Vulnerability fixes

pom.xml

@@ -330,11 +330,7 @@
 			<!-- <scope>runtime</scope> -->
 		</dependency>
 		<!-- Excel -->
-		<dependency>
-			<groupId>com.github.ulisesbocchio</groupId>
-			<artifactId>jasypt-spring-boot-starter</artifactId>
-			<version>2.0.0</version>
-		</dependency>
+
 
 <dependency>
     <groupId>org.apache.poi</groupId>

src/main/environment/common_dev.properties

@@ -3,14 +3,14 @@
 spring.jpa.database=default
 
 ## Primary db
-encDbUserName=0YaEPoKpzM3TrEAHTLYQaf+DfR4mdaeP
-encDbPass=V+g/nL6/+ely0bgD7Du0yX83xNRl1H9Y
+encDbUserName=zFlYsp9Z0s+lRvLM15A3g/Ba0w8VGs/1usuW7EsGF3k=
+encDbPass=JGGAGn5wTlrbTLUHY+5BzfBa0w8VGs/1usuW7EsGF3k=
 spring.datasource.url=jdbc:mysql://10.208.122.32:3306/db_iemr?autoReconnect=true&useSSL=false
 spring.datasource.driver-class-name=com.mysql.jdbc.Driver
 
 ## Secondary db
-encDbUserNameSec=0YaEPoKpzM3TrEAHTLYQaf+DfR4mdaeP
-encDbPassSec=V+g/nL6/+ely0bgD7Du0yX83xNRl1H9Y
+encDbUserNameSec=zFlYsp9Z0s+lRvLM15A3g/Ba0w8VGs/1usuW7EsGF3k=
+encDbPassSec=JGGAGn5wTlrbTLUHY+5BzfBa0w8VGs/1usuW7EsGF3k=
 secondary.datasource.url=jdbc:mysql://10.208.122.32:3306/db_reporting?autoReconnect=true&useSSL=false
 secondary.datasource.driver-class-name=com.mysql.jdbc.Driver
 

src/main/environment/common_local.properties

@@ -1,8 +1,8 @@
 # dev env 
 # DB Connections 
 spring.datasource.url=jdbc:mysql://localhost:3306/db_iemr?autoReconnect=true&useSSL=false
-encDbUserName=0YaEPoKpzM3TrEAHTLYQaf+DfR4mdaeP
-encDbPass=V+g/nL6/+ely0bgD7Du0yX83xNRl1H9Y
+encDbUserName=zFlYsp9Z0s+lRvLM15A3g/Ba0w8VGs/1usuW7EsGF3k=
+encDbPass=JGGAGn5wTlrbTLUHY+5BzfBa0w8VGs/1usuW7EsGF3k=
 spring.datasource.driver-class-name=com.mysql.jdbc.Driver
 
 # KM config

src/main/environment/common_test.properties

@@ -5,15 +5,15 @@ spring.jpa.database=default
 ##--------------------------------------------## Primary db-------------------------------------------------------------------
 
 
-encDbUserName=0YaEPoKpzM3TrEAHTLYQaf+DfR4mdaeP
-encDbPass=V+g/nL6/+ely0bgD7Du0yX83xNRl1H9Y
+encDbUserName=zFlYsp9Z0s+lRvLM15A3g/Ba0w8VGs/1usuW7EsGF3k=
+encDbPass=JGGAGn5wTlrbTLUHY+5BzfBa0w8VGs/1usuW7EsGF3k=
 spring.datasource.url=jdbc:mysql://10.208.122.38:3306/db_iemr?autoReconnect=true&useSSL=false
 spring.datasource.driver-class-name=com.mysql.jdbc.Driver
 
 
 
