hawkscripts download taks

hawkscripts readme updates
simple GHA PR build workflow

.github/workflows/build.yaml

@@ -0,0 +1,14 @@
+name:  Build
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v2
+      - name: Gradle build
+        run: ./gradlew build

README.md

@@ -50,8 +50,8 @@ In PowerShell, with administrative privileges:
    2. add the new gradle directory to `$env:PATH`
 2. Run the gradle build:
    1. `.\gradlew.bat --no-daemon build`
-3. Update the `spring.datasource.url` in your local [application.properties](https://github.com/kaakaww/javaspringvulny/blob/main/src/main/resources/application.properties) file from `spring.datasource.url=jdbc:h2:file:${PWD}/db/vulny;DB_CLOSE_ON_EXIT=FALSE;AUTO_RECONNECT=TRUE` to an absolute path.
-   1. For instance: `spring.datasource.url=jdbc:h2:file:C:/Users/Dan/projects/javaspringvulny/db/vulny;DB_CLOSE_ON_EXIT=FALSE;AUTO_RECONNECT=TRUE`.
+3. Update the `spring.datasource.url` in your local [application.yaml](https://github.com/kaakaww/javaspringvulny/blob/main/src/main/resources/application.properties) file from `spring.datasource.url=jdbc:h2:file:${PWD}/db/vulny;DB_CLOSE_ON_EXIT=FALSE;AUTO_RECONNECT=TRUE` to an absolute path.
+   1. For instance: `spring.datasource.url: jdbc:h2:file:C:/Users/Dan/projects/javaspringvulny/db/vulny;DB_CLOSE_ON_EXIT=FALSE;AUTO_RECONNECT=TRUE`.
 
 ### Run
 
@@ -69,7 +69,7 @@ Once the app starts up, you can reach it at [https://localhost:9000](https://loc
 You can log in to the application with the following credentials:
 
 ```
-    username: user
+    username: janesmith
     password: password
 ```
 

azure-pipelines.yml

@@ -51,15 +51,6 @@ steps:
       dockerComposeFile: docker-compose.yml
       action: Run services
 
-  # specific path replacement for in-memory database on windows in azure-pipelines
-  - powershell: |
-      $file = 'src/main/resources/application.properties'
-      $find = 'spring.datasource.url=jdbc:h2:file:${PWD}/db/vulny;'
-      $replace = "spring.datasource.url=jdbc:h2:file:D:\\a\\1\\db\\vulny;"
-      (Get-Content $file).replace($find, $replace) | Set-Content $file
-    condition: eq(variables['imageName'], 'windows-latest')
-    displayName: Configure JavaSpringVulny for windows
-
   # azure pipelines default jdk is 8, so we upgrade to 11 to run JavaSpringVulny
   # the hawkscan msi bundles java with it, so this step isn't necesarry for running HawkScan
   - task: JavaToolInstaller@0
@@ -70,6 +61,7 @@ steps:
 
   # start javaspringVulny in the background
   - powershell: |
+      $Env:SPRING_PROFILES_ACTIVE = 'windows'
       start-process ./gradlew.bat bootRun
     displayName: Start JavaSpringVulny on windows with gradle in the background
     condition: eq(variables['imageName'], 'windows-latest')

docker-compose.yml

@@ -15,6 +15,7 @@ services:
     container_name: javavulny
     environment:
       SPRING_PROFILES_ACTIVE: postgresql
+      SPRING_DATASOURCE_URL: jdbc:postgresql://db:5432/postgres
     ports:
       - "9000:9000"
     links:

