Regenerate APIs and prepare release

CHANGELOG.md

@@ -3,9 +3,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
-## [Unreleased]
+## [0.0.18] - 2020-12-18
 ### Changed
-- Update APIs from GraphQL add-on.
+- Core APIs updated for ZAP version 2.10.0.
+- Update APIs from add-ons:
+ - AJAX Spider;
+ - GraphQL.
 
 ## [0.0.17] - 2020-10-14
 ### Added
@@ -87,7 +90,7 @@ ensure it's automatically sent in all API requests.
 ### Changed
 - Moved from the main `zaproxy` repository.
 
-[Unreleased]: https://github.com/zaproxy/zap-api-python/compare/0.0.17...HEAD
+[0.0.18]: https://github.com/zaproxy/zap-api-python/compare/0.0.17...0.0.18
 [0.0.17]: https://github.com/zaproxy/zap-api-python/compare/0.0.16...0.0.17
 [0.0.16]: https://github.com/zaproxy/zap-api-python/compare/0.0.15...0.0.16
 [0.0.15]: https://github.com/zaproxy/zap-api-python/compare/0.0.14...0.0.15

setup.py

@@ -27,8 +27,8 @@
 setup(
     name="python-owasp-zap-v2.4",
     version="0.0.18",
-    description="OWASP ZAP 2.9 API client",
-    long_description="OWASP Zed Attack Proxy 2.9 API Python client (the 2.4 package name has been kept to make it easier to upgrade)",
+    description="OWASP ZAP 2.10 API client",
+    long_description="OWASP Zed Attack Proxy 2.10 API Python client (the 2.4 package name has been kept to make it easier to upgrade)",
     author="ZAP development team",
     author_email='',
     url="https://www.zaproxy.org/",

src/zapv2/acsrf.py

@@ -34,6 +34,13 @@ def option_tokens_names(self):
         """
         return six.next(six.itervalues(self.zap._request(self.zap.base + 'acsrf/view/optionTokensNames/')))
 
+    @property
+    def option_partial_matching_enabled(self):
+        """
+        Define if ZAP should detect CSRF tokens by searching for partial matches
+        """
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'acsrf/view/optionPartialMatchingEnabled/')))
+
     def add_option_token(self, string, apikey=''):
         """
         Adds an anti-CSRF token with the given name, enabled by default
@@ -46,6 +53,12 @@ def remove_option_token(self, string, apikey=''):
         """
         return six.next(six.itervalues(self.zap._request(self.zap.base + 'acsrf/action/removeOptionToken/', {'String': string, 'apikey': apikey})))
 
+    def set_option_partial_matching_enabled(self, boolean, apikey=''):
+        """
+        Define if ZAP should detect CSRF tokens by searching for partial matches.
+        """
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'acsrf/action/setOptionPartialMatchingEnabled/', {'Boolean': boolean, 'apikey': apikey})))
+
     def gen_form(self, hrefid, apikey=''):
         """
         Generate a form for testing lack of anti-CSRF tokens - typically invoked via ZAP

src/zapv2/ajaxSpider.py

@@ -27,6 +27,13 @@ class ajaxSpider(object):
     def __init__(self, zap):
         self.zap = zap
 
+    @property
+    def allowed_resources(self):
+        """
+        This component is optional and therefore the API will only work if it is installed
+        """
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'ajaxSpider/view/allowedResources/')))
+
     @property
     def status(self):
         """
@@ -131,7 +138,7 @@ def option_random_inputs(self):
 
     def scan(self, url=None, inscope=None, contextname=None, subtreeonly=None, apikey=''):
         """
-        Runs the spider against the given URL and/or context, optionally, spidering everything in scope. The parameter 'contextName' can be used to constrain the scan to a Context, the option 'in scope' is ignored if a context was also specified. The parameter 'subtreeOnly' allows to restrict the spider under a site's subtree (using the specified 'url').
+        Runs the AJAX Spider against a given target.
         This component is optional and therefore the API will only work if it is installed
         """
         params = {'apikey': apikey}
@@ -147,7 +154,7 @@ def scan(self, url=None, inscope=None, contextname=None, subtreeonly=None, apike
 
     def scan_as_user(self, contextname, username, url=None, subtreeonly=None, apikey=''):
         """
-        Runs the spider from the perspective of a User, obtained using the given context name and user name. The parameter 'url' allows to specify the starting point for the spider, otherwise it's used an existing URL from the context (if any). The parameter 'subtreeOnly' allows to restrict the spider under a site's subtree (using the specified 'url').
+        Runs the AJAX Spider from the perspective of a User of the web application.
         This component is optional and therefore the API will only work if it is installed
         """
         params = {'contextName': contextname, 'userName': username, 'apikey': apikey}
@@ -163,6 +170,27 @@ def stop(self, apikey=''):
         """
         return six.next(six.itervalues(self.zap._request(self.zap.base + 'ajaxSpider/action/stop/', {'apikey': apikey})))
 
