Example 36 with Context

use of org.zaproxy.zap.model.Context in project zaproxy by zaproxy.

the class UsernamePasswordAuthenticationCredentials method getSetCredentialsForUserApiAction.

/**
 * Gets the api action for setting a {@link UsernamePasswordAuthenticationCredentials} for an
 * User.
 *
 * @param methodType the method type for which this is called
 * @return the sets the credentials for user api action
 */
public static ApiDynamicActionImplementor getSetCredentialsForUserApiAction(final AuthenticationMethodType methodType) {
    return new ApiDynamicActionImplementor(ACTION_SET_CREDENTIALS, new String[] { PARAM_USERNAME, PARAM_PASSWORD }, null) {

        @Override
        public void handleAction(JSONObject params) throws ApiException {
            Context context = ApiUtils.getContextByParamId(params, UsersAPI.PARAM_CONTEXT_ID);
            int userId = ApiUtils.getIntParam(params, UsersAPI.PARAM_USER_ID);
            // Make sure the type of authentication method is compatible
            if (!methodType.isTypeForMethod(context.getAuthenticationMethod()))
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, "User's credentials should match authentication method type of the context: " + context.getAuthenticationMethod().getType().getName());
            // NOTE: no need to check if the extension is loaded, as this method is called
            // only if the Users extension is loaded
            ExtensionUserManagement extensionUserManagement = Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.class);
            User user = extensionUserManagement.getContextUserAuthManager(context.getId()).getUserById(userId);
            if (user == null)
                throw new ApiException(ApiException.Type.USER_NOT_FOUND, UsersAPI.PARAM_USER_ID);
            // Build and set the credentials
            UsernamePasswordAuthenticationCredentials credentials = new UsernamePasswordAuthenticationCredentials();
            credentials.username = ApiUtils.getNonEmptyStringParam(params, PARAM_USERNAME);
            credentials.password = params.optString(PARAM_PASSWORD, "");
            user.setAuthenticationCredentials(credentials);
        }
    };
}
Also used : ApiDynamicActionImplementor(org.zaproxy.zap.extension.api.ApiDynamicActionImplementor) Context(org.zaproxy.zap.model.Context) ExtensionUserManagement(org.zaproxy.zap.extension.users.ExtensionUserManagement) User(org.zaproxy.zap.users.User) JSONObject(net.sf.json.JSONObject) ApiException(org.zaproxy.zap.extension.api.ApiException)

Example 37 with Context

use of org.zaproxy.zap.model.Context in project zaproxy by zaproxy.

the class ScriptBasedAuthenticationMethodType method getSetMethodForContextApiAction.

@Override
public ApiDynamicActionImplementor getSetMethodForContextApiAction() {
    return new ApiDynamicActionImplementor(API_METHOD_NAME, new String[] { PARAM_SCRIPT_NAME }, new String[] { PARAM_SCRIPT_CONFIG_PARAMS }) {

