Merge remote-tracking branch 'origin/master' into release/current

Author: guillaumejparis

openbas-api/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>io.openbas</groupId>
         <artifactId>openbas-platform</artifactId>
-        <version>1.18.3</version>
+        <version>1.18.4</version>
     </parent>
 
     <artifactId>openbas-api</artifactId>
@@ -49,7 +49,7 @@
         <dependency>
             <groupId>io.openbas</groupId>
             <artifactId>openbas-framework</artifactId>
-            <version>1.18.3</version>
+            <version>1.18.4</version>
         </dependency>
         <dependency>
             <groupId>co.elastic.clients</groupId>
@@ -234,6 +234,12 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>org.mock-server</groupId>
+            <artifactId>mockserver-netty</artifactId>
+            <version>5.15.0</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-test</artifactId>

openbas-api/src/main/java/io/openbas/authorisation/TlsConfig.java

@@ -8,6 +8,8 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
@@ -41,7 +43,7 @@ private Set<String> getFilesPaths(String dir) {
           .filter(path -> path.endsWith(".pem"))
           .collect(Collectors.toSet());
     } catch (Exception e) {
-      log.info("No extra trusted certificate found in " + dir);
+      log.info("No extra trusted certificate found in {}", dir, e);
       return new HashSet<>();
     }
   }
@@ -73,14 +75,8 @@ private List<X509Certificate> getExtraCerts(Set<String> filesPaths)
     return extraCerts;
   }
 
-  /**
-   * Get and set extra trusted certificates to the java trust manager
-   *
-   * @return tls context with our extra trusted certificates
-   * @throws Exception exception
-   */
-  @Bean
-  public X509TrustManager tlsContextCustom() throws Exception {
+  private X509TrustManager getDefaultTrustManager()
+      throws NoSuchAlgorithmException, KeyStoreException {
     TrustManagerFactory trustManagerFactory =
         TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
     trustManagerFactory.init((KeyStore) null);
@@ -93,42 +89,91 @@ public X509TrustManager tlsContextCustom() throws Exception {
       }
     }
 
+    return defaultX509CertificateTrustManager;
+  }
+
+  private Optional<X509TrustManager> getAdditionalTrustManager()
+      throws NoSuchAlgorithmException, KeyStoreException, CertificateException, IOException {
     Set<String> filesPaths = getFilesPaths(openBASConfig.getExtraTrustedCertsDir());
 
+    // early return; if there aren't any extra certs
+    // don't bother building a trust manager
+    if (filesPaths.isEmpty()) {
+      return Optional.empty();
+    }
+
     List<X509Certificate> extraCerts = getExtraCerts(filesPaths);
 
-    X509TrustManager finalDefaultTm = defaultX509CertificateTrustManager;
+    // in-memory keystore
+    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+    keyStore.load(null, null);
+    for (X509Certificate cert : extraCerts) {
+      keyStore.setCertificateEntry(cert.getSubjectX500Principal().getName(), cert);
+    }
 
-    X509TrustManager wrapper =
-        new X509TrustManager() {
-          private X509Certificate[] mergeCertificates() {
-            ArrayList<X509Certificate> resultingCerts = new ArrayList<>();
-            resultingCerts.addAll(Arrays.asList(finalDefaultTm.getAcceptedIssuers()));
-            resultingCerts.addAll(extraCerts);
-            return resultingCerts.toArray(new X509Certificate[resultingCerts.size()]);
-          }
+    TrustManagerFactory trustManagerFactory =
+        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+    trustManagerFactory.init(keyStore);
 
-          @Override
-          public X509Certificate[] getAcceptedIssuers() {
-            return mergeCertificates();
-          }
+    return Arrays.stream(trustManagerFactory.getTrustManagers())
+        .filter(tm -> tm instanceof X509TrustManager)
+        .map(tm -> Optional.of((X509TrustManager) tm))
+        .findFirst()
+        .orElse(Optional.empty());
+  }
 
-          @Override
-          public void checkServerTrusted(X509Certificate[] chain, String authType) {
-            try {
-              finalDefaultTm.checkServerTrusted(chain, authType);
-            } catch (CertificateException e) {
-              log.error("Error occurred during checkServerTrusted", e);
-            }
-          }
+  /**
+   * Get and set extra trusted certificates to the java trust manager
+   *
+   * @return tls context with our extra trusted certificates
+   * @throws Exception exception
+   */
+  @Bean
+  public X509TrustManager tlsContextCustom() throws Exception {
+    X509TrustManager defaultX509CertificateTrustManager = getDefaultTrustManager();
+    Optional<X509TrustManager> additionalTrustManager = getAdditionalTrustManager();
+
+    return new X509TrustManager() {
+      private X509Certificate[] mergeCertificates() {
+        ArrayList<X509Certificate> resultingCerts =
+            new ArrayList<>(Arrays.asList(defaultX509CertificateTrustManager.getAcceptedIssuers()));
+        additionalTrustManager.ifPresent(
+            tm -> resultingCerts.addAll(Arrays.asList(tm.getAcceptedIssuers())));
+        return resultingCerts.toArray(new X509Certificate[0]);
+      }
+
+      @Override
+      public X509Certificate[] getAcceptedIssuers() {
+        return mergeCertificates();
+      }
 
