Added methods related to Context, Authentication, User, ForcedUser, and ACSRF

Added methods needed create and setup a context, and its related configuration such as authentication, users, forced user, session management.

Also added methods to manage CSRF tokens.

Author: dmettem

.gitignore

@@ -0,0 +1,4 @@
+# Created by .ignore support plugin (hsz.mobi)
+.idea/
+*.iml
+target/

src/main/java/net/continuumsecurity/proxy/Authentication.java

@@ -0,0 +1,259 @@
+package net.continuumsecurity.proxy;
+
+import net.continuumsecurity.proxy.model.User;
+import org.zaproxy.clientapi.core.ClientApiException;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.util.List;
+import java.util.Map;
+
+public interface Authentication {
+    /**
+     * Returns the supported authentication methods by ZAP.
+     * @return list of supported authentication methods.
+     * @throws ClientApiException
+     */
+    List<String> getSupportedAuthenticationMethods() throws ClientApiException;
+
+    /**
+     * Returns logged in indicator pattern for the given context.
+     * @param contextId Id of the context.
+     * @return Logged in indicator for the given context.
+     * @throws ClientApiException
+     */
+    String getLoggedInIndicator(String contextId) throws ClientApiException;
+
+    /**
+     * Returns logged out indicator pattern for the given context.
+     * @param contextId Id of the context.
+     * @return Logged out indicator for the given context.
+     * @throws ClientApiException
+     */
+    String getLoggedOutIndicator(String contextId) throws ClientApiException;
+
+    /**
+     * Sets the logged in indicator to a given context.
+     * @param contextId Id of a context.
+     * @param loggedInIndicatorRegex Regex pattern for logged in indicator.
+     * @throws ClientApiException
+     */
+    void setLoggedInIndicator(String contextId, String loggedInIndicatorRegex) throws ClientApiException;
+
+    /**
+     * Sets the logged out indicator to a given context.
+     * @param contextId Id of a context.
+     * @param loggedOutIndicatorRegex Regex pattern for logged out indicator.
+     * @throws ClientApiException
+     */
+    void setLoggedOutIndicator(String contextId, String loggedOutIndicatorRegex) throws ClientApiException;
+
+    /**
+     * Returns authentication method for a given context.
+     * @param contextId Id of a context.
+     * @return Authentication method details for the given context id.
+     * @throws ClientApiException
+     */
+    Map<String, String> getAuthenticationMethodInfo(String contextId) throws ClientApiException;
+
+    /**
+     * Returns the list of authentication config parameters.
+     * Each config parameter is a map with keys "name" and "mandatory", holding the values name of the configuration parameter and whether it is mandatory/optional respectively.
+     * @param authMethod Valid authentication method name.
+     * @return List of configuration parameters for the given authentication method name.
+     * @throws ClientApiException
+     */
+    List<Map<String, String>> getAuthMethodConfigParameters(String authMethod) throws ClientApiException;
+
+    /**
+     * Sets the authentication method for a given context with given configuration parameters.
+     * @param contextId Id of a context.
+     * @param authMethodName Valid authentication method name.
+     * @param authMethodConfigParams Authentication method configuration parameters such as loginUrl, loginRequestData formBasedAuthentication method, and hostName, port, realm for httpBasedAuthentication method.
+     * @throws ClientApiException
+     */
+    void setAuthenticationMethod(String contextId, String authMethodName, String authMethodConfigParams) throws ClientApiException;
+
+    /**
+     * Sets the formBasedAuthentication to given context id with the loginUrl and loginRequestData.
+     * Example loginRequestData: "username={%username%}&password={%password%}"
+     * @param contextId Id of the context.
+     * @param loginUrl Login URL.
+     * @param loginRequestData Login request data with form field names for username and password.
+     * @throws ClientApiException
+     * @throws UnsupportedEncodingException
+     */
+    void setFormBasedAuthentication(String contextId, String loginUrl, String loginRequestData) throws ClientApiException, UnsupportedEncodingException;
+
+    /**
+     * Sets the HTTP/NTLM authentication to given context id with hostname, realm and port.
+     * @param contextId Id of the context.
+     * @param hostname Hostname.
+     * @param realm Realm.
+     * @param portNumber Port number.
+     * @throws ClientApiException
+     */
+    void setHttpAuthentication(String contextId, String hostname, String realm, String portNumber) throws ClientApiException, UnsupportedEncodingException;
+
+    /**
+     * Sets the HTTP/NTLM authentication to given context id with hostname, realm.
+     * @param contextId Id of the context.
+     * @param hostname Hostname.
+     * @param realm Realm.
+     * @throws ClientApiException
+     */
+    void setHttpAuthentication(String contextId, String hostname, String realm) throws ClientApiException, UnsupportedEncodingException;
+
+    /**
+     * Sets the manual authentication to the given context id.
+     * @param contextId Id of the context.
+     * @throws ClientApiException
+     */
+    void setManualAuthentication(String contextId) throws ClientApiException;
+
+    /**
+     * Sets the script based authentication to the given context id with the script name and config parameters.
+     * @param contextId Id of the context.
+     * @param scriptName Name of the script.
+     * @param scriptConfigParams Script config parameters.
+     * @throws ClientApiException
+     */
+    void setScriptBasedAuthentication(String contextId, String scriptName, String scriptConfigParams) throws ClientApiException, UnsupportedEncodingException;
