From 0bf1e8c65fb6b3c2a011e25587500fa45d50d6c0 Mon Sep 17 00:00:00 2001
From: elinuxhenrik
Date: Wed, 11 Mar 2020 15:28:46 +0100
Subject: [PATCH] Remove Security issue and bug and fix copyrights
Change-Id: I3190a0fbca8df4e861edd82b1c900e19c1b6c24a
Issue-ID: NONRTRIC-141
Signed-off-by: elinuxhenrik
---
.../oransc/ric/portal/dashboard/DashboardApplication.java | 1 +
.../oransc/ric/portal/dashboard/DashboardUserManager.java | 1 +
.../ric/portal/dashboard/config/SpringContextCache.java | 1 +
.../controller/CustomResponseEntityExceptionHandler.java | 4 +++-
.../portal/dashboard/controller/SimpleErrorController.java | 1 +
.../oransc/ric/portal/dashboard/model/EcompUserDetails.java | 12 ++++++++++--
.../ric/portal/dashboard/policyagentapi/PolicyAgentApi.java | 2 +-
.../portal/dashboard/policyagentapi/PolicyAgentApiImpl.java | 2 +-
.../ric/portal/dashboard/portalapi/PortalAuthManager.java | 1 +
.../dashboard/portalapi/PortalAuthenticationFilter.java | 1 +
.../dashboard/portalapi/PortalRestCentralServiceImpl.java | 1 +
.../portal/dashboard/portalapi/PortalSdkDecryptorAes.java | 1 +
.../ric/portal/dashboard/util/HttpsURLConnectionUtils.java | 8 ++++----
.../org/oransc/ric/portal/dashboard/DashboardTestServer.java | 1 +
.../dashboard/config/PolicyControllerMockConfiguration.java | 1 +
15 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/DashboardApplication.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/DashboardApplication.java
index b492ebd1..7602c06d 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/DashboardApplication.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/DashboardApplication.java
@@ -3,6 +3,7 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 AT&T Intellectual Property
+ * Modifications Copyright (C) 2020 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/DashboardUserManager.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/DashboardUserManager.java
index ee5f3e10..0de3ae2b 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/DashboardUserManager.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/DashboardUserManager.java
@@ -3,6 +3,7 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 AT&T Intellectual Property
+ * Modifications Copyright (C) 2020 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/SpringContextCache.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/SpringContextCache.java
index aaf46650..3887e53e 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/SpringContextCache.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/SpringContextCache.java
@@ -3,6 +3,7 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 AT&T Intellectual Property
+ * Modifications Copyright (C) 2020 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/controller/CustomResponseEntityExceptionHandler.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/controller/CustomResponseEntityExceptionHandler.java
index 52a51fb0..b113d644 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/controller/CustomResponseEntityExceptionHandler.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/controller/CustomResponseEntityExceptionHandler.java
@@ -3,6 +3,7 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 AT&T Intellectual Property
+ * Modifications Copyright (C) 2020 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -69,7 +70,8 @@ public class CustomResponseEntityExceptionHandler extends ResponseEntityExceptio
 @ExceptionHandler({RestClientResponseException.class})
 public final ResponseEntity handleProxyMethodException(Exception ex, WebRequest request) {
 // Capture the full stack trace in the log.
- log.error("handleProxyMethodException: request {}, exception {}", request.getDescription(false), ex);
+ log.error("handleProxyMethodException: request {}, exception {}", request.getDescription(false),
+ ex.getMessage());
 if (ex instanceof HttpStatusCodeException) {
 HttpStatusCodeException hsce = (HttpStatusCodeException) ex;
 return new ResponseEntity<>(new ErrorTransport(hsce.getRawStatusCode(), hsce.getResponseBodyAsString(),
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/controller/SimpleErrorController.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/controller/SimpleErrorController.java
index 78f5ca98..23af7860 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/controller/SimpleErrorController.java
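Review bot: The context comment `// Capture the full stack trace in the log.` no longer describes the new `log.error` call in `handleProxyMethodException`, which passes `ex.getMessage()` and so records only the message text. If the trace is still wanted for diagnosing upstream failures, pass the exception as an extra trailing argument after the placeholder values, `request.getDescription(false), ex.getMessage(), ex);`, which SLF4J-style loggers (suggested by the `{}` placeholders) treat as the throwable to print. If dropping the trace is intentional, reword the comment to say so, e.g. `// Log the exception message only; the stack trace is intentionally omitted.` The method body continues past the end of the hunk.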
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/controller/SimpleErrorController.java
@@ -3,6 +3,7 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 AT&T Intellectual Property
+ * Modifications Copyright (C) 2020 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/model/EcompUserDetails.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/model/EcompUserDetails.java
index bfeb7d1e..f58dae8e 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/model/EcompUserDetails.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/model/EcompUserDetails.java
@@ -3,13 +3,14 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 AT&T Intellectual Property
+ * Modifications Copyright (C) 2020 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
- *
+ *
 * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -46,6 +47,7 @@ public class EcompUserDetails implements UserDetails {
 * Gets a list of authorities (roles) for this user. To keep Spring happy, every
 * item has prefix ROLE_.
 */
+ @Override
 public Collection getAuthorities() {
 List roleList = new ArrayList<>();
 Iterator roleIter = ecompUser.getRoles().iterator();
@@ -58,26 +60,32 @@ public class EcompUserDetails implements UserDetails { return roleList; } + @Override public String getPassword() { return null; } + @Override public String getUsername() { return ecompUser.getLoginId(); } + @Override public boolean isAccountNonExpired() { return true; } + @Override public boolean isAccountNonLocked() { return true; } + @Override public boolean isCredentialsNonExpired() { return true; } + @Override public boolean isEnabled() { return ecompUser.isActive(); }
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/policyagentapi/PolicyAgentApi.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/policyagentapi/PolicyAgentApi.java
index 78554644..25144cd1 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/policyagentapi/PolicyAgentApi.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/policyagentapi/PolicyAgentApi.java
@@ -2,7 +2,7 @@
 * ========================LICENSE_START=================================
 * O-RAN-SC
 * %%
- * Copyright (C) 2019 AT&T Intellectual Property
+ * Copyright (C) 2019 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/policyagentapi/PolicyAgentApiImpl.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/policyagentapi/PolicyAgentApiImpl.java
index b41c30e3..a2d8c3ed 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/policyagentapi/PolicyAgentApiImpl.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/policyagentapi/PolicyAgentApiImpl.java
@@ -2,7 +2,7 @@
 * ========================LICENSE_START=================================
 * O-RAN-SC
 * %%
- * Copyright (C) 2019 AT&T Intellectual Property
+ * Copyright (C) 2019 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalAuthManager.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalAuthManager.java
index a94332b1..d1e7adf9 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalAuthManager.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalAuthManager.java
@@ -3,6 +3,7 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 AT&T Intellectual Property
+ * Modifications Copyright (C) 2020 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalAuthenticationFilter.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalAuthenticationFilter.java
index fee668f2..5c1f75cb 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalAuthenticationFilter.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalAuthenticationFilter.java
@@ -3,6 +3,7 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 AT&T Intellectual Property
+ * Modifications Copyright (C) 2020 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalRestCentralServiceImpl.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalRestCentralServiceImpl.java
index 02a27d7f..b8f3e894 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalRestCentralServiceImpl.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalRestCentralServiceImpl.java
@@ -3,6 +3,7 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 AT&T Intellectual Property
+ * Modifications Copyright (C) 2020 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalSdkDecryptorAes.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalSdkDecryptorAes.java
index 4cbcf382..09b4dfea 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalSdkDecryptorAes.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/portalapi/PortalSdkDecryptorAes.java
@@ -3,6 +3,7 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 AT&T Intellectual Property
+ * Modifications Copyright (C) 2020 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/util/HttpsURLConnectionUtils.java b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/util/HttpsURLConnectionUtils.java
index b86bbfe1..92c552f9 100644
--- a/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/util/HttpsURLConnectionUtils.java
+++ b/dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/util/HttpsURLConnectionUtils.java
@@ -3,6 +3,7 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 AT&T Intellectual Property
+ * Modifications Copyright (C) 2020 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -44,10 +45,9 @@ public final class HttpsURLConnectionUtils { private static final HostnameVerifier trivialHostnameVerifier = (hostname, sslSession) -> true; private static final TrustManager[] UNQUESTIONING_TRUST_MANAGER = new TrustManager[] {new X509TrustManager() { - @SuppressWarnings("squid:S1168") // Must return null to get wanted behaviour. @Override public java.security.cert.X509Certificate[] getAcceptedIssuers() { - return null; + return new java.security.cert.X509Certificate[0]; } @Override
@@ -64,7 +64,7 @@ public final class HttpsURLConnectionUtils {
 public static void turnOffSslChecking() throws NoSuchAlgorithmException, KeyManagementException {
 HttpsURLConnection.setDefaultHostnameVerifier(trivialHostnameVerifier);
 // Install the all-trusting trust manager
- SSLContext sc = SSLContext.getInstance("SSL");
+ SSLContext sc = SSLContext.getInstance("TLS");
 sc.init(null, UNQUESTIONING_TRUST_MANAGER, null);
 HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
 }
@@ -72,7 +72,7 @@ public final class HttpsURLConnectionUtils {
 public static void turnOnSslChecking() throws KeyManagementException, NoSuchAlgorithmException {
 HttpsURLConnection.setDefaultHostnameVerifier(jvmHostnameVerifier);
 // Return it to the initial state (discovered by reflection, now hardcoded)
- SSLContext sc = SSLContext.getInstance("SSL");
+ SSLContext sc = SSLContext.getInstance("TLS");
 sc.init(null, null, null);
 HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
 }
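Review bot: Returning an empty array from `getAcceptedIssuers()` satisfies the static-analysis rule, but `UNQUESTIONING_TRUST_MANAGER` still lives under `src/main` with no comment saying that it switches certificate validation off. Its check methods begin after the last line of this hunk, so that reading is inferred from the field name and from `trivialHostnameVerifier`, which returns `true` for every host. I would add a comment above the field, e.g. `// Accepts every certificate chain: for tests against self-signed endpoints only, never for production traffic.` If no production code path calls this class, moving it under `src/test` would keep it out of the shipped artifact.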
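Review bot: `turnOffSslChecking()` has no Javadoc stating that it changes process-wide state: `setDefaultHostnameVerifier` and `setDefaultSSLSocketFactory` are static setters, so every `HttpsURLConnection` opened afterwards in the same JVM skips validation until `turnOnSslChecking()` runs. Renaming the context from `"SSL"` to `"TLS"` does not alter that. A one-line Javadoc such as `/** Disables certificate and hostname verification for all HttpsURLConnections in this JVM; test use only, pair with turnOnSslChecking(). */` would make the scope visible to callers. Where only one endpoint needs relaxed checks, the per-connection `setSSLSocketFactory` and `setHostnameVerifier` methods limit the effect to that connection.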
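Review bot: `turnOnSslChecking()` does not restore what was installed before; it builds a fresh context with `sc.init(null, null, null)` and installs that factory, which the comment itself describes as a hardcoded initial state. If the application or a test had set its own default socket factory before `turnOffSslChecking()` ran, that configuration is silently replaced by the JVM defaults. Saving `HttpsURLConnection.getDefaultSSLSocketFactory()` in a static field before checks are switched off, and passing the saved value to `setDefaultSSLSocketFactory` here, would mirror the way `jvmHostnameVerifier` appears to be handled (its declaration is outside the hunk).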
diff --git a/dashboard/webapp-backend/src/test/java/org/oransc/ric/portal/dashboard/DashboardTestServer.java b/dashboard/webapp-backend/src/test/java/org/oransc/ric/portal/dashboard/DashboardTestServer.java
index 9ed38692..80a272f3 100644
--- a/dashboard/webapp-backend/src/test/java/org/oransc/ric/portal/dashboard/DashboardTestServer.java
+++ b/dashboard/webapp-backend/src/test/java/org/oransc/ric/portal/dashboard/DashboardTestServer.java
@@ -3,6 +3,7 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 AT&T Intellectual Property
+ * Modifications Copyright (C) 2020 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/dashboard/webapp-backend/src/test/java/org/oransc/ric/portal/dashboard/config/PolicyControllerMockConfiguration.java b/dashboard/webapp-backend/src/test/java/org/oransc/ric/portal/dashboard/config/PolicyControllerMockConfiguration.java
index 9c6d40cc..836463db 100644
--- a/dashboard/webapp-backend/src/test/java/org/oransc/ric/portal/dashboard/config/PolicyControllerMockConfiguration.java
+++ b/dashboard/webapp-backend/src/test/java/org/oransc/ric/portal/dashboard/config/PolicyControllerMockConfiguration.java
@@ -3,6 +3,7 @@
 * O-RAN-SC
 * %%
 * Copyright (C) 2019 Nordix Foundation
+ * Modifications Copyright (C) 2020 Nordix Foundation
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
-- 2.16.6