openstack
/
syntribos
Code Issues Proposed changes

Updating syntribos documentation 

Updating documentation and fixing some nits

Change-Id: Ic37199d35a5cd284506d1baefbbcdf31d2e458a6
This commit is contained in:
Rahul Nair 2016-10-25 14:21:43 -05:00
parent 97de7a6c17
commit 0824fddcaa
10 changed files with 114 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
CONTRIBUTING.rst
View File

@ -1,9 +1,10 @@
=================================
Syntribos Contributing Guidelines
=================================
=======================
Contributing Guidelines
=======================
Contributions to syntribos are always welcome, if you have any questions,
we can be found in the #openstack-security channel on Freenode IRC.
Syntribos is an open source project and contributions are always
welcome, if you have any questions, we can be found in the
#openstack-security channel on Freenode IRC.
1. Follow all the `OpenStack Style Guidelines <http://docs.openstack.org/developer/hacking/>`__
(e.g. PEP8, Py3 compatibility)
@ -32,3 +33,8 @@ and not on Github. All Github issues will be closed/ignored.
Breaking changes, feature requests, and other unprioritized work should first be
submitted as a blueprint `here <https://blueprints.launchpad.net/syntribos>`__
for review.
**Note:** README.rst is auto generated from docs by running ``python readme.py``
from the ``syntribos/scripts`` directory. So when the README.rst needs to be updated;
modify the corresponding rst file in syntribos/doc/source and auto generatoe the README.