hawkscripts/README.md

@@ -0,0 +1,33 @@
+
+## Hawkscripts
+
+A directory of kotlin scripts to customize [HawkScan](https://docs.stackhawk.com/stackhawk-cli/#install-with-zip-file) with 
+[IntelliJ IDE](https://www.jetbrains.com/idea/download) support via gradle. 
+
+To enable IDE support...
+
+1. Open a shell in the root of the javaspringvulny repository and run...
+    ```shell
+    ./gradlew :hawkscripts:download
+    ```
+   This will download the hawk scripts sdk zip into the `hawkscripts/build` directory as 
+   required by the dependencies defined in [hawkscripts.gradle.kts](hawkscripts.gradle.kts). 
+1. Start the [IntelliJ IDE](https://www.jetbrains.com/idea/download)
+1. Open javaspringvulny as a new gradle project
+
+    ![intellij-new-project-1.png](help-images%2Fintellij-new-project-1.png)
+
+    ![intellij-new-project-2.png](help-images%2Fintellij-new-project-2.png)
+
+    ![intellij-new-project-3.png](help-images%2Fintellij-new-project-3.png)
+
+1. **Wait for the indexer!**
+   ![intellij-new-project-4.png](help-images%2Fintellij-new-project-4.png)
+
+When indexing is complete open any of the `.kts` files in the
+defined source directories `authentication, session, httpsender, active, proxy` 
+to see activated code highlighting, auto-completion, and inline compilation errors.
+
+Use the [hawk perch]() and [hawk validate auth --watch]() to 
+develop and test authentication and session scripts against your 
+running web API's. 

hawkscripts/authentication/form-auth-multi.kts

@@ -33,11 +33,6 @@ fun authenticate(
     logger.info("host ${talon.talonHawkScanConf.hawkscanConf.app.cleanHost()}")
 
     val mapper = ObjectMapper()
-    /*val payload = JSONObject().apply {
-        put("username", credentials.getParam("username"))
-        put("password", credentials.getParam("password"))
-    }.toString()*/
-
     val payload = mapper.writeValueAsString(
         mapOf(
             "username" to credentials.getParam("username"),

hawkscripts/hawkscripts.gradle.kts

@@ -1,11 +1,24 @@
-import org.jetbrains.kotlin.konan.file.File.Companion.userHome
+import java.net.HttpURLConnection
+import java.net.URL
+import java.nio.file.Files
+import kotlin.math.roundToLong
 
 plugins {
     kotlin("jvm") version "1.8.22"
 }
 
 val kotlinVersion = "1.7.20"
-val hawkScriptSdkVersion = "3.4.2"
+val hawkScriptSdkVersion = lazy { sdkVersion() }
+val sdkZipName = lazy {  "hawkscript-sdk-${hawkScriptSdkVersion.value}.zip" }
+val hawkScriptSDKZip = lazy { "$buildDir/${sdkZipName.value}" }
+
+tasks.compileKotlin.configure {
+    if (!File(hawkScriptSDKZip.value).exists()) {
+        logger.warn("hawkscripts sdk zip ${hawkScriptSDKZip.value} not found")
+        logger.lifecycle("Run ./gradlew :hawkscripts:download to enable kotlin scripting support for IntelliJ")
+    }
+    enabled = File(hawkScriptSDKZip.value).exists()
+}
 
 kotlin {
     sourceSets {
@@ -30,6 +43,73 @@ repositories {
 dependencies {
     compileOnly("org.jetbrains.kotlin:kotlin-stdlib:$kotlinVersion")
     compileOnly("org.jetbrains.kotlin:kotlin-script-runtime:$kotlinVersion")
-    // change to location of the hawkscript-sdk-<version>/ directory.
-    compileOnly(zipTree("$userHome/Downloads/hawkscript-sdk-$hawkScriptSdkVersion.zip"))
+    compileOnly(zipTree(hawkScriptSDKZip.value))
+}
+tasks.register("download") {
+
+    group = "StackHawk"
+    description = "Download the latest hawk scripting sdk zip"
+
+    doLast {
+
+        Files.createDirectories(buildDir.toPath())
+        val localSdkZip = File("$buildDir/${sdkZipName.value}")
+        if (!localSdkZip.exists()) {
+            val hawkscriptSdkUrl = URL("https://download.stackhawk.com/hawk/sdk/${sdkZipName.value}")
+            val zipConn = hawkscriptSdkUrl.openConnection() as HttpURLConnection
+            zipConn.connect()
+            if ((200..299).contains(zipConn.responseCode)) {
+                logger.lifecycle("Downloading $hawkscriptSdkUrl -> $localSdkZip")
+                val delay = 1000L
+                var curLen = 0
+                val len = zipConn.getHeaderField("Content-Length").toLong()
+                val input = zipConn.inputStream
+                localSdkZip.outputStream().use { output ->
+                    var buf = ByteArray(8192)
+                    var c = input.read(buf, 0, buf.size)
+                    var lastPct = 0L
+                    while (c != -1) {
+                        curLen += c
+                        output.write(buf, 0, c)
+                        c = input.read(buf, 0, buf.size)
+                        val pc = ((curLen.toDouble() / len.toDouble()) * 100).roundToLong()
+                        if ((System.currentTimeMillis() % delay) == 0L && lastPct != pc) {
+                            logger.lifecycle("${sdkZipName.value} [${curLen / 1024 / 1024}mb] ${pc}%")
+                            lastPct = pc
+                        }
+                    }
+                    val pc = ((curLen.toDouble() / len.toDouble()) * 100).roundToLong()
+                    logger.lifecycle("${sdkZipName.value} [${curLen / 1024 / 1024}mb] ${pc}%")
+                }
+            } else {
+                logger.error("Error downloading $hawkscriptSdkUrl ${zipConn.responseMessage}")
+            }
+        } else {
+            logger.lifecycle("latest hawkscan sdk already found: ${"$buildDir/${sdkZipName.value}"}")
+        }
+
+    }
+}
+
+fun sdkVersion(): String {
+    val verFile = File("$buildDir/hawkscriptsdk.version")
+    val ret = if (verFile.exists()) {
+        verFile.readText()
+    } else {
+        downloadSdkVersion()
+        verFile.readText()
+    }
+    return ret
 }
+
+fun downloadSdkVersion() {
+    Files.createDirectories(buildDir.toPath())
+    val hawkscanVersionUrl = URL("https://api.stackhawk.com/hawkscan/version")
+    val verisionConn = hawkscanVersionUrl.openConnection() as HttpURLConnection
+    verisionConn.connect()
+    val version = String(verisionConn.inputStream.readAllBytes())
+    File("$buildDir/hawkscriptsdk.version").outputStream().use {
+        it.write(version.toByteArray())
+    }
+}
+

src/main/resources/application-windows.yaml

@@ -0,0 +1,4 @@
+
+spring:
+  datasource:
+    url: jdbc:h2:file:D:\\a\\1\\db\\vulny;DB_CLOSE_ON_EXIT=FALSE;AUTO_RECONNECT=TRUE

stackhawk.d/stackhawk-auth-json-token.yml

@@ -10,7 +10,7 @@ app:
       loginPath: /api/jwt/auth/signin
       usernameField: username
       passwordField: password
-      scanUsername: "user"
+      scanUsername: "janesmith"
       scanPassword: "password"
     tokenExtraction:
       type: TOKEN_PATH

stackhawk.d/stackhawk-custom-spider-curl.yml

@@ -16,7 +16,7 @@ app:
       loginPagePath: /login
       usernameField: username
       passwordField: password
-      scanUsername: "user"
+      scanUsername: "janesmith"
       scanPassword: "password"
     cookieAuthorization:
       cookieNames:

stackhawk.d/stackhawk-custom-spider-newman.yml

@@ -16,7 +16,7 @@ app:
       loginPagePath: /login
       usernameField: username
       passwordField: password
-      scanUsername: "user"
+      scanUsername: "janesmith"
       scanPassword: "password"
     cookieAuthorization:
       cookieNames:

stackhawk.d/stackhawk-jsv-form-cookie.yml

@@ -18,7 +18,7 @@ app:
       loginPagePath: /login
       usernameField: username
       passwordField: password
-      scanUsername: "user"
+      scanUsername: "janesmith"
       scanPassword: "password"
     cookieAuthorization:
       cookieNames:

stackhawk.d/stackhawk-jsv-json-token.yml

@@ -15,7 +15,7 @@ app:
       loginPath: /api/jwt/auth/signin
       usernameField: username
       passwordField: password
-      scanUsername: "user"
+      scanUsername: "janesmith"
       scanPassword: "password"
     tokenAuthorization:
       type: HEADER

stackhawk.d/stackhawk-openapi.yml

@@ -13,7 +13,7 @@ app:
       loginPath: /api/jwt/auth/signin
       usernameField: username
       passwordField: password
-      scanUsername: "user"
+      scanUsername: "janesmith"
       scanPassword: "password"
     tokenAuthorization:
       type: HEADER

stackhawk.yml

@@ -28,6 +28,3 @@ app:
     testPath:
       path: /search
       success: "HTTP.*200.*"
-  waitForAppTarget:
-    pollDelay: 500
-    waitTimeoutMillis: 5000