        @Override
        public void handleAction(JSONObject params) throws ApiException {
            Context context = ApiUtils.getContextByParamId(params, AuthenticationAPI.PARAM_CONTEXT_ID);
            String scriptName = ApiUtils.getNonEmptyStringParam(params, PARAM_SCRIPT_NAME);
            // Prepare the method
            ScriptBasedAuthenticationMethod method = createAuthenticationMethod(context.getId());
            // Load the script and make sure it exists and follows the required interface
            ScriptWrapper script = getScriptsExtension().getScript(scriptName);
            if (script == null) {
                log.error("Unable to find script while loading Script Based Authentication Method for name: " + scriptName);
                throw new ApiException(ApiException.Type.SCRIPT_NOT_FOUND, scriptName);
            } else {
                log.info("Loaded script for API:" + script.getName());
            }
            method.script = script;
            // Check script interface and make sure we load the credentials parameter names
            AuthenticationScript s = getScriptInterfaceV2(script);
            if (s == null) {
                s = getScriptInterface(script);
            }
            if (s == null) {
                log.error("Unable to load Script Based Authentication method. The script " + script.getName() + " does not properly implement the Authentication Script interface.");
                throw new ApiException(ApiException.Type.BAD_SCRIPT_FORMAT, "Does not follow Authentication script interface");
            }
            try {
                if (s instanceof AuthenticationScriptV2) {
                    AuthenticationScriptV2 sV2 = (AuthenticationScriptV2) s;
                    method.setLoggedInIndicatorPattern(sV2.getLoggedInIndicator());
                    method.setLoggedOutIndicatorPattern(sV2.getLoggedOutIndicator());
                }
                method.credentialsParamNames = s.getCredentialsParamsNames();
                // Load config param names + values and make sure all of the required ones
                // are there
                String[] requiredParams = s.getRequiredParamsNames();
                String[] optionalParams = s.getOptionalParamsNames();
                if (log.isDebugEnabled()) {
                    log.debug("Loaded authentication script - required parameters: " + Arrays.toString(requiredParams) + " - optional parameters: " + Arrays.toString(optionalParams));
                }
                Map<String, String> paramValues = new HashMap<>();
                for (String rp : requiredParams) {
                    // If one of the required parameters is not present, it will throw
                    // an exception
                    String val = ApiUtils.getNonEmptyStringParam(params, rp);
                    paramValues.put(rp, val);
                }
                for (String op : optionalParams) paramValues.put(op, ApiUtils.getOptionalStringParam(params, op));
                method.paramValues = paramValues;
                if (log.isDebugEnabled())
                    log.debug("Loaded authentication script parameters:" + paramValues);
            } catch (ApiException e) {
                throw e;
            } catch (Exception e) {
                getScriptsExtension().handleScriptException(script, e);
                log.error("Unable to load Script Based Authentication method. The script " + script.getName() + " contains errors.");
                throw new ApiException(ApiException.Type.BAD_SCRIPT_FORMAT, e.getMessage());
            }
            context.setAuthenticationMethod(method);
        }
    };
}
Also used : ApiDynamicActionImplementor(org.zaproxy.zap.extension.api.ApiDynamicActionImplementor) Context(org.zaproxy.zap.model.Context) RecordContext(org.parosproxy.paros.db.RecordContext) HashMap(java.util.HashMap) ScriptException(javax.script.ScriptException) ApiException(org.zaproxy.zap.extension.api.ApiException) ConfigurationException(org.apache.commons.configuration.ConfigurationException) DatabaseException(org.parosproxy.paros.db.DatabaseException) JSONObject(net.sf.json.JSONObject) ScriptWrapper(org.zaproxy.zap.extension.script.ScriptWrapper) ApiException(org.zaproxy.zap.extension.api.ApiException)

Example 38 with Context

use of org.zaproxy.zap.model.Context in project zaproxy by zaproxy.

the class Session method open.

protected void open(String fileName) throws DatabaseException, IOException, Exception {
    // TODO extract into db specific classes??
    if (Database.DB_TYPE_HSQLDB.equals(model.getDb().getType())) {
        configuration = new ZapXmlConfiguration(new File(fileName));
        sessionId = configuration.getLong(SESSION_ID);
        sessionName = configuration.getString(SESSION_NAME, "");
        sessionDesc = configuration.getString(SESSION_DESC, "");
    } else {
        this.setSessionId(Long.parseLong(fileName));
    }
    model.getDb().close(false, isCleanUpRequired());
    model.getDb().open(fileName);
    this.fileName = fileName;
    if (View.isInitialised()) {
        // Detach the siteTree model from the Sites tree, to reduce notification changes to the
        // UI while loading
        View.getSingleton().getSiteTreePanel().getTreeSite().setModel(new SiteMap(null, null));
    }
    if (!Constant.isLowMemoryOptionSet()) {
        SiteNode newRoot = new SiteNode(siteTree, -1, Constant.messages.getString("tab.sites"));
        siteTree.setRoot(newRoot);
    }
    // update history reference
    List<Integer> list = model.getDb().getTableHistory().getHistoryIdsOfHistType(getSessionId(), HistoryReference.TYPE_PROXIED, HistoryReference.TYPE_ZAP_USER);
    HistoryReference historyRef = null;
    discardContexts();
    // Load the session urls
    this.setExcludeFromProxyRegexs(sessionUrlListToStingList(model.getDb().getTableSessionUrl().getUrlsForType(RecordSessionUrl.TYPE_EXCLUDE_FROM_PROXY)));
    this.setExcludeFromScanRegexs(sessionUrlListToStingList(model.getDb().getTableSessionUrl().getUrlsForType(RecordSessionUrl.TYPE_EXCLUDE_FROM_SCAN)));
    this.setExcludeFromSpiderRegexs(sessionUrlListToStingList(model.getDb().getTableSessionUrl().getUrlsForType(RecordSessionUrl.TYPE_EXCLUDE_FROM_SPIDER)));
    for (int i = 0; i < list.size(); i++) {
        // ZAP: Removed unnecessary cast.
        int historyId = list.get(i);
        try {
            historyRef = new HistoryReference(historyId);
            if (View.isInitialised()) {
                final HistoryReference hRef = historyRef;
                final HttpMessage msg = historyRef.getHttpMessage();
                EventQueue.invokeAndWait(new Runnable() {

