Merge pull request #3622 from mercedes-benz/feature-3611-webscan-temp…

…late-login Feature 3611 zap wrapper webscan template login
mercedes-benz · Nov 27, 2024 · 639d9f5 · 639d9f5
2 parents 00c53a7 + 024e09e
commit 639d9f5
Show file tree

Hide file tree

Showing 56 changed files with 2,486 additions and 1,239 deletions.
diff --git a/gradle/libraries.gradle b/gradle/libraries.gradle
@@ -87,6 +87,9 @@ ext {
       /* Owasp Zap wrapper */
       owaspzap_client_api:                     "1.14.0",
       jcommander:                              "1.82",
+      selenium_firefox_driver:                 "4.26.0",
+      selenium_support:                        "4.26.0",
+      groovy_jsr223:                           "4.0.24",
 
       thymeleaf_extras_springsecurity5:        "3.1.2.RELEASE",
 
@@ -195,6 +198,11 @@ ext {
 
         jcommander:                            "com.beust:jcommander:${libraryVersion.jcommander}",
 
+        selenium_firefox_driver:               "org.seleniumhq.selenium:selenium-firefox-driver:${libraryVersion.selenium_firefox_driver}",
+        selenium_support:                      "org.seleniumhq.selenium:selenium-support:${libraryVersion.selenium_support}",
+
+        groovy_jsr223:                         "org.apache.groovy:groovy-jsr223:${libraryVersion.groovy_jsr223}",
+
         /*
          * Needed for Spring Boot WebFlux CSRF protection - see: https://stackoverflow.com/a/53305169
          */

diff --git a/...in/java/com/mercedesbenz/sechub/commons/model/login/TestWebLoginConfigurationBuilder.java b/...in/java/com/mercedesbenz/sechub/commons/model/login/TestWebLoginConfigurationBuilder.java
@@ -41,12 +41,14 @@ public ScriptPageEntryBuilder formScripted(String user, String login) {
         return builder;
     }
 
-    public TestWebLoginConfigurationBuilder totp(String seed, int validityInSeconds, TOTPHashAlgorithm hashAlgorithm, int tokenLength) {
+    public TestWebLoginConfigurationBuilder totp(String seed, int validityInSeconds, TOTPHashAlgorithm hashAlgorithm, int tokenLength,
+            EncodingType encodingType) {
         WebLoginTOTPConfiguration totp = new WebLoginTOTPConfiguration();
         totp.setSeed(seed);
         totp.setValidityInSeconds(validityInSeconds);
         totp.setHashAlgorithm(hashAlgorithm);
         totp.setTokenLength(tokenLength);
+        totp.setEncodingType(encodingType);
         loginConfig.setTotp(totp);
 
         return this;

diff --git a/...commons-model/src/main/java/com/mercedesbenz/sechub/commons/model/login/EncodingType.java b/...commons-model/src/main/java/com/mercedesbenz/sechub/commons/model/login/EncodingType.java
@@ -0,0 +1,27 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.commons.model.login;
+
+import static com.fasterxml.jackson.annotation.JsonFormat.Feature.*;
+
+import com.fasterxml.jackson.annotation.JsonFormat;
+
+public enum EncodingType {
+
+    @JsonFormat(with = ACCEPT_CASE_INSENSITIVE_PROPERTIES)
+    AUTODETECT,
+
+    @JsonFormat(with = ACCEPT_CASE_INSENSITIVE_PROPERTIES)
+    HEX,
+
+    @JsonFormat(with = ACCEPT_CASE_INSENSITIVE_PROPERTIES)
+    BASE32,
+
+    @JsonFormat(with = ACCEPT_CASE_INSENSITIVE_PROPERTIES)
+    BASE64,
+
+    @JsonFormat(with = ACCEPT_CASE_INSENSITIVE_PROPERTIES)
+    PLAIN,
+
+    ;
+
+}
diff --git a/.../src/main/java/com/mercedesbenz/sechub/commons/model/login/WebLoginTOTPConfiguration.java b/.../src/main/java/com/mercedesbenz/sechub/commons/model/login/WebLoginTOTPConfiguration.java
@@ -13,20 +13,24 @@ public class WebLoginTOTPConfiguration {
     public static final String PROPERTY_VALIDITY_IN_SECONDS = "validityInSeconds";
     public static final String PROPERTY_TOKEN_LENGTH = "tokenLength";
     public static final String PROPERTY_HASH_ALGORITHM = "hashAlgorithm";
+    public static final String PROPERTY_ENCODING_TYPE = "encodingType";
 
