zap-extensions
authentication helper add-on 1.0.0
As discussed in GSoC meetings, an add-on to help set up authentication in ZAP. This PR addresses guided configuration and authentication status scanning.
Main tracker issue: ZAPROXY-4705
- [ ] set release date in about.html
- [x] trigger the process by right-clicking a node in `ContextsSitePanel`
- [x] trigger the process from `Tools` menu
- [x] trigger the process from `AuthenticationStatusPanel` toolbar
- [x] a dynamic checklist indicating the status of required configurations using icons
- [x] a label indicating the overall configuration status and next desired user action
- [x] link to relevant configuration dialog for each checklist item
  - ~~link to the context status checklist item will~~
    - ~~automatically create a context for a target without context and then it will show context properties dialog~~
    - ~~show context properties dialog for a target with the context defined~~
- [x] refresh button to rerun the check with updated settings
- [x] links to the checklist item are enabled/disabled based on the current configuration to guide the user
- [x] a panel showing authentication, logged in, logged out indicator status with other relevant message details
- [x] support multiple authentication methods
- [x] run multiple scans from different or same user's perspective
- [x] an options panel to add exclude regexes
- [x] recheck the authentication status by selecting URI from `AuthenticationStatusPanel`
- [x] help contents
- [x] test cases
ready for a review :)
is it safe to change the local and remote branch names to `authenticationhelper-addon` now?
That would require opening a new PR.
OK, then I am leaving the branch name as it is.
@KajanM is the release date really the only thing missing here?
@kingthorin There is one pending feature that can be addressed in this PR which is to highlight the occurrence(s) of the found logged in or(and) logged out indicator(s) in the response tab. I plan to add this feature in a later release so that I can allocate time to make the automatic authentication configuration logic robust.
All other functionalities are implemented, however, this PR is not completely reviewed yet. Please note, since some UI changes and automatic authentication configuration logic require a recent ZAP version, those changes are tackled separately in https://github.com/KajanM/zap-extensions/tree/authenticationhelper-addon-1.1.0
IMHO if ZAP 2.8.0 release is somewhere soon then it is preferable to release the 1.1.0 version of the add-on as 1.0.0.
If it makes sense to make the 1.1.0 version of the add-on available for ZAP weekly release let me know.
Thanks for the update.
@KajanM could you include the 1.1.0 changes in this PR? You can set the extension manifest to `<not-before-version>2.8.0</not-before-version>` then it can be built/published to the marketplace and people can load it in dev builds and we can do a full review and any outstanding modifications etc for 2.8.0.
@kingthorin I am sorry since we moved to bitbucket, I just noticed the comment. Is it ok to do it this weekend?
Ya I think that’s fine, thanks for getting back to us 😀
Thanks
The pull request is now updated (after build changes, zaproxy/zaproxy#5302).