Merge pull request #3058 from mercedes-benz/feature-1483-make-browser…

…-of-ajaxspider-configurable

Make browser to use during ajax scan configurable #1483

sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/CommandLineSettings.java

@@ -6,6 +6,7 @@
 import java.nio.file.Paths;
 
 import com.beust.jcommander.Parameter;
+import com.mercedesbenz.sechub.zapwrapper.config.ZAPAcceptedBrowserId;
 import com.mercedesbenz.sechub.zapwrapper.util.EnvironmentVariableConstants;
 import com.mercedesbenz.sechub.zapwrapper.util.FileUtilities;
 
@@ -53,6 +54,15 @@ public boolean isAjaxSpiderEnabled() {
         return ajaxSpiderEnabled;
     }
 
+    @Parameter(names = { "--ajaxSpiderBrowserId" }, description = "Set the browser id you want to use for the AjaxSpider module. "
+            + "Make sure the browser you want to use is installed on the system the scan is running. "
+            + "Supported browser are: [firefox-headless, firefox, chrome-headless, chrome, htmlunit, safari].", required = false, validateWith = ZAPAcceptedBrowserIdValidator.class)
+    private String ajaxSpiderBrowserId = ZAPAcceptedBrowserId.FIREFOX_HEADLESS.getBrowserId();
+
+    public String getAjaxSpiderBrowserId() {
+        return ajaxSpiderBrowserId;
+    }
+
     @Parameter(names = { "--activeScan" }, description = "Set this option to enable Zap active scan.", required = false)
     private boolean activeScanEnabled;
 

sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/cli/ZAPAcceptedBrowserIdValidator.java

@@ -0,0 +1,27 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.zapwrapper.cli;
+
+import com.beust.jcommander.IParameterValidator;
+import com.beust.jcommander.ParameterException;
+import com.mercedesbenz.sechub.zapwrapper.config.ZAPAcceptedBrowserId;
+
+public class ZAPAcceptedBrowserIdValidator implements IParameterValidator {
+
+    @Override
+    public void validate(String name, String value) throws ParameterException {
+        if (value == null) {
+            throw new ParameterException("Specified browser id was null, only following browser ids are accepted: " + ZAPAcceptedBrowserId.values());
+        }
+        boolean isValid = false;
+        for (ZAPAcceptedBrowserId browserId : ZAPAcceptedBrowserId.values()) {
+            if (browserId.getBrowserId().equals(value)) {
+                isValid = true;
+                break;
+            }
+        }
+        if (!isValid) {
+            throw new ParameterException("Specified browser id was " + value + ", only follwing browser ids are accepted: " + ZAPAcceptedBrowserId.values());
+        }
+    }
+
+}

sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/BrowserId.java → sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZAPAcceptedBrowserId.java

@@ -1,20 +1,30 @@
 // SPDX-License-Identifier: MIT
 package com.mercedesbenz.sechub.zapwrapper.config;
 
-public enum BrowserId {
+public enum ZAPAcceptedBrowserId {
 
     FIREFOX_HEADLESS("firefox-headless"),
 
+    FIREFOX("firefox"),
+
+    CHROME_HEADLESS("chrome-headless"),
+
+    CHROME("chrome"),
+
+    HTMLUNIT("htmlunit"),
+
+    SAFARI("safari"),
+
     ;
 
     private String browserId;
 
-    private BrowserId(String browserId) {
+    private ZAPAcceptedBrowserId(String browserId) {
         this.browserId = browserId;
     }
 
     public String getBrowserId() {
         return browserId;
     }
 
-}
+}

sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContext.java

@@ -61,6 +61,7 @@ public class ZapScanContext {
 
     private File clientCertificateFile;
     private Map<String, File> headerValueFiles;
+    private String ajaxSpiderBrowserId;
 
     private ZapScanContext() {
     }
@@ -176,6 +177,10 @@ public Map<String, File> getHeaderValueFiles() {
         return Collections.unmodifiableMap(headerValueFiles);
     }
 
