Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature 3611 zap wrapper webscan template login #3622

Open
wants to merge 6 commits into
base: develop
Choose a base branch
from
Open

Feature 3611 zap wrapper webscan template login #3622

wants to merge 6 commits into from

Conversation

winzj
Copy link
Member

@winzj winzj commented Nov 18, 2024

@winzj
Add encodingType to totp config #3611
b7d49a8 
- add entry to openapi.yaml
- add field with default
- extend unit tests
- extend examples, documentation and RestDocTest
@winzj
Update totp generator and add seed decoding #3611
7d60008 
- add decoder with autodetect method and unit testcases
- add seed to totp generator and change signature
- update unit testcases
@winzj
Refactoring of usage
6d990f9
@winzj
Implement script login via template handling with some dummy data #3611
f19d26b 
- add parts for script execution with session management
- add script authentication to ZapScanner
- add necessary dependencies to gradle files
- add configuration option via commandline parameter and ENV variable
@winzj winzj marked this pull request as draft November 18, 2024 08:21
@winzj winzj changed the title Feature 3611 webscan template login Feature 3611 zap wrapper webscan template login Nov 18, 2024
@winzj
add groovy example to README.adoc and improve TOTP usability #3611
d0755f5 
- add groovy script example to README.adoc
- add short explanations
- add method to TOTPGenerator to generate a currently valid TOTP
- update examples
@winzj
Remove static mock parts in tests and create new mocks for each test #…
a29183b 
…3622
@winzj winzj marked this pull request as ready for review November 19, 2024 06:51
@winzj winzj requested a review from de-jcup November 19, 2024 06:51
de-jcup
de-jcup requested changes Nov 21, 2024
View reviewed changes
Copy link
Member

@de-jcup de-jcup left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good job! I found still some parts which should be changed.

If the changes are too big (e.g. refactoring of client wrapper, to use only dedicated values (e.g. booleans, integers ) etc.
feel free to create a new issue to handle this later.

...ub-commons-model/src/main/java/com/mercedesbenz/sechub/commons/model/login/EncodingType.java Show resolved Hide resolved
sechub-doc/src/docs/asciidoc/documents/shared/configuration/sechub_config.adoc Show resolved Hide resolved
sechub-doc/src/docs/asciidoc/documents/shared/configuration/sechub_config.adoc Show resolved Hide resolved
sechub-wrapper-owasp-zap/README.adoc Show resolved Hide resolved
sechub-wrapper-owasp-zap/README.adoc Show resolved Hide resolved
...b-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/util/TOTPGenerator.java
private String hashAlgorithmName;
private int totpLength;
private int tokenValidityTimeInSeconds;
private long digitsTruncate;

public TOTPGenerator() {
this(DEFAULT_TOTP_LENGTH, TOTPHashAlgorithm.HMAC_SHA1, DEFAULT_TOKEN_VALIDITY_TIME_IN_SECONDS);
public TOTPGenerator(String seed) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This constructor is only used inside 2 tests.
Do we really need this one? Or should we create instead a static test helper method inside the tests or something else?

...wasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapPDSEventHandlerTest.java
@Test
void file_does_not_exist_and_so_no_scan_is_cancelled() throws IOException {
/* prepare */
String scanContextName = UUID.randomUUID().toString();
ZapPDSEventHandler zapPDSEventHandler = new ZapPDSEventHandler("");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about a parameterized test and
injecting "" ," " and null as value parameters?

...wasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/helper/ZapPDSEventHandlerTest.java

/* execute + test */
assertFalse(zapPDSEventHandler.isScanCancelled());
assertDoesNotThrow(() -> zapPDSEventHandler.cancelScan(scanContextName));
}

@Test
void file_does_exist_and_so_scan_is_cancelled(@TempDir File tempDir) throws IOException {
void file_does_exist_and_so_scan_is_cancelled(@TempDir Path tempDir) throws IOException {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

whabt about file DOES NOT exist case? should we add an additional test here?

...apper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/util/StringDecoderTest.java
private StringDecoder supportToTest = new StringDecoder();

@Test
void when_secret_key_is_null_an_exception_is_thrown() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if secret key is blank ("", " ") -> is this a valid key?
It is not tested in any test, so i am not sure

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens when encoding type is null, or different? Should this be tested as well?

sechub-wrapper-owasp-zap/README.adoc Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@de-jcup de-jcup de-jcup requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@de-jcup de-jcup

@winzj winzj

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement template login for ZAP wrapper application
2 participants
@winzj @de-jcup