
Example 31 with ApiException

use of org.zaproxy.zap.extension.api.ApiException in project zaproxy by zaproxy.

the class GenericAuthenticationCredentials method getSetCredentialsForUserApiAction.

/**
 * Gets the API action for setting a {@link GenericAuthenticationCredentials} for a User.
 *
 * @param methodType the method type for which this is called
 * @return api action implementation
 */
public static ApiDynamicActionImplementor getSetCredentialsForUserApiAction(final AuthenticationMethodType methodType) {
    return new ApiDynamicActionImplementor(ACTION_SET_CREDENTIALS, null, new String[] { PARAM_CONFIG_PARAMS }) {

        @Override
        public void handleAction(JSONObject params) throws ApiException {
            Context context = ApiUtils.getContextByParamId(params, UsersAPI.PARAM_CONTEXT_ID);
            int userId = ApiUtils.getIntParam(params, UsersAPI.PARAM_USER_ID);
            // Make sure the type of authentication method is compatible
            if (!methodType.isTypeForMethod(context.getAuthenticationMethod())) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, "User's credentials should match authentication method type of the context: " + context.getAuthenticationMethod().getType().getName());
            }
            // NOTE: no need to check if extension is loaded as this method is called only if
            // the Users extension is loaded
            ExtensionUserManagement extensionUserManagement = (ExtensionUserManagement) Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.NAME);
            User user = extensionUserManagement.getContextUserAuthManager(context.getIndex()).getUserById(userId);
            if (user == null) {
                throw new ApiException(ApiException.Type.USER_NOT_FOUND, UsersAPI.PARAM_USER_ID);
            }
            // Build and set the credentials
            GenericAuthenticationCredentials credentials = (GenericAuthenticationCredentials) context.getAuthenticationMethod().createAuthenticationCredentials();
            for (String paramName : credentials.paramNames) credentials.setParam(paramName, ApiUtils.getNonEmptyStringParam(params, paramName));
            user.setAuthenticationCredentials(credentials);
        }
    };
}
Also used : ApiDynamicActionImplementor(org.zaproxy.zap.extension.api.ApiDynamicActionImplementor) Context(org.zaproxy.zap.model.Context) ExtensionUserManagement(org.zaproxy.zap.extension.users.ExtensionUserManagement) User(org.zaproxy.zap.users.User) JSONObject(net.sf.json.JSONObject) ApiException(org.zaproxy.zap.extension.api.ApiException)

Example 32 with ApiException

use of org.zaproxy.zap.extension.api.ApiException in project zaproxy by zaproxy.

the class ManualAuthenticationMethodType method getSetCredentialsForUserApiAction.

@Override
public ApiDynamicActionImplementor getSetCredentialsForUserApiAction() {
    return new ApiDynamicActionImplementor(ACTION_SET_CREDENTIALS, new String[] { PARAM_SESSION_NAME }, null) {

        @Override
        public void handleAction(JSONObject params) throws ApiException {
            Context context = ApiUtils.getContextByParamId(params, UsersAPI.PARAM_CONTEXT_ID);
            int userId = ApiUtils.getIntParam(params, UsersAPI.PARAM_USER_ID);
            // Make sure the type of authentication method is compatible
            if (!isTypeForMethod(context.getAuthenticationMethod())) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, "User's credentials should match authentication method type of the context: " + context.getAuthenticationMethod().getType().getName());
            }
            // NOTE: no need to check if extension is loaded as this method is called only if
            // the Users extension is loaded
            ExtensionUserManagement extensionUserManagement = (ExtensionUserManagement) Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.NAME);
            User user = extensionUserManagement.getContextUserAuthManager(context.getIndex()).getUserById(userId);
            if (user == null) {
                throw new ApiException(Type.USER_NOT_FOUND, UsersAPI.PARAM_USER_ID);
            }
            String sessionName = ApiUtils.getNonEmptyStringParam(params, PARAM_SESSION_NAME);
            // Get the matching session
            ExtensionHttpSessions extensionHttpSessions = (ExtensionHttpSessions) Control.getSingleton().getExtensionLoader().getExtension(ExtensionHttpSessions.NAME);
            if (extensionHttpSessions == null) {
                throw new ApiException(Type.NO_IMPLEMENTOR, "HttpSessions extension is not loaded.");
            }
            List<HttpSession> sessions = extensionHttpSessions.getHttpSessionsForContext(context);
            HttpSession matchedSession = null;
            for (HttpSession session : sessions) {
                if (session.getName().equals(sessionName)) {
                    matchedSession = session;
                    break;
                }
            }
            if (matchedSession == null) {
                throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SESSION_NAME);
            }
            // Set the credentials
            ManualAuthenticationCredentials credentials = createAuthenticationCredentials();
            credentials.setSelectedSession(matchedSession);
            user.setAuthenticationCredentials(credentials);
        }
    };
}
Also used : ApiDynamicActionImplementor(org.zaproxy.zap.extension.api.ApiDynamicActionImplementor) Context(org.zaproxy.zap.model.Context) ExtensionUserManagement(org.zaproxy.zap.extension.users.ExtensionUserManagement) User(org.zaproxy.zap.users.User) JSONObject(net.sf.json.JSONObject) HttpSession(org.zaproxy.zap.extension.httpsessions.HttpSession) ExtensionHttpSessions(org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions) ApiException(org.zaproxy.zap.extension.api.ApiException)

