Add API scanning

Add support for OpenApi, GraphQl, SOAP import URL APIs.
Add authentication support for JWT strategy.
Add API support to Emissary (zap).
Create Cucumber feature file and steps.
Move existing app feature file and steps.
Split Cucumber world into BrowserApp and Api.
Moved percentEncode from browser to strings as Api SUTs also need it.

Author: binarymist

config/config.example.json

@@ -15,7 +15,6 @@
     }
   },
   "cucumber": {
-    "tagExpression": "@app_scan",
     "timeout": 1800000
   },
   "results": {

config/config.js

@@ -219,11 +219,6 @@ const schema = {
       format: String,
       default: 'src/steps'
     },
-    tagExpression: {
-      doc: 'The tag expression without the \'--tag\' to run Cucumber with.',
-      format: String,
-      default: 'not @simple_math'
-    },
     binary: {
       doc: 'The location of the Cucumber binary.',
       format: String,

src/api/app/do/sUt.aPi.js

@@ -29,7 +29,61 @@ class Api extends Sut {
   // ...
 
   #createSchema() {
-    this.#sutSchema = Joi.object({ });
+    this.#sutSchema = Joi.object({
+      sUtType: Joi.string().required().valid('Api'),
+      protocol: Joi.string().required().valid('https', 'http'),
+      ip: Joi.string().hostname().required(),
+      port: Joi.number().port().required(),
+      // eslint-disable-next-line no-underscore-dangle
+      browser: Joi.string().valid(...this.#configSchemaProps.sut._cvtProperties.browser.format).lowercase().default(this.config.get('sut.browser')), // Todo: Remove once selenium containers are removed.
+      loggedInIndicator: Joi.string(),
+      loggedOutIndicator: Joi.string(),
+      context: Joi.object({ // Zap context
+        id: Joi.number().integer().positive(), // Provided by Zap.
+        name: Joi.string().token() // Created in the app.js model.
+      }),
+      userId: Joi.number().integer().positive(), // Provided by Zap.
+      authentication: Joi.object({
+        emissaryAuthenticationStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('MaintainJwt'),
+        route: Joi.string().min(2).regex(/^\/[-?&=\w/]{1,1000}$/)
+      }),
+      testSession: Joi.object({
+        type: Joi.string().valid('appScanner').required(),
+        id: Joi.string().alphanum().required(),
+        attributes: Joi.object({
+          sitesTreePopulationStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('ImportUrls'),
+          spiderStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('Standard'),
+          scannersStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('ApiStandard'),
+          scanningStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('ApiStandard'),
+          postScanningStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('ApiStandard'),
+          reportingStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('Standard'),
+          username: Joi.string().min(2).required(),
+          openApi: Joi.object({
+            importFileContentBase64: Joi.string().base64({ paddingRequired: true }),
+            importUrl: Joi.string().uri({ scheme: ['https', 'http'], domain: { allowUnicode: false } })
+          }).xor('importFileContentBase64', 'importUrl'),
+          soap: Joi.object({
+            importFileContentBase64: Joi.string().base64({ paddingRequired: true }),
+            importUrl: Joi.string().uri({ scheme: ['https', 'http'], domain: { allowUnicode: false } })
+          }).xor('importFileContentBase64', 'importUrl'),
+          graphQl: Joi.object({
+            importFileContentBase64: Joi.string().base64({ paddingRequired: true }),
+            importUrl: Joi.string().uri({ scheme: ['https', 'http'], domain: { allowUnicode: false } }),
+            maxQueryDepth: Joi.number().integer().positive(), // Zaproxy default: 5
+            maxArgsDepth: Joi.number().integer().positive(), // Zaproxy default: 5
+            optionalArgsEnabled: Joi.boolean().default(true), // Zaproxy default: true
+            argsType: Joi.string().valid('INLINE', 'VARIABLES', 'BOTH'), // Zaproxy default: 'BOTH'
+            querySplitType: Joi.string().valid('LEAF', 'ROOT_FIELD', 'OPERATION'), // Zaproxy default: 'LEAF'
+            requestMethod: Joi.string().valid('POST_JSON', 'POST_GRAPHQL', 'GET') // Zaproxy default: 'POST_JSON'
+          }).xor('importFileContentBase64', 'importUrl'),
+          importUrls: Joi.object({ importFileContentBase64: Joi.string().base64({ paddingRequired: true }).required() }),
+          aScannerAttackStrength: Joi.string().valid(...this.#configSchemaProps.sut._cvtProperties.aScannerAttackStrength.format).uppercase().default(this.config.get('sut.aScannerAttackStrength')), // eslint-disable-line no-underscore-dangle
+          aScannerAlertThreshold: Joi.string().valid(...this.#configSchemaProps.sut._cvtProperties.aScannerAlertThreshold.format).uppercase().default(this.config.get('sut.aScannerAlertThreshold')), // eslint-disable-line no-underscore-dangle
+          alertThreshold: Joi.number().integer().min(0).max(1000).default(this.config.get('sut.alertThreshold')),
+          excludedRoutes: Joi.array().items(Joi.string()).default([])
+        }).xor('openApi', 'graphQl', 'soap', 'importUrls')
+      })
+    }).xor('loggedInIndicator', 'loggedOutIndicator');
   }
 
