Merge pull request #84 from Qualys/feature/QINT-21167

feature/QINT-21167: Added OIDC changes

Author: qsadhav

src/main/java/com/example/GitHubActionsQWas/WASAuth/WASAuth.java

@@ -1,14 +1,36 @@
 package com.example.GitHubActionsQWas.WASAuth;
 
+import com.example.GitHubActionsQWas.WASClient.QualysWASResponse;
+import com.example.GitHubActionsQWas.WASClient.WASBaseClient;
+import com.example.GitHubActionsQWas.WASClient.WASClient;
+import lombok.Getter;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.util.EntityUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+
+@Getter
 public class WASAuth {
     private String server;
     private String username;
     private String password;
+    private String clientId;
+    private String clientSecret;
     private String authKey;
+    private String authType;
     private String proxyServer;
     private String proxyUsername;
     private String proxyPassword;
     private int proxyPort;
+    private final Logger logger = LoggerFactory.getLogger(WASClient.class);
 
     public WASAuth() {
     }
@@ -17,41 +39,35 @@ public WASAuth(String oauthKey) {
         this.authKey = oauthKey;
     }
 
-    public String getServer() {
-        return server;
-    }
-
-    public String getUsername() {
-        return username;
-    }
-
-    public String getPassword() {
-        return password;
-    }
-
-    public String getAuthKey() {
-        return authKey;
+    public void setWasCredentials(String server, String username, String password, String authType) {
+        this.server = server;
+        this.username = username;
+        this.password = password;
+        this.authType = authType;
     }
 
-    public String getProxyServer() {
-        return proxyServer;
+    public void setWasOAuthCredentials(String server, String clientId, String clientSecret, String authType) {
+        this.server = server;
+        this.clientId = clientId;
+        this.clientSecret = clientSecret;
+        this.authType = authType;
     }
 
-    public String getProxyUsername() {
-        return proxyUsername;
-    }
+    public void setOAuthKey() throws NoSuchAlgorithmException, KeyManagementException, IOException {
+        WASClient client = new WASClient(this);
+        CloseableHttpClient httpClient = client.getCloseableHttpClient();
 
-    public String getProxyPassword() {
-        return proxyPassword;
-    }
+        URL url = new URL(server + "/auth/oidc");
+        logger.info("Making Request: " + url);
 
-    public int getProxyPort() {
-        return proxyPort;
-    }
+        HttpPost postRequest = new HttpPost(url.toString());
+        postRequest.addHeader("Content-Type", "application/x-www-form-urlencoded");
+        postRequest.addHeader("clientId", this.clientId);
+        postRequest.addHeader("clientSecret", this.clientSecret);
 
-    public void setWasCredentials(String server, String username, String password) {
-        this.server = server;
-        this.username = username;
-        this.password = password;
+        CloseableHttpResponse httpResponse = httpClient.execute(postRequest);
+        logger.info("Server returned with ResponseCode: " + httpResponse.getStatusLine().getStatusCode());
+        this.authKey = EntityUtils.toString(httpResponse.getEntity(), "UTF-8");
+        logger.warn("OAUTH Key is generated successfully...");
     }
 }

src/main/java/com/example/GitHubActionsQWas/WASClient/WASClient.java

@@ -1,6 +1,7 @@
 package com.example.GitHubActionsQWas.WASClient;
 
 import com.example.GitHubActionsQWas.WASAuth.WASAuth;
+import com.example.GitHubActionsQWas.constants.Constants;
 import com.example.GitHubActionsQWas.util.Helper;
 import com.google.gson.*;
 import org.apache.http.HttpEntity;
@@ -21,6 +22,8 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
 import java.util.Base64;
 import java.util.HashMap;
 
@@ -77,6 +80,10 @@ public QualysWASResponse getReportStatus(String reportId) {
         return this.get(this.apiMap.get("getReportStatus") + reportId);
     }
 
+    public CloseableHttpClient getCloseableHttpClient() throws NoSuchAlgorithmException, KeyManagementException {
+        return this.getHttpClient();
+    }
+
     private void download(String apiPath) {
         CloseableHttpClient httpClient = null;
 
