Merge pull request #5714 from thc202/openapi/context-excludes

openapi: honour context exclusions

Author: psiinon

addOns/openapi/CHANGELOG.md

@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Added
 - Allow to import the OpenAPI definitions with a user (Issue 7739).
+- Honour context exclusions when importing (Issue 8021).
 
 ### Fixed
 - Allow to select the contexts of the Automation Framework plan when configuring the job.

addOns/openapi/src/main/java/org/zaproxy/zap/extension/openapi/ExtensionOpenApi.java

@@ -423,15 +423,13 @@ private List<String> importOpenApiDefinition(
                     public void run() {
                         ProgressPane currentImportPane = null;
                         try {
-                            List<RequestModel> requestModels = converter.getRequestModels();
-                            if (contextId != -1) {
-                                Context context = getModel().getSession().getContext(contextId);
-                                if (context != null) {
-                                    converter.updateVariantChecks(
-                                            context,
-                                            variantChecksMap.computeIfAbsent(
-                                                    contextId, VariantOpenApiChecks::new));
-                                }
+                            Context context = getModel().getSession().getContext(contextId);
+                            List<RequestModel> requestModels = converter.getRequestModels(context);
+                            if (context != null) {
+                                converter.updateVariantChecks(
+                                        context,
+                                        variantChecksMap.computeIfAbsent(
+                                                contextId, VariantOpenApiChecks::new));
                             }
                             if (requestor == null) {
                                 return;

addOns/openapi/src/main/java/org/zaproxy/zap/extension/openapi/converter/Converter.java

@@ -22,8 +22,9 @@
 import java.util.List;
 import org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerException;
 import org.zaproxy.zap.extension.openapi.network.RequestModel;
+import org.zaproxy.zap.model.Context;
 
 public interface Converter {
 
-    List<RequestModel> getRequestModels() throws SwaggerException;
+    List<RequestModel> getRequestModels(Context context) throws SwaggerException;
 }

addOns/openapi/src/main/java/org/zaproxy/zap/extension/openapi/converter/swagger/SwaggerConverter.java

@@ -198,14 +198,17 @@ public List<OperationModel> getOperationModels() throws SwaggerException {
     }
 
     @Override
-    public List<RequestModel> getRequestModels() throws SwaggerException {
-        return convertToRequest(getOperationModels());
+    public List<RequestModel> getRequestModels(Context context) throws SwaggerException {
+        return convertToRequest(context, getOperationModels());
     }
 
-    private List<RequestModel> convertToRequest(List<OperationModel> operations) {
+    private List<RequestModel> convertToRequest(Context context, List<OperationModel> operations) {
         List<RequestModel> requests = new LinkedList<>();
         for (OperationModel operation : operations) {
-            requests.add(requestConverter.convert(operation, generators));
+            var model = requestConverter.convert(operation, generators);
+            if (context == null || !context.isExcluded(model.getUrl())) {
+                requests.add(model);
+            }
         }
         return requests;
     }
@@ -479,15 +482,22 @@ public void updateVariantChecks(
             if (PATH_PART_PATTERN.matcher(uri).find()) {
                 String regex = uri.replaceAll(PATH_PART_PATTERN.pattern(), "[^/?]+");
                 variantChecks.pathsWithParamsRegex.put(operation, Pattern.compile(regex));
-                if (!context.isIncluded(uri.replaceAll("[{}]", ""))) {
+                if (isContextIncludeNeeded(context, uri.replaceAll("[{}]", ""))) {
                     context.addIncludeInContextRegex(regex);
                 }
             } else {
                 variantChecks.pathsWithNoParams.add(operation);
-                if (!context.isIncluded(uri)) {
+                if (isContextIncludeNeeded(context, uri)) {
                     context.addIncludeInContextRegex(uri);
                 }
             }
         }
     }
+
+    private static boolean isContextIncludeNeeded(Context context, String uri) {
+        if (context.isExcluded(uri)) {
+            return false;
+        }
+        return !context.isIncluded(uri);
+    }
 }

addOns/openapi/src/main/java/org/zaproxy/zap/extension/openapi/spider/OpenApiSpider.java