                    @Override
                    public void run() {
                        SiteNode sn = getSiteTree().addPath(hRef, msg);
                        if (sn != null) {
                            sn.setIncludedInScope(isIncludedInScope(sn), false);
                            sn.setExcludedFromScope(isExcludedFromScope(sn), false);
                        }
                    }
                });
            } else {
                SiteNode sn = getSiteTree().addPath(historyRef);
                if (sn != null) {
                    sn.setIncludedInScope(this.isIncludedInScope(sn), false);
                    sn.setExcludedFromScope(this.isExcludedFromScope(sn), false);
                }
            }
            // ZAP: Load alerts from db
            historyRef.loadAlerts();
            if (i % 100 == 99)
                Thread.yield();
        } catch (Exception e) {
            // ZAP: Log exceptions
            log.warn(e.getMessage(), e);
        }
    }
    // update siteTree reference
    list = model.getDb().getTableHistory().getHistoryIdsOfHistType(getSessionId(), HistoryReference.TYPE_SPIDER, HistoryReference.TYPE_BRUTE_FORCE, HistoryReference.TYPE_SPIDER_AJAX, HistoryReference.TYPE_SCANNER);
    for (int i = 0; i < list.size(); i++) {
        // ZAP: Removed unnecessary cast.
        int historyId = list.get(i);
        try {
            historyRef = new HistoryReference(historyId);
            if (View.isInitialised()) {
                final HistoryReference hRef = historyRef;
                final HttpMessage msg = historyRef.getHttpMessage();
                EventQueue.invokeAndWait(new Runnable() {