-encDbUserNameSec=0YaEPoKpzM3TrEAHTLYQaf+DfR4mdaeP
-encDbPassSec=V+g/nL6/+ely0bgD7Du0yX83xNRl1H9Y
+encDbUserNameSec=zFlYsp9Z0s+lRvLM15A3g/Ba0w8VGs/1usuW7EsGF3k=
+encDbPassSec=JGGAGn5wTlrbTLUHY+5BzfBa0w8VGs/1usuW7EsGF3k=
 secondary.datasource.url=jdbc:mysql://10.208.122.38:3306/db_reporting?autoReconnect=true&useSSL=false
 secondary.datasource.driver-class-name=com.mysql.jdbc.Driver
 ##-------------------------------------------------------------# KM config--------------------------------------------------

src/main/environment/common_uat.properties

@@ -2,8 +2,8 @@
 # UAT env 
 # DB Connections 
 spring.datasource.url=jdbc:mysql://172.16.19.43:3306/db_iemr?autoReconnect=true&useSSL=false
-encDbUserName=0YaEPoKpzM3TrEAHTLYQaf+DfR4mdaeP
-encDbPass=V+g/nL6/+ely0bgD7Du0yX83xNRl1H9Y
+encDbUserName=zFlYsp9Z0s+lRvLM15A3g/Ba0w8VGs/1usuW7EsGF3k=
+encDbPass=JGGAGn5wTlrbTLUHY+5BzfBa0w8VGs/1usuW7EsGF3k=
 spring.datasource.driver-class-name=com.mysql.jdbc.Driver
 
 # KM config

src/main/java/com/iemr/common/config/PrimaryDBConfig.java

@@ -5,9 +5,9 @@
 
 import org.apache.tomcat.jdbc.pool.PoolConfiguration;
 import org.apache.tomcat.jdbc.pool.PoolProperties;
-import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.boot.orm.jpa.EntityManagerFactoryBuilder;
@@ -20,13 +20,17 @@
 import org.springframework.transaction.PlatformTransactionManager;
 import org.springframework.transaction.annotation.EnableTransactionManagement;
 
+import com.iemr.common.utils.CryptoUtil;
 import com.iemr.common.utils.config.ConfigProperties;
 
 @Configuration
 @EnableTransactionManagement
 @EnableJpaRepositories(entityManagerFactoryRef = "entityManagerFactory", basePackages = { "com.iemr.common.repository",
 		"com.iemr.common.repo", "com.iemr.common.notification.agent", "com.iemr.common.covidVaccination" })
 public class PrimaryDBConfig {
+
+	@Autowired
+	private CryptoUtil cryptoUtil;
 	Logger logger = LoggerFactory.getLogger(this.getClass().getName());
 
 	@Primary
@@ -48,16 +52,10 @@ public DataSource dataSource() {
 		org.apache.tomcat.jdbc.pool.DataSource datasource = new org.apache.tomcat.jdbc.pool.DataSource();
 		datasource.setPoolProperties(p);
 
-		StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
-		encryptor.setAlgorithm("PBEWithMD5AndDES");
+
 
-		encryptor.setPassword("dev-env-secret");
-
-//		logger.info(encryptor.decrypt(ConfigProperties.getPropertyByName("encDbUserName")));
-//		logger.info(encryptor.decrypt(ConfigProperties.getPropertyByName("encDbPass")));
-
-		datasource.setUsername(encryptor.decrypt(ConfigProperties.getPropertyByName("encDbUserName")));
-		datasource.setPassword(encryptor.decrypt(ConfigProperties.getPropertyByName("encDbPass")));
+		datasource.setUsername(cryptoUtil.decrypt(ConfigProperties.getPropertyByName("encDbUserName")));
+		datasource.setPassword(cryptoUtil.decrypt(ConfigProperties.getPropertyByName("encDbPass")));
 
 		return datasource;
 	}

src/main/java/com/iemr/common/config/SecondaryDBConfig.java

@@ -5,7 +5,9 @@
 
 import org.apache.tomcat.jdbc.pool.PoolConfiguration;
 import org.apache.tomcat.jdbc.pool.PoolProperties;
-import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.jdbc.DataSourceBuilder;
 import org.springframework.boot.context.properties.ConfigurationProperties;
@@ -18,6 +20,7 @@
 import org.springframework.transaction.PlatformTransactionManager;
 import org.springframework.transaction.annotation.EnableTransactionManagement;
 
+import com.iemr.common.utils.CryptoUtil;
 import com.iemr.common.utils.config.ConfigProperties;
 
