Merge pull request #21 from motech-implementations/audit_fixes_final

Audit fixes final

Email/NMSReportingSuite/pom.xml

@@ -143,34 +143,35 @@
         </dependency>
 
         <!-- Apache Shiro -->
+<!--        latest versions no longer work with our project, so changed to a version that works-->
         <dependency>
             <groupId>org.apache.shiro.samples</groupId>
             <artifactId>samples-spring-client</artifactId>
-            <version>LATEST</version>
+            <version>1.4.1</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.shiro</groupId>
             <artifactId>shiro-core</artifactId>
-            <version>LATEST</version>
+            <version>1.4.1</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.shiro</groupId>
             <artifactId>shiro-ehcache</artifactId>
-            <version>LATEST</version>
+            <version>1.4.1</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.shiro</groupId>
             <artifactId>shiro-spring</artifactId>
-            <version>LATEST</version>
+            <version>1.4.1</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.shiro</groupId>
             <artifactId>shiro-web</artifactId>
-            <version>LATEST</version>
+            <version>1.4.1</version>
         </dependency>
 
         <dependency>

Email/NMSReportingSuite/src/main/java/com/beehyv/nmsreporting/controller/EmailController.java

@@ -62,8 +62,12 @@ String sendPassword(@PathVariable String encoded) throws Exception {
     //changed the 'from' emailId from beehyv domain address to govt domain address
         String email = tokenItems[0];
         String password = tokenItems[1];
-        String subject = "Reset Password for MIS Portal";
-        String message = "\"Dear user,<br/><br/><p>As per your request, your password has been reset to: <b>" +
+        String type = tokenItems[2];
+        String subject = "Password for MIS Portal";
+        String line = "As per your request, your password has been reset to:";
+        if(type.equals("new")) line = "The password for your newly created MIS account is:";
+        else if(type.equals("admin")) line = "The password for your MIS account has been reset by the admin to:";
+        String message = "\"Dear user,<br/><br/><p>"+line+"<b>" +
                password +
               "</b></p><br/><p>Once you login to the MIS portal with the above password, the system will direct you to change the default password as it is mandatory.</p><br/>" +
              "<p>Thanks,</p>" +"<p>NSP Support</p>\"";
@@ -81,19 +85,6 @@ String sendPassword(@PathVariable String encoded) throws Exception {
                 return "failure";
             }
         }catch (InterruptedException e){return "failure";}
-//        EmailInfo newMail = new EmailInfo();
-//        newMail.setFrom("[email protected]");
-//        newMail.setTo(email);
-//        Calendar c = Calendar.getInstance();   // this takes current date
-//        c.add(Calendar.MONTH, -1);
-//        c.set(Calendar.DATE, 1);
-//        newMail.setSubject("Reset Password for MIS Portal");
-//        newMail.setBody("Dear user,<br/><br/><p>As per your request, your password has been reset to: <b>" +
-//                password +
-//                "</b></p><br/><p>Once you login to the MIS portal with the above password, the system will direct you to change the default password as it is mandatory.</p><br/>" +
-//                "<p>Thanks,</p>" +
-//                "<p>NSP Support</p>");
-//        return emailService.sendMailPassword(newMail);
     }
 
     @RequestMapping(value = "/sendCaptcha/{captchaResponse}", method = RequestMethod.GET)

NMSReportingSuite/pom.xml

@@ -159,34 +159,35 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/ma
         </dependency>
 
         <!-- Apache Shiro -->
+<!--        latest versions no longer work with our projects, so switched to the lastest working version-->
         <dependency>
             <groupId>org.apache.shiro.samples</groupId>
             <artifactId>samples-spring-client</artifactId>
-            <version>LATEST</version>
+            <version>1.4.1</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.shiro</groupId>
             <artifactId>shiro-core</artifactId>
-            <version>LATEST</version>
+            <version>1.4.1</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.shiro</groupId>
             <artifactId>shiro-ehcache</artifactId>
-            <version>LATEST</version>
+            <version>1.4.1</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.shiro</groupId>
             <artifactId>shiro-spring</artifactId>
-            <version>LATEST</version>
+            <version>1.4.1</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.shiro</groupId>
             <artifactId>shiro-web</artifactId>
-            <version>LATEST</version>
+            <version>1.4.1</version>
         </dependency>
 
