use of org.zaproxy.zap.users.User in project zaproxy by zaproxy.
the class ActiveScanAPI method handleApiAction.
@SuppressWarnings({ "fallthrough" })
@Override
public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
log.debug("handleApiAction " + name + " " + params.toString());
ScanPolicy policy;
int policyId;
User user = null;
Context context = null;
try {
switch(name) {
case ACTION_SCAN_AS_USER:
// These are not mandatory parameters on purpose, to keep the same order
// of the parameters while having PARAM_URL as (now) optional.
validateParamExists(params, PARAM_CONTEXT_ID);
validateParamExists(params, PARAM_USER_ID);
int userID = ApiUtils.getIntParam(params, PARAM_USER_ID);
ExtensionUserManagement usersExtension = Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.class);
if (usersExtension == null) {
throw new ApiException(Type.NO_IMPLEMENTOR, ExtensionUserManagement.NAME);
}
context = ApiUtils.getContextByParamId(params, PARAM_CONTEXT_ID);
if (!context.isIncluded(params.getString(PARAM_URL))) {
throw new ApiException(Type.URL_NOT_IN_CONTEXT, PARAM_CONTEXT_ID);
}
user = usersExtension.getContextUserAuthManager(context.getIndex()).getUserById(userID);
if (user == null) {
throw new ApiException(Type.USER_NOT_FOUND, PARAM_USER_ID);
}
// $FALL-THROUGH$
case ACTION_SCAN:
String url = ApiUtils.getOptionalStringParam(params, PARAM_URL);
if (context == null && params.has(PARAM_CONTEXT_ID) && !params.getString(PARAM_CONTEXT_ID).isEmpty()) {
context = ApiUtils.getContextByParamId(params, PARAM_CONTEXT_ID);
}
boolean scanJustInScope = context != null ? false : this.getParam(params, PARAM_JUST_IN_SCOPE, false);
String policyName = null;
policy = null;
try {
policyName = params.getString(PARAM_SCAN_POLICY_NAME);
} catch (Exception e1) {
// Ignore
}
try {
if (policyName != null && policyName.length() > 0) {
// Not specified, use the default one
log.debug("handleApiAction scan policy =" + policyName);
policy = controller.getPolicyManager().getPolicy(policyName);
}
} catch (ConfigurationException e) {
throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SCAN_POLICY_NAME);
}
String method = this.getParam(params, PARAM_METHOD, HttpRequestHeader.GET);
if (method.trim().length() == 0) {
method = HttpRequestHeader.GET;
}
if (!Arrays.asList(HttpRequestHeader.METHODS).contains(method)) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_METHOD);
}
int scanId = scanURL(url, user, this.getParam(params, PARAM_RECURSE, true), scanJustInScope, method, this.getParam(params, PARAM_POST_DATA, ""), policy, context);
return new ApiResponseElement(name, Integer.toString(scanId));
case ACTION_PAUSE_SCAN:
getActiveScan(params).pauseScan();
break;
case ACTION_RESUME_SCAN:
getActiveScan(params).resumeScan();
break;
case ACTION_STOP_SCAN:
getActiveScan(params).stopScan();
break;
case ACTION_REMOVE_SCAN:
GenericScanner2 activeScan = controller.removeScan(Integer.valueOf(params.getInt(PARAM_SCAN_ID)));
if (activeScan == null) {
throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SCAN_ID);
}
break;
case ACTION_PAUSE_ALL_SCANS:
controller.pauseAllScans();
break;
case ACTION_RESUME_ALL_SCANS:
controller.resumeAllScans();
break;
case ACTION_STOP_ALL_SCANS:
controller.stopAllScans();
break;
case ACTION_REMOVE_ALL_SCANS:
controller.removeAllScans();
break;
case ACTION_CLEAR_EXCLUDED_FROM_SCAN:
try {
Session session = Model.getSingleton().getSession();
session.setExcludeFromScanRegexs(new ArrayList<String>());
} catch (DatabaseException e) {
