nexpose 0.9.8 → 1.0.0

data/lib/nexpose/site_credentials.rb

@@ -0,0 +1,178 @@
+module Nexpose
+
+  # Object that represents administrative credentials to be used
+  # during a scan. When retrieved from an existing site configuration
+  # the credentials will be returned as a security blob and can only
+  # be passed back as is during a Site Save operation. This object
+  # can only be used to create a new set of credentials.
+  #
+  class SiteCredentials < Credential
+
+    # Unique identifier of the credential on the Nexpose console.
+    attr_accessor :id
+    # The service for these credentials.
+    attr_accessor :service
+    # The host for these credentials.
+    attr_accessor :host_restriction
+    # The port on which to use these credentials.
+    attr_accessor :port_restriction
+    # The password
+    attr_accessor :password
+    # The name
+    attr_accessor :name
+    # is this credential enable on site or not.
+    attr_accessor :enabled
+    # the description of credential
+    attr_accessor :description
+    # domain of the service
+    attr_accessor :domain
+    # database of the service
+    attr_accessor :database
+    # The type of privilege escalation to use (sudo/su)
+    # Permission elevation type. See Nexpose::Credential::ElevationType.
+    attr_accessor :permission_elevation_type
+    # The userid to use when escalating privileges (optional)
+    attr_accessor :permission_elevation_user
+    # The password to use when escalating privileges (optional)
+    attr_accessor :permission_elevation_password
+    # The authentication type to use with SNMP v3 credentials
+    attr_accessor :authentication_type
+    # The privacy/encryption type to use with SNMP v3 credentials
+    attr_accessor :privacy_type
+    # The privacy/encryption pass phrase to use with SNMP v3 credentials
+    attr_accessor :privacy_password
+    # the user name to be used in service
+    attr_accessor :user_name
+    # the notes password
+    attr_accessor :notes_id_password
+    # use windows auth
+    attr_accessor :use_windows_auth
+    # sid for oracle
+    attr_accessor :sid
+    #for ssh public key require pem format private key
+    attr_accessor :pem_format_private_key
+    # for snmp v1/v2
+    attr_accessor :community_name
+    # scope of credential
+    attr_accessor :scope
+
+    #Create a credential object using name, id, description, host and port
+    def self.for_service(name, id = -1, desc = nil, host = nil, port = nil, service = Credential::Service::CIFS)
+      cred = new
+      cred.name = name
+      cred.id = id.to_i
+      cred.enabled = true
+      cred.description = desc
+      cred.host_restriction = host
+      cred.port_restriction = port
+      cred.service = service
+      cred.scope = Credential::Scope::SITE_SPECIFIC
+      cred
+    end
+
+    # Load an credential from the provided console.
+    #
+    # @param [Connection] nsc Active connection to a Nexpose console.
+    # @param [String] id Unique identifier of an site.
+    # @param [String] id Unique identifier of an credential.
+    # @return [SiteCredential] The requested credential of site, if found.
+    #
+    def self.load(nsc, site_id, credential_id)
+      uri = "/api/2.1/sites/#{site_id}/credentials/#{credential_id}"
+      resp = AJAX.get(nsc, uri, AJAX::CONTENT_TYPE::JSON)
+      hash = JSON.parse(resp, symbolize_names: true)
