18F / concourse-compliance-testing

Concourse CI assets for Compliance Toolkit
https://compliance-viewer.18f.gov/

As a user, I want to scan sites that have authentication #98

Open afeld opened 8 years ago

afeld commented 8 years ago

Broken out from https://github.com/18F/before-you-ship/issues/158.

afeld commented 8 years ago

Turns out scanning the sites manually for the FedRAMP 3PAO isn't tenable...talked with @dlapiduz, @mogul, and @LinuxBozo this morning and decided I will spend the rest of the week on it to see if we can get this issue done so that we can run the scans automatically and in parallel.

afeld commented 8 years ago

Acceptance criteria

afeld commented 8 years ago

Stepping away from this in the immediate term to not block the assessment. Doing the scans of cloud.gov components that have auth manually—see https://github.com/18F/cg-atlas/issues/86.

mogul commented 7 years ago

My most recent thought here is that we probably shouldn't make stepping through auth the job of Compliance Toolkit, particularly given that requirements for login might be fairly baroque and differ widely app to app. An alternative I thought of was some way for app owners to supply a session pre-populated with still-valid cookies, which the scanner would work from. That way it's an app-specific problem to own how to keep a valid session ready to go for scans. I haven't thought about it enough to come up with a way to make that session securely available to the scanner... 🤔

afeld commented 7 years ago

> some way for app owners to supply a session pre-populated with still-valid cookies

Cookies/sessions expire, so that would need to be supplied for every run 😕 Would kind of defeat the purpose of having the automated scan.

mogul commented 7 years ago

> An alternative I thought of was some way for app owners to supply a session pre-populated with still-valid cookies, which the scanner would work from.

I was fretting about how to securely handle the delivery of authenticated session info, but then I had an idea overnight that Compliance Viewer could accept uploads of authenticated session cookies for assorted apps that it scans, where the team encrypts those cookies for CV with a public key and uploads them to a drop-point within [expiration] minutes of when their scan is scheduled to run. That would put the onus for getting a fresh authenticated session on the app teams, who can then automate the process of getting a valid session and uploading to the drop-point as warranted.

> Cookies/sessions expire, so that would need to be supplied for every run 😕 Would kind of defeat the purpose of having the automated scan.

Even if teams don't automate, the burden of "log in, save your cookies, and upload them here" is way lower than "understand how to run a scanner and get the results". Once they do automate... well, it's automated!
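A sketch of the cookie drop-point exchange described in this comment, added here as an example and not code from this project: the app team seals its session cookies to the scanner's public key, and the scanner refuses a drop that is outside its validity window. The envelope layout, function names and the `issued_at`/`ttl` fields are assumptions.

```ruby
require 'openssl'
require 'json'
require 'time'

# Constructed envelope format for a cookie "drop": the cookies are sealed with AES-256-GCM
# under a fresh data key, and that key is wrapped with the scanner's RSA-OAEP public key
# (hybrid, so the cookie payload can be any size and only the scanner can unwrap it).
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# App team side. issued_at and ttl_seconds bound the window in which the scanner may use
# the cookies, so a stale upload cannot silently degrade to an unauthenticated scan.
def seal_drop(scanner_public_key, cookies, issued_at, ttl_seconds)
  payload = JSON.generate(cookies: cookies, issued_at: issued_at.utc.iso8601, ttl: ttl_seconds)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  key = cipher.random_key
  iv = cipher.random_iv
  ciphertext = cipher.update(payload) + cipher.final
  {
    wrapped_key: scanner_public_key.public_encrypt(key, OAEP),
    iv: iv,
    ciphertext: ciphertext,
    tag: cipher.auth_tag # GCM tag: any tampering with the envelope fails at open_drop
  }
end

# Scanner side: unwrap the data key, authenticate-and-decrypt, then enforce the window.
def open_drop(scanner_private_key, envelope, now)
  key = scanner_private_key.private_decrypt(envelope[:wrapped_key], OAEP)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = envelope[:iv]
  cipher.auth_tag = envelope[:tag]
  payload = JSON.parse(cipher.update(envelope[:ciphertext]) + cipher.final) # raises on bad tag
  issued_at = Time.iso8601(payload['issued_at'])
  if now < issued_at || now > issued_at + payload['ttl']
    raise ArgumentError, 'session drop is outside its validity window'
  end
  payload['cookies']
end
```

The scanner's private key is the only long-lived secret, and it never leaves the scanner; the app team only needs its public key and a cron job that logs in and runs `seal_drop` shortly before each scheduled scan.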

mogul commented 7 years ago

Heck, they could use Fugacious. ;)

JJediny commented 7 years ago

What if the scanner stored a key in Vault.io and had each application w/ auth set up a user account for the scanner? The user/pass hash could then be stored in the open or shared without concern. When the scanner/toolkit runs it decrypts the creds and scans as an authenticated user. The issue of getting around each app having its own nav/login elements could be solved by requiring a common div tag on the form fields like div=username and div=password?

mogul commented 7 years ago

> The issue of getting around each app having its own nav/login elements could be solved by requiring a common div tag on the form fields like div=username and div=password?

Based on my experience (and our target set of users), often the ability to modify the scanned apps to include "standardized" changes like that just isn't available. This is why I was suggesting that the cookies would be the best way. We could have some simple/common methods supported and use cookies as an "advanced" option, though...? ¯\_(ツ)_/¯

afeld commented 7 years ago

/cc https://github.com/Grunny/zap-cli/issues/7