                    @Override
                    public void run() {
                        getSiteTree().addPath(hRef, msg);
                    }
                });
            } else {
                getSiteTree().addPath(historyRef);
            }
            historyRef.loadAlerts();
            if (i % 100 == 99)
                Thread.yield();
        } catch (Exception e) {
            // ZAP: Log exceptions
            log.warn(e.getMessage(), e);
        }
    }
    List<RecordContext> contextData = model.getDb().getTableContext().getAllData();
    for (RecordContext data : contextData) {
        Context ctx = this.getContext(data.getContextId());
        if (ctx == null) {
            ctx = new Context(this, data.getContextId());
            this.addContext(ctx);
            if (nextContextId <= data.getContextId()) {
                nextContextId = data.getContextId() + 1;
            }
        }
        switch(data.getType()) {
            case RecordContext.TYPE_NAME:
                ctx.setName(data.getData());
                if (View.isInitialised() && !ctx.getName().equals(String.valueOf(ctx.getId()))) {
                    View.getSingleton().renameContext(ctx);
                }
                break;
            case RecordContext.TYPE_DESCRIPTION:
                ctx.setDescription(data.getData());
                break;
            case RecordContext.TYPE_INCLUDE:
                ctx.addIncludeInContextRegex(data.getData());
                break;
            case RecordContext.TYPE_EXCLUDE:
                ctx.addExcludeFromContextRegex(data.getData());
                break;
            case RecordContext.TYPE_IN_SCOPE:
                ctx.setInScope(Boolean.parseBoolean(data.getData()));
                break;
            case RecordContext.TYPE_INCLUDE_TECH:
                ctx.getTechSet().include(new Tech(data.getData()));
                break;
            case RecordContext.TYPE_EXCLUDE_TECH:
                ctx.getTechSet().exclude(new Tech(data.getData()));
                break;
        }
    }
    for (Context ctx : contexts) {
        try {
            // Set up the URL parameter parser
            List<String> strs = this.getContextDataStrings(ctx.getId(), RecordContext.TYPE_URL_PARSER_CLASSNAME);
            if (strs.size() == 1) {
                Class<?> c = ExtensionFactory.getAddOnLoader().loadClass(strs.get(0));
                if (c == null) {
                    log.error("Failed to load URL parser for context " + ctx.getId() + " : " + strs.get(0));
                } else {
                    ParameterParser parser = (ParameterParser) c.getConstructor().newInstance();
                    strs = this.getContextDataStrings(ctx.getId(), RecordContext.TYPE_URL_PARSER_CONFIG);
                    if (strs.size() == 1) {
                        parser.init(strs.get(0));
                    }
                    parser.setContext(ctx);
                    ctx.setUrlParamParser(parser);
                }
            }
        } catch (Exception e) {
            log.error("Failed to load URL parser for context " + ctx.getId(), e);
        }
        try {
            // Set up the POST parameter parser
            List<String> strs = this.getContextDataStrings(ctx.getId(), RecordContext.TYPE_POST_PARSER_CLASSNAME);
            if (strs.size() == 1) {
                Class<?> c = ExtensionFactory.getAddOnLoader().loadClass(strs.get(0));
                if (c == null) {
                    log.error("Failed to load POST parser for context " + ctx.getId() + " : " + strs.get(0));
                } else {
                    ParameterParser parser = (ParameterParser) c.getConstructor().newInstance();
                    strs = this.getContextDataStrings(ctx.getId(), RecordContext.TYPE_POST_PARSER_CONFIG);
                    if (strs.size() == 1) {
                        parser.init(strs.get(0));
                    }
                    parser.setContext(ctx);
                    ctx.setPostParamParser(parser);
                }
            }
        } catch (Exception e) {
            log.error("Failed to load POST parser for context " + ctx.getId(), e);
        }
        try {
            // Set up the Data Driven Nodes
            List<String> strs = this.getContextDataStrings(ctx.getId(), RecordContext.TYPE_DATA_DRIVEN_NODES);
            for (String str : strs) {
                ctx.addDataDrivenNodes(new StructuralNodeModifier(str));
            }
        } catch (Exception e) {
            log.error("Failed to load data driven nodes for context " + ctx.getId(), e);
        }
        ctx.restructureSiteTree();
    }
    if (View.isInitialised()) {
        View.getSingleton().getSiteTreePanel().getTreeSite().setModel(siteTree);
        View.getSingleton().getSiteTreePanel().expandRoot();
    }
    this.refreshScope();
    Stats.clearAll();
    System.gc();
}
Also used : Context(org.zaproxy.zap.model.Context) RecordContext(org.parosproxy.paros.db.RecordContext) StandardParameterParser(org.zaproxy.zap.model.StandardParameterParser) ParameterParser(org.zaproxy.zap.model.ParameterParser) StructuralNodeModifier(org.zaproxy.zap.model.StructuralNodeModifier) RecordContext(org.parosproxy.paros.db.RecordContext) URIException(org.apache.commons.httpclient.URIException) InvalidParameterException(java.security.InvalidParameterException) IllegalContextNameException(org.zaproxy.zap.model.IllegalContextNameException) IOException(java.io.IOException) DatabaseException(org.parosproxy.paros.db.DatabaseException) InvocationTargetException(java.lang.reflect.InvocationTargetException) ConfigurationException(org.apache.commons.configuration.ConfigurationException) Tech(org.zaproxy.zap.model.Tech) ZapXmlConfiguration(org.zaproxy.zap.utils.ZapXmlConfiguration) HttpMessage(org.parosproxy.paros.network.HttpMessage) File(java.io.File)

Example 39 with Context

use of org.zaproxy.zap.model.Context in project zaproxy by zaproxy.

the class Session method importContext.