     public static final int DEFAULT_VALIDITY_IN_SECONDS = 30;
     public static final int DEFAULT_TOKEN_LENGTH = 6;
     public static final TOTPHashAlgorithm DEFAULT_HASH_ALGORITHM = TOTPHashAlgorithm.HMAC_SHA1;
+    public static final EncodingType DEFAULT_ENCODING_TYPE = EncodingType.AUTODETECT;
 
     private SealedObject seed;
     private int validityInSeconds;
     private int tokenLength;
     private TOTPHashAlgorithm hashAlgorithm;
+    private EncodingType encodingType;
 
     public WebLoginTOTPConfiguration() {
         this.validityInSeconds = DEFAULT_VALIDITY_IN_SECONDS;
         this.tokenLength = DEFAULT_TOKEN_LENGTH;
         this.hashAlgorithm = DEFAULT_HASH_ALGORITHM;
+        this.encodingType = DEFAULT_ENCODING_TYPE;
     }
 
     public String getSeed() {
@@ -61,4 +65,12 @@ public void setHashAlgorithm(TOTPHashAlgorithm hashAlgorithm) {
         this.hashAlgorithm = hashAlgorithm;
     }
 
+    public EncodingType getEncodingType() {
+        return encodingType;
+    }
+
+    public void setEncodingType(EncodingType encodingType) {
+        this.encodingType = encodingType;
+    }
+
 }
diff --git a/.../test/java/com/mercedesbenz/sechub/commons/model/login/WebLoginTOTPConfigurationTest.java b/.../test/java/com/mercedesbenz/sechub/commons/model/login/WebLoginTOTPConfigurationTest.java
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: MIT
 package com.mercedesbenz.sechub.commons.model.login;
 
-import static org.junit.jupiter.api.Assertions.*;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 import org.junit.jupiter.api.Test;
 
@@ -19,6 +19,7 @@ void default_values_are_as_expected() {
         assertEquals(WebLoginTOTPConfiguration.DEFAULT_VALIDITY_IN_SECONDS, defaultConfig.getValidityInSeconds());
         assertEquals(WebLoginTOTPConfiguration.DEFAULT_TOKEN_LENGTH, defaultConfig.getTokenLength());
         assertEquals(WebLoginTOTPConfiguration.DEFAULT_HASH_ALGORITHM, defaultConfig.getHashAlgorithm());
+        assertEquals(WebLoginTOTPConfiguration.DEFAULT_ENCODING_TYPE, defaultConfig.getEncodingType());
     }
 
     @Test
@@ -35,6 +36,7 @@ void default_values_are_used_correctly_during_json_serialization_and_deserializa
         assertEquals(config.getValidityInSeconds(), expectedConfig.getValidityInSeconds());
         assertEquals(config.getTokenLength(), expectedConfig.getTokenLength());
         assertEquals(config.getHashAlgorithm(), expectedConfig.getHashAlgorithm());
+        assertEquals(config.getEncodingType(), expectedConfig.getEncodingType());
     }
 
     @Test
@@ -45,6 +47,7 @@ void custom_values_are_used_correctly_during_json_serialization_and_deserializat
         expectedConfig.setValidityInSeconds(45);
         expectedConfig.setTokenLength(9);
         expectedConfig.setHashAlgorithm(TOTPHashAlgorithm.HMAC_SHA512);
+        expectedConfig.setEncodingType(EncodingType.BASE64);
 
         /* execute */
         String json = JSONConverter.get().toJSON(expectedConfig);
@@ -55,6 +58,7 @@ void custom_values_are_used_correctly_during_json_serialization_and_deserializat
         assertEquals(config.getValidityInSeconds(), expectedConfig.getValidityInSeconds());
         assertEquals(config.getTokenLength(), expectedConfig.getTokenLength());
         assertEquals(config.getHashAlgorithm(), expectedConfig.getHashAlgorithm());
+        assertEquals(config.getEncodingType(), expectedConfig.getEncodingType());
     }
 
