Merge pull request #5 from tlenaic/Logged_Out_Indicator
Closes JENKINS-43483
JordanGS committed Apr 11, 2017
2 parents 9ac47a6 + 3a4b707 commit 1228df1
Showing 3 changed files with 34 additions and 10 deletions.
38 changes: 28 additions & 10 deletions src/main/java/org/jenkinsci/plugins/zap/ZAPDriver.java
Expand Up @@ -153,7 +153,7 @@ public ZAPDriver(boolean autoInstall, String toolUsed, String zapHome, String jd
String zapSettingsDir,
boolean autoLoadSession, String loadSession, String sessionFilename, boolean removeExternalSites, String internalSites,
String contextName, String includedURL, String excludedURL,
boolean authMode, String username, String password, String loggedInIndicator, String authMethod,
boolean authMode, String username, String password, String loggedInIndicator, String loggedOutIndicator, String authMethod,
String loginURL, String usernameParameter, String passwordParameter, String extraPostData,
String authScript, List<ZAPAuthScriptParam> authScriptParams,
String targetURL,
Expand Down Expand Up @@ -196,6 +196,7 @@ public ZAPDriver(boolean autoInstall, String toolUsed, String zapHome, String jd
this.username = username;
this.password = password;
this.loggedInIndicator = loggedInIndicator;
this.loggedOutIndicator = loggedOutIndicator;
this.authMethod = authMethod;

/* Session Properties >> Form-Based Authentication */
Expand Down Expand Up @@ -315,6 +316,7 @@ public String toString() {
s += "authMode [" + authMode + "]\n";
s += "username [" + username + "]\n";
s += "loggedInIndicator [" + loggedInIndicator + "]\n";
s += "loggedOutIndicator [" + loggedOutIndicator + "]\n";
s += "authMethod [" + authMethod + "]\n";
s += "Session Properties >> Form-Based Authentication\n";
s += "loginURL [" + loginURL + "]\n";
Expand Down Expand Up @@ -1158,8 +1160,8 @@ public boolean executeZAP(BuildListener listener, FilePath workspace) {
Utils.loggerMessage(listener, 0, "[{0}] AUTHENTICATION MODE [ {1} ]", Utils.ZAP, this.authMethod.toUpperCase());
Utils.lineBreak(listener);
/* SETUP AUTHENICATION */
if (this.authMode) if (this.authMethod.equals(FORM_BASED)) this.userId = setUpAuthentication(listener, clientApi, this.contextId, this.loginURL, this.username, this.password, this.loggedInIndicator, this.extraPostData, this.authMethod, this.usernameParameter, this.passwordParameter, null, null);
else if (this.authMethod.equals(SCRIPT_BASED)) this.userId = setUpAuthentication(listener, clientApi, this.contextId, this.loginURL, this.username, this.password, this.loggedInIndicator, this.extraPostData, this.authMethod, null, null, this.authScript, this.authScriptParams);
if (this.authMode) if (this.authMethod.equals(FORM_BASED)) this.userId = setUpAuthentication(listener, clientApi, this.contextId, this.loginURL, this.username, this.password, this.loggedInIndicator, this.loggedOutIndicator, this.extraPostData, this.authMethod, this.usernameParameter, this.passwordParameter, null, null);
else if (this.authMethod.equals(SCRIPT_BASED)) this.userId = setUpAuthentication(listener, clientApi, this.contextId, this.loginURL, this.username, this.password, this.loggedInIndicator, this.loggedOutIndicator, this.extraPostData, this.authMethod, null, null, this.authScript, this.authScriptParams);

/* SETUP ATTACK MODES */
Utils.lineBreak(listener);
Expand Down Expand Up @@ -1392,6 +1394,8 @@ private String setUpContext(BuildListener listener, ClientApi clientApi, String
* of type String: loging page URL.
* @param loggedInIndicator
* of type String: indicator to signify that a user is logged in.
* @param loggedOutIndicator
* of type String: indicator to signify that a user is logged out.
* @param extraPostData
* of type String: other post data (other than credentials).
* @param usernameParameter
Expand All @@ -1401,7 +1405,7 @@ private String setUpContext(BuildListener listener, ClientApi clientApi, String
* @throws ClientApiException
* @throws UnsupportedEncodingException
*/
private void setUpFormBasedAuth(BuildListener listener, ClientApi clientApi, String contextId, String loginURL, String loggedInIndicator, String extraPostData, String usernameParameter, String passwordParameter) throws ClientApiException, UnsupportedEncodingException {
private void setUpFormBasedAuth(BuildListener listener, ClientApi clientApi, String contextId, String loginURL, String loggedInIndicator, String loggedOutIndicator, String extraPostData, String usernameParameter, String passwordParameter) throws ClientApiException, UnsupportedEncodingException {

String loginRequestData = usernameParameter + "={%username%}&" + passwordParameter + "={%password%}";
if (extraPostData.length() > 0) loginRequestData = loginRequestData + "&" + extraPostData;
Expand Down Expand Up @@ -1441,8 +1445,11 @@ private void setUpFormBasedAuth(BuildListener listener, ClientApi clientApi, Str
Utils.loggerMessage(listener, 1, "{0}", tmp);

Utils.loggerMessage(listener, 1, "loggedInIndicator = {0}", loggedInIndicator);

if (!loggedInIndicator.equals("")) clientApi.authentication.setLoggedInIndicator(contextId, loggedInIndicator); /* Add the logged in indicator */

Utils.loggerMessage(listener, 1, "loggedOutIndicator = {0}", loggedOutIndicator);
if (!loggedOutIndicator.equals("")) clientApi.authentication.setLoggedOutIndicator(contextId, loggedOutIndicator); /* Add the logged out indicator */

Utils.lineBreak(listener);
}

Expand All @@ -1461,14 +1468,16 @@ private void setUpFormBasedAuth(BuildListener listener, ClientApi clientApi, Str
* of type String: loging page URL.
* @param loggedInIndicator
* of type String: indicator to signify that a user is logged in.
* @param loggedOutIndicator
* of type String: indicator to signify that a user is logged out.
* @param extraPostData
* of type String: other post data (other than credentials).
* @param scriptName
* of type String: the name of the authentication script used to authenticate the user.
* @throws UnsupportedEncodingException
* @throws ClientApiException
*/
private void setUpScriptBasedAuth(BuildListener listener, ClientApi clientApi, ArrayList<ZAPAuthScriptParam> authScriptParams, String contextId, String loginURL, String loggedInIndicator, String extraPostData, String scriptName) throws UnsupportedEncodingException, ClientApiException {
private void setUpScriptBasedAuth(BuildListener listener, ClientApi clientApi, ArrayList<ZAPAuthScriptParam> authScriptParams, String contextId, String loginURL, String loggedInIndicator, String loggedOutIndicator, String extraPostData, String scriptName) throws UnsupportedEncodingException, ClientApiException {

/* Prepare the configuration in a format similar to how URL parameters are formed. This means that any value we add for the configuration values has to be URL encoded. */
StringBuilder scriptBasedConfig = new StringBuilder();
Expand Down Expand Up @@ -1507,8 +1516,11 @@ private void setUpScriptBasedAuth(BuildListener listener, ClientApi clientApi, A
Utils.loggerMessage(listener, 1, "{0}", tmp);

Utils.loggerMessage(listener, 1, "loggedInIndicator = {0}", loggedInIndicator);

if (!loggedInIndicator.equals("")) clientApi.authentication.setLoggedInIndicator(contextId, loggedInIndicator); /* Add the logged in indicator */

Utils.loggerMessage(listener, 1, "loggedOutIndicator = {0}", loggedOutIndicator);
if (!loggedOutIndicator.equals(""))clientApi.authentication.setLoggedOutIndicator(contextId, loggedOutIndicator); /* Add the logged out indicator */

Utils.lineBreak(listener);
}

Expand Down Expand Up @@ -1660,6 +1672,8 @@ private void setUpForcedUser(BuildListener listener, ClientApi clientApi, String
* of type String: password for the authentication user.
* @param loggedInIndicator
* of type String: indicator to signify that a user is logged in.
* @param loggedOutIndicator
* of type String: indicator to signify that a user is logged Out.
* @param extraPostData
* of type String: other post data (other than credentials).
* @param authMethod
Expand All @@ -1676,9 +1690,9 @@ private void setUpForcedUser(BuildListener listener, ClientApi clientApi, String
* @throws ClientApiException
* @throws UnsupportedEncodingException
*/
private String setUpAuthentication(BuildListener listener, ClientApi clientApi, String contextId, String loginURL, String username, String password, String loggedInIndicator, String extraPostData, String authMethod, String usernameParameter, String passwordParameter, String scriptName, ArrayList<ZAPAuthScriptParam> authScriptParams) throws ClientApiException, UnsupportedEncodingException {
if (authMethod.equals(FORM_BASED)) setUpFormBasedAuth(listener, clientApi, contextId, loginURL, loggedInIndicator, extraPostData, usernameParameter, passwordParameter);
else if (authMethod.equals(SCRIPT_BASED)) setUpScriptBasedAuth(listener, clientApi, authScriptParams, contextId, loginURL, loggedInIndicator, extraPostData, scriptName);
private String setUpAuthentication(BuildListener listener, ClientApi clientApi, String contextId, String loginURL, String username, String password, String loggedInIndicator, String loggedOutIndicator, String extraPostData, String authMethod, String usernameParameter, String passwordParameter, String scriptName, ArrayList<ZAPAuthScriptParam> authScriptParams) throws ClientApiException, UnsupportedEncodingException {
if (authMethod.equals(FORM_BASED)) setUpFormBasedAuth(listener, clientApi, contextId, loginURL, loggedInIndicator, loggedOutIndicator, extraPostData, usernameParameter, passwordParameter);
else if (authMethod.equals(SCRIPT_BASED)) setUpScriptBasedAuth(listener, clientApi, authScriptParams, contextId, loginURL, loggedInIndicator, loggedOutIndicator, extraPostData, scriptName);

return setUpUser(listener, clientApi, contextId, username, password);
}
Expand Down Expand Up @@ -2740,6 +2754,10 @@ private void getAvailableFormats(ZAPDriverDescriptorImpl zapDriver) {

public String getLoggedInIndicator() { return loggedInIndicator; }

private final String loggedOutIndicator; /* Logged out indication. */

public String getLoggedOutIndicator() { return loggedOutIndicator; }

private final String authMethod; /* the authentication method type (FORM_BASED or SCRIPT_BASED). */

public String getAuthMethod() { return authMethod; }
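Review bot: The new guards `if (!loggedOutIndicator.equals(""))` in setUpFormBasedAuth and setUpScriptBasedAuth dereference the indicator before testing it, and unlike loggedInIndicator (whose form entry carries `clazz="required"`) this field is optional, so a null value — presumably for a job whose persisted configuration predates the field, since the `final` field would be restored without the constructor running — would throw a NullPointerException during authentication setup instead of skipping the indicator. A null-safe check at both sites, `if (loggedOutIndicator != null && !loggedOutIndicator.isEmpty()) clientApi.authentication.setLoggedOutIndicator(contextId, loggedOutIndicator); /* optional: skip when unset */`, preserves the intended optional behaviour; whether the preceding `Utils.loggerMessage` call tolerates a null argument is not visible here and is worth confirming. Two smaller points: the script-based copy lacks the space between `)` and `clientApi`, and the new Javadoc on setUpAuthentication reads "logged Out" where the other two read "logged out". Both helpers, executeZAP and the constructor start and end outside their hunks.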
Expand Up @@ -128,6 +128,9 @@ SOFTWARE.
<f:entry title="${%Logged in Indicator}" field="loggedInIndicator">
<f:textbox clazz="required" />
</f:entry>
<f:entry title="${%Logged out Indicator}" field="loggedOutIndicator">
<f:textbox />
</f:entry>

<f:entry title="------------------------------------------------------------"></f:entry>
<f:radioBlock title="${%Form-based Authentication}" name="authMethod" value="FORM_BASED" checked="${instance == null || instance.isAuthMethod('FORM_BASED')}" inline="true">
@@ -0,0 +1,3 @@
The Logged out indicator, when present in a response message (either the header or the body), signifies that the response message corresponds to an unauthenticated request.</br></br>
e.g. presence of a 'login link'</br></br><hr/></br>
Indicator should be a Regex in the form of: .*\Qlogin\E.*