+    public String getAjaxSpiderBrowserId() {
+        return ajaxSpiderBrowserId;
+    }
+
     public static ZapScanContextBuilder builder() {
         return new ZapScanContextBuilder();
     }
@@ -225,6 +230,8 @@ public static class ZapScanContextBuilder {
 
         private Map<String, File> headerValueFiles = new HashMap<>();
 
+        private String ajaxSpiderBrowserId;
+
         public ZapScanContextBuilder setServerConfig(ZapServerConfiguration serverConfig) {
             this.serverConfig = serverConfig;
             return this;
@@ -340,6 +347,11 @@ public ZapScanContextBuilder addHeaderValueFiles(Map<String, File> headerValueFi
             return this;
         }
 
+        public ZapScanContextBuilder setAjaxSpiderBrowserId(String ajaxSpiderBrowserId) {
+            this.ajaxSpiderBrowserId = ajaxSpiderBrowserId;
+            return this;
+        }
+
         public ZapScanContext build() {
             ZapScanContext zapScanConfiguration = new ZapScanContext();
             zapScanConfiguration.serverConfig = this.serverConfig;
@@ -378,8 +390,9 @@ public ZapScanContext build() {
 
             zapScanConfiguration.headerValueFiles = this.headerValueFiles;
 
+            zapScanConfiguration.ajaxSpiderBrowserId = this.ajaxSpiderBrowserId;
+
             return zapScanConfiguration;
         }
-
     }
 }

sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/config/ZapScanContextFactory.java

@@ -103,6 +103,7 @@ public ZapScanContext create(CommandLineSettings settings) {
 												.setReportFile(settings.getReportFile())
 												.setContextName(contextName)
 												.setAjaxSpiderEnabled(settings.isAjaxSpiderEnabled())
+												.setAjaxSpiderBrowserId(settings.getAjaxSpiderBrowserId())
 												.setActiveScanEnabled(settings.isActiveScanEnabled())
 												.setServerConfig(serverConfig)
 												.setAuthenticationType(authType)

sechub-wrapper-owasp-zap/src/main/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScanner.java

@@ -28,7 +28,6 @@
 import com.mercedesbenz.sechub.commons.model.login.WebLoginConfiguration;
 import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode;
 import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException;
-import com.mercedesbenz.sechub.zapwrapper.config.BrowserId;
 import com.mercedesbenz.sechub.zapwrapper.config.ProxyInformation;
 import com.mercedesbenz.sechub.zapwrapper.config.ZapScanContext;
 import com.mercedesbenz.sechub.zapwrapper.config.auth.SessionManagementType;
@@ -138,7 +137,7 @@ void setupStandardConfiguration() throws ClientApiException {
 
         LOG.info("Set browser for ajaxSpider.");
         // use firefox in headless mode by default
-        clientApiFacade.configureAjaxSpiderBrowserId(BrowserId.FIREFOX_HEADLESS.getBrowserId());
+        clientApiFacade.configureAjaxSpiderBrowserId(scanContext.getAjaxSpiderBrowserId());
     }
 
     void deactivateRules(ZapFullRuleset fullRuleset, DeactivatedRuleReferences deactivatedRuleReferences) throws ClientApiException {

sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/cli/ZAPAcceptedBrowserIdValidatorTest.java

