From: Christopher Lott (cl778h) <clott@research.att.com>
Date: Sat, 28 Oct 2017 00:25:51 +0000 (-0400)
Subject: Enhance authentication to fix a vulnerability
X-Git-Tag: v1.3.0~3
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=portal.git;a=commitdiff_plain;h=53335559e46f5037fdb562e53e06c828aed6e83a

Enhance authentication to fix a vulnerability

Issue: PORTAL-137
Change-Id: I7e2a5544653ac2067da7231d878009b260dc740f
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
(cherry picked from commit 6f2918cc2a4f67b692f91e4e5a40c122a75ed402)
---

diff --git a/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java
index f4710478..a06d89ac 100644
--- a/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java
@@ -41,25 +41,25 @@ import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.EnableAspectJAutoProxy;
-import org.springframework.stereotype.Service;
-import org.springframework.transaction.annotation.Transactional;
-
-import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.openecomp.portalsdk.core.menu.MenuBuilder;
-import org.openecomp.portalsdk.core.service.DataAccessService;
-import org.openecomp.portalsdk.core.service.support.FusionService;
-import org.openecomp.portalsdk.core.util.SystemProperties;
-import org.openecomp.portalsdk.core.web.support.AppUtils;
 import org.openecomp.portalapp.command.EPLoginBean;
 import org.openecomp.portalapp.portal.domain.EPUser;
 import org.openecomp.portalapp.portal.logging.aop.EPMetricsLog;
 import org.openecomp.portalapp.portal.logging.format.EPAppMessagesEnum;
 import org.openecomp.portalapp.portal.logging.logic.EPLogUtil;
 import org.openecomp.portalapp.util.EPUserUtils;
+import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.openecomp.portalsdk.core.menu.MenuBuilder;
+import org.openecomp.portalsdk.core.service.DataAccessService;
+import org.openecomp.portalsdk.core.service.support.FusionService;
+import org.openecomp.portalsdk.core.util.SystemProperties;
+import org.openecomp.portalsdk.core.web.support.AppUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.EnableAspectJAutoProxy;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
 
 @Service("eploginService")
 @Transactional
@@ -179,43 +179,33 @@ public class EPLoginServiceImpl extends FusionService implements EPLoginService
 	 * @param password
 	 * @return EPUser object; null on error or if no match.
 	 */
+	@SuppressWarnings("rawtypes")
 	private EPUser findUser(String loginId, String password) {
-		List<?> list = null;
-
-		StringBuffer criteria = new StringBuffer();
-		criteria.append(" where login_id = '").append(loginId).append("'").append(" and login_pwd = '").append(password)
-				.append("'");
-
+		Map<String, String> params = new HashMap<>();
+		params.put("login_id", loginId);
+		params.put("login_pwd", password);
+		List list = null;
 		try {
-			list = getDataAccessService().getList(EPUser.class, criteria.toString(), null, null);
+			list = dataAccessService.executeNamedQuery("getEPUserByLoginIdLoginPwd", params, new HashMap());
 		} catch (Exception e) {
 			EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e);
-			logger.error(EELFLoggerDelegate.errorLogger, "findUser(String) failed on " + loginId, e);
+			logger.error(EELFLoggerDelegate.errorLogger, "findUser failed on " + loginId, e);
 		}
-
-		return (list == null || list.size() == 0) ? null : (EPUser) list.get(0);
+		return (list == null || list.isEmpty()) ? null : (EPUser) list.get(0);
 	}
 
-	/*
-	 * (non-Javadoc)
-	 * @see org.openecomp.portalapp.portal.service.EPLoginService#findUserWithoutPwd(java.lang.String)
-	 */
-	@Override
+	@SuppressWarnings("rawtypes")
 	public EPUser findUserWithoutPwd(String loginId) {
-		List<?> list = null;
-
-		StringBuffer criteria = new StringBuffer();
-		criteria.append(" where login_id = '").append(loginId).append("'");
-
+		Map<String, String> params = new HashMap<>();
+		params.put("login_id", loginId);
+		List list = null;
 		try {
-			list = getDataAccessService().getList(EPUser.class, criteria.toString(), null, null);
+			list = dataAccessService.executeNamedQuery("getEPUserByLoginId", params, new HashMap());
 		} catch (Exception e) {
 			EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e);
-			String message = "findUserWithoutPwd failed on " + loginId;
-			logger.error(EELFLoggerDelegate.errorLogger, message, e);
+			logger.error(EELFLoggerDelegate.errorLogger, "findUserWithoutPwd failed on " + loginId, e);
 		}
-
-		return (list == null || list.size() == 0) ? null : (EPUser) list.get(0);
+		return (list == null || list.isEmpty()) ? null : (EPUser) list.get(0);
 	}
 
 	/**
@@ -225,20 +215,18 @@ public class EPLoginServiceImpl extends FusionService implements EPLoginService
 	 * @param bean
 	 * @return EPUser object; null on error or if no match.
 	 */
+	@SuppressWarnings("rawtypes")
 	private EPUser findUser(EPLoginBean bean) {
-		List<?> list = null;
-
-		StringBuffer criteria = new StringBuffer();
-		criteria.append(" where orgUserId = '").append(bean.getOrgUserId()).append("'");
-
+		Map<String, String> params = new HashMap<>();
+		params.put("org_user_id", bean.getOrgUserId());
+		List list = null;
 		try {
-			list = getDataAccessService().getList(EPUser.class, criteria.toString(), null, null);
+			list = dataAccessService.executeNamedQuery("getUserByOrgUserId", params, new HashMap());
 		} catch (Exception e) {
 			EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e);
 			logger.error(EELFLoggerDelegate.errorLogger, "findUser(EPLoginBean) failed", e);
 		}
-
-		return (list == null || list.size() == 0) ? null : (EPUser) list.get(0);
+		return (list == null || list.isEmpty()) ? null : (EPUser) list.get(0);
 	}
 
 	public DataAccessService getDataAccessService() {
diff --git a/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml b/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml
index 8fa11e01..8fe369fa 100644
--- a/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml
+++ b/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml
@@ -1961,4 +1961,23 @@ where fn_role.app_id = fn_app.app_id and fn_app.enabled='Y' and fn_role.active_y
             ;
 		]]>
 	</sql-query>
+	
+    <query name="getEPUserByOrgUserId">
+	<![CDATA[
+		FROM EPUser WHERE orgUserId = :org_user_id
+	]]>
+    </query>
+
+	<query name="getEPUserByLoginId">
+	<![CDATA[
+		FROM EPUser WHERE loginId = :login_id
+	]]>
+    </query>
+
+    <query name="getEPUserByLoginIdLoginPwd">
+	<![CDATA[
+		FROM EPUser WHERE loginId = :login_id and loginPwd = :login_pwd		
+	]]>
+    </query>
+
 </hibernate-mapping>