AuthorizationAPI.java

/*
 * Zed Attack Proxy (ZAP) and its related class files.
 * 
 * ZAP is an HTTP/HTTPS proxy for assessing web application security.
 * 
 * Copyright 2013 The ZAP Development Team
 * 
 * Licensed under the Apache License, Version 2.0 (the "License"); 
 * you may not use this file except in compliance with the License. 
 * You may obtain a copy of the License at 
 * 
 *   http://www.apache.org/licenses/LICENSE-2.0 
 *   
 * Unless required by applicable law or agreed to in writing, software 
 * distributed under the License is distributed on an "AS IS" BASIS, 
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
 * See the License for the specific language governing permissions and 
 * limitations under the License. 
 */
package org.zaproxy.zap.extension.authorization;

import net.sf.json.JSONObject;

import org.apache.log4j.Logger;
import org.zaproxy.zap.extension.api.ApiAction;
import org.zaproxy.zap.extension.api.ApiException;
import org.zaproxy.zap.extension.api.ApiException.Type;
import org.zaproxy.zap.extension.api.ApiImplementor;
import org.zaproxy.zap.extension.api.ApiResponse;
import org.zaproxy.zap.extension.api.ApiResponseElement;
import org.zaproxy.zap.extension.api.ApiView;
import org.zaproxy.zap.extension.authorization.BasicAuthorizationDetectionMethod.LogicalOperator;
import org.zaproxy.zap.model.Context;
import org.zaproxy.zap.utils.ApiUtils;

/**
 * The API for managing the Authorization for a Context.
 */
public class AuthorizationAPI extends ApiImplementor {

	private static final Logger log = Logger.getLogger(AuthorizationAPI.class);

	private static final String PREFIX = "authorization";

	private static final String VIEW_GET_AUTHORIZATION_METHOD = "getAuthorizationDetectionMethod";

	private static final String ACTION_SET_AUTHORIZATION_METHOD = "setBasicAuthorizationDetectionMethod";

	public static final String PARAM_CONTEXT_ID = "contextId";
	public static final String PARAM_HEADER_REGEX = "headerRegex";
	public static final String PARAM_BODY_REGEX = "bodyRegex";
	public static final String PARAM_STATUS_CODE = "statusCode";
	public static final String PARAM_LOGICAL_OPERATOR = "logicalOperator";
	public static final String RESPONSE_TYPE = "methodType";
	public static final String RESPONSE_TAG = "authorizationDetectionMethod";

	public AuthorizationAPI() {
		super();

		this.addApiView(new ApiView(VIEW_GET_AUTHORIZATION_METHOD, new String[] { PARAM_CONTEXT_ID }));

		this.addApiAction(new ApiAction(ACTION_SET_AUTHORIZATION_METHOD, new String[] { PARAM_CONTEXT_ID },
				new String[] { PARAM_HEADER_REGEX, PARAM_BODY_REGEX, PARAM_STATUS_CODE,
						PARAM_LOGICAL_OPERATOR }));
	}

	@Override
	public ApiResponse handleApiView(String name, JSONObject params) throws ApiException {
		log.debug("handleApiView " + name + " " + params.toString());

		switch (name) {
		case VIEW_GET_AUTHORIZATION_METHOD:
			Context context = ApiUtils.getContextByParamId(params, PARAM_CONTEXT_ID);
			return new ApiResponseElement(context.getAuthorizationDetectionMethod().getApiResponseRepresentation());
		default:
			throw new ApiException(Type.BAD_VIEW);
		}
	}

	@Override
	public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
		log.debug("handleApiAction " + name + " " + params.toString());
		Context context;
		switch (name) {
		case ACTION_SET_AUTHORIZATION_METHOD:
			context = ApiUtils.getContextByParamId(params, PARAM_CONTEXT_ID);

			String headerRegex = params.optString(PARAM_HEADER_REGEX, null);
			String bodyRegex = params.optString(PARAM_BODY_REGEX, null);

			LogicalOperator logicalOperator = ApiUtils.getOptionalEnumParam(params, PARAM_LOGICAL_OPERATOR,
					LogicalOperator.class);
			if (logicalOperator == null) {
				logicalOperator = LogicalOperator.AND;
			}

			int statusCode = params.optInt(PARAM_STATUS_CODE,
					BasicAuthorizationDetectionMethod.NO_STATUS_CODE);

			if (log.isDebugEnabled()) {
				log.debug(String.format("Setting basic authorization detection to: %s / %s / %d / %s",
						headerRegex, bodyRegex, statusCode, logicalOperator));
			}

			BasicAuthorizationDetectionMethod method = new BasicAuthorizationDetectionMethod(statusCode,
					headerRegex, bodyRegex, logicalOperator);
			context.setAuthorizationDetectionMethod(method);

			return ApiResponseElement.OK;
		default:
			throw new ApiException(Type.BAD_ACTION);
		}
	}

	@Override
	public String getPrefix() {
		return PREFIX;
	}
}