+      new.object_from_hash(nsc, hash)
+    end
+
+    # Copy an existing configuration from a Nexpose instance.
+    # Returned object will reset the credential ID and append "Copy" to the existing
+    # name.
+    #
+    # @param [Connection] connection Connection to the security console.
+    # @param [String] id Unique identifier of an site.
+    # @param [String] id Unique identifier of an credential.
+    # @return [SiteCredentials] Site credential loaded from a Nexpose console.
+    #
+    def self.copy(connection, site_id, credential_id)
+      siteCredential = self.load(connection, site_id, credential_id)
+      siteCredential.id = -1
+      siteCredential.name = "#{siteCredential.name} Copy"
+      siteCredential
+    end
+
+    # Copy an existing configuration from a site credential.
+    # Returned object will reset the credential ID and append "Copy" to the existing
+    # name.
+    #
+    # @param [siteCredential] site credential to be copied.
+    # @return [SiteCredentials] modified.
+    #
+    def self.copy(siteCredential)
+      siteCredential.id = -1
+      siteCredential.name = "#{siteCredential.name} Copy"
+      siteCredential
+    end
+
+    def to_json
+      JSON.generate(to_h)
+    end
+
+    def to_h
+      { id: id,
+        service: service,
+        host_restriction: host_restriction,
+        port_restriction: port_restriction,
+        password: password,
+        name: name,
+        enabled: enabled,
+        description: description,
+        domain: domain,
+        database: database,
+        permission_elevation_type: permission_elevation_type,
+        permission_elevation_user: permission_elevation_user,
+        permission_elevation_password: permission_elevation_password,
+        authentication_type: authentication_type,
+        privacy_type: privacy_type,
+        privacy_password: privacy_password,
+        user_name: user_name,
+        notes_id_password: notes_id_password,
+        use_windows_auth: use_windows_auth,
+        sid: sid,
+        pem_format_private_key: pem_format_private_key,
+        community_name: community_name,
+        scope: scope
+      }
+    end
+
+    def ==(other)
+      eql?(other)
+    end
+
+    def eql?(other)
+      id.eql?(other.id) &&
+      service.eql?(other.service) &&
+      host_restriction.eql?(other.host_restriction) &&
+      port_restriction.eql?(other.port_restriction) &&
+      password.eql?(other.password) &&
+      name.eql?(other.name) &&
+      enabled.eql?(other.enabled) &&
+      description.eql?(other.description) &&
+      domain.eql?(other.domain) &&
+      database.eql?(other.database) &&
+      permission_elevation_type.eql?(other.permission_elevation_type) &&
+      permission_elevation_user.eql?(other.permission_elevation_user) &&
+      permission_elevation_password.eql?(other.permission_elevation_password) &&
+      authentication_type.eql?(other.authentication_type) &&
+      privacy_type.eql?(other.privacy_type) &&
+      privacy_password.eql?(other.privacy_password) &&
+      user_name.eql?(other.user_name) &&
+      notes_id_password.eql?(other.notes_id_password) &&
+      use_windows_auth.eql?(other.use_windows_auth) &&
+      sid.eql?(other.sid) &&
+      pem_format_private_key.eql?(other.pem_format_private_key) &&
+      community_name.eql?(other.community_name) &&
+      scope.eql?(other.scope)
+    end
+
+  end
+end