Example 33 with ApiException

use of org.zaproxy.zap.extension.api.ApiException in project zaproxy by zaproxy.

the class UsersAPI method getUser.

/**
 * Gets the user corresponding to the id provided in the parameters, or throws an ApiException if
 * any problem occurred.
 *
 * @param params the params
 * @return the user
 * @throws ApiException the api exception
 */
private User getUser(JSONObject params) throws ApiException {
    int contextId = getContextId(params);
    int userId = getUserId(params);
    User user = extension.getContextUserAuthManager(contextId).getUserById(userId);
    if (user == null) {
        throw new ApiException(Type.USER_NOT_FOUND, PARAM_USER_ID);
    }
    return user;
}
Also used : User(org.zaproxy.zap.users.User) ApiException(org.zaproxy.zap.extension.api.ApiException)

Example 34 with ApiException

use of org.zaproxy.zap.extension.api.ApiException in project zaproxy by zaproxy.

the class SpiderAPI method scanURL.

/**
 * Starts a spider scan at the given {@code url} and, optionally, with the perspective of the given {@code user}.
 *
 * @param url the url to start the spider scan
 * @param user the user to scan as, or null if the scan is done without the perspective of any user
 * @param maxChildren max number of children to scan
 * @param recurse whether or not to scan recursively
 * @param context the context that will be used during the spider process, might be {@code null}
 * @param subtreeOnly if the scan should be done only under a site's subtree
 * @return the ID of the newly started scan
 * @throws ApiException if the {@code url} is not valid
 */
private int scanURL(String url, User user, int maxChildren, boolean recurse, Context context, boolean subtreeOnly) throws ApiException {
    log.debug("API Spider scanning url: " + url);
    boolean useUrl = true;
    if (url == null || url.isEmpty()) {
        if (context == null || !context.hasNodesInContextFromSiteTree()) {
            throw new ApiException(Type.MISSING_PARAMETER, PARAM_URL);
        }
        useUrl = false;
    } else if (context != null && !context.isInContext(url)) {
        throw new ApiException(Type.URL_NOT_IN_CONTEXT, PARAM_URL);
    }
    StructuralNode node = null;
    URI startURI = null;
    if (useUrl) {
        try {
            // Try to build uri
            startURI = new URI(url, true);
        } catch (URIException e) {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_URL);
        }
        String scheme = startURI.getScheme();
        if (scheme == null || (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https"))) {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_URL);
        }
        try {
            node = SessionStructure.find(Model.getSingleton().getSession().getSessionId(), new URI(url, false), "GET", "");
        } catch (Exception e) {
            throw new ApiException(ApiException.Type.INTERNAL_ERROR);
        }
    }
    Target target;
    if (useUrl) {
        target = new Target(node);
        target.setContext(context);
    } else {
        target = new Target(context);
    }
    target.setRecurse(recurse);
    switch (Control.getSingleton().getMode()) {
        case safe:
            throw new ApiException(ApiException.Type.MODE_VIOLATION);
        case protect:
            if ((useUrl && !Model.getSingleton().getSession().isInScope(url)) || (context != null && !context.isInScope())) {
                throw new ApiException(ApiException.Type.MODE_VIOLATION);
            }
            // No problem
            break;
        case standard:
            // No problem
            break;
        case attack:
            // No problem
            break;
    }
    List<Object> objs = new ArrayList<>(4);
    if (startURI != null) {
        objs.add(startURI);
        if (subtreeOnly) {
            objs.add(new HttpPrefixFetchFilter(startURI));
        }
    }
    if (maxChildren > 0) {
        // Add the filters to filter on maximum number of children
        MaxChildrenFetchFilter maxChildrenFetchFilter = new MaxChildrenFetchFilter();
        maxChildrenFetchFilter.setMaxChildren(maxChildren);
        maxChildrenFetchFilter.setModel(extension.getModel());
        MaxChildrenParseFilter maxChildrenParseFilter = new MaxChildrenParseFilter();
        maxChildrenParseFilter.setMaxChildren(maxChildren);
        maxChildrenParseFilter.setModel(extension.getModel());
        objs.add(maxChildrenFetchFilter);
        objs.add(maxChildrenParseFilter);
    }
    return extension.startScan(target, user, objs.toArray(new Object[objs.size()]));
}
Also used : StructuralNode(org.zaproxy.zap.model.StructuralNode) MaxChildrenParseFilter(org.zaproxy.zap.spider.filters.MaxChildrenParseFilter) MaxChildrenFetchFilter(org.zaproxy.zap.spider.filters.MaxChildrenFetchFilter) ArrayList(java.util.ArrayList) URI(org.apache.commons.httpclient.URI) URIException(org.apache.commons.httpclient.URIException) HttpMalformedHeaderException(org.parosproxy.paros.network.HttpMalformedHeaderException) JSONException(net.sf.json.JSONException) PatternSyntaxException(java.util.regex.PatternSyntaxException) ApiException(org.zaproxy.zap.extension.api.ApiException) DatabaseException(org.parosproxy.paros.db.DatabaseException) Target(org.zaproxy.zap.model.Target) URIException(org.apache.commons.httpclient.URIException) HttpPrefixFetchFilter(org.zaproxy.zap.spider.filters.HttpPrefixFetchFilter) JSONObject(net.sf.json.JSONObject) ApiException(org.zaproxy.zap.extension.api.ApiException)