@@ -86,7 +93,11 @@ private void download(String apiPath) {
             httpClient = this.getHttpClient();
 
             HttpGet getRequest = new HttpGet(url.toString());
-            getRequest.addHeader("Authorization", "Basic " + this.getBasicAuthHeader());
+            if (Constants.BASIC.equals(auth.getAuthType())) {
+                getRequest.addHeader("Authorization", "Basic " + this.getBasicAuthHeader());
+            } else if (Constants.OAUTH.equals(auth.getAuthType())) {
+                getRequest.addHeader("Authorization", "Bearer " + auth.getAuthKey());
+            }
             CloseableHttpResponse response = httpClient.execute(getRequest);
             logger.debug("Server returned with ResponseCode: {}", response.getStatusLine().getStatusCode());
 
@@ -201,7 +212,11 @@ private QualysWASResponse get(String apiPath) {
 
             HttpGet getRequest = new HttpGet(url.toString());
             getRequest.addHeader("accept", "application/json");
-            getRequest.addHeader("Authorization", "Basic " + this.getBasicAuthHeader());
+            if (Constants.BASIC.equals(auth.getAuthType())) {
+                getRequest.addHeader("Authorization", "Basic " + this.getBasicAuthHeader());
+            } else if (Constants.OAUTH.equals(auth.getAuthType())) {
+                getRequest.addHeader("Authorization", "Bearer " + auth.getAuthKey());
+            }
             CloseableHttpResponse response = httpClient.execute(getRequest);
             apiResponse.responseCode = response.getStatusLine().getStatusCode();
             logger.debug("Server returned with ResponseCode: " + apiResponse.responseCode);
@@ -245,7 +260,11 @@ private QualysWASResponse post(String apiPath, JsonObject requestData) {
 
             HttpPost postRequest = new HttpPost(url.toString());
             postRequest.addHeader("accept", "application/json");
-            postRequest.addHeader("Authorization", "Basic " + this.getBasicAuthHeader());
+            if (Constants.BASIC.equals(auth.getAuthType())) {
+                postRequest.addHeader("Authorization", "Basic " + this.getBasicAuthHeader());
+            } else if (Constants.OAUTH.equals(auth.getAuthType())) {
+                postRequest.addHeader("Authorization", "Bearer " + auth.getAuthKey());
+            }
             Gson gson = new Gson();
             if (requestData != null) {
                 postRequest.addHeader("Content-Type", "application/json");

src/main/java/com/example/GitHubActionsQWas/constants/Constants.java

@@ -18,5 +18,6 @@ public class Constants {
     public static final String COMPLETE = "COMPLETE";
     public static final String UNKNOWN = "UNKNOWN";
     public static final String PDF_FORMAT = "PDF";
-
+    public static final String BASIC = "BASIC";
+    public static final String OAUTH = "OAUTH";
 }

src/main/java/com/example/GitHubActionsQWas/service/QualysWASScanBuilder.java

@@ -1,10 +1,14 @@
 package com.example.GitHubActionsQWas.service;
 
+import ch.qos.logback.core.util.StringUtil;
 import com.example.GitHubActionsQWas.WASAuth.WASAuth;
 import com.example.GitHubActionsQWas.WASClient.QualysWASResponse;
 import com.example.GitHubActionsQWas.WASClient.WASClient;
 import com.example.GitHubActionsQWas.constants.Constants;
+import com.example.GitHubActionsQWas.util.ApiGatewayUrl;
+import com.example.GitHubActionsQWas.util.ApiServerUrl;
 import com.example.GitHubActionsQWas.util.Helper;
+import com.example.GitHubActionsQWas.util.PortalUrl;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -21,6 +25,10 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.core.env.Environment;
 