 @Configuration
@@ -28,6 +31,11 @@
   basePackages = { "com.iemr.common.secondary.repository.callreport" }
 )
 public class SecondaryDBConfig {
+
+	@Autowired
+	private CryptoUtil cryptoUtil;
+
+	Logger logger = LoggerFactory.getLogger(this.getClass().getName());
 	@Bean(name = "secondaryDataSource")
 	  @ConfigurationProperties(prefix = "secondary.datasource")
 	  public DataSource dataSource() {
@@ -46,16 +54,9 @@ public DataSource dataSource() {
 		  org.apache.tomcat.jdbc.pool.DataSource datasource = new org.apache.tomcat.jdbc.pool.DataSource();
 		  datasource.setPoolProperties(p);
 
-		  StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
-			encryptor.setAlgorithm("PBEWithMD5AndDES");
 
-			encryptor.setPassword("dev-env-secret");
-
-//			logger.info(encryptor.decrypt(ConfigProperties.getPropertyByName("encDbUserNameSec")));
-//			logger.info(encryptor.decrypt(ConfigProperties.getPropertyByName("encDbPassSec")));
-
-			datasource.setUsername(encryptor.decrypt(ConfigProperties.getPropertyByName("encDbUserNameSec")));
-			datasource.setPassword(encryptor.decrypt(ConfigProperties.getPropertyByName("encDbPassSec")));
+			datasource.setUsername(cryptoUtil.decrypt(ConfigProperties.getPropertyByName("encDbUserNameSec")));
+			datasource.setPassword(cryptoUtil.decrypt(ConfigProperties.getPropertyByName("encDbPassSec")));
 
 	    return datasource;
 	  }

src/main/java/com/iemr/common/controller/users/IEMRAdminController.java

@@ -36,6 +36,7 @@
 import com.iemr.common.model.user.LoginRequestModel;
 import com.iemr.common.model.user.LoginResponseModel;
 import com.iemr.common.service.users.IEMRAdminUserService;
+import com.iemr.common.utils.encryption.AESUtil;
 import com.iemr.common.utils.exception.IEMRException;
 import com.iemr.common.utils.mapper.InputMapper;
 import com.iemr.common.utils.mapper.OutputMapper;
@@ -54,6 +55,13 @@ public class IEMRAdminController {
 	private InputMapper inputMapper = new InputMapper();
 
 	private IEMRAdminUserService iemrAdminUserServiceImpl;
+
+	private AESUtil aesUtil;
+
+	@Autowired
+	public void setAesUtil(AESUtil aesUtil) {
+	this.aesUtil = aesUtil;
+	}
 
 	@Autowired
 	public void setIemrAdminUserService(IEMRAdminUserService iemrAdminUserService) {
@@ -92,7 +100,9 @@ public String userAuthenticate(
 		OutputResponse response = new OutputResponse();
 		logger.info("userAuthenticate request - " + m_User + " " + m_User.getUserName() + " " + m_User.getPassword());
 		try {
-			List<User> mUser = iemrAdminUserServiceImpl.userAuthenticate(m_User.getUserName(), m_User.getPassword());
+			String decryptPassword = aesUtil.decrypt("Piramal12Piramal", m_User.getPassword());
+			logger.info("decryptPassword : " + decryptPassword);
+			List<User> mUser = iemrAdminUserServiceImpl.userAuthenticate(m_User.getUserName(), decryptPassword);
 			JSONObject resMap = new JSONObject();
 			JSONObject serviceRoleMultiMap = new JSONObject();
 			JSONObject serviceRoleMap = new JSONObject();
@@ -275,7 +285,8 @@ public String superUserAuthenticate(
 			if (!m_User.getUserName().equalsIgnoreCase("SuperAdmin")) {
 				throw new IEMRException("Please log with admin credentials");
 			}
-			User mUser = iemrAdminUserServiceImpl.superUserAuthenticate(m_User.getUserName(), m_User.getPassword());
+			String decryptPassword = aesUtil.decrypt("Piramal12Piramal", m_User.getPassword());
+			User mUser = iemrAdminUserServiceImpl.superUserAuthenticate(m_User.getUserName(), decryptPassword);
 			JSONObject resMap = new JSONObject();
 			JSONObject previlegeObj = new JSONObject();
 			//condition added to check for concurrent login
@@ -429,8 +440,9 @@ public String setPassword(
 			}
 			User mUser = mUsers.get(0);
 			String setStatus;
-			noOfRowModified = iemrAdminUserServiceImpl.setForgetPassword(mUser, m_user.getPassword(),
-					m_user.getTransactionId(),m_user.getIsAdmin());
+			String decryptPassword = aesUtil.decrypt("Piramal12Piramal", m_user.getPassword());
+			noOfRowModified = iemrAdminUserServiceImpl.setForgetPassword(mUser, decryptPassword,
+			m_user.getTransactionId(), m_user.getIsAdmin());
 			if (noOfRowModified > 0) {
 				setStatus = "Password Changed";
 			} else {