data/lib/nexpose/tag.rb

@@ -218,7 +218,48 @@ module Nexpose
       end 
 
       @color = hex 
-    end 
+    end
+
+    # Create list of tag objects from hash
+    def self.load_tags(tags)
+      unless tags.nil?
+        tags = tags.map do |hash|
+          self.create(hash)
+        end
+      end
+      tags
+    end
+
+    # Create tag object from hash
+    def self.create(hash)
+      attributes = hash[:attributes]
+      color = attributes.find { |attr| attr[:tag_attribute_name] == 'COLOR' }
+      color = color[:tag_attribute_value] if color
+      source = attributes.find { |attr| attr[:tag_attribute_name] == 'SOURCE' }
+      source = source[:tag_attribute_value] if source
+      tag = Tag.new(hash[:tag_name], hash[:tag_type], hash[:tag_id])
+      tag.color = color
+      tag.source = source
+      tag
+    end
+
+    def to_h
+      {
+        tag_id: id,
+        tag_name: name,
+        tag_type: type,
+        attributes:[
+          {
+            tag_attribute_name: "COLOR",
+            tag_attribute_value: color
+          },
+          {
+            tag_attribute_name: "SOURCE",
+            tag_attribute_value: source
+          }
+        ]
+      }
+    end
 
     # Creates and saves a tag to Nexpose console
     #

data/lib/nexpose/util.rb

@@ -1,5 +1,4 @@
 module Nexpose
-
   module Sanitize
     def replace_entities(str)
       str.to_s.gsub(/&/, '&amp;').gsub(/'/, '&apos;').gsub(/"/, '&quot;').gsub(/</, '&lt;').gsub(/>/, '&gt;')
@@ -7,21 +6,18 @@ module Nexpose
   end
 
   module XMLUtils
-
     def parse_xml(xml)
       ::REXML::Document.new(xml.to_s)
     end
 
     def make_xml(name, opts = {}, data = '', append_session_id = true)
       xml = REXML::Element.new(name)
-      if @session_id and append_session_id
+      if @session_id && append_session_id
         xml.attributes['session-id'] = @session_id
       end
 
       opts.keys.each do |k|
-        if opts[k] != nil
-          xml.attributes[k] = "#{opts[k]}"
-        end
+        xml.attributes[k] = "#{opts[k]}" unless opts[k].nil?
       end
 
       xml.text = data
@@ -54,16 +50,15 @@ module Nexpose
     # @return [IPRange|HostName] Valid class, if it can be converted.
     #
     def convert(asset)
-      begin
-        # Use IPAddr construtor validation to see if it's an IP.
-        IPAddr.new(asset)
-        IPRange.new(asset)
-      rescue ArgumentError => e
-        if e.message == 'invalid address'
-          HostName.new(asset)
-        else
-          raise "Unable to parse asset: '#{asset}'. #{e.message}"
-        end
+      ips = asset.split(' - ')
+      IPAddr.new(ips[0])
+      IPAddr.new(ips[1]) if ips[1]
+      IPRange.new(ips[0], ips[1])
+    rescue ArgumentError => e
+      if e.message == 'invalid address'
+        HostName.new(asset)
+      else
+        raise "Unable to parse asset: '#{asset}'. #{e.message}"
       end
     end
 

data/lib/nexpose/version.rb

@@ -1,4 +1,4 @@
 module Nexpose
   # The latest version of the Nexpose gem
-  VERSION = '0.9.8'
+  VERSION = '1.0.0'
 end

data/lib/nexpose/wait.rb

@@ -0,0 +1,103 @@
+module Nexpose
+  class Wait
+    attr_reader :error_message, :ready, :retry_count, :timeout, :polling_interval
+
+    def initialize(retry_count: nil, timeout: nil, polling_interval: nil)
+      @error_message = 'Default General Failure in Nexpose::Wait'