+
+    /**
+     * Returns list of {@link User}s for a given context.
+     * @param contextId Id of the context.
+     * @return List of {@link User}s
+     * @throws ClientApiException
+     * @throws IOException
+     */
+    List<User> getUsersList(String contextId) throws ClientApiException, IOException;
+
+    /**
+     * Returns the {@link User} info for a given context id and user id.
+     * @param contextId Id of a context.
+     * @param userId Id of a user.
+     * @return {@link User} info.
+     * @throws ClientApiException
+     * @throws IOException
+     */
+    User getUserById(String contextId, String userId) throws ClientApiException, IOException;
+
+    /**
+     * Returns list of config parameters of authentication credentials for a given context id.
+     * Each item in the list is a map with keys "name" and "mandatory".
+     * @param contextId Id of a context.
+     * @return List of authentication credentials configuration parameters.
+     * @throws ClientApiException
+     */
+    List<Map<String, String>> getAuthenticationCredentialsConfigParams(String contextId) throws ClientApiException;
+
+    /**
+     * Returns the authentication credentials as a map with key value pairs for a given context id and user id.
+     * @param contextId Id of a context.
+     * @param userId Id of a user.
+     * @return Authentication credentials.
+     * @throws ClientApiException
+     */
+    Map<String, String> getAuthenticationCredentials(String contextId, String userId) throws ClientApiException;
+
+    /**
+     * Creates a new {@link User} for a given context and returns the user id.
+     * @param contextId Id of a context.
+     * @param name Name of the user.
+     * @return User id.
+     * @throws ClientApiException
+     */
+    String newUser(String contextId, String name) throws ClientApiException;
+
+    /**
+     * Removes a {@link User} using the given context id and user id.
+     * @param contextId Id of a {@link net.continuumsecurity.proxy.model.Context}
+     * @param userId Id of a {@link User}
+     * @throws ClientApiException
+     */
+    void removeUser(String contextId, String userId) throws ClientApiException;
+
+    /**
+     * Sets the authCredentialsConfigParams to the given context and user.
+     * Bu default, authCredentialsConfigParams uses key value separator "=" and key value pair separator "&".
+     * Make sure that values provided for authCredentialsConfigParams are URL encoded using "UTF-8".
+     * @param contextId Id of the context.
+     * @param userId Id of the user.
+     * @param authCredentialsConfigParams Authentication credentials config parameters.
+     * @throws ClientApiException
+     */
+    void setAuthenticationCredentials(String contextId, String userId, String authCredentialsConfigParams) throws ClientApiException;
+
+    /**
+     * Enables a {@link User} for a given {@link net.continuumsecurity.proxy.model.Context} id and user id.
+     * @param contextId Id of a {@link net.continuumsecurity.proxy.model.Context}
+     * @param userId Id of a {@link User}
+     * @param enabled Boolean value to enable/disable the user.
+     * @throws ClientApiException
+     */
+    void setUserEnabled(String contextId, String userId, boolean enabled) throws ClientApiException;
+
+    /**
+     * Sets a name to the user for the given context id and user id.
+     * @param contextId Id of a {@link net.continuumsecurity.proxy.model.Context}
+     * @param userId Id of a {@link User}
+     * @param name User name.
+     * @throws ClientApiException
+     */
+    void setUserName(String contextId, String userId, String name) throws ClientApiException;
+
+    /**
+     * Returns the forced user id for a given context.
+     * @param contextId Id of a context.
+     * @return Id of a forced {@link User}
+     * @throws ClientApiException
+     */
+    String getForcedUserId(String contextId) throws ClientApiException;
+
+    /**
+     * Returns true if forced user mode is enabled. Otherwise returns false.
+     * @return true if forced user mode is enabled.
+     * @throws ClientApiException
+     */
+    boolean isForcedUserModeEnabled() throws ClientApiException;
+
+    /**
+     * Enables/disables the forced user mode.
+     * @param forcedUserModeEnabled flag to enable/disable forced user mode.
+     * @throws ClientApiException
+     */
+    void setForcedUserModeEnabled(boolean forcedUserModeEnabled) throws ClientApiException;
+
+    /**
+     * Sets a {@link User} id as forced user for the given {@link net.continuumsecurity.proxy.model.Context}
+     * @param contextId Id of a context.
+     * @param userId Id of a user.
+     * @throws ClientApiException
+     */
+    void setForcedUser(String contextId, String userId) throws ClientApiException;
+
+    /**
+     * Returns list of supported session management methods.
+     * @return List of supported session management methods.
+     * @throws ClientApiException
+     */
+    List<String> getSupportedSessionManagementMethods() throws ClientApiException;
+
+    /**
+     * Returns session management method selected for the given context.
+     * @param contextId Id of a context.
+     * @return Session management method for a given context.
+     * @throws ClientApiException
+     */
+    String getSessionManagementMethod(String contextId) throws ClientApiException;
+
+    /**
+     * Sets the given session management method and config params for a given context.
+     * @param contextId Id of a context.
+     * @param sessionManagementMethodName Session management method name.
+     * @param methodConfigParams Session management method config parameters.
+     * @throws ClientApiException
+     */
+    void setSessionManagementMethod(String contextId, String sessionManagementMethodName, String methodConfigParams) throws ClientApiException;
+}

