devsecops-engine-tools 1.33.0__py3-none-any.whl → 1.33.1__py3-none-any.whl

devsecops_engine_tools/engine_dast/src/infrastructure/driven_adapters/http/client/auth_client.py

@@ -0,0 +1,12 @@
+from devsecops_engine_tools.engine_dast.src.domain.model.gateways.authentication_gateway import (
+    AuthenticationGateway,
+)
+
+
+class AuthClientCredential(AuthenticationGateway):
+    def __init__(self, security_auth: dict):
+        self.client_id: str = security_auth.get("client_id")
+        self.client_secrets: str = security_auth.get("client_secret")
+
+    def get_credentials(self):
+        return None

devsecops_engine_tools/engine_dast/src/infrastructure/driven_adapters/jwt/jwt_object.py

@@ -0,0 +1,64 @@
+from time import (
+    time
+)
+from secrets import (
+    token_hex
+)
+from authlib.jose import (
+    jwt
+)
+from devsecops_engine_tools.engine_dast.src.domain.model.gateways.authentication_gateway import (
+    AuthenticationGateway,
+)
+
+
+class JwtObject(AuthenticationGateway):
+    def __init__(self, security_auth: dict):
+        self.type = "jwt"
+        self.private_key: str = security_auth.get("jwt_private_key")
+        self.algorithm: str = security_auth.get("jwt_algorithm")
+        self.iss: str = security_auth.get("jwt_iss")
+        self.sum: str = security_auth.get("jwt_sum")
+        self.aud: str = security_auth.get("jwt_aud")
+        self.iat: float = time()
+        self.exp: float = self.iat + 60 * 60
+        self.nonce = token_hex(10)
+        self.payload: dict = {}
+        self.header: dict = {}
+        self.jwt_token: str = ""
+        self.header_name: str = security_auth.get("jwt_header_name")
+        self.init_header()
+        self.init_payload()
+
+    def init_header(self) -> None:
+        self.header: dict = {"alg": self.algorithm}
+
+    def init_payload(self) -> dict:
+        self.payload: dict = {
+            "iss": self.iss,
+            "sum": self.sum,
+            "aud": self.aud,
+            "exp": self.exp,
+            "iat": self.iat,
+            "nonce": self.nonce,
+        }
+        return self.payload
+
+    def get_credentials(self) -> tuple:
+        """
+        Generates JWT using a file with the configuration
+
+        Returns:
+
+        tuple: header and jwt
+
+        """
+        self.private_key = (
+            self.private_key.replace(" ", "\n")
+            .replace("-----BEGIN\nPRIVATE\nKEY-----", "-----BEGIN PRIVATE KEY-----")
+            .replace("-----END\nPRIVATE\nKEY-----", "-----END PRIVATE KEY-----")
+        )
+        self.jwt_token = jwt.encode(self.header, self.payload, self.private_key).decode(
+            "utf-8"
+        )
+        return self.header_name, self.jwt_token

devsecops_engine_tools/engine_dast/src/infrastructure/driven_adapters/jwt/jwt_tool.py

