Example 31 with ApiException
use of org.zaproxy.zap.extension.api.ApiException in project zaproxy by zaproxy.
the class GenericAuthenticationCredentials method getSetCredentialsForUserApiAction.
/**
* Gets the api action for setting a {@link GenericAuthenticationCredentials} for an User.
*
* @param methodType the method type for which this is called
* @return api action implementation
*/
public static ApiDynamicActionImplementor getSetCredentialsForUserApiAction(final AuthenticationMethodType methodType) {
return new ApiDynamicActionImplementor(ACTION_SET_CREDENTIALS, null, new String[] { PARAM_CONFIG_PARAMS }) {
@Override
public void handleAction(JSONObject params) throws ApiException {
Context context = ApiUtils.getContextByParamId(params, UsersAPI.PARAM_CONTEXT_ID);
int userId = ApiUtils.getIntParam(params, UsersAPI.PARAM_USER_ID);
// Make sure the type of authentication method is compatible
if (!methodType.isTypeForMethod(context.getAuthenticationMethod()))
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, "User's credentials should match authentication method type of the context: " + context.getAuthenticationMethod().getType().getName());
// NOTE: no need to check if extension is loaded as this method is called only if
// the Users extension is loaded
ExtensionUserManagement extensionUserManagement = (ExtensionUserManagement) Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.NAME);
User user = extensionUserManagement.getContextUserAuthManager(context.getIndex()).getUserById(userId);
if (user == null)
throw new ApiException(ApiException.Type.USER_NOT_FOUND, UsersAPI.PARAM_USER_ID);
// Build and set the credentials
GenericAuthenticationCredentials credentials = (GenericAuthenticationCredentials) context.getAuthenticationMethod().createAuthenticationCredentials();
for (String paramName : credentials.paramNames) credentials.setParam(paramName, ApiUtils.getNonEmptyStringParam(params, paramName));
user.setAuthenticationCredentials(credentials);
}
};
}
Also used :
ApiDynamicActionImplementor(org.zaproxy.zap.extension.api.ApiDynamicActionImplementor)
Context(org.zaproxy.zap.model.Context)
ExtensionUserManagement(org.zaproxy.zap.extension.users.ExtensionUserManagement)
User(org.zaproxy.zap.users.User)
JSONObject(net.sf.json.JSONObject)
ApiException(org.zaproxy.zap.extension.api.ApiException)
Example 32 with ApiException
use of org.zaproxy.zap.extension.api.ApiException in project zaproxy by zaproxy.
the class ManualAuthenticationMethodType method getSetCredentialsForUserApiAction.
@Override
public ApiDynamicActionImplementor getSetCredentialsForUserApiAction() {
return new ApiDynamicActionImplementor(ACTION_SET_CREDENTIALS, new String[] { PARAM_SESSION_NAME }, null) {
@Override
public void handleAction(JSONObject params) throws ApiException {
Context context = ApiUtils.getContextByParamId(params, UsersAPI.PARAM_CONTEXT_ID);
int userId = ApiUtils.getIntParam(params, UsersAPI.PARAM_USER_ID);
// Make sure the type of authentication method is compatible
if (!isTypeForMethod(context.getAuthenticationMethod())) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, "User's credentials should match authentication method type of the context: " + context.getAuthenticationMethod().getType().getName());
}
// NOTE: no need to check if extension is loaded as this method
// is called only if
// the Users
// extension is loaded
ExtensionUserManagement extensionUserManagement = (ExtensionUserManagement) Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.NAME);
User user = extensionUserManagement.getContextUserAuthManager(context.getIndex()).getUserById(userId);
if (user == null) {
throw new ApiException(Type.USER_NOT_FOUND, UsersAPI.PARAM_USER_ID);
}
String sessionName = ApiUtils.getNonEmptyStringParam(params, PARAM_SESSION_NAME);
// Get the matching session
ExtensionHttpSessions extensionHttpSessions = (ExtensionHttpSessions) Control.getSingleton().getExtensionLoader().getExtension(ExtensionHttpSessions.NAME);
if (extensionHttpSessions == null) {
throw new ApiException(Type.NO_IMPLEMENTOR, "HttpSessions extension is not loaded.");
}
List<HttpSession> sessions = extensionHttpSessions.getHttpSessionsForContext(context);
HttpSession matchedSession = null;
for (HttpSession session : sessions) {
if (session.getName().equals(sessionName)) {
matchedSession = session;
break;
}
}
if (matchedSession == null) {
throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SESSION_NAME);
}
// Set the credentials
ManualAuthenticationCredentials credentials = createAuthenticationCredentials();
credentials.setSelectedSession(matchedSession);
user.setAuthenticationCredentials(credentials);
}
};
}
Also used :
ApiDynamicActionImplementor(org.zaproxy.zap.extension.api.ApiDynamicActionImplementor)
Context(org.zaproxy.zap.model.Context)
ExtensionUserManagement(org.zaproxy.zap.extension.users.ExtensionUserManagement)
User(org.zaproxy.zap.users.User)
JSONObject(net.sf.json.JSONObject)
HttpSession(org.zaproxy.zap.extension.httpsessions.HttpSession)
ExtensionHttpSessions(org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions)
ApiException(org.zaproxy.zap.extension.api.ApiException)
Example 33 with ApiException
use of org.zaproxy.zap.extension.api.ApiException in project zaproxy by zaproxy.
