require "json"
require "rest_client"
require "addressable/uri"
require "cgi"
require "logger"
require_relative "owasp_zap/version"
require_relative "owasp_zap/error"
require_relative "owasp_zap/string_extension"
require_relative "owasp_zap/spider"
require_relative "owasp_zap/attack"
require_relative "owasp_zap/alert"
require_relative "owasp_zap/auth"
require_relative "owasp_zap/scanner"
require_relative "owasp_zap/policy"
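module OwaspZap
  # Error type for the ZAP wrappers.
  # NOTE(review): this inherits from Exception, not StandardError, so a bare
  # `rescue` in a caller will NOT catch it. Left unchanged because callers may
  # already rescue ZapException explicitly; worth revisiting.
  class ZapException < Exception; end

  # Thin client for a locally running OWASP ZAP instance.
  #
  # It starts / stops the ZAP process and hands out the per-component API
  # wrappers (spider, active scan, alerts, auth, scanner, policy) that live in
  # the owasp_zap/* files required at the top of this file.
  class Zap
    attr_accessor :target, :base, :zap_bin
    attr_reader :api_key

    # @param params [Hash]
    #   :base    ZAP API base URL; default "http://127.0.0.1:8080"
    #   :target  URL of the application under test, passed on to the component wrappers
    #   :api_key key sent to ZAP when the API key is enabled (see #start)
    #   :zap     path to the zap.sh launcher; default "$HOME/ZAP/zap.sh"
    #   :output  path of a file that receives the started ZAP process' stdout;
    #            default is to inherit $stdout
    def initialize(params = {})
      @base    = params[:base] || "http://127.0.0.1:8080"
      @target  = params[:target]
      @api_key = params[:api_key]
      @zap_bin = params[:zap] || "#{ENV['HOME']}/ZAP/zap.sh"
      @output  = params[:output] || $stdout
    end

    # Status of one component, as returned by that component's wrapper.
    #
    # @param component [Symbol] :ascan, :spider or :scan
    # @return the wrapper's +status+ result, or a JSON string
    #   {"status":"unknown component"} for any other symbol
    def status_for(component)
      case component
      when :ascan
        Zap::Attack.new(:base => @base, :target => @target).status
      when :spider
        Zap::Spider.new(:base => @base, :target => @target).status
      when :scan
        # NOTE(review): only owasp_zap/scanner is required above, not owasp_zap/scan.
        # Unless Zap::Scan is defined in one of those files this branch raises NameError.
        Zap::Scan.new(:base => @base, :target => @target).status
      else
        { :status => "unknown component" }.to_json
      end
    end

    # True when a parsed ZAP response hash reports success.
    #
    # NOTE(review): indexing a Hash with the Integer 0 never matches a key of a
    # JSON object (keys are strings), so for a parsed API response this is always
    # false. ZAP action responses typically look like {"Result"=>"OK"}; confirm
    # against the running ZAP version before relying on this predicate.
    def ok?(json_data)
      json_data.is_a?(Hash) && json_data[0] == "OK"
    end

    # True when something answers HTTP 200 at the API base URL.
    #
    # Low-level connection failures (refused, reset, unreachable, timed out,
    # name resolution) are reported as "not running" instead of being raised;
    # the original only tolerated ECONNREFUSED. A non-2xx answer still
    # propagates as a RestClient exception, as before.
    def running?
      response = RestClient.get(@base.to_s)
      response.code == 200
    rescue Errno::ECONNREFUSED, Errno::ECONNRESET, Errno::EHOSTUNREACH,
           Errno::ENETUNREACH, Errno::ETIMEDOUT, SocketError
      false
    end

    # Policy wrapper bound to this instance's base URL.
    def policy
      Zap::Policy.new(:base => @base)
    end

    # Alert wrapper bound to this instance's base URL and target.
    def alerts
      Zap::Alert.new(:base => @base, :target => @target)
    end

    # Scanner wrapper bound to this instance's base URL.
    def scanner
      Zap::Scanner.new(:base => @base)
    end

    # Active-scan ("attack") wrapper bound to this instance's base URL and target.
    def ascan
      Zap::Attack.new(:base => @base, :target => @target)
    end

    # Spider wrapper bound to this instance's base URL and target.
    def spider
      Zap::Spider.new(:base => @base, :target => @target)
    end

    # Authentication wrapper bound to this instance's base URL.
    def auth
      Zap::Auth.new(:base => @base)
    end

    # Launches ZAP as a child process and returns its pid (the parent is
    # responsible for waiting on / reaping it). ZAP must be installed at
    # $HOME/ZAP or its launcher passed to the constructor as :zap.
    #
    # @param params [Hash]
    #   :daemon  when the key is present, start headless (-daemon); the value is ignored
    #   :api_key true  -> enable the API key given to the constructor (-config api.key=...)
    #            false -> disable API key checks (-config api.disablekey=true); the default
    #   :host    listen address for the proxy/API (-host)
    #   :port    listen port for the proxy/API (-port)
    # @raise [ArgumentError] when :api_key is true but no key was given to the constructor
    #
    # Security notes: disabling the key leaves the API open to any process that
    # can reach the listener -- on a shared host, or whenever :host is not a
    # loopback address, that includes other users. The launcher is exec'ed as an
    # argument vector, so :host, :port, the key and the launcher path are passed
    # to zap.sh verbatim and never re-interpreted by a shell.
    def start(params = {})
      argv = start_command(params)
      fork do
        # If :output => "file.txt" was given to the constructor, the child's
        # stdout (i.e. ZAP's stdout) goes to that file.
        unless @output == $stdout
          STDOUT.reopen(@output, 'w+')
          STDOUT.sync = true
        end
        print "Running the following command: #{argv.join(' ')} \n"
        # [cmd, argv0] form guarantees exec never goes through /bin/sh, even
        # for a one-element argv.
        exec([argv.first, argv.first], *argv.drop(1))
      end
    end

    # Asks ZAP to shut down via the core API.
    def shutdown
      RestClient.get(api_url("/JSON/core/action/shutdown/"))
    end

    # XML report of the current session (raw RestClient response).
    # Could arguably live on the Alert wrapper instead.
    def xml_report
      RestClient.get(api_url("/OTHER/core/other/xmlreport/"))
    end

    # HTML report of the current session (raw RestClient response).
    def html_report
      RestClient.get(api_url("/OTHER/core/other/htmlreport/"))
    end

    private

    # Builds the argument vector used by #start.
    #
    # Every option value is its own element, so values containing spaces or
    # shell metacharacters reach zap.sh unchanged. -daemon and the api.key /
    # api.disablekey setting are independent: the previous implementation used
    # a single `case`, which emitted only the first match and therefore silently
    # skipped the API-key configuration whenever :daemon was given.
    def start_command(params)
      params = { api_key: false }.merge(params)
      argv = [@zap_bin.to_s]
      argv << "-daemon" if params.key?(:daemon)
      if params[:api_key] == true
        # An empty api.key would start ZAP in a state the caller cannot reason about.
        raise ArgumentError, "start(api_key: true) needs an :api_key passed to the constructor" if @api_key.to_s.empty?
        argv << "-config" << "api.key=#{@api_key}"
      else
        argv << "-config" << "api.disablekey=true"
      end
      argv << "-host" << params[:host].to_s if params.key?(:host)
      argv << "-port" << params[:port].to_s if params.key?(:port)
      argv
    end

    # Absolute API URL for +path+, carrying the configured key as ZAP's
    # "apikey" query parameter. Without it every direct call in this class
    # fails once ZAP has been started with api_key: true; when no key is
    # configured the URL is exactly the base + path as before.
    def api_url(path)
      url = "#{@base}#{path}"
      return url if @api_key.to_s.empty?
      "#{url}?apikey=#{CGI.escape(@api_key.to_s)}"
    end
  end
end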