
Example 16 with AuthenticationState

Use of org.zaproxy.zap.users.AuthenticationState in project zaproxy by zaproxy.

From the class AuthenticationMethodIndicatorsUnitTest, method shouldIdentifyLoggedOutRequestBodyWhenLoggedOutIndicatorIsSet.

@Test
void shouldIdentifyLoggedOutRequestBodyWhenLoggedOutIndicatorIsSet() {
    // Given: a user with a fresh authentication state, and a method that checks every
    // request against a logged-out indicator
    User mockedUser = mock(User.class);
    given(mockedUser.getAuthenticationState()).willReturn(new AuthenticationState());
    method.setLoggedOutIndicatorPattern(LOGGED_OUT_INDICATOR);
    method.setAuthCheckingStrategy(AuthCheckingStrategy.EACH_REQ);
    loginMessage.setRequestBody(LOGGED_OUT_BODY);
    // When
    boolean authenticated = method.isAuthenticated(loginMessage, mockedUser);
    // Then: the logged-out indicator in the request body means "not authenticated"
    assertThat(authenticated, is(false));
}
Also used : User(org.zaproxy.zap.users.User) AuthenticationState(org.zaproxy.zap.users.AuthenticationState) Test(org.junit.jupiter.api.Test)

Example 17 with AuthenticationState

Use of org.zaproxy.zap.users.AuthenticationState in project zaproxy by zaproxy.

From the class AuthenticationMethodPollUrlUnitTest, method shouldPollOnFirstRequest.

@Test
void shouldPollOnFirstRequest() throws NullPointerException, IOException {
    // Given: a user whose authentication state has never been polled
    User pollingUser = mock(User.class);
    given(pollingUser.getAuthenticationState()).willReturn(new AuthenticationState());
    String testPath = "/shouldPollOnFirstRequest/test";
    String pollPath = "/shouldPollOnFirstRequest/pollUrl";
    // Records, in order, every URI that reaches the poll endpoint
    final List<String> receivedUris = new ArrayList<>();
    this.nano.addHandler(new NanoServerHandler(pollPath) {

        @Override
        protected Response serve(IHTTPSession session) {
            receivedUris.add(session.getUri());
            return newFixedLengthResponse(LOGGED_IN_BODY);
        }
    });
    HttpMessage testMsg = this.getHttpMessage(testPath);
    HttpMessage pollMsg = this.getHttpMessage(pollPath);
    method.setAuthCheckingStrategy(AuthCheckingStrategy.POLL_URL);
    method.setPollUrl(pollMsg.getRequestHeader().getURI().toString());
    method.setPollFrequencyUnits(AuthPollFrequencyUnits.REQUESTS);
    method.setPollFrequency(5);
    method.setLoggedInIndicatorPattern(LOGGED_IN_INDICATOR);
    // When
    boolean authenticated = method.isAuthenticated(testMsg, pollingUser);
    // Then: the very first check polls the poll URL exactly once and reports logged in
    assertThat(authenticated, is(true));
    assertThat(receivedUris.size(), is(1));
    assertThat(receivedUris.get(0), is(pollPath));
}
Also used : Response(fi.iki.elonen.NanoHTTPD.Response) NanoHTTPD.newFixedLengthResponse(fi.iki.elonen.NanoHTTPD.newFixedLengthResponse) User(org.zaproxy.zap.users.User) NanoServerHandler(org.zaproxy.zap.testutils.NanoServerHandler) ArrayList(java.util.ArrayList) IHTTPSession(fi.iki.elonen.NanoHTTPD.IHTTPSession) HttpMessage(org.parosproxy.paros.network.HttpMessage) AuthenticationState(org.zaproxy.zap.users.AuthenticationState) Test(org.junit.jupiter.api.Test)

Example 18 with AuthenticationState

Use of org.zaproxy.zap.users.AuthenticationState in project zaproxy by zaproxy.

From the class AuthenticationMethodPollUrlUnitTest, method shouldPollWhenForced.

@Test
void shouldPollWhenForced() throws NullPointerException, IOException {
    // Given
    String testPath = "/shouldPollWhenForced/test";
    String pollPath = "/shouldPollWhenForced/pollUrl";
    // Records, in order, every URI that reaches the poll endpoint
    final List<String> receivedUris = new ArrayList<>();
    User pollingUser = mock(User.class);
    given(pollingUser.getAuthenticationState()).willReturn(new AuthenticationState());
    this.nano.addHandler(new NanoServerHandler(pollPath) {

        @Override
        protected Response serve(IHTTPSession session) {
            receivedUris.add(session.getUri());
            return newFixedLengthResponse(LOGGED_IN_BODY);
        }
    });
    HttpMessage testMsg = this.getHttpMessage(testPath);
    HttpMessage pollMsg = this.getHttpMessage(pollPath);
    method.setAuthCheckingStrategy(AuthCheckingStrategy.POLL_URL);
    method.setPollUrl(pollMsg.getRequestHeader().getURI().toString());
    method.setPollFrequencyUnits(AuthPollFrequencyUnits.REQUESTS);
    // Far more requests than this test issues, so only a negative poll result can trigger a re-poll
    method.setPollFrequency(500);
    method.setLoggedInIndicatorPattern(LOGGED_IN_INDICATOR);
    // When/Then: the first check polls once
    assertThat(method.isAuthenticated(testMsg, pollingUser), is(true));
    assertThat(receivedUris.size(), is(1));
    // Further checks within the poll frequency reuse the positive result without a new poll
    for (int repeat = 0; repeat < 6; repeat++) {
        assertThat(method.isAuthenticated(testMsg, pollingUser), is(true));
    }
    assertThat(receivedUris.size(), is(1));
    // A negative last poll result makes the next check poll again
    pollingUser.getAuthenticationState().setLastPollResult(false);
    assertThat(method.isAuthenticated(testMsg, pollingUser), is(true));
    assertThat(receivedUris.size(), is(2));
    assertThat(receivedUris.get(0), is(pollPath));
    assertThat(receivedUris.get(1), is(pollPath));
}
Also used : Response(fi.iki.elonen.NanoHTTPD.Response) NanoHTTPD.newFixedLengthResponse(fi.iki.elonen.NanoHTTPD.newFixedLengthResponse) User(org.zaproxy.zap.users.User) NanoServerHandler(org.zaproxy.zap.testutils.NanoServerHandler) ArrayList(java.util.ArrayList) IHTTPSession(fi.iki.elonen.NanoHTTPD.IHTTPSession) HttpMessage(org.parosproxy.paros.network.HttpMessage) AuthenticationState(org.zaproxy.zap.users.AuthenticationState) Test(org.junit.jupiter.api.Test)

Example 19 with AuthenticationState

Use of org.zaproxy.zap.users.AuthenticationState in project zaproxy by zaproxy.

From the class AuthenticationMethodPollUrlUnitTest, method shouldPollEveryFailingRequest.

@Test
void shouldPollEveryFailingRequest() throws NullPointerException, IOException {
    // Given: a poll endpoint whose empty body never matches the logged-in indicator
    User pollingUser = mock(User.class);
    given(pollingUser.getAuthenticationState()).willReturn(new AuthenticationState());
    String testPath = "/shouldPollEveryFailingRequest/test";
    String pollPath = "/shouldPollEveryFailingRequest/pollUrl";
    final List<String> receivedUris = new ArrayList<>();
    this.nano.addHandler(new NanoServerHandler(pollPath) {

        @Override
        protected Response serve(IHTTPSession session) {
            receivedUris.add(session.getUri());
            return newFixedLengthResponse("");
        }
    });
    HttpMessage testMsg = this.getHttpMessage(testPath);
    HttpMessage pollMsg = this.getHttpMessage(pollPath);
    method.setAuthCheckingStrategy(AuthCheckingStrategy.POLL_URL);
    method.setPollUrl(pollMsg.getRequestHeader().getURI().toString());
    method.setPollFrequencyUnits(AuthPollFrequencyUnits.REQUESTS);
    method.setPollFrequency(5);
    method.setLoggedInIndicatorPattern(LOGGED_IN_INDICATOR);
    // When/Then: a negative poll result is never cached, so each check polls the server again
    for (int expectedPolls = 1; expectedPolls <= 4; expectedPolls++) {
        assertThat(method.isAuthenticated(testMsg, pollingUser), is(false));
        assertThat(receivedUris.size(), is(expectedPolls));
    }
}
Also used : Response(fi.iki.elonen.NanoHTTPD.Response) NanoHTTPD.newFixedLengthResponse(fi.iki.elonen.NanoHTTPD.newFixedLengthResponse) User(org.zaproxy.zap.users.User) NanoServerHandler(org.zaproxy.zap.testutils.NanoServerHandler) ArrayList(java.util.ArrayList) IHTTPSession(fi.iki.elonen.NanoHTTPD.IHTTPSession) HttpMessage(org.parosproxy.paros.network.HttpMessage) AuthenticationState(org.zaproxy.zap.users.AuthenticationState) Test(org.junit.jupiter.api.Test)

Example 20 with AuthenticationState

Use of org.zaproxy.zap.users.AuthenticationState in project zaproxy by zaproxy.

From the class AuthenticationMethod, method isAuthenticated.

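/**
 * Checks if the response received by the Http Message corresponds to an authenticated Web
 * Session.
 *
 * <p>If none of the indicators are set up, the method defaults to returning true, so that no
 * authentications are tried when there is no way to check authentication. A message is also
 * shown on the output console in this case.
 *
 * <p>With the {@code POLL_URL} strategy a positive result of the last poll is reused, without
 * contacting the poll URL, until the configured poll frequency (seconds or requests) is
 * exhausted, unless {@code force} is set. A poll request that fails to be sent is reported as
 * not authenticated rather than falling back to the cached result.
 *
 * @param msg the http message
 * @param user the user whose {@link AuthenticationState} is consulted (and, for request-based
 *     polling, updated)
 * @param force always check even if the polling strategy is being used
 * @return true, if is authenticated or no indicators have been set, and false otherwise
 */
public boolean isAuthenticated(HttpMessage msg, User user, boolean force) {
    if (msg == null || user == null) {
        return false;
    }
    AuthenticationState authState = user.getAuthenticationState();
    // Assume logged in if nothing was set up
    if (loggedInIndicatorPattern == null && loggedOutIndicatorPattern == null) {
        incAuthStateCounter(msg, AUTH_STATE_NO_INDICATOR_STATS);
        if (View.isInitialised()) {
            // Let the user know this
            View.getSingleton().getOutputPanel().append(Constant.messages.getString("authentication.output.indicatorsNotSet", msg.getRequestHeader().getURI()) + "\n");
        }
        return true;
    }
    HttpMessage msgToTest;
    switch (this.authCheckingStrategy) {
        case EACH_REQ:
        case EACH_REQ_RESP:
        case EACH_RESP:
            msgToTest = msg;
            break;
        case POLL_URL:
            // Only a positive last poll result may be reused; a negative or absent one always re-polls
            if (!force && authState.getLastPollResult() != null && authState.getLastPollResult()) {
                // Check if we really need to poll the relevant URL again
                if (isLastPollResultStillFresh(msg, authState)) {
                    return true;
                }
            }
            // Make the poll request
            try {
                msgToTest = pollAsUser(user);
            } catch (Exception e1) {
                // Fail closed: an unreachable poll URL must not be mistaken for a valid session
                LOGGER.warn("Failed sending poll request to " + this.getPollUrl(), e1);
                return false;
            }
            break;
        default:
            return false;
    }
    return evaluateAuthRequest(msgToTest, authState);
}

/**
 * Tells whether the last (positive) poll result is still within the configured poll frequency
 * and can be reused instead of polling again.
 *
 * <p>Records the "assumed logged in" statistic whenever the cached result is reused; with
 * {@code REQUESTS} units it also counts this message against the requests-since-poll budget.
 *
 * @param msg the message being checked, used only for the per-host statistic
 * @param authState the authentication state holding the last poll time and request counter
 * @return true if the poll can be skipped for this message, false if a new poll is due
 */
private boolean isLastPollResultStillFresh(HttpMessage msg, AuthenticationState authState) {
    switch (pollFrequencyUnits) {
        case SECONDS:
            if ((System.currentTimeMillis() - authState.getLastPollTime()) / 1000 < pollFrequency) {
                incAuthStateCounter(msg, AUTH_STATE_ASSUMED_IN_STATS);
                return true;
            }
            return false;
        case REQUESTS:
        default:
            if (authState.getRequestsSincePoll() < pollFrequency) {
                authState.incRequestsSincePoll();
                incAuthStateCounter(msg, AUTH_STATE_ASSUMED_IN_STATS);
                return true;
            }
            return false;
    }
}

/**
 * Increments the given authentication-state statistic for the host of {@code msg}.
 *
 * <p>Statistics are best-effort: a host name that cannot be extracted from the request URI is
 * ignored and never influences the authentication decision.
 *
 * @param msg the message whose host the statistic is recorded against
 * @param key the statistic key
 */
private static void incAuthStateCounter(HttpMessage msg, String key) {
    try {
        Stats.incCounter(SessionStructure.getHostName(msg), key);
    } catch (URIException e) {
        // Ignore
    }
}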
Also used : URIException(org.apache.commons.httpclient.URIException) HttpMessage(org.parosproxy.paros.network.HttpMessage) URIException(org.apache.commons.httpclient.URIException) IOException(java.io.IOException) AuthenticationState(org.zaproxy.zap.users.AuthenticationState)
