OWASP ZAP Keycloak/OIDC/Oauth2 from CLI - keycloak

For my CI, I now need to launch ZAP from the CLI; this works fine:
docker run --net mynetwork -v $(pwd):/zap/wrk/:rw \
-t owasp/zap2docker-stable zap-full-scan.py -I -j -m 10 -T 60 \
-t http://myapiserver.com:8080/api/docs \
-r report-$(date +%Y%m%d-%H%M%S).html
Now, my REST API server uses OAuth2/OIDC/Keycloak, I know how to get a token, no problem with that.
But I can't see how I can activate a community script, AddBearerTokenHeader.js, to include a token in each call. The doc is not clear to me and basically demands installing the app to find the keys using the mouse, which I can't do (no right to install apps on my PC).
Where can I find the parameters to activate this script?
Update
Although I was able to launch the Swing interface from Docker...
docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.sh
# Browse for http://localhost:8080/zap/
... can't make the config.xml differences raise following the doc (yes, I know how to use docker, share directories, RTFM, etc.).
#SimonBennets' answer provides a nice solution, not the best (what if I want to add multiple headers? How do I update tokens?), but it works:
TOKEN=$(curl -ks -X POST \
${URL}realms/${REALM}/protocol/openid-connect/token \
-H "Accept: application/json" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "cache-control: no-cache" \
-d "grant_type=password" \
-d "username=${USER_NAME}" \
-d "password=${USER_PASS}" \
-d "client_id=admin-cli"|jq -r .access_token|tr -d "\n"
)
docker run --net net_oia \
--name zap \
-v $(pwd):/zap/wrk/:rw \
-e ZAP_AUTH_HEADER="Authorization" \
-e ZAP_AUTH_HEADER_VALUE="Bearer $TOKEN" \
-t owasp/zap2docker-stable zap-full-scan.py -I -j -m 10 -T 60 \
-t http://apidb:8080/api/ \
-r report-$(date +%Y%m%d-%H%M%S).html
My logs showing how the OWASP ZAP header is generated (notice the authorization header... why lowercase? Anyway, this is OK):
apidb | Headers({'host': 'apidb:8080', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 'pragma': 'no-cache', 'cache-control': 'no-cache', 'authorization': 'Bearer eyJhbGciOiJSUzI1NiIsIn...'})

An easier option is to use the ZAP_AUTH_HEADER_VALUE env var.
It's explained in more detail here: https://www.zaproxy.org/docs/authentication/handling-auth-yourself/
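An added check, not part of the question or the answer above: ZAP_AUTH_HEADER_VALUE is sent unchanged for the whole run, and Keycloak access tokens are short-lived by default (5 minutes), so a scan allowed to run for 60 minutes (-T 60) can outlive its token and finish with unauthenticated requests that look like a passing scan. The helpers below read the exp claim out of the token and refuse to start a scan the token cannot cover; the sample token is constructed, and the base64 call assumes coreutils.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Reads the "exp"
# claim of a JWT and compares it with the scan time limit before launching,
# so a static ZAP_AUTH_HEADER_VALUE does not expire mid-scan.
# Assumed: base64 from coreutils (base64 -d).

# Print the "exp" claim (Unix seconds) of a JWT, or nothing if it is absent.
jwt_exp() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url drops the padding; restore it so base64 -d accepts the input
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null \
    | sed -n 's/.*"exp":[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Succeed only if token $1 is still valid $3 minutes after Unix time $2.
token_covers_scan() {
  exp=$(jwt_exp "$1"); now="$2"; limit_min="$3"
  [ -n "$exp" ] && [ "$((exp - now))" -ge "$((limit_min * 60))" ]
}

# Constructed sample token: an unsigned payload is enough for this check.
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(printf '%s' '{"alg":"none"}' | b64url).$(printf '%s' '{"exp":1700000300,"iat":1700000000}' | b64url).sig"

# Usage in front of the docker run from the question (TOKEN obtained as above):
#   if token_covers_scan "$TOKEN" "$(date +%s)" 60; then <run zap-full-scan.py>
#   else shorten -T or obtain a token whose lifetime covers the scan; fi
```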

Related

Create protocol mapper in Keycloak using kcadm.sh

From Add protocol-mapper to keycloak using kcadm.sh
Has anyone figured this out yet? I tried it the way Oscar suggested and it still does not work.
The lines that are not commented work perfectly.
The lines that are commented do not work. I get an error that says "./clientmapper.sh: 59 (or whatever line number that I have uncommented): -s: not found"
sudo docker exec $keycontainer /opt/jboss/keycloak/bin/kcadm.sh create \
clients/$cid/protocol-mappers/models \
-r myrealm \
-s name=roles \
-s protocol=openid-connect \
-s protocolMapper=oidc-usermodel-attribute-mapper
#-s 'config."id.token.claim"=true' \
#-s claim.name=roles \
#-s jsonType.label=String \
#-s multivalued=true \
#-s userinfo.token.claim=true \
#-s access.token.claim=true
I made this work by formatting as Oscar suggested and using -i after the docker exec command. It works perfectly now.
sudo docker exec -i $keycontainer /opt/jboss/keycloak/bin/kcadm.sh create \
clients/$cid/protocol-mappers/models \
-r testrealm \
-s name=testmap \
-s protocol=openid-connect \
-s protocolMapper=oidc-usermodel-realm-role-mapper \
-s 'config."id.token.claim"=true' \
-s 'config."claim.name"=testmap' \
-s 'config."jsonType.label"=String' \
-s 'config."multivalued"=true' \
-s 'config."userinfo.token.claim"=true' \
-s 'config."access.token.claim"=true'

Add LDAP User Federation with kcadm cli but fails to show in UI until any realm setting change is made

I'm trying to automate the configuration setup for a Realm in Keycloak using the kcadm.sh CLI tool. When I add our LDAP configuration for user federation using a command like the following
kcadm.sh create components -r API \
-s name="Active Directory" \
-s parentId=f19b715d-272d-4b29-8474-dc538fb5e5c8 \
-s providerId=ldap \
-s providerType=org.keycloak.storage.UserStorageProvider \
-s 'config.priority=["1"]' \
-s 'config.fullSyncPeriod=["-1"]' \
-s 'config.changedSyncPeriod=["-1"]' \
-s 'config.cachePolicy=["DEFAULT"]' \
-s config.evictionDay=[] \
-s config.evictionHour=[] \
-s config.evictionMinute=[] \
-s config.maxLifespan=[] \
-s 'config.batchSizeForSync=["1000"]' \
-s 'config.editMode=["READ_ONLY"]' \
-s 'config.syncRegistrations=["false"]' \
-s 'config.vendor=["ad"]' \
-s 'config.usernameLDAPAttribute=["sAMAccountName"]' \
-s 'config.rdnLDAPAttribute=["sAMAccountName"]' \
-s 'config.uuidLDAPAttribute=["objectGUID"]' \
-s 'config.userObjectClasses=["person, organizationalPerson, user"]' \
-s 'config.connectionUrl=["LDAP://192.168.110.50"]' \
-s 'config.usersDn=["OU=ST Users,DC=something,DC=com,DC=au"]' \
-s 'config.authType=["simple"]' \
-s 'config.bindDn=["CN=Webauth LDAP,OU=System Accounts,OU=AIH Users,DC=something,DC=com,DC=au"]' \
-s 'config.bindCredential=["secret"]' \
-s 'config.searchScope=["2"]' \
-s 'config.useTruststoreSpi=["ldapsOnly"]' \
-s 'config.connectionPooling=["true"]' \
-s 'config.pagination=["true"]' \
-s 'config.allowKerberosAuthentication=["true"]' \
-s 'config.serverPrincipal=["HTTP/alb-keycloak-shared.int.something.cloud.local#SOMETHING.COM.AU"]' \
-s 'config.keyTab=["/opt/keycloak/standalone/configuration/int-keycloak.keytab"]' \
-s 'config.kerberosRealm=["SOMETHING.COM.AU"]' \
-s 'config.debug=["true"]' \
-s 'config.useKerberosForPasswordAuthentication=["true"]'
it is successfully added to the realm (as verified by inspecting the database component and component_config tables). BUT, when I sign in to the Keycloak Admin console to inspect that setup for the realm, I do not see any User Federation setup. It is not until I make some benign change to the realm (changing the realm display name) or flush the realm caches that the configuration for the LDAP user federation becomes visible in the Admin console UI.
Is there something I should be doing to automate adding user federation with LDAP?
Note: I'm using Keycloak v8.0.1.
This might happen because you haven't passed the -s parentId correctly
PARENT_ID=$(/opt/jboss/keycloak/bin/kcadm.sh get /auth/admin/realms/$REALM_NAME --fields id --format csv --noquotes)
/opt/jboss/keycloak/bin/kcadm.sh create components -r $REALM_NAME -s name="migration-provider" -s providerId="migration-provider" -s providerType="org.keycloak.storage.UserStorageProvider" -s parentId="$PARENT_ID" -s 'config.priority=["0"]' -s 'config.enabled=["true"]' -s 'config.cachePolicy=["NO_CACHE"]'
Try something like this; it worked for me :)

Add protocol-mapper to keycloak using kcadm.sh

I have been trying to set up my full test system in keycloak using the kcadmin cli, but I have some problems creating protocol mappers:
HTTP error - 400 Bad Request
I have been trying to implement a request using:
http://www.keycloak.org/docs-api/3.3/rest-api/index.html
http://blog.keycloak.org/2017/01/administer-keycloak-server-from-shell.html
Am I missing something in the request:
/opt/jboss/keycloak/bin/kcadm.sh create \
clients/7e8ef93b-0d0f-487d-84a5-5cfaee7ddf13/protocol-mappers/models \
-r $test_realm \
-s config.user.attribute=tenants \
-s config.claim.name=tenants \
-s config.jsonType.label=String \
-s config.id.token.claim=true \
-s config.access.token.claim=true \
-s config.userinfo.token.claim=true \
-s config.multivalued=true \
-s name=tenants \
-s protocolMapper=oidc-usermodel-attribute-mapper
This works:
/opt/jboss/keycloak/bin/kcadm.sh create \
clients/7e8ef93b-0d0f-487d-84a5-5cfaee7ddf13/protocol-mappers/models \
-r $test_realm \
-s name=tenants1 \
-s protocol=openid-connect \
-s protocolMapper=oidc-usermodel-attribute-mapper
You need to specify nested config values like this in Linux:
-s 'config."id.token.claim"=true'
-s 'config."included.client.audience"=theclient'
In the failing example the following value is missing:
-s protocol=openid-connect
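An added example serving the three kcadm.sh posts above (the protocol mapper, the LDAP user federation component, and the 400 Bad Request); it is not code from any of the posters. kcadm.sh also accepts the whole representation as JSON read from stdin with -f -, which sidesteps the -s quoting. The two representations differ in shape: a protocol mapper's config maps string to string (hence config."claim.name"=value), while a component's config maps string to a list of strings (hence config.priority=["1"]). REALM, CLIENT_ID and LDAP_BIND_PASSWORD are assumed variables.

```shell
#!/bin/sh
# Added example, not taken from the posts above: emit the JSON representations
# kcadm.sh accepts via "-f -" instead of stacking quoted -s key=value pairs.
#   protocol mapper  -> "config" maps string to string   (config."claim.name"=x)
#   component (LDAP) -> "config" maps string to a list   (config.priority=["1"])
# Assumed: REALM, CLIENT_ID, LDAP_BIND_PASSWORD are set for the usage lines.

# Realm-role mapper exposing the user's realm roles under claim "$1".
# "protocol" is included: the answer above found it missing in the failing call.
mapper_json() {
  claim="$1"
  cat <<EOF
{"name": "$claim", "protocol": "openid-connect",
 "protocolMapper": "oidc-usermodel-realm-role-mapper",
 "config": {"claim.name": "$claim", "jsonType.label": "String",
            "multivalued": "true", "id.token.claim": "true",
            "access.token.claim": "true", "userinfo.token.claim": "true"}}
EOF
}

# LDAP user-federation component. parentId must be the realm's id; the bind
# password is read from the environment rather than written on the command
# line, where it would land in shell history and the process list.
ldap_component_json() {
  parent_id="$1"; url="$2"; users_dn="$3"; bind_dn="$4"
  bind_password="${LDAP_BIND_PASSWORD:?set LDAP_BIND_PASSWORD first}"
  cat <<EOF
{"name": "Active Directory", "parentId": "$parent_id", "providerId": "ldap",
 "providerType": "org.keycloak.storage.UserStorageProvider",
 "config": {"priority": ["1"], "editMode": ["READ_ONLY"], "vendor": ["ad"],
            "usernameLDAPAttribute": ["sAMAccountName"],
            "rdnLDAPAttribute": ["sAMAccountName"],
            "uuidLDAPAttribute": ["objectGUID"],
            "userObjectClasses": ["person, organizationalPerson, user"],
            "connectionUrl": ["$url"], "usersDn": ["$users_dn"],
            "authType": ["simple"], "bindDn": ["$bind_dn"],
            "bindCredential": ["$bind_password"],
            "useTruststoreSpi": ["ldapsOnly"]}}
EOF
}

# Against a live server (not run here):
#   PARENT_ID=$(kcadm.sh get realms/$REALM --fields id --format csv --noquotes)
#   mapper_json roles | kcadm.sh create clients/$CLIENT_ID/protocol-mappers/models -r $REALM -f -
#   ldap_component_json "$PARENT_ID" ldaps://ldap.example.invalid \
#     "OU=Users,DC=example,DC=invalid" "CN=bind,DC=example,DC=invalid" \
#     | kcadm.sh create components -r $REALM -f -
```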

wget post form to reboot router

I want to restart my Fritz!Box 7390 using wget.
The web interface has a reboot form which looks like this:
<form action="/system/reboot.lua" method="POST">
<div id="btn_form_foot">
<input type="hidden" name="sid" value="beb5683181c2ab9f">
<button type="submit" name="reboot">Neu starten</button>
</div>
</form>
I want to submit this form. So far I tried it like this, but it does not seem to work:
wget --post-data "sid=beb5683181c2ab9f" "http://fritz.box/system/reboot.lua"
The sid seems to change every time I load the page.
But I'm not sure if that's the issue, because I can fix the sid by adding ?sid=example to the URL.
You can't just POST to that url alone. You first need to get a valid session id. This can be done by doing a GET request on http://fritz.box/checklogin.lua and grabbing it from the LOCATION header value. Then you can use this to post to the http://fritz.box/system/reboot.lua including the session id.
Here are the minimal steps to automate it:
# session id from the Location header; tr strips the CR that ends HTTP header lines
SID=$(curl -s -I "http://fritz.box/logincheck.lua" | grep -Fi Location | awk -F'[=]' '{print $2}' | tr -d '\r')
# submit the reboot form; the redirect carries the sid for the final call
REBOOT_SID=$(curl -s -i -H "Content-Type: application/x-www-form-urlencoded" -H "Origin: http://fritz.box" -H "Referer: http://fritz.box/system/reboot.lua?sid=$SID" --data "reboot=&sid=$SID" -L http://fritz.box/system/reboot.lua | grep -Fi Location | awk -F'[=]' '{print $2}' | tr -d '\r')
# the URL must be quoted: an unquoted & would background the command
curl -s "http://fritz.box/reboot.lua?ajax=1&sid=$REBOOT_SID"
I've created a little script with some extra checks; you can find the complete script here: http://git.io/v3zQs
Suggestions what the steps are for the current software (v7.20+)?
Preferably for router that is password protected.
I tried to update it to use the recent path using the Chrome dev tools info.
It gives a statuscode 200 and response: {"reboot_state":"extern"}.
But no restart.
Chrome Developer Tools says the url when pressing the Restart button in the UI is:
curl 'http://fritz.box/reboot.lua' \
-H 'Connection: keep-alive' \
-H 'Pragma: no-cache' \
-H 'Cache-Control: no-cache' \
-H 'User-Agent: Mozilla/5.0 (...) Chrome/86.0.4240.111 Safari/537.36' \
-H 'DNT: 1' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: */*' \
-H 'Origin: http://fritz.box' \
-H 'Referer: http://fritz.box/' \
-H 'Accept-Language: en,en-US;q=0.9,nl;q=0.8,de;q=0.7,la;q=0.6' \
--data-raw 'ajax=1&sid=1fd4370b50b14b07&no_sidrenew=1&xhr=1&useajax=1' \
--compressed \
--insecure
(sid obviously changes after each login)

How to create a connector-connection-pool in Glassfish 3.1.2 with REST interface

For remote administration of multiple Glassfish 3.1.2.2 instances I want to configure a resource adapter connection pool and connector resources. These configurations can only be done after the resource adapter deployment.
All works if I do things with asadmin.
GET access via REST works as expected.
Example:
curl --user admin:pwd -X GET -H "Accept: application/JSON" \
http://localhost:4848/management/domain/resources/connector-connection-pool
Now I want to create a connection pool using the following command with REST
asadmin create-connector-connection-pool --raname MulticastDNS-connector \
--connectiondefinition multicastdns.outbound.MulticastDNSRegistry multicastdns/pool
I followed some of the Oracle examples http://docs.oracle.com/cd/E18930_01/html/821-2416/gjipx.html#gjijx or http://docs.oracle.com/cd/E19798-01/821-1751/gjijx/index.html
But all things I tried got 400 Bad Requests.
Example:
curl --user admin:pwd -X POST -H "Accept: application/JSON" -H "Content-Type: application/json" \
-d '{"id":"multicastdn%2fspool","connectiondefinitionname":"multicastdns.outbound.MulticastDNSRegistry","resourceAdapterName":"MulticastDNS-connector"}'\
http://localhost:4848/management/domain/resources/connector-connection-pool -v
# other check
curl --user admin:pwd -X POST -H "Accept: application/JSON" \
-d id=multicastdns%2fpool \
-d connectiondefinitionname=multicastdns.outbound.MulticastDNSRegistry \
-d resourceAdapterName=MulticastDNS-connector \
http://localhost:4848/management/domain/resources/connector-connection-pool -v
Similar results if I want to delete an existing resource.
curl --user admin:pwd -X DELETE -H "Accept: application/JSON" \
http://localhost:4848/management/domain/resources/connector-connection-pool/multicastdns%2fpool -v
# other try
curl --user admin:pwd -X DELETE -H "Accept: application/JSON" \
-d id=multicastdns%2fpool \
http://localhost:4848/management/domain/resources/connector-connection-pool -v
Same issue if I try the second step with a connector resource
asadmin create-connector-resource --poolname multicastdns/pool jca/multicastdns
GET via REST works, but adding and deleting an entry won't work.
Thanx florian