Example 35 with ApiException

use of org.zaproxy.zap.extension.api.ApiException in project zaproxy by zaproxy.

the class SessionManagementAPI method handleApiAction.

@Override
public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
    log.debug("handleApiAction " + name + " " + params.toString());
    switch (name) {
        case ACTION_SET_METHOD:
            // Prepare the params
            JSONObject actionParams;
            if (params.has(PARAM_METHOD_CONFIG_PARAMS)) {
                actionParams = API.getParams(params.getString(PARAM_METHOD_CONFIG_PARAMS));
            } else {
                actionParams = new JSONObject();
            }
            Context context = getContext(params);
            actionParams.put(PARAM_CONTEXT_ID, context.getIndex());
            // Run the method
            getSetMethodActionImplementor(params).handleAction(actionParams);
            context.save();
            return ApiResponseElement.OK;
        default:
            throw new ApiException(Type.BAD_ACTION);
    }
}
Also used : Context(org.zaproxy.zap.model.Context) JSONObject(net.sf.json.JSONObject) ApiException(org.zaproxy.zap.extension.api.ApiException)

Aggregations

ApiException (org.zaproxy.zap.extension.api.ApiException)44 Context (org.zaproxy.zap.model.Context)18 ApiResponseElement (org.zaproxy.zap.extension.api.ApiResponseElement)12 ApiResponseList (org.zaproxy.zap.extension.api.ApiResponseList)12 JSONObject (net.sf.json.JSONObject)11 DatabaseException (org.parosproxy.paros.db.DatabaseException)10 User (org.zaproxy.zap.users.User)9 ApiDynamicActionImplementor (org.zaproxy.zap.extension.api.ApiDynamicActionImplementor)8 HashMap (java.util.HashMap)7 PatternSyntaxException (java.util.regex.PatternSyntaxException)6 JSONException (net.sf.json.JSONException)6 HttpMalformedHeaderException (org.parosproxy.paros.network.HttpMalformedHeaderException)6 ApiResponse (org.zaproxy.zap.extension.api.ApiResponse)6 GenericScanner2 (org.zaproxy.zap.model.GenericScanner2)6 ArrayList (java.util.ArrayList)5 ConfigurationException (org.apache.commons.configuration.ConfigurationException)5 ExtensionUserManagement (org.zaproxy.zap.extension.users.ExtensionUserManagement)5 URIException (org.apache.commons.httpclient.URIException)4 Plugin (org.parosproxy.paros.core.scanner.Plugin)4 Session (org.parosproxy.paros.model.Session)4