   async #selectStrategies() {
@@ -38,8 +92,6 @@ class Api extends Sut {
 
   async initialise() { // eslint-disable-line class-methods-use-this
     // Todo: Populate as required.
-
-
   }
 
   constructor({ log, publisher, sutProperties }) {
@@ -57,49 +109,83 @@ class Api extends Sut {
   getSitesTreePopulationStrategy() {
     return {
       ...super.getSitesTreePopulationStrategy(),
-      args: { /* Todo: args specific to the API specific strategy */ }
+      args: {
+        log: this.log,
+        publisher: this.publisher,
+        baseUrl: this.baseUrl(),
+        sutPropertiesSubSet: this.getProperties(['testSession', 'context']),
+        setContextId: (id) => { this.properties.context.id = id; }
+      }
     };
   }
 
   getEmissaryAuthenticationStrategy() {
     return {
       ...super.getEmissaryAuthenticationStrategy(),
-      args: { /* Todo: args specific to the API specific strategy */ }
+      args: {
+        log: this.log,
+        publisher: this.publisher,
+        baseUrl: this.baseUrl(),
+        sutPropertiesSubSet: this.getProperties(['authentication', 'loggedInIndicator', 'loggedOutIndicator', 'testSession', 'context']),
+        setUserId: (id) => { this.properties.userId = id; }
+      }
     };
   }
 
   getSpiderStrategy() {
     return {
       ...super.getSpiderStrategy(),
-      args: { /* Todo: args specific to the API specific strategy */ }
+      args: {
+        publisher: this.publisher,
+        baseUrl: this.baseUrl(),
+        sutPropertiesSubSet: this.getProperties('testSession')
+      }
     };
   }
 
   getScannersStrategy() {
     return {
       ...super.getScannersStrategy(),
-      args: { /* Todo: args specific to the API specific strategy */ }
+      args: {
+        log: this.log,
+        publisher: this.publisher,
+        baseUrl: this.baseUrl(),
+        sutPropertiesSubSet: this.getProperties('testSession')
+      }
     };
   }
 
   getScanningStrategy() {
     return {
       ...super.getScanningStrategy(),
-      args: { /* Todo: args specific to the API specific strategy */ }
+      args: {
+        log: this.log,
+        publisher: this.publisher,
+        baseUrl: this.baseUrl(),
+        sutPropertiesSubSet: this.getProperties(['testSession', 'context', 'userId'])
+      }
     };
   }
 
   getPostScanningStrategy() {
     return {
       ...super.getPostScanningStrategy(),
-      args: { /* Todo: args specific to the API specific strategy */ }
+      args: {
+        publisher: this.publisher,
+        baseUrl: this.baseUrl(),
+        sutPropertiesSubSet: this.getProperties('testSession')
+      }
     };
   }
 
   getReportingStrategy() {
     return {
       ...super.getReportingStrategy(),
-      args: { /* Todo: args specific to the API specific strategy */ }
+      args: {
+        log: this.log,
+        publisher: this.publisher,
+        sutPropertiesSubSet: this.getProperties('testSession')
+      }
     };
   }
 }

src/api/app/do/sUt.browserApp.js

@@ -32,7 +32,7 @@ class BrowserApp extends Sut {
 
   #createSchema() {
     this.#sutSchema = Joi.object({
-      sUtType: Joi.string().required().valid('BrowserApp', 'Api'),
+      sUtType: Joi.string().required().valid('BrowserApp'),
       protocol: Joi.string().required().valid('https', 'http'),
       ip: Joi.string().hostname().required(),
       port: Joi.number().port().required(),
@@ -58,12 +58,12 @@ class BrowserApp extends Sut {
         id: Joi.string().alphanum().required(),
         attributes: Joi.object({
           sitesTreePopulationStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('WebDriverStandard'),
-          spiderStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('BrowserAppStandard'),
+          spiderStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('Standard'),
           scannersStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('BrowserAppStandard'),
-          scanningStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('Standard'),
-          postScanningStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('Standard'),
+          scanningStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('BrowserAppStandard'),
+          postScanningStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('BrowserAppStandard'),
           reportingStrategy: Joi.string().min(2).regex(/^[-\w/]{1,200}$/).default('Standard'),
-          username: Joi.string().min(2),
+          username: Joi.string().min(2).required(),
           password: Joi.string().min(2),
           aScannerAttackStrength: Joi.string().valid(...this.#configSchemaProps.sut._cvtProperties.aScannerAttackStrength.format).uppercase().default(this.config.get('sut.aScannerAttackStrength')), // eslint-disable-line no-underscore-dangle
           aScannerAlertThreshold: Joi.string().valid(...this.#configSchemaProps.sut._cvtProperties.aScannerAlertThreshold.format).uppercase().default(this.config.get('sut.aScannerAlertThreshold')), // eslint-disable-line no-underscore-dangle
@@ -90,7 +90,7 @@ class BrowserApp extends Sut {
           submit: Joi.string().min(2).regex(/^[a-z0-9_-]+/i)
         })
       }))
-    });
+    }).xor('loggedInIndicator', 'loggedOutIndicator');
   }
 