77
README.rst
View File

@ -32,8 +32,8 @@ Syntribos, An Automated API Security Testing Tool
:target: https://pypi.python.org/pypi/syntribos/
:alt: Downloads
Syntribos is an automated API security testing tool that is maintained by
members of the `OpenStack Security Project <https://wiki.openstack.org/wiki/Security>`__.
Syntribos is an open source automated API security testing tool that is
maintained by members of the `OpenStack Security Project <https://wiki.openstack.org/wiki/Security>`__.
Given a simple configuration file and an example HTTP request, syntribos
can replace any API URL, URL parameter, HTTP header and request body
@ -217,7 +217,7 @@ file.
endpoint=http://localhost:5000
# Set payload and templates path
templates=<location_of_templates_dir/file>
payload_dir=<location_of_payload_dir>
payloads_dir=<location_of_payloads_dir>
[user]
#
@ -247,7 +247,7 @@ section is the one being tested by syntribos and the endpoint URL in
``[user]`` section is just used to get an AUTH_TOKEN.
Downloading templates and payloads remotely
-------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Payload and template files can be downloaded remotely in syntribos.
In the config file under ``[syntribos]`` section, if ``templates``
@ -266,18 +266,18 @@ and payload files.
The advantage of using these options are that you will be able to get
the latest payloads from the official repository and if you are
using syntribos to test OpenStack projects, then in most cases
you would already have well defined templates availble to work with.
you would already have well defined templates available to work with.
This option also helps to easily manage different versions of
templates remotely, without the need to maintain a set of
different versions offline.
Testing keystone API
~~~~~~~~~~~~~~~~~~~~
Testing OpenStack keystone API
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A sample config file is given in :file:`examples/configs/keystone.conf`.
A sample config file is given in ``examples/configs/keystone.conf``.
Copy this file to a location of your choice (default file path for
configuration file is: :file:`~/.syntribos/syntribos.conf`) and update the
configuration file is: ``~/.syntribos/syntribos.conf``) and update the
necessary fields like user credentials, log, template directory etc.
::
@ -294,7 +294,7 @@ necessary fields like user credentials, log, template directory etc.
endpoint=http://localhost:5000
# Set payload and templates path
templates=<location_of_templates_dir/file>
payload_dir=<location_of_payload_dir>
payloads_dir=<location_of_payloads_dir>
[user]
#
@ -351,15 +351,15 @@ necessary fields like user credentials, log, template directory etc.
# if you don't want this, set this option to False.
http_request_compression=True
==================
Syntribos Commands
==================
========
Commands
========
Below are the set of commands that should be specified while
Below are the set of commands that can be specified while
using syntribos.
- :command:`syntribos run`
- ``syntribos run``
This command runs syntribos with the given config options
@ -367,7 +367,7 @@ using syntribos.
$ syntribos --config-file keystone.conf -t SQL run
- :command:`syntribos dry-run`
- ``syntribos dry-run``
This command ensures that the template files given for this run parse
@ -382,7 +382,7 @@ using syntribos.
$ syntribos --config-file keystone.conf dry_run
- :command:`syntribos list_tests`
- ``syntribos list_tests``
This command will list the names and description of all the tests
@ -394,15 +394,18 @@ using syntribos.
All these commands will only work if a configuration file
is specified.
is specified. If a configuration file is present in the default
path ( ``.syntribos/syntribos.conf`` ), then you
do not need to explicitly specify a config file and
can just run syntribos like ``syntribos run``.
=================
Running syntribos
=================
To run syntribos against all the available tests, just specify the
command ``syntribos`` with the configuration file without specifying
any test type.
command ``syntribos`` with the configuration file without
specifying any test type.
::
@ -422,9 +425,9 @@ the ``-t`` flag.
This will match all tests that contain ``SQL`` in their name
like SQL_INJECTION_HEADERS, SQL_INJECTION_BODY etc.
=================
Syntribos logging
=================
===================
Logging and Results
===================
Two types of logs are generated by syntribos, results and debug logs. While
results log is the representation of results(collection of issues) from a
@ -589,7 +592,7 @@ And the signals captured:
Debug logs are sanitized to prevent storing secrets to log files.
Passwords and other sensitive information are masked with astericks using a
slightly modified version of `oslo_utils.strutils.mask_password <http://docs.openstack.org/developer/oslo.utils/api/strutils.html#oslo_utils.strutils.mask_password>_`
slightly modified version of `oslo_utils.strutils.mask_password <http://docs.openstack.org/developer/oslo.utils/api/strutils.html#oslo_utils.strutils.mask_password>`__
Debug logs also includes body compression, wherein long fuzz strings are
compressed before being written to the logs. The threshold to start data
@ -628,12 +631,24 @@ containing the status and coverage details of each test.
Contributing Guidelines
=======================
Syntribos is an open source project and contributions are always
welcome, if you have any questions, we can be found in the
#openstack-security channel on Freenode IRC.