the class UsersAPI method getUser.
/**
* Gets the user corresponding to the id provided in the parameters or throws an ApiException id
* any problems occurred.
*
* @param params the params
* @return the user
* @throws ApiException the api exception
*/
private User getUser(JSONObject params) throws ApiException {
int contextId = getContextId(params);
int userId = getUserId(params);
User user = extension.getContextUserAuthManager(contextId).getUserById(userId);
if (user == null)
throw new ApiException(Type.USER_NOT_FOUND, PARAM_USER_ID);
return user;
}
Also used :
User(org.zaproxy.zap.users.User)
ApiException(org.zaproxy.zap.extension.api.ApiException)
Example 34 with ApiException
use of org.zaproxy.zap.extension.api.ApiException in project zaproxy by zaproxy.
the class SpiderAPI method scanURL.
/**
* Starts a spider scan at the given {@code url} and, optionally, with the perspective of the given {@code user}.
*
* @param url the url to start the spider scan
* @param user the user to scan as, or null if the scan is done without the perspective of any user
* @param maxChildren Max number of children to scan
* @param recurse Whether or not to scan recursively
* @param context the context that will be used during spider process, might be {@code null}
* @param subtreeOnly if the scan should be done only under a site's subtree
* @return the ID of the newly started scan
* @throws ApiException if the {@code url} is not valid
*/
private int scanURL(String url, User user, int maxChildren, boolean recurse, Context context, boolean subtreeOnly) throws ApiException {
log.debug("API Spider scanning url: " + url);
boolean useUrl = true;
if (url == null || url.isEmpty()) {
if (context == null || !context.hasNodesInContextFromSiteTree()) {
throw new ApiException(Type.MISSING_PARAMETER, PARAM_URL);
}
useUrl = false;
} else if (context != null && !context.isInContext(url)) {
throw new ApiException(Type.URL_NOT_IN_CONTEXT, PARAM_URL);
}
StructuralNode node = null;
URI startURI = null;
if (useUrl) {
try {
// Try to build uri
startURI = new URI(url, true);
} catch (URIException e) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_URL);
}
String scheme = startURI.getScheme();
if (scheme == null || (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https"))) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_URL);
}
try {
node = SessionStructure.find(Model.getSingleton().getSession().getSessionId(), new URI(url, false), "GET", "");
} catch (Exception e) {
throw new ApiException(ApiException.Type.INTERNAL_ERROR);
}
}
Target target;
if (useUrl) {
target = new Target(node);
target.setContext(context);
} else {
target = new Target(context);
}
target.setRecurse(recurse);
switch(Control.getSingleton().getMode()) {
case safe:
throw new ApiException(ApiException.Type.MODE_VIOLATION);
case protect:
if ((useUrl && !Model.getSingleton().getSession().isInScope(url)) || (context != null && !context.isInScope())) {
throw new ApiException(ApiException.Type.MODE_VIOLATION);
}
// No problem
break;
case standard:
// No problem
break;
case attack:
// No problem
break;
}
List<Object> objs = new ArrayList<>(4);
if (startURI != null) {
objs.add(startURI);
if (subtreeOnly) {
objs.add(new HttpPrefixFetchFilter(startURI));
}
}
if (maxChildren > 0) {
// Add the filters to filter on maximum number of children
MaxChildrenFetchFilter maxChildrenFetchFilter = new MaxChildrenFetchFilter();
maxChildrenFetchFilter.setMaxChildren(maxChildren);