@@ -0,0 +1,153 @@
+from typing import (
+    List
+)
+from datetime import (
+    datetime,
+)
+import jwt
+from devsecops_engine_tools.engine_core.src.domain.model.finding import (
+    Category,
+    Finding,
+)
+from devsecops_engine_tools.engine_dast.src.domain.model.gateways.tool_gateway import (
+    ToolGateway,
+)
+from devsecops_engine_tools.engine_dast.src.domain.model.api_operation import (
+    ApiOperation
+)
+from devsecops_engine_tools.engine_dast.src.infrastructure.helpers.file_generator_tool import (
+    generate_file_from_tool,
+)
+
+class JwtTool(ToolGateway):
+
+    def __init__(self, target_config):
+        self.TOOL = "JWT"
+        self.BAD_JWT_ALG = ["none", "ES256", "ES384", "ES512"]
+        self.BAD_JWS_ALG = ["none", "ES256", "ES384", "ES512"]
+        self.GOOD_JWE_ALG = ["dir", "RSA-OAEP", "RSA-OAEP-256"]
+        self.GOOD_JWE_ENC = ["A256GCM"]
+        self.target_config = target_config
+
+    def verify_jwt_alg(self, token):
+        "Evaluate JSON Web token's algorithm"
+
+        map_id = "JWT_ALGORITHM"
+        alg = jwt.get_unverified_header(token)["alg"]
+
+        if alg in self.BAD_JWT_ALG: #Is vulnerable
+            return {
+                "map_id": map_id,
+                "description": "msg"
+                }
+
+    def verify_jws_alg(self, token):
+        """Evaluate JSON Web signature's algorithm"""
+
+        map_id = "JWS_ALGORITHM"
+        alg = jwt.get_unverified_header(token)["alg"]
+
+        if alg in self.BAD_JWS_ALG:#Is vulnerable
+            return {
+                "map_id": map_id,
+                "description": "msg"
+                }
+
+    def verify_jwe(self, token):
+        """Evaluate JSON Web encryption's algorithm"""
+
+        map_id = "JWE_ALGORITHM"
+        msg = ""
+        enc = jwt.get_unverified_header(token)["enc"]
+        alg = jwt.get_unverified_header(token)["alg"]
+
+        if enc in self.GOOD_JWE_ENC:
+            if alg in self.GOOD_JWE_ALG:# Is not vulnerable
+                return
+            else:
+                msg = "Algorithm: " + alg
+        else:
+            msg = "Encryption: " + enc
+
+        return {
+            "map_id": map_id,
+            "description": msg
+            }
+
+    def check_token(self, token, jwt_details, config_tool):
+        "Validates JWT, JWS or JWE"
+
+        hed = jwt.get_unverified_header(token)
+
+        if "enc" in hed.keys():
+            result = self.verify_jwe(token)
+        elif "typ" in hed.keys():
+            result = self.verify_jwt_alg(token)
+        else:
+            result = self.verify_jws_alg(token)
+
+        if result:
+            mapped_result = {
+                "check_id": config_tool["RULES"][result["map_id"]]["checkID"],
+                "cvss": config_tool["RULES"][result["map_id"]]["cvss"],
+                "matched-at": jwt_details["path"],
+                "description": result["msg"],
+                "severity": config_tool["RULES"][result["map_id"]]["severity"],
+                "remediation": result["remediation"]
+            }
+            return mapped_result
+        return None
+    
+    def configure_tool(self, target_data):
+        """Method for group all operations that uses JWT"""
+        jwt_list: List[ApiOperation] = []
+        for operation in target_data.operations:
+            if operation.authentication_gateway.type.lower() == "jwt":
+                jwt_list.append(operation)
+        return jwt_list
+
+    def execute(self, jwt_config: List[ApiOperation], config_tool):
+        result_scans = []
+        if len(jwt_config) > 0:
+            for jwt_operation in jwt_config:
+                jwt_operation.authenticate()
+                result = self.check_token(token=jwt_operation.credentials[1],
+                                        jwt_details=jwt_operation.data["operation"],
+                                        config_tool=config_tool)
+                if result:
+                    result_scans.append(result)
+        return result_scans
+
+    def get_list_finding(
+        self,
+        result_scan_list: "List[dict]"
+    ) -> "List[Finding]":
+        list_open_findings = []
+        if len(result_scan_list) > 0:
+            for scan in result_scan_list:
+                finding_open = Finding(
+                    id=scan.get("check-id"),
+                    cvss=scan.get("cvss"),
+                    where=scan.get("matched-at"),
+                    description=scan.get("description"),
+                    severity=scan.get("severity").lower(),
+                    identification_date=datetime.now().strftime("%d%m%Y"),
+                    module="engine_dast",
+                    category=Category("vulnerability"),
+                    requirements=scan.get("remediation"),
+                    tool="jwt",
+                    published_date_cve=scan.get("published-cve")
+                )
+                list_open_findings.append(finding_open)
+        return list_open_findings
+
+    def run_tool(self, target_data, config_tool):
+        jwt_config = self.configure_tool(target_data)
+        result_scans = self.execute(jwt_config, config_tool)
+        if result_scans:
+            finding_list = self.get_list_finding(result_scans)
+            path_file_results = generate_file_from_tool(
+                self.TOOL, result_scans, config_tool
+            )
+            return finding_list, path_file_results
+        return []

devsecops_engine_tools/version.py

@@ -1 +1 @@
-version = '1.33.0'
+version = '1.33.1'

{devsecops_engine_tools-1.33.0.dist-info → devsecops_engine_tools-1.33.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: devsecops-engine-tools
-Version: 1.33.0
+Version: 1.33.1
 Summary: Tool for DevSecOps strategy
 Home-page: https://github.com/bancolombia/devsecops-engine-tools
 Author: Bancolombia DevSecOps Team

{devsecops_engine_tools-1.33.0.dist-info → devsecops_engine_tools-1.33.1.dist-info}/RECORD

