
Implement handling of API import from URL in ZAP wrapper #1436
winzj committed Apr 2, 2024
1 parent 006eb44 commit 8792070
Showing 5 changed files with 101 additions and 8 deletions.
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: MIT
package com.mercedesbenz.sechub.zapwrapper.internal.scan;

import java.net.URL;
import java.util.ArrayList;
import java.util.List;

Expand Down Expand Up @@ -234,6 +235,18 @@ public ApiResponse importOpenApiFile(String openApiFile, String url, String cont
return clientApi.openapi.importFile(openApiFile, url, contextId);
}

/**
*
* @param apiDefinitionUrl
* @param targetUrl
* @param contextId
* @return
* @throws ClientApiException
*/
public ApiResponse importOpenApiDefintionFromUrl(URL apiDefinitionUrl, String targetUrl, String contextId) throws ClientApiException {
return clientApi.openapi.importUrl(apiDefinitionUrl.toString(), targetUrl, contextId);
}

/**
* Import the given PKCS12 client certificate using the optional client
* certificates password if necessary.
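Review bot: The Javadoc added above `importOpenApiDefintionFromUrl` is an empty template (`@param`/`@return`/`@throws` tags with no text), so the new public facade method documents nothing; propose a summary line "Instructs ZAP to fetch the OpenAPI definition at apiDefinitionUrl and import it into the given context", `@param apiDefinitionUrl` as the location ZAP downloads the definition from, `@param targetUrl` as the target the imported endpoints are associated with, `@param contextId` as the ZAP context to import into, `@return` the raw ZAP response, and `@throws ClientApiException` when the import call fails. Since the URL is forwarded verbatim (`apiDefinitionUrl.toString()`) and ZAP performs the fetch, the doc should also state that this method does no scheme or host validation and the caller is responsible for passing a trusted URL. The method name carries a typo (`Defintion`); renaming to `importOpenApiDefinitionFromUrl` now, while there is a single caller and test references, is cheaper than after it spreads.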
Expand Up @@ -4,6 +4,7 @@
import java.io.File;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
Expand Down Expand Up @@ -257,18 +258,21 @@ void addIncludedAndExcludedUrlsToContext() throws ClientApiException {
}

void loadApiDefinitions(String zapContextId) throws ClientApiException {
if (scanContext.getApiDefinitionFiles().isEmpty()) {
LOG.info("For scan {}: No file with API definition found!", scanContext.getContextName());
return;
}
Optional<SecHubWebScanApiConfiguration> apiConfig = scanContext.getSecHubWebScanConfiguration().getApi();
if (!apiConfig.isPresent()) {
LOG.info("For scan {}: No API definition was found!", scanContext.getContextName());
return;
}

switch (apiConfig.get().getType()) {
SecHubWebScanApiConfiguration secHubWebScanApiConfiguration = apiConfig.get();

switch (secHubWebScanApiConfiguration.getType()) {
case OPEN_API:
URL apiDefinitionUrl = secHubWebScanApiConfiguration.getApiDefinitionUrl();
if (apiDefinitionUrl != null) {
LOG.info("For scan {}: Loading openAPI definition from : {}", scanContext.getContextName(), apiDefinitionUrl.toString());
clientApiFacade.importOpenApiDefintionFromUrl(apiDefinitionUrl, scanContext.getTargetUrlAsString(), zapContextId);
}
for (File apiFile : scanContext.getApiDefinitionFiles()) {
LOG.info("For scan {}: Loading openAPI file: {}", scanContext.getContextName(), apiFile.toString());
clientApiFacade.importOpenApiFile(apiFile.toString(), scanContext.getTargetUrlAsString(), zapContextId);
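Review bot: The new log line for the URL import writes `apiDefinitionUrl.toString()`, which includes any userinfo and the full query string; the test fixtures already show a query (`?format=openapi`), and swagger/OpenAPI URLs from a user's configuration commonly carry an API key or token there, so this would leak credentials into scan logs — log a reduced form such as `apiDefinitionUrl.getProtocol() + "://" + apiDefinitionUrl.getHost() + apiDefinitionUrl.getPath()` instead. The URL comes straight from the user-supplied SecHub configuration and is handed to ZAP, which fetches it; if the wrapper is meant to constrain what ZAP reaches (not visible from here), the `apiDefinitionUrl != null` branch is the place for a scheme check, since `java.net.URL` also accepts `file:`, `jar:` and `ftp:`, e.g. `if (!"https".equals(apiDefinitionUrl.getProtocol()) && !"http".equals(apiDefinitionUrl.getProtocol())) { LOG.warn(...); } else { ...import... }`. With the earlier `getApiDefinitionFiles().isEmpty()` early return gone, an `openApi` configuration with neither a URL nor files now completes silently — the removed "No file with API definition found!" message has no replacement, so consider `LOG.warn` when `apiDefinitionUrl == null && scanContext.getApiDefinitionFiles().isEmpty()`. The enclosing `loadApiDefinitions` method continues past the hunk (the for loop, switch and method body close outside this view).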
Expand Up @@ -20,7 +20,6 @@
import java.net.URL;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
Expand Down Expand Up @@ -359,16 +358,18 @@ void set_includes_and_excludes_api_facade_is_called_once_for_each_include_and_on
void import_openapi_file_but_api_file_is_null_api_facade_is_never_called() throws ClientApiException {
/* prepare */
String contextId = "context-id";
when(scanContext.getApiDefinitionFiles()).thenReturn(Collections.emptyList());

ApiResponse response = mock(ApiResponse.class);
when(scanContext.getSecHubWebScanConfiguration()).thenReturn(new SecHubWebScanConfiguration());
when(clientApiFacade.importOpenApiFile(any(), any(), any())).thenReturn(response);
when(clientApiFacade.importOpenApiDefintionFromUrl(any(), any(), any())).thenReturn(response);

/* execute */
scannerToTest.loadApiDefinitions(contextId);

/* test */
verify(clientApiFacade, never()).importOpenApiFile(any(), any(), any());
verify(clientApiFacade, never()).importOpenApiDefintionFromUrl(any(), any(), any());
}

@ParameterizedTest
Expand All @@ -380,7 +381,7 @@ void import_openapi_file_api_facade_is_called_once(String sechubConfigFile) thro
SecHubWebScanConfiguration sechubWebScanConfig = SecHubScanConfiguration.createFromJSON(json).getWebScan().get();

List<File> apiFiles = new ArrayList<>();
apiFiles.add(new File("examplefile.json"));
apiFiles.add(new File("openapi3.json"));

when(scanContext.getApiDefinitionFiles()).thenReturn(apiFiles);
when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubWebScanConfig);
Expand All @@ -395,6 +396,52 @@ void import_openapi_file_api_facade_is_called_once(String sechubConfigFile) thro
verify(clientApiFacade, times(1)).importOpenApiFile(any(), any(), any());
}

@ParameterizedTest
@ValueSource(strings = { "src/test/resources/sechub-config-examples/no-auth-with-openapi-from-url.json" })
void import_openapi_defintion_from_url_api_facade_is_called_once(String sechubConfigFile) throws ClientApiException {
/* prepare */
String contextId = "context-id";
String json = TestFileReader.loadTextFile(sechubConfigFile);
SecHubWebScanConfiguration sechubWebScanConfig = SecHubScanConfiguration.createFromJSON(json).getWebScan().get();
when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubWebScanConfig);

ApiResponse response = mock(ApiResponse.class);
when(clientApiFacade.importOpenApiFile(any(), any(), any())).thenReturn(response);
when(clientApiFacade.importOpenApiDefintionFromUrl(any(), any(), any())).thenReturn(response);

/* execute */
scannerToTest.loadApiDefinitions(contextId);

/* test */
verify(clientApiFacade, never()).importOpenApiFile(any(), any(), any());
verify(clientApiFacade, times(1)).importOpenApiDefintionFromUrl(any(), any(), any());
}

@ParameterizedTest
@ValueSource(strings = { "src/test/resources/sechub-config-examples/no-auth-with-openapi-from-file-and-url.json" })
void import_openapi_from_file_and_from_url_api_facade_is_called_once(String sechubConfigFile) throws ClientApiException {
/* prepare */
String contextId = "context-id";
String json = TestFileReader.loadTextFile(sechubConfigFile);
SecHubWebScanConfiguration sechubWebScanConfig = SecHubScanConfiguration.createFromJSON(json).getWebScan().get();

List<File> apiFiles = new ArrayList<>();
apiFiles.add(new File("openapi3.json"));

when(scanContext.getApiDefinitionFiles()).thenReturn(apiFiles);
when(scanContext.getSecHubWebScanConfiguration()).thenReturn(sechubWebScanConfig);

ApiResponse response = mock(ApiResponse.class);
when(clientApiFacade.importOpenApiFile(any(), any(), any())).thenReturn(response);

/* execute */
scannerToTest.loadApiDefinitions(contextId);

/* test */
verify(clientApiFacade, times(1)).importOpenApiFile(any(), any(), any());
verify(clientApiFacade, times(1)).importOpenApiDefintionFromUrl(any(), any(), any());
}

@Test
void import_client_certificate_file_but_client_certificate_file_is_null_api_facade_is_never_called() throws ClientApiException {
/* prepare */
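Review bot: The two new tests verify only invocation counts with `any()` for all three arguments, so a swap of `apiDefinitionUrl` and `targetUrl` or a wrong `contextId` in `loadApiDefinitions` would still pass; verify at least the URL and context, e.g. `verify(clientApiFacade, times(1)).importOpenApiDefintionFromUrl(eq(new URL("https://example.com/api/v1/swagger/?format=openapi")), any(), eq(contextId));` (the test method then needs `throws Exception` or `MalformedURLException`, and `eq` from `ArgumentMatchers`). The existing test `import_openapi_file_but_api_file_is_null_api_facade_is_never_called` no longer matches its name now that the `getApiDefinitionFiles()` stub was removed — it exercises "no API configuration present", so rename it accordingly (e.g. `import_api_definitions_but_no_api_config_api_facade_is_never_called`). There is also no test for an `openApi` configuration with neither URL nor files, which is the path whose early-return logging the production change removed; the test method bodies around this hunk start and end outside it.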
@@ -0,0 +1,19 @@
{
"apiVersion" : "1.0",
"data" : {
"sources" : [ {
"name" : "open-api-file-reference",
"fileSystem" : {
"files" : [ "openapi3.json" ]
}
} ]
},
"webScan" : {
"url" : "https://localhost:8443",
"api" : {
"type" : "openApi",
"apiDefinitionUrl" : "https://example.com/api/v1/swagger/?format=openapi",
"use" : [ "open-api-file-reference" ]
}
}
}
@@ -0,0 +1,10 @@
{
"apiVersion" : "1.0",
"webScan" : {
"url" : "https://localhost:8443",
"api" : {
"type" : "openApi",
"apiDefinitionUrl" : "https://example.com/api/v1/swagger/?format=openapi"
}
}
}