maxChildrenFetchFilter.setModel(extension.getModel());
MaxChildrenParseFilter maxChildrenParseFilter = new MaxChildrenParseFilter();
maxChildrenParseFilter.setMaxChildren(maxChildren);
maxChildrenParseFilter.setModel(extension.getModel());
objs.add(maxChildrenFetchFilter);
objs.add(maxChildrenParseFilter);
}
return extension.startScan(target, user, objs.toArray(new Object[objs.size()]));
}
Also used :
StructuralNode(org.zaproxy.zap.model.StructuralNode)
MaxChildrenParseFilter(org.zaproxy.zap.spider.filters.MaxChildrenParseFilter)
MaxChildrenFetchFilter(org.zaproxy.zap.spider.filters.MaxChildrenFetchFilter)
ArrayList(java.util.ArrayList)
URI(org.apache.commons.httpclient.URI)
URIException(org.apache.commons.httpclient.URIException)
HttpMalformedHeaderException(org.parosproxy.paros.network.HttpMalformedHeaderException)
JSONException(net.sf.json.JSONException)
PatternSyntaxException(java.util.regex.PatternSyntaxException)
ApiException(org.zaproxy.zap.extension.api.ApiException)
DatabaseException(org.parosproxy.paros.db.DatabaseException)
Target(org.zaproxy.zap.model.Target)
URIException(org.apache.commons.httpclient.URIException)
HttpPrefixFetchFilter(org.zaproxy.zap.spider.filters.HttpPrefixFetchFilter)
JSONObject(net.sf.json.JSONObject)
ApiException(org.zaproxy.zap.extension.api.ApiException)
Example 35 with ApiException
use of org.zaproxy.zap.extension.api.ApiException in project zaproxy by zaproxy.
the class SessionManagementAPI method handleApiAction.
@Override
public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
log.debug("handleApiAction " + name + " " + params.toString());
switch(name) {
case ACTION_SET_METHOD:
// Prepare the params
JSONObject actionParams;
if (params.has(PARAM_METHOD_CONFIG_PARAMS))
actionParams = API.getParams(params.getString(PARAM_METHOD_CONFIG_PARAMS));
else
actionParams = new JSONObject();
Context context = getContext(params);
actionParams.put(PARAM_CONTEXT_ID, context.getIndex());
// Run the method
getSetMethodActionImplementor(params).handleAction(actionParams);
context.save();
return ApiResponseElement.OK;
default:
throw new ApiException(Type.BAD_ACTION);
}
}
Also used :
Context(org.zaproxy.zap.model.Context)
JSONObject(net.sf.json.JSONObject)
ApiException(org.zaproxy.zap.extension.api.ApiException)
Aggregations
ApiException (org.zaproxy.zap.extension.api.ApiException)44
Context (org.zaproxy.zap.model.Context)18
ApiResponseElement (org.zaproxy.zap.extension.api.ApiResponseElement)12
ApiResponseList (org.zaproxy.zap.extension.api.ApiResponseList)12
JSONObject (net.sf.json.JSONObject)11
DatabaseException (org.parosproxy.paros.db.DatabaseException)10
User (org.zaproxy.zap.users.User)9
ApiDynamicActionImplementor (org.zaproxy.zap.extension.api.ApiDynamicActionImplementor)8
HashMap (java.util.HashMap)7
PatternSyntaxException (java.util.regex.PatternSyntaxException)6
JSONException (net.sf.json.JSONException)6
HttpMalformedHeaderException (org.parosproxy.paros.network.HttpMalformedHeaderException)6
ApiResponse (org.zaproxy.zap.extension.api.ApiResponse)6
GenericScanner2 (org.zaproxy.zap.model.GenericScanner2)6
ArrayList (java.util.ArrayList)5
ConfigurationException (org.apache.commons.configuration.ConfigurationException)5
ExtensionUserManagement (org.zaproxy.zap.extension.users.ExtensionUserManagement)5
URIException (org.apache.commons.httpclient.URIException)4
Plugin (org.parosproxy.paros.core.scanner.Plugin)4
Session (org.parosproxy.paros.model.Session)4