log.error(e.getMessage(), e);
throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
}
break;
case ACTION_EXCLUDE_FROM_SCAN:
String regex = params.getString(PARAM_REGEX);
try {
Session session = Model.getSingleton().getSession();
session.addExcludeFromScanRegexs(regex);
} catch (DatabaseException e) {
log.error(e.getMessage(), e);
throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
} catch (PatternSyntaxException e) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_REGEX);
}
break;
case ACTION_ENABLE_ALL_SCANNERS:
policy = getScanPolicyFromParams(params);
policy.getPluginFactory().setAllPluginEnabled(true);
policy.save();
break;
case ACTION_DISABLE_ALL_SCANNERS:
policy = getScanPolicyFromParams(params);
policy.getPluginFactory().setAllPluginEnabled(false);
policy.save();
break;
case ACTION_ENABLE_SCANNERS:
policy = getScanPolicyFromParams(params);
setScannersEnabled(policy, getParam(params, PARAM_IDS, "").split(","), true);
policy.save();
break;
case ACTION_DISABLE_SCANNERS:
policy = getScanPolicyFromParams(params);
setScannersEnabled(policy, getParam(params, PARAM_IDS, "").split(","), false);
policy.save();
break;
case ACTION_SET_ENABLED_POLICIES:
policy = getScanPolicyFromParams(params);
setEnabledPolicies(policy, getParam(params, PARAM_IDS, "").split(","));
policy.save();
break;
case ACTION_SET_POLICY_ATTACK_STRENGTH:
policyId = getPolicyIdFromParamId(params);
policy = getScanPolicyFromParams(params);
Plugin.AttackStrength attackStrength = getAttackStrengthFromParamAttack(params);
for (Plugin scanner : policy.getPluginFactory().getAllPlugin()) {
if (scanner.getCategory() == policyId) {
scanner.setAttackStrength(attackStrength);
}
}
policy.save();
break;
case ACTION_SET_POLICY_ALERT_THRESHOLD:
policyId = getPolicyIdFromParamId(params);
policy = getScanPolicyFromParams(params);
Plugin.AlertThreshold alertThreshold1 = getAlertThresholdFromParamAlertThreshold(params);
for (Plugin scanner : policy.getPluginFactory().getAllPlugin()) {
if (scanner.getCategory() == policyId) {
scanner.setAlertThreshold(alertThreshold1);
}
}
policy.save();
break;
case ACTION_SET_SCANNER_ATTACK_STRENGTH:
policy = getScanPolicyFromParams(params);
Plugin scanner = getScannerFromParamId(policy, params);
scanner.setAttackStrength(getAttackStrengthFromParamAttack(params));
policy.save();
break;
case ACTION_SET_SCANNER_ALERT_THRESHOLD:
policy = getScanPolicyFromParams(params);
AlertThreshold alertThreshold2 = getAlertThresholdFromParamAlertThreshold(params);
getScannerFromParamId(policy, params).setAlertThreshold(alertThreshold2);
policy.save();
break;
case ACTION_ADD_SCAN_POLICY:
String newPolicyName = params.getString(PARAM_SCAN_POLICY_NAME);
if (controller.getPolicyManager().getAllPolicyNames().contains(newPolicyName)) {
throw new ApiException(ApiException.Type.ALREADY_EXISTS, PARAM_SCAN_POLICY_NAME);
}
if (!controller.getPolicyManager().isLegalPolicyName(newPolicyName)) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_SCAN_POLICY_NAME);
}
policy = controller.getPolicyManager().getTemplatePolicy();
policy.setName(newPolicyName);
setAlertThreshold(policy, params);
setAttackStrength(policy, params);
controller.getPolicyManager().savePolicy(policy);
break;
case ACTION_REMOVE_SCAN_POLICY:
// Check it exists
policy = getScanPolicyFromParams(params);
if (controller.getPolicyManager().getAllPolicyNames().size() == 1) {
// Dont remove the last one
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, "You are not allowed to remove the last scan policy");
