Package com.adobe.granite.maven.scq

Source Code of com.adobe.granite.maven.scq.SecureCQMojo

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
/*
*    Copyright 2013 Adobe
*
*   Licensed under the Apache License, Version 2.0 (the "License");
*   you may not use this file except in compliance with the License.
*   You may obtain a copy of the License at
*
*     http://www.apache.org/licenses/LICENSE-2.0
*
*   Unless required by applicable law or agreed to in writing, software
*   distributed under the License is distributed on an "AS IS" BASIS,
*   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*   See the License for the specific language governing permissions and
*   limitations under the License.
*/
package com.adobe.granite.maven.scq;

import static java.util.Arrays.asList;
import static com.google.inject.Guice.createInjector;
import static com.google.inject.Key.get;
import static com.google.inject.name.Names.named;

import java.io.IOException;
import java.util.LinkedList;
import java.util.List;
import java.util.Map.Entry;

import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;

import com.adobe.granite.maven.scq.di.SecureCQComponentsModule;
import com.cognifide.securecq.AbstractTest;
import com.cognifide.securecq.Configuration;
import com.cognifide.securecq.TestResult;
import com.cognifide.securecq.markers.AuthorTest;
import com.cognifide.securecq.markers.DispatcherTest;
import com.cognifide.securecq.markers.PublishTest;
import com.google.inject.Binding;
import com.google.inject.ConfigurationException;
import com.google.inject.Injector;
import com.google.inject.Key;
import com.google.inject.TypeLiteral;
import com.google.inject.name.Named;

/**
* Performs the SecureCQ test analysis.
*/
@Mojo(
    name = "securecq",
    defaultPhase = LifecyclePhase.TEST,
    threadSafe = true,
    requiresProject = false
)
public final class SecureCQMojo extends AbstractMojo {

    /**
     * The {@code author} CQ instance URL.
     */
    @Parameter(property = "scq.url.author", defaultValue = "http://localhost:4502")
    private String authorUrl;

    /**
     * The {@code publish} CQ instance URL.
     */
    @Parameter(property = "scq.url.publish", defaultValue = "")
    private String publishUrl;

    /**
     * The {@code dispatcher} CQ instance URL.
     */
    @Parameter(property = "scq.url.dispatcher", defaultValue = "")
    private String dispatcherUrl;

    /**
     * The list of tests have to be performed, {@code config-validation}, {@code default-passwords}, {@code dispatcher-access},
     * {@code shindig-proxy}, {@code etc-tools}, {@code content-grabbing}, {@code feed-selector}, {@code wcm-debug}, {@code webdav},
     * {@code webdav}, {@code geometrixx} and {@code redundant-selectors} by default.
     */
    @Parameter
    private String[] enabledTests;

    public void execute() throws MojoExecutionException, MojoFailureException {
        // setup tests
        Injector injector = createInjector(new SecureCQComponentsModule(authorUrl, publishUrl, dispatcherUrl));

        // discover all available predefined tests
        if (enabledTests == null || enabledTests.length == 0) {
            List<String> boundTests = new LinkedList<String>();

            TypeLiteral<AbstractTest> abstractTestTypeLiteral = new TypeLiteral<AbstractTest>(){};

            for (Entry<Key<?>, Binding<?>> binding : injector.getAllBindings().entrySet()) {
                Key<?> bindingKey = binding.getKey();

                if (abstractTestTypeLiteral.equals(bindingKey.getTypeLiteral())
                        && bindingKey.getAnnotation() != null
                        && Named.class.isAssignableFrom(bindingKey.getAnnotationType())) {
                    boundTests.add(((Named) bindingKey.getAnnotation()).value());
                }
            }

            enabledTests = boundTests.toArray(new String[boundTests.size()]);
        }

        getLog().debug("Performing tests: " + asList(enabledTests));

        // perform tests

        boolean success = true;

        for (String enabledTest : enabledTests) {
            getLog().info("Discovering test '" + enabledTest + "'...");

            try {
                AbstractTest test = injector.getInstance(get(AbstractTest.class, named(enabledTest)));

                getLog().info("Performing security check '" + enabledTest + "'...");

                // configuration exists at that point
                Configuration configuration = injector.getInstance(get(Configuration.class, named(enabledTest)));

                // putting the `success` flag BEFORE, if false, doesn't evaluate the test!
                success = performTest(enabledTest, test, configuration) && success;
            } catch (ConfigurationException e) {
                getLog().warn("Test '" + enabledTest + "' does not exist in this context, ignored it.");
            }
        }

        if (success) {
            getLog().info("Congratulations, all SequreCQ tests passed!");
        } else {
            throw new MojoFailureException("SequreCQ detected secutity vulnerabilities in your instances, see the log for details.");
        }
    }

    private boolean performTest(String componentName, AbstractTest test, Configuration configuration) throws MojoExecutionException {
        try {
            test.test();

            if (TestResult.DISABLED == test.getResult()) {
                if (test instanceof DispatcherTest) {
                    logDisabledTest(componentName, "authorUrl", "scq.url.author", authorUrl);
                } else if (test instanceof PublishTest) {
                    logDisabledTest(componentName, "publishUrl", "scq.url.publish", publishUrl);
                } else if (test instanceof AuthorTest) {
                    logDisabledTest(componentName, "dispatcherUrl", "scq.url.dispatcher", dispatcherUrl);
                } else {
                    getLog().info("'" + componentName + "' is disabled, skipping it - It may be possible that you haven't specified one of author/publish/dispatcher URL, please refere to plugin documentation.");
                }

                return true;
            }

            getLog().info("'" + componentName + "' result: " + test.getResult());

            if (!test.getErrorMessages().isEmpty()) {
                getLog().warn("'" + componentName + "' detected some failures:");

                for (String message : test.getErrorMessages()) {
                    getLog().warn(" - " + message);
                }
            }

            if (!test.getInfoMessages().isEmpty() && !"true".equals(configuration.getStringValue("hidePassed", "false"))) {
                getLog().info("'" + componentName + "' passed tests:");

                for (String message : test.getInfoMessages()) {
                    getLog().info(" - " + message);
                }
            }

            return TestResult.OK == test.getResult();
        } catch (IOException e) {
            throw new MojoExecutionException("An error occurred while loading test '"
                                             + componentName
                                             + "' configuration, see nested exceptions", e);
        }
    }

    private void logDisabledTest(String componentName, String parameterName, String propertyName, String instanceUrl) {
        getLog().info("Security check '"
                      + componentName
                      + "' is disabled, please make sure you have correctly set the <"
                      + parameterName
                      + " /> configuration property OR you have passed the -D"
                      + parameterName
                      + "=http://<host>:<port> property AND that instance located on '"
                      + instanceUrl
                      + "' is active and reachable.");
    }

}
TOP

Related Classes of com.adobe.granite.maven.scq.SecureCQMojo

  • com.adobe.granite.maven.scq.di.SecureCQComponentsModule
  • com.cognifide.securecq.AbstractTest
  • com.cognifide.securecq.Configuration
  • com.google.inject.Injector
  • org.apache.maven.plugin.MojoFailureException
  • org.apache.maven.plugin.MojoExecutionException
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.