Add -validation-server and -validation-server-auth params to validate detected endpoints against a running server

Author: tylercamp

src/com/denimgroup/threadfix/cli/endpoints/Credentials.java

@@ -0,0 +1,12 @@
+package com.denimgroup.threadfix.cli.endpoints;
+
+import java.util.Map;
+
+import static com.denimgroup.threadfix.CollectionUtils.map;
+
+public class Credentials {
+    public String authenticationEndpoint;
+    public Map<String, String> parameters = map();
+
+    public Map<String, String> authenticatedParameters = null;
+}

src/com/denimgroup/threadfix/cli/endpoints/EndpointMain.java

@@ -79,6 +79,7 @@ enum Logging {
     static int totalDetectedParameters = 0;
 
     static String testUrlPath = null;
+    static Credentials testCredentials = null;
 
     private static void println(String line) {
         if (printFormat != SIMPLE_JSON && printFormat != FULL_JSON) {
@@ -335,6 +336,25 @@ private static boolean checkArguments(String[] args) {
                 } else if (arg.startsWith("-validation-server=")) {
                     String[] parts = arg.split("=");
                     testUrlPath = parts[1];
+                } else if (arg.startsWith("-validation-server-auth=")) {
+                    arg = arg.substring("-validation-server-auth=".length());
+                    String[] parts = arg.split(";");
+                    testCredentials = new Credentials();
+                    testCredentials.parameters = map();
+
+                    for (String part : parts) {
+                        if (testCredentials.authenticationEndpoint == null) {
+                            testCredentials.authenticationEndpoint = part;
+                        } else {
+                            String[] paramParts = part.split("=");
+                            if (paramParts.length != 2) {
+                                println("Invalid authentication parameter format: " + part);
+                            } else {
+                                testCredentials.parameters.put(paramParts[0], paramParts[1]);
+                            }
+                        }
+                    }
+
                 } else {
                     println("Received unsupported option " + arg + ", valid arguments are -lint, -debug, -simple-json, -json, -path-list-file, and -simple");
                     return false;
@@ -455,11 +475,22 @@ private static List<Endpoint> listEndpoints(File rootFile, Collection<FrameworkT
             println("Failed to validate serialization for at least one of these endpoints");
         }
 
+        //  Run endpoint testing against a given server
         if (testUrlPath != null) {
             EndpointTester tester = new EndpointTester(testUrlPath);
 
             println("Testing endpoints against server at: " + testUrlPath);
 
+            if (testCredentials != null) {
+                try {
+                    if (tester.authorize(testCredentials, null) < 400) {
+                        println("Successfully authenticated");
+                    }
+                } catch (IOException e) {
+                    println("Warning - unable to authorize against server");
+                }
+            }
+
             List<Endpoint> successfulEndpoints = list();
             List<Endpoint> failedEndpoints = list();
             List<Endpoint> allEndpoints = EndpointUtil.flattenWithVariants(endpoints);
@@ -477,13 +508,19 @@ private static List<Endpoint> listEndpoints(File rootFile, Collection<FrameworkT
                 }
 
                 try {
-                    tester.test(endpoint);
-                    successfulEndpoints.add(endpoint);
-                } catch (FileNotFoundException | UnknownHostException e) {
-                    failedEndpoints.add(endpoint);
+                    int responseCode = tester.test(endpoint, testCredentials);
+                    if (responseCode != 404) {
+                        successfulEndpoints.add(endpoint);
+                    } else {
+                        failedEndpoints.add(endpoint);
+                    }
                 } catch (IOException e) {
-                    if (e.getMessage().contains("HTTP")) {
+                    //  Any non-404 error is considered "successful", since any other 4xx or 5xx may indicate
+                    //  that the endpoint exists but incorrect parameters were provided
+                    if (e.getMessage().contains("Server returned HTTP response code") && !e.getMessage().contains("code: 404")) {
                         successfulEndpoints.add(endpoint);
+                    } else {
+                        failedEndpoints.add(endpoint);
                     }
                 }
             }
@@ -493,6 +530,7 @@ private static List<Endpoint> listEndpoints(File rootFile, Collection<FrameworkT
             }
 