/**
 * Imports a context from the specified (XML) file.
 *
 * @param file the (XML) file that contains the context data
 * @return the imported {@code Context}, already added to the session.
 * @throws ConfigurationException
 * @throws ClassNotFoundException
 * @throws InstantiationException
 * @throws IllegalAccessException
 * @throws IllegalArgumentException
 * @throws InvocationTargetException
 * @throws NoSuchMethodException
 * @throws SecurityException
 * @throws IllegalContextNameException (since 2.6.0) if context's name is not provided or it's
 *     empty or if a context with the same name already exists.
 */
public Context importContext(File file) throws ConfigurationException, ClassNotFoundException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException, NoSuchMethodException, SecurityException {
    ZapXmlConfiguration config = new ZapXmlConfiguration(file);
    String name = config.getString(Context.CONTEXT_CONFIG_NAME);
    validateContextName(name);
    Context c = createContext(name);
    c.setDescription(config.getString(Context.CONTEXT_CONFIG_DESC));
    c.setInScope(config.getBoolean(Context.CONTEXT_CONFIG_INSCOPE, false));
    for (Object obj : config.getList(Context.CONTEXT_CONFIG_INC_REGEXES)) {
        c.addIncludeInContextRegex(obj.toString());
    }
    for (Object obj : config.getList(Context.CONTEXT_CONFIG_EXC_REGEXES)) {
        c.addExcludeFromContextRegex(obj.toString());
    }
    TechSet techSet = new TechSet();
    for (Object obj : config.getList(Context.CONTEXT_CONFIG_TECH_INCLUDE)) {
        techSet.include(new Tech(obj.toString()));
    }
    for (Object obj : config.getList(Context.CONTEXT_CONFIG_TECH_EXCLUDE)) {
        techSet.exclude(new Tech(obj.toString()));
    }
    c.setTechSet(techSet);
    String urlParserClass = config.getString(Context.CONTEXT_CONFIG_URLPARSER_CLASS);
    if (urlParserClass == null) {
        // Can happen due to a bug in 2.4.0 where it was saved using the wrong name :(
        urlParserClass = config.getString(Context.CONTEXT_CONFIG_URLPARSER);
    }
    if (urlParserClass == null) {
        urlParserClass = StandardParameterParser.class.getCanonicalName();
    }
    Class<?> cl = ExtensionFactory.getAddOnLoader().loadClass(urlParserClass);
    if (cl == null) {
        throw new ConfigurationException("Failed to load URL parser for context " + urlParserClass);
    } else {
        ParameterParser parser = (ParameterParser) cl.getConstructor().newInstance();
        parser.init(config.getString(Context.CONTEXT_CONFIG_URLPARSER_CONFIG));
        parser.setContext(c);
        c.setUrlParamParser(parser);
    }
    String postParserClass = config.getString(Context.CONTEXT_CONFIG_POSTPARSER_CLASS);
    String postParserConfig = config.getString(Context.CONTEXT_CONFIG_POSTPARSER_CONFIG);
    if (postParserClass == null) {
        // Can happen due to a bug in 2.4.0 where it was saved using the wrong name :(
        postParserClass = config.getString(urlParserClass);
        postParserConfig = config.getString(Context.CONTEXT_CONFIG_URLPARSER_CONFIG);
    }
    if (postParserClass == null) {
        postParserClass = StandardParameterParser.class.getCanonicalName();
    }
    cl = ExtensionFactory.getAddOnLoader().loadClass(postParserClass);
    if (cl == null) {
        throw new ConfigurationException("Failed to load POST parser for context " + postParserClass);
    } else {
        ParameterParser parser = (ParameterParser) cl.getConstructor().newInstance();
        parser.init(postParserConfig);
        parser.setContext(c);
        c.setPostParamParser(parser);
    }
    for (Object obj : config.getList(Context.CONTEXT_CONFIG_DATA_DRIVEN_NODES)) {
        c.addDataDrivenNodes(new StructuralNodeModifier(obj.toString()));
    }
    model.importContext(c, config);
    c.restructureSiteTree();
    addContext(c);
    saveContext(c);
    return c;
}
Also used : Context(org.zaproxy.zap.model.Context) RecordContext(org.parosproxy.paros.db.RecordContext) Tech(org.zaproxy.zap.model.Tech) TechSet(org.zaproxy.zap.model.TechSet) StandardParameterParser(org.zaproxy.zap.model.StandardParameterParser) ParameterParser(org.zaproxy.zap.model.ParameterParser) StructuralNodeModifier(org.zaproxy.zap.model.StructuralNodeModifier) ConfigurationException(org.apache.commons.configuration.ConfigurationException) StandardParameterParser(org.zaproxy.zap.model.StandardParameterParser) ZapXmlConfiguration(org.zaproxy.zap.utils.ZapXmlConfiguration)

Example 40 with Context

use of org.zaproxy.zap.model.Context in project zaproxy by zaproxy.

the class ApiUtils method getContextByParamId.

/**
 * Gets the {@link Context} whose id is provided as a parameter with the given name. Throws an
 * exception accordingly if the parameter is missing or invalid, or if no such context exists.
 *
 * @param params the params
 * @param contextIdParamName the context id param name
 * @return the context
 * @throws ApiException the api exception
 */
public static Context getContextByParamId(JSONObject params, String contextIdParamName) throws ApiException {
    int contextId = getIntParam(params, contextIdParamName);
    Context context = Model.getSingleton().getSession().getContext(contextId);
    if (context == null) {
        throw new ApiException(Type.CONTEXT_NOT_FOUND, contextIdParamName);
    }
    return context;
}
Also used : Context(org.zaproxy.zap.model.Context) ApiException(org.zaproxy.zap.extension.api.ApiException)
