diff --git a/addOns/dev/CHANGELOG.md b/addOns/dev/CHANGELOG.md
index 8e3364fb27c..5d60a3783f3 100644
--- a/addOns/dev/CHANGELOG.md
+++ b/addOns/dev/CHANGELOG.md
@@ -12,6 +12,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Update minimum ZAP version to 2.13.0.
+- Added TestAuthDirectory abstract class to reduce duplicated code.
 ## [0.2.0] - 2023-05-09
diff --git a/addOns/dev/src/main/java/org/zaproxy/addon/dev/TestAuthDirectory.java b/addOns/dev/src/main/java/org/zaproxy/addon/dev/TestAuthDirectory.java
new file mode 100644
index 00000000000..20e9076fb9d
--- /dev/null
+++ b/addOns/dev/src/main/java/org/zaproxy/addon/dev/TestAuthDirectory.java
@@ -0,0 +1,55 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2023 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.dev;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+import org.apache.commons.lang.RandomStringUtils;
+
+/** A test directory which uses authentication. */
+public abstract class TestAuthDirectory extends TestDirectory {
+
+ // These are test credentials, so hardcoding them is fine ;)
+ private static final String[][] USERS = {{"test@test.com", "password123"}};
+
+ private Map sessions = new HashMap<>();
+
+ public TestAuthDirectory(TestProxyServer server, String name) {
+ super(server, name);
+ }
+
+ public boolean isValid(String username, String password) {
+ return Arrays.stream(USERS)
+ .filter(c -> (c[0].equals(username) && c[1].equals(password)))
+ .findAny()
+ .isPresent();
+ }
+
+ public String getToken(String username) {
+ String token = RandomStringUtils.randomAlphanumeric(32);
+ sessions.put(token, username);
+ return token;
+ }
+
+ public String getUser(String token) {
+ return sessions.get(token);
+ }
+}
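Review bot: `sessions` is a plain `HashMap` that `getToken` writes and `getUser` reads with no synchronization on either path; if `TestProxyServer` serves requests on more than one thread (not visible in this hunk), a login racing a verification request can corrupt the map or miss a just-issued token, and `private final Map<String, String> sessions = new ConcurrentHashMap<>();` removes that with no other change (the field shows here as a raw `Map`, which may be an artefact of the rendering). `RandomStringUtils.randomAlphanumeric(32)` in `getToken` draws from `java.util.Random` rather than `SecureRandom`, so the tokens are predictable; that is fine for a test fixture, but it deserves the same explicit comment the credentials already carry, e.g. `// Test-only session token: not SecureRandom-backed, never copy this into real code.` Now that these helpers are shared by every auth test directory, a short Javadoc on `isValid`, `getToken` and `getUser` stating that tokens are held only in memory and never expire or get revoked would help the next subclass author.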
diff --git a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/jsonMultipleCookies/JsonMultipleCookiesDir.java b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/jsonMultipleCookies/JsonMultipleCookiesDir.java
index fffb2a7ab31..14482988308 100644
--- a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/jsonMultipleCookies/JsonMultipleCookiesDir.java
+++ b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/jsonMultipleCookies/JsonMultipleCookiesDir.java
@@ -19,23 +19,17 @@
 */
 package org.zaproxy.addon.dev.auth.jsonMultipleCookies;
-import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
 import org.apache.commons.lang.RandomStringUtils;
-import org.zaproxy.addon.dev.TestDirectory;
+import org.zaproxy.addon.dev.TestAuthDirectory;
 import org.zaproxy.addon.dev.TestProxyServer;
 /**
 * A login page which uses one JSON request to login endpoint. The token is returned in a standard
 * field but is submitted with the "Bearer" prefix and in a cookie.
 */
-public class JsonMultipleCookiesDir extends TestDirectory {
-
- // These are test credentials, so hardcoding them is fine ;)
- private static final String[][] USERS = {{"test@test.com", "password123"}};
-
- private Map sessions = new HashMap<>();
+public class JsonMultipleCookiesDir extends TestAuthDirectory {
 private Map tempTokens = new HashMap<>();
@@ -46,29 +40,12 @@ public JsonMultipleCookiesDir(TestProxyServer server, String name) {
 this.addPage(new JsonMultipleCookiesVerificationPage(server));
 }
- public boolean isValid(String username, String password) {
- return Arrays.stream(USERS)
- .filter(c -> (c[0].equals(username) && c[1].equals(password)))
- .findAny()
- .isPresent();
- }
-
- public String getToken(String username) {
- String token = RandomStringUtils.randomAlphanumeric(32);
- sessions.put(token, username);
- return token;
- }
-
 public String getTempToken(String username) {
 String token = RandomStringUtils.randomAlphanumeric(32);
 tempTokens.put(token, username);
 return token;
 }
- public String getUser(String token) {
- return sessions.get(token);
- }
-
 public String getTempUser(String token) {
 return tempTokens.get(token);
 }
diff --git a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/nonStdJsonBearer/NonStdJsonBearerDir.java b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/nonStdJsonBearer/NonStdJsonBearerDir.java
index fc935a625e1..5298ea1080e 100644
--- a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/nonStdJsonBearer/NonStdJsonBearerDir.java
+++ b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/nonStdJsonBearer/NonStdJsonBearerDir.java
@@ -19,44 +19,18 @@ */ package org.zaproxy.addon.dev.auth.nonStdJsonBearer; -import java.util.Arrays; -import java.util.HashMap; -import java.util.Map; -import org.apache.commons.lang.RandomStringUtils; -import org.zaproxy.addon.dev.TestDirectory; +import org.zaproxy.addon.dev.TestAuthDirectory; import org.zaproxy.addon.dev.TestProxyServer; /** * A login page which uses one JSON request to login endpoint. The token is returned in a non * standard JSON field. */ -public class NonStdJsonBearerDir extends TestDirectory { - - // These are test credentials, so hardcoding them is fine ;) - private static final String[][] USERS = {{"test@test.com", "password123"}}; - - private Map sessions = new HashMap<>(); +public class NonStdJsonBearerDir extends TestAuthDirectory { public NonStdJsonBearerDir(TestProxyServer server, String name) { super(server, name); this.addPage(new NonStdJsonBearerLoginPage(server)); this.addPage(new NonStdJsonBearerVerificationPage(server)); } - - public boolean isValid(String username, String password) { - return Arrays.stream(USERS) - .filter(c -> (c[0].equals(username) && c[1].equals(password))) - .findAny() - .isPresent(); - } - - public String getToken(String username) { - String token = RandomStringUtils.randomAlphanumeric(32); - sessions.put(token, username); - return token; - } - - public String getUser(String token) { - return sessions.get(token); - } } diff --git a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passswordAddedNoSubmit/PasswordAddedNoSubmitDir.java b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passswordAddedNoSubmit/PasswordAddedNoSubmitDir.java index a2f524b492c..cbe3f24ac78 100644 --- a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passswordAddedNoSubmit/PasswordAddedNoSubmitDir.java +++ b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passswordAddedNoSubmit/PasswordAddedNoSubmitDir.java 
@@ -19,44 +19,18 @@ */ package org.zaproxy.addon.dev.auth.passswordAddedNoSubmit; -import java.util.Arrays; -import java.util.HashMap; -import java.util.Map; -import org.apache.commons.lang.RandomStringUtils; -import org.zaproxy.addon.dev.TestDirectory; +import org.zaproxy.addon.dev.TestAuthDirectory; import org.zaproxy.addon.dev.TestProxyServer; /** * A login page which uses one JSON request to login endpoint. The token is returned in a standard * field. The submit key does not work so buttons have to be pressed. */ -public class PasswordAddedNoSubmitDir extends TestDirectory { - - // These are test credentials, so hardcoding them is fine ;) - private static final String[][] USERS = {{"test@test.com", "password123"}}; - - private Map sessions = new HashMap<>(); +public class PasswordAddedNoSubmitDir extends TestAuthDirectory { public PasswordAddedNoSubmitDir(TestProxyServer server, String name) { super(server, name); this.addPage(new PasswordAddedNoSubmitLoginPage(server)); this.addPage(new PasswordAddedNoSubmitVerificationPage(server)); } - - public boolean isValid(String username, String password) { - return Arrays.stream(USERS) - .filter(c -> (c[0].equals(username) && c[1].equals(password))) - .findAny() - .isPresent(); - } - - public String getToken(String username) { - String token = RandomStringUtils.randomAlphanumeric(32); - sessions.put(token, username); - return token; - } - - public String getUser(String token) { - return sessions.get(token); - } } diff --git a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passwordAddedJson/PasswordAddedJsonDir.java b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passwordAddedJson/PasswordAddedJsonDir.java index 3dd4b529704..52ec1bffa49 100644 --- a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passwordAddedJson/PasswordAddedJsonDir.java +++ b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passwordAddedJson/PasswordAddedJsonDir.java 
@@ -19,44 +19,18 @@ */ package org.zaproxy.addon.dev.auth.passwordAddedJson; -import java.util.Arrays; -import java.util.HashMap; -import java.util.Map; -import org.apache.commons.lang.RandomStringUtils; -import org.zaproxy.addon.dev.TestDirectory; +import org.zaproxy.addon.dev.TestAuthDirectory; import org.zaproxy.addon.dev.TestProxyServer; /** * A login page which uses one JSON request to login endpoint. The token is returned in a standard * field. */ -public class PasswordAddedJsonDir extends TestDirectory { - - // These are test credentials, so hardcoding them is fine ;) - private static final String[][] USERS = {{"test@test.com", "password123"}}; - - private Map sessions = new HashMap<>(); +public class PasswordAddedJsonDir extends TestAuthDirectory { public PasswordAddedJsonDir(TestProxyServer server, String name) { super(server, name); this.addPage(new PasswordAddedJsonLoginPage(server)); this.addPage(new PasswordAddedJsonVerificationPage(server)); } - - public boolean isValid(String username, String password) { - return Arrays.stream(USERS) - .filter(c -> (c[0].equals(username) && c[1].equals(password))) - .findAny() - .isPresent(); - } - - public String getToken(String username) { - String token = RandomStringUtils.randomAlphanumeric(32); - sessions.put(token, username); - return token; - } - - public String getUser(String token) { - return sessions.get(token); - } } diff --git a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passwordHiddenJson/PasswordHiddenJsonDir.java b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passwordHiddenJson/PasswordHiddenJsonDir.java index 32be7daa54c..63b05627665 100644 --- a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passwordHiddenJson/PasswordHiddenJsonDir.java +++ b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passwordHiddenJson/PasswordHiddenJsonDir.java 
@@ -19,44 +19,18 @@ */ package org.zaproxy.addon.dev.auth.passwordHiddenJson; -import java.util.Arrays; -import java.util.HashMap; -import java.util.Map; -import org.apache.commons.lang.RandomStringUtils; -import org.zaproxy.addon.dev.TestDirectory; +import org.zaproxy.addon.dev.TestAuthDirectory; import org.zaproxy.addon.dev.TestProxyServer; /** * A login page which uses one JSON request to login endpoint. The token is returned in a standard * field. */ -public class PasswordHiddenJsonDir extends TestDirectory { - - // These are test credentials, so hardcoding them is fine ;) - private static final String[][] USERS = {{"test@test.com", "password123"}}; - - private Map sessions = new HashMap<>(); +public class PasswordHiddenJsonDir extends TestAuthDirectory { public PasswordHiddenJsonDir(TestProxyServer server, String name) { super(server, name); this.addPage(new PasswordHiddenJsonLoginPage(server)); this.addPage(new PasswordHiddenJsonVerificationPage(server)); } - - public boolean isValid(String username, String password) { - return Arrays.stream(USERS) - .filter(c -> (c[0].equals(username) && c[1].equals(password))) - .findAny() - .isPresent(); - } - - public String getToken(String username) { - String token = RandomStringUtils.randomAlphanumeric(32); - sessions.put(token, username); - return token; - } - - public String getUser(String token) { - return sessions.get(token); - } } diff --git a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passwordNewPage/PasswordNewPageDir.java b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passwordNewPage/PasswordNewPageDir.java index 23a1bfb308f..396f98189f8 100644 --- a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passwordNewPage/PasswordNewPageDir.java +++ b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/passwordNewPage/PasswordNewPageDir.java 
@@ -19,23 +19,14 @@ */ package org.zaproxy.addon.dev.auth.passwordNewPage; -import java.util.Arrays; -import java.util.HashMap; -import java.util.Map; -import org.apache.commons.lang.RandomStringUtils; -import org.zaproxy.addon.dev.TestDirectory; +import org.zaproxy.addon.dev.TestAuthDirectory; import org.zaproxy.addon.dev.TestProxyServer; /** * A login page which uses one JSON request to login endpoint. The token is returned in a standard * field. */ -public class PasswordNewPageDir extends TestDirectory { - - // These are test credentials, so hardcoding them is fine ;) - private static final String[][] USERS = {{"test@test.com", "password123"}}; - - private Map sessions = new HashMap<>(); +public class PasswordNewPageDir extends TestAuthDirectory { public PasswordNewPageDir(TestProxyServer server, String name) { super(server, name); @@ -43,21 +34,4 @@ public PasswordNewPageDir(TestProxyServer server, String name) { this.addPage(new PasswordNewPageNextPage(server)); this.addPage(new PasswordNewPageVerificationPage(server)); } - - public boolean isValid(String username, String password) { - return Arrays.stream(USERS) - .filter(c -> (c[0].equals(username) && c[1].equals(password))) - .findAny() - .isPresent(); - } - - public String getToken(String username) { - String token = RandomStringUtils.randomAlphanumeric(32); - sessions.put(token, username); - return token; - } - - public String getUser(String token) { - return sessions.get(token); - } } diff --git a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJson/SimpleJsonDir.java b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJson/SimpleJsonDir.java index be1fa82c22e..a9502992893 100644 --- a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJson/SimpleJsonDir.java +++ b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJson/SimpleJsonDir.java 
@@ -19,44 +19,18 @@ */ package org.zaproxy.addon.dev.auth.simpleJson; -import java.util.Arrays; -import java.util.HashMap; -import java.util.Map; -import org.apache.commons.lang.RandomStringUtils; -import org.zaproxy.addon.dev.TestDirectory; +import org.zaproxy.addon.dev.TestAuthDirectory; import org.zaproxy.addon.dev.TestProxyServer; /** * A login page which uses one JSON request to login endpoint. The token is returned in a standard * field. */ -public class SimpleJsonDir extends TestDirectory { - - // These are test credentials, so hardcoding them is fine ;) - private static final String[][] USERS = {{"test@test.com", "password123"}}; - - private Map sessions = new HashMap<>(); +public class SimpleJsonDir extends TestAuthDirectory { public SimpleJsonDir(TestProxyServer server, String name) { super(server, name); this.addPage(new SimpleJsonLoginPage(server)); this.addPage(new SimpleJsonVerificationPage(server)); } - - public boolean isValid(String username, String password) { - return Arrays.stream(USERS) - .filter(c -> (c[0].equals(username) && c[1].equals(password))) - .findAny() - .isPresent(); - } - - public String getToken(String username) { - String token = RandomStringUtils.randomAlphanumeric(32); - sessions.put(token, username); - return token; - } - - public String getUser(String token) { - return sessions.get(token); - } } diff --git a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJsonBearer/SimpleJsonBearerDir.java b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJsonBearer/SimpleJsonBearerDir.java index da0145da039..8e654f91f00 100644 --- a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJsonBearer/SimpleJsonBearerDir.java +++ b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJsonBearer/SimpleJsonBearerDir.java 
@@ -19,44 +19,18 @@ */ package org.zaproxy.addon.dev.auth.simpleJsonBearer; -import java.util.Arrays; -import java.util.HashMap; -import java.util.Map; -import org.apache.commons.lang.RandomStringUtils; -import org.zaproxy.addon.dev.TestDirectory; +import org.zaproxy.addon.dev.TestAuthDirectory; import org.zaproxy.addon.dev.TestProxyServer; /** * A login page which uses one JSON request to login endpoint. The token is returned in a standard * field but is submitted with the "Bearer" prefix. */ -public class SimpleJsonBearerDir extends TestDirectory { - - // These are test credentials, so hardcoding them is fine ;) - private static final String[][] USERS = {{"test@test.com", "password123"}}; - - private Map sessions = new HashMap<>(); +public class SimpleJsonBearerDir extends TestAuthDirectory { public SimpleJsonBearerDir(TestProxyServer server, String name) { super(server, name); this.addPage(new SimpleJsonBearerLoginPage(server)); this.addPage(new SimpleJsonBearerVerificationPage(server)); } - - public boolean isValid(String username, String password) { - return Arrays.stream(USERS) - .filter(c -> (c[0].equals(username) && c[1].equals(password))) - .findAny() - .isPresent(); - } - - public String getToken(String username) { - String token = RandomStringUtils.randomAlphanumeric(32); - sessions.put(token, username); - return token; - } - - public String getUser(String token) { - return sessions.get(token); - } } diff --git a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJsonBearerCookie/SimpleJsonBearerCookieDir.java b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJsonBearerCookie/SimpleJsonBearerCookieDir.java index 3568cc9c4c0..e7e73a0b02a 100644 --- a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJsonBearerCookie/SimpleJsonBearerCookieDir.java +++ b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJsonBearerCookie/SimpleJsonBearerCookieDir.java 
@@ -19,44 +19,18 @@ */ package org.zaproxy.addon.dev.auth.simpleJsonBearerCookie; -import java.util.Arrays; -import java.util.HashMap; -import java.util.Map; -import org.apache.commons.lang.RandomStringUtils; -import org.zaproxy.addon.dev.TestDirectory; +import org.zaproxy.addon.dev.TestAuthDirectory; import org.zaproxy.addon.dev.TestProxyServer; /** * A login page which uses one JSON request to login endpoint. The token is returned in a standard * field but is submitted with the "Bearer" prefix and in a cookie. */ -public class SimpleJsonBearerCookieDir extends TestDirectory { - - // These are test credentials, so hardcoding them is fine ;) - private static final String[][] USERS = {{"test@test.com", "password123"}}; - - private Map sessions = new HashMap<>(); +public class SimpleJsonBearerCookieDir extends TestAuthDirectory { public SimpleJsonBearerCookieDir(TestProxyServer server, String name) { super(server, name); this.addPage(new SimpleJsonBearerCookieLoginPage(server)); this.addPage(new SimpleJsonBearerCookieVerificationPage(server)); } - - public boolean isValid(String username, String password) { - return Arrays.stream(USERS) - .filter(c -> (c[0].equals(username) && c[1].equals(password))) - .findAny() - .isPresent(); - } - - public String getToken(String username) { - String token = RandomStringUtils.randomAlphanumeric(32); - sessions.put(token, username); - return token; - } - - public String getUser(String token) { - return sessions.get(token); - } } diff --git a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJsonCookie/SimpleJsonCookieDir.java b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJsonCookie/SimpleJsonCookieDir.java index 649f1bae674..b9e77bc9b89 100644 --- a/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJsonCookie/SimpleJsonCookieDir.java +++ b/addOns/dev/src/main/java/org/zaproxy/addon/dev/auth/simpleJsonCookie/SimpleJsonCookieDir.java 
@@ -19,44 +19,18 @@ */ package org.zaproxy.addon.dev.auth.simpleJsonCookie; -import java.util.Arrays; -import java.util.HashMap; -import java.util.Map; -import org.apache.commons.lang.RandomStringUtils; -import org.zaproxy.addon.dev.TestDirectory; +import org.zaproxy.addon.dev.TestAuthDirectory; import org.zaproxy.addon.dev.TestProxyServer; /** * A login page which uses one JSON request to login endpoint. The token is returned in a standard * field but is submitted with the "Bearer" prefix and in a cookie. */ -public class SimpleJsonCookieDir extends TestDirectory { - - // These are test credentials, so hardcoding them is fine ;) - private static final String[][] USERS = {{"test@test.com", "password123"}}; - - private Map sessions = new HashMap<>(); +public class SimpleJsonCookieDir extends TestAuthDirectory { public SimpleJsonCookieDir(TestProxyServer server, String name) { super(server, name); this.addPage(new SimpleJsonCookieLoginPage(server)); this.addPage(new SimpleJsonCookieVerificationPage(server)); } - - public boolean isValid(String username, String password) { - return Arrays.stream(USERS) - .filter(c -> (c[0].equals(username) && c[1].equals(password))) - .findAny() - .isPresent(); - } - - public String getToken(String username) { - String token = RandomStringUtils.randomAlphanumeric(32); - sessions.put(token, username); - return token; - } - - public String getUser(String token) { - return sessions.get(token); - } }