             println(successfulEndpoints.size() + "/" + (successfulEndpoints.size() + failedEndpoints.size()) + " endpoints were queryable");
+            println("(" + (allEndpoints.size() - successfulEndpoints.size() - failedEndpoints.size()) + " endpoints skipped since they had a wildcard in the URL)");
         }
 
         int numMissingStartLine = 0;

src/com/denimgroup/threadfix/cli/endpoints/EndpointTester.java

@@ -1,13 +1,21 @@
 package com.denimgroup.threadfix.cli.endpoints;
 
+import com.denimgroup.threadfix.data.entities.RouteParameter;
+import com.denimgroup.threadfix.data.entities.RouteParameterType;
 import com.denimgroup.threadfix.data.interfaces.Endpoint;
 import com.denimgroup.threadfix.framework.util.PathUtil;
 
 import java.io.IOException;
-import java.net.HttpURLConnection;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.net.URLConnection;
+import java.io.OutputStream;
+import java.io.UnsupportedEncodingException;
+import java.net.*;
+import java.nio.charset.StandardCharsets;
+import java.util.List;
+import java.util.Map;
+import java.util.StringJoiner;
+
+import static com.denimgroup.threadfix.CollectionUtils.list;
+import static com.denimgroup.threadfix.CollectionUtils.map;
 
 public class EndpointTester {
     String basePath;
@@ -16,12 +24,171 @@ public EndpointTester(String basePath) {
         this.basePath = basePath;
     }
 
-    public int test(Endpoint endpoint) throws IOException {
+    public int test(Endpoint endpoint, Credentials credentials) throws IOException {
         URL url = new URL(PathUtil.combine(this.basePath, endpoint.getUrlPath()));
         HttpURLConnection conn = (HttpURLConnection)url.openConnection();
         conn.setRequestMethod(endpoint.getHttpMethod());
 
