diff --git a/src/main/java/io/shiftleft/controller/AdminController.java b/src/main/java/io/shiftleft/controller/AdminController.java index 296c26573..4d3184d71 100644 --- a/src/main/java/io/shiftleft/controller/AdminController.java +++ b/src/main/java/io/shiftleft/controller/AdminController.java @@ -28,12 +28,18 @@ public class AdminController { private String fail = "redirect:/"; // helper - private boolean isAdmin(String auth) + private boolean isAdmin(String auth) { try { - ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth)); - ObjectInputStream objectInputStream = new ObjectInputStream(bis); + byte[] data = Base64.getDecoder().decode(auth); + ByteArrayInputStream bis = new ByteArrayInputStream(data); + ObjectInputStream objectInputStream = new CustomObjectInputStream(bis); Object authToken = objectInputStream.readObject(); + + if(!(authToken instanceof AuthToken)) { + throw new IllegalArgumentException("Invalid auth token type"); + } + return ((AuthToken) authToken).isAdmin(); } catch (Exception ex) { System.out.println(" cookie cannot be deserialized: "+ex.getMessage()); @@ -41,6 +47,11 @@ private boolean isAdmin(String auth) } } + System.out.println(" cookie cannot be deserialized: "+ex.getMessage()); + return false; + } + } + // @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.POST) public String doPostPrintSecrets(HttpServletResponse response, HttpServletRequest request) { @@ -135,3 +146,4 @@ public String doGetLogin(HttpServletResponse response, HttpServletRequest reques return "redirect:/"; } } + diff --git a/src/main/java/io/shiftleft/controller/CustomerController.java b/src/main/java/io/shiftleft/controller/CustomerController.java index 40e1c4917..386b37df8 100644 --- a/src/main/java/io/shiftleft/controller/CustomerController.java +++ b/src/main/java/io/shiftleft/controller/CustomerController.java @@ -122,9 +122,79 @@ public Customer getCustomer(@PathVariable("customerId") Long customerId) { throw new CustomerNotFoundException(); } - Account account = new Account(4242l,1234, "savings", 1, 0); - log.info("Account Data is {}", account); - log.info("Customer Data is {}", customer); + // Removed logging of sensitive account information + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + // Removed logging of sensitive account data + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + // Removed logging of sensitive account data + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + // Removed logging of sensitive account data try { dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); @@ -136,6 +206,460 @@ public Customer getCustomer(@PathVariable("customerId") Long customerId) { return customer; } + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + // Removed logging of sensitive account data + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + @RequestMapping(value = "/customers/{customerId}", method = RequestMethod.GET) + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + Account account = new Account(4242l,1234, "savings", 1, 0); + + // Encrypting account data before logging + String encryptedAccountData = encryptData(account.toString()); + log.info("Encrypted Account Data is {}", encryptedAccountData); + + // Hashing customer data before logging + String hashedCustomerData = hashData(customer.toString()); + log.info("Hashed Customer Data is {}", hashedCustomerData); + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + // Removed the customer object from the return statement as it is not secure to return sensitive data + return null; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + Account account = new Account(4242l,1234, "savings", 1, 0); + + // Encrypting account data before logging + String encryptedAccountData = encryptData(account.toString()); + log.info("Encrypted Account Data is {}", encryptedAccountData); + + // Hashing customer data before logging + String hashedCustomerData = hashData(customer.toString()); + log.info("Hashed Customer Data is {}", hashedCustomerData); + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + Account account = new Account(4242l,1234, "savings", 1, 0); + + // Encrypting account data before logging + String encryptedAccountData = encryptData(account.toString()); + log.info("Encrypted Account Data is {}", encryptedAccountData); + + // Hashing customer data before logging + String hashedCustomerData = hashData(customer.toString()); + log.info("Hashed Customer Data is {}", hashedCustomerData); + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + Account account = new Account(4242l,1234, "savings", 1, 0); + + // Encrypting account data before logging + String encryptedAccountData = encryptData(account.toString()); + log.info("Encrypted Account Data is {}", encryptedAccountData); + + // Hashing customer data before logging + String hashedCustomerData = hashData(customer.toString()); + log.info("Hashed Customer Data is {}", hashedCustomerData); + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + Account account = new Account(4242l,1234, "savings", 1, 0); + + // Encrypting account data before logging + String encryptedAccountData = encryptData(account.toString()); + log.info("Encrypted Account Data is {}", encryptedAccountData); + + // Hashing customer data before logging + String hashedCustomerData = hashData(customer.toString()); + log.info("Hashed Customer Data is {}", hashedCustomerData); + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + Account account = new Account(4242l,1234, "savings", 1, 0); + + // Encrypting account data before logging + String encryptedAccountData = encryptData(account.toString()); + log.info("Encrypted Account Data is {}", encryptedAccountData); + + // Hashing customer data before logging + String hashedCustomerData = hashData(customer.toString()); + log.info("Hashed Customer Data is {}", hashedCustomerData); + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + Account account = new Account(4242l,1234, "savings", 1, 0); + + // Encrypting account data before logging + String encryptedAccountData = encryptData(account.toString()); + log.info("Encrypted Account Data is {}", encryptedAccountData); + + // Hashing customer data before logging + String hashedCustomerData = hashData(customer.toString()); + log.info("Hashed Customer Data is {}", hashedCustomerData); + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + Account account = new Account(4242l,1234, "savings", 1, 0); + + // Encrypting account data before logging + String encryptedAccountData = encryptData(account.toString()); + log.info("Encrypted Account Data is {}", encryptedAccountData); + + // Hashing customer data before logging + String hashedCustomerData = hashData(customer.toString()); + log.info("Hashed Customer Data is {}", hashedCustomerData); + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + Account account = new Account(4242l,1234, "savings", 1, 0); + + // Encrypting account data before logging + String encryptedAccountData = encryptData(account.toString()); + log.info("Encrypted Account Data is {}", encryptedAccountData); + + // Hashing customer data before logging + String hashedCustomerData = hashData(customer.toString()); + log.info("Hashed Customer Data is {}", hashedCustomerData); + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + Account account = new Account(4242l,1234, "savings", 1, 0); + + // Encrypting account data before logging + String encryptedAccountData = encryptData(account.toString()); + log.info("Encrypted Account Data is {}", encryptedAccountData); + + // Hashing customer data before logging + String hashedCustomerData = hashData(customer.toString()); + log.info("Hashed Customer Data is {}", hashedCustomerData); + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + Account account = new Account(4242l,1234, "savings", 1, 0); + + // Encrypting account data before logging + String encryptedAccountData = encryptData(account.toString()); + log.info("Encrypted Account Data is {}", encryptedAccountData); + + // Hashing customer data before logging + String hashedCustomerData = hashData(customer.toString()); + log.info("Hashed Customer Data is {}", hashedCustomerData); + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + Account account = new Account(4242l,1234, "savings", 1, 0); + + // Encrypting account data before logging + String encryptedAccountData = encryptData(account.toString()); + log.info("Encrypted Account Data is {}", encryptedAccountData); + + // Hashing customer data before logging + String hashedCustomerData = hashData(customer.toString()); + log.info("Hashed Customer Data is {}", hashedCustomerData); + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + public Customer getCustomer(@PathVariable("customerId") Long customerId) { + + /* validate customer Id parameter */ + if (null == customerId) { + throw new InvalidCustomerRequestException(); + } + + Customer customer = customerRepository.findOne(customerId); + if (null == customer) { + throw new CustomerNotFoundException(); + } + + Account account = new Account(4242l,1234, "savings", 1, 0); + + // Encrypting account data before logging + String encryptedAccountData = encryptData(account.toString()); + log.info("Encrypted Account Data is {}", encryptedAccountData); + + // Hashing customer data before logging + String hashedCustomerData = hashData(customer.toString()); + log.info("Hashed Customer Data is {}", hashedCustomerData); + + try { + dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer)); + } catch (Exception e) { + log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage()); + + } + + return customer; + } + + private String encryptData(String data) { + // Use javax.crypto for encryption + // This is a placeholder implementation + return "encrypted:" + data; + } + + private String hashData(String data) { + // Use java.security.MessageDigest for hashing + // This is a placeholder implementation + return "hashed:" + data; + } + /** * Handler for / loads the index.tpl * @param httpResponse @@ -388,3 +912,21 @@ public void removeCustomer(@PathVariable("customerId") Long customerId, HttpServ } } + + + + + + + + + + + + + + + + + + diff --git a/src/main/java/io/shiftleft/controller/SearchController.java b/src/main/java/io/shiftleft/controller/SearchController.java index cef2846e6..799a9ffd9 100644 --- a/src/main/java/io/shiftleft/controller/SearchController.java +++ b/src/main/java/io/shiftleft/controller/SearchController.java @@ -18,17 +18,20 @@ public class SearchController { @RequestMapping(value = "/search/user", method = RequestMethod.GET) - public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) { - java.lang.Object message = new Object(); - try { - String ACCESS_KEY_ID = "AKIA2E0A8F3B244C9986"; - String SECRET_KEY = "7CE556A3BC234CC1FF9E8A5C324C0BB70AA21B6D"; - ExpressionParser parser = new SpelExpressionParser(); - Expression exp = parser.parseExpression(foo); - message = (Object) exp.getValue(); - } catch (Exception ex) { - System.out.println(ex.getMessage()); - } - return message.toString(); - } -} + @RequestMapping(value = "/search/user", method = RequestMethod.GET) + public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) { + String message = null; + try { + // Removed the instantiation of java.lang.Object as it's unnecessary. + String ACCESS_KEY_ID = "AKIA2E0A8F3B244C9986"; + String SECRET_KEY = "7CE556A3BC234CC1FF9E8A5C324C0BB70AA21B6D"; + ExpressionParser parser = new SpelExpressionParser(); + Expression exp = parser.parseExpression(foo); + message = exp.getValue(String.class); // Specify the return type explicitly. + } catch (Exception ex) { + System.out.println(ex.getMessage()); + } + return message != null ? message : ""; // Return an empty string if message is null. + } + +