@@ -57,7 +57,7 @@ public boolean parseResource(ParseContext ctx) {
                             message.getRequestHeader().getURI().toString(),
                             message.getResponseBody().toString(),
                             valGenSupplier.get());
-            requestor.run(ctx.getUser(), converter.getRequestModels());
+            requestor.run(ctx.getUser(), converter.getRequestModels(ctx.getContext()));
         } catch (Exception e) {
             LOGGER.debug(e.getMessage(), e);
             return false;

addOns/openapi/src/main/javahelp/org/zaproxy/zap/extension/openapi/resources/help/contents/openapi.html

@@ -31,6 +31,7 @@ <H3>Context</H3>
     <li>the imported spec is saved to the session database</li>
     <li>data driven nodes are generated for endpoints with path parameters</li>
 </ul>
+<strong>Note:</strong> Endpoints excluded by the Context will not be imported.
 
 <H3>User</H3>
 The dialogues also allow selecting a User, optionally, to do authenticated imports.

addOns/openapi/src/test/java/org/zaproxy/zap/extension/openapi/converter/swagger/SwaggerConverterUnitTest.java

@@ -31,6 +31,9 @@
 import static org.hamcrest.Matchers.not;
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
 
 import io.swagger.v3.oas.models.servers.Server;
 import io.swagger.v3.oas.models.servers.ServerVariable;
@@ -44,6 +47,7 @@
 import org.zaproxy.zap.extension.openapi.OpenApiExceptions.EmptyDefinitionException;
 import org.zaproxy.zap.extension.openapi.OpenApiExceptions.InvalidUrlException;
 import org.zaproxy.zap.extension.openapi.network.RequestModel;
+import org.zaproxy.zap.model.Context;
 
 /** Unit test for {@link SwaggerConverter}. */
 class SwaggerConverterUnitTest extends AbstractOpenApiTest {
@@ -1117,7 +1121,7 @@ void shouldUsePathServers() throws Exception {
         String definition = getHtml("openapi_path_servers.yaml");
         SwaggerConverter converter = new SwaggerConverter(definition, null);
         // When
-        List<RequestModel> requests = converter.getRequestModels();
+        List<RequestModel> requests = converter.getRequestModels(null);
         // Then
         assertThat(converter.getErrorMessages(), is(empty()));
         assertThat(
@@ -1136,7 +1140,7 @@ void shouldUseTargetUrlForPathServers() throws Exception {
         SwaggerConverter converter =
                 new SwaggerConverter("/v2/", "http://localhost/definition/", definition, null);
         // When
-        List<RequestModel> requests = converter.getRequestModels();
+        List<RequestModel> requests = converter.getRequestModels(null);
         // Then
         assertThat(converter.getErrorMessages(), is(empty()));
         assertThat(
@@ -1153,7 +1157,7 @@ void shouldUseOperationServers() throws Exception {
         String definition = getHtml("openapi_operation_servers.yaml");
         SwaggerConverter converter = new SwaggerConverter(definition, null);
         // When
-        List<RequestModel> requests = converter.getRequestModels();
+        List<RequestModel> requests = converter.getRequestModels(null);
         // Then
         assertThat(converter.getErrorMessages(), is(empty()));
         assertThat(
@@ -1177,7 +1181,7 @@ void shouldUseTargetUrlForOperationServers() throws Exception {
         SwaggerConverter converter =
                 new SwaggerConverter("/v2/", "http://localhost/definition/", definition, null);
         // When
-        List<RequestModel> requests = converter.getRequestModels();
+        List<RequestModel> requests = converter.getRequestModels(null);
         // Then
         assertThat(converter.getErrorMessages(), is(empty()));
         assertThat(
@@ -1193,6 +1197,51 @@ void shouldUseTargetUrlForOperationServers() throws Exception {
                         "PATCH http://server8.localhost/v2/operations/with/servers"));
     }
 