 }
diff --git a/sechub-doc/build.gradle b/sechub-doc/build.gradle
@@ -17,6 +17,7 @@ dependencies {
         'sechub-pds-tools', /* only pds tooling + avoid cycles */
         'sechub-api-java', /* the api project needs sechub-doc tests (and compile) for open api json files. So we may not have this as relation! */
         'sechub-systemtest', /* avoid cyclic dependency, see AdoptedSystemTestDefaultFallbacks javadoc for more information */
+        'sechub-wrapper-owasp-zap',
 
         ]
     /* fetch all sub projects, except unwanted and all only used for testing */

diff --git a/sechub-doc/src/docs/asciidoc/documents/shared/configuration/sechub_config.adoc b/sechub-doc/src/docs/asciidoc/documents/shared/configuration/sechub_config.adoc
@@ -328,6 +328,15 @@ The currently available hash algorithms are:
 - `HMAC_SHA1`
 - `HMAC_SHA256`
 - `HMAC_SHA512`
+<6> The `encodingType` is an __optional__ field, representing the encoding of the __mandatory__ field `seed`.
+{sechub} has a default configured if nothing is specified or the encoding type is not known.
+The default value is `AUTODETECT` where {sechub} tries to detect the encoding of one of the four other available types.
+ The currently available encoding types for `seed` are, which are treated case-insensitive:
+- `BASE64`
+- `BASE32`
+- `HEX`
+- `PLAIN`
+- `AUTODETECT`
 
 [[sechub-config-example-webscan-openapi]]
 ====== Example OpenAPI scan

diff --git a/.../documents/shared/configuration/sechub_config_example21_webscan_login_form_with_totp.json b/.../documents/shared/configuration/sechub_config_example21_webscan_login_form_with_totp.json
@@ -27,7 +27,8 @@
         "seed" : "example-seed", //<2>
         "validityInSeconds" : 60, //<3>
         "tokenLength" : 8, //<4>
-        "hashAlgorithm" : "HMAC_SHA256" //<5>
+        "hashAlgorithm" : "HMAC_SHA256", //<5>
+        "encodingType" : "base64" //<6>
       }
     }
   }

diff --git a/sechub-doc/src/test/java/com/mercedesbenz/sechub/ExampleFilesValidTest.java b/sechub-doc/src/test/java/com/mercedesbenz/sechub/ExampleFilesValidTest.java
@@ -307,6 +307,7 @@ void webscan_form_based_script_auth_with_totp_can_be_read_and_contains_expected_
         assertEquals(60, totp.getValidityInSeconds());
         assertEquals(8, totp.getTokenLength());
         assertEquals(TOTPHashAlgorithm.HMAC_SHA256, totp.getHashAlgorithm());
+        assertEquals(EncodingType.BASE64, totp.getEncodingType());
     }
 
     private void assertDefaultValue(PDSProductSetup setup, boolean isMandatory, String parameterKey, String expectedDefault) {

diff --git a/...doc/src/test/java/com/mercedesbenz/sechub/restdoc/SchedulerRestControllerRestDocTest.java b/...doc/src/test/java/com/mercedesbenz/sechub/restdoc/SchedulerRestControllerRestDocTest.java
@@ -3,17 +3,17 @@
 
 import static com.mercedesbenz.sechub.commons.core.CommonConstants.*;
 import static com.mercedesbenz.sechub.commons.model.SecHubConfigurationModel.*;
-import static com.mercedesbenz.sechub.commons.model.TestSecHubConfigurationBuilder.*;
-import static com.mercedesbenz.sechub.restdoc.RestDocumentation.*;
+import static com.mercedesbenz.sechub.commons.model.TestSecHubConfigurationBuilder.configureSecHub;
+import static com.mercedesbenz.sechub.restdoc.RestDocumentation.defineRestService;
 import static com.mercedesbenz.sechub.test.RestDocPathParameter.*;
-import static com.mercedesbenz.sechub.test.SecHubTestURLBuilder.*;
+import static com.mercedesbenz.sechub.test.SecHubTestURLBuilder.https;
 import static org.mockito.ArgumentMatchers.*;
 import static org.mockito.Mockito.*;
 import static org.springframework.restdocs.headers.HeaderDocumentation.*;
 import static org.springframework.restdocs.mockmvc.RestDocumentationRequestBuilders.*;
 import static org.springframework.restdocs.payload.PayloadDocumentation.*;
 import static org.springframework.restdocs.request.RequestDocumentation.*;
-import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.*;
+import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
 