-          @Override
-          public void checkClientTrusted(X509Certificate[] chain, String authType)
-              throws CertificateException {
-            finalDefaultTm.checkClientTrusted(mergeCertificates(), authType);
+      @Override
+      public void checkServerTrusted(X509Certificate[] chain, String authType)
+          throws CertificateException {
+        try {
+          defaultX509CertificateTrustManager.checkServerTrusted(chain, authType);
+        } catch (Exception e) {
+          if (additionalTrustManager.isPresent()) {
+            additionalTrustManager.get().checkServerTrusted(chain, authType);
+          } else {
+            throw e;
           }
-        };
+        }
+      }
 
-    return wrapper;
+      @Override
+      public void checkClientTrusted(X509Certificate[] chain, String authType)
+          throws CertificateException {
+        try {
+          defaultX509CertificateTrustManager.checkClientTrusted(chain, authType);
+        } catch (Exception e) {
+          if (additionalTrustManager.isPresent()) {
+            additionalTrustManager.get().checkClientTrusted(chain, authType);
+          } else {
+            throw e;
+          }
+        }
+      }
+    };
   }
 }

openbas-api/src/main/java/io/openbas/migration/V4_11__Payload_Expectations.java

@@ -0,0 +1,22 @@
+package io.openbas.migration;
+
+import java.sql.Connection;
+import java.sql.Statement;
+import org.flywaydb.core.api.migration.BaseJavaMigration;
+import org.flywaydb.core.api.migration.Context;
+import org.springframework.stereotype.Component;
+
+@Component
+public class V4_11__Payload_Expectations extends BaseJavaMigration {
+
+  @Override
+  public void migrate(Context context) throws Exception {
+    Connection connection = context.getConnection();
+    try (Statement statement = connection.createStatement()) {
+      statement.execute(
+          """
+              ALTER TABLE payloads ADD COLUMN payload_expectations text[];
+              """);
+    }
+  }
+}

openbas-api/src/main/java/io/openbas/migration/V4_11__List_Widget_config_update.java renamed to openbas-api/src/main/java/io/openbas/migration/V4_12__List_Widget_config_update.java

@@ -7,7 +7,7 @@
 import org.springframework.stereotype.Component;
 
 @Component
-public class V4_11__List_Widget_config_update extends BaseJavaMigration {
+public class V4_12__List_Widget_config_update extends BaseJavaMigration {
 
   @Override
   public void migrate(Context context) throws Exception {

openbas-api/src/main/java/io/openbas/migration/V4_12__Update_Role_table.java renamed to openbas-api/src/main/java/io/openbas/migration/V4_13__Update_Role_table.java

@@ -7,7 +7,7 @@
 import org.springframework.stereotype.Component;
 
 @Component
-public class V4_12__Update_Role_table extends BaseJavaMigration {
+public class V4_13__Update_Role_table extends BaseJavaMigration {
 
   @Override
   public void migrate(Context context) throws Exception {

openbas-api/src/main/java/io/openbas/rest/payload/form/PayloadCreateInput.java

@@ -5,6 +5,7 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import io.openbas.database.model.*;
 import io.openbas.database.model.Endpoint.PLATFORM_TYPE;
+import io.openbas.database.model.InjectExpectation.EXPECTATION_TYPE;
 import io.openbas.database.model.Payload.PAYLOAD_SOURCE;
 import io.openbas.database.model.Payload.PAYLOAD_STATUS;
 import io.swagger.v3.oas.annotations.media.DiscriminatorMapping;
@@ -62,6 +63,11 @@ public class PayloadCreateInput {
   private Payload.PAYLOAD_EXECUTION_ARCH executionArch =
       Payload.PAYLOAD_EXECUTION_ARCH.ALL_ARCHITECTURES;
 
+  @JsonProperty("payload_expectations")
+  @NotNull
+  private EXPECTATION_TYPE[] expectations =
+      new EXPECTATION_TYPE[] {EXPECTATION_TYPE.PREVENTION, EXPECTATION_TYPE.DETECTION};
+
   @JsonProperty("payload_description")
   private String description;
 

openbas-api/src/main/java/io/openbas/rest/payload/form/PayloadUpdateInput.java

@@ -4,6 +4,7 @@
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 import io.openbas.database.model.Endpoint.PLATFORM_TYPE;
+import io.openbas.database.model.InjectExpectation;
 import io.openbas.database.model.Payload;
 import io.openbas.database.model.PayloadArgument;
 import io.openbas.database.model.PayloadPrerequisite;
@@ -42,6 +43,13 @@ public class PayloadUpdateInput {
   private Payload.PAYLOAD_EXECUTION_ARCH executionArch =
       Payload.PAYLOAD_EXECUTION_ARCH.ALL_ARCHITECTURES;
 