+    @Test
+    void shouldConvertAllEndpointsIfNoContextProvided() throws Exception {
+        // Given
+        String definition = getHtml("openapi_paths_misc.yaml");
+        SwaggerConverter converter = new SwaggerConverter(definition, null);
+        Context context = null;
+        // When
+        List<RequestModel> requests = converter.getRequestModels(context);
+        // Then
+        assertThat(converter.getErrorMessages(), is(empty()));
+        assertThat(
+                urlsOf(requests),
+                contains(
+                        "http://server.localhost/path/a/",
+                        "http://server.localhost/path/b/",
+                        "http://server.localhost/path/b/1/",
+                        "http://server.localhost/path/c/",
+                        "http://server.localhost/path/c/1/",
+                        "http://server.localhost/path/c/2/"));
+    }
+
+    @Test
+    void shouldNotConvertEndpointsExcludedFromContext() throws Exception {
+        // Given
+        String definition = getHtml("openapi_paths_misc.yaml");
+        SwaggerConverter converter = new SwaggerConverter(definition, null);
+        var context = mock(Context.class);
+        given(context.isExcluded(anyString()))
+                .willAnswer(
+                        e -> {
+                            var uri = e.getArgument(0).toString();
+                            return uri.contains("/path/b/") || uri.contains("/path/c/1/");
+                        });
+        // When
+        List<RequestModel> requests = converter.getRequestModels(context);
+        // Then
+        assertThat(converter.getErrorMessages(), is(empty()));
+        assertThat(
+                urlsOf(requests),
+                contains(
+                        "http://server.localhost/path/a/",
+                        "http://server.localhost/path/c/",
+                        "http://server.localhost/path/c/2/"));
+    }
+
     private static List<String> urlsOf(List<RequestModel> requests) {
         return requests.stream().map(RequestModel::getUrl).collect(Collectors.toList());
     }

addOns/openapi/src/test/java/org/zaproxy/zap/extension/openapi/v1/OpenApiUnitTest.java

@@ -84,7 +84,7 @@ public void handleMessage(HttpMessage message, int initiator) {
                     }
                 };
         requestor.addListener(listener);
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
 
         checkPetStore2dot0Requests(accessedUrls, "localhost:" + nano.getListeningPort());
     }

addOns/openapi/src/test/java/org/zaproxy/zap/extension/openapi/v2/OpenApiPrimitivesInBodyUnitTest.java

@@ -83,7 +83,7 @@ public void handleMessage(HttpMessage message, int initiator) {
                     }
                 };
         requestor.addListener(listener);
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
 
         checkRequests(accessedUrls, "localhost:" + nano.getListeningPort());
     }

addOns/openapi/src/test/java/org/zaproxy/zap/extension/openapi/v2/OpenApiUnitTest.java

@@ -76,7 +76,7 @@ public void handleMessage(HttpMessage message, int initiator) {
                     }
                 };
         requestor.addListener(listener);
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
 
         checkPetStoreRequests(accessedUrls, "localhost:" + nano.getListeningPort());
     }
@@ -109,7 +109,7 @@ public void handleMessage(HttpMessage message, int initiator) {
                     }
                 };
         requestor.addListener(listener);
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
 
         checkPetStoreRequests(accessedUrls, "localhost:" + nano.getListeningPort());
     }
@@ -145,7 +145,7 @@ public void handleMessage(HttpMessage message, int initiator) {
                     }
                 };
         requestor.addListener(listener);
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
 
         checkPetStoreRequests(accessedUrls, altHost);
     }
@@ -183,7 +183,7 @@ public void handleMessage(HttpMessage message, int initiator) {
                 };
         requestor.addListener(listener);
         // When
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
         // Then
         checkPetStoreRequests(accessedUrls, defaultHost);
     }
@@ -220,7 +220,7 @@ public void handleMessage(HttpMessage message, int initiator) {
                 };
         requestor.addListener(listener);
         // When / Then
-        assertThrows(SwaggerException.class, () -> requestor.run(converter.getRequestModels()));
+        assertThrows(SwaggerException.class, () -> requestor.run(converter.getRequestModels(null)));
     }
 