 import java.io.InputStream;
@@ -42,57 +42,24 @@
 import org.springframework.util.StringUtils;
 
 import com.mercedesbenz.sechub.commons.core.CommonConstants;
-import com.mercedesbenz.sechub.commons.model.ClientCertificateConfiguration;
-import com.mercedesbenz.sechub.commons.model.HTTPHeaderConfiguration;
-import com.mercedesbenz.sechub.commons.model.SecHubCodeScanConfiguration;
-import com.mercedesbenz.sechub.commons.model.SecHubConfigurationMetaData;
-import com.mercedesbenz.sechub.commons.model.SecHubDataConfiguration;
-import com.mercedesbenz.sechub.commons.model.SecHubDataConfigurationUsageByName;
-import com.mercedesbenz.sechub.commons.model.SecHubFileSystemConfiguration;
-import com.mercedesbenz.sechub.commons.model.SecHubInfrastructureScanConfiguration;
-import com.mercedesbenz.sechub.commons.model.SecHubSourceDataConfiguration;
-import com.mercedesbenz.sechub.commons.model.SecHubTimeUnit;
-import com.mercedesbenz.sechub.commons.model.SecHubWebScanApiConfiguration;
-import com.mercedesbenz.sechub.commons.model.SecHubWebScanApiType;
-import com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration;
-import com.mercedesbenz.sechub.commons.model.TrafficLight;
-import com.mercedesbenz.sechub.commons.model.WebScanDurationConfiguration;
+import com.mercedesbenz.sechub.commons.model.*;
 import com.mercedesbenz.sechub.commons.model.job.ExecutionResult;
 import com.mercedesbenz.sechub.commons.model.job.ExecutionState;
-import com.mercedesbenz.sechub.commons.model.login.ActionType;
-import com.mercedesbenz.sechub.commons.model.login.FormLoginConfiguration;
-import com.mercedesbenz.sechub.commons.model.login.TOTPHashAlgorithm;
-import com.mercedesbenz.sechub.commons.model.login.WebLoginConfiguration;
-import com.mercedesbenz.sechub.commons.model.login.WebLoginTOTPConfiguration;
+import com.mercedesbenz.sechub.commons.model.login.*;
 import com.mercedesbenz.sechub.docgen.util.RestDocFactory;
 import com.mercedesbenz.sechub.docgen.util.RestDocTestFileSupport;
-import com.mercedesbenz.sechub.domain.schedule.ScheduleJobStatus;
-import com.mercedesbenz.sechub.domain.schedule.SchedulerApproveJobService;
-import com.mercedesbenz.sechub.domain.schedule.SchedulerBinariesUploadService;
-import com.mercedesbenz.sechub.domain.schedule.SchedulerCreateJobService;
-import com.mercedesbenz.sechub.domain.schedule.SchedulerGetJobStatusService;
-import com.mercedesbenz.sechub.domain.schedule.SchedulerRestController;
-import com.mercedesbenz.sechub.domain.schedule.SchedulerResult;
-import com.mercedesbenz.sechub.domain.schedule.SchedulerSourcecodeUploadService;
+import com.mercedesbenz.sechub.domain.schedule.*;
 import com.mercedesbenz.sechub.domain.schedule.access.ScheduleAccess;
 import com.mercedesbenz.sechub.domain.schedule.access.ScheduleAccess.ProjectAccessCompositeKey;
 import com.mercedesbenz.sechub.domain.schedule.access.ScheduleAccessRepository;
-import com.mercedesbenz.sechub.domain.schedule.job.ScheduleSecHubJob;
-import com.mercedesbenz.sechub.domain.schedule.job.SecHubJobInfoForUser;
-import com.mercedesbenz.sechub.domain.schedule.job.SecHubJobInfoForUserListPage;
-import com.mercedesbenz.sechub.domain.schedule.job.SecHubJobInfoForUserService;
-import com.mercedesbenz.sechub.domain.schedule.job.SecHubJobRepository;
+import com.mercedesbenz.sechub.domain.schedule.job.*;
 import com.mercedesbenz.sechub.sharedkernel.Profiles;
 import com.mercedesbenz.sechub.sharedkernel.configuration.SecHubConfiguration;
 import com.mercedesbenz.sechub.sharedkernel.configuration.SecHubConfigurationValidator;
 import com.mercedesbenz.sechub.sharedkernel.security.AbstractSecHubAPISecurityConfiguration;
 import com.mercedesbenz.sechub.sharedkernel.usecases.UseCaseRestDoc;
 import com.mercedesbenz.sechub.sharedkernel.usecases.job.UseCaseUserListsJobsForProject;
-import com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.UseCaseUserApprovesJob;