+  @JsonProperty("payload_expectations")
+  @NotNull
+  private InjectExpectation.EXPECTATION_TYPE[] expectations =
+      new InjectExpectation.EXPECTATION_TYPE[] {
+        InjectExpectation.EXPECTATION_TYPE.PREVENTION, InjectExpectation.EXPECTATION_TYPE.DETECTION
+      };
+
   @JsonProperty("executable_file")
   private String executableFile;
 

openbas-api/src/main/java/io/openbas/rest/payload/form/PayloadUpsertInput.java

@@ -3,10 +3,7 @@
 import static io.openbas.config.AppConfig.MANDATORY_MESSAGE;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
-import io.openbas.database.model.Endpoint;
-import io.openbas.database.model.Payload;
-import io.openbas.database.model.PayloadArgument;
-import io.openbas.database.model.PayloadPrerequisite;
+import io.openbas.database.model.*;
 import io.swagger.v3.oas.annotations.media.Schema;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.NotNull;
@@ -48,6 +45,13 @@ public class PayloadUpsertInput {
   private Payload.PAYLOAD_EXECUTION_ARCH executionArch =
       Payload.PAYLOAD_EXECUTION_ARCH.ALL_ARCHITECTURES;
 
+  @JsonProperty("payload_expectations")
+  @NotNull
+  private InjectExpectation.EXPECTATION_TYPE[] expectations =
+      new InjectExpectation.EXPECTATION_TYPE[] {
+        InjectExpectation.EXPECTATION_TYPE.PREVENTION, InjectExpectation.EXPECTATION_TYPE.DETECTION
+      };
+
   @JsonProperty("payload_description")
   private String description;
 

openbas-api/src/main/java/io/openbas/rest/payload/service/PayloadService.java

@@ -29,6 +29,7 @@
 import io.openbas.injector_contract.ContractTargetedProperty;
 import io.openbas.injector_contract.fields.*;
 import io.openbas.injectors.openbas.util.OpenBASObfuscationMap;
+import io.openbas.model.inject.form.Expectation;
 import io.openbas.rest.payload.PayloadUtils;
 import jakarta.annotation.Resource;
 import jakarta.validation.constraints.NotBlank;
@@ -146,7 +147,7 @@ private Contract buildContract(
             true);
     ContractAsset assetField = assetField(Multiple);
     ContractAssetGroup assetGroupField = assetGroupField(Multiple);
-    ContractExpectations expectationsField = expectations();
+    ContractExpectations expectationsField = expectations(payload.getExpectations());
     ContractDef builder = contractBuilder();
     builder.mandatoryGroup(assetField, assetGroupField);
 
@@ -184,12 +185,35 @@ private Contract buildContract(
         true);
   }
 
-  private ContractExpectations expectations() {
-    return expectationsField(
-        List.of(
-            this.expectationBuilderService.buildPreventionExpectation(),
-            this.expectationBuilderService.buildDetectionExpectation(),
-            this.expectationBuilderService.buildVulnerabilityExpectation()));
+  private ContractExpectations expectations(InjectExpectation.EXPECTATION_TYPE[] expectationTypes) {
+    List<Expectation> expectations = new ArrayList<>();
+    if (expectationTypes.length == 0) {
+      return expectationsField(
+          List.of(
+              this.expectationBuilderService.buildPreventionExpectation(),
+              this.expectationBuilderService.buildDetectionExpectation()));
+    } else {
+      for (InjectExpectation.EXPECTATION_TYPE type : expectationTypes) {
+        switch (type) {
+          case TEXT -> expectations.add(this.expectationBuilderService.buildTextExpectation());
+          case DOCUMENT ->
+              expectations.add(this.expectationBuilderService.buildDocumentExpectation());
+          case ARTICLE ->
+              expectations.add(this.expectationBuilderService.buildArticleExpectation());
+          case CHALLENGE ->
+              expectations.add(this.expectationBuilderService.buildChallengeExpectation());
+          case MANUAL -> expectations.add(this.expectationBuilderService.buildManualExpectation());
+          case PREVENTION ->
+              expectations.add(this.expectationBuilderService.buildPreventionExpectation());
+          case DETECTION ->
+              expectations.add(this.expectationBuilderService.buildDetectionExpectation());
+          case VULNERABILITY ->
+              expectations.add(this.expectationBuilderService.buildVulnerabilityExpectation());
+          default -> throw new IllegalArgumentException("Unsupported expectation type: " + type);
+        }
+      }
+      return expectationsField(expectations);
+    }
   }
 
   public Payload duplicate(@NotBlank final String payloadId) {