+    def add_allowed_resource(self, regex, enabled=None, apikey=''):
+        """
+        This component is optional and therefore the API will only work if it is installed
+        """
+        params = {'regex': regex, 'apikey': apikey}
+        if enabled is not None:
+            params['enabled'] = enabled
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'ajaxSpider/action/addAllowedResource/', params)))
+
+    def remove_allowed_resource(self, regex, apikey=''):
+        """
+        This component is optional and therefore the API will only work if it is installed
+        """
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'ajaxSpider/action/removeAllowedResource/', {'regex': regex, 'apikey': apikey})))
+
+    def set_enabled_allowed_resource(self, regex, enabled, apikey=''):
+        """
+        This component is optional and therefore the API will only work if it is installed
+        """
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'ajaxSpider/action/setEnabledAllowedResource/', {'regex': regex, 'enabled': enabled, 'apikey': apikey})))
+
     def set_option_browser_id(self, string, apikey=''):
         """
         This component is optional and therefore the API will only work if it is installed

src/zapv2/alert.py

@@ -102,6 +102,18 @@ def delete_alert(self, id, apikey=''):
         """
         return six.next(six.itervalues(self.zap._request(self.zap.base + 'alert/action/deleteAlert/', {'id': id, 'apikey': apikey})))
 
+    def update_alerts_confidence(self, ids, confidenceid, apikey=''):
+        """
+        Update the confidence of the alerts.
+        """
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'alert/action/updateAlertsConfidence/', {'ids': ids, 'confidenceId': confidenceid, 'apikey': apikey})))
+
+    def update_alerts_risk(self, ids, riskid, apikey=''):
+        """
+        Update the risk of the alerts.
+        """
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'alert/action/updateAlertsRisk/', {'ids': ids, 'riskId': riskid, 'apikey': apikey})))
+
     def update_alert(self, id, name, riskid, confidenceid, description, param=None, attack=None, otherinfo=None, solution=None, references=None, evidence=None, cweid=None, wascid=None, apikey=''):
         """
         Update the alert with the given ID, with the provided details.

src/zapv2/context.py

@@ -95,6 +95,23 @@ def set_context_regexs(self, contextname, incregexs, excregexs, apikey=''):
         """
         return six.next(six.itervalues(self.zap._request(self.zap.base + 'context/action/setContextRegexs/', {'contextName': contextname, 'incRegexs': incregexs, 'excRegexs': excregexs, 'apikey': apikey})))
 
+    def set_context_checking_strategy(self, contextname, checkingstrategy, pollurl=None, polldata=None, pollheaders=None, pollfrequency=None, pollfrequencyunits=None, apikey=''):
+        """
+        Set the checking strategy for a context - this defines how ZAP checks that a request is authenticated
+        """
+        params = {'contextName': contextname, 'checkingStrategy': checkingstrategy, 'apikey': apikey}
+        if pollurl is not None:
+            params['pollUrl'] = pollurl
+        if polldata is not None:
+            params['pollData'] = polldata
+        if pollheaders is not None:
+            params['pollHeaders'] = pollheaders
+        if pollfrequency is not None:
+            params['pollFrequency'] = pollfrequency
+        if pollfrequencyunits is not None:
+            params['pollFrequencyUnits'] = pollfrequencyunits
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'context/action/setContextCheckingStrategy/', params)))
+
     def new_context(self, contextname, apikey=''):
         """
         Creates a new context with the given name in the current session

src/zapv2/core.py

@@ -287,6 +287,13 @@ def option_use_proxy_chain(self):
     def option_use_proxy_chain_auth(self):
         return six.next(six.itervalues(self.zap._request(self.zap.base + 'core/view/optionUseProxyChainAuth/')))
 