@@ -1,5 +1,5 @@
 devsecops_engine_tools/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-devsecops_engine_tools/version.py,sha256=slrJ8PjsmWhzds_t0aw7z9hMpKCAEOkgVl8LCAlXhwA,19
+devsecops_engine_tools/version.py,sha256=C3tgQeyYdXECCw9lJcXqOY08lfb8673_qriiLlgXXUE,19
 devsecops_engine_tools/engine_core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_core/src/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_core/src/applications/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -72,6 +72,12 @@ devsecops_engine_tools/engine_dast/src/domain/usecases/__init__.py,sha256=47DEQp
 devsecops_engine_tools/engine_dast/src/domain/usecases/dast_scan.py,sha256=9zQhA8d9McGWNT2ZdvjmjWCIPN3UpST7RWve2QvyHu4,4693
 devsecops_engine_tools/engine_dast/src/infrastructure/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_dast/src/infrastructure/driven_adapters/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+devsecops_engine_tools/engine_dast/src/infrastructure/driven_adapters/http/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+devsecops_engine_tools/engine_dast/src/infrastructure/driven_adapters/http/client/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+devsecops_engine_tools/engine_dast/src/infrastructure/driven_adapters/http/client/auth_client.py,sha256=aeEB5-TKH1jow8KwxSpucpgoGrxotJ7jeY2Jliwr20o,407
+devsecops_engine_tools/engine_dast/src/infrastructure/driven_adapters/jwt/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+devsecops_engine_tools/engine_dast/src/infrastructure/driven_adapters/jwt/jwt_object.py,sha256=p0_rDDjdsyAa_ar-HgZE_SQE-beua0oK3KBnwj8EmPo,1998
+devsecops_engine_tools/engine_dast/src/infrastructure/driven_adapters/jwt/jwt_tool.py,sha256=9Yh7lOd6lsHcvl8exgWW7N8qTP55w-Znl0kid7IlKrM,5431
 devsecops_engine_tools/engine_dast/src/infrastructure/driven_adapters/nuclei/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_dast/src/infrastructure/driven_adapters/nuclei/nuclei_config.py,sha256=TxjdA5_KDmn-RqZQsPkrrqyjd9zPMweKH37pwnxSV8Q,3090
 devsecops_engine_tools/engine_dast/src/infrastructure/driven_adapters/nuclei/nuclei_deserealizer.py,sha256=qqoBMXr350ItzabSU6a_fD2-9kB6pAmtWioFP5AvCIE,1346
@@ -341,8 +347,8 @@ devsecops_engine_tools/engine_utilities/utils/name_conversion.py,sha256=ADJrRGax
 devsecops_engine_tools/engine_utilities/utils/printers.py,sha256=amYAr9YQfYgR6jK9a2l26z3oovFPQ3FAKmhq6BKhEBA,623
 devsecops_engine_tools/engine_utilities/utils/session_manager.py,sha256=Z0fdhB3r-dxU0nGSD9zW_B4r2Qol1rUnUCkhFR0U-HQ,487
 devsecops_engine_tools/engine_utilities/utils/utils.py,sha256=dAklY11OGNDODjZyt9dO68Xiwu9pLJmqLOslqQ7rXa8,6112
-devsecops_engine_tools-1.33.0.dist-info/METADATA,sha256=JjNGfCUCAgdfAXsGiI-nqwmOehCbPKRKPQVaWhD2cHc,11592
-devsecops_engine_tools-1.33.0.dist-info/WHEEL,sha256=R0nc6qTxuoLk7ShA2_Y-UWkN8ZdfDBG2B6Eqpz2WXbs,91
-devsecops_engine_tools-1.33.0.dist-info/entry_points.txt,sha256=MHCTFFs9bdNKo6YcWCcBW2_8X6yTisgLOlmVx-V8Rxc,276
-devsecops_engine_tools-1.33.0.dist-info/top_level.txt,sha256=ge6y0X_xBAU1aG3EMWFtl9djbVyg5BxuSp2r2Lg6EQU,23
-devsecops_engine_tools-1.33.0.dist-info/RECORD,,
+devsecops_engine_tools-1.33.1.dist-info/METADATA,sha256=2w3FO-t3Z9lQmBt-8CrAO7CRvGyvi8BojDLAC4uTFBA,11592
+devsecops_engine_tools-1.33.1.dist-info/WHEEL,sha256=R0nc6qTxuoLk7ShA2_Y-UWkN8ZdfDBG2B6Eqpz2WXbs,91
+devsecops_engine_tools-1.33.1.dist-info/entry_points.txt,sha256=MHCTFFs9bdNKo6YcWCcBW2_8X6yTisgLOlmVx-V8Rxc,276
+devsecops_engine_tools-1.33.1.dist-info/top_level.txt,sha256=ge6y0X_xBAU1aG3EMWFtl9djbVyg5BxuSp2r2Lg6EQU,23
+devsecops_engine_tools-1.33.1.dist-info/RECORD,,