From a9a8be6107f6b9fdfe1bb477f6d41f8e1d817f84 Mon Sep 17 00:00:00 2001
From: Parshad Patel
Date: Mon, 9 Sep 2019 14:45:51 +0900
Subject: [PATCH] Set secure flag & log exception

Make sure creating this cookie without the "secure" flag is safe here
Either log or rethrow this exception
Change this instance-reference to a static reference

Issue-ID: PORTAL-562
Change-Id: I4b6e07ec54ec038c0d584816791ed5169e618676
Signed-off-by: Parshad Patel
---
 .../controller/ECOMPLogoutController.java | 143 +++++++++++----------
 .../portalapp/controller/PeerBroadcastSocket.java | 83 ++++++------
 .../portal/controller/AppsOSController.java | 132 +++++++++----------
 3 files changed, 179 insertions(+), 179 deletions(-)

diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/ECOMPLogoutController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/ECOMPLogoutController.java
index 062a2e2a..54fcf3af 100644
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/ECOMPLogoutController.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/ECOMPLogoutController.java
@@ -33,7 +33,7 @@
  *
  * ============LICENSE_END============================================
  *
- *
+ *
 */
 
 package org.onap.portalapp.controller;
@@ -62,72 +62,77 @@ import org.springframework.web.servlet.ModelAndView;
 @org.springframework.context.annotation.Configuration
 @EnableAspectJAutoProxy
 @Profile("src")
-public class ECOMPLogoutController extends EPUnRestrictedBaseController{
-
- private EPUser user;
- private static final String EP_SERVICE = "EPService";
- EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(ECOMPLogoutController.class);
-
- @EPAuditLog
- @RequestMapping(value = {"/logout.htm" }, method = RequestMethod.GET)
- public ModelAndView logOut(HttpServletRequest request,
- HttpServletResponse response) throws Exception {
-
- ModelAndView modelView = null;
-
- chatRoomLogout(request);
- logger.debug(EELFLoggerDelegate.debugLogger, "ECOMPLogoutController.handleRequestInternal - Logout request received.");
-
- modelView = new ModelAndView("redirect:login.htm");
-
- /**
- if (UserUtils.isClientMobileDevice(request)){
- modelView.setViewName(modelView.getViewName().concat("?viewType=mobile"));
- }
- */
- String cookieDoamin = EPSystemProperties.getProperty(EPSystemProperties.COOKIE_DOMAIN);
- Cookie epCookie = new Cookie(EP_SERVICE, "");
- epCookie.setMaxAge(0);
- epCookie.setDomain(cookieDoamin);
- epCookie.setPath("/");
-
- Cookie appHeaderCookie = new Cookie("show_app_header", "");
- appHeaderCookie.setMaxAge(0);
- appHeaderCookie.setDomain(cookieDoamin);
- appHeaderCookie.setPath("/");
-
- Cookie appTabCookie = new Cookie("cookieTabs", "");
- appTabCookie.setMaxAge(0);
- appTabCookie.setDomain(cookieDoamin);
- appTabCookie.setPath("/");
-
- Cookie appVisInvisTabCookie = new Cookie("visInVisCookieTabs", "");
- appVisInvisTabCookie.setMaxAge(0);
- appVisInvisTabCookie.setDomain(cookieDoamin);
- appVisInvisTabCookie.setPath("/");
-
- response.addCookie(epCookie);
- response.addCookie(appHeaderCookie);
- response.addCookie(appTabCookie);
- response.addCookie(appVisInvisTabCookie);
- request.getSession().invalidate();
-
- logger.debug(EELFLoggerDelegate.debugLogger,
"ECOMPLogoutController.handleRequestInternal - Successfully processed the logout request.");
-
- return modelView;
- }
-
- @EPMetricsLog
- public void chatRoomLogout(HttpServletRequest request){
- request = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes()).getRequest();
- setUser(EPUserUtils.getUserSession(request));
- }
-
- public EPUser getUser() {
- return user;
- }
-
- public void setUser(EPUser user) {
- this.user = user;
- }
+public class ECOMPLogoutController extends EPUnRestrictedBaseController {
+
+ private EPUser user;
+ private static final String EP_SERVICE = "EPService";
+ EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(ECOMPLogoutController.class);
+
+ @EPAuditLog
+ @RequestMapping(value = { "/logout.htm" }, method = RequestMethod.GET)
+ public ModelAndView logOut(HttpServletRequest request,
+ HttpServletResponse response) throws Exception {
+
+ ModelAndView modelView = null;
+
+ chatRoomLogout(request);
+ logger.debug(EELFLoggerDelegate.debugLogger,
+ "ECOMPLogoutController.handleRequestInternal - Logout request received.");
+
+ modelView = new ModelAndView("redirect:login.htm");
+
+ /**
+ * if (UserUtils.isClientMobileDevice(request)){
+ * modelView.setViewName(modelView.getViewName().concat("?viewType=mobile")); }
+ */
+ String cookieDoamin = EPSystemProperties.getProperty(EPSystemProperties.COOKIE_DOMAIN);
+ Cookie epCookie = new Cookie(EP_SERVICE, "");
+ epCookie.setSecure(true);
+ epCookie.setMaxAge(0);
+ epCookie.setDomain(cookieDoamin);
+ epCookie.setPath("/");
+
+ Cookie appHeaderCookie = new Cookie("show_app_header", "");
+ appHeaderCookie.setSecure(true);
+ appHeaderCookie.setMaxAge(0);
+ appHeaderCookie.setDomain(cookieDoamin);
+ appHeaderCookie.setPath("/");
+
+ Cookie appTabCookie = new Cookie("cookieTabs", "");
+ appTabCookie.setSecure(true);
+ appTabCookie.setMaxAge(0);
+ appTabCookie.setDomain(cookieDoamin);
+ appTabCookie.setPath("/");
+
+ Cookie appVisInvisTabCookie = new
Cookie("visInVisCookieTabs", "");
+ appVisInvisTabCookie.setSecure(true);
+ appVisInvisTabCookie.setMaxAge(0);
+ appVisInvisTabCookie.setDomain(cookieDoamin);
+ appVisInvisTabCookie.setPath("/");
+
+ response.addCookie(epCookie);
+ response.addCookie(appHeaderCookie);
+ response.addCookie(appTabCookie);
+ response.addCookie(appVisInvisTabCookie);
+ request.getSession().invalidate();
+
+ logger.debug(EELFLoggerDelegate.debugLogger,
+ "ECOMPLogoutController.handleRequestInternal - Successfully processed the logout request.");
+
+ return modelView;
+ }
+
+ @EPMetricsLog
+ public void chatRoomLogout(HttpServletRequest request) {
+ request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
+ setUser(EPUserUtils.getUserSession(request));
+ }
+
+ public EPUser getUser() {
+ return user;
+ }
+
+ public void setUser(EPUser user) {
+ this.user = user;
+ }
 }
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/PeerBroadcastSocket.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/PeerBroadcastSocket.java
index c80419f9..de8524e0 100644
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/PeerBroadcastSocket.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/PeerBroadcastSocket.java
@@ -35,7 +35,7 @@
  *
  * ============LICENSE_END============================================
  *
- *
+ *
 */
 
 package org.onap.portalapp.controller;
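Review bot: Setting Secure on the four expiry cookies in logOut means a browser only honours the deletion when the logout response itself arrives over HTTPS; on an http:// deployment the server-side session is still invalidated but `EPService` and the three UI cookies stay in the browser, so either confirm the portal is TLS-only or derive the flag from `request.isSecure()` so the deletion matches the scheme the cookie was issued on. The same five-statement cookie set-up is now repeated four times; a small helper keeps the attributes in one place and makes the Secure decision a single line to change (below). The class-level `logger` is still a package-private instance field, the pattern the commit message calls out in the other two files, and `private static final` would bring it in line. Lastly, `user` is mutable state on what looks like a singleton controller, written by chatRoomLogout on every request, so two concurrent logouts can overwrite each other's value — if nothing consumes getUser() it is safer to drop the field than to keep it.
```java
    // Builds an already-expired cookie so the browser discards its stored copy.
    // Secure means the deletion is only accepted over HTTPS (see note).
    private static Cookie expiredCookie(String name, String domain) {
        Cookie cookie = new Cookie(name, "");
        cookie.setSecure(true);
        cookie.setMaxAge(0);
        cookie.setDomain(domain);
        cookie.setPath("/");
        return cookie;
    }

    // … unchanged: logOut() up to and including the COOKIE_DOMAIN lookup …
        response.addCookie(expiredCookie(EP_SERVICE, cookieDoamin));
        response.addCookie(expiredCookie("show_app_header", cookieDoamin));
        response.addCookie(expiredCookie("cookieTabs", cookieDoamin));
        response.addCookie(expiredCookie("visInVisCookieTabs", cookieDoamin));
        request.getSession().invalidate();
    // … unchanged: debug log and return modelView …
```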
@@ -53,51 +53,50 @@ import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 @ServerEndpoint("/opencontact")
 public class PeerBroadcastSocket {
 
- private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(PeerBroadcastSocket.class);
- private static final ObjectMapper mapper = new ObjectMapper();
+ private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(PeerBroadcastSocket.class);
+ private static final ObjectMapper mapper = new ObjectMapper();
 
- protected static final Map channelMap = new HashMap<>();
- private Map sessionMap = new HashMap<>();
+ private static final Map channelMap = new HashMap<>();
+ private Map sessionMap = new HashMap<>();
 
- @OnMessage
- public void message(String message, Session session) {
- try {
- Map jsonObject = mapper.readValue(message, Map.class);
- save(jsonObject, session);
- } catch (Exception ex) {
- logger.error(EELFLoggerDelegate.errorLogger, "Failed" + ex.getMessage());
- }
- }
+ @OnMessage
+ public void message(String message, Session session) {
+ try {
+ Map jsonObject = mapper.readValue(message, Map.class);
+ save(jsonObject, session);
+ } catch (Exception ex) {
+ logger.error(EELFLoggerDelegate.errorLogger, "Failed", ex);
+ }
+ }
 
- @OnOpen
- public void open(Session session) {
- logger.info(EELFLoggerDelegate.debugLogger, "Channel opened");
- }
+ @OnOpen
+ public void open(Session session) {
+ logger.info(EELFLoggerDelegate.debugLogger, "Channel opened");
+ }
 
- @OnClose
- public void close(Session session) {
- String channel = sessionMap.get(session.getId());
- if (channel != null) {
- Object sessObj = channelMap.get(channel);
- if (sessObj != null) {
- try {
- ((Session) sessObj).close();
- } catch (IOException e) {
- logger.error(EELFLoggerDelegate.errorLogger, "Failed to close" + e.getMessage());
- }
- }
- channelMap.remove(channel);
- }
- logger.info(EELFLoggerDelegate.debugLogger, "Channel closed");
- }
+ @OnClose
+ public void close(Session session) {
+ String channel =
sessionMap.get(session.getId());
+ if (channel != null) {
+ Object sessObj = channelMap.get(channel);
+ if (sessObj != null) {
+ try {
+ ((Session) sessObj).close();
+ } catch (IOException e) {
+ logger.error(EELFLoggerDelegate.errorLogger, "Failed to close", e);
+ }
+ }
+ channelMap.remove(channel);
+ }
+ logger.info(EELFLoggerDelegate.debugLogger, "Channel closed");
+ }
 
- private void save(Map jsonObject, Session session) {
- final Optional from = Optional.of(jsonObject.get("from").toString());
- if (from.isPresent() && channelMap.get(from.get()) == null) {
- this.channelMap.put(from.toString(), session);
- this.sessionMap.put(session.getId(), from.toString());
- }
- }
+ private void save(Map jsonObject, Session session) {
+ final Optional from = Optional.of(jsonObject.get("from").toString());
+ if (from.isPresent() && channelMap.get(from.get()) == null) {
+ channelMap.put(from.toString(), session);
+ this.sessionMap.put(session.getId(), from.toString());
+ }
+ }
 
 }
-
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
index e109ef5d..b1154aa3 100644
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
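Review bot: In save(), the channel is registered under `from.toString()`, which on an Optional yields the text `Optional[...]` rather than the wrapped value, while the duplicate check on the line above looks up `from.get()`; the guard therefore never finds an existing entry and a later message with the same `from` silently replaces the session stored for it. Both puts should use the unwrapped value: `channelMap.put(from.get(), session);` and `this.sessionMap.put(session.getId(), from.get());`. Now that `channelMap` is a static field shared by every endpoint instance, it is a plain HashMap mutated from concurrent WebSocket callbacks; `private static final Map channelMap = new ConcurrentHashMap<>();` (java.util.concurrent) removes that race. `Optional.of(jsonObject.get("from").toString())` also throws NullPointerException when the key is absent, which message() now logs with a full stack trace — a null check before wrapping gives a clearer "missing from" error. The `from` value is taken straight from the client message as the channel identity; if it is meant to name a user, it should presumably be tied to the authenticated session rather than trusted as sent.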
@@ -39,23 +39,17 @@ package org.onap.portalapp.portal.controller;
 import java.util.HashMap;
 import java.util.Map;
-
 import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
-
 import javax.validation.ConstraintViolation;
 import javax.validation.Validation;
 import javax.validation.Validator;
 import javax.validation.ValidatorFactory;
-import lombok.NoArgsConstructor;
 import org.json.JSONObject;
 import org.onap.portalapp.portal.domain.EPUser;
 import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
 import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
 import org.onap.portalapp.portal.logging.aop.EPAuditLog;
-import org.onap.portalapp.portal.service.AdminRolesService;
-import org.onap.portalapp.portal.service.EPAppService;
-import org.onap.portalapp.portal.service.PersUserAppService;
 import org.onap.portalapp.portal.service.UserService;
 import org.onap.portalapp.util.EPUserUtils;
 import org.onap.portalapp.validation.SecureString;
@@ -68,6 +62,7 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
+import lombok.NoArgsConstructor;
 
 @RestController
 @Configuration
@@ -75,73 +70,74 @@ import org.springframework.web.bind.annotation.RestController;
 @EPAuditLog
 @NoArgsConstructor
 public class AppsOSController extends AppsController {
- private static final ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory();
-
- private static final String FAILURE = "failure";
- private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class);
+ private static final ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory();
 
- @Autowired
- UserService userService;
+ private static final String FAILURE = "failure";
+ private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class);
+
+ @Autowired
+ UserService userService;
+
+ /**
+ * Create new application's contact us details.
+ *
+ * @param contactUs
+ * @return
+ */
+ @RequestMapping(value = "/portalApi/saveNewUser", method = RequestMethod.POST, produces = "application/json")
+ public PortalRestResponse saveNewUser(HttpServletRequest request, @RequestBody EPUser newUser) {
+ EPUser user = EPUserUtils.getUserSession(request);
+ if (newUser == null)
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE,
+ "New User cannot be null or empty");
+
+ if (!(super.getAdminRolesService().isSuperAdmin(user) || super.getAdminRolesService().isAccountAdmin(user))
+ && !user.getLoginId().equalsIgnoreCase(newUser.getLoginId())) {
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE,
+ "UnAuthorized");
+ }
 
- /**
- * Create new application's contact us details.
- *
- * @param contactUs
- * @return
- */
- @RequestMapping(value = "/portalApi/saveNewUser", method = RequestMethod.POST, produces = "application/json")
- public PortalRestResponse saveNewUser(HttpServletRequest request,@RequestBody EPUser newUser) {
- EPUser user = EPUserUtils.getUserSession(request);
- if (newUser == null)
- return new PortalRestResponse(PortalRestStatusEnum.ERROR, FAILURE,
- "New User cannot be null or empty");
-
- if (!(super.getAdminRolesService().isSuperAdmin(user) || super.getAdminRolesService().isAccountAdmin(user))){
- if(!user.getLoginId().equalsIgnoreCase(newUser.getLoginId()))
- return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE,
- "UnAuthorized");
- }
-
 String checkDuplicate = request.getParameter("isCheck");
- String saveNewUser = FAILURE;
- try {
- saveNewUser = userService.saveNewUser(newUser,checkDuplicate);
- } catch (Exception e) {
- return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveNewUser, e.getMessage());
- }
- return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveNewUser, "");
- }
-
- @RequestMapping(value = { "/portalApi/currentUserProfile/{loginId}" }, method = RequestMethod.GET, produces = "application/json")
- public String getCurrentUserProfile(HttpServletRequest request, @PathVariable("loginId") String loginId) {
+ String saveNewUser = FAILURE;
+ try {
+ saveNewUser = userService.saveNewUser(newUser, checkDuplicate);
+ } catch (Exception e) {
+ logger.error(EELFLoggerDelegate.errorLogger, "Exception in saveNewUser", e);
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveNewUser, e.getMessage());
+ }
+ return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveNewUser, "");
+ }
+
+ @RequestMapping(value = { "/portalApi/currentUserProfile/{loginId}" }, method = RequestMethod.GET,
+ produces = "application/json")
+ public String getCurrentUserProfile(HttpServletRequest request, @PathVariable("loginId") String loginId) {
 
- if(loginId != null){
- Validator validator =
validatorFactory.getValidator();
- SecureString secureString = new SecureString(loginId);
- Set> constraintViolations = validator.validate(secureString);
+ if (loginId != null) {
+ Validator validator = validatorFactory.getValidator();
+ SecureString secureString = new SecureString(loginId);
+ Set> constraintViolations = validator.validate(secureString);
 
- if (!constraintViolations.isEmpty()){
- return "loginId is not valid";
- }
- }
+ if (!constraintViolations.isEmpty()) {
+ return "loginId is not valid";
+ }
+ }
 
-
- Map map = new HashMap<>();
- EPUser user;
- try {
- user = (EPUser) userService.getUserByUserId(loginId).get(0);
- map.put("firstName", user.getFirstName());
- map.put("lastName", user.getLastName());
- map.put("email", user.getEmail());
- map.put("loginId", user.getLoginId());
- map.put("loginPwd",user.getLoginPwd());
- map.put("middleInitial",user.getMiddleInitial());
- } catch (Exception e) {
- logger.error(EELFLoggerDelegate.errorLogger, "Failed to get user info", e);
- }
+ Map map = new HashMap<>();
+ EPUser user;
+ try {
+ user = (EPUser) userService.getUserByUserId(loginId).get(0);
+ map.put("firstName", user.getFirstName());
+ map.put("lastName", user.getLastName());
+ map.put("email", user.getEmail());
+ map.put("loginId", user.getLoginId());
+ map.put("loginPwd", user.getLoginPwd());
+ map.put("middleInitial", user.getMiddleInitial());
+ } catch (Exception e) {
+ logger.error(EELFLoggerDelegate.errorLogger, "Failed to get user info", e);
+ }
 
- JSONObject j = new JSONObject(map);
- return j.toString();
- }
+ JSONObject j = new JSONObject(map);
+ return j.toString();
+ }
 
-}
\ No newline at end of file
+}
-- 
2.16.6
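Review bot: getCurrentUserProfile copies `user.getLoginPwd()` into the JSON it returns (`map.put("loginPwd", user.getLoginPwd());`), so whatever credential value EPUser stores is sent to the browser on every profile lookup; that entry should be dropped unless a caller demonstrably needs it, since a stored password or its hash never belongs in a response body. The method also performs no ownership or admin check on the path `loginId`, whereas saveNewUser just above compares the session user with the target, so unless a filter outside this file restricts the route any authenticated caller can fetch any other user's profile — the guard below mirrors the existing one. In saveNewUser, `user` from `EPUserUtils.getUserSession(request)` is dereferenced without a null check, so a request with no session user fails with a NullPointerException instead of the "UnAuthorized" response. The Javadoc above saveNewUser still says "Create new application's contact us details." with `@param contactUs`; it should describe `request`, `newUser` (the submitted EPUser) and the PortalRestResponse that reports OK or ERROR with a message.
```java
    public String getCurrentUserProfile(HttpServletRequest request, @PathVariable("loginId") String loginId) {
        // Same rule as saveNewUser: only an admin, or the user themselves, may read a profile.
        EPUser sessionUser = EPUserUtils.getUserSession(request);
        if (sessionUser == null
                || (!(super.getAdminRolesService().isSuperAdmin(sessionUser)
                        || super.getAdminRolesService().isAccountAdmin(sessionUser))
                        && !sessionUser.getLoginId().equalsIgnoreCase(loginId))) {
            return "UnAuthorized";
        }
        // … unchanged: SecureString validation of loginId …
        // … unchanged: user lookup and map population, with the "loginPwd" entry removed …
```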