src/main/java/com/iemr/common/service/door_to_door_app/DoorToDoorServiceImpl.java

@@ -8,7 +8,7 @@
 import java.util.HashMap;
 import java.util.Map;
 
-import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -30,11 +30,15 @@
 import com.iemr.common.data.door_to_door_app.V_doortodooruserdetails;
 import com.iemr.common.model.user.LoginRequestModel;
 import com.iemr.common.repo.door_to_door_app.V_doortodooruserdetailsRepo;
+import com.iemr.common.utils.CryptoUtil;
 import com.iemr.common.utils.mapper.InputMapper;
 
 @Service
 @PropertySource("classpath:application.properties")
 public class DoorToDoorServiceImpl implements DoorToDoorService {
+
+	@Autowired
+	private CryptoUtil cryptoUtil;
 
 	@Value("${avniRegistrationLimit}")
 	private String avniRegistrationLimit;
@@ -264,11 +268,13 @@ public void scheduleJobForRegisterAvniBeneficiary() throws Exception {
 
 	public String amritUserAuthenticate() {
 		String authorization = "";
-		StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
-		encryptor.setAlgorithm("PBEWithMD5AndDES");
-		encryptor.setPassword("dev-env-secret");
-		String amritUser = encryptor.decrypt(amritUserName);
-		String amritPass = encryptor.decrypt(amritPassword);
+		/*
+		 * StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
+		 * encryptor.setAlgorithm("PBEWithMD5AndDES");
+		 * encryptor.setPassword("dev-env-secret");
+		 */
+		String amritUser = cryptoUtil.decrypt(amritUserName);
+		String amritPass = cryptoUtil.decrypt(amritPassword);
 		LoginRequestModel loginCredentials = new LoginRequestModel(amritUser, amritPass);
 		loginCredentials.setDoLogout(true);
 		MultiValueMap<String, String> headersLogin = new LinkedMultiValueMap<String, String>();

src/main/java/com/iemr/common/service/email/EmailServiceImpl.java

@@ -11,7 +11,6 @@
 import javax.mail.internet.MimeMessage;
 import javax.mail.util.ByteArrayDataSource;
 
-import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -36,13 +35,17 @@
 import com.iemr.common.repository.email.StockAlertDataRepo;
 import com.iemr.common.repository.feedback.FeedbackRepository;
 import com.iemr.common.service.beneficiary.IEMRSearchUserService;
+import com.iemr.common.utils.CryptoUtil;
 import com.iemr.common.utils.config.ConfigProperties;
 import com.iemr.common.utils.http.HttpUtils;
 import com.iemr.common.utils.mapper.InputMapper;
 
 @Service
 public class EmailServiceImpl implements EmailService {
-
+
+	@Autowired
+	private CryptoUtil cryptoUtil;
+
 	private InputMapper inputMapper = new InputMapper();
 	@Autowired
 	private JavaMailSender javaMailSender;
@@ -485,11 +488,9 @@ int sendEmailWithAttachment(String recipient, ByteArrayDataSource attachment) th
 			 JavaMailSenderImpl mailSender = new JavaMailSenderImpl();
 	            mailSender.setHost(host);
 	            mailSender.setPort(Integer.parseInt(port));
-	            StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
-	    		encryptor.setAlgorithm("PBEWithMD5AndDES");
-	    		encryptor.setPassword("dev-env-secret");
-	    		String decryptSender = encryptor.decrypt(sender);
-	    		String decryptPass = encryptor.decrypt(password);
+
+	    		String decryptSender = cryptoUtil.decrypt(sender);
+	    		String decryptPass = cryptoUtil.decrypt(password);
 
 	           mailSender.setUsername(decryptSender);
 	            mailSender.setPassword(decryptPass);

src/main/java/com/iemr/common/service/everwell/EverwellRegistrationServiceImpl.java