         <dependency>

NMSReportingSuite/src/main/java/com/beehyv/nmsreporting/business/impl/CsrfInterceptor.java

@@ -0,0 +1,38 @@
+package com.beehyv.nmsreporting.business.impl;
+
+import com.beehyv.nmsreporting.business.UserService;
+import com.beehyv.nmsreporting.model.User;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class CsrfInterceptor extends HandlerInterceptorAdapter {
+    @Autowired
+    private UserService userService;
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
+        User currentUser = userService.getCurrentUser();
+
+        if(currentUser == null) {
+            return false;
+        }
+        String token = "dhty" + currentUser.getUserId().toString() + "alkihkf";
+        return request.getHeader("csrfToken").equals(token);
+    }
+
+    @Override
+    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
+    }
+
+    @Override
+    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
+    }
+
+    @Override
+    public void afterConcurrentHandlingStarted(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
+    }
+}

NMSReportingSuite/src/main/java/com/beehyv/nmsreporting/business/impl/UserServiceImpl.java

@@ -11,6 +11,7 @@
 import com.beehyv.nmsreporting.enums.ModificationType;
 import com.beehyv.nmsreporting.model.*;
 import com.beehyv.nmsreporting.utils.LoginUser;
+import com.beehyv.nmsreporting.utils.ServiceFunctions;
 import org.apache.shiro.SecurityUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -55,6 +56,8 @@ public class UserServiceImpl implements UserService{
     @Autowired
     private AggregateCumulativeMADao aggregateCumulativeMADao;
 
+    private ServiceFunctions serviceFunctions = new ServiceFunctions();
+
     private Role getAdminRole(){
         return roleDao.findByRoleDescription(AccessType.ADMIN.getAccessType()).get(0);
     }
@@ -140,11 +143,6 @@ public Map<Integer, String> createNewUser(User user) {
             responseMap.put(rowNum, userNameError);
             return responseMap;
         }
-        if (userDao.findByUserName(user.getUsername()) != null) {
-            String userNameError = "Username already exists.";
-            responseMap.put(rowNum, userNameError);
-            return responseMap;
-        }
 
         String userPhone = user.getPhoneNumber();
         String regexStr1 = "^[0-9]*$";
@@ -311,8 +309,13 @@ else if (user.getAccessLevel().equalsIgnoreCase(AccessLevel.DISTRICT.getAccessLe
 //                return responseMap;
 //            }
         }
-
-        user.setPassword(passwordEncoder.encode(user.getPhoneNumber()));
+        if (userDao.findByUserName(user.getUsername()) != null) {
+            String userNameError = "Username already exists.";
+            responseMap.put(rowNum, userNameError);
+            return responseMap;
+        }
+        String password = serviceFunctions.generatePassword();
+        user.setPassword(passwordEncoder.encode(password));
         user.setCreationDate(new Date());
         user.setCreatedByUser(currentUser);
         user.setAccountStatus(AccountStatus.ACTIVE.getAccountStatus());
@@ -321,6 +324,7 @@ else if (user.getAccessLevel().equalsIgnoreCase(AccessLevel.DISTRICT.getAccessLe
         userDao.saveUser(user);
         String authorityError = "User Created";
         responseMap.put(rowNum, authorityError);
+        responseMap.put(1,password);
         return responseMap;
     }
 
@@ -609,10 +613,13 @@ public Map<Integer, String> updatePassword(PasswordDto passwordDto) {
             responseMap.put(rowNum, authorityError);
             return responseMap;
         }
-        entity.setPassword(passwordEncoder.encode(entity.getPhoneNumber()));
+        String password = serviceFunctions.generatePassword();
+        entity.setPassword(passwordEncoder.encode(password));
         entity.setDefault(true);
 
         responseMap.put(rowNum, "Password changed successfully");
+        responseMap.put(1,password);
+        responseMap.put(2, entity.getEmailId());
         return responseMap;
     }
 

NMSReportingSuite/src/main/java/com/beehyv/nmsreporting/controller/AdminController.java