1. Follow all the `OpenStack Style Guidelines <http://docs.openstack.org/developer/hacking/>`__
(e.g. PEP8, Py3 compatibility)
2. All new classes/functions should have appropriate docstrings in
`RST format <https://pythonhosted.org/an_example_pypi_project/sphinx.html>`__
3. All new code should have appropriate unittests (place them in the
:file:`tests/unit` folder)
``tests/unit`` folder)
4. Any change you make can be tested using tox:
pip install tox
tox -e pep8
tox -e py27
tox -e py34
tox -e cover
Anyone wanting to contribute to OpenStack must follow
`the OpenStack development workflow <http://docs.openstack.org/infra/manual/developers.html#development-workflow>`__
@ -644,12 +659,12 @@ described above. All pull requests on Github will be closed/ignored.
Bugs should be filed on the `syntribos launchpad site <https://bugs.launchpad.net/syntribos>`__,
and not on Github. All Github issues will be closed/ignored.
Breaking changes, feature requests, and other non prioritized work should
first be submitted as a blueprint `here <https://blueprints.launchpad.net/syntribos>`__
Breaking changes, feature requests, and other unprioritized work should first be
submitted as a blueprint `here <https://blueprints.launchpad.net/syntribos>`__
for review.
Note: README.rst is auto generated from docs by running :command:`python readme.py`
in the :file:`syntribos/scripts` directory. So when the README.rst needs to
be updated; modify the corresponding rst file in :file:`syntribos/doc/source`
and auto generate the README.
**Note:** README.rst is auto generated from docs by running ``python readme.py``
from the ``syntribos/scripts`` directory. So when the README.rst needs to be updated;
modify the corresponding rst file in syntribos/doc/source and auto generatoe the README.

4
doc/source/about.rst
View File

@ -32,8 +32,8 @@ Syntribos, An Automated API Security Testing Tool
:target: https://pypi.python.org/pypi/syntribos/
:alt: Downloads
Syntribos is an automated API security testing tool that is maintained by
members of the `OpenStack Security Project <https://wiki.openstack.org/wiki/Security>`__.
Syntribos is an open source automated API security testing tool that is
maintained by members of the `OpenStack Security Project <https://wiki.openstack.org/wiki/Security>`__.
Given a simple configuration file and an example HTTP request, syntribos
can replace any API URL, URL parameter, HTTP header and request body

19
doc/source/commands.rst
View File

@ -1,12 +1,12 @@
==================
Syntribos Commands
==================
========
Commands
========
Below are the set of commands that should be specified while
Below are the set of commands that can be specified while
using syntribos.
- :command:`syntribos run`
- ``syntribos run``
This command runs syntribos with the given config options
@ -14,7 +14,7 @@ using syntribos.
$ syntribos --config-file keystone.conf -t SQL run
- :command:`syntribos dry-run`
- ``syntribos dry-run``
This command ensures that the template files given for this run parse
@ -29,7 +29,7 @@ using syntribos.
$ syntribos --config-file keystone.conf dry_run
- :command:`syntribos list_tests`
- ``syntribos list_tests``
This command will list the names and description of all the tests
@ -41,4 +41,7 @@ using syntribos.
All these commands will only work if a configuration file
is specified.
is specified. If a configuration file is present in the default
path ( ``.syntribos/syntribos.conf`` ), then you
do not need to explicitly specify a config file and
can just run syntribos like ``syntribos run``.

16
doc/source/configuration.rst
View File

@ -21,7 +21,7 @@ file.
endpoint=http://localhost:5000
# Set payload and templates path
templates=<location_of_templates_dir/file>
payload_dir=<location_of_payload_dir>
payloads_dir=<location_of_payloads_dir>
[user]
#
@ -51,7 +51,7 @@ section is the one being tested by syntribos and the endpoint URL in
``[user]`` section is just used to get an AUTH_TOKEN.
Downloading templates and payloads remotely
-------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Payload and template files can be downloaded remotely in syntribos.
In the config file under ``[syntribos]`` section, if ``templates``
@ -70,18 +70,18 @@ and payload files.
The advantage of using these options are that you will be able to get
the latest payloads from the official repository and if you are
using syntribos to test OpenStack projects, then in most cases
you would already have well defined templates availble to work with.
you would already have well defined templates available to work with.
This option also helps to easily manage different versions of
templates remotely, without the need to maintain a set of
different versions offline.
Testing keystone API
~~~~~~~~~~~~~~~~~~~~
Testing OpenStack keystone API
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A sample config file is given in :file:`examples/configs/keystone.conf`.
A sample config file is given in ``examples/configs/keystone.conf``.
Copy this file to a location of your choice (default file path for
configuration file is: :file:`~/.syntribos/syntribos.conf`) and update the
configuration file is: ``~/.syntribos/syntribos.conf``) and update the
necessary fields like user credentials, log, template directory etc.
::
@ -98,7 +98,7 @@ necessary fields like user credentials, log, template directory etc.
endpoint=http://localhost:5000
# Set payload and templates path
templates=<location_of_templates_dir/file>
payload_dir=<location_of_payload_dir>
payloads_dir=<location_of_payloads_dir>
[user]
#