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
@@ -36,6 +44,8 @@ public class QualysWASScanBuilder {
     private Environment environment;
     private String apiServer;
     private String portalServer;
+    private String gatewayServer;
+    private String platform;
     private String qualysUsername;
     private String qualysPasssword;
     private boolean useProxy = false;
@@ -76,11 +86,14 @@ public class QualysWASScanBuilder {
     private boolean waitForResult;
     private WASClient client;
     private String fileType;
+    private String authType;
+    private String clientId;
+    private String clientSecret;
+    private String qualysIdentificationUrl;
 
     public QualysWASScanBuilder(Environment environment) {
         try {
             this.environment = environment;
-            this.apiServer = environment.getProperty("API_SERVER", "");
             this.qualysUsername = environment.getProperty("QUALYS_USERNAME", "");
             this.qualysPasssword = environment.getProperty("QUALYS_PASSWORD", "");
             this.useProxy = environment.getProperty("USE_PROXY", Boolean.class, false);
@@ -107,6 +120,21 @@ public QualysWASScanBuilder(Environment environment) {
             this.interval = environment.getProperty("INTERVAL", Integer.class, 1);
             this.timeout = environment.getProperty("TIMEOUT", Integer.class, (60 * 5) + 50);
             this.fileType = environment.getProperty("FILE_TYPE", "PDF");
+            this.authType = environment.getProperty("AUTH_TYPE", "");
+            this.clientId = environment.getProperty("CLIENT_ID", "");
+            this.clientSecret = environment.getProperty("CLIENT_SECRET", "");
+            this.platform = environment.getProperty("PLATFORM", "");
+            this.qualysIdentificationUrl = "https://www.qualys.com/platform-identification";
+
+            if (StringUtil.notNullNorEmpty(platform)) {
+                this.apiServer = ApiServerUrl.getByKey(platform).getUrl();
+                this.portalServer = PortalUrl.getByKey(platform).getUrl();
+                this.gatewayServer = ApiGatewayUrl.getByKey(platform).getUrl();
+            } else {
+                throw new Exception("PLATFORM not specified, Please configure it and try again. Please visit following url to identify correct platform: " +
+                        qualysIdentificationUrl);
+            }
+
             this.severity1Limit = 0;
             this.severity2Limit = 0;
             this.severity3Limit = 0;
@@ -120,7 +148,7 @@ public QualysWASScanBuilder(Environment environment) {
                 assignSeverities();
             }
         } catch (Exception ex) {
-            logger.error("Something went wrong. Reason: " + ex.getCause());
+            logger.error("Something went wrong. Reason: " + ex.getMessage());
             System.exit(1);
         }
     }
@@ -173,10 +201,14 @@ protected void assignSeverities() {
         }
     }
 
-    protected void initWASClient() {
-        WASAuth auth = new WASAuth();
-        auth.setWasCredentials(apiServer, qualysUsername, qualysPasssword);
-
+    protected void initWASClient() throws NoSuchAlgorithmException, KeyManagementException, IOException {
+        WASAuth auth = new WASAuth();;
+        if (authType.equals(Constants.BASIC)) {
+            auth.setWasCredentials(apiServer, qualysUsername, qualysPasssword, Constants.BASIC);
+        } else {
+            auth.setWasOAuthCredentials(gatewayServer, clientId, clientSecret, Constants.OAUTH);
+            auth.setOAuthKey();
+        }
 //        if (useProxy) {
 //            auth.setProxyCredentials(proxyServer, proxyPort, proxyUsername, proxyPassword);
 //        }
@@ -226,8 +258,6 @@ protected JsonObject getCriteriaAsJsonObject() {
      *
      */
     public void launchWebApplicationScan() {
-        portalServer = apiServer.replace("api", "guard");
-
         logger.info("Using Qualys API Server: " + apiServer);
 
         try {
@@ -410,7 +440,16 @@ private JsonElement getEvaluationResult(JsonObject result) {
     }
 
     public boolean isMandatoryParametersSet() {
-        return !(this.apiServer == null || this.apiServer.isEmpty() || this.qualysUsername == null || this.qualysUsername.isEmpty() || this.qualysPasssword == null || this.qualysPasssword.isEmpty() || webAppId == null || webAppId.isEmpty() || scanName == null || scanName.isEmpty() || scanType == null || scanType.isEmpty());
+        return !(this.apiServer == null || this.apiServer.isEmpty() ||
+                this.qualysUsername == null || this.qualysUsername.isEmpty() ||
+                this.qualysPasssword == null || this.qualysPasssword.isEmpty() ||
+                this.webAppId == null || this.webAppId.isEmpty() ||
+                this.scanName == null || this.scanName.isEmpty() ||
+                this.scanType == null || this.scanType.isEmpty() ||
+                this.platform == null || this.platform.isEmpty()) ||
+                this.gatewayServer == null || this.gatewayServer.isEmpty() ||
+                this.portalServer == null || this.portalServer.isEmpty() ||
+                this.authType == null || this.authType.isEmpty();
     }
 