+        if (credentials != null && credentials.authenticatedParameters != null) {
+            for (Map.Entry<String, String> header : credentials.authenticatedParameters.entrySet()) {
+                conn.setRequestProperty(header.getKey(), header.getValue());
+            }
+        }
+
         conn.getInputStream().close();
         return conn.getResponseCode();
     }
+
+    public int authorize(Credentials credentials, Endpoint endpoint) throws IOException {
+        //  Get query settings
+        String httpMethod = endpoint != null ? endpoint.getHttpMethod() : "POST";
+
+        HttpURLConnection.setFollowRedirects(false);
+
+        //  Try auth by best-match
+
+        if (endpoint != null) {
+            try {
+                String urlParams = configureRequestWithBestMatchParameters(endpoint.getParameters(), credentials, null);
+                String finalizedPath = credentials.authenticationEndpoint;
+                if (!urlParams.isEmpty()) {
+                    finalizedPath += "?" + urlParams;
+                }
+
+                URL url = new URL(PathUtil.combine(this.basePath, finalizedPath));
+                // Configure connection
+                HttpURLConnection conn = (HttpURLConnection)url.openConnection();
+                conn.setRequestMethod(httpMethod);
+                configureRequestWithBestMatchParameters(endpoint.getParameters(), credentials, conn);
+
+                conn.getInputStream().close();
+                if (conn.getResponseCode() < 400 && saveCredentialsResponse(conn, credentials)) {
+                    return conn.getResponseCode();
+                }
+            } catch (IOException e) {
+                System.out.println("Unable to authorize using best-match parameters:");
+                e.printStackTrace();
+            }
+        }
+
+        try {
+            URL url = new URL(PathUtil.combine(this.basePath, credentials.authenticationEndpoint));
+            HttpURLConnection conn = (HttpURLConnection)url.openConnection();
+            conn.setRequestMethod(httpMethod);
+            configureRequestWithFormParameters(credentials, conn);
+
+            conn.getInputStream().close();
+            if (conn.getResponseCode() < 400 && saveCredentialsResponse(conn, credentials)) {
+                return conn.getResponseCode();
+            }
+        } catch (IOException e) {
+            System.out.println("Unable to authorize using all-forms parameters:");
+            e.printStackTrace();
+        }
+
+        return -1;
+    }
+
+    private boolean saveCredentialsResponse(HttpURLConnection conn, Credentials creds) {
+        if (conn.getHeaderField("Set-Cookie") != null) {
+            List<String> cookies = conn.getHeaderFields().get("Set-Cookie");
+            List<String> sanitizeCookies = list();
+
+            for (String cookie : cookies) {
+                String mainPart = cookie;
+                if (mainPart.contains(";")) {
+                    mainPart = mainPart.substring(0, mainPart.indexOf(';'));
+                }
+                sanitizeCookies.add(mainPart);
+            }
+
+            creds.authenticatedParameters = map();
+            creds.authenticatedParameters.put("Cookie", String.join("; ", sanitizeCookies));
+
+            return true;
+        }
+        return false;
+    }
+
+    private String configureRequestWithBestMatchParameters(Map<String, RouteParameter> parsedParameters, Credentials credentials, HttpURLConnection conn) throws IOException {
+        StringJoiner queryString = new StringJoiner("&");
+        StringJoiner formParams = new StringJoiner("&");
+
+        for (Map.Entry<String, String> credParam : credentials.parameters.entrySet()) {
+            RouteParameter paramSpec = null;
+            if (parsedParameters != null) {
+                if (parsedParameters.containsKey(credParam.getKey())) {
+                    paramSpec = parsedParameters.get(credParam.getKey());
+                }
+            }
+
+            if (paramSpec == null) {
+                paramSpec = RouteParameter.fromDataType(credParam.getKey(), "String");
+                paramSpec.setParamType(RouteParameterType.FORM_DATA);
+            }
+
+            String encodedKey, encodedValue;
+            try {
+                encodedKey = URLEncoder.encode(credParam.getKey(), "UTF-8");
+                encodedValue = URLEncoder.encode(credParam.getValue(), "UTF-8");
+            } catch (UnsupportedEncodingException e) {
+                e.printStackTrace();
+                continue;
+            }
+
+            String encodedPair = encodedKey + "=" + encodedValue;
+
+            switch (paramSpec.getParamType()) {
+                case QUERY_STRING:
+                    queryString.add(encodedPair);
+                    break;
+
+                default:
+                    // Assume form data for anything else
+                    formParams.add(encodedPair);
+            }
+        }
+
+        if (formParams.length() > 0 && conn != null) {
+
+            byte[] out = formParams.toString().getBytes(StandardCharsets.UTF_8);
+
+            conn.setDoOutput(true);
+            conn.setFixedLengthStreamingMode(out.length);
+            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
+
+            conn.connect();
+            try (OutputStream os = conn.getOutputStream()) {
+                os.write(out);
+            }
+        }
+
+        if (queryString.length() == 0) {
+            return "";
+        } else {
+            return "?" + queryString.toString();
+        }
+    }
+
+    private void configureRequestWithFormParameters(Credentials credentials, HttpURLConnection conn) throws IOException {
+        StringJoiner joiner = new StringJoiner("&");
+        for (Map.Entry<String, String> param : credentials.parameters.entrySet()) {
+            try {
+                joiner.add(URLEncoder.encode(param.getKey(), "UTF-8") + "=" + URLEncoder.encode(param.getValue(), "UTF-8"));
+            } catch (UnsupportedEncodingException e) {
+                e.printStackTrace();
+            }
+        }
+
+        byte[] out = joiner.toString().getBytes(StandardCharsets.UTF_8);
+
+        conn.setDoOutput(true);
+        conn.setFixedLengthStreamingMode(out.length);
+        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
+
+        conn.connect();
+        try (OutputStream os = conn.getOutputStream()) {
+            os.write(out);
+        }
+    }
 }