   #selectStrategies() {
@@ -158,7 +158,8 @@ class BrowserApp extends Sut {
         publisher: this.publisher,
         baseUrl: this.baseUrl(),
         browser,
-        sutPropertiesSubSet: this.getProperties(['testSession', 'testRoutes'])
+        sutPropertiesSubSet: this.getProperties(['testSession', 'context', 'testRoutes']),
+        setContextId: (id) => { this.properties.context.id = id; }
       }
     };
   }
@@ -170,9 +171,7 @@ class BrowserApp extends Sut {
         log: this.log,
         publisher: this.publisher,
         baseUrl: this.baseUrl(),
-        browser,
-        sutPropertiesSubSet: this.getProperties(['authentication', 'loggedInIndicator', 'loggedOutIndicator', 'excludeFromContext', 'testSession', 'context']),
-        setContextId: (id) => { this.properties.context.id = id; },
+        sutPropertiesSubSet: this.getProperties(['authentication', 'loggedInIndicator', 'loggedOutIndicator', 'testSession', 'context']),
         setUserId: (id) => { this.properties.userId = id; }
       }
     };

src/api/app/models/app.js

@@ -84,12 +84,12 @@ class App {
     const testSessions = testJob.included.filter((resourceObject) => resourceObject.type === 'appScanner');
 
     this.#sessionsProps = testSessions.map((sesh) => ({
-      testRoutes,
+      ...(testRoutes.length > 0 ? { testRoutes } : {/* No test routes in API schema */}),
       sUtType: testJob.data.type,
       protocol: testJob.data.attributes.sutProtocol,
       ip: testJob.data.attributes.sutIp,
       port: testJob.data.attributes.sutPort,
-      browser: testJob.data.attributes.browser,
+      browser: testJob.data.attributes.browser || 'chrome', // Todo: Needs removing for API, along with selenium containers.
       loggedInIndicator: testJob.data.attributes.loggedInIndicator,
       loggedOutIndicator: testJob.data.attributes.loggedOutIndicator,
       context: { name: `${sesh.id}_Context` },
@@ -140,8 +140,8 @@ class App {
   }
 
 
-  async testPlan(testJob) { // eslint-disable-line no-unused-vars
-    const cucumberArgs = this.#createCucumberArgs({});
+  async testPlan(testJob) {
+    const cucumberArgs = this.#createCucumberArgs({ sessionProps: { sUtType: testJob.data.type } });
     const cucumberCliInstance = new cucumber.Cli({
       argv: ['node', ...cucumberArgs],
       cwd: process.cwd(),
@@ -157,7 +157,7 @@ class App {
   }
 
   // Receiving appEmissaryPort and seleniumPort are only essential if running in cloud environment.
-  #createCucumberArgs({ sessionProps = {}, emissaryHost = this.#emissary.hostname, seleniumContainerName = '', appEmissaryPort = this.#emissary.port, seleniumPort = 4444 }) {
+  #createCucumberArgs({ sessionProps, emissaryHost = this.#emissary.hostname, seleniumContainerName = '', appEmissaryPort = this.#emissary.port, seleniumPort = 4444 }) {
     this.#log.debug(`seleniumContainerName is: ${seleniumContainerName}`, { tags: ['app'] });
     const emissaryProperties = {
       hostname: emissaryHost,
@@ -184,16 +184,16 @@ class App {
 
     const cucumberArgs = [
       this.#cucumber.binary,
-      this.#cucumber.features,
+      `${this.#cucumber.features}/${sessionProps.sUtType}`,
       '--require',
-      this.#cucumber.steps,
+      `${this.#cucumber.steps}/${sessionProps.sUtType}`,
       /* '--exit', */
       `--format=message:${this.#results.dir}result_appScannerId-${sessionProps.testSession ? sessionProps.testSession.id : 'noSessionPropsAvailable'}_${this.#strings.NowAsFileName('-')}.NDJSON`,
       /* Todo: Provide ability for Build User to pass flag to disable colours */
       '--format-options',
       '{"colorsEnabled": true}',
       '--tags',
-      this.#cucumber.tagExpression,
+      sessionProps.sUtType === 'BrowserApp' ? '@app_scan' : '@api_scan',
       '--world-parameters',
       parameters
     ];

src/clients/browser.js

@@ -129,8 +129,6 @@ const checkAndNotifyBuildUserIfAnyKnownBrowserErrors = async (testSessionId) =>
   }
 };
 
-const percentEncode = (str) => str.split('').map((char) => `%${char.charCodeAt(0).toString(16).toUpperCase()}`).reduce((accum, cV) => `${accum}${cV}`, '');
-
 module.exports = {
   findElementThenClick,
   findElementThenClear,
@@ -145,6 +143,5 @@ module.exports = {
   },
   getWebDriver() {
     return internals.driver;
-  },
-  percentEncode
+  }
 };