     protected boolean testConnection() {

src/main/java/com/example/GitHubActionsQWas/util/ApiGatewayUrl.java

@@ -0,0 +1,38 @@
+package com.example.GitHubActionsQWas.util;
+
+import lombok.Getter;
+
+@Getter
+public enum ApiGatewayUrl {
+  US1 ("https://gateway.qualys.com"),
+  US2 ("https://gateway.qg2.apps.qualys.com"),
+  US3 ("https://gateway.qg3.apps.qualys.com"),
+  US4 ("https://gateway.qg4.apps.qualys.com"),
+  EU1 ("https://gateway.qualys.eu"),
+  EU2 ("https://gateway.qg2.apps.qualys.eu"),
+  EU3 ("https://gateway.qg3.apps.qualys.eu"),
+  IN1 ("https://gateway.qg1.apps.qualys.in"),
+  CA1 ("https://gateway.qg1.apps.qualys.ca"),
+  AE1 ("https://gateway.qg1.apps.qualys.ae"),
+  UK1 ("https://gateway.qg1.apps.qualys.co.uk"),
+  AU1 ("https://gateway.qg1.apps.qualys.com.au"),
+  KSA1 ("https://gateway.qg1.apps.qualysksa.com")
+  ;
+
+  private final String url;
+
+  ApiGatewayUrl(String url) {
+    this.url = url;
+  }
+
+  public static ApiGatewayUrl getByKey(String key) throws Exception {
+    try {
+      return valueOf(key.toUpperCase());
+    } catch (Exception e) {
+      String exception = String.format("Exception: You have entered invalid platform {%s}, Please visit following url to identify correct platform - %s",
+              key.toUpperCase(),
+              "https://www.qualys.com/platform-identification ");
+      throw new Exception(exception);
+    }
+  }
+}

src/main/java/com/example/GitHubActionsQWas/util/ApiServerUrl.java

@@ -0,0 +1,38 @@
+package com.example.GitHubActionsQWas.util;
+
+import lombok.Getter;
+
+@Getter
+public enum ApiServerUrl {
+  US1 ("https://qualysapi.qualys.com"),
+  US2 ("https://qualysapi.qg2.apps.qualys.com"),
+  US3 ("https://qualysapi.qg3.apps.qualys.com"),
+  US4 ("https://qualysapi.qg4.apps.qualys.com"),
+  EU1 ("https://qualysapi.qualys.eu"),
+  EU2 ("https://qualysapi.qg2.apps.qualys.eu"),
+  EU3 ("https://qualysapi.qg3.apps.qualys.eu"),
+  IN1 ("https://qualysapi.qg1.apps.qualys.in"),
+  CA1 ("https://qualysapi.qg1.apps.qualys.ca"),
+  AE1 ("https://qualysapi.qg1.apps.qualys.ae"),
+  UK1 ("https://qualysapi.qg1.apps.qualys.co.uk"),
+  AU1 ("https://qualysapi.qg1.apps.qualys.com.au"),
+  KSA1 ("https://qualysapi.qg1.apps.qualysksa.com")
+  ;
+
+  private final String url;
+
+  ApiServerUrl(String url) {
+    this.url = url;
+  }
+
+  public static ApiServerUrl getByKey(String key) throws Exception {
+    try {
+      return valueOf(key.toUpperCase());
+    } catch (IllegalArgumentException e) {
+      String exception = String.format("Exception: You have entered invalid platform {%s}, Please visit following url to identify correct platform - %s",
+              key.toUpperCase(),
+              "https://www.qualys.com/platform-identification ");
+      throw new Exception(exception);
+    }
+  }
+}