26
doc/source/contributing.rst
View File

@ -2,12 +2,24 @@
Contributing Guidelines
=======================
Syntribos is an open source project and contributions are always
welcome, if you have any questions, we can be found in the
#openstack-security channel on Freenode IRC.
1. Follow all the `OpenStack Style Guidelines <http://docs.openstack.org/developer/hacking/>`__
(e.g. PEP8, Py3 compatibility)
2. All new classes/functions should have appropriate docstrings in
`RST format <https://pythonhosted.org/an_example_pypi_project/sphinx.html>`__
3. All new code should have appropriate unittests (place them in the
:file:`tests/unit` folder)
``tests/unit`` folder)
4. Any change you make can be tested using tox:
pip install tox
tox -e pep8
tox -e py27
tox -e py34
tox -e cover
Anyone wanting to contribute to OpenStack must follow
`the OpenStack development workflow <http://docs.openstack.org/infra/manual/developers.html#development-workflow>`__
@ -18,11 +30,11 @@ described above. All pull requests on Github will be closed/ignored.
Bugs should be filed on the `syntribos launchpad site <https://bugs.launchpad.net/syntribos>`__,
and not on Github. All Github issues will be closed/ignored.
Breaking changes, feature requests, and other non prioritized work should
first be submitted as a blueprint `here <https://blueprints.launchpad.net/syntribos>`__
Breaking changes, feature requests, and other unprioritized work should first be
submitted as a blueprint `here <https://blueprints.launchpad.net/syntribos>`__
for review.
Note: README.rst is auto generated from docs by running :command:`python readme.py`
in the :file:`syntribos/scripts` directory. So when the README.rst needs to
be updated; modify the corresponding rst file in :file:`syntribos/doc/source`
and auto generate the README.
**Note:** README.rst is auto generated from docs by running ``python readme.py``
from the ``syntribos/scripts`` directory. So when the README.rst needs to be updated;
modify the corresponding rst file in syntribos/doc/source and auto generatoe the README.

8
doc/source/logging.rst
View File

@ -1,6 +1,6 @@
=================
Syntribos logging
=================
===================
Logging and Results
===================
Two types of logs are generated by syntribos, results and debug logs. While
results log is the representation of results(collection of issues) from a
@ -165,7 +165,7 @@ And the signals captured:
Debug logs are sanitized to prevent storing secrets to log files.
Passwords and other sensitive information are masked with astericks using a
slightly modified version of `oslo_utils.strutils.mask_password <http://docs.openstack.org/developer/oslo.utils/api/strutils.html#oslo_utils.strutils.mask_password>_`
slightly modified version of `oslo_utils.strutils.mask_password <http://docs.openstack.org/developer/oslo.utils/api/strutils.html#oslo_utils.strutils.mask_password>`__
Debug logs also includes body compression, wherein long fuzz strings are
compressed before being written to the logs. The threshold to start data

8
doc/source/man/syntribos.rst
View File

@ -36,7 +36,7 @@ OPTIONS
-h, --help show this help message and exit
--colorize, -cl Enable color in syntribos terminal output
--config-dir DIR Path to a config directory to pull :file:`*.conf` files
--config-dir DIR Path to a config directory to pull ``*.conf`` files
from. This file set is sorted, so as to provide a
predictable parse order if individual options are
over-ridden. The set is parsed after the file(s)
@ -73,10 +73,10 @@ Main Syntribos Config:
Syntribos Commands:
{list_tests,run,dry_run}
Available commands
Available commands
list_tests List all available tests
run Run syntribos with given config options
dry_run Dry run Syntribos with given config options
dry_run Dry run syntribos with given config options
FILES
~~~~~
@ -88,7 +88,7 @@ EXAMPLES
~~~~~~~~
To run syntribos against all the available tests, just specify the
command :command:`syntribos run` with the configuration file without
command ``syntribos run`` with the configuration file without
specifying any test type.
::

4
doc/source/running.rst
View File

@ -3,8 +3,8 @@ Running syntribos
=================
To run syntribos against all the available tests, just specify the
command ``syntribos`` with the configuration file without specifying
any test type.
command ``syntribos`` with the configuration file without
specifying any test type.
::

13
doc/source/test-anatomy.rst
View File

@ -1,11 +1,13 @@
============================
Basic syntribos Test Anatomy
============================
==================
Basic Test Anatomy
==================
This section describes how to test and API using syntribos.
Test Types
~~~~~~~~~~
The tests included at release time include LDAP injection, SQL
Some tests included with syntribos by default are LDAP injection, SQL
injection, integer overflow, command injection, XML external entity,
reflected cross-site scripting, Cross Origin Resource Sharing (CORS)
wildcard and SSL.
@ -48,8 +50,7 @@ Calls to extensions are made in this form:
CALL_EXTERNAL|{extension dot path}:{function}:{arguments}
One example packaged with syntribos enables the tester to obtain an auth
token from keystone/identity. The code is located in
``identity/client.py``
token from keystone. The code is located in ``identity/client.py``
To use this extension, you can add the following to your template file: