Merge pull request #6142 from kingthorin/authhelper-dedupe
authhelper: Deduplicate the handler used by BBA and CSA
thc202 authored Jan 31, 2025
2 parents 0cff107 + 0c64f16 commit de5ec0a
Showing 3 changed files with 135 additions and 149 deletions.
Expand Up @@ -28,7 +28,6 @@
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.swing.ImageIcon;
import javax.swing.JButton;
Expand All @@ -52,24 +51,21 @@
import org.openqa.selenium.WebDriver;
import org.parosproxy.paros.Constant;
import org.parosproxy.paros.control.Control;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.db.DatabaseException;
import org.parosproxy.paros.db.RecordContext;
import org.parosproxy.paros.extension.ExtensionHook;
import org.parosproxy.paros.model.Model;
import org.parosproxy.paros.model.Session;
import org.parosproxy.paros.model.SiteNode;
import org.parosproxy.paros.network.HttpMessage;
import org.parosproxy.paros.network.HttpRequestHeader;
import org.parosproxy.paros.network.HttpSender;
import org.parosproxy.paros.view.View;
import org.zaproxy.addon.authhelper.internal.AuthenticationStep;
import org.zaproxy.addon.authhelper.internal.AuthenticationStep.ValidationResult;
import org.zaproxy.addon.authhelper.internal.ClientSideHandler;
import org.zaproxy.addon.authhelper.internal.StepsPanel;
import org.zaproxy.addon.network.ExtensionNetwork;
import org.zaproxy.addon.network.internal.client.apachev5.HttpSenderContextApache;
import org.zaproxy.addon.network.server.HttpMessageHandler;
import org.zaproxy.addon.network.server.HttpMessageHandlerContext;
import org.zaproxy.addon.network.server.Server;
import org.zaproxy.zap.authentication.AbstractAuthenticationMethodOptionsPanel;
import org.zaproxy.zap.authentication.AbstractCredentialsOptionsPanel;
Expand Down Expand Up @@ -131,10 +127,7 @@ public class BrowserBasedAuthenticationMethodType extends AuthenticationMethodTy
private int proxyPort;
private Server proxy;

private HttpMessageHandler handler;
private HttpMessage authMsg;
private HttpMessage fallbackMsg;
private int firstHrefId;
private ClientSideHandler handler;

private static List<Server> proxies = new ArrayList<>();

Expand All @@ -149,73 +142,7 @@ public BrowserBasedAuthenticationMethodType(HttpSender httpSender) {
private Server getProxy(Context context) {
if (proxy == null) {
ExtensionNetwork extNet = AuthUtils.getExtension(ExtensionNetwork.class);

handler =
new HttpMessageHandler() {

@Override
public void handleMessage(HttpMessageHandlerContext ctx, HttpMessage msg) {
if (ctx.isFromClient()) {
return;
}

AuthenticationHelper.addAuthMessageToHistory(msg);

if (HttpRequestHeader.POST.equals(msg.getRequestHeader().getMethod())
&& context.isIncluded(
msg.getRequestHeader().getURI().toString())) {
// Record the last in scope POST as a fallback
fallbackMsg = msg;
}

SessionManagementRequestDetails smReqDetails = null;
Map<String, SessionToken> sessionTokens =
AuthUtils.getResponseSessionTokens(msg);
if (!sessionTokens.isEmpty()) {
authMsg = msg;
smReqDetails =
new SessionManagementRequestDetails(
authMsg,
new ArrayList<>(sessionTokens.values()),
Alert.CONFIDENCE_HIGH);
} else {
Set<SessionToken> reqSessionTokens =
AuthUtils.getRequestSessionTokens(msg);
if (!reqSessionTokens.isEmpty()) {
// The request has at least one auth token we missed - try
// to find one of them
for (SessionToken st : reqSessionTokens) {
smReqDetails =
AuthUtils.findSessionTokenSource(
st.getValue(), firstHrefId);
if (smReqDetails != null) {
authMsg = smReqDetails.getMsg();
LOGGER.debug(
"Session token found in href {}",
authMsg.getHistoryRef().getHistoryId());
break;
}
}
}

if (authMsg != null && View.isInitialised()) {
String hrefId = "?";
if (msg.getHistoryRef() != null) {
hrefId = "" + msg.getHistoryRef().getHistoryId();
}
AuthUtils.logUserMessage(
Level.INFO,
Constant.messages.getString(
"authhelper.auth.method.browser.output.sessionid",
hrefId));
}
}
if (firstHrefId == 0 && msg.getHistoryRef() != null) {
firstHrefId = msg.getHistoryRef().getHistoryId();
}
}
};

handler = new ClientSideHandler(context);
proxy = extNet.createHttpProxy(getHttpSender(), handler);
}
return proxy;
Expand Down Expand Up @@ -340,7 +267,7 @@ public WebSession authenticate(
AuthenticationCredentials credentials,
User user)
throws UnsupportedAuthenticationCredentialsException {
authMsg = null;
handler.resetAuthMsg();
if (this.loginPageWait > 0) {
AuthUtils.setTimeToWaitMs(TimeUnit.SECONDS.toMillis(loginPageWait));
}
Expand Down Expand Up @@ -381,7 +308,7 @@ public WebSession authenticate(
authenticationSteps)) {
// Wait until the authentication request is identified
for (int i = 0; i < AuthUtils.getWaitLoopCount(); i++) {
if (authMsg != null) {
if (handler.getAuthMsg() != null) {
break;
}
AuthUtils.sleep(AuthUtils.TIME_TO_SLEEP_IN_MSECS);
Expand All @@ -393,6 +320,7 @@ public WebSession authenticate(
}
}

HttpMessage authMsg = handler.getAuthMsg();
if (authMsg != null) {
// Update the session as it may have changed
for (int i = 0; i < AuthUtils.getWaitLoopCount(); i++) {
Expand Down Expand Up @@ -449,7 +377,7 @@ public WebSession authenticate(
+ "\n");

// We don't expect this to work, but it will prevent some NPEs
return sessionManagementMethod.extractWebSession(fallbackMsg);
return sessionManagementMethod.extractWebSession(handler.getFallbackMsg());
}

@Override
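Review bot: `handler.resetAuthMsg();` at the top of authenticate() dereferences a field that, within this section, is assigned only inside getProxy(context) under `if (proxy == null)`; if nothing earlier in authenticate() or its caller (outside the hunk) has already created the proxy, the first login attempt now throws a NullPointerException where the old `authMsg = null;` field write could not. A guard such as `if (handler != null) { handler.resetAuthMsg(); }`, or moving the reset to just after the getProxy(context) call, removes that risk; authenticate()'s body starts and ends outside the hunk, so the ordering may already be safe there. Separately, the wait loop polls `handler.getAuthMsg()` from the authenticating thread while the proxy thread sets it, and the old plain `authMsg` field had no visibility guarantee either; whether ClientSideHandler marks that state volatile (or otherwise publishes it) is not visible here and is worth confirming, since a missed update only surfaces as the loop timing out. Note also that only authMsg is reset per attempt, so getFallbackMsg() at the end of authenticate() can still return the in-scope POST of an earlier attempt, as it did before this change.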
Expand Up @@ -29,7 +29,6 @@
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import javax.swing.DefaultComboBoxModel;
import javax.swing.JButton;
import javax.swing.JLabel;
Expand All @@ -38,18 +37,16 @@
import org.apache.commons.configuration.Configuration;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.jdesktop.swingx.JXComboBox;
import org.jdesktop.swingx.decorator.FontHighlighter;
import org.jdesktop.swingx.renderer.DefaultListRenderer;
import org.parosproxy.paros.Constant;
import org.parosproxy.paros.control.Control;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.network.HttpMessage;
import org.parosproxy.paros.network.HttpRequestHeader;
import org.parosproxy.paros.view.View;
import org.zaproxy.addon.authhelper.internal.ClientSideHandler;
import org.zaproxy.addon.network.server.HttpMessageHandler;
import org.zaproxy.zap.authentication.AbstractAuthenticationMethodOptionsPanel;
import org.zaproxy.zap.authentication.AuthenticationCredentials;
Expand Down Expand Up @@ -81,75 +78,13 @@ public class ClientScriptBasedAuthenticationMethodType extends ScriptBasedAuthen

private ExtensionScript extensionScript;

private HttpMessageHandler handler;
private HttpMessage authMsg;
private HttpMessage fallbackMsg;
private int firstHrefId;
private ClientSideHandler handler;

public ClientScriptBasedAuthenticationMethodType() {}

private HttpMessageHandler getHandler(Context context) {
if (handler == null) {
handler =
(ctx, msg) -> {
if (ctx.isFromClient()) {
return;
}

AuthenticationHelper.addAuthMessageToHistory(msg);

if (HttpRequestHeader.POST.equals(msg.getRequestHeader().getMethod())
&& context.isIncluded(msg.getRequestHeader().getURI().toString())) {
// Record the last in scope POST as a fallback
fallbackMsg = msg;
}

SessionManagementRequestDetails smReqDetails = null;
Map<String, SessionToken> sessionTokens =
AuthUtils.getResponseSessionTokens(msg);
if (!sessionTokens.isEmpty()) {
authMsg = msg;
smReqDetails =
new SessionManagementRequestDetails(
authMsg,
new ArrayList<>(sessionTokens.values()),
Alert.CONFIDENCE_HIGH);
} else {
Set<SessionToken> reqSessionTokens =
AuthUtils.getRequestSessionTokens(msg);
if (!reqSessionTokens.isEmpty()) {
// The request has at least one auth token we missed - try
// to find one of them
for (SessionToken st : reqSessionTokens) {
smReqDetails =
AuthUtils.findSessionTokenSource(
st.getValue(), firstHrefId);
if (smReqDetails != null) {
authMsg = smReqDetails.getMsg();
LOGGER.debug(
"Session token found in href {}",
authMsg.getHistoryRef().getHistoryId());
break;
}
}
}

if (authMsg != null && View.isInitialised()) {
String hrefId = "?";
if (msg.getHistoryRef() != null) {
hrefId = "" + msg.getHistoryRef().getHistoryId();
}
AuthUtils.logUserMessage(
Level.INFO,
Constant.messages.getString(
"authhelper.auth.method.browser.output.sessionid",
hrefId));
}
}
if (firstHrefId == 0 && msg.getHistoryRef() != null) {
firstHrefId = msg.getHistoryRef().getHistoryId();
}
};
handler = new ClientSideHandler(context);
}
return handler;
}
Expand Down Expand Up @@ -388,12 +323,13 @@ public WebSession authenticate(

// Wait until the authentication request is identified
for (int i = 0; i < AuthUtils.getWaitLoopCount(); i++) {
if (authMsg != null) {
if (handler.getAuthMsg() != null) {
break;
}
AuthUtils.sleep(AuthUtils.TIME_TO_SLEEP_IN_MSECS);
}

HttpMessage authMsg = handler.getAuthMsg();
if (authMsg != null) {
// Update the session as it may have changed
WebSession session = sessionManagementMethod.extractWebSession(authMsg);
Expand All @@ -411,7 +347,7 @@ public WebSession authenticate(
}

// We don't expect this to work, but it will prevent some NPEs
return sessionManagementMethod.extractWebSession(fallbackMsg);
return sessionManagementMethod.extractWebSession(handler.getFallbackMsg());
}

@Override
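Review bot: The wait loop's `if (handler.getAuthMsg() != null)` reads state kept by a handler that getHandler() creates once (`if (handler == null)`) and then reuses for every authenticate() call, and unlike the browser-based type this section shows no `handler.resetAuthMsg();` before the loop; if no reset exists outside the hunk, a second login attempt breaks out of the loop on the previous run's message and `sessionManagementMethod.extractWebSession(authMsg)` extracts a stale session. Adding `handler.resetAuthMsg();` immediately before the loop would make the two types behave the same; authenticate()'s body starts and ends outside the hunk, so the reset may already be there. As a point of style, getHandler() still declares `HttpMessageHandler` as its return type although the field it now returns is a `ClientSideHandler`; narrowing the return type would match the field and drop the only remaining use of that import in this section.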