               return Objects.equals(this.userId, castOther.userId) &&
+                       Objects.equals(this.app, castOther.app) &&
+                       Objects.equals(this.role, castOther.role) &&
+                       Objects.equals(this.priority, castOther.priority);
+       }
 
        public int compareTo(Object other){
            CentralV2UserApp castOther = (CentralV2UserApp) other;
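Review bot: `equals` is added without a matching `hashCode`, so two instances that this method reports equal can land in different HashMap/HashSet buckets and break those collections' contracts. Add in the same class `@Override public int hashCode() { return Objects.hash(userId, app, role, priority); }` over the same four fields. `compareTo`, which starts at the end of this hunk, should also agree with `equals` for the class to be safe in sorted collections; worth checking it compares on the same fields.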
index ec27d98..3fbdc3e 100644 (file)
@@ -44,6 +44,7 @@ import javax.persistence.GenerationType;
 import javax.persistence.Id;
 import javax.persistence.Table;
 
+import org.hibernate.validator.constraints.SafeHtml;
 import org.onap.portalsdk.core.domain.support.DomainVo;
 import com.fasterxml.jackson.annotation.JsonInclude;
 
@@ -63,28 +64,33 @@ public class CommonWidget extends DomainVo{
        private Long id;
 
        @Column(name = "category")
+       @SafeHtml
        public String category;
        
        @Column(name = "href")
+       @SafeHtml
        public String href;
 
        @Column(name = "title")
+       @SafeHtml
        public String title;
        
        @Column(name = "content")
+       @SafeHtml
        public String content;
 
        @Column(name = "event_date")
+       @SafeHtml
        public String eventDate;
        
        @Column(name = "sort_order")
        public Integer sortOrder;
 
-       
+
        public CommonWidget(){
-               
+
        }
-       
+
        public CommonWidget(String category, String href, String title, String content, String eventDate, Integer sortOrder){
                this.category = category;
                this.href = href;
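Review bot: `@SafeHtml` on `href` only rejects disallowed HTML markup; a value with no tags at all, such as a `javascript:` URI, passes it unchanged, so the annotation does not make the field safe to emit as a link target. If `href` is rendered into an attribute it needs a URL check with an explicit scheme allowlist (http/https) in addition to `@SafeHtml`; the same applies to `url`, `restUrl`, `alternateUrl`, `imageUrl` and `imageLink` in the OnboardingApp hunks below. Note also that these annotations are inert unless the receiving controller actually runs the validator over the object; that call is outside this hunk.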
index 55dfc91..51a0265 100644 (file)
 package org.onap.portalapp.portal.transport;
 
 import java.util.List;
+import javax.validation.Valid;
+import org.hibernate.validator.constraints.SafeHtml;
 
 public class CommonWidgetMeta {
-       
+       @SafeHtml
        private String category;
+       @Valid
        private List<CommonWidget> items;
-       
-       public CommonWidgetMeta(){      
-               
+
+       public CommonWidgetMeta(){
+
        }
 
        public CommonWidgetMeta(String category, List<CommonWidget> items){
index 06acdb7..14ad2f4 100644 (file)
@@ -47,37 +47,62 @@ import javax.persistence.GenerationType;
 import javax.persistence.Id;
 import javax.persistence.Table;
 import javax.persistence.Transient;
+import javax.validation.constraints.Digits;
+import javax.validation.constraints.Max;
+import javax.validation.constraints.NotNull;
+import lombok.AllArgsConstructor;
+import lombok.NoArgsConstructor;
+import org.hibernate.validator.constraints.SafeHtml;
 
 @Entity
 @Table(name="fn_menu_functional")
+@NoArgsConstructor
+@AllArgsConstructor
 public class FunctionalMenuItem implements Serializable {
-       public FunctionalMenuItem(){};
-       
        private static final long serialVersionUID = 1L;
 
        @Id
-    @GeneratedValue(strategy=GenerationType.IDENTITY)
+       @GeneratedValue(strategy=GenerationType.IDENTITY)
        @Column(name = "MENU_ID")
+       @Digits(integer = 11, fraction = 0)
        public Long menuId;
-       
+
        @Column(name = "COLUMN_NUM")
+       @Digits(integer = 2, fraction = 0)
+       @NotNull
        public Integer column;
-       
+
        @Column(name = "TEXT")
+       @Max(value = 100)
+       @SafeHtml
+       @NotNull
        public String text;
-       
+
        @Column(name = "PARENT_MENU_ID")
+       @Digits(integer = 11, fraction = 0)
        public Integer parentMenuId;
-       
+
        @Column(name = "URL")
+       @Max(value = 128)
+       @SafeHtml
+       @NotNull
        public String url;
-       
+
        @Column(name="ACTIVE_YN")
+       @Max(value = 1)
+       @SafeHtml
+       @NotNull
        public String active_yn;
 
        @Transient
        public Integer appid;
        
+       @Transient
+       private List<Integer> roles;
+
+       @Transient
+       public Boolean restrictedApp;
+
        public List<Integer> getRoles() {
                return roles;
        }
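Review bot: `@Max(value = 100)` on the String field `text` — and likewise `@Max(value = 128)` on `url` and `@Max(value = 1)` on `active_yn` — is a type mismatch: `@Max` is defined for numeric types, so the validator has no ConstraintValidator for String and validating a FunctionalMenuItem would fail with an UnexpectedTypeException instead of checking length. The length bound is `@Size(max = 100)` (and `@Size(max = 128)`, `@Size(max = 1)`) from `javax.validation.constraints.Size`. The `@Digits` constraints on the numeric id fields are fine as written.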
@@ -86,18 +111,12 @@ public class FunctionalMenuItem implements Serializable {
                this.roles = roles;
        }
 
-       @Transient
-       private List<Integer> roles;
-       
-       @Transient
-       public Boolean restrictedApp;
-       
        public void normalize() {
                if (this.column == null)
-                       this.column = new Integer(1);
+                       this.column = 1;
                this.text = (this.text == null) ? "" : this.text.trim();
                if (this.parentMenuId == null)
-                       this.parentMenuId = new Integer(-1);
+                       this.parentMenuId = -1;
                this.url = (this.url == null) ? "" : this.url.trim();
        }
 
index f2503b4..37ad5ad 100644 (file)
@@ -37,6 +37,8 @@
  */
 package org.onap.portalapp.portal.transport;
 
+import org.hibernate.validator.constraints.SafeHtml;
+
 /**
  * Model of rows in the fn_app table; serialized as a message add or update an
  * on-boarded application.
@@ -44,21 +46,21 @@ package org.onap.portalapp.portal.transport;
 public class OnboardingApp {
 
        public Long id;
-
+       @SafeHtml
        public String name;
-
+       @SafeHtml
        public String imageUrl;
-
+       @SafeHtml
        public String imageLink;
-
+       @SafeHtml
        public String description;
-
+       @SafeHtml
        public String notes;
-
+       @SafeHtml
        public String url;
-
+       @SafeHtml
        public String alternateUrl;
-
+       @SafeHtml
        public String restUrl;
 
        public Boolean isOpen;
@@ -66,27 +68,27 @@ public class OnboardingApp {
        public Boolean isEnabled;
 
        public Long motsId;
-
+       @SafeHtml
        public String myLoginsAppName;
-
+       @SafeHtml
        public String myLoginsAppOwner;
-
+       @SafeHtml
        public String username;
-
+       @SafeHtml
        public String appPassword;
-
+       @SafeHtml
        public String thumbnail;
-
+       @SafeHtml
        public String uebTopicName;
-
+       @SafeHtml
        public String uebKey;
-
+       @SafeHtml
        public String uebSecret;
 
        public Boolean restrictedApp;
        
        public Boolean isCentralAuth;
-       
+       @SafeHtml
        public String nameSpace;
 
        /**
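Review bot: `@SafeHtml` on `appPassword` and `uebSecret` applies an HTML-markup whitelist to values that are never rendered, so any secret containing `<` is rejected at the boundary while the check says nothing useful about the values these fields actually carry. If the concern is reflected output, that belongs where the value is rendered; for the fields themselves a length bound such as `@Size(max = …)` is the more appropriate constraint. This is separate from the URL-scheme point on the other OnboardingApp fields raised at the CommonWidget hunk above.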
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java
new file mode 100644 (file)
index 0000000..46a60c8
--- /dev/null
@@ -0,0 +1,63 @@
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ *
+ */
+
+package org.onap.portalapp.validation;
+
+import java.util.Set;
+import javax.validation.ConstraintViolation;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
+import org.springframework.stereotype.Component;
+
+@Component
+public class DataValidator {
+       private static final ValidatorFactory VALIDATOR_FACTORY  = Validation.buildDefaultValidatorFactory();
+
+       public <E> Set<ConstraintViolation<E>> getConstraintViolations(E classToValid){
+              Validator validator = VALIDATOR_FACTORY.getValidator();
+              Set<ConstraintViolation<E>> constraintViolations = validator.validate(classToValid);
+              return constraintViolations;
+       }
+
+       public <E> boolean isValid(E classToValid){
+              Set<ConstraintViolation<E>> constraintViolations = getConstraintViolations(classToValid);
+              return constraintViolations.isEmpty();
+       }
+
+}
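Review bot: `getConstraintViolations` and `isValid` each bind a local only to return it on the next line, and neither carries Javadoc; `isValid` reads as `return getConstraintViolations(classToValid).isEmpty();` and the first as `return VALIDATOR_FACTORY.getValidator().validate(classToValid);`. A class comment stating that the factory is built once per JVM and that validation is driven purely by the constraint annotations on the passed object (cascading into nested objects only through `@Valid`) would tell callers what `isValid` does and does not cover. The parameter name `classToValid` is misleading since an instance, not a class, is validated; `object` or `bean` reads better.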
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/SecureString.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/SecureString.java
new file mode 100644 (file)
index 0000000..2afbdda
--- /dev/null
@@ -0,0 +1,55 @@
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ *
+ */
+
+package org.onap.portalapp.validation;
+
+import org.hibernate.validator.constraints.SafeHtml;
+
+public class SecureString {
+
+       @SafeHtml
+       private String data;
+
+       public SecureString(String string) {
+              this.data = string;
+       }
+
+       public String getString() {
+              return data;
+       }
+}
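Review bot: `SecureString` has no Javadoc and the name overstates what it provides — it is a plain holder whose only role is to let a bare String be run through `@SafeHtml` validation; it does nothing about secret handling (no zeroing, no redaction). Suggested class comment: `/** Wraps a request string so it can be checked with DataValidator; the @SafeHtml constraint is the only thing it adds and it provides no confidentiality. */`. `data` is assigned once and can be declared `private final String data;`.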
index 847d474..9d3c778 100644 (file)
@@ -132,6 +132,24 @@ public class AppsControllerExternalRequestTest extends MockitoTestSuite {
                assertEquals(actualPortalRestResponse, expectedportalRestResponse);
        }
 
+       @Test
+       public void postPortalAdminXSSTest() {
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+               expectedportalRestResponse.setMessage("Data is not valid");
+               expectedportalRestResponse.setResponse(null);
+               PortalRestStatusEnum portalRestStatusEnum = null;
+               expectedportalRestResponse.setStatus(portalRestStatusEnum.ERROR);
+               EPUser user = mockUser.mockEPUser();
+               user.setEmail("“><script>alert(“XSS”)</script>");
+               user.setLoginPwd("pwd");
+               user.setLoginId("Test");
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               Mockito.when(userService.getUserByUserId(user.getOrgUserId())).thenThrow(nullPointerException);
+               PortalRestResponse<String> actualPortalRestResponse = appsControllerExternalRequest
+                       .postPortalAdmin(mockedRequest, mockedResponse, user);
+               assertEquals(expectedportalRestResponse, actualPortalRestResponse);
+       }
+
        @Test
        public void postPortalAdminCreateUserIfNotFoundTest() throws Exception {
                PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
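Review bot: `PortalRestStatusEnum portalRestStatusEnum = null;` followed by `portalRestStatusEnum.ERROR` reaches a static enum constant through a null reference; it compiles and runs, but reads like an NPE and trips static analysis. Use `expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR);` and drop the local. The same pattern appears in postOnboardAppExternalXSSTest and putOnboardAppExternalXSSTest in the next two hunks, which also carry a stray `;;` after `new OnboardingApp()` and an `expectedList` that is built but never used.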
@@ -276,6 +294,36 @@ public class AppsControllerExternalRequestTest extends MockitoTestSuite {
 
        }
 
+       @Test
+       public void postOnboardAppExternalXSSTest() {
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+               expectedportalRestResponse.setMessage(
+                       "Data is not valid");
+               expectedportalRestResponse.setResponse(null);
+               PortalRestStatusEnum portalRestStatusEnum = null;
+               expectedportalRestResponse.setStatus(portalRestStatusEnum.ERROR);
+
+               OnboardingApp expectedOnboardingApp = new OnboardingApp();;
+               expectedOnboardingApp.name = "test";
+               expectedOnboardingApp.url="test.com";
+               expectedOnboardingApp.restUrl="<script>alert(/XSS”)</script>";
+               expectedOnboardingApp.myLoginsAppOwner="testUser";
+               expectedOnboardingApp.restrictedApp=false;
+               expectedOnboardingApp.isOpen=true;
+               expectedOnboardingApp.isEnabled=true;
+               EPUser user = mockUser.mockEPUser();
+               user.setEmail("guestT@test.portal.onap.org");
+               user.setLoginPwd("pwd");
+               user.setLoginId("Test");
+               List<EPUser> expectedList = new ArrayList<EPUser>();
+               expectedList.add(user);
+
+               PortalRestResponse<String> actualPortalRestResponse = appsControllerExternalRequest
+                       .postOnboardAppExternal(mockedRequest, mockedResponse, expectedOnboardingApp);
+               assertEquals(expectedportalRestResponse, actualPortalRestResponse);
+
+       }
+
        @Test
        public void putOnboardAppExternalifAppNullTest() {
                PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
@@ -292,6 +340,38 @@ public class AppsControllerExternalRequestTest extends MockitoTestSuite {
                assertEquals(actualPortalRestResponse, expectedportalRestResponse);
        }
 
+       @Test
+       public void putOnboardAppExternalXSSTest() {
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+               expectedportalRestResponse.setMessage(
+                       "Data is not valid");
+               expectedportalRestResponse.setResponse(null);
+               PortalRestStatusEnum portalRestStatusEnum = null;
+               expectedportalRestResponse.setStatus(portalRestStatusEnum.ERROR);
+
+               OnboardingApp expectedOnboardingApp = new OnboardingApp();;
+               expectedOnboardingApp.name = "test";
+               expectedOnboardingApp.url="test.com";
+               expectedOnboardingApp.restUrl="<script>alert(/XSS”)</script>";
+               expectedOnboardingApp.myLoginsAppOwner="testUser";
+               expectedOnboardingApp.restrictedApp=false;
+               expectedOnboardingApp.isOpen=true;
+               expectedOnboardingApp.isEnabled=true;
+               EPUser user = mockUser.mockEPUser();
+               user.setEmail("guestT@test.portal.onap.org");
+               user.setLoginPwd("pwd");
+               user.setLoginId("Test");
+               List<EPUser> expectedList = new ArrayList<EPUser>();
+               expectedList.add(user);
+
+               Long appId = (long) 1;
+
+               PortalRestResponse<String> actualPortalRestResponse = appsControllerExternalRequest
+                       .putOnboardAppExternal(mockedRequest, mockedResponse, appId, expectedOnboardingApp);
+               assertEquals(expectedportalRestResponse, actualPortalRestResponse);
+
+       }
+
        @Test
        public void putOnboardAppExternalIfOnboardingAppDetailsNullTest() {
                PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
index 839b9fd..3466785 100644 (file)
@@ -93,7 +93,7 @@ public class DashboardSearchResultControllerTest {
        @Test
        public void getWidgetDataTest() {
                String resourceType = "test";
-               PortalRestResponse<CommonWidgetMeta> ecpectedPortalRestResponse = new PortalRestResponse<CommonWidgetMeta>();
+               PortalRestResponse<CommonWidgetMeta> ecpectedPortalRestResponse = new PortalRestResponse<>();
                ecpectedPortalRestResponse.setMessage("success");
                ecpectedPortalRestResponse.setResponse(null);
                ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.OK);
@@ -104,9 +104,22 @@ public class DashboardSearchResultControllerTest {
 
        }
 
+       @Test
+       public void getWidgetDataXSSTest() {
+               String resourceType = "\"<IMG SRC=\\\"jav\\tascript:alert('XSS');\\\">\"";
+               PortalRestResponse expectedPortalRestResponse = new PortalRestResponse<>();
+               expectedPortalRestResponse.setMessage("resourceType: String string is not valid");
+               expectedPortalRestResponse.setResponse("");
+               expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+               Mockito.when(searchService.getWidgetData(resourceType)).thenReturn(null);
+               PortalRestResponse acutualPoratlRestResponse = dashboardSearchResultController
+                       .getWidgetData(mockedRequest, resourceType);
+               assertEquals(expectedPortalRestResponse,acutualPoratlRestResponse);
+       }
+
        @Test
        public void saveWidgetDataBulkTest() {
-               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
+               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
                ecpectedPortalRestResponse.setMessage("success");
                ecpectedPortalRestResponse.setResponse(null);
                ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.OK);
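Review bot: `PortalRestResponse expectedPortalRestResponse` and `PortalRestResponse acutualPoratlRestResponse` are raw types, presumably because the controller's declared response type is `PortalRestResponse<CommonWidgetMeta>` while the error path sets the String `""` as the response, which the raw type hides. Declare both as `PortalRestResponse<CommonWidgetMeta>`; if the controller really puts a String in the response slot on the error path, that mismatch is better fixed in the controller than masked here. `acutualPoratlRestResponse` also has a typo (`actualPortalRestResponse`).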
@@ -114,7 +127,7 @@ public class DashboardSearchResultControllerTest {
                CommonWidgetMeta commonWidgetMeta = new CommonWidgetMeta();
                commonWidgetMeta.setCategory("test");
 
-               List<CommonWidget> commonWidgetList = new ArrayList<CommonWidget>();
+               List<CommonWidget> commonWidgetList = new ArrayList<>();
                CommonWidget commonWidget = new CommonWidget();
                commonWidget.setId((long) 1);
                commonWidget.setCategory("test");
@@ -135,9 +148,40 @@ public class DashboardSearchResultControllerTest {
                assertEquals(actualPortalRestResponse, ecpectedPortalRestResponse);
        }
 
+       @Test
+       public void saveWidgetDataBulkXSSTest() {
+               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
+               ecpectedPortalRestResponse.setMessage("ERROR");
+               ecpectedPortalRestResponse.setResponse("Category is not valid");
+               ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+
+               CommonWidgetMeta commonWidgetMeta = new CommonWidgetMeta();
+               commonWidgetMeta.setCategory("test");
+
+               List<CommonWidget> commonWidgetList = new ArrayList<>();
+               CommonWidget commonWidget = new CommonWidget();
+               commonWidget.setId((long) 1);
+               commonWidget.setCategory("test");
+               commonWidget.setHref("\"<IMG SRC=\\\"jav\\tascript:alert('XSS');\\\">\"");
+               commonWidget.setTitle("test_title");
+               commonWidget.setContent("test_content");
+               commonWidget.setEventDate(null);
+               commonWidget.setSortOrder(1);
+
+               commonWidgetList.add(commonWidget);
+
+               commonWidgetMeta.setItems(commonWidgetList);
+
+               Mockito.when(searchService.saveWidgetDataBulk(commonWidgetMeta)).thenReturn(null);
+
+               PortalRestResponse<String> actualPortalRestResponse = dashboardSearchResultController
+                       .saveWidgetDataBulk(commonWidgetMeta);
+               assertEquals(ecpectedPortalRestResponse, actualPortalRestResponse);
+       }
+
        @Test
        public void saveWidgetDataBulkIfCategoryNullTest() {
-               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
+               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
                ecpectedPortalRestResponse.setMessage("java.text.ParseException: Unparseable date: \"1\"");
                ecpectedPortalRestResponse.setResponse(null);
                ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
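Review bot: The expected response text `"Category is not valid"` does not match what the test injects — the payload is on `href` of an item while `category` is `"test"`, so either the controller reports every constraint violation as a category problem or the fixture does not exercise what its name says. If the controller builds the message from the violation's property path, the assertion should expect the href field; if it uses fixed text, consider naming the failing field so an operator can tell which input was rejected. The same mismatch is in saveWidgetDataXSSTest further down.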
@@ -145,7 +189,7 @@ public class DashboardSearchResultControllerTest {
                CommonWidgetMeta commonWidgetMeta = new CommonWidgetMeta();
                commonWidgetMeta.setCategory("test");
 
-               List<CommonWidget> commonWidgetList = new ArrayList<CommonWidget>();
+               List<CommonWidget> commonWidgetList = new ArrayList<>();
                CommonWidget commonWidget = new CommonWidget();
                commonWidget.setId(null);
                commonWidget.setCategory(null);
@@ -166,7 +210,7 @@ public class DashboardSearchResultControllerTest {
 
        @Test
        public void saveWidgetDataTest() {
-               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
+               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
                ecpectedPortalRestResponse.setMessage("success");
                ecpectedPortalRestResponse.setResponse(null);
                ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.OK);
@@ -187,11 +231,34 @@ public class DashboardSearchResultControllerTest {
 
        }
 
+       @Test
+       public void saveWidgetDataXSSTest() {
+               PortalRestResponse<String> expectedPortalRestResponse = new PortalRestResponse<>();
+               expectedPortalRestResponse.setMessage("ERROR");
+               expectedPortalRestResponse.setResponse("Category is not valid");
+               expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+               CommonWidget commonWidget = new CommonWidget();
+               commonWidget.setId((long) 1);
+               commonWidget.setCategory("test");
+               commonWidget.setHref("\"<IMG SRC=\"jav\\tascript:alert('XSS');\">\"");
+               commonWidget.setTitle("test_title");
+               commonWidget.setContent("test_content");
+               commonWidget.setEventDate(null);
+               commonWidget.setSortOrder(1);
+
+               Mockito.when(searchService.saveWidgetData(commonWidget)).thenReturn(null);
+
+               PortalRestResponse<String> actualPortalRestResponse = dashboardSearchResultController
+                       .saveWidgetData(commonWidget);
+               assertEquals(expectedPortalRestResponse, actualPortalRestResponse);
+
+       }
+
        @Test
        public void saveWidgetDataExceptionTest() {
-               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
+               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
                ecpectedPortalRestResponse.setMessage("ERROR");
-               ecpectedPortalRestResponse.setResponse("Cateogry cannot be null or empty");
+               ecpectedPortalRestResponse.setResponse("Category cannot be null or empty");
                ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
                CommonWidget commonWidget = new CommonWidget();
                commonWidget.setId((long) 1);
@@ -212,7 +279,7 @@ public class DashboardSearchResultControllerTest {
 
        @Test
        public void saveWidgetDataDateErrorTest() {
-               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
+               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
                ecpectedPortalRestResponse.setMessage("java.text.ParseException: Unparseable date: \"1\"");
                ecpectedPortalRestResponse.setResponse(null);
                ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
@@ -233,8 +300,9 @@ public class DashboardSearchResultControllerTest {
 
        }
 
+       @Test
        public void deleteWidgetDataTest() {
-               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
+               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
                ecpectedPortalRestResponse.setMessage("success");
                ecpectedPortalRestResponse.setResponse(null);
                ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.OK);
@@ -254,15 +322,37 @@ public class DashboardSearchResultControllerTest {
                assertEquals(actualPortalRestResponse, ecpectedPortalRestResponse);
        }
 
+       @Test
+       public void deleteWidgetDataXSSTest() {
+               PortalRestResponse<String> expectedPortalRestResponse = new PortalRestResponse<>();
+               expectedPortalRestResponse.setMessage("ERROR");
+               expectedPortalRestResponse.setResponse("CommonWidget is not valid");
+               expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+               CommonWidget commonWidget = new CommonWidget();
+               commonWidget.setId((long) 1);
+               commonWidget.setCategory("test");
+               commonWidget.setHref("test_href");
+               commonWidget.setTitle("\"<IMG SRC=\"jav\\tascript:alert('XSS');\">\"");
+               commonWidget.setContent("test_content");
+               commonWidget.setEventDate(null);
+               commonWidget.setSortOrder(1);
+               Mockito.when(searchService.deleteWidgetData(commonWidget)).thenReturn(null);
+
+               PortalRestResponse<String> actualPortalRestResponse = dashboardSearchResultController
+                       .deleteWidgetData(commonWidget);
+
+               assertEquals(expectedPortalRestResponse, actualPortalRestResponse);
+       }
+
        @Test
        public void searchPortalIfUserIsNull() {
                EPUser user = null;
                Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
                String searchString = "test";
 
-               PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<Map<String, List<SearchResultItem>>>();
+               PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<>();
                expectedResult.setMessage("searchPortal: User object is null? - check logs");
-               expectedResult.setResponse(new HashMap<String, List<SearchResultItem>>());
+               expectedResult.setResponse(new HashMap<>());
                expectedResult.setStatus(PortalRestStatusEnum.ERROR);
                PortalRestResponse<Map<String, List<SearchResultItem>>> actualResult = dashboardSearchResultController
                                .searchPortal(mockedRequest, searchString);
@@ -272,13 +362,12 @@ public class DashboardSearchResultControllerTest {
        @Test
        public void searchPortalIfSearchStringNullTest() {
                EPUser user = mockUser.mockEPUser();
-               ;
                Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
                String searchString = null;
 
-               PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<Map<String, List<SearchResultItem>>>();
+               PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<>();
                expectedResult.setMessage("searchPortal: String string is null");
-               expectedResult.setResponse(new HashMap<String, List<SearchResultItem>>());
+               expectedResult.setResponse(new HashMap<>());
                expectedResult.setStatus(PortalRestStatusEnum.ERROR);
 
                PortalRestResponse<Map<String, List<SearchResultItem>>> actualResult = dashboardSearchResultController
@@ -289,10 +378,9 @@ public class DashboardSearchResultControllerTest {
        @Test
        public void searchPortalIfSearchTest() {
                EPUser user = mockUser.mockEPUser();
-               ;
                Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
                String searchString = "test";
-               List<SearchResultItem> searchResultItemList = new ArrayList<SearchResultItem>();
+               List<SearchResultItem> searchResultItemList = new ArrayList<>();
                SearchResultItem searchResultItem = new SearchResultItem();
 
                searchResultItem.setId((long) 1);
@@ -301,10 +389,10 @@ public class DashboardSearchResultControllerTest {
                searchResultItem.setTarget("test_target");
                searchResultItem.setUuid("test_UUId");
                searchResultItemList.add(searchResultItem);
-               Map<String, List<SearchResultItem>> expectedResultMap = new HashMap<String, List<SearchResultItem>>();
+               Map<String, List<SearchResultItem>> expectedResultMap = new HashMap<>();
                expectedResultMap.put(searchString, searchResultItemList);
 
-               PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<Map<String, List<SearchResultItem>>>();
+               PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<>();
                expectedResult.setMessage("success");
                expectedResult.setResponse(expectedResultMap);
                expectedResult.setStatus(PortalRestStatusEnum.OK);
@@ -319,13 +407,12 @@ public class DashboardSearchResultControllerTest {
        @Test
        public void searchPortalIfSearchExcptionTest() {
                EPUser user = mockUser.mockEPUser();
-               ;
                Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
                String searchString = "test";
 
-               PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<Map<String, List<SearchResultItem>>>();
+               PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<>();
                expectedResult.setMessage("null - check logs.");
-               expectedResult.setResponse(new HashMap<String, List<SearchResultItem>>());
+               expectedResult.setResponse(new HashMap<>());
                expectedResult.setStatus(PortalRestStatusEnum.ERROR);
 
                Mockito.when(searchService.searchResults(user.getLoginId(), searchString)).thenThrow(nullPointerException);
@@ -336,9 +423,8 @@ public class DashboardSearchResultControllerTest {
 
        @Test
        public void getActiveUsersTest() {
-               List<String> expectedActiveUsers = new ArrayList<String>();
+               List<String> expectedActiveUsers = new ArrayList<>();
                EPUser user = mockUser.mockEPUser();
-               ;
                Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
                String userId = user.getOrgUserId();
                Mockito.when(searchService.getRelatedUsers(userId)).thenReturn(expectedActiveUsers);
@@ -349,7 +435,7 @@ public class DashboardSearchResultControllerTest {
 
        @Test
        public void getActiveUsersExceptionTest() {
-               List<String> expectedActiveUsers = new ArrayList<String>();
+               List<String> expectedActiveUsers = new ArrayList<>();
                EPUser user = mockUser.mockEPUser();
                Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
                String userId = user.getOrgUserId();
@@ -363,7 +449,7 @@ public class DashboardSearchResultControllerTest {
        public void activeUsersTest() {
                EPUser user = mockUser.mockEPUser();
                Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
-               PortalRestResponse<List<String>> expectedResult = new PortalRestResponse<List<String>>();
+               PortalRestResponse<List<String>> expectedResult = new PortalRestResponse<>();
                expectedResult.setMessage("success");
                expectedResult.setResponse(new ArrayList<>());
                expectedResult.setStatus(PortalRestStatusEnum.OK);
@@ -377,7 +463,7 @@ public class DashboardSearchResultControllerTest {
        public void activeUsersIfUserNullTest() {
                EPUser user = null;
                Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
-               PortalRestResponse<List<String>> expectedResult = new PortalRestResponse<List<String>>();
+               PortalRestResponse<List<String>> expectedResult = new PortalRestResponse<>();
                expectedResult.setMessage("User object is null? - check logs");
                expectedResult.setResponse(new ArrayList<>());
                expectedResult.setStatus(PortalRestStatusEnum.ERROR);
@@ -390,7 +476,7 @@ public class DashboardSearchResultControllerTest {
        public void activeUsersExceptionTest() {
                EPUser user = mockUser.mockEPUser();
                Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
-               PortalRestResponse<List<String>> expectedResult = new PortalRestResponse<List<String>>();
+               PortalRestResponse<List<String>> expectedResult = new PortalRestResponse<>();
                expectedResult.setMessage("null - check logs.");
                expectedResult.setResponse(new ArrayList<>());
                expectedResult.setStatus(PortalRestStatusEnum.ERROR);
index 21d0cf7..81e1f8b 100644 (file)
@@ -96,7 +96,7 @@ public class MicroserviceControllerTest extends MockitoTestSuite{
 
        @SuppressWarnings("rawtypes")
        @Mock
-       ResponseEntity<List<WidgetCatalog>> ans = new ResponseEntity<List<WidgetCatalog>>(HttpStatus.OK);
+       ResponseEntity<List<WidgetCatalog>> ans = new ResponseEntity<>(HttpStatus.OK);
 
        @Before
        public void setup() {
@@ -114,11 +114,10 @@ public class MicroserviceControllerTest extends MockitoTestSuite{
 
        @Test
        public void createMicroserviceIfServiceDataNullTest() throws Exception {
-               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
                expectedportalRestResponse.setMessage("FAILURE");
                expectedportalRestResponse.setResponse("MicroserviceData cannot be null or empty");
-               PortalRestStatusEnum portalRestStatusEnum = null;
-               expectedportalRestResponse.setStatus(portalRestStatusEnum.ERROR);
+               expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
                MicroserviceData microserviceData = null;
                PortalRestResponse<String> actualportalRestResponse = microserviceController.createMicroservice(mockedRequest,
                                mockedResponse, microserviceData);
@@ -127,23 +126,35 @@ public class MicroserviceControllerTest extends MockitoTestSuite{
 
        @Test
        public void createMicroserviceTest() throws Exception {
-               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
                expectedportalRestResponse.setMessage("SUCCESS");
                expectedportalRestResponse.setResponse("");
-               PortalRestStatusEnum portalRestStatusEnum = null;
-               expectedportalRestResponse.setStatus(portalRestStatusEnum.OK);
+               expectedportalRestResponse.setStatus(PortalRestStatusEnum.OK);
                PortalRestResponse<String> actualportalRestResponse = microserviceController.createMicroservice(mockedRequest,
                                mockedResponse, microserviceData);
                assertEquals(actualportalRestResponse, expectedportalRestResponse);
        }
 
+       @Test
+       public void createMicroserviceXSSTest() throws Exception {
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
+               expectedportalRestResponse.setMessage("ERROR");
+               expectedportalRestResponse.setResponse("MicroserviceData is not valid");
+               expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+               MicroserviceData XSSMicroserviceData = new MicroserviceData();
+               XSSMicroserviceData.setActive("<script>alert(123);</script>");
+               XSSMicroserviceData.setName("<script>alert(/XSS”)</script>");
+               PortalRestResponse<String> actualportalRestResponse = microserviceController.createMicroservice(mockedRequest,
+                       mockedResponse, XSSMicroserviceData);
+               assertEquals(expectedportalRestResponse, actualportalRestResponse);
+       }
+
        @Test
        public void createMicroserviceExceptionTest() throws Exception {
-               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
                expectedportalRestResponse.setMessage("FAILURE");
                expectedportalRestResponse.setResponse(null);
-               PortalRestStatusEnum portalRestStatusEnum = null;
-               expectedportalRestResponse.setStatus(portalRestStatusEnum.ERROR);
+               expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
                Mockito.when(microserviceService.saveMicroservice(microserviceData)).thenReturn((long) 1);
                Mockito.when(microserviceData.getParameterList()).thenThrow(nullPointerException);
                PortalRestResponse<String> actualportalRestResponse = microserviceController.createMicroservice(mockedRequest,
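Review bot: createMicroserviceXSSTest checks only the returned PortalRestResponse, so it would still pass if the controller rejected the payload after already handing it to the service; pinning that the invalid data never reaches persistence is the assertion that matters here, e.g. `Mockito.verify(microserviceService, Mockito.never()).saveMicroservice(Mockito.any());` after the assertEquals. The local `XSSMicroserviceData` should be lowerCamelCase (`xssMicroserviceData`), and the name payload mixes a typographic `”` with ASCII quotes, which reads as accidental unless a comment says it is deliberate. The same two points apply to updateMicroserviceXSSTest in the hunk at @@ -172,24 +182,36 @@.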
@@ -159,12 +170,11 @@ public class MicroserviceControllerTest extends MockitoTestSuite{
        }
 
        @Test
-       public void updateMicroserviceIfServiceISNullTest() throws Exception {
-               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+       public void updateMicroserviceIfServiceISNullTest() {
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
                expectedportalRestResponse.setMessage("FAILURE");
                expectedportalRestResponse.setResponse("MicroserviceData cannot be null or empty");
-               PortalRestStatusEnum portalRestStatusEnum = null;
-               expectedportalRestResponse.setStatus(portalRestStatusEnum.ERROR);
+               expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
                MicroserviceData microserviceData = null;
                PortalRestResponse<String> actualportalRestResponse = microserviceController.updateMicroservice(mockedRequest,
                                mockedResponse, 1, microserviceData);
@@ -172,24 +182,36 @@ public class MicroserviceControllerTest extends MockitoTestSuite{
        }
 
        @Test
-       public void updateMicroserviceTest() throws Exception {
-               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+       public void updateMicroserviceTest() {
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
                expectedportalRestResponse.setMessage("SUCCESS");
                expectedportalRestResponse.setResponse("");
-               PortalRestStatusEnum portalRestStatusEnum = null;
-               expectedportalRestResponse.setStatus(portalRestStatusEnum.OK);
+               expectedportalRestResponse.setStatus(PortalRestStatusEnum.OK);
                PortalRestResponse<String> actualportalRestResponse = microserviceController.updateMicroservice(mockedRequest,
-                               mockedResponse, 1, microserviceData);
+                       mockedResponse, 1, microserviceData);
                assertEquals(actualportalRestResponse, expectedportalRestResponse);
        }
 
        @Test
-       public void updateMicroserviceExceptionTest() throws Exception {
-               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+       public void updateMicroserviceXSSTest() {
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
+               expectedportalRestResponse.setMessage("ERROR");
+               expectedportalRestResponse.setResponse("MicroserviceData is not valid");
+               expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+               MicroserviceData XSSMicroserviceData = new MicroserviceData();
+               XSSMicroserviceData.setActive("<script>alert(123);</script>");
+               XSSMicroserviceData.setName("<script>alert(/XSS”)</script>");
+               PortalRestResponse<String> actualportalRestResponse = microserviceController.updateMicroservice(mockedRequest,
+                       mockedResponse, 1, XSSMicroserviceData);
+               assertEquals(expectedportalRestResponse, actualportalRestResponse);
+       }
+
+       @Test
+       public void updateMicroserviceExceptionTest() {
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
                expectedportalRestResponse.setMessage("FAILURE");
                expectedportalRestResponse.setResponse(null);
-               PortalRestStatusEnum portalRestStatusEnum = null;
-               expectedportalRestResponse.setStatus(portalRestStatusEnum.ERROR);
+               expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
                Mockito.when(microserviceController.updateMicroservice(mockedRequest, mockedResponse, 1, microserviceData))
                                .thenThrow(nullPointerException);
                PortalRestResponse<String> actualportalRestResponse = microserviceController.updateMicroservice(mockedRequest,
@@ -198,14 +220,14 @@ public class MicroserviceControllerTest extends MockitoTestSuite{
        }
 
        @Test
-       public void deleteMicroserviceExceptionTest() throws Exception {
-               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+       public void deleteMicroserviceExceptionTest() {
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
                expectedportalRestResponse.setMessage("FAILURE");
                PowerMockito.mockStatic(EcompPortalUtils.class);
                expectedportalRestResponse.setResponse(
-                               "I/O error on GET request for \""  + EcompPortalUtils.widgetMsProtocol() + "://null/widget/microservices/widgetCatalog/service/1\":null; nested exception is java.net.UnknownHostException: null");
-               PortalRestStatusEnum portalRestStatusEnum = null;
-               expectedportalRestResponse.setStatus(portalRestStatusEnum.ERROR);
+                               "I/O error on GET request for \""  + org.onap.portalapp.portal.utils.EcompPortalUtils.widgetMsProtocol()
+                                       + "://null/widget/microservices/widgetCatalog/service/1\":null; nested exception is java.net.UnknownHostException: null");
+               expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
                PowerMockito.mockStatic(WidgetServiceHeaders.class);
                PortalRestResponse<String> actuaPportalRestResponse = microserviceController.deleteMicroservice(mockedRequest,
                                mockedResponse, 1);
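Review bot: The rebuilt expected message calls `org.onap.portalapp.portal.utils.EcompPortalUtils.widgetMsProtocol()` by fully qualified name while `PowerMockito.mockStatic(EcompPortalUtils.class)` two lines earlier uses the simple name. If both resolve to the same class the qualification is noise and should be dropped; if they are different classes, the static mock does not cover the call that builds the expected string and the test silently depends on the real implementation. Either way the intent should be made explicit, and the same pattern appears in the hunks at @@ -236,7 +256,7 @@ and @@ -262,7 +281,7 @@.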
@@ -215,13 +237,11 @@ public class MicroserviceControllerTest extends MockitoTestSuite{
        @SuppressWarnings("unchecked")
        @Test
        public void deleteMicroserviceTest() throws Exception {
-               String HTTPS = "https://";
-               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
                expectedportalRestResponse.setMessage("SOME WIDGETS ASSOICATE WITH THIS SERVICE");
                expectedportalRestResponse.setResponse("'null' ,'null' ");
-               PortalRestStatusEnum portalRestStatusEnum = null;
-               expectedportalRestResponse.setStatus(portalRestStatusEnum.WARN);
-               List<WidgetCatalog> List = new ArrayList<WidgetCatalog>();
+               expectedportalRestResponse.setStatus(PortalRestStatusEnum.WARN);
+               List<WidgetCatalog> List = new ArrayList<>();
                WidgetCatalog widgetCatalog = new WidgetCatalog();
                widgetCatalog.setId(1);
                WidgetCatalog widgetCatalog1 = new WidgetCatalog();
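Review bot: `List<WidgetCatalog> List = new ArrayList<>();` names a local variable `List`, obscuring the `java.util.List` type used on the same line; it compiles, but any later expression such as `List.of(...)` in the method would resolve to the variable, and it reads as a type at first glance. Rename it, e.g. `List<WidgetCatalog> widgetCatalogs = new ArrayList<>();`, and update its uses in the method (the remainder of deleteMicroserviceTest is outside this hunk). The hunk at @@ -248,12 +268,11 @@ introduces the same name.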
@@ -236,7 +256,7 @@ public class MicroserviceControllerTest extends MockitoTestSuite{
                ParameterizedTypeReference<List<WidgetCatalog>> typeRef = new ParameterizedTypeReference<List<WidgetCatalog>>() {
                };
                Mockito.when(template.exchange(
-                               EcompPortalUtils.widgetMsProtocol() + "://" + consulHealthService.getServiceLocation(whatService, SystemProperties.getProperty("microservices.widget.local.port"))
+                               org.onap.portalapp.portal.utils.EcompPortalUtils.widgetMsProtocol() + "://" + consulHealthService.getServiceLocation(whatService, SystemProperties.getProperty("microservices.widget.local.port"))
                                                + "/widget/microservices/widgetCatalog/service/" + 1,
                                HttpMethod.GET, new HttpEntity(WidgetServiceHeaders.getInstance()), typeRef)).thenReturn(ans);
 
@@ -248,12 +268,11 @@ public class MicroserviceControllerTest extends MockitoTestSuite{
        @SuppressWarnings("unchecked")
        @Test
        public void deleteMicroserviceWhenNoWidgetsAssociatedTest() throws Exception {
-               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+               PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
                expectedportalRestResponse.setMessage("SUCCESS");
                expectedportalRestResponse.setResponse("");
-               PortalRestStatusEnum portalRestStatusEnum = null;
-               expectedportalRestResponse.setStatus(portalRestStatusEnum.OK);
-               List<WidgetCatalog> List = new ArrayList<WidgetCatalog>();
+               expectedportalRestResponse.setStatus(PortalRestStatusEnum.OK);
+               List<WidgetCatalog> List = new ArrayList<>();
                PowerMockito.mockStatic(WidgetServiceHeaders.class);
                PowerMockito.mockStatic(EcompPortalUtils.class);
                String whatService = "widgets-service";
@@ -262,7 +281,7 @@ public class MicroserviceControllerTest extends MockitoTestSuite{
                ParameterizedTypeReference<List<WidgetCatalog>> typeRef = new ParameterizedTypeReference<List<WidgetCatalog>>() {
                };
                Mockito.when(template.exchange(
-                               EcompPortalUtils.widgetMsProtocol() + "://" + consulHealthService.getServiceLocation(whatService, SystemProperties.getProperty("microservices.widget.local.port"))
+                               org.onap.portalapp.portal.utils.EcompPortalUtils.widgetMsProtocol() + "://" + consulHealthService.getServiceLocation(whatService, SystemProperties.getProperty("microservices.widget.local.port"))
                                                + "/widget/microservices/widgetCatalog/service/" + 1,
                                HttpMethod.GET, new HttpEntity(WidgetServiceHeaders.getInstance()), typeRef)).thenReturn(ans);
                PortalRestResponse<String> actuaPportalRestResponse = microserviceController.deleteMicroservice(mockedRequest,
index 8bfa39c..9673cb2 100644 (file)
@@ -370,6 +370,48 @@ public class RoleManageControllerTest {
                assertEquals(expected, actual);
        }
 
+       @Test
+       public void saveRoleFunctionXSSTest() throws Exception {
+               PowerMockito.mockStatic(EPUserUtils.class);
+               PowerMockito.mockStatic(EcompPortalUtils.class);
+               EPUser user = mockUser.mockEPUser();
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               Mockito.when(EcompPortalUtils.checkIfRemoteCentralAccessAllowed()).thenReturn(true);
+               Mockito.when(adminRolesService.isAccountAdminOfApplication(user, CentralApp())).thenReturn(true);
+               Mockito.when(appService.getApp((long) 1)).thenReturn(CentralApp());
+               Mockito.doNothing().when(roleFunctionListController).saveRoleFunction(mockedRequest, mockedResponse, "test");
+               CentralV2RoleFunction addNewFunc = new CentralV2RoleFunction();
+               addNewFunc.setCode("“><script>alert(“XSS”)</script>");
+               addNewFunc.setType("Test");
+               addNewFunc.setAction("Test");
+               addNewFunc.setName("Test");
+               CentralV2RoleFunction roleFunction = mockCentralRoleFunction();
+               roleFunction.setCode("Test|Test|Test");
+               Mockito.when(externalAccessRolesService.getRoleFunction("Test|Test|Test", "test")).thenReturn(roleFunction);
+               Mockito.when(externalAccessRolesService.saveCentralRoleFunction(Matchers.anyObject(), Matchers.anyObject()))
+                       .thenReturn(true);
+               Mockito.when(EcompPortalUtils.getFunctionCode(roleFunction.getCode())).thenReturn("Test");
+               Mockito.when(EcompPortalUtils.getFunctionType(roleFunction.getCode())).thenReturn("Test");
+               Mockito.when(EcompPortalUtils.getFunctionAction(roleFunction.getCode())).thenReturn("Test");
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               List<EPUser> userList = new ArrayList<>();
+               userList.add(user);
+               List<EPApp> appList = new ArrayList<>();
+               appList.add(CentralApp());
+               Mockito.when(externalAccessRolesService.getUser("guestT")).thenReturn(userList);
+               StringWriter sw = new StringWriter();
+               PrintWriter writer = new PrintWriter(sw);
+               Mockito.when(mockedResponse.getWriter()).thenReturn(writer);
+               ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.OK);
+               Mockito.when(externalAccessRolesService.getNameSpaceIfExists(Matchers.anyObject())).thenReturn(response);
+               Mockito.when(externalAccessRolesService.getApp(Matchers.anyString())).thenReturn(appList);
+               PortalRestResponse<String> actual = roleManageController.saveRoleFunction(mockedRequest, mockedResponse,
+                       addNewFunc, (long) 1);
+               PortalRestResponse<String> expected = new PortalRestResponse<String>(PortalRestStatusEnum.ERROR,
+                       "Data is not valid", "ERROR");
+               assertEquals(expected, actual);
+       }
+
        @Test
        public void saveRoleFunctionExceptionTest() throws Exception {
                Mockito.when(appService.getApp((long) 1)).thenReturn(CentralApp());
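Review bot: saveRoleFunctionXSSTest stubs `EPUserUtils.getUserSession(mockedRequest)` twice (the second `Mockito.when(...)` is a no-op repeat) and sets up `userList`, `appList` and `getNameSpaceIfExists` stubs whose relevance to a rejected payload is not visible from here, which makes it hard to tell which stubs the validation path actually needs; drop the duplicate and whatever setup turns out to be unused. It also asserts only on the returned response, so add `Mockito.verify(externalAccessRolesService, Mockito.never()).saveCentralRoleFunction(Matchers.anyObject(), Matchers.anyObject());` to pin that the script-bearing function code never reached the service. removeRoleFunctionXSSTest in the hunk at @@ -420,6 +462,36 @@ has the same duplicate stub and would benefit from the matching `never()` check on deleteCentralRoleFunction.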
@@ -420,6 +462,36 @@ public class RoleManageControllerTest {
                assertEquals(expected, actual);
        }
 
+       @Test
+       public void removeRoleFunctionXSSTest() throws Exception {
+               PowerMockito.mockStatic(EPUserUtils.class);
+               PowerMockito.mockStatic(EcompPortalUtils.class);
+               EPUser user = mockUser.mockEPUser();
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               Mockito.when(EcompPortalUtils.checkIfRemoteCentralAccessAllowed()).thenReturn(true);
+               Mockito.when(adminRolesService.isAccountAdminOfApplication(user, CentralApp())).thenReturn(true);
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               Mockito.when(appService.getApp((long) 1)).thenReturn(CentralApp());
+               String roleFun = "<script>alert(/XSS”)</script>";
+               CentralV2RoleFunction roleFunction = mockCentralRoleFunction();
+               Mockito.when(externalAccessRolesService.getRoleFunction("Test|Test|Test", "test")).thenReturn(roleFunction);
+               StringWriter sw = new StringWriter();
+               PrintWriter writer = new PrintWriter(sw);
+               Mockito.when(mockedResponse.getWriter()).thenReturn(writer);
+               Mockito.when(externalAccessRolesService.deleteCentralRoleFunction(Matchers.anyString(), Matchers.anyObject()))
+                       .thenReturn(true);
+               List<EPApp> appList = new ArrayList<>();
+               appList.add(CentralApp());
+               ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.OK);
+               Mockito.when(externalAccessRolesService.getNameSpaceIfExists(Matchers.anyObject())).thenReturn(response);
+               Mockito.when(externalAccessRolesService.getApp(Matchers.anyString())).thenReturn(appList);
+               PortalRestResponse<String> actual = roleManageController.removeRoleFunction(mockedRequest, mockedResponse,
+                       roleFun, (long) 1);
+               PortalRestResponse<String> expected = new PortalRestResponse<String>(PortalRestStatusEnum.ERROR,
+                       "Data is not valid", "ERROR");
+               assertEquals(expected, actual);
+       }
+
        @Test
        public void removeRoleFunctionExceptionTest() throws Exception {
                EPUser user = mockUser.mockEPUser();
@@ -908,6 +980,13 @@ public class RoleManageControllerTest {
                List<CentralizedApp> actual  = roleManageController.getCentralizedAppRoles(mockedRequest, mockedResponse, user.getOrgUserId());
                assertEquals(cenApps.size(), actual.size());
        }
+
+       @Test
+       public void getCentralizedAppRolesXSSTest() throws IOException {
+               String id = ("<ScRipT>alert(\"XSS\");</ScRipT>");
+               List<CentralizedApp> actual  = roleManageController.getCentralizedAppRoles(mockedRequest, mockedResponse, id);
+               assertNull(actual);
+       }
        
        @Test
        public void getCentralizedAppRolesExceptionTest() throws IOException {
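Review bot: getCentralizedAppRolesXSSTest pins `null` rather than an empty list as the controller's return for a rejected id, so a caller iterating the result would fail with an NPE; if the controller also records an error status on `mockedResponse`, asserting that with `Mockito.verify(mockedResponse).setStatus(...)` (using whatever status it sets) would document the contract far better than `assertNull`. I cannot see the controller, so whether `null` is intentional is for the author to confirm. The parentheses in `String id = ("<ScRipT>...");` are redundant and should be dropped.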
index aca7c1b..211462d 100644 (file)
@@ -150,6 +150,18 @@ public class TicketEventControllerTest {
                assertTrue(actualPortalRestResponse.getStatus().compareTo(PortalRestStatusEnum.OK) == 0);
        }
 
+       @Test
+       public void saveXSSTest() throws Exception {
+               String ticketEventJson = "<iframe %00 src=\"&Tab;javascript:prompt(1)&Tab;\"%00>";
+               PortalRestResponse<String> actualPortalRestResponse;
+               PortalRestResponse<String> expectedPortalRestResponse = new PortalRestResponse<>();
+               expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+               expectedPortalRestResponse.setMessage("Data is not valid");
+               actualPortalRestResponse = ticketEventController.handleRequest(mockedRequest,
+                       mockedResponse, ticketEventJson);
+               assertEquals(expectedPortalRestResponse, actualPortalRestResponse);
+       }
+
        @Test
        public void saveTestForException() throws Exception {
                String ticketEventJson = "\"event\": {\"body\": {\"ticketStatePhrase\": \"We recently detected a problem with the equipment at your site. The event is in queue for immediate work.\", \"ivrNotificationFlag\": \"1\",\"expectedRestoreDate\": 0,\"bridgeTransport\": \"AOTS\",  \"reptRequestType\": 0,\"ticketNum\": \"000002000857405\",\"assetID\": \"CISCO_1921C1_ISR_G2\", \"eventDate\": 1490545134601,\"eventAbstract\": \"ospfIfConfigError trap received from Cisco_1921c1_ISR_G2 with arguments: ospfRouterId=Cisco_1921c1_ISR_G2; ospfIfIpAddress=1921c1_288266; ospfAddressLessIf=0; ospfPacketSrc=172.17.0.11; ospfConfigErrorType=2; ospfPacketType=1\",\"severity\": \"2 - Major\",\"ticketPriority\": \"3\",\"reportedCustomerImpact\": 0,\"testAutoIndicator\": 0,\"supportGroupName\": \"US-TEST-ORT\",\"lastModifiedDate\": \"1487687703\",\"messageGroup\": \"SNMP\",\"csi\": 0,\"mfabRestoredTime\": 0},\"header\": {\"timestamp\": \"2017-02-21T14:35:05.219+0000\",\"eventSource\": \"aotstm\",\"entityId\": \"000002000857405\",      \"sequenceNumber\": 2 },\"blinkMsgId\": \"f38c071e-1a47-4b55-9e72-1db830100a61\",\"sourceIP\": \"130.4.165.158\"},\"SubscriberInfo\": {\"UserList\": [\"hk8777\"] }}";
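Review bot: saveXSSTest's expected object sets only status and message, so the `assertEquals` implicitly requires the controller to leave `response` null; stating that explicitly with `expectedPortalRestResponse.setResponse(null);`, or asserting `getStatus()` and `getMessage()` separately as the preceding test does with `getStatus().compareTo(...)`, makes the intended contract clear and the failure output readable. Since the method is named after save but calls `handleRequest`, a one-line comment saying the payload is expected to fail validation before any event handling would help the next reader.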
index c907a6e..82b902a 100644 (file)
@@ -55,6 +55,7 @@ import java.util.TreeSet;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.cxf.transport.http.HTTPException;
+import org.drools.core.command.assertion.AssertEquals;
 import org.hibernate.Query;
 import org.hibernate.SQLQuery;
 import org.hibernate.Session;
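Review bot: `import org.drools.core.command.assertion.AssertEquals;` looks like an IDE auto-import gone wrong: nothing in this diff's hunks for the file uses it (the new test calls `assertFalse`/`assertTrue`), and it ties the test's compilation to a Drools artifact being on the test classpath. Remove the line; if an assertEquals was intended, the JUnit static `org.junit.Assert.assertEquals` is the one to use.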
@@ -237,6 +238,31 @@ public class UserRolesCommonServiceImplTest {
                return mockRoleInAppForUserList;
        }
 
+       @SuppressWarnings("unchecked")
+       @Test
+       public void checkTheProtectionAgainstSQLInjection() throws Exception {
+               EPUser user = mockUser.mockEPUser();
+               user.setId(1l);
+               user.setOrgId(2l);
+               Query epUserQuery = Mockito.mock(Query.class);
+               List<EPUser> mockEPUserList = new ArrayList<>();
+               mockEPUserList.add(user);
+
+               // test with SQL injection, should return false
+               Mockito.when(session.createQuery("from :name where orgUserId=:userId")).thenReturn(epUserQuery);
+               Mockito.when(epUserQuery.setParameter("name",EPUser.class.getName())).thenReturn(epUserQuery);
+               Mockito.when(epUserQuery.setParameter("userId",user.getOrgUserId() + "; select * from " + EPUser.class.getName() +";")).thenReturn(epUserQuery);
+               boolean ret = userRolesCommonServiceImpl.createLocalUserIfNecessary(user.getOrgUserId());
+               assertFalse(ret);
+
+               // test without SQL injection, should return true
+               Mockito.when(session.createQuery("from :name where orgUserId=:userId")).thenReturn(epUserQuery);
+               Mockito.when(epUserQuery.setParameter("name",EPUser.class.getName())).thenReturn(epUserQuery);
+               Mockito.when(epUserQuery.setParameter("userId",user.getOrgUserId())).thenReturn(epUserQuery);
+               ret = userRolesCommonServiceImpl.createLocalUserIfNecessary(user.getOrgUserId());
+               assertTrue(ret);
+       }
+
        @SuppressWarnings("unchecked")
        @Test
        public void getAppRolesForUserNonCentralizedForPortal() throws Exception {
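Review bot: checkTheProtectionAgainstSQLInjection never passes the injection string to the code under test: both calls invoke `createLocalUserIfNecessary(user.getOrgUserId())` with the plain id, and the payload only appears inside a `Mockito.when(epUserQuery.setParameter(...))` stub, which configures the mock rather than supplying an input. As written the assertFalse/assertTrue outcomes cannot come from the injection text, and the test would keep passing if the service concatenated the id into the query. To exercise the protection, pass the payload as the argument and verify it is bound as a parameter rather than spliced into the HQL, e.g. `String payload = user.getOrgUserId() + "; select * from " + EPUser.class.getName() + ";";` followed by `userRolesCommonServiceImpl.createLocalUserIfNecessary(payload);` and `Mockito.verify(epUserQuery).setParameter("userId", payload);`. Stubbing `createQuery("from :name where orgUserId=:userId")` also presumes the implementation binds the entity name as a parameter, which HQL does not support in a `from` clause — worth confirming against the service. Also `1l`/`2l` should be `1L`/`2L`, since a lowercase l is easily read as the digit 1.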
index 6340eb9..a41cbd8 100644 (file)
@@ -117,6 +117,18 @@ public class CentralUserAppTest {
         assertEquals(centralV2UserApp.getApp(), app1);
         assertEquals(centralV2UserApp.getRole(), role1);
     }
+
+    @Test
+       public void centralUserAppEqualsTest(){
+               CentralV2UserApp centralV2UserApp = mockCentralUserApp();
+               CentralV2UserApp centralV2UserApp2 = mockCentralUserApp();
+
+               assertTrue(centralV2UserApp.equals(centralV2UserApp));
+               assertTrue(centralV2UserApp.equals(centralV2UserApp2));
+               assertFalse(centralV2UserApp.equals(new Long(1)));
+               centralV2UserApp2.setPriority(213);
+               assertFalse(centralV2UserApp.equals(centralV2UserApp2));
+       }
        
        @Test
        public void unt_hashCodeTest(){
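Review bot: centralUserAppEqualsTest uses `new Long(1)`, a constructor deprecated since Java 9; `Long.valueOf(1)` is the replacement and reads the same. `assertTrue(a.equals(b))`/`assertFalse(...)` lose the compared values on failure, so `assertEquals(centralV2UserApp, centralV2UserApp2)` and `assertNotEquals(...)` are preferable, and an `assertFalse(centralV2UserApp.equals(null))` case would cover the null branch of the equals contract. The new method also mixes four-space indentation on its `@Test` line with tabs in its body; pick one. The unt_hashCodeTest that follows continues outside this hunk.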
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/validation/DataValidatorTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/validation/DataValidatorTest.java
new file mode 100644 (file)
index 0000000..2dbfdcd
--- /dev/null
@@ -0,0 +1,98 @@
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ *
+ */
+
+package org.onap.portalapp.validation;
+
+import static org.junit.Assert.*;
+
+import java.util.Set;
+import javax.validation.ConstraintViolation;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
+import org.drools.core.command.assertion.AssertEquals;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.onap.portalapp.portal.domain.EPUser;
+import org.powermock.modules.junit4.PowerMockRunner;
+import org.springframework.beans.factory.annotation.Autowired;
+
+@RunWith(PowerMockRunner.class)
+public class DataValidatorTest {
+       private static final ValidatorFactory VALIDATOR_FACTORY  = Validation.buildDefaultValidatorFactory();
+       @InjectMocks
+       DataValidator dataValidator;
+
+       @Test
+       public void getConstraintViolationsSecureString() {
+              SecureString secureString = new SecureString("<script>alert(“XSS”);</script>");
+              Validator validator = VALIDATOR_FACTORY.getValidator();
+              Set<ConstraintViolation<SecureString>> expectedConstraintViolations = validator.validate(secureString);
+              Set<ConstraintViolation<SecureString>> actualConstraintViolations = dataValidator.getConstraintViolations(secureString);
+              assertEquals(expectedConstraintViolations, actualConstraintViolations);
+       }
+
+       @Test
+       public void isValidSecureString() {
+              SecureString secureString = new SecureString("<script>alert(“XSS”);</script>");
+              assertFalse(dataValidator.isValid(secureString));
+       }
+
+       @Test
+       public void getConstraintViolationsEPUser() {
+              EPUser user = new EPUser();
+              user.setEmail("“><script>alert(“XSS”)</script>");
+              user.setLoginId("<IMG SRC=”javascript:alert(‘XSS’);”>");
+              user.setFinancialLocCode("<IMG SRC=javascript:alert(‘XSS’)> ");
+              Validator validator = VALIDATOR_FACTORY.getValidator();
+              Set<ConstraintViolation<EPUser>> expectedConstraintViolations = validator.validate(user);
+              Set<ConstraintViolation<EPUser>> actualConstraintViolations = dataValidator.getConstraintViolations(user);
+              assertEquals(expectedConstraintViolations, actualConstraintViolations);
+       }
+
+       @Test
+       public void isValidEPUser() {
+              EPUser user = new EPUser();
+              user.setEmail("“><script>alert(“XSS”)</script>");
+              user.setLoginId("<IMG SRC=”javascript:alert(‘XSS’);”>");
+              user.setFinancialLocCode("<IMG SRC=javascript:alert(‘XSS’)> ");
+              assertFalse(dataValidator.isValid(user));
+       }
+
+}
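Review bot: Every case in DataValidatorTest asserts only that a malicious value is rejected, so a `DataValidator` (or `SecureString` constraint) that rejected every input would pass this suite; add a positive case such as `assertTrue(dataValidator.isValid(new SecureString("plain text")));` and an `EPUser` populated with ordinary field values. The import `org.drools.core.command.assertion.AssertEquals` is unused and pulls a Drools class into a validation test for no reason; `Autowired` is unused as well. `@InjectMocks` on `dataValidator` with no `@Mock` fields declared achieves nothing beyond `new DataValidator()`, which would make the setup explicit. The two `getConstraintViolations*` tests compare a `Set<ConstraintViolation>` from a separately built validator with the one under test, which presumably relies on the provider's `ConstraintViolation.equals` semantics — worth a one-line comment stating that assumption.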
index ed54055..915c5e0 100644 (file)
@@ -40,8 +40,13 @@ package org.onap.portalapp.portal.controller;
 import java.util.HashMap;
 import java.util.Map;
 
+import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 
+import javax.validation.ConstraintViolation;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
 import org.json.JSONObject;
 import org.onap.portalapp.portal.controller.AppsController;
 import org.onap.portalapp.portal.domain.EPUser;
@@ -53,6 +58,7 @@ import org.onap.portalapp.portal.service.EPAppService;
 import org.onap.portalapp.portal.service.PersUserAppService;
 import org.onap.portalapp.portal.service.UserService;
 import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
@@ -67,6 +73,7 @@ import org.springframework.web.bind.annotation.RestController;
 @EnableAspectJAutoProxy
 @EPAuditLog
 public class AppsOSController extends AppsController {
+       private static final ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory();
        
        static final String FAILURE = "failure";
        EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class);
@@ -113,9 +120,20 @@ public class AppsOSController extends AppsController {
        
        @RequestMapping(value = { "/portalApi/currentUserProfile/{loginId}" }, method = RequestMethod.GET, produces = "application/json")
        public String getCurrentUserProfile(HttpServletRequest request, @PathVariable("loginId") String loginId) {
+
+               if(loginId != null){
+                       Validator validator = validatorFactory.getValidator();
+                       SecureString secureString = new SecureString(loginId);
+                       Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+
+                       if (!constraintViolations.isEmpty()){
+                               return "loginId is not valid";
+                       }
+               }
+
                
-               Map<String,String> map = new HashMap<String,String>();
-               EPUser user = null;
+               Map<String,String> map = new HashMap<>();
+               EPUser user;
                try {
                         user = (EPUser) userService.getUserByUserId(loginId).get(0);
                         map.put("firstName", user.getFirstName());
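Review bot: On the `return "loginId is not valid";` line the handler answers a rejected path variable with a bare string and HTTP 200, although the mapping declares `produces = "application/json"` and the success path returns a JSON object built from `map`; a client parsing the body as JSON fails on this branch only. Returning the error in the same shape, e.g. `map.put("error", "loginId is not valid"); return new JSONObject(map).toString();`, keeps the content type honest, and the expectation `assertEquals("loginId is not valid", expectedString)` in AppsOSControllerTest would change with it. `getCurrentUserProfile` ends outside this hunk. The `static final ValidatorFactory validatorFactory` added in an earlier hunk of this file is a constant written in lowerCamelCase, while the new DataValidatorTest names the same thing `VALIDATOR_FACTORY`.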
@@ -128,7 +146,7 @@ public class AppsOSController extends AppsController {
                        logger.error(EELFLoggerDelegate.errorLogger, "Failed to get user info", e);
                }
 
-               JSONObject j = new JSONObject(map);;
+               JSONObject j = new JSONObject(map);
                return j.toString();
        }
 
index 0be5712..1dff604 100644 (file)
@@ -48,7 +48,6 @@ import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 
 import org.onap.portalapp.controller.EPRestrictedBaseController;
-import org.onap.portalapp.portal.controller.DashboardSearchResultController;
 import org.onap.portalapp.portal.domain.EPUser;
 import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
 import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
@@ -57,6 +56,8 @@ import org.onap.portalapp.portal.service.DashboardSearchService;
 import org.onap.portalapp.portal.transport.CommonWidget;
 import org.onap.portalapp.portal.transport.CommonWidgetMeta;
 import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.DataValidator;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.domain.support.CollaborateList;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -71,6 +72,7 @@ import org.springframework.web.bind.annotation.RestController;
 public class DashboardSearchResultController extends EPRestrictedBaseController {
 
        private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(DashboardSearchResultController.class);
+       private DataValidator dataValidator = new DataValidator();
 
        @Autowired
        private DashboardSearchService searchService;
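Review bot: `private DataValidator dataValidator = new DataValidator();` hard-wires the validator into a Spring-managed controller, so tests cannot substitute it and, if `DataValidator` builds its own `ValidatorFactory` (not visible here), every controller that copies this line builds another one. If `DataValidator` is registered as a bean, `@Autowired private DataValidator dataValidator;` matches how `searchService` is wired two lines below; otherwise a `private static final` field would at least share a single instance.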
@@ -86,7 +88,12 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
        @RequestMapping(value = "/widgetData", method = RequestMethod.GET, produces = "application/json")
        public PortalRestResponse<CommonWidgetMeta> getWidgetData(HttpServletRequest request,
                        @RequestParam String resourceType) {
-               return new PortalRestResponse<CommonWidgetMeta>(PortalRestStatusEnum.OK, "success",
+               if (resourceType !=null){
+                       SecureString secureString = new SecureString(resourceType);
+                       if (!dataValidator.isValid(secureString))
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is invalid", null);
+               }
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
                                searchService.getWidgetData(resourceType));
        }
 
@@ -100,9 +107,14 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
        @RequestMapping(value = "/widgetDataBulk", method = RequestMethod.POST, produces = "application/json")
        public PortalRestResponse<String> saveWidgetDataBulk(@RequestBody CommonWidgetMeta commonWidgetMeta) {
                logger.debug(EELFLoggerDelegate.debugLogger, "saveWidgetDataBulk: argument is {}", commonWidgetMeta);
-               if (commonWidgetMeta.getCategory() == null || commonWidgetMeta.getCategory().trim().equals(""))
+               if (commonWidgetMeta.getCategory() == null || commonWidgetMeta.getCategory().trim().equals("")){
                        return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR",
                                        "Category cannot be null or empty");
+               }else {
+                       if(!dataValidator.isValid(commonWidgetMeta))
+                               return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR",
+                                       "Category is not valid");
+               }
                // validate dates
                for (CommonWidget cw : commonWidgetMeta.getItems()) {
                        String err = validateCommonWidget(cw);
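Review bot: The error text `"Category is not valid"` on the new `else` branch does not match what is checked: `dataValidator.isValid(commonWidgetMeta)` validates the whole object, and the corresponding test in DashboardSearchResultControllerTest triggers this branch with a script in an item's `href`, not in the category. `"Widget data is not valid"` (or the violated property path from `getConstraintViolations`, if its return type carries it) tells the caller what to fix; the same message is reused in the `saveWidgetData` hunk that follows. The `else { if (...) }` nesting can be flattened to `} else if (!dataValidator.isValid(commonWidgetMeta)) {`. `saveWidgetDataBulk` continues past the end of this hunk.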
@@ -123,13 +135,18 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
        @RequestMapping(value = "/widgetData", method = RequestMethod.POST, produces = "application/json")
        public PortalRestResponse<String> saveWidgetData(@RequestBody CommonWidget commonWidget) {
                logger.debug(EELFLoggerDelegate.debugLogger, "saveWidgetData: argument is {}", commonWidget);
-               if (commonWidget.getCategory() == null || commonWidget.getCategory().trim().equals(""))
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR",
+               if (commonWidget.getCategory() == null || commonWidget.getCategory().trim().equals("")){
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
                                        "Cateogry cannot be null or empty");
+               }else {
+                       if(!dataValidator.isValid(commonWidget))
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+                                       "Category is not valid");
+               }
                String err = validateCommonWidget(commonWidget);
                if (err != null)
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, err, null);
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, err, null);
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
                                searchService.saveWidgetData(commonWidget));
        }
 
@@ -165,7 +182,10 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
        @RequestMapping(value = "/deleteData", method = RequestMethod.POST, produces = "application/json")
        public PortalRestResponse<String> deleteWidgetData(@RequestBody CommonWidget commonWidget) {
                logger.debug(EELFLoggerDelegate.debugLogger, "deleteWidgetData: argument is {}", commonWidget);
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
+               if(!dataValidator.isValid(commonWidget))
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+                               "Data is not valid");
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
                                searchService.deleteWidgetData(commonWidget));
        }
 
@@ -180,16 +200,24 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
        @RequestMapping(value = "/allPortal", method = RequestMethod.GET, produces = "application/json")
        public PortalRestResponse<Map<String, List<SearchResultItem>>> searchPortal(HttpServletRequest request,
                        @RequestParam String searchString) {
+               if(searchString!=null){
+                       SecureString secureString = new SecureString(searchString);
+                       if(!dataValidator.isValid(secureString)){
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
+                                       "searchPortal: User object is invalid",
+                                       null);
+                       }
+               }
 
                EPUser user = EPUserUtils.getUserSession(request);
                try {
                        if (user == null) {
                                return new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
                                                "searchPortal: User object is null? - check logs",
-                                               new HashMap<String, List<SearchResultItem>>());
+                                               new HashMap<>());
                        } else if (searchString == null || searchString.trim().length() == 0) {
                                return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "searchPortal: String string is null",
-                                               new HashMap<String, List<SearchResultItem>>());
+                                               new HashMap<>());
                        } else {
                                logger.debug(EELFLoggerDelegate.debugLogger, "searchPortal: user {}, search string '{}'",
                                                user.getLoginId(), searchString);
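Review bot: The message `"searchPortal: User object is invalid"` in the new validation block describes the wrong thing — what failed validation is `searchString`, and the user has not been looked up yet at that point; `"searchPortal: search string is invalid"` states it, and the `searchPortalXSS` test that pins the current text would change with it. The same branch returns `null` as the payload while every other error return in this method supplies `new HashMap<>()`, so a client iterating the map gets a null only here. `searchPortal` continues beyond this hunk.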
@@ -200,7 +228,7 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
                } catch (Exception e) {
                        logger.error(EELFLoggerDelegate.errorLogger, "searchPortal failed", e);
                        return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, e.getMessage() + " - check logs.",
-                                       new HashMap<String, List<SearchResultItem>>());
+                                       new HashMap<>());
                }
        }
 
index 0596e74..15fe1dd 100644 (file)
@@ -175,6 +175,17 @@ public class AppsOSControllerTest {
                assertEquals("{\"firstName\":\"test\",\"lastName\":\"test\"}", expectedString);
        }
 
+       @Test
+       public void getCurrentUserProfileXSSTest() {
+               String loginId = "<iframe/src=\"data:text/html,<svg &#111;&#110;load=alert(1)>\">";
+               EPUser user = mockUser.mockEPUser();
+               List<EPUser> expectedList = new ArrayList<>();
+               expectedList.add(user);
+               Mockito.when(userService.getUserByUserId(loginId)).thenReturn(expectedList);
+               String expectedString = appsOSController.getCurrentUserProfile(mockedRequest, loginId);
+               assertEquals("loginId is not valid", expectedString);
+       }
+
        @Test
        public void getCurrentUserProfileExceptionTest() {
                String loginId = "guestT";
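Review bot: In `getCurrentUserProfileXSSTest` the stub `Mockito.when(userService.getUserByUserId(loginId)).thenReturn(expectedList)` is only reachable if validation is bypassed, so it documents the opposite of what the test checks. Replacing it with `Mockito.verify(userService, Mockito.never()).getUserByUserId(loginId);` after the call asserts the property that matters here: the rejected loginId never reaches the user lookup.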
index 9edf99e..ff588da 100644 (file)
@@ -98,6 +98,18 @@ public class DashboardSearchResultControllerTest {
                assertEquals(ecpectedPortalRestResponse.getStatus(), actualPortalRestResponse.getStatus());
        }
 
+       @Test
+       public void getWidgetDataXSSTest() {
+               String resourceType = "\"<IMG SRC=\\\"jav\\tascript:alert('XSS');\\\">\"";
+               PortalRestResponse expectedPortalRestResponse = new PortalRestResponse<>();
+               expectedPortalRestResponse.setMessage("Provided data is invalid");
+               expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+               Mockito.when(searchService.getWidgetData(resourceType)).thenReturn(null);
+               PortalRestResponse acutualPoratlRestResponse = dashboardSearchResultController
+                       .getWidgetData(mockedRequest, resourceType);
+               assertEquals(acutualPoratlRestResponse, expectedPortalRestResponse);
+       }
+
        @Test
        public void saveWidgetDataBulkIfCatrgoryNullTest() {
                PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
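Review bot: `PortalRestResponse expectedPortalRestResponse = new PortalRestResponse<>();` and `PortalRestResponse acutualPoratlRestResponse` use the raw type where the sibling tests in this file write `PortalRestResponse<String>` (here it would be `PortalRestResponse<CommonWidgetMeta>`), and `assertEquals(acutualPoratlRestResponse, expectedPortalRestResponse)` passes the arguments in the reverse of JUnit's expected-then-actual order, which makes the failure message misleading; the same reversal is in `searchPortalXSS` in the last hunk of this file. In each XSS test of this file (also `saveWidgetDataBulkXSSTest`, `saveWidgetDataXSSTest` and `deleteWidgetDataXSSTest` in the next hunk) the `Mockito.when(searchService...)` stub is unreachable once validation rejects the input; `Mockito.verify(searchService, Mockito.never()).getWidgetData(resourceType);` is the assertion that actually proves the injected value was stopped before the service. The name `acutualPoratlRestResponse` is misspelled twice.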
@@ -151,6 +163,82 @@ public class DashboardSearchResultControllerTest {
                assertEquals(ecpectedPortalRestResponse, actualPortalRestResponse);
        }
 
+       @Test
+       public void saveWidgetDataBulkXSSTest() {
+               PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>();
+               ecpectedPortalRestResponse.setMessage("ERROR");
+               ecpectedPortalRestResponse.setResponse("Category is not valid");
+               ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+
+               CommonWidgetMeta commonWidgetMeta = new CommonWidgetMeta();
+               commonWidgetMeta.setCategory("test");
+
+               List<CommonWidget> commonWidgetList = new ArrayList<>();
+               CommonWidget commonWidget = new CommonWidget();
+               commonWidget.setId((long) 1);
+               commonWidget.setCategory("test");
+               commonWidget.setHref("\"<IMG SRC=\\\"jav\\tascript:alert('XSS');\\\">\"");
+               commonWidget.setTitle("test_title");
+               commonWidget.setContent("test_content");
+               commonWidget.setEventDate(null);
+               commonWidget.setSortOrder(1);
+
+               commonWidgetList.add(commonWidget);
+
+               commonWidgetMeta.setItems(commonWidgetList);
+
+               Mockito.when(searchService.saveWidgetDataBulk(commonWidgetMeta)).thenReturn(null);
+
+               PortalRestResponse<String> actualPortalRestResponse = dashboardSearchResultController
+                       .saveWidgetDataBulk(commonWidgetMeta);
+               assertEquals(ecpectedPortalRestResponse, actualPortalRestResponse);
+       }
+
+       @Test
+       public void saveWidgetDataXSSTest() {
+               PortalRestResponse<String> expectedPortalRestResponse = new PortalRestResponse<>();
+               expectedPortalRestResponse.setMessage("ERROR");
+               expectedPortalRestResponse.setResponse("Category is not valid");
+               expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+               CommonWidget commonWidget = new CommonWidget();
+               commonWidget.setId((long) 1);
+               commonWidget.setCategory("test");
+               commonWidget.setHref("\"<IMG SRC=\"jav\\tascript:alert('XSS');\">\"");
+               commonWidget.setTitle("test_title");
+               commonWidget.setContent("test_content");
+               commonWidget.setEventDate(null);
+               commonWidget.setSortOrder(1);
+
+               Mockito.when(searchService.saveWidgetData(commonWidget)).thenReturn(null);
+
+               PortalRestResponse<String> actualPortalRestResponse = dashboardSearchResultController
+                       .saveWidgetData(commonWidget);
+               assertEquals(expectedPortalRestResponse, actualPortalRestResponse);
+
+       }
+
+       @Test
+       public void deleteWidgetDataXSSTest() {
+               PortalRestResponse<String> expectedPortalRestResponse = new PortalRestResponse<>();
+               expectedPortalRestResponse.setMessage("ERROR");
+               expectedPortalRestResponse.setResponse("Data is not valid");
+               expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+               CommonWidget commonWidget = new CommonWidget();
+               commonWidget.setId((long) 1);
+               commonWidget.setCategory("test");
+               commonWidget.setHref("test_href");
+               commonWidget.setTitle("\"<IMG SRC=\"jav\\tascript:alert('XSS');\">\"");
+               commonWidget.setContent("test_content");
+               commonWidget.setEventDate(null);
+               commonWidget.setSortOrder(1);
+               Mockito.when(searchService.deleteWidgetData(commonWidget)).thenReturn(null);
+
+               PortalRestResponse<String> actualPortalRestResponse = dashboardSearchResultController
+                       .deleteWidgetData(commonWidget);
+
+               assertEquals(expectedPortalRestResponse, actualPortalRestResponse);
+       }
+
        @Test
        public void saveWidgetDataIfCatagoryNullTest() {
                PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>();
@@ -339,6 +427,22 @@ public class DashboardSearchResultControllerTest {
 
        }
 
+       @Test
+       public void searchPortalXSS() {
+               EPUser user = mockUser.mockEPUser();
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               String searchString = "<script>alert(“XSS”)</script> ";
+
+               PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<Map<String, List<SearchResultItem>>>();
+               expectedResult.setMessage("searchPortal: User object is invalid");
+               expectedResult.setStatus(PortalRestStatusEnum.ERROR);
+
+               PortalRestResponse<Map<String, List<SearchResultItem>>> actualResult = dashboardSearchResultController
+                       .searchPortal(mockedRequest, searchString);
+               assertEquals(actualResult, expectedResult);
+
+       }
+
        @Test
        public void searchPortalIfSearchExcptionTest() {
                EPUser user = mockUser.mockEPUser();
index a6ed0aa..8f5a589 100644 (file)
                <artifactId>spring-security-web</artifactId>
                <version>4.1.4.RELEASE</version>
                </dependency>
+               <dependency>
+                       <groupId>org.projectlombok</groupId>
+                       <artifactId>lombok</artifactId>
+                       <version>1.18.4</version>
+               </dependency>
        </dependencies>
 
        <build>
index d950d03..212826c 100644 (file)
@@ -8,6 +8,10 @@ import javax.persistence.GeneratedValue;
 import javax.persistence.GenerationType;
 import javax.persistence.Id;
 import javax.persistence.Table;
+import javax.validation.constraints.Digits;
+import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Size;
+import org.hibernate.validator.constraints.SafeHtml;
 
 @Entity
 @Table(name = "FN_APP")
@@ -18,9 +22,13 @@ public class App implements Serializable{
        @Id
        @Column(name = "APP_ID")
        @GeneratedValue(strategy=GenerationType.AUTO)
+       @Digits(integer = 11, fraction = 0)
        private Long appId;
-       
+
        @Column(name = "APP_Name")
+       @SafeHtml
+       @Size(max = 100)
+       @NotNull
        private String appName;
 
        public Long getAppId() {
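Review bot: `@SafeHtml` on `appName` is applied with its default `whitelistType`, `RELAXED`, which accepts a broad set of ordinary HTML tags and rejects only what the whitelist excludes, so for a field that should contain no markup at all `@SafeHtml(whitelistType = WhiteListType.NONE)` is the check that matches the intent; the same applies to `roleName` in the RoleApp hunk below. The annotation is deprecated in Hibernate Validator 6.1 and removed in 7.0, so whether it stays available depends on the validator version this module resolves to — worth a field comment such as `// @SafeHtml is deprecated in Hibernate Validator 6.1+; replace before upgrading`. `@Digits(fraction = 0)` on a `Long` is always satisfied, so only the `integer = 11` bound has any effect.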
index 807067b..aae9bfe 100644 (file)
@@ -16,77 +16,43 @@ import javax.persistence.ManyToOne;
 import javax.persistence.Table;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
+import javax.validation.Valid;
+import javax.validation.constraints.Digits;
+import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Size;
+import lombok.Getter;
+import lombok.Setter;
+import org.hibernate.validator.constraints.SafeHtml;
 
 @Entity
 @Table(name = "FN_ROLE")
+@Getter
+@Setter
 public class RoleApp implements Serializable{
        private static final long serialVersionUID = 1L;
 
        @Id
        @Column(name = "ROLE_ID")
        @GeneratedValue(strategy=GenerationType.AUTO)
+       @Digits(integer = 11, fraction = 0)
        private Long roleId;
-       
-       
+
        @Column(name = "ROLE_Name")
+       @SafeHtml
+       @Size(max = 300)
+       @NotNull
        private String roleName;
        
        @ManyToOne(fetch = FetchType.EAGER)
        @JoinColumn(name="APP_ID")
+       @Valid
        private App app;
        
        @JsonIgnore
        @ManyToMany(fetch = FetchType.EAGER, cascade = {CascadeType.MERGE, CascadeType.PERSIST, CascadeType.REFRESH}, mappedBy="widgetRoles")
+       @Valid
        private Set<WidgetCatalog> widgets;
 
-       /*@PreRemove
-       private void removeGroupsFromUsers() {
-           for (WidgetCatalog w : widgets) {
-               w.getWidgetRoles().remove(this);
-           }
-       }*/
-       
-       /*@ManyToOne
-       @JoinColumn(name = "WIDGET_ID", nullable = false)
-       WidgetCatalog widgetCatalog;*/
-
-       //@JsonIgnore
-       //@ManyToMany(mappedBy = "widgetRoles")
-       //@ManyToMany(fetch = FetchType.EAGER, mappedBy = "widgetRoles")
-       //private Set<WidgetCatalog> widgets  = new HashSet<WidgetCatalog>();
-       
-       public Long getRoleId() {
-               return roleId;
-       }
-
-       public void setRoleId(Long roleId) {
-               this.roleId = roleId;
-       }
-
-       public String getRoleName() {
-               return roleName;
-       }
-
-       public void setRoleName(String roleName) {
-               this.roleName = roleName;
-       }
-
-       public App getApp() {
-               return app;
-       }
-
-       public void setApp(App app) {
-               this.app = app;
-       }
-       
-       public Set<WidgetCatalog> getWidgets() {
-               return widgets;
-       }
-
-       public void setWidgets(Set<WidgetCatalog> widgets) {
-               this.widgets = widgets;
-       }
-
        @Override
        public String toString() {
                return "RoleApp [roleId=" + roleId + ", roleName=" + roleName + ", app=" + app + "]";
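Review bot: `@Valid` on `widgets` cascades validation into every `WidgetCatalog` of an eagerly fetched, bidirectional `mappedBy` collection, so validating a single role now validates the whole widget graph on each call (the validator guards against cycles, not against the cost), and a pre-existing invalid widget would make an otherwise valid role fail validation; whether that is wanted depends on where `DataValidator` is invoked, and a comment on the field should say so. The class-level `@Getter`/`@Setter` reproduce the removed accessors (Lombok skips the static `serialVersionUID`), but the pom hunk earlier on this page declares `lombok` without `<scope>provided</scope>`, which ships an annotation processor in the runtime artifact if that pom belongs to this module. `roleName` gets `@SafeHtml` with its default relaxed whitelist, which still admits ordinary HTML tags in a field that should hold plain text.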