@@ -11,6 +11,7 @@
 import com.beehyv.nmsreporting.model.ModificationTracker;
 import com.beehyv.nmsreporting.model.State;
 import com.beehyv.nmsreporting.model.User;
+import org.apache.commons.codec.binary.Base64;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.expression.ParseException;
 import org.springframework.stereotype.Controller;
@@ -19,6 +20,8 @@
 
 import javax.servlet.http.HttpServletResponse;
 import java.io.*;
+import java.net.HttpURLConnection;
+import java.net.URL;
 import java.util.*;
 
 import static com.beehyv.nmsreporting.enums.ReportType.maCourse;
@@ -104,7 +107,12 @@ public Map uploadFileHandler(@RequestParam("bulkCsv") MultipartFile file) {
     @ResponseBody
     public String getBulkDataImportCSV(HttpServletResponse response) throws ParseException, java.text.ParseException{
 
-       response.setContentType("APPLICATION/OCTECT-STREAM");
+        User user = userService.getCurrentUser();
+        if(user==null||!(user.getRoleName().equals("MASTER ADMIN"))&&!(user.getRoleName().equals("ADMIN"))){
+            return "Not Authorized";
+        }
+
+        response.setContentType("APPLICATION/OCTECT-STREAM");
         try {
             PrintWriter out=response.getWriter();
             String filename="BulkImportData.csv";
@@ -137,7 +145,7 @@ public String getCumulativeCourseCompletion(@PathVariable("state") String State,
     }*/
 
     @RequestMapping(value = {"/changePassword"}, method = RequestMethod.POST)
-    @ResponseBody public Map resetPassword(@RequestBody PasswordDto passwordDto){
+    @ResponseBody public Map resetPassword(@RequestBody PasswordDto passwordDto) throws Exception{
         //        String trackModification = mapper.convertValue(node.get("modification"), String.class);
 //
 //        ModificationTracker modification = new ModificationTracker();
@@ -148,9 +156,39 @@ public String getCumulativeCourseCompletion(@PathVariable("state") String State,
 //        modification.setModifiedField(trackModification);
 //        modificationTrackerService.saveModification(modification);
 
-//        return "redirect:http://localhost:8080/app/#!/";
+//        return "redirect:https://rchivrreports.in/app/#!/";
         Map<Integer, String> map= userService.updatePassword(passwordDto);
         if(map.get(0).equals("Password changed successfully")){
+            String password = map.get(1);
+            String email = map.get(2);
+            byte[] encoded = Base64.encodeBase64((email + "||" + password + "||admin").getBytes());
+            String encrypted = new String(encoded);
+            String url = "http://192.168.200.4:8080/NMSReportingSuite/nms/mail/sendPassword/" + encrypted;
+            URL obj = new URL(url);
+            HttpURLConnection con = (HttpURLConnection) obj.openConnection();
+
+            // optional default is GET
+            con.setRequestMethod("GET");
+
+            //add request header
+            con.setRequestProperty("User-Agent", "Mozilla/5.0");
+
+            int responseCode = con.getResponseCode();
+            System.out.println("\nSending 'GET' request to URL : " + url);
+            System.out.println("Response Code : " + responseCode);
+
+            BufferedReader in = new BufferedReader(
+                    new InputStreamReader(con.getInputStream()));
+            String inputLine;
+            StringBuffer response = new StringBuffer();
+
+            while ((inputLine = in.readLine()) != null) {
+                response.append(inputLine);
+            }
+            in.close();
+
+            //print result
+            System.out.println(response.toString());
             ModificationTracker modification = new ModificationTracker();
             modification.setModificationDate(new Date(System.currentTimeMillis()));
             modification.setModificationType(ModificationType.UPDATE.getModificationType());
@@ -159,7 +197,9 @@ public String getCumulativeCourseCompletion(@PathVariable("state") String State,
             modification.setModifiedByUserId(userService.getCurrentUser().getUserId());
             modificationTrackerService.saveModification(modification);
         }
-        return map;
+        Map<Integer, String> requiredmap=new HashMap<>();
+        requiredmap.put(0,map.get(0));
+        return requiredmap;
     }
     @RequestMapping(value = "/create", method = RequestMethod.GET)
     @ResponseBody