     @Test
@@ -256,7 +256,7 @@ public void handleMessage(HttpMessage message, int initiator) {
                 };
         requestor.addListener(listener);
         // When
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
         // Then
         checkPetStoreRequests(accessedUrls, "localhost:" + nano.getListeningPort());
     }
@@ -280,7 +280,7 @@ void shouldFailToExplorePetStoreWithoutScheme() throws Exception {
                         requestor.getResponseBody(defnMsg.getRequestHeader().getURI()),
                         null);
         // When / Then
-        assertThrows(SwaggerException.class, () -> converter.getRequestModels());
+        assertThrows(SwaggerException.class, () -> converter.getRequestModels(null));
     }
 
     @Test
@@ -312,7 +312,7 @@ public void handleMessage(HttpMessage message, int initiator) {
                 };
         requestor.addListener(listener);
         // When
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
         // Then
         assertThat(converter.getErrorMessages(), is(empty()));
         assertEquals(
@@ -382,7 +382,7 @@ public void handleMessage(HttpMessage message, int initiator) {
                     }
                 };
         requestor.addListener(listener);
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
 
         checkPetStoreRequestsValGen(accessedUrls, "localhost:" + nano.getListeningPort());
     }
@@ -416,7 +416,7 @@ public void handleMessage(HttpMessage message, int initiator) {
                     }
                 };
         requestor.addListener(listener);
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
 
         assertEquals(accessedUrls.size(), 2);
 

addOns/openapi/src/test/java/org/zaproxy/zap/extension/openapi/v3/OpenApiDefaultValuesTest.java

@@ -58,7 +58,7 @@ void shouldUseDefaultValues() throws Exception {
         Requestor requestor = new Requestor(HttpSender.MANUAL_REQUEST_INITIATOR);
         requestor.addListener(listener);
         // When
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
         // Then
         HttpMessage message = accessedMessages.get(0);
         assertThat(

addOns/openapi/src/test/java/org/zaproxy/zap/extension/openapi/v3/OpenApiEnumsUnitTest.java

@@ -58,7 +58,7 @@ void shouldUseEnumValues() throws Exception {
         Requestor requestor = new Requestor(HttpSender.MANUAL_REQUEST_INITIATOR);
         requestor.addListener(listener);
         // When
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
         // Then
         HttpMessage message = accessedMessages.get(0);
         assertThat(message.getRequestHeader().getURI().getEscapedQuery(), is(equalTo("Name=123")));

addOns/openapi/src/test/java/org/zaproxy/zap/extension/openapi/v3/OpenApiExternalRefsUnitTest.java

@@ -83,7 +83,7 @@ void shouldResolveExternalReferencesDirectly() throws Exception {
         Requestor requestor = new Requestor(HttpSender.MANUAL_REQUEST_INITIATOR);
         requestor.addListener(listener);
         // When
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
         // Then
         assertThat(requestedUris, contains("/path/"));
         assertThat(serverHandler.getRequestedUris(), contains("/path/"));

addOns/openapi/src/test/java/org/zaproxy/zap/extension/openapi/v3/OpenApiGeneratedCookieValuesTest.java

@@ -58,7 +58,7 @@ void shouldUseDefaultValues() throws Exception {
         Requestor requestor = new Requestor(HttpSender.MANUAL_REQUEST_INITIATOR);
         requestor.addListener(listener);
         // When
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
         // Then
         HttpMessage message = accessedMessages.get(0);
         assertThat(message.getRequestHeader().getHeader("Cookie"), is(equalTo("Name=true")));

addOns/openapi/src/test/java/org/zaproxy/zap/extension/openapi/v3/OpenApiPrimitivesInBodyUnitTest.java

@@ -83,7 +83,7 @@ public void handleMessage(HttpMessage message, int initiator) {
                     }
                 };
         requestor.addListener(listener);
-        requestor.run(converter.getRequestModels());
+        requestor.run(converter.getRequestModels(null));
         checkRequests(accessedUrls, "localhost:" + nano.getListeningPort());
     }