|
| 1 | +/* |
| 2 | +* This script is intended to be used along with httpsender/AddBearerTokenHeader.js to |
| 3 | +* handle an OAUTH2 offline token refresh workflow. |
| 4 | +* |
| 5 | +* authentication/OfflineTokenRefresher.js will automatically fetch the new access token for every unauthorized |
| 6 | +* request determined by the "Logged Out" or "Logged In" indicator previously set in Context -> Authentication. |
| 7 | +* |
| 8 | +* httpsender/AddBearerTokenHeader.js will add the new access token to all requests in scope |
| 9 | +* made by ZAP (except the authentication ones) as an "Authorization: Bearer [access_token]" HTTP Header. |
| 10 | +* |
| 11 | +* @author Laura Pardo <lpardo at redhat.com> |
| 12 | +*/ |
| 13 | + |
| 14 | +var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader"); |
| 15 | +var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader"); |
| 16 | +var URI = Java.type("org.apache.commons.httpclient.URI"); |
| 17 | +var ScriptVars = Java.type('org.zaproxy.zap.extension.script.ScriptVars'); |
| 18 | + |
| 19 | + |
| 20 | +function authenticate(helper, paramsValues, credentials) { |
| 21 | + |
| 22 | + var token_endpoint = paramsValues.get("token_endpoint"); |
| 23 | + var client_id = paramsValues.get("client_id"); |
| 24 | + var refresh_token = credentials.getParam("refresh_token"); |
| 25 | + |
| 26 | + // Build body |
| 27 | + var refreshTokenBody = "client_id=" + client_id; |
| 28 | + refreshTokenBody+= "&grant_type=refresh_token"; |
| 29 | + refreshTokenBody+= "&refresh_token=" + refresh_token; |
| 30 | + |
| 31 | + // Build header |
| 32 | + var tokenRequestURI = new URI(token_endpoint, false); |
| 33 | + var tokenRequestMethod = HttpRequestHeader.POST; |
| 34 | + var tokenRequestMainHeader = new HttpRequestHeader(tokenRequestMethod, tokenRequestURI, HttpHeader.HTTP11); |
| 35 | + |
| 36 | + // Build message |
| 37 | + var tokenMsg = helper.prepareMessage(); |
| 38 | + tokenMsg.setRequestBody(refreshTokenBody); |
| 39 | + tokenMsg.setRequestHeader(tokenRequestMainHeader); |
| 40 | + tokenMsg.getRequestHeader().setContentLength(tokenMsg.getRequestBody().length()); |
| 41 | + |
| 42 | + // Make the request and receive the response |
| 43 | + helper.sendAndReceive(tokenMsg, false); |
| 44 | + |
| 45 | + // Parse the JSON response and save the new access_token in a global var |
| 46 | + // we will replace the Authentication header in AddBearerTokenHeader.js |
| 47 | + var json = JSON.parse(tokenMsg.getResponseBody().toString()); |
| 48 | + var access_token = json['access_token']; |
| 49 | + |
| 50 | + if (access_token){ |
| 51 | + ScriptVars.setGlobalVar("access_token", access_token); |
| 52 | + }else{ |
| 53 | + print("Error getting access token") |
| 54 | + } |
| 55 | + |
| 56 | + return tokenMsg; |
| 57 | +} |
| 58 | + |
| 59 | + |
| 60 | +function getRequiredParamsNames(){ |
| 61 | + return ["token_endpoint", "client_id"]; |
| 62 | +} |
| 63 | + |
| 64 | + |
| 65 | +function getOptionalParamsNames(){ |
| 66 | + return []; |
| 67 | +} |
| 68 | + |
| 69 | + |
| 70 | +function getCredentialsParamsNames(){ |
| 71 | + return ["access_token", "refresh_token"]; |
| 72 | +} |
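Review bot: The `client_id` and `refresh_token` values are concatenated straight into the form body (`refreshTokenBody = "client_id=" + client_id` and the two `refreshTokenBody+=` lines) without percent-encoding, so a value containing `&`, `+` or `=` is mangled or silently becomes an extra parameter, and the request header built with `new HttpRequestHeader(...)` never gets a `Content-Type: application/x-www-form-urlencoded`. `JSON.parse(tokenMsg.getResponseBody().toString())` also runs regardless of the response status, so a non-JSON error body (an HTML or empty 4xx/5xx reply) throws out of `authenticate` before the `if (access_token)` branch can report anything. Suggest encoding each value with `encodeURIComponent`, setting the content type on the header, and parsing only on a 200, as sketched below. Worth a comment on the `ScriptVars.setGlobalVar("access_token", ...)` line that a global script var makes the live bearer token readable by every other script loaded in ZAP, which is intended here for AddBearerTokenHeader.js but should be kept in mind when other scripts are added.
```javascript
  // Build body — percent-encode each value so a token containing '&', '+' or '=' cannot break or alter the form
  var refreshTokenBody = "client_id=" + encodeURIComponent(client_id);
  refreshTokenBody += "&grant_type=refresh_token";
  refreshTokenBody += "&refresh_token=" + encodeURIComponent(refresh_token);

  // … unchanged: URI / method / HttpRequestHeader construction …
  tokenRequestMainHeader.setHeader(HttpHeader.CONTENT_TYPE, "application/x-www-form-urlencoded");

  // … unchanged: message build and sendAndReceive …

  // Only parse a successful reply; an error body is often not JSON and JSON.parse would throw
  var access_token = null;
  if (tokenMsg.getResponseHeader().getStatusCode() === 200) {
    var json = JSON.parse(tokenMsg.getResponseBody().toString());
    access_token = json['access_token'];
  }
```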