-import com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.UseCaseUserChecksJobStatus;
-import com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.UseCaseUserCreatesNewJob;
-import com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.UseCaseUserUploadsBinaries;
-import com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.UseCaseUserUploadsSourceCode;
+import com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.*;
 import com.mercedesbenz.sechub.test.ExampleConstants;
 import com.mercedesbenz.sechub.test.TestIsNecessaryForDocumentation;
 import com.mercedesbenz.sechub.test.TestPortProvider;
@@ -755,7 +722,7 @@ public void restDoc_userCreatesNewJob_webScan_login_form_script_and_totp_as_seco
 	    					webConfig().
 	    						addURI("https://localhost/mywebapp").
 	    						login("https://localhost/mywebapp/login").
-	    						  totp("example-seed", 30, TOTPHashAlgorithm.HMAC_SHA1, 6).
+	    						  totp("example-seed", 30, TOTPHashAlgorithm.HMAC_SHA1, 6, EncodingType.BASE32).
 	    						  formScripted("username1","password1").
 	    						    createPage().
     	    						    createAction().
@@ -817,6 +784,7 @@ public void restDoc_userCreatesNewJob_webScan_login_form_script_and_totp_as_seco
     										fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+"."+WebLoginConfiguration.PROPERTY_TOTP+"."+WebLoginTOTPConfiguration.PROPERTY_VALIDITY_IN_SECONDS).description("The time in seconds the generated TOTP is valid. In most cases nothing is specified and the default of '"+WebLoginTOTPConfiguration.DEFAULT_VALIDITY_IN_SECONDS+"' seconds is used.").optional(),
     										fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+"."+WebLoginConfiguration.PROPERTY_TOTP+"."+WebLoginTOTPConfiguration.PROPERTY_TOKEN_LENGTH).description("The length of the generated TOTP. In most cases nothing is specified and the default length '"+WebLoginTOTPConfiguration.DEFAULT_TOKEN_LENGTH+"' is used.").optional(),
     										fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+"."+WebLoginConfiguration.PROPERTY_TOTP+"."+WebLoginTOTPConfiguration.PROPERTY_HASH_ALGORITHM).description("The hash algorithm to generate the TOTP. In most cases nothing is specified and the  default hash algorithm '"+WebLoginTOTPConfiguration.DEFAULT_HASH_ALGORITHM+"' is used. Currently available values are: 'HMAC_SHA1', 'HMAC_SHA256', 'HMAC_SHA512'").optional(),
+    										fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+"."+WebLoginConfiguration.PROPERTY_TOTP+"."+WebLoginTOTPConfiguration.PROPERTY_ENCODING_TYPE).description("The encoding type of the 'seed'. The default value is '"+WebLoginTOTPConfiguration.DEFAULT_ENCODING_TYPE+"'. Currently available values are: 'BASE64', 'BASE32', 'HEX', 'PLAIN', 'AUTODETECT'").optional(),
     										fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+".url").description("Login URL").optional(),
     										fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+"."+FORM).description("form login definition").optional(),
     										fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+"."+FORM+"."+SCRIPT).description("script").optional(),

diff --git a/sechub-openapi-java/src/main/resources/openapi.yaml b/sechub-openapi-java/src/main/resources/openapi.yaml
@@ -673,6 +673,8 @@ components:
           format: int32
         hashAlgorithm:
           $ref: '#/components/schemas/TOTPHashAlgorithm'
+        encodingType:
+          $ref: '#/components/schemas/EncodingType'
       required:
         - seed
 
@@ -684,6 +686,16 @@ components:
         - HmacSHA512
       description: Representing the TOTP hash algorithms.
       default: HmacSHA1
+
+    EncodingType:
+      enum:
+        - AUTODETECT
+        - HEX
+        - BASE32
+        - BASE64
+        - PLAIN
+      description: Representing the encoding of the TOTP seed.
+      default: AUTODETECT
 
     WebLoginConfiguration:
       title: WebLoginConfiguration