@@ -8,7 +8,6 @@
 import java.util.Date;
 import java.util.List;
 
-import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -36,12 +35,15 @@
 import com.iemr.common.repository.everwell.EverwellFetchAndSync;
 import com.iemr.common.repository.location.LocationDistrictRepository;
 import com.iemr.common.repository.location.LocationStateRepository;
+import com.iemr.common.utils.CryptoUtil;
 import com.iemr.common.utils.mapper.InputMapper;
 import com.iemr.common.utils.response.OutputResponse;
 
 @Service
 @PropertySource("classpath:application.properties")
 public class EverwellRegistrationServiceImpl implements EverwellRegistrationService {
+	@Autowired
+	private CryptoUtil cryptoUtil;
 
 	private InputMapper inputMapper = new InputMapper();
 
@@ -124,11 +126,9 @@ public void registerBeneficiary() {
 		try {
 
 			// 1097 user authentication
-			StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
-			encryptor.setAlgorithm("PBEWithMD5AndDES");
-			encryptor.setPassword("dev-env-secret");
-			String amritUser = encryptor.decrypt(amritUserName);
-			String amritPass = encryptor.decrypt(amritPassword);
+
+			String amritUser = cryptoUtil.decrypt(amritUserName);
+			String amritPass = cryptoUtil.decrypt(amritPassword);
 			LoginRequestModel loginCredentials1097 = new LoginRequestModel(amritUser, amritPass);
 
 			MultiValueMap<String, String> headersLogin = new LinkedMultiValueMap<String, String>();

src/main/java/com/iemr/common/service/otp/OTPHandlerImpl.java

@@ -5,7 +5,6 @@
 import java.util.Random;
 import java.util.concurrent.TimeUnit;
 
-import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
 import org.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -19,6 +18,7 @@
 import com.google.common.primitives.Ints;
 import com.iemr.common.data.otp.OTPRequestParsor;
 import com.iemr.common.service.users.IEMRAdminUserServiceImpl;
+import com.iemr.common.utils.CryptoUtil;
 import com.iemr.common.utils.config.ConfigProperties;
 import com.iemr.common.utils.http.HttpUtils;
 
@@ -32,7 +32,10 @@
 
 @Service
 public class OTPHandlerImpl implements OTPHandler {
-
+
+	@Autowired
+	private CryptoUtil cryptoUtil;
+
 	@Autowired
 	HttpUtils httpUtils;
 	@Autowired
@@ -135,13 +138,11 @@ private String getEncryptedOTP(int otp) throws Exception {
 	// send SMS to user
 	private void sendSMS(int otp, String phoneNo, String msgText) throws Exception {
 		// Boolean doSendSMS = ConfigProperties.getBoolean("send-sms");
-		StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
-		encryptor.setAlgorithm("PBEWithMD5AndDES");
-		encryptor.setPassword("dev-env-secret");
+
 		String sendSMSURL = ConfigProperties.getPropertyByName("send-message-url");
 		String sendSMSAPI = OTPHandlerImpl.SMS_GATEWAY_URL + "/" + sendSMSURL;
-		String senderName = encryptor.decrypt(ConfigProperties.getPropertyByName("sms-username"));
-		String senderPassword = encryptor.decrypt(ConfigProperties.getPropertyByName("sms-password"));
+		String senderName = cryptoUtil.decrypt(ConfigProperties.getPropertyByName("sms-username"));
+		String senderPassword = cryptoUtil.decrypt(ConfigProperties.getPropertyByName("sms-password"));
 		String senderNumber = ConfigProperties.getPropertyByName("sms-sender-number");
 
 		sendSMSAPI = sendSMSAPI.replace("USERNAME", senderName).replace("PASSWORD", senderPassword)