+    @property
+    def option_use_socks_proxy(self):
+        """
+        Gets whether or not the SOCKS proxy should be used.
+        """
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'core/view/optionUseSocksProxy/')))
+
     def access_url(self, url, followredirects=None, apikey=''):
         """
         Convenient and simple action to access a URL, optionally following redirections. Returns the request sent and response received and followed redirections, if any. Other actions are available which offer more control on what is sent, like, 'sendRequest' or 'sendHarRequest'.
@@ -536,6 +543,12 @@ def set_option_use_proxy_chain(self, boolean, apikey=''):
     def set_option_use_proxy_chain_auth(self, boolean, apikey=''):
         return six.next(six.itervalues(self.zap._request(self.zap.base + 'core/action/setOptionUseProxyChainAuth/', {'Boolean': boolean, 'apikey': apikey})))
 
+    def set_option_use_socks_proxy(self, boolean, apikey=''):
+        """
+        Sets whether or not the SOCKS proxy should be used.
+        """
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'core/action/setOptionUseSocksProxy/', {'Boolean': boolean, 'apikey': apikey})))
+
     def proxy_pac(self, apikey=''):
         return (self.zap._request_other(self.zap.base_other + 'core/other/proxy.pac/', {'apikey': apikey}))
 

src/zapv2/users.py

@@ -54,6 +54,18 @@ def get_authentication_credentials(self, contextid, userid):
         """
         return six.next(six.itervalues(self.zap._request(self.zap.base + 'users/view/getAuthenticationCredentials/', {'contextId': contextid, 'userId': userid})))
 
+    def get_authentication_state(self, contextid, userid):
+        """
+        Gets the authentication state information for the user identified by the Context and User Ids.
+        """
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'users/view/getAuthenticationState/', {'contextId': contextid, 'userId': userid})))
+
+    def get_authentication_session(self, contextid, userid):
+        """
+        Gets the authentication session information for the user identified by the Context and User Ids, e.g. cookies and realm credentials.
+        """
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'users/view/getAuthenticationSession/', {'contextId': contextid, 'userId': userid})))
+
     def new_user(self, contextid, name, apikey=''):
         """
         Creates a new user with the given name for the context with the given ID.
@@ -86,3 +98,39 @@ def set_authentication_credentials(self, contextid, userid, authcredentialsconfi
         if authcredentialsconfigparams is not None:
             params['authCredentialsConfigParams'] = authcredentialsconfigparams
         return six.next(six.itervalues(self.zap._request(self.zap.base + 'users/action/setAuthenticationCredentials/', params)))
+
+    def authenticate_as_user(self, contextid, userid, apikey=''):
+        """
+        Tries to authenticate as the identified user, returning the authentication request and whether it appears to have succeeded.
+        """
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'users/action/authenticateAsUser/', {'contextId': contextid, 'userId': userid, 'apikey': apikey})))
+
+    def poll_as_user(self, contextid, userid, apikey=''):
+        """
+        Tries to poll as the identified user, returning the authentication request and whether it appears to have succeeded. This will only work if the polling verification strategy has been configured.
+        """
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'users/action/pollAsUser/', {'contextId': contextid, 'userId': userid, 'apikey': apikey})))
+
+    def set_authentication_state(self, contextid, userid, lastpollresult=None, lastpolltimeinms=None, requestssincelastpoll=None, apikey=''):
+        """
+        Sets fields in the authentication state for the user identified by the Context and User Ids.
+        """
+        params = {'contextId': contextid, 'userId': userid, 'apikey': apikey}
+        if lastpollresult is not None:
+            params['lastPollResult'] = lastpollresult
+        if lastpolltimeinms is not None:
+            params['lastPollTimeInMs'] = lastpolltimeinms
+        if requestssincelastpoll is not None:
+            params['requestsSinceLastPoll'] = requestssincelastpoll
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'users/action/setAuthenticationState/', params)))
+
+    def set_cookie(self, contextid, userid, domain, name, value, path=None, secure=None, apikey=''):
+        """
+        Sets the specified cookie for the user identified by the Context and User Ids.
+        """
+        params = {'contextId': contextid, 'userId': userid, 'domain': domain, 'name': name, 'value': value, 'apikey': apikey}
+        if path is not None:
+            params['path'] = path
+        if secure is not None:
+            params['secure'] = secure
+        return six.next(six.itervalues(self.zap._request(self.zap.base + 'users/action/setCookie/', params)))