src/main/java/net/continuumsecurity/proxy/ScanningProxy.java

@@ -1,8 +1,12 @@
 package net.continuumsecurity.proxy;
 
+import net.continuumsecurity.proxy.model.Context;
 import org.zaproxy.clientapi.core.Alert;
+import org.zaproxy.clientapi.core.ClientApiException;
 
+import java.io.IOException;
 import java.util.List;
+import java.util.regex.Pattern;
 
 public interface ScanningProxy extends LoggingProxy {
 
@@ -57,4 +61,105 @@ public interface ScanningProxy extends LoggingProxy {
      * @throws ProxyException
      */
     public void shutdown() throws ProxyException;
+
+    /**
+     * Creates a new context with given context name and sets it in scope if @param inScope is true.
+     *
+     * @param contextName Name of the context.
+     * @param inScope     true to set context in scope.
+     * @throws ClientApiException
+     */
+    void createContext(String contextName, boolean inScope) throws ClientApiException;
+
+    /**
+     * Adds include regex to the given context.
+     *
+     * @param contextName Name of the context.
+     * @param regex        Regex to include in context.
+     * @throws ClientApiException
+     */
+    void includeRegexInContext(String contextName, Pattern regex) throws ClientApiException;
+
+    /**
+     * Adds include parent url to the given content.
+     * @param contextName Name of the context.
+     * @param parentUrl Parent URL to include in context.
+     * @throws ClientApiException
+     */
+    void includeUrlTreeInContext(String contextName, String parentUrl) throws ClientApiException;
+
+    /**
+     * Add exclude regex to the given context.
+     * @param contextName Name of the context.
+     * @param regex Regex to exclude from context.
+     * @throws ClientApiException
+     */
+    void excludeRegexFromContext(String contextName, Pattern regex) throws ClientApiException;
+
+    /**
+     * Add exclude regex to the given context.
+     * @param contextName Name of the context.
+     * @param parentUrl Parent URL to exclude from context.
+     * @throws ClientApiException
+     */
+    void excludeParentUrlFromContext(String contextName, String parentUrl) throws ClientApiException;
+
+    /**
+     * Returns Context details for a given context name.
+     * @param contextName Name of context.
+     * @return Context details for the given context
+     * @throws ClientApiException
+     */
+    Context getContextInfo(String contextName) throws ClientApiException, IOException;
+
+    /**
+     * Returns list of context names.
+     * @return List of context names.
+     */
+    List<String> getContexts() throws ClientApiException;
+
+    /**
+     * Sets the given context in or out of scope.
+     * @param contextName Name of the context.
+     * @param inScope true - Sets the context in scope. false - Sets the context out of scope.
+     * @throws ClientApiException
+     */
+    void setContextInScope(String contextName, boolean inScope) throws ClientApiException;
+
+    /**
+     * Returns the list of included regexs for the given context.
+     * @param contextName Name of the context.
+     * @return List of include regexs.
+     * @throws ClientApiException
+     */
+    List<String> getIncludedRegexs(String contextName) throws ClientApiException;
+
+    /**
+     * Returns the list of excluded regexs for the given context.
+     * @param contextName Name of the context.
+     * @return List of exclude regexs.
+     * @throws ClientApiException
+     */
+    List<String> getExcludedRegexs(String contextName) throws ClientApiException;
+
+    /**
+     * Returns the list of Anti CSRF token names.
+     * @return List of Anti CSRF token names.
+     * @throws ClientApiException
+     */
+    List<String> getAntiCsrfTokenNames() throws ClientApiException;
+
+    /**
+     * Adds an anti CSRF token with the given name, enabled by default.
+     * @param tokenName Anti CSRF token name.
+     * @throws ClientApiException
+     */
+    void addAntiCsrfToken(String tokenName) throws ClientApiException;
+
+    /**
+     * Removes the anti CSRF token with the given name.
+     * @param tokenName Anti CSRF token name.
+     * @throws ClientApiException
+     */
+    void removeAntiCsrfToken(String tokenName) throws ClientApiException;
 }