From e726afaf55f17431f94c6eff1d7c4f0edd76ede1 Mon Sep 17 00:00:00 2001
From: Robert Seedorff
Date: Mon, 20 Sep 2021 21:45:03 +0200
Subject: [PATCH] Adding missing zap-advanced scripts again #656
Bugfixing zap authentication script.
Signed-off-by: Robert Seedorff
---
 scanners/zap-advanced/.helmignore | 8 +++++++-
 .../scb-oidc-password-grand-type.js | 4 ++--
 .../scanner/zapclient/context/zap_context.py | 18 +++++-------------
 3 files changed, 14 insertions(+), 16 deletions(-)
diff --git a/scanners/zap-advanced/.helmignore b/scanners/zap-advanced/.helmignore
index fb9c1d2d6f..34db6cdbc3 100644
--- a/scanners/zap-advanced/.helmignore
+++ b/scanners/zap-advanced/.helmignore
@@ -33,7 +33,13 @@ Dockerfile
 .dockerignore
 *.tar
 parser/*
-scanner/*
+# this doesn't look too good but is required so that the scanners/scripts folder is included
+scanner/*.*
+scanner/zapclient/
+scanner/tests/
+scanner/venv/
+scanner/.pytest_cache/
+scanner/.idea/
 integration-tests/*
 examples/*
 docs/*
diff --git a/scanners/zap-advanced/scanner/scripts/authentication/scb-oidc-password-grand-type.js b/scanners/zap-advanced/scanner/scripts/authentication/scb-oidc-password-grand-type.js
index 49b9b48b86..969dcef19f 100644
--- a/scanners/zap-advanced/scanner/scripts/authentication/scb-oidc-password-grand-type.js
+++ b/scanners/zap-advanced/scanner/scripts/authentication/scb-oidc-password-grand-type.js
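Review bot: The comment on the first added line names `scanners/scripts`, but the directory the new rules are keeping is `scanner/scripts` (the path of the next file in this patch), which will mislead the next person editing this list; suggest `# required so that scanner/scripts/ is packaged into the chart: every other scanner/ entry is excluded explicitly because scanner/* would drop the scripts too`. The six new patterns are a deny-list of the currently known siblings, so anything created later under `scanner/` that is not listed (a build or cache directory such as `scanner/__pycache__/`, presumably) would end up packaged in the chart as well. A second comment stating that this list has to be extended whenever a new directory appears next to `scanner/scripts/` would make that maintenance obligation explicit.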
@@ -21,8 +21,8 @@ var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeade
 *
 * - Authentication method: ScriptBased Authentication
 * - Login FORM target URL: https://$keycloak-url/auth/realms/$app/protocol/openid-connect/token
- * - Username Parameter: your-username-to-get-tokens
- * - Password Parameter: your-password-to-get-tokens
+ * - username parameter: your-username-to-get-tokens
+ * - password parameter: your-password-to-get-tokens
 * - Logged out regex: ".*Credentials are required to access this resource.*"
 *
 * NOTE: Any message sent in the function should be obtained using the 'helper.prepareMessage()'
diff --git a/scanners/zap-advanced/scanner/zapclient/context/zap_context.py b/scanners/zap-advanced/scanner/zapclient/context/zap_context.py
index 8589fb6e2f..98676f0501 100644
--- a/scanners/zap-advanced/scanner/zapclient/context/zap_context.py
+++ b/scanners/zap-advanced/scanner/zapclient/context/zap_context.py
@@ -179,19 +179,11 @@ def _configure_context_create_user(self, user: collections.OrderedDict, auth_typ
 userid=user_id,
 name=user_name)
- # TODO: Open a new issue at ZAP GitHub: Why (or) is this difference (camelCase vs. pascalCase) here really necessary?
- if auth_type == "script-based":
- self.get_zap.users.set_authentication_credentials(
- contextid=context_id,
- userid=user_id,
- authcredentialsconfigparams='Username=' + user_name + '&Password=' + user_password)
- self.get_zap.users.set_user_enabled(contextid=context_id, userid=user_id, enabled=True)
- else:
- self.get_zap.users.set_authentication_credentials(
- contextid=context_id,
- userid=user_id,
- authcredentialsconfigparams='username=' + user_name + '&password=' + user_password)
- self.get_zap.users.set_user_enabled(contextid=context_id, userid=user_id, enabled=True)
+ self.get_zap.users.set_authentication_credentials(
+ contextid=context_id,
+ userid=user_id,
+ authcredentialsconfigparams='username=' + user_name + '&password=' + user_password)
+ self.get_zap.users.set_user_enabled(contextid=context_id, userid=user_id, enabled=True)
 if ("forced" in user and user["forced"]):
 logging.debug("Configuring a forced user '%s' with id, for context(%s)'", user_id, context_id)
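Review bot: The new `authcredentialsconfigparams=` line builds the credential string by plain concatenation, so a `user_name` or `user_password` containing `&` or `=` corrupts the key/value pairs ZAP parses on its side and can inject an extra parameter; encode the values instead, `authcredentialsconfigparams=urllib.parse.urlencode({"username": user_name, "password": user_password})`, with `import urllib.parse` added to the module imports. With the `auth_type` branch removed, `auth_type` is no longer referenced anywhere in this hunk; unless it is used in the rest of `_configure_context_create_user`, which starts before the hunk, it has become an unused parameter and should either be dropped or carry a comment saying why callers still pass it. The deleted TODO was the only record of why two key spellings existed, so a one-line comment above the call recording why a single lowercase `username`/`password` pair now serves every `auth_type` would keep that knowledge in the code.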