I am trying to automate the docker implementation of ZAP proxy to target some of my token based web applications, which use Amazon Cognito for authentication and authorization.
Since the target app needs the token in an Authorization header, in the ZAP Desktop application this can be done through "Authentication" and "HttpSender" scripts, for fetching the token from Cognito and placing it in each HTTP request to the URLs being scanned, respectively.
However, for ZAP Docker, I can send a context file to it using the "-n" flag; the file will also contain a reference to the "Authentication" script that I would create to fetch the token from Cognito. But I do not find a way to bind an "HttpSender" script with the context file, or any flag that takes this file, in the list of options given in the link above.
So, the questions are:
Can I use additional libraries such as the AWS SDK within the Authentication script? How can I pass them to the ZAP Docker container so that the script can reference them at runtime?
Is there a way to send an HttpSender script, or any other way to put the token in each scan request?
Thanks!
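For readers wondering what the "HttpSender" half of the setup actually does, here is an added example of such a script (not code from the original post or from the ZAP project). It adds the bearer token to every request ZAP sends to the target host and withholds it from everything else, and it refuses to replay a token that is about to expire. The host name, the variable name the Authentication script writes, and the token store are assumptions; in ZAP the store would be a global script variable (org.zaproxy.zap.extension.script.ScriptVars), and the `sendingRequest`/`responseReceived` entry points and `getRequestHeader().getHostName()`/`setHeader()` calls are the real ZAP HttpSender script interface. It is written in ES5 so it loads in ZAP's script engines and also runs under Node.

```javascript
// ZAP "HttpSender" script: attach the Cognito bearer token to requests for the
// target host only. Added example for this thread, not from the post or ZAP.
//
// Assumptions (not stated on the page):
//   - TARGET_HOST is the API under test; Cognito lives on a different host.
//   - The Authentication script has already fetched a JWT and stored it under
//     TOKEN_VAR. In ZAP that is a global script variable
//     (ScriptVars.getGlobalVar); here the store is a plain object so the same
//     logic runs under Node.

var TARGET_HOST = "api.example.test";     // assumption: host being scanned
var TOKEN_VAR = "cognito_access_token";   // assumption: variable written by the Authentication script
var REFRESH_SKEW_SECONDS = 60;            // tokens expiring within 60 s count as expired

var tokenStore = {
  vars: {},
  set: function (name, value) { this.vars[name] = value; },
  // In ZAP, replace the body with: return ScriptVars.getGlobalVar(name);
  get: function (name) { return this.vars[name]; }
};

// Minimal base64 decoder: ZAP's script engines have neither atob nor Buffer.
var B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
function base64Decode(s) {
  var out = "", buf = 0, bits = 0;
  for (var i = 0; i < s.length; i++) {
    var c = s.charAt(i);
    if (c === "=") { break; }
    var v = B64.indexOf(c);
    if (v < 0) { throw new Error("invalid base64 character: " + c); }
    buf = (buf << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((buf >> bits) & 0xff);
      buf &= (1 << bits) - 1;
    }
  }
  return out;
}

// Read the JWT payload WITHOUT verifying the signature: the proxy is not the
// token's audience, it only needs `exp` to avoid replaying a stale token.
function jwtPayload(token) {
  var parts = String(token).split(".");
  if (parts.length !== 3) { return null; }
  var b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) { b64 += "="; }
  try { return JSON.parse(base64Decode(b64)); } catch (e) { return null; }
}

function tokenIsUsable(token, nowSeconds) {
  var payload = jwtPayload(token);
  if (!payload || typeof payload.exp !== "number") { return false; }
  return payload.exp - REFRESH_SKEW_SECONDS > nowSeconds;
}

// Authorization value for a request to `host`, or null when the header must
// not be added: off-target hosts never receive the token (a spidered link to
// a third party would otherwise leak it), and an expired token is withheld so
// the 401 shows up in the scan instead of masking a dead credential.
function authorizationFor(host, token, nowSeconds) {
  if (String(host || "").toLowerCase() !== TARGET_HOST) { return null; }
  if (!tokenIsUsable(token, nowSeconds)) { return null; }
  return "Bearer " + token;
}

// ZAP entry points. `msg` is an HttpMessage; the header calls are the real
// ZAP API, the token lookup is the assumption described above.
function sendingRequest(msg, initiator, helper) {
  var header = msg.getRequestHeader();
  var value = authorizationFor(header.getHostName(), tokenStore.get(TOKEN_VAR),
                               Math.floor(Date.now() / 1000));
  if (value !== null) { header.setHeader("Authorization", value); }
}

function responseReceived(msg, initiator, helper) {
  // Nothing to do on the way back.
}
```

The host check is the part most often forgotten: a scanner follows links wherever they point, and a bearer token sent to an off-target host is a credential leak, not a test finding.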
I have a CLI tool that requires search access, on behalf of the user. I've set up an application on our team's workspace with all of the right scopes and configuration.
However, I am dismayed at how oppressive the OAuth access token process is for CLI tools. Step 1 in their process is to provide a link to a custom web site that has an "Add to Slack" button. This already extends a simple CLI tool into requiring an entire web site, but the button is merely a static URL with parameters about the app and scopes. So far, a static page from Confluence, GitHub, or some other wiki-based project space would be enough.
Step 2 is where the user grants access to the application through their browser. However, Step 3 is where the action redirects to a special, dynamic page that requires access to take a special code, and translate it into an actual usable token for the user to plug into the CLI configuration. This extra step requires a special web page that Slack does not provide to do the translation, instead of just handing a token directly to the user.
Even worse, the API call requires secret client_id and client_secret parameters that would be plain as day in a shared or open-source CLI tool. (Despite the API documentation saying otherwise, both of these parameters are actually required.)
For example, Slackcat requires a one-page special web site expressly for the purposes of fielding OAuth requests. This is a web page that cannot be opened to the public because it would reveal the secret parameters. Unfortunately, Slackcat does not have the right scope levels I need, so I can't just borrow its web site for token generation.
Is there a better way to sidestep this process and allow a simple CLI tool to just get the right user access token it needs?
OAuth2 is fundamentally built around web browsers. The entire point is to allow the user's web browser to be redirected to the OAuth2 provider's website for password entry, so that the user's credentials are never visible to you or pass through any infrastructure you control.
This necessarily involves spawning a browser and sending it to a site you control to begin the OAuth2 flow by setting up state and redirecting the user to the OAuth2 provider, and then completing the OAuth2 flow by handling the redirect back from the OAuth2 provider and performing the code/token exchange. You can't do any of this with a static site; you need a web service.
Is there a better way to sidestep this process and allow a simple CLI tool to just get the right user access token it needs?
No. If there were, it would be a vulnerability in OAuth2 that should be fixed, not exploited to bypass the entire point of OAuth2.
I have set up a release pipeline to automatically deploy an API artefact to a particular domain, and as part of that pipeline I have introduced the execution of a Postman collection via the Newman CLI; the ultimate goal I want to achieve with this is a post-deployment "integration test".
My API is secured using Identity Server 4 and there is a client created that uses the grant type "authorisation_code".
I am able to manually create an access token through the "Get New Access Token" feature of Postman, but there doesn't seem to be a way to get a new token when running through the collection runner. Nor can I find a way to do this via the Newman CLI, thus these test responses come back as "401".
Does anybody know of a way to retrieve an authorisation code / access token within postman pre-request scripts or a way to ensure that an access token is requested when running through the collection runner or via Newman CLI?
BTW I don't mind supplying test creds through an environment file.
I'm setting up a docker registry using the container provided in the official documentation.
I set up token authentication for the registry and I would like to consume the catalog API, e.g. for listing repositories, but I would like to restrict it at the user level.
Therefore, when an authenticated user calls myregistry.com/v2/_catalog, it will get as part of the response body just the repositories where he has access.
Is there any middleware mechanism that can be easily implemented within the current docker registry version?
If not, what is the recommended approach you would suggest in order to fulfil this use case?
My goal is to ask questions of the Jenkins server within a Jenkins-run script (specifically when it's run on a remote agent). I'd like to use a Perl or Python script with the REST API. I'd like to ask data known by the Jenkins server.
In my specific case, I'd like a build-display-name of a most-recent successful build of a different project. I'd like to do this without username/password credentials. I'd expect to be able to use the environment variable JENKINS_SERVER_COOKIE as a credential as a cookie or header as I use the Jenkins REST API for GET-based requests.
Is that possible? If not, what is the environment variable JENKINS_SERVER_COOKIE used for?
Thanks!
JENKINS_SERVER_COOKIE is not used for anything related to the REST API; best to ignore it.
What you request is not currently possible.
I am writing a set of Puppet modules that deploy WSO2 ESB & Identity Service and the API & authentication services we are providing to a client.
For the most part, I have been able to figure out which XML config files I need to update to automatically configure the WSO2 product.
However, I can't work out how to automatically provision an OAuth2 service provider via the config files. I can create and successfully use an OAuth2 service provider through the Identity Service mgmt console, however I'd really rather not have to do that as a manual step when my aim is to configure a set of machines using Puppet to automatically provision an OAuth2 provider.
To confirm, screenshot of the UI below that I am trying to apply settings for via an XML config file, rather than having to do it in the UI:
After some googling, is the correct directory /repository/conf/identity/service-providers?
If so, could somebody point me in the direction of an example where this is used for configuring an OAuth2 service provider?
If not, any more pointers would be gratefully received!
Many thanks
Chris
If you are looking for a configuration file for adding OAuth configuration without the management console UI, you are in the right place. As you specified, you can use the configuration in /repository/conf/service-providers/default.xml.
When you add a service provider, you have to call IdentityApplicationManagementService. You can use IdentityApplicationManagementServiceStub to call IdentityApplicationManagementService. When you add OAuth configuration, you have to call OAuthAdminService. You can use OAuthAdminServiceStub to call OAuthAdminService. After creating the service provider and OAuth configurations separately, you have to bind the service provider with the created OAuth configs.
Note that I would recommend checking the source code of the UI classes which are used to add service providers, OAuth configs and bind those two. Hope this helps.