From f9a1944a4b3cda8d9708087902a52baa40c0e2ea Mon Sep 17 00:00:00 2001
From: "r.bogacki"
Date: Wed, 22 May 2019 12:27:53 +0200
Subject: [PATCH] Removed user password from portal's profile API

ONAP Portal allowed to retrieve password of currently active user via "/portalApi/loggedinUser" endpoint. Prefilled "Login Password" field has been changed to "*****" and password is not send anymore to the frontend. Only after change of this default value password will be updated. Confirm Password field has been removed from the UI. In the future password change could be additionally also checked on the backend side to verify current password before updating it.

Issue-ID: OJSI-65
Signed-off-by: Robert Bogacki
Reviewed-by: Krzysztof Opasiak
Acked-by: Manoop Talasila
Change-Id: I00b7713557247d211927c437f31f118095ad0726
---
 .../java/org/onap/portalapp/portal/controller/UserController.java | 8 ++++++--
 .../views/header/profile-edit-dialogs/profile-edit.controller.js | 7 +------
 .../src/views/header/profile-edit-dialogs/profile-edit.modal.html | 5 -----
 3 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/UserController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/UserController.java
index f4fab562..fc76a0e6 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/UserController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/UserController.java
@@ -69,6 +69,8 @@ public class UserController extends EPRestrictedBaseController {
 @Autowired
 private UserService userService;
+ private static final String HIDDEN_DEFAULT_PASSWORD = "*****";
+
 /**
 * RESTful service method to get ONAP Logged in User details.
 *
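Review bot: `HIDDEN_DEFAULT_PASSWORD` is an in-band sentinel whose exact value the frontend must reproduce, yet the constant carries no documentation saying so; the hunk at line 126 compares submitted passwords against it, so the two sides silently depend on each other. A one-line Javadoc would make that contract visible, e.g. `/** Placeholder returned in place of the real password by /portalApi/loggedinUser; a profile update that echoes it back leaves the stored password unchanged. */`. It would also be worth noting in that comment that the UI's prefilled value must stay byte-identical to this string.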
@@ -83,7 +85,7 @@ public class UserController extends EPRestrictedBaseController {
 try {
 EPUser user = EPUserUtils.getUserSession(request);
 ProfileDetail profileDetail = new ProfileDetail(user.getFirstName(), user.getLastName(),
- user.getMiddleInitial(), user.getEmail(), user.getLoginId(), CipherUtil.decryptPKC(user.getLoginPwd()));
+ user.getMiddleInitial(), user.getEmail(), user.getLoginId(), HIDDEN_DEFAULT_PASSWORD);
 portalRestResponse = new PortalRestResponse(PortalRestStatusEnum.OK, "success", profileDetail);
 EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/loggedinUser", "result =", profileDetail);
@@ -124,7 +126,9 @@ public class UserController extends EPRestrictedBaseController {
 user.setEmail(profileDetail.getEmail());
 user.setMiddleInitial(profileDetail.getMiddleName());
 user.setLoginId(profileDetail.getLoginId());
- user.setLoginPwd(CipherUtil.encryptPKC(profileDetail.getLoginPassword()));
+ if (!HIDDEN_DEFAULT_PASSWORD.equals(profileDetail.getLoginPassword())){
+ user.setLoginPwd(CipherUtil.encryptPKC(profileDetail.getLoginPassword()));
+ }
 userService.saveUser(user);
 // Update user info in the session
 request.getSession().setAttribute(SystemProperties.getProperty(SystemProperties.USER_ATTRIBUTE_NAME),
diff --git a/ecomp-portal-FE-os/client/src/views/header/profile-edit-dialogs/profile-edit.controller.js b/ecomp-portal-FE-os/client/src/views/header/profile-edit-dialogs/profile-edit.controller.js
index 385697fa..597f9b37 100644
--- a/ecomp-portal-FE-os/client/src/views/header/profile-edit-dialogs/profile-edit.controller.js
+++ b/ecomp-portal-FE-os/client/src/views/header/profile-edit-dialogs/profile-edit.controller.js
@@ -45,7 +45,6 @@
 this.email ='';
 this.loginId ='';
 this.loginPwd ='';
- this.confirmLoginPwd=''
 this.isLoading = false;
 let getUser = () => {
 this.isLoading = true;
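Review bot: The last context line, `EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/loggedinUser", "result =", profileDetail);`, serializes the same `profileDetail` whose `loginPassword` field on the removed line was filled from `CipherUtil.decryptPKC(user.getLoginPwd())`, so log files written before this change presumably hold plaintext credentials and should be treated as such (inferred: it depends on what `logAndSerializeObject` actually writes). With the placeholder now in that field the line is harmless, but a comment on the constructor call such as `// loginPassword is HIDDEN_DEFAULT_PASSWORD here, never the real credential; the object is logged below` would stop a later edit from re-populating it. The enclosing method starts before the hunk and ends after it.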
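Review bot: The added guard at line 126 makes the literal string `*****` unusable as a password: a user who chooses it sees the save succeed while the stored password is silently left unchanged, with no error and no log line distinguishing the two cases. Reading the value once and documenting the branch makes this explicit, e.g. `String newPwd = profileDetail.getLoginPassword();` followed by `// placeholder echoed back by the UI means "password not edited"` above `if (!HIDDEN_DEFAULT_PASSWORD.equals(newPwd)) {`, and the same condition is the place to reject a null or empty `newPwd` before it reaches `CipherUtil.encryptPKC` (the removed line had the same gap, so this is not a regression). Style-wise the brace on that line needs a space, `)) {`. The commit message already notes that the current password is not verified server-side; the enclosing method continues outside the hunk.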
@@ -75,14 +74,10 @@
 loginId :this.loginId,
 loginPassword :this.loginPwd
 }
- if (this.firstName =='' || this.lastName == '' || this.email == '' || this.loginId =='' || this.loginPwd ==''|| this.confirmLoginPwd ==''){
+ if (this.firstName =='' || this.lastName == '' || this.email == '' || this.loginId =='' || this.loginPwd ==''){
 var warningMsg = "Please enter a value for all fields marked with *.";
 confirmBoxService.showInformation(warningMsg).then(isConfirmed => {return;});
 return;
- } else if (this.loginPwd != this.confirmLoginPwd) {
- var warningMsg = "Passwords do not match, please try again.";
- confirmBoxService.showInformation(warningMsg).then(isConfirmed => {return;});
- return;
 } else {
 // check password length complexity.
 var warningMsg = adminsService.isComplexPassword(this.loginPwd);
diff --git a/ecomp-portal-FE-os/client/src/views/header/profile-edit-dialogs/profile-edit.modal.html b/ecomp-portal-FE-os/client/src/views/header/profile-edit-dialogs/profile-edit.modal.html
index 79c85a18..2ccb03c6 100644
--- a/ecomp-portal-FE-os/client/src/views/header/profile-edit-dialogs/profile-edit.modal.html
+++ b/ecomp-portal-FE-os/client/src/views/header/profile-edit-dialogs/profile-edit.modal.html
@@ -67,11 +67,6 @@
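Review bot: The complexity check on the hunk's last line, `var warningMsg = adminsService.isComplexPassword(this.loginPwd);`, now runs on the prefilled placeholder whenever the user edits only name or email, since per the commit message the field arrives as `*****`; unless `isComplexPassword` happens to accept five asterisks, a profile change without a new password can no longer be saved (inferred: how the result is handled lies outside the hunk). A guard such as `if (this.loginPwd !== '*****') { ... complexity check ... }` or skipping validation when the field is untouched would avoid that, and the placeholder literal should be one named constant in this controller rather than a repeated string that must match the backend's `HIDDEN_DEFAULT_PASSWORD`. The enclosing function starts before the hunk and ends after it.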
*Login Password
-
-
*Confirm Login Password
- -
-- 2.16.6