@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.zapwrapper.cli;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.EnumSource;
+import org.junit.jupiter.params.provider.NullSource;
+import org.junit.jupiter.params.provider.ValueSource;
+
+import com.beust.jcommander.ParameterException;
+import com.mercedesbenz.sechub.zapwrapper.config.ZAPAcceptedBrowserId;
+
+class ZAPAcceptedBrowserIdValidatorTest {
+
+    private ZAPAcceptedBrowserIdValidator validatorToTest = new ZAPAcceptedBrowserIdValidator();
+
+    @ParameterizedTest
+    @NullSource
+    @ValueSource(strings = { "1", "invalid", "FIREFOX-HEADLESS" })
+    void invalid_values_throw_an_parameter_exception(String browserId) {
+        /* execute + test */
+        assertThrows(ParameterException.class, () -> validatorToTest.validate(null, browserId));
+    }
+
+    @ParameterizedTest
+    @EnumSource(ZAPAcceptedBrowserId.class)
+    void all_valid_browser_ids_are_accepted(ZAPAcceptedBrowserId browserId) {
+        /* execute + test */
+        assertDoesNotThrow(() -> validatorToTest.validate(null, browserId.getBrowserId()));
+    }
+
+}

sechub-wrapper-owasp-zap/src/test/java/com/mercedesbenz/sechub/zapwrapper/scan/ZapScannerTest.java

@@ -1,18 +1,9 @@
 // SPDX-License-Identifier: MIT
 package com.mercedesbenz.sechub.zapwrapper.scan;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.Mockito.atLeast;
-import static org.mockito.Mockito.doCallRealMethod;
-import static org.mockito.Mockito.doNothing;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.ArgumentMatchers.*;
+import static org.mockito.Mockito.*;
 
 import java.io.File;
 import java.net.MalformedURLException;
@@ -45,6 +36,7 @@
 import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperExitCode;
 import com.mercedesbenz.sechub.zapwrapper.cli.ZapWrapperRuntimeException;
 import com.mercedesbenz.sechub.zapwrapper.config.ProxyInformation;
+import com.mercedesbenz.sechub.zapwrapper.config.ZAPAcceptedBrowserId;
 import com.mercedesbenz.sechub.zapwrapper.config.ZapScanContext;
 import com.mercedesbenz.sechub.zapwrapper.config.auth.AuthenticationType;
 import com.mercedesbenz.sechub.zapwrapper.config.auth.SessionManagementType;
@@ -88,6 +80,7 @@ void beforeEach() {
         when(scanContext.getContextName()).thenReturn(contextName);
         when(scanContext.getZapProductMessageHelper()).thenReturn(helper);
         when(scanContext.getZapPDSEventHandler()).thenReturn(zapPDSEventHandler);
+        when(scanContext.getAjaxSpiderBrowserId()).thenReturn(ZAPAcceptedBrowserId.FIREFOX_HEADLESS.getBrowserId());
 
         doNothing().when(helper).writeProductError(any());
         doNothing().when(helper).writeProductMessages(any());
@@ -105,7 +98,7 @@ void setup_standard_configuration_results_in_expected_calls() throws ClientApiEx
         when(clientApiFacade.configureMaximumAlertsForEachRule("0")).thenReturn(null);
         when(clientApiFacade.enableAllPassiveScannerRules()).thenReturn(null);
         when(clientApiFacade.enableAllActiveScannerRulesForPolicy(null)).thenReturn(null);
-        when(clientApiFacade.configureAjaxSpiderBrowserId("firefox-headless")).thenReturn(null);
+        when(clientApiFacade.configureAjaxSpiderBrowserId(ZAPAcceptedBrowserId.FIREFOX_HEADLESS.getBrowserId())).thenReturn(null);
 
         /* execute */
         scannerToTest.setupStandardConfiguration();
@@ -115,7 +108,7 @@ void setup_standard_configuration_results_in_expected_calls() throws ClientApiEx
         verify(clientApiFacade, times(1)).configureMaximumAlertsForEachRule("0");
         verify(clientApiFacade, times(1)).enableAllPassiveScannerRules();
         verify(clientApiFacade, times(1)).enableAllActiveScannerRulesForPolicy(null);
-        verify(clientApiFacade, times(1)).configureAjaxSpiderBrowserId("firefox-headless");
+        verify(clientApiFacade, times(1)).configureAjaxSpiderBrowserId(ZAPAcceptedBrowserId.FIREFOX_HEADLESS.getBrowserId());
     }
 
     @Test