}
controller.getPolicyManager().deletePolicy(policy.getName());
break;
case ACTION_UPDATE_SCAN_POLICY:
policy = getScanPolicyFromParams(params);
if (!isParamsChanged(policy, params)) {
break;
}
updateAlertThreshold(policy, params);
updateAttackStrength(policy, params);
controller.getPolicyManager().savePolicy(policy);
break;
case ACTION_ADD_EXCLUDED_PARAM:
int type = getParam(params, PARAM_TYPE, NameValuePair.TYPE_UNDEFINED);
if (!ScannerParamFilter.getTypes().containsKey(type)) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_TYPE);
}
url = getParam(params, PARAM_URL, "*");
if (url.isEmpty()) {
url = "*";
}
ScannerParamFilter excludedParam = new ScannerParamFilter(params.getString(PARAM_NAME), type, url);
List<ScannerParamFilter> excludedParams = new ArrayList<>(controller.getScannerParam().getExcludedParamList());
excludedParams.add(excludedParam);
controller.getScannerParam().setExcludedParamList(excludedParams);
break;
case ACTION_MODIFY_EXCLUDED_PARAM:
try {
int idx = params.getInt(PARAM_IDX);
if (idx < 0 || idx >= controller.getScannerParam().getExcludedParamList().size()) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX);
}
ScannerParamFilter oldExcludedParam = controller.getScannerParam().getExcludedParamList().get(idx);
String epName = getParam(params, PARAM_NAME, oldExcludedParam.getParamName());
if (epName.isEmpty()) {
epName = oldExcludedParam.getParamName();
}
type = getParam(params, PARAM_TYPE, oldExcludedParam.getType());
if (!ScannerParamFilter.getTypes().containsKey(type)) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_TYPE);
}
url = getParam(params, PARAM_URL, oldExcludedParam.getWildcardedUrl());
if (url.isEmpty()) {
url = "*";
}
ScannerParamFilter newExcludedParam = new ScannerParamFilter(epName, type, url);
if (oldExcludedParam.equals(newExcludedParam)) {
break;
}
excludedParams = new ArrayList<>(controller.getScannerParam().getExcludedParamList());
excludedParams.set(idx, newExcludedParam);
controller.getScannerParam().setExcludedParamList(excludedParams);
} catch (JSONException e) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX, e);
}
break;
case ACTION_REMOVE_EXCLUDED_PARAM:
try {
int idx = params.getInt(PARAM_IDX);
if (idx < 0 || idx >= controller.getScannerParam().getExcludedParamList().size()) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX);
}
excludedParams = new ArrayList<>(controller.getScannerParam().getExcludedParamList());
excludedParams.remove(idx);
controller.getScannerParam().setExcludedParamList(excludedParams);
} catch (JSONException e) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX, e);
}
break;
default:
throw new ApiException(ApiException.Type.BAD_ACTION);
}
} catch (ConfigurationException e) {
throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
}
return ApiResponseElement.OK;
}
use of org.zaproxy.zap.users.User in project zaproxy by zaproxy.
the class ExtensionForcedUser method onHttpRequestSend.
@Override
public void onHttpRequestSend(HttpMessage msg, int initiator, HttpSender sender) {
if (!forcedUserModeEnabled || msg.getResponseBody() == null || msg.getRequestHeader().isImage() || (initiator == HttpSender.AUTHENTICATION_INITIATOR || initiator == HttpSender.CHECK_FOR_UPDATES_INITIATOR)) {
// Not relevant
return;
}
// The message is already being sent from the POV of another user
if (msg.getRequestingUser() != null)
return;
// Is the message in any of the contexts?
