
Example 1 with AuthenticationState

use of org.zaproxy.zap.users.AuthenticationState in project zaproxy by zaproxy.

In the class UsersAPI, method handleApiAction.

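/**
 * Handles the user-management API actions: creating and removing users, enabling and
 * renaming them, setting their credentials, authenticating or polling as a user, adjusting
 * the authentication state and adding a cookie to the authenticated session.
 *
 * @param name the action name, one of the {@code ACTION_*} constants
 * @param params the request parameters of the action
 * @return the API response for the action
 * @throws ApiException if the action is unknown, a parameter is missing or invalid, or the
 *     action could not be completed
 */
@Override
public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
    // Only the action name is logged: the params of ACTION_SET_AUTH_CREDENTIALS and
    // ACTION_SET_COOKIE carry credentials and cookie values, which must not be written to the log.
    log.debug("handleApiAction " + name);
    User user;
    Context context;
    switch (name) {
        case ACTION_NEW_USER:
            context = ApiUtils.getContextByParamId(params, PARAM_CONTEXT_ID);
            String userName = ApiUtils.getNonEmptyStringParam(params, PARAM_USER_NAME);
            user = new User(context.getId(), userName);
            // Start with the empty credentials of the context's authentication method; they are
            // filled in later through ACTION_SET_AUTH_CREDENTIALS.
            user.setAuthenticationCredentials(
                    context.getAuthenticationMethod().createAuthenticationCredentials());
            extension.getContextUserAuthManager(context.getId()).addUser(user);
            context.save();
            return new ApiResponseElement(PARAM_USER_ID, String.valueOf(user.getId()));
        case ACTION_REMOVE_USER:
            context = ApiUtils.getContextByParamId(params, PARAM_CONTEXT_ID);
            int userId = ApiUtils.getIntParam(params, PARAM_USER_ID);
            boolean deleted =
                    extension.getContextUserAuthManager(context.getId()).removeUserById(userId);
            if (!deleted) {
                return ApiResponseElement.FAIL;
            }
            context.save();
            return ApiResponseElement.OK;
        case ACTION_SET_ENABLED:
            boolean enabled;
            try {
                enabled = params.getBoolean(PARAM_ENABLED);
            } catch (JSONException e) {
                throw new ApiException(Type.ILLEGAL_PARAMETER, PARAM_ENABLED + " - should be boolean");
            }
            user = getUser(params);
            user.setEnabled(enabled);
            user.getContext().save();
            return ApiResponseElement.OK;
        case ACTION_SET_NAME:
            // Validated the same way as in ACTION_NEW_USER, so a missing or empty name is
            // reported through the helper (presumably as MISSING_PARAMETER, as its use above
            // suggests) rather than surfacing as an unchecked JSONException from getString.
            String newName = ApiUtils.getNonEmptyStringParam(params, PARAM_USER_NAME);
            user = getUser(params);
            user.setName(newName);
            user.getContext().save();
            return ApiResponseElement.OK;
        case ACTION_SET_AUTH_CREDENTIALS:
            // Prepare the params: the credentials config params arrive as one encoded string.
            JSONObject actionParams;
            if (params.has(PARAM_CREDENTIALS_CONFIG_PARAMS)) {
                actionParams = API.getParams(params.getString(PARAM_CREDENTIALS_CONFIG_PARAMS));
            } else {
                actionParams = new JSONObject();
            }
            context = ApiUtils.getContextByParamId(params, PARAM_CONTEXT_ID);
            actionParams.put(PARAM_CONTEXT_ID, context.getId());
            actionParams.put(PARAM_USER_ID, getUserId(params));
            // Run the credentials action registered for the context's authentication method type.
            String authMethodTypeId =
                    context.getAuthenticationMethod().getType().getUniqueIdentifier();
            ApiDynamicActionImplementor credentialsAction =
                    loadedAuthenticationMethodActions.get(authMethodTypeId);
            if (credentialsAction == null) {
                // Report the missing implementor explicitly instead of failing with a
                // NullPointerException on the call below.
                throw new ApiException(
                        Type.INTERNAL_ERROR,
                        "No authentication credentials action for authentication method type "
                                + authMethodTypeId);
            }
            credentialsAction.handleAction(actionParams);
            context.save();
            return ApiResponseElement.OK;
        case ACTION_AUTHENTICATE_AS_USER:
            user = getUser(params);
            int hId1 = user.getAuthenticationState().getLastAuthRequestHistoryId();
            user.authenticate();
            int hId2 = user.getAuthenticationState().getLastAuthRequestHistoryId();
            if (hId2 > hId1) {
                // Not all authentication methods result in an authentication request.
                // In theory we could get a different one if other reqs are being made, but this
                // is probably as safe as we can make it right now
                ExtensionHistory extHistory =
                        Control.getSingleton().getExtensionLoader().getExtension(ExtensionHistory.class);
                if (extHistory != null) {
                    HistoryReference href = extHistory.getHistoryReference(hId2);
                    try {
                        HttpMessage authMsg = href.getHttpMessage();
                        ApiResponseSet<String> responseSet =
                                ApiResponseConversionUtils.httpMessageToSet(hId2, authMsg);
                        responseSet.put(
                                "authSuccessful",
                                Boolean.toString(
                                        user.getContext()
                                                .getAuthenticationMethod()
                                                .evaluateAuthRequest(authMsg, user.getAuthenticationState())));
                        return responseSet;
                    } catch (Exception e) {
                        log.error("Failed to read auth request from db " + hId2, e);
                        throw new ApiException(Type.INTERNAL_ERROR, e);
                    }
                }
            }
            return ApiResponseElement.OK;
        case ACTION_POLL_AS_USER:
            user = getUser(params);
            try {
                HttpMessage msg = user.getContext().getAuthenticationMethod().pollAsUser(user);
                // -1 marks a poll message that was not persisted to the history.
                int pollHistoryId = -1;
                if (msg.getHistoryRef() != null) {
                    pollHistoryId = msg.getHistoryRef().getHistoryId();
                }
                ApiResponseSet<String> responseSet =
                        ApiResponseConversionUtils.httpMessageToSet(pollHistoryId, msg);
                responseSet.put(
                        "pollSuccessful",
                        Boolean.toString(
                                user.getContext()
                                        .getAuthenticationMethod()
                                        .evaluateAuthRequest(msg, user.getAuthenticationState())));
                return responseSet;
            } catch (IllegalArgumentException e) {
                throw new ApiException(Type.ILLEGAL_PARAMETER, PARAM_CONTEXT_ID);
            } catch (IOException e) {
                throw new ApiException(Type.INTERNAL_ERROR, e);
            }
        case ACTION_SET_AUTH_STATE:
            user = getUser(params);
            AuthenticationState state = user.getAuthenticationState();
            // Each of the three state fields is optional; only the ones supplied are changed.
            String lastPollResultStr = this.getParam(params, PARAM_LAST_POLL_RESULT, "");
            if (StringUtils.isNotBlank(lastPollResultStr)) {
                try {
                    // Boolean.parseBoolean never throws: anything other than "true" (ignoring
                    // case) is treated as false.
                    state.setLastPollResult(Boolean.parseBoolean(lastPollResultStr));
                } catch (Exception e) {
                    throw new ApiException(Type.ILLEGAL_PARAMETER, PARAM_LAST_POLL_RESULT);
                }
            }
            String lastPollTimeStr = this.getParam(params, PARAM_LAST_POLL_TIME_IN_MS, "");
            if (StringUtils.isNotBlank(lastPollTimeStr)) {
                try {
                    long lastPollTime;
                    if (lastPollTimeStr.equals(TIME_NOW)) {
                        lastPollTime = System.currentTimeMillis();
                    } else {
                        lastPollTime = Long.parseLong(lastPollTimeStr);
                    }
                    state.setLastPollTime(lastPollTime);
                } catch (Exception e) {
                    throw new ApiException(Type.ILLEGAL_PARAMETER, PARAM_LAST_POLL_TIME_IN_MS);
                }
            }
            int reqsSinceLastPoll = this.getParam(params, PARAM_REQUESTS_SINCE_LAST_POLL, -1);
            if (reqsSinceLastPoll >= 0) {
                state.setRequestsSincePoll(reqsSinceLastPoll);
            }
            return ApiResponseElement.OK;
        case ACTION_SET_COOKIE:
            user = getUser(params);
            if (user.getAuthenticatedSession() == null) {
                user.setAuthenticatedSession(
                        user.getContext().getSessionManagementMethod().createEmptyWebSession());
            }
            // An empty path is passed as null so the cookie is not restricted to the "" path.
            String cookiePath = this.getParam(params, PARAM_COOKIE_PATH, "");
            if (cookiePath.isEmpty()) {
                cookiePath = null;
            }
            // The expiry is left null on purpose: setting it to a valid date meant the cookie
            // never got returned.
            Cookie cookie =
                    new Cookie(
                            params.getString(PARAM_COOKIE_DOMAIN),
                            params.getString(PARAM_COOKIE_NAME),
                            params.getString(PARAM_COOKIE_VALUE),
                            cookiePath,
                            null,
                            this.getParam(params, PARAM_COOKIE_SECURE, false));
            user.getAuthenticatedSession().getHttpState().addCookie(cookie);
            return ApiResponseElement.OK;
        default:
            throw new ApiException(Type.BAD_ACTION);
    }
}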

Example 2 with AuthenticationState

use of org.zaproxy.zap.users.AuthenticationState in project zaproxy by zaproxy.

In the class JsonBasedAuthenticationMethodTypeUnitTest, method shouldNotUrlEncodeUsernameInPollRequestBody.

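/**
 * Checks that the username substituted into a JSON poll request body is sent verbatim
 * (the space in "user name" is not URL-encoded), by capturing the body the poll endpoint receives.
 */
@Test
void shouldNotUrlEncodeUsernameInPollRequestBody() throws NullPointerException, IOException {
    // Given
    String test = "/shouldEncodeSpacesInBody/test";
    String pollUrl = "/shouldEncodeSpacesInBody/pollUrl";
    String pollData = "{ \"user\": \"" + PostBasedAuthenticationMethod.MSG_USER_PATTERN + "\" }";
    String username = "user name";
    // Bodies received by the poll endpoint, in request order.
    final List<String> orderedReqData = new ArrayList<>();
    this.nano.addHandler(new NanoServerHandler(pollUrl) {

        @Override
        protected Response serve(IHTTPSession session) {
            HashMap<String, String> map = new HashMap<>();
            try {
                session.parseBody(map);
                orderedReqData.add(map.get("postData"));
            } catch (Exception e) {
                // Record the failure instead of swallowing it, so the assertions below report
                // why the expected body is missing rather than just a wrong count.
                orderedReqData.add("parseBody failed: " + e);
            }
            return newFixedLengthResponse(LOGGED_IN_BODY);
        }
    });
    HttpMessage testMsg = this.getHttpMessage(test);
    HttpMessage pollMsg = this.getHttpMessage(pollUrl);
    method.setPollUrl(pollMsg.getRequestHeader().getURI().toString());
    method.setPollData(pollData);
    User user = mock(User.class);
    given(user.getAuthenticationState()).willReturn(new AuthenticationState());
    given(user.getAuthenticationCredentials())
            .willReturn(new UsernamePasswordAuthenticationCredentials(username, ""));
    // When/Then
    assertThat(method.isAuthenticated(testMsg, user), is(true));
    assertThat(orderedReqData.size(), is(1));
    assertThat(
            orderedReqData.get(0),
            is(pollData.replace(PostBasedAuthenticationMethod.MSG_USER_PATTERN, username)));
}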

Example 3 with AuthenticationState

use of org.zaproxy.zap.users.AuthenticationState in project zaproxy by zaproxy.

In the class FormBasedAuthenticationMethodTypeUnitTest, method shouldUrlEncodeUsernameInPollRequestBody.

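/**
 * Checks that the username substituted into a form poll request body is URL-encoded
 * (the space in "user name" is encoded), by capturing the body the poll endpoint receives.
 */
@Test
void shouldUrlEncodeUsernameInPollRequestBody() throws NullPointerException, IOException {
    // Given
    String test = "/shouldEncodeSpacesInBody/test";
    String pollUrl = "/shouldEncodeSpacesInBody/pollUrl";
    String pollData = "user=" + PostBasedAuthenticationMethod.MSG_USER_PATTERN;
    String username = "user name";
    // Bodies received by the poll endpoint, in request order.
    final List<String> orderedReqData = new ArrayList<>();
    this.nano.addHandler(new NanoServerHandler(pollUrl) {

        @Override
        protected Response serve(IHTTPSession session) {
            HashMap<String, String> map = new HashMap<>();
            try {
                session.parseBody(map);
                orderedReqData.add(map.get("postData"));
            } catch (Exception e) {
                // Record the failure instead of swallowing it, so the assertions below report
                // why the expected body is missing rather than just a wrong count.
                orderedReqData.add("parseBody failed: " + e);
            }
            return newFixedLengthResponse(LOGGED_IN_BODY);
        }
    });
    HttpMessage testMsg = this.getHttpMessage(test);
    HttpMessage pollMsg = this.getHttpMessage(pollUrl);
    method.setPollUrl(pollMsg.getRequestHeader().getURI().toString());
    method.setPollData(pollData);
    User user = mock(User.class);
    given(user.getAuthenticationState()).willReturn(new AuthenticationState());
    given(user.getAuthenticationCredentials())
            .willReturn(new UsernamePasswordAuthenticationCredentials(username, ""));
    // When/Then
    assertThat(method.isAuthenticated(testMsg, user), is(true));
    assertThat(orderedReqData.size(), is(1));
    assertThat(
            orderedReqData.get(0),
            is(
                    pollData.replace(
                            PostBasedAuthenticationMethod.MSG_USER_PATTERN,
                            URLEncoder.encode(username, StandardCharsets.UTF_8.name()))));
}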

Example 4 with AuthenticationState

use of org.zaproxy.zap.users.AuthenticationState in project zaproxy by zaproxy.

In the class AuthenticationMethodIndicatorsUnitTest, method shouldIdentifyLoggedInResponseHeaderWhenLoggedOutIndicatorIsSet.

/**
 * With only the logged-out indicator configured and a login response header carrying the
 * logged-in indicator, the user is reported as authenticated.
 */
@Test
void shouldIdentifyLoggedInResponseHeaderWhenLoggedOutIndicatorIsSet() {
    // Given: a mocked user with a fresh authentication state ...
    User mockedUser = mock(User.class);
    given(mockedUser.getAuthenticationState()).willReturn(new AuthenticationState());
    // ... a method that only knows the logged-out indicator, and a response header holding
    // the logged-in indicator.
    method.setLoggedOutIndicatorPattern(LOGGED_OUT_INDICATOR);
    loginMessage.getResponseHeader().addHeader("test", LOGGED_IN_INDICATOR);
    // When
    boolean authenticated = method.isAuthenticated(loginMessage, mockedUser);
    // Then
    assertThat(authenticated, is(true));
}

Example 5 with AuthenticationState

use of org.zaproxy.zap.users.AuthenticationState in project zaproxy by zaproxy.

In the class AuthenticationMethodIndicatorsUnitTest, method shouldIdentifyLoggedOutResponseBodyWhenLoggedInIndicatorIsSet.

/**
 * With only the logged-in indicator configured and a login response body holding the
 * logged-out body, the user is reported as not authenticated.
 */
@Test
void shouldIdentifyLoggedOutResponseBodyWhenLoggedInIndicatorIsSet() {
    // Given: a mocked user with a fresh authentication state ...
    User mockedUser = mock(User.class);
    given(mockedUser.getAuthenticationState()).willReturn(new AuthenticationState());
    // ... a method that only knows the logged-in indicator, and a response body that is the
    // logged-out body.
    method.setLoggedInIndicatorPattern(LOGGED_IN_INDICATOR);
    loginMessage.setResponseBody(LOGGED_OUT_BODY);
    // When
    boolean authenticated = method.isAuthenticated(loginMessage, mockedUser);
    // Then
    assertThat(authenticated, is(false));
}
