
Example 1 with AuthCheckingStrategy

use of org.zaproxy.zap.authentication.AuthenticationMethod.AuthCheckingStrategy in project zaproxy by zaproxy.

From the class ContextAPI, method buildResponseFromContext.

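/**
 * Builds the API response describing a {@link Context}.
 *
 * <p>Every value is emitted as a string. Optional values that are not set (no logged-in or
 * logged-out pattern, no authentication type, no checking strategy, no poll frequency units)
 * are emitted as {@code ""} rather than omitted, so clients see a stable key set. The polling
 * settings are only included when the checking strategy is {@code POLL_URL}.
 *
 * @param c the context to describe, must not be {@code null}
 * @return the API response, an {@code ApiResponseSet} named {@code "context"}
 */
private ApiResponse buildResponseFromContext(Context c) {
    Map<String, String> fields = new HashMap<>();
    fields.put("name", c.getName());
    fields.put("id", Integer.toString(c.getId()));
    fields.put("description", c.getDescription());
    fields.put("inScope", Boolean.toString(c.isInScope()));
    fields.put("excludeRegexs", jsonEncodeList(c.getExcludeFromContextRegexs()));
    fields.put("includeRegexs", jsonEncodeList(c.getIncludeInContextRegexs()));

    AuthenticationMethod authenticationMethod = c.getAuthenticationMethod();
    if (authenticationMethod != null) {
        Pattern loggedIn = authenticationMethod.getLoggedInIndicatorPattern();
        fields.put("loggedInPattern", loggedIn == null ? "" : loggedIn.toString());
        Pattern loggedOut = authenticationMethod.getLoggedOutIndicatorPattern();
        fields.put("loggedOutPattern", loggedOut == null ? "" : loggedOut.toString());
        AuthenticationMethodType type = authenticationMethod.getType();
        fields.put("authType", type == null ? "" : type.getName());
        AuthCheckingStrategy strategy = authenticationMethod.getAuthCheckingStrategy();
        fields.put(PARAM_CHECKING_STRATEGRY, strategy == null ? "" : strategy.name());
        // The polling settings only carry meaning for POLL_URL; for the other
        // strategies these keys are left out entirely.
        if (AuthCheckingStrategy.POLL_URL.equals(strategy)) {
            fields.put(PARAM_POLL_URL, authenticationMethod.getPollUrl());
            fields.put(PARAM_POLL_DATA, authenticationMethod.getPollData());
            // Previously reported getPollData() under the headers key, so the response
            // echoed the poll body instead of the headers set via setPollHeaders(..).
            fields.put(PARAM_POLL_HEADERS, authenticationMethod.getPollHeaders());
            fields.put(PARAM_POLL_FREQ, Integer.toString(authenticationMethod.getPollFrequency()));
            AuthPollFrequencyUnits units = authenticationMethod.getPollFrequencyUnits();
            fields.put(PARAM_POLL_FREQ_UNITS, units == null ? "" : units.name());
        }
    }

    AuthorizationDetectionMethod authorizationDetectionMethod = c.getAuthorizationDetectionMethod();
    if (authorizationDetectionMethod != null) {
        // The value comes from the *authorization* detection method; the key name is
        // kept as-is because API clients already depend on it.
        fields.put("authenticationDetectionMethodId", String.valueOf(authorizationDetectionMethod.getMethodUniqueIdentifier()));
    }

    fields.put("urlParameterParserClass", c.getUrlParamParser().getClass().getCanonicalName());
    fields.put("urlParameterParserConfig", c.getUrlParamParser().getConfig());
    fields.put("postParameterParserClass", c.getPostParamParser().getClass().getCanonicalName());
    fields.put("postParameterParserConfig", c.getPostParamParser().getConfig());
    return new ApiResponseSet<>("context", fields);
}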

Example 2 with AuthCheckingStrategy

use of org.zaproxy.zap.authentication.AuthenticationMethod.AuthCheckingStrategy in project zaproxy by zaproxy.

From the class ContextAPI, method handleApiAction.

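/**
 * Dispatches a context API action by name.
 *
 * <p>Most actions mutate the context and persist it through the session, returning
 * {@link ApiResponseElement#OK}. {@code ACTION_NEW_CONTEXT} and
 * {@code ACTION_IMPORT_CONTEXT} instead return the id of the created/imported context
 * under {@code CONTEXT_ID}.
 *
 * @param name the action name, one of the {@code ACTION_*} constants
 * @param params the action parameters supplied by the API caller
 * @return {@link ApiResponseElement#OK}, or the new context's id for the two actions above
 * @throws ApiException with {@code ILLEGAL_PARAMETER} for an unparsable or out-of-range
 *     parameter, {@code ALREADY_EXISTS} for a duplicate context name, {@code DOES_NOT_EXIST}
 *     / {@code NO_ACCESS} for import/export file problems, {@code BAD_EXTERNAL_DATA} for an
 *     unimportable file, {@code INTERNAL_ERROR} for other import/export failures and
 *     {@code BAD_ACTION} for an unknown action name
 */
@Override
public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
    log.debug("handleApiAction " + name + " " + params.toString());
    Context context;
    TechSet techSet;
    String[] techNames;
    String filename;
    File f;
    switch(name) {
        case ACTION_EXCLUDE_FROM_CONTEXT_REGEX:
            try {
                addExcludeToContext(getContext(params), params.getString(REGEX_PARAM));
            } catch (IllegalArgumentException e) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, REGEX_PARAM, e);
            }
            break;
        case ACTION_INCLUDE_IN_CONTEXT_REGEX:
            try {
                addIncludeToContext(getContext(params), params.getString(REGEX_PARAM));
            } catch (IllegalArgumentException e) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, REGEX_PARAM, e);
            }
            break;
        case ACTION_SET_CONTEXT_REGEXS:
            context = getContext(params);
            JSONArray incRegexs;
            JSONArray excRegexs;
            // Both lists are replaced wholesale; the cause is kept on the ApiException so
            // the offending regex/JSON is visible in the log, as for the single-regex actions.
            try {
                incRegexs = JSONArray.fromObject(params.get(INC_REGEXS_PARAM));
                context.setIncludeInContextRegexs(JsonUtil.toStringList(incRegexs));
            } catch (JSONException e1) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, INC_REGEXS_PARAM, e1);
            }
            try {
                excRegexs = JSONArray.fromObject(params.get(EXC_REGEXS_PARAM));
                context.setExcludeFromContextRegexs(JsonUtil.toStringList(excRegexs));
            } catch (Exception e1) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, EXC_REGEXS_PARAM, e1);
            }
            Model.getSingleton().getSession().saveContext(context);
            break;
        case ACTION_SET_CONTEXT_CHECKING_STRATEGY:
            context = getContext(params);
            AuthCheckingStrategy checkingStrategy;
            try {
                checkingStrategy = AuthCheckingStrategy.valueOf(params.getString(PARAM_CHECKING_STRATEGRY));
            } catch (Exception e1) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_CHECKING_STRATEGRY, e1);
            }
            // The polling parameters are only required (and only validated) for POLL_URL.
            if (AuthCheckingStrategy.POLL_URL.equals(checkingStrategy)) {
                AuthPollFrequencyUnits units;
                try {
                    units = AuthPollFrequencyUnits.valueOf(params.getString(PARAM_POLL_FREQ_UNITS));
                } catch (Exception e) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_POLL_FREQ_UNITS, e);
                }
                int freq;
                String pollUrl = params.getString(PARAM_POLL_URL);
                String pollData = params.getString(PARAM_POLL_DATA);
                String pollHeaders = params.getString(PARAM_POLL_HEADERS);
                if (pollUrl == null || pollUrl.isEmpty()) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_POLL_URL);
                }
                // Parse-only: rejects syntactically invalid URLs before anything is stored.
                try {
                    new URI(pollUrl, true);
                } catch (Exception e) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_POLL_URL, e);
                }
                try {
                    freq = params.getInt(PARAM_POLL_FREQ);
                } catch (Exception e) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_POLL_FREQ, e);
                }
                if (freq <= 0) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_POLL_FREQ);
                }
                // All inputs validated; now apply them together so a rejected parameter
                // never leaves the method half-updated.
                context.getAuthenticationMethod().setPollUrl(pollUrl);
                context.getAuthenticationMethod().setPollData(pollData);
                context.getAuthenticationMethod().setPollHeaders(pollHeaders);
                context.getAuthenticationMethod().setPollFrequency(freq);
                context.getAuthenticationMethod().setPollFrequencyUnits(units);
            }
            context.getAuthenticationMethod().setAuthCheckingStrategy(checkingStrategy);
            Model.getSingleton().getSession().saveContext(context);
            break;
        case ACTION_NEW_CONTEXT:
            String contextName = params.getString(CONTEXT_NAME);
            try {
                context = Model.getSingleton().getSession().getNewContext(contextName);
            } catch (IllegalContextNameException e) {
                throw new ApiException(ApiException.Type.ALREADY_EXISTS, contextName, e);
            }
            Model.getSingleton().getSession().saveContext(context);
            return new ApiResponseElement(CONTEXT_ID, String.valueOf(context.getId()));
        case ACTION_REMOVE_CONTEXT:
            context = getContext(params);
            Model.getSingleton().getSession().deleteContext(context);
            break;
        case ACTION_SET_CONTEXT_IN_SCOPE:
            context = getContext(params);
            context.setInScope(params.getBoolean(IN_SCOPE));
            Model.getSingleton().getSession().saveContext(context);
            break;
        case ACTION_IMPORT_CONTEXT:
            // The caller-supplied path is used as given (absolute or relative to the
            // working directory) and only falls back to the contexts dir if it does not exist.
            filename = params.getString(CONTEXT_FILE_PARAM);
            f = new File(filename);
            if (!f.exists()) {
                // Try relative to the contexts dir
                f = new File(Constant.getContextsDir(), filename);
            }
            if (!f.exists()) {
                throw new ApiException(ApiException.Type.DOES_NOT_EXIST, f.getAbsolutePath());
            } else {
                try {
                    context = Model.getSingleton().getSession().importContext(f);
                } catch (IllegalContextNameException e) {
                    throw new ApiException(ApiException.Type.BAD_EXTERNAL_DATA, e);
                } catch (Exception e) {
                    log.error(e.getMessage(), e);
                    throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
                }
            }
            return new ApiResponseElement(CONTEXT_ID, String.valueOf(context.getId()));
        case ACTION_EXPORT_CONTEXT:
            // An absolute filename is written where the caller asks; anything else is
            // placed under the contexts dir.
            filename = params.getString(CONTEXT_FILE_PARAM);
            context = getContext(params);
            f = new File(filename);
            if (!f.getAbsolutePath().equals(filename)) {
                // Not an absolute filename, use one relative to the contexts dir
                f = new File(Constant.getContextsDir(), filename);
            }
            // getParentFile() is null for a filesystem root; treat that like an unwritable
            // parent instead of letting canWrite() throw a NullPointerException.
            File parentDir = f.getParentFile();
            if (parentDir == null || !parentDir.canWrite()) {
                // Cant write to the parent dir so not looking good
                throw new ApiException(ApiException.Type.NO_ACCESS, f.getAbsolutePath());
            } else {
                try {
                    Model.getSingleton().getSession().exportContext(context, f);
                } catch (Exception e) {
                    throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
                }
            }
            break;
        case ACTION_INCLUDE_TECHS:
            context = getContext(params);
            techSet = context.getTechSet();
            // Comma-separated names; getTech(..) is responsible for rejecting unknown ones.
            techNames = getParam(params, PARAM_TECH_NAMES, "").split(",");
            for (String techName : techNames) {
                techSet.include(getTech(techName));
            }
            context.save();
            break;
        case ACTION_INCLUDE_ALL_TECHS:
            context = getContext(params);
            techSet = new TechSet(Tech.getAll());
            context.setTechSet(techSet);
            context.save();
            break;
        case ACTION_EXCLUDE_TECHS:
            context = getContext(params);
            techSet = context.getTechSet();
            techNames = getParam(params, PARAM_TECH_NAMES, "").split(",");
            for (String techName : techNames) {
                techSet.exclude(getTech(techName));
            }
            context.save();
            break;
        case ACTION_EXCLUDE_ALL_TECHS:
            context = getContext(params);
            techSet = context.getTechSet();
            for (Tech tech : Tech.getAll()) {
                techSet.exclude(tech);
            }
            context.save();
            break;
        default:
            throw new ApiException(Type.BAD_ACTION);
    }
    return ApiResponseElement.OK;
}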

Example 3 with AuthCheckingStrategy

use of org.zaproxy.zap.authentication.AuthenticationMethod.AuthCheckingStrategy in project zaproxy by zaproxy.

From the class ExtensionAuthentication, method importContextData.

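/**
 * Restores the authentication method of {@code ctx} from an exported context configuration.
 *
 * <p>Does nothing when the configuration carries no authentication type
 * ({@code NO_AUTH_METHOD}) or names a type this extension does not know (logged as a
 * warning). Otherwise a fresh method of that type is created on the context, the common
 * settings (checking strategy, polling parameters, logged-in/out indicators) are applied,
 * and the type-specific data is delegated to {@code AuthenticationMethodType#importData}.
 *
 * @param ctx the context being imported into
 * @param config the configuration read from the context file
 * @throws ConfigurationException if the file names a checking strategy or poll frequency
 *     unit that is not a known enum constant (these used to escape as an unchecked
 *     {@code IllegalArgumentException}, which the API layer reported as an internal error
 *     rather than bad external data)
 */
@Override
public void importContextData(Context ctx, Configuration config) throws ConfigurationException {
    int typeId = config.getInt(AuthenticationMethod.CONTEXT_CONFIG_AUTH_TYPE, NO_AUTH_METHOD);
    if (typeId == NO_AUTH_METHOD) {
        return;
    }
    AuthenticationMethodType authMethodType = getAuthenticationMethodTypeForIdentifier(typeId);
    if (authMethodType == null) {
        log.warn("No authentication method type found for ID: " + typeId);
        return;
    }
    ctx.setAuthenticationMethod(authMethodType.createAuthenticationMethod(ctx.getId()));
    AuthenticationMethod method = ctx.getAuthenticationMethod();
    method.setAuthCheckingStrategy(
            readEnum(config, AuthenticationMethod.CONTEXT_CONFIG_AUTH_STRATEGY, AuthCheckingStrategy.EACH_RESP));
    method.setPollUrl(config.getString(AuthenticationMethod.CONTEXT_CONFIG_AUTH_POLL_URL, ""));
    method.setPollData(config.getString(AuthenticationMethod.CONTEXT_CONFIG_AUTH_POLL_DATA, ""));
    method.setPollHeaders(config.getString(AuthenticationMethod.CONTEXT_CONFIG_AUTH_POLL_HEADERS, ""));
    method.setPollFrequency(config.getInt(AuthenticationMethod.CONTEXT_CONFIG_AUTH_POLL_FREQ, AuthenticationMethod.DEFAULT_POLL_FREQUENCY));
    method.setPollFrequencyUnits(
            readEnum(config, AuthenticationMethod.CONTEXT_CONFIG_AUTH_POLL_UNITS, AuthPollFrequencyUnits.REQUESTS));
    method.setLoggedInIndicatorPattern(config.getString(AuthenticationMethod.CONTEXT_CONFIG_AUTH_LOGGEDIN, ""));
    method.setLoggedOutIndicatorPattern(config.getString(AuthenticationMethod.CONTEXT_CONFIG_AUTH_LOGGEDOUT, ""));
    // Type-specific settings (credentials layout, login request, script, ...) live with the type.
    method.getType().importData(config, method);
}

/**
 * Reads an enum constant by name from {@code config}, falling back to {@code defaultValue}
 * when {@code key} is absent.
 *
 * @param config the configuration to read from
 * @param key the configuration key holding the constant's name
 * @param defaultValue the constant used when the key is absent; also fixes the enum type
 * @return the constant named by the configuration, or {@code defaultValue}
 * @throws ConfigurationException if the configured name is not a constant of that enum
 */
private static <E extends Enum<E>> E readEnum(Configuration config, String key, E defaultValue)
        throws ConfigurationException {
    String raw = config.getString(key, defaultValue.name());
    try {
        return Enum.valueOf(defaultValue.getDeclaringClass(), raw);
    } catch (IllegalArgumentException e) {
        throw new ConfigurationException("Invalid value for " + key + ": " + raw, e);
    }
}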