List<Context> contexts = Model.getSingleton().getSession().getContexts();
User requestingUser = null;
for (Context context : contexts) {
if (context.isInContext(msg.getRequestHeader().getURI().toString())) {
// Is there enough info
if (contextForcedUsersMap.containsKey(context.getIndex())) {
requestingUser = contextForcedUsersMap.get(context.getIndex());
break;
}
}
}
if (requestingUser == null || !requestingUser.isEnabled())
return;
if (log.isDebugEnabled()) {
log.debug("Modifying request message (" + msg.getRequestHeader().getURI() + ") to match user: " + requestingUser);
}
msg.setRequestingUser(requestingUser);
}
use of org.zaproxy.zap.users.User in project zaproxy by zaproxy.
the class CustomScanDialog method setUsers.
private void setUsers() {
Context context = this.getSelectedContext();
List<String> userNames = new ArrayList<>();
if (context != null) {
List<User> users = this.extUserMgmt.getContextUserAuthManager(context.getIndex()).getUsers();
// The default should always be 'not specified'
userNames.add("");
for (User user : users) {
userNames.add(user.getName());
}
}
this.setComboFields(FIELD_USER, userNames, "");
// Theres always 1..
this.getField(FIELD_USER).setEnabled(userNames.size() > 1);
}
use of org.zaproxy.zap.users.User in project zaproxy by zaproxy.
the class UsernamePasswordAuthenticationCredentials method getSetCredentialsForUserApiAction.
/**
* Gets the api action for setting a {@link UsernamePasswordAuthenticationCredentials} for an
* User.
*
* @param methodType the method type for which this is called
* @return the sets the credentials for user api action
*/
public static ApiDynamicActionImplementor getSetCredentialsForUserApiAction(final AuthenticationMethodType methodType) {
return new ApiDynamicActionImplementor(ACTION_SET_CREDENTIALS, new String[] { PARAM_USERNAME, PARAM_PASSWORD }, null) {
@Override
public void handleAction(JSONObject params) throws ApiException {
Context context = ApiUtils.getContextByParamId(params, UsersAPI.PARAM_CONTEXT_ID);
int userId = ApiUtils.getIntParam(params, UsersAPI.PARAM_USER_ID);
// Make sure the type of authentication method is compatible
if (!methodType.isTypeForMethod(context.getAuthenticationMethod()))
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, "User's credentials should match authentication method type of the context: " + context.getAuthenticationMethod().getType().getName());
// NOTE: no need to check if extension is loaded as this method is called only if
// the Users
// extension is loaded
ExtensionUserManagement extensionUserManagement = (ExtensionUserManagement) Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.NAME);
User user = extensionUserManagement.getContextUserAuthManager(context.getIndex()).getUserById(userId);
if (user == null)
throw new ApiException(ApiException.Type.USER_NOT_FOUND, UsersAPI.PARAM_USER_ID);
// Build and set the credentials
UsernamePasswordAuthenticationCredentials credentials = new UsernamePasswordAuthenticationCredentials();
credentials.username = ApiUtils.getNonEmptyStringParam(params, PARAM_USERNAME);
credentials.password = ApiUtils.getNonEmptyStringParam(params, PARAM_PASSWORD);
user.setAuthenticationCredentials(credentials);
}
};
}
use of org.zaproxy.zap.users.User in project zaproxy by zaproxy.
the class HttpSender method sendAuthenticated.
// ZAP: Make sure a message that needs to be authenticated is authenticated
private void sendAuthenticated(HttpMessage msg, boolean isFollowRedirect) throws IOException {
// Modify the request message if a 'Requesting User' has been set
User forceUser = this.getUser(msg);
if (initiator != AUTHENTICATION_INITIATOR && forceUser != null)
forceUser.processMessageToMatchUser(msg);
log.debug("Sending message to: " + msg.getRequestHeader().getURI().toString());
// Send the message
send(msg, isFollowRedirect);
// session and, if not, attempt a reauthentication and try again
if (initiator != AUTHENTICATION_INITIATOR && forceUser != null && !msg.getRequestHeader().isImage() && !forceUser.isAuthenticated(msg)) {
log.debug("First try to send authenticated message failed for " + msg.getRequestHeader().getURI() + ". Authenticating and trying again...");
forceUser.queueAuthentication(msg);
forceUser.processMessageToMatchUser(msg);
send(msg, isFollowRedirect);
} else
log.debug("SUCCESSFUL");
}
Aggregations