Running locally with AAD OAuth2 authentication about rest-api-fuzz-testing HOT 6 CLOSED

Since you run locally, we just fake a keyvault. After running raft_local.py local init command you will have some folders created, and one of them is secrets

Create a file named authtemplateapi with no extension (in screenshot RaftServicePrincipal file stores MSAL credentials for running raft on raft samples), and place your authentication data in there.

from rest-api-fuzz-testing.

Hi stishkin!

That is exactly what i did, does the format for the auth file look ok? (exept my masked values)

{
"client": "xxxx",
"tenant": "xxxx",
"secret": "xxxx",
"scopes": ["xxxx/.default"],
"authorityUri" : "https://localhost",
"audience" : "xxxx"
}

/Jonas

from rest-api-fuzz-testing.

Hi @Ncedia

I think I see what the issue is. In you job config:

"authenticationMethod": {
"MSAL": "authtemplateapi"
},

you also need to include what secrets you import. So your job config should have keyVaultSecrets section. This is the same behavior across local job deployments or Azure job deployments.

        "keyVaultSecrets": [ "authtemplateapi" ],
        "authenticationMethod": {
          "MSAL": "authtemplateapi"
        },

from rest-api-fuzz-testing.

Yes, I had missed to add the "keyVaultSecrets" attribute :-), and now the script is passing the auth configuration as an environment variable to the container. But something gets wrong with the docker command as soon as I add the "keyVaultSecrets" attribute:

"toolName": "RESTler",
"outputFolder": "restler-logs",
"keyVaultSecrets": ["authtemplateapi"],
"authenticationMethod": {
"MSAL": "authtemplateapi"
},

C:\Fuzzing\rest-api-fuzz-testing\cli>python raft_local.py job create --file templateapi.json
{'testTasks': {'targetConfiguration': {'apiSpecifications': ['https://xxxx/swagger/v1/swagger.json'], 'endpoint': 'https://xxxx'}, 'tasks': [{'toolName': 'RESTler', 'outputFolder': 'restler-logs', 'keyVaultSecrets': ['authtemplateapi'], 'authenticationMethod': {'MSAL': 'authtemplateapi'}, 'toolConfiguration': {'tasks': [{'task': 'compile'}, {'task': 'Fuzz', 'runConfiguration': {'Duration': '00:10:00'}}]}}, {'toolName': 'ZAP', 'outputFolder': 'zap-logs'}]}}
creating job a5680a87-84b1-4593-bf11-029744659458
------------------------ Job results: C:\Fuzzing\rest-api-fuzz-testing\cli\local\storage\a5680a87-84b1-4593-bf11-029744659458
v4.latest: Pulling from restapifuzztesting/agent-utilities
Digest: sha256:83eed4832d9904f65b4f5620c96f2f906118cb3af4c08b88bc9622d3b091bfc5
Status: Image is up to date for mcr.microsoft.com/restapifuzztesting/agent-utilities:v4.latest
mcr.microsoft.com/restapifuzztesting/agent-utilities:v4.latest

Running docker with command : run -d -t --no-healthcheck --privileged --user="root" --name raft-agent-utilities-a5680a87-84b1-4593-bf11-029744659458 --network host --mount type=bind,source="C:\Fuzzing\rest-api-fuzz-testing\cli\raft-tools",target="/raft-tools",readonly --mount type=bind,source="C:\Fuzzing\rest-api-fuzz-testing\cli\local\events_sink\a5680a87-84b1-4593-bf11-029744659458",target="/raft-events-sink" --env ASPNETCORE_URLS="http://:8085" --env RAFT_authtemplateapi="{
"client": "xxxx",
"tenant": "xxxx",
"secret": "xxxx",
"audience" : "xxxx"
}" mcr.microsoft.com/restapifuzztesting/agent-utilities:v4.latest
Job finished, cleaning up job containers
------------------------ Job results: C:\Fuzzing\rest-api-fuzz-testing\cli\local\storage\a5680a87-84b1-4593-bf11-029744659458
Traceback (most recent call last):
File "C:\Fuzzing\rest-api-fuzz-testing\cli\raft_local.py", line 830, in
run(vars(args))
File "C:\Fuzzing\rest-api-fuzz-testing\cli\raft_local.py", line 755, in run
cli.new_job(job_config, args.get('jobStatusWebhookUrl'), args.get('bugFoundWebhookUrl'))
File "C:\Fuzzing\rest-api-fuzz-testing\cli\raft_local.py", line 644, in new_job
agent_utils, agent_utils_endpoint, agent_utils_port = self.start_agent_utils(bridge_name, job_id,
File "C:\Fuzzing\rest-api-fuzz-testing\cli\raft_local.py", line 284, in start_agent_utils
out = docker(cmd)
File "C:\Fuzzing\rest-api-fuzz-testing\cli\raft_local.py", line 51, in docker
raise RaftLocalCliDockerException(stderr, args)
main.RaftLocalCliDockerException: args: run -d -t --no-healthcheck --privileged --user="root" --name raft-agent-utilities-a5680a87-84b1-4593-bf11-029744659458 --network host --mount type=bind,source="C:\Fuzzing\rest-api-fuzz-testing\cli\raft-tools",target="/raft-tools",readonly --mount type=bind,source="C:\Fuzzing\rest-api-fuzz-testing\cli\local\events_sink\a5680a87-84b1-4593-bf11-029744659458",target="/raft-events-sink" --env ASPNETCORE_URLS="http://:8085" --env RAFT_authtemplateapi="{
"client": "xxxx",
"tenant": "xxxx",
"secret": "xxxx",
"audience" : "xxxx"
}" mcr.microsoft.com/restapifuzztesting/agent-utilities:v4.latest
std error: "docker run" requires at least 1 argument.
See 'docker run --help'.

/Jonas

from rest-api-fuzz-testing.

I don't know what is the reason - but your docker command is missing a script as a last parameter to the docker run command. That script is called task-run.sh and it is generated in the work folder for your run.

Are you using latest version of RAFT CLI ?

py .\raft_local.py --help
usage: raft_local.py [-h] {local,job} ...

RAFT-Local CLI 4.1

positional arguments:
  {local,job}

optional arguments:
  -h, --help   show this help message and exit

Were there any manual modifications were done to raft_local.py ?
I see your environment variable that is used for authentication does not have any escape character around quotes (which supposed to be added automatically by raft_local.py script) see:

def env_variable(self, name, value): function

from rest-api-fuzz-testing.

@Ncedia - hi, we figured out what's the issue is.

Can you make a one-liner out of your value in the secret file ? So the json blob has no new lines.

That will solve the issue.

from rest-api-fuzz-testing.