Feature 3611 zap wrapper webscan template login #3622

Merged
merged 13 commits into from
Nov 27, 2024
Merged
8 changes: 8 additions & 0 deletions gradle/libraries.gradle
Expand Up @@ -87,6 +87,9 @@ ext {
/* Owasp Zap wrapper */
owaspzap_client_api: "1.14.0",
jcommander: "1.82",
selenium_firefox_driver: "4.26.0",
selenium_support: "4.26.0",
groovy_jsr223: "4.0.24",

thymeleaf_extras_springsecurity5: "3.1.2.RELEASE",

Expand Down Expand Up @@ -195,6 +198,11 @@ ext {

jcommander: "com.beust:jcommander:${libraryVersion.jcommander}",

selenium_firefox_driver: "org.seleniumhq.selenium:selenium-firefox-driver:${libraryVersion.selenium_firefox_driver}",
selenium_support: "org.seleniumhq.selenium:selenium-support:${libraryVersion.selenium_support}",

groovy_jsr223: "org.apache.groovy:groovy-jsr223:${libraryVersion.groovy_jsr223}",

/*
* Needed for Spring Boot WebFlux CSRF protection - see: https://stackoverflow.com/a/53305169
*/
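Review bot: The new `groovy_jsr223` coordinate puts a general-purpose script engine into the ZAP wrapper, and if the template login scripts it executes come from the user-submitted scan configuration (the PR title suggests so, the wiring is not visible here) that is arbitrary code execution on the scanner host for anyone allowed to start a scan, so the wrapper side needs an isolated, least-privilege runtime or an explicit sandbox for those scripts. The three new artifacts are pinned to exact versions (Selenium 4.26.0, Groovy 4.0.24), which is good; since they are fetched into a security tool, enabling Gradle dependency verification (checksums or signatures) for them would close the remaining supply-chain gap. A why-comment next to the coordinate, `/* groovy-jsr223: script engine used to run the ZAP template login scripts */`, would tell the next maintainer why an interpreter is in this list.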
Expand Up @@ -41,12 +41,14 @@ public ScriptPageEntryBuilder formScripted(String user, String login) {
return builder;
}

public TestWebLoginConfigurationBuilder totp(String seed, int validityInSeconds, TOTPHashAlgorithm hashAlgorithm, int tokenLength) {
public TestWebLoginConfigurationBuilder totp(String seed, int validityInSeconds, TOTPHashAlgorithm hashAlgorithm, int tokenLength,
EncodingType encodingType) {
WebLoginTOTPConfiguration totp = new WebLoginTOTPConfiguration();
totp.setSeed(seed);
totp.setValidityInSeconds(validityInSeconds);
totp.setHashAlgorithm(hashAlgorithm);
totp.setTokenLength(tokenLength);
totp.setEncodingType(encodingType);
loginConfig.setTotp(totp);

return this;
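Review bot: The four-argument `totp(...)` overload was removed rather than kept, so every existing test that only cares about seed, validity, algorithm and length now has to pick an encoding it does not test; keeping the old signature as a delegating overload, `public TestWebLoginConfigurationBuilder totp(String seed, int validityInSeconds, TOTPHashAlgorithm hashAlgorithm, int tokenLength) { return totp(seed, validityInSeconds, hashAlgorithm, tokenLength, WebLoginTOTPConfiguration.DEFAULT_ENCODING_TYPE); }`, keeps callers compiling and mirrors the production default. The enclosing builder class starts and ends outside this hunk.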
@@ -0,0 +1,25 @@
// SPDX-License-Identifier: MIT
package com.mercedesbenz.sechub.commons.model.login;

import com.fasterxml.jackson.annotation.JsonFormat;

public enum EncodingType {

@JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
AUTODETECT,

@JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
HEX,

@JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
BASE32,

@JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
BASE64,

@JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
PLAIN,

;

}
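Review bot: Putting `@JsonFormat(with = ACCEPT_CASE_INSENSITIVE_PROPERTIES)` on each enum constant does not, as far as I can tell, enable case-insensitive matching — Jackson's enum deserializer looks the format override up on the enum type or on the property that holds it, not on the constants — so the lowercase `"base64"` the documentation promises may only work because something outside this hunk (a mapper-wide setting, for instance) allows it. Moving the single annotation onto the type, `@JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES) public enum EncodingType {`, makes the intent explicit and removes five repeated annotations. The enum also has no Javadoc: a short class comment stating that this is the encoding of the TOTP seed bytes, plus a note on `AUTODETECT` that a seed can be syntactically valid in more than one encoding (a hex string is also valid base32 and base64 input) so an explicit value is the safe choice, would document the one non-obvious constant.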
Expand Up @@ -13,20 +13,24 @@ public class WebLoginTOTPConfiguration {
public static final String PROPERTY_VALIDITY_IN_SECONDS = "validityInSeconds";
public static final String PROPERTY_TOKEN_LENGTH = "tokenLength";
public static final String PROPERTY_HASH_ALGORITHM = "hashAlgorithm";
public static final String PROPERTY_ENCODING_TYPE = "encodingType";

public static final int DEFAULT_VALIDITY_IN_SECONDS = 30;
public static final int DEFAULT_TOKEN_LENGTH = 6;
public static final TOTPHashAlgorithm DEFAULT_HASH_ALGORITHM = TOTPHashAlgorithm.HMAC_SHA1;
public static final EncodingType DEFAULT_ENCODING_TYPE = EncodingType.AUTODETECT;

private SealedObject seed;
private int validityInSeconds;
private int tokenLength;
private TOTPHashAlgorithm hashAlgorithm;
private EncodingType encodingType;

public WebLoginTOTPConfiguration() {
this.validityInSeconds = DEFAULT_VALIDITY_IN_SECONDS;
this.tokenLength = DEFAULT_TOKEN_LENGTH;
this.hashAlgorithm = DEFAULT_HASH_ALGORITHM;
this.encodingType = DEFAULT_ENCODING_TYPE;
}

public String getSeed() {
Expand Down Expand Up @@ -61,4 +65,12 @@ public void setHashAlgorithm(TOTPHashAlgorithm hashAlgorithm) {
this.hashAlgorithm = hashAlgorithm;
}

public EncodingType getEncodingType() {
return encodingType;
}

public void setEncodingType(EncodingType encodingType) {
this.encodingType = encodingType;
}

}
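Review bot: `setEncodingType` replaces the `AUTODETECT` default with `null` when a client sends `"encodingType": null`, and any later `switch` on the value would then fail with an NPE in the wrapper instead of the documented fall-back to the default; `this.encodingType = encodingType == null ? DEFAULT_ENCODING_TYPE : encodingType;` keeps the object in a valid state, and the same guard fits the `hashAlgorithm` setter above it, which has the same gap. The new accessors have no Javadoc; a one-line comment on the getter, stating that it returns the encoding of the seed and never null once the guard is in, and on the setter, that null restores the default, would document the contract the defaults test relies on.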
@@ -1,7 +1,7 @@
// SPDX-License-Identifier: MIT
package com.mercedesbenz.sechub.commons.model.login;

import static org.junit.jupiter.api.Assertions.*;
import static org.junit.jupiter.api.Assertions.assertEquals;

import org.junit.jupiter.api.Test;

Expand All @@ -19,6 +19,7 @@ void default_values_are_as_expected() {
assertEquals(WebLoginTOTPConfiguration.DEFAULT_VALIDITY_IN_SECONDS, defaultConfig.getValidityInSeconds());
assertEquals(WebLoginTOTPConfiguration.DEFAULT_TOKEN_LENGTH, defaultConfig.getTokenLength());
assertEquals(WebLoginTOTPConfiguration.DEFAULT_HASH_ALGORITHM, defaultConfig.getHashAlgorithm());
assertEquals(WebLoginTOTPConfiguration.DEFAULT_ENCODING_TYPE, defaultConfig.getEncodingType());
}

@Test
Expand All @@ -35,6 +36,7 @@ void default_values_are_used_correctly_during_json_serialization_and_deserializa
assertEquals(config.getValidityInSeconds(), expectedConfig.getValidityInSeconds());
assertEquals(config.getTokenLength(), expectedConfig.getTokenLength());
assertEquals(config.getHashAlgorithm(), expectedConfig.getHashAlgorithm());
assertEquals(config.getEncodingType(), expectedConfig.getEncodingType());
}

@Test
Expand All @@ -45,6 +47,7 @@ void custom_values_are_used_correctly_during_json_serialization_and_deserializat
expectedConfig.setValidityInSeconds(45);
expectedConfig.setTokenLength(9);
expectedConfig.setHashAlgorithm(TOTPHashAlgorithm.HMAC_SHA512);
expectedConfig.setEncodingType(EncodingType.BASE64);

/* execute */
String json = JSONConverter.get().toJSON(expectedConfig);
Expand All @@ -55,6 +58,7 @@ void custom_values_are_used_correctly_during_json_serialization_and_deserializat
assertEquals(config.getValidityInSeconds(), expectedConfig.getValidityInSeconds());
assertEquals(config.getTokenLength(), expectedConfig.getTokenLength());
assertEquals(config.getHashAlgorithm(), expectedConfig.getHashAlgorithm());
assertEquals(config.getEncodingType(), expectedConfig.getEncodingType());
}

}
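Review bot: The round-trip tests only prove that the uppercase value Jackson itself emitted is read back, so the case-insensitive parsing the documentation and the example (`"encodingType" : "base64"`) promise is not pinned here; a small test that deserializes a literal `{"seed":"x","encodingType":"base64"}` with `JSONConverter.get().fromJSON(WebLoginTOTPConfiguration.class, json)` and asserts `EncodingType.BASE64` would catch a regression in the annotation setup. A sibling test for an unknown value (e.g. `"encodingType":"rot13"`) would also document whether that is rejected or silently mapped to the default, which the user documentation currently claims.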
1 change: 1 addition & 0 deletions sechub-doc/build.gradle
Expand Up @@ -17,6 +17,7 @@ dependencies {
'sechub-pds-tools', /* only pds tooling + avoid cycles */
'sechub-api-java', /* the api project needs sechub-doc tests (and compile) for open api json files. So we may not have this as relation! */
'sechub-systemtest', /* avoid cyclic dependency, see AdoptedSystemTestDefaultFallbacks javadoc for more information */
'sechub-wrapper-owasp-zap',

]
/* fetch all sub projects, except unwanted and all only used for testing */
Expand Up @@ -328,6 +328,15 @@ The currently available hash algorithms are:
- `HMAC_SHA1`
- `HMAC_SHA256`
- `HMAC_SHA512`
<6> The `encodingType` is an __optional__ field, representing the encoding of the __mandatory__ field `seed`.
Sechub has a default configured if nothing is specified or the encoding type is not known.
The default value is `AUTODETECT` where SecHub tries to detect the encoding of one of the four other available types.
The currently available encoding types for `seed` are, which are treated case-insensitive:
- `BASE64`
- `BASE32`
- `HEX`
- `PLAIN`
- `AUTODETECT`

[[sechub-config-example-webscan-openapi]]
====== Example OpenAPI scan
Expand Up @@ -27,7 +27,8 @@
"seed" : "example-seed", //<2>
"validityInSeconds" : 60, //<3>
"tokenLength" : 8, //<4>
"hashAlgorithm" : "HMAC_SHA256" //<5>
"hashAlgorithm" : "HMAC_SHA256", //<5>
"encodingType" : "base64" //<6>
}
}
}
Expand Up @@ -307,6 +307,7 @@ void webscan_form_based_script_auth_with_totp_can_be_read_and_contains_expected_
assertEquals(60, totp.getValidityInSeconds());
assertEquals(8, totp.getTokenLength());
assertEquals(TOTPHashAlgorithm.HMAC_SHA256, totp.getHashAlgorithm());
assertEquals(EncodingType.BASE64, totp.getEncodingType());
}

private void assertDefaultValue(PDSProductSetup setup, boolean isMandatory, String parameterKey, String expectedDefault) {
Expand Up @@ -3,17 +3,17 @@

import static com.mercedesbenz.sechub.commons.core.CommonConstants.*;
import static com.mercedesbenz.sechub.commons.model.SecHubConfigurationModel.*;
import static com.mercedesbenz.sechub.commons.model.TestSecHubConfigurationBuilder.*;
import static com.mercedesbenz.sechub.restdoc.RestDocumentation.*;
import static com.mercedesbenz.sechub.commons.model.TestSecHubConfigurationBuilder.configureSecHub;
import static com.mercedesbenz.sechub.restdoc.RestDocumentation.defineRestService;
import static com.mercedesbenz.sechub.test.RestDocPathParameter.*;
import static com.mercedesbenz.sechub.test.SecHubTestURLBuilder.*;
import static com.mercedesbenz.sechub.test.SecHubTestURLBuilder.https;
import static org.mockito.ArgumentMatchers.*;
import static org.mockito.Mockito.*;
import static org.springframework.restdocs.headers.HeaderDocumentation.*;
import static org.springframework.restdocs.mockmvc.RestDocumentationRequestBuilders.*;
import static org.springframework.restdocs.payload.PayloadDocumentation.*;
import static org.springframework.restdocs.request.RequestDocumentation.*;
import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.*;
import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;

import java.io.InputStream;
Expand Down Expand Up @@ -42,57 +42,24 @@
import org.springframework.util.StringUtils;

import com.mercedesbenz.sechub.commons.core.CommonConstants;
import com.mercedesbenz.sechub.commons.model.ClientCertificateConfiguration;
import com.mercedesbenz.sechub.commons.model.HTTPHeaderConfiguration;
import com.mercedesbenz.sechub.commons.model.SecHubCodeScanConfiguration;
import com.mercedesbenz.sechub.commons.model.SecHubConfigurationMetaData;
import com.mercedesbenz.sechub.commons.model.SecHubDataConfiguration;
import com.mercedesbenz.sechub.commons.model.SecHubDataConfigurationUsageByName;
import com.mercedesbenz.sechub.commons.model.SecHubFileSystemConfiguration;
import com.mercedesbenz.sechub.commons.model.SecHubInfrastructureScanConfiguration;
import com.mercedesbenz.sechub.commons.model.SecHubSourceDataConfiguration;
import com.mercedesbenz.sechub.commons.model.SecHubTimeUnit;
import com.mercedesbenz.sechub.commons.model.SecHubWebScanApiConfiguration;
import com.mercedesbenz.sechub.commons.model.SecHubWebScanApiType;
import com.mercedesbenz.sechub.commons.model.SecHubWebScanConfiguration;
import com.mercedesbenz.sechub.commons.model.TrafficLight;
import com.mercedesbenz.sechub.commons.model.WebScanDurationConfiguration;
import com.mercedesbenz.sechub.commons.model.*;
import com.mercedesbenz.sechub.commons.model.job.ExecutionResult;
import com.mercedesbenz.sechub.commons.model.job.ExecutionState;
import com.mercedesbenz.sechub.commons.model.login.ActionType;
import com.mercedesbenz.sechub.commons.model.login.FormLoginConfiguration;
import com.mercedesbenz.sechub.commons.model.login.TOTPHashAlgorithm;
import com.mercedesbenz.sechub.commons.model.login.WebLoginConfiguration;
import com.mercedesbenz.sechub.commons.model.login.WebLoginTOTPConfiguration;
import com.mercedesbenz.sechub.commons.model.login.*;
import com.mercedesbenz.sechub.docgen.util.RestDocFactory;
import com.mercedesbenz.sechub.docgen.util.RestDocTestFileSupport;
import com.mercedesbenz.sechub.domain.schedule.ScheduleJobStatus;
import com.mercedesbenz.sechub.domain.schedule.SchedulerApproveJobService;
import com.mercedesbenz.sechub.domain.schedule.SchedulerBinariesUploadService;
import com.mercedesbenz.sechub.domain.schedule.SchedulerCreateJobService;
import com.mercedesbenz.sechub.domain.schedule.SchedulerGetJobStatusService;
import com.mercedesbenz.sechub.domain.schedule.SchedulerRestController;
import com.mercedesbenz.sechub.domain.schedule.SchedulerResult;
import com.mercedesbenz.sechub.domain.schedule.SchedulerSourcecodeUploadService;
import com.mercedesbenz.sechub.domain.schedule.*;
import com.mercedesbenz.sechub.domain.schedule.access.ScheduleAccess;
import com.mercedesbenz.sechub.domain.schedule.access.ScheduleAccess.ProjectAccessCompositeKey;
import com.mercedesbenz.sechub.domain.schedule.access.ScheduleAccessRepository;
import com.mercedesbenz.sechub.domain.schedule.job.ScheduleSecHubJob;
import com.mercedesbenz.sechub.domain.schedule.job.SecHubJobInfoForUser;
import com.mercedesbenz.sechub.domain.schedule.job.SecHubJobInfoForUserListPage;
import com.mercedesbenz.sechub.domain.schedule.job.SecHubJobInfoForUserService;
import com.mercedesbenz.sechub.domain.schedule.job.SecHubJobRepository;
import com.mercedesbenz.sechub.domain.schedule.job.*;
import com.mercedesbenz.sechub.sharedkernel.Profiles;
import com.mercedesbenz.sechub.sharedkernel.configuration.AbstractSecHubAPISecurityConfiguration;
import com.mercedesbenz.sechub.sharedkernel.configuration.SecHubConfiguration;
import com.mercedesbenz.sechub.sharedkernel.configuration.SecHubConfigurationValidator;
import com.mercedesbenz.sechub.sharedkernel.usecases.UseCaseRestDoc;
import com.mercedesbenz.sechub.sharedkernel.usecases.job.UseCaseUserListsJobsForProject;
import com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.UseCaseUserApprovesJob;
import com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.UseCaseUserChecksJobStatus;
import com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.UseCaseUserCreatesNewJob;
import com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.UseCaseUserUploadsBinaries;
import com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.UseCaseUserUploadsSourceCode;
import com.mercedesbenz.sechub.sharedkernel.usecases.user.execute.*;
import com.mercedesbenz.sechub.test.ExampleConstants;
import com.mercedesbenz.sechub.test.TestIsNecessaryForDocumentation;
import com.mercedesbenz.sechub.test.TestPortProvider;
Expand Down Expand Up @@ -755,7 +722,7 @@ public void restDoc_userCreatesNewJob_webScan_login_form_script_and_totp_as_seco
webConfig().
addURI("https://localhost/mywebapp").
login("https://localhost/mywebapp/login").
totp("example-seed", 30, TOTPHashAlgorithm.HMAC_SHA1, 6).
totp("example-seed", 30, TOTPHashAlgorithm.HMAC_SHA1, 6, EncodingType.BASE32).
formScripted("username1","password1").
createPage().
createAction().
Expand Down Expand Up @@ -817,6 +784,7 @@ public void restDoc_userCreatesNewJob_webScan_login_form_script_and_totp_as_seco
fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+"."+WebLoginConfiguration.PROPERTY_TOTP+"."+WebLoginTOTPConfiguration.PROPERTY_VALIDITY_IN_SECONDS).description("The time in seconds the generated TOTP is valid. In most cases nothing is specified and the default of '"+WebLoginTOTPConfiguration.DEFAULT_VALIDITY_IN_SECONDS+"' seconds is used.").optional(),
fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+"."+WebLoginConfiguration.PROPERTY_TOTP+"."+WebLoginTOTPConfiguration.PROPERTY_TOKEN_LENGTH).description("The length of the generated TOTP. In most cases nothing is specified and the default length '"+WebLoginTOTPConfiguration.DEFAULT_TOKEN_LENGTH+"' is used.").optional(),
fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+"."+WebLoginConfiguration.PROPERTY_TOTP+"."+WebLoginTOTPConfiguration.PROPERTY_HASH_ALGORITHM).description("The hash algorithm to generate the TOTP. In most cases nothing is specified and the default hash algorithm '"+WebLoginTOTPConfiguration.DEFAULT_HASH_ALGORITHM+"' is used. Currently available values are: 'HMAC_SHA1', 'HMAC_SHA256', 'HMAC_SHA512'").optional(),
fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+"."+WebLoginConfiguration.PROPERTY_TOTP+"."+WebLoginTOTPConfiguration.PROPERTY_ENCODING_TYPE).description("The encoding type of the 'seed'. The default value is '"+WebLoginTOTPConfiguration.DEFAULT_ENCODING_TYPE+"'. Currently available values are: 'BASE64', 'BASE32', 'HEX', 'PLAIN', 'AUTODETECT'").optional(),
fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+".url").description("Login URL").optional(),
fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+"."+FORM).description("form login definition").optional(),
fieldWithPath(PROPERTY_WEB_SCAN+"."+SecHubWebScanConfiguration.PROPERTY_LOGIN+"."+FORM+"."+SCRIPT).description("script").optional(),
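Review bot: The generated REST documentation now shows `totp("example-seed", 30, TOTPHashAlgorithm.HMAC_SHA1, 6, EncodingType.BASE32)`, but `example-seed` is not valid base32 (lowercase letters and a hyphen are outside the A–Z/2–7 alphabet), so a user who copies the documented example gets a config that declares an encoding its seed cannot satisfy; use a seed that matches the declared encoding, e.g. `totp("JBSWY3DPEHPK3PXP", 30, TOTPHashAlgorithm.HMAC_SHA1, 6, EncodingType.BASE32).`, or keep the placeholder and declare `EncodingType.PLAIN`. The new field description would also be clearer with the case-insensitivity stated, since that is what the example relies on: `"... Values are matched case-insensitively. 'AUTODETECT' lets SecHub guess the encoding; prefer an explicit value, as a seed can be valid in more than one encoding."`. Separately, the import block was collapsed to wildcard imports (`com.mercedesbenz.sechub.commons.model.*`, `...login.*`, `...schedule.*`, `...job.*`, `...execute.*`), which the rest of this file avoided; that looks like an IDE artefact and is worth reverting before merge.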
12 changes: 12 additions & 0 deletions sechub-openapi-java/src/main/resources/openapi.yaml
Expand Up @@ -650,6 +650,8 @@ components:
format: int32
hashAlgorithm:
$ref: '#/components/schemas/TOTPHashAlgorithm'
encodingType:
$ref: '#/components/schemas/EncodingType'
required:
- seed

Expand All @@ -661,6 +663,16 @@ components:
- HmacSHA512
description: Representing the TOTP hash algorithms.
default: HmacSHA1

EncodingType:
enum:
- AUTODETECT
- HEX
- BASE32
- BASE64
- PLAIN
description: Representing the encoding of the TOTP seed.
default: AUTODETECT

WebLoginConfiguration:
title: WebLoginConfiguration
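Review bot: The new `EncodingType` schema lists the values and a default but says nothing about how they are interpreted, so generated clients and their users cannot tell from the spec that the server matches values case-insensitively or what `AUTODETECT` does; a fuller description, `description: Encoding of the TOTP seed. Values are matched case-insensitively. AUTODETECT lets the server guess among HEX, BASE32, BASE64 and PLAIN; prefer an explicit value, since a seed can be valid in more than one encoding.`, carries that. The value list must also be kept in sync by hand with the Java enum of the same name; a comment above the schema pointing at `com.mercedesbenz.sechub.commons.model.login.EncodingType` makes that coupling visible.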