+      @ready = false
+      @retry_count = retry_count.to_i
+      @timeout = timeout
+      @polling_interval = polling_interval
+    end
+
+    def ready?
+      @ready
+    end
+
+    def for_report(nexpose_connection:, report_id:)
+      poller = Nexpose::Poller.new(timeout: @timeout, polling_interval: @polling_interval)
+      poller.wait(report_status_proc(nexpose_connection: nexpose_connection, report_id: report_id))
+      @ready = true
+      rescue TimeoutError
+        retry if timeout_retry?
+        @error_message = "Timeout Waiting for Report to Generate - Report Config ID: #{report_id}"
+      rescue NoMethodError => error
+        @error_message = "Error Report Config ID: #{report_id} :: Report Probably Does Not Exist :: #{error}"
+      rescue => error
+        @error_message = "Error Report Config ID: #{report_id} :: #{error}"
+    end
+
+    def for_integration(nexpose_connection:, scan_id:, status: 'finished')
+      poller = Nexpose::Poller.new(timeout: @timeout, polling_interval: @polling_interval)
+      poller.wait(integration_status_proc(nexpose_connection: nexpose_connection, scan_id: scan_id, status: status))
+      @ready = true
+      rescue TimeoutError
+        retry if timeout_retry?
+        @error_message = "Timeout Waiting for Integration Status of '#{status}' - Scan ID: #{scan_id}"
+      rescue Nexpose::APIError => error
+        @error_message = "API Error Waiting for Integration Scan ID: #{scan_id} :: #{error.req.error}"
+    end
+
+    def for_judgment(proc:, desc:)
+      poller = Nexpose::Poller.new(timeout: @timeout, polling_interval: @polling_interval)
+      poller.wait(proc)
+      @ready = true
+      rescue TimeoutError
+        retry if timeout_retry?
+        @error_message = "Timeout Waiting for Judgment to Judge. #{desc}"
+    end
+
+    private
+
+    def report_status_proc(nexpose_connection:, report_id:)
+      Proc.new { nexpose_connection.last_report(report_id).status == 'Generated' }
+    end
+
+    def integration_status_proc(nexpose_connection:, scan_id:, status:)
+      Proc.new { nexpose_connection.scan_status(scan_id).downcase == status.downcase }
+    end
+
+    def timeout_retry?
+      if @retry_count > 0
+        @retry_count -= 1
+        true
+      else
+        false
+      end
+    end
+  end
+
+  class Poller
+    ## Stand alone object to handle waiting logic.
+    attr_reader :timeout, :polling_interval, :poll_begin
+
+    def initialize(timeout: nil, polling_interval: nil)
+      global_timeout = set_global_timeout
+      @timeout = timeout.nil? ? global_timeout : timeout
+
+      global_polling = set_polling_interval
+      @polling_interval = polling_interval.nil? ? global_polling : polling_interval
+    end
+
+    def wait(condition)
+      @poll_begin = Time.now
+      loop do
+        break if condition.call
+        raise TimeoutError if @poll_begin + @timeout < Time.now
+        sleep @polling_interval
+      end
+    end
+
+    private
+
+    def set_global_timeout
+      default_timeout = 120
+      ENV['GLOBAL_TIMEOUT'].nil? ? default_timeout : ENV['GLOBAL_TIMEOUT']
+    end
+
+    def set_polling_interval
+      default_polling = 1
+      ENV['GLOBAL_POLLING_INTERVAL'].nil? ? default_polling : ENV['GLOBAL_POLLING_INTERVAL']
+    end
+  end
+end

