Integrate ZAP automation for MCP authentication

Replaced manual authentication and session management config in rapidast-config.yml with ZAP Automation Framework integration. Added automation-framework.yml for custom MCP protocol scripts. Updated mock server to return user data in expected results array format.

Author: mabashian

rapidast-config.yml

@@ -11,28 +11,13 @@ application:
   shortName: "aap-mcp-server"
   url: "http://localhost:3000"
 
-# General scanning configuration
-general:
-  # Authentication configuration for MCP protocol
-  authentication:
-    type: "script_based"
-    parameters:
-      script_name: "mcp-authentication.js"
-      script_engine: "ECMAScript : Graal.js"
-      script_file: "/opt/rapidast/work/scripts/zap/mcp-authentication.js"
-      Login URL: "http://localhost:3000/mcp"
-    credentials:
-      token: "test-token"
-
-  # Session management for MCP
-  session_management:
-    script_name: "mcp-session-management.js"
-    script_engine: "ECMAScript : Graal.js"
-    script_file: "/opt/rapidast/work/scripts/zap/mcp-session-management.js"
-
 # Scanner configurations
 scanners:
   zap:
+    # Use ZAP Automation Framework for custom MCP authentication
+    automation:
+      fileName: "scripts/zap/automation-framework.yml"
+
     # Import URLs from file for comprehensive API scanning
     importUrlsFromFile:
       fileName: "rapidast-urls.txt"

scripts/mock-aap-server.cjs

@@ -223,7 +223,8 @@ const server = http.createServer((req, res) => {
   if (pathname === "/api/gateway/v1/me/") {
     console.log(`${logPrefix} - Returning mock user data`);
     res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(JSON.stringify(mockUserData));
+    // MCP server expects results array format
+    res.end(JSON.stringify({ results: [mockUserData] }));
     return;
   }
 

scripts/zap/automation-framework.yml

@@ -0,0 +1,54 @@
+---
+# ZAP Automation Framework Configuration for MCP Protocol
+# This configures custom authentication and session management scripts
+# for the MCP (Model Context Protocol) used by AAP MCP Server
+
+env:
+  contexts:
+    - name: "aap-mcp-context"
+      urls:
+        - "http://localhost:3000"
+      includePaths:
+        - "http://localhost:3000/.*"
+      excludePaths: []
+      authentication:
+        method: "script"
+        parameters:
+          script: "MCP Authentication"
+          scriptEngine: "ECMAScript : Graal.js"
+          Login URL: "http://localhost:3000/mcp"
+        verification:
+          method: "response"
+          loggedInRegex: "\\Q{\"result\":\\E"
+          loggedOutRegex: "\\Qerror\\E"
+      sessionManagement:
+        method: "script"
+        parameters:
+          script: "MCP Session Management"
+          scriptEngine: "ECMAScript : Graal.js"
+      users:
+        - name: "test-user"
+          credentials:
+            token: "test-token"
+
+  parameters:
+    failOnError: true
+    failOnWarning: false
+    progressToStdout: true
+
+jobs:
+  - type: script
+    parameters:
+      action: add
+      name: "MCP Authentication"
+      type: authentication
+      engine: "ECMAScript : Graal.js"
+      file: "/opt/rapidast/work/scripts/zap/mcp-authentication.js"
+
+  - type: script
+    parameters:
+      action: add
+      name: "MCP Session Management"
+      type: session
+      engine: "ECMAScript : Graal.js"
+      file: "/opt/rapidast/work/scripts/zap/mcp-session-management.js"