data/lib/nexpose/web_credentials.rb

@@ -0,0 +1,252 @@
+module Nexpose
+
+  # Object that represents web credential defined in site configuration.
+  module WebCredentials
+
+    module WebAppAuthType
+      HTML_FORM = 'htmlform'  # Represent HTML form credentials.
+      HTTP_HEADER = 'httpheaders' # Represent HTTP header credentials.
+    end
+
+    # Object that represents Header name-value pairs, associated with Web Session Authentication.
+    #
+    class Header
+
+      # Name, one per Header
+      attr_reader :name
+      # Value, one per Header
+      attr_reader :value
+
+      # Construct with name value pair
+      def initialize(name, value)
+        @name = name
+        @value = value
+      end
+
+      def to_json
+        JSON.generate(to_h)
+      end
+
+      def to_h
+        header = Hash.new
+        header[@name] = @value
+        header
+      end
+    end
+
+    # Object that represents Headers, associated with Web Session Authentication.
+    #
+    class Headers < APIObject
+
+      # A regular expression used to match against the response to identify authentication failures.
+      attr_reader :soft403Pattern
+      # Base URL of the application for which the form authentication applies.
+      attr_reader :baseURL
+      # When using HTTP headers, this represents the set of headers to pass with the authentication request.
+      attr_reader :headers
+      # name of the html header
+      attr_reader :name
+      # is this enable for the site configuration
+      attr_accessor :enabled
+      #service type of header
+      attr_reader :service
+      # id of the header
+      attr_reader :id
+
+
+      def initialize(name, baseURL, soft403Pattern, id = -1, enabled = true)
+        @headers = {}
+        @name = name
+        @baseURL = baseURL
+        @soft403Pattern = soft403Pattern
+        @service = WebAppAuthType::HTTP_HEADER
+        @enabled = enabled
+        @id = id
+      end
+
+      def add_header(header)
+        @headers = @headers.merge(header.to_h)
+      end
+
+      def to_json
+        JSON.generate(to_h)
+      end
+
+      def to_h
+        { id: id,
+          service: service,
+          enabled: enabled,
+          name: name,
+          headers: headers,
+          baseURL: baseURL,
+          soft403Pattern: soft403Pattern
+        }
+      end
+
+      def ==(other)
+        eql?(other)
+      end
+
+      def eql?(other)
+        id.eql?(other.id) &&
+        service.eql?(other.service) &&
+        enabled.eql?(other.enabled) &&
+        name.eql?(other.name) &&
+        headers.eql?(other.headers) &&
+        baseURL.eql?(other.baseURL) &&
+        soft403Pattern.eql?(other.soft403Pattern)
+      end
+   end
+
+    # When using HTML form, this represents the login form information.
+    #
+    class Field
+      # The name of the HTML field (form parameter).
+      attr_reader :name
+      # The value of the HTML field (form parameter).
+      attr_reader :value
+      # The type of the HTML field (form parameter).
+      attr_reader :type
+      # Is the HTML field (form parameter) dynamically generated? If so,
+      # the login page is requested and the value of the field is extracted
+      # from the response.
+      attr_reader :dynamic
+      # If the HTML field (form parameter) is a radio button, checkbox or select
+      # field, this flag determines if the field should be checked (selected).
+      attr_reader :checked
+
+      def initialize(name, value, type, dynamic, checked)
+        @name = name
+        @value = value
+        @type = type
+        @dynamic = dynamic
+        @checked = checked
+      end
+
+      def to_json
+        JSON.generate(to_h)
+      end
+
+      def to_h
+        {
+          value: value,
+          type: type,
+          name: name,
+          dynamic: dynamic,
+          checked: checked
+        }
+      end
+    end
+
+    # When using HTML form, this represents the login form information.
+    #
+    class HTMLForm
+
+      # The name of the form being submitted.
+      attr_reader :name
+      # The HTTP action (URL) through which to submit the login form.
+      attr_reader :action
+      # The HTTP request method with which to submit the form.
+      attr_reader :method
+      # The HTTP encoding type with which to submit the form.
+      attr_reader :encType
+      # The fields in the HTML Form
+      attr_reader :fields
+
+      def initialize(name, action, method, encType)
+        @name = name
+        @action = action
+        @method = method
+        @encType = encType
+        @fields = []
+      end
+
+      def add_field(field)
+        @fields << field.to_h
+      end
+
+      def to_json
+        JSON.generate(to_h)
+      end
+
+      def to_h
+        { name: name,
+          action: action,
+          method: method,
+          encType: encType,
+          fields: fields,
+          parentPage: action
+        }
+      end
+    end
+
+    # When using HTML form, this represents the login form information.
+    #
+    class HTMLForms < APIObject
+
+      # A regular expression used to match against the response to identify authentication failures.
+      attr_reader :soft403Pattern
+      # Base URL of the application for which the form authentication applies.
+      attr_reader :baseURL
+      # The URL of the login page containing the login form.
+      attr_reader :loginURL
+      # name of the html header
+      attr_reader :name
+      # is this enable for the site configuration
+      attr_accessor :enabled
+      #service type of header
+      attr_reader :service
+      # id of the header
+      attr_reader :id
+      # The forms to authenticate with
+      attr_reader :form
+
+      def initialize(name, baseURL, loginURL, soft403Pattern, id = -1, enabled = true)
+        @name = name
+        @baseURL = baseURL
+        @loginURL = loginURL
+        @soft403Pattern = soft403Pattern
+        @service = WebAppAuthType::HTML_FORM
+        @enabled = enabled
+        @id = id
+      end
+
+      def add_html_form(html_form)
+        @form = html_form
+      end
+
+      def to_json
+        JSON.generate(to_h)
+      end
+
+      def to_h
+        { id: id,
+          service: service,
+          enabled: enabled,
+          name: name,
+          form: form.to_h,
+          baseURL: baseURL,
+          loginURL: loginURL,
+          soft403Pattern: soft403Pattern
+        }
+      end
+
+      def ==(other)
+        eql?(other)
+      end
+
+      def eql?(other)
+        id.eql?(other.id) &&
+        service.eql?(other.service) &&
+        enabled.eql?(other.enabled) &&
+        name.eql?(other.name) &&
+        form.eql?(other.form) &&
+        baseURL.eql?(other.baseURL) &&
+        loginURL.eql?(other.loginURL) &&
+        soft403Pattern.eql?(other.soft403Pattern)
+      end
+
+    end
+  end
+end
+