fix: challenge test fails sometimes when calling scoreboard endpoint

2023-02-15 17:28:15 +00:00 · 2023-02-15 17:28:15 +00:00 · 3ec34b0df5
commit 3ec34b0df5
parent eb4c8388f8
3 changed files with 99 additions and 103 deletions
--- a/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
@ -1,112 +1,112 @@
 package org.owasp.webgoat;

+import static java.util.concurrent.TimeUnit.SECONDS;
+import static org.hamcrest.Matchers.lessThan;
+import static org.junit.jupiter.api.Assertions.assertTrue;

 import io.restassured.RestAssured;
-import org.junit.jupiter.api.Test;
-
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
+import org.junit.jupiter.api.Test;

 public class ChallengeIntegrationTest extends IntegrationTest {

-    @Test
-    public void testChallenge1() {
-        startLesson("Challenge1");
+  @Test
+  public void testChallenge1() {
+    startLesson("Challenge1");

-        byte[] resultBytes =
-                RestAssured.given()
-                        .when()
-                        .relaxedHTTPSValidation()
-                        .cookie("JSESSIONID", getWebGoatCookie())
-                        .get(url("/WebGoat/challenge/logo"))
-                        .then()
-                        .statusCode(200)
-                        .extract().asByteArray();
+    byte[] resultBytes =
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .get(url("/WebGoat/challenge/logo"))
+            .then()
+            .statusCode(200)
+            .extract()
+            .asByteArray();

-        String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220));
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("username", "admin");
-        params.put("password", "!!webgoat_admin_1234!!".replace("1234", pincode));
+    String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220));
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("username", "admin");
+    params.put("password", "!!webgoat_admin_1234!!".replace("1234", pincode));

+    checkAssignment(url("/WebGoat/challenge/1"), params, true);
+    String result =
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .formParams(params)
+            .post(url("/WebGoat/challenge/1"))
+            .then()
+            .statusCode(200)
+            .extract()
+            .asString();

-        checkAssignment(url("/WebGoat/challenge/1"), params, true);
-        String result =
-                RestAssured.given()
-                        .when()
-                        .relaxedHTTPSValidation()
-                        .cookie("JSESSIONID", getWebGoatCookie())
-                        .formParams(params)
-                        .post(url("/WebGoat/challenge/1"))
-                        .then()
-                        .statusCode(200)
-                        .extract().asString();
+    String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
+    params.clear();
+    params.put("flag", flag);
+    checkAssignment(url("/WebGoat/challenge/flag"), params, true);

-        String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
-        params.clear();
-        params.put("flag", flag);
-        checkAssignment(url("/WebGoat/challenge/flag"), params, true);
+    checkResults("/challenge/1");

+    List<String> capturefFlags =
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .get(url("/WebGoat/scoreboard-data"))
+            .then()
+            .statusCode(200)
+            .extract()
+            .jsonPath()
+            .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
+    assertTrue(capturefFlags.contains("Admin lost password"));
+  }

-        checkResults("/challenge/1");
+  @Test
+  public void testChallenge5() {
+    startLesson("Challenge5");

-        List<String> capturefFlags =
-                RestAssured.given()
-                        .when()
-                        .relaxedHTTPSValidation()
-                        .cookie("JSESSIONID", getWebGoatCookie())
-                        .get(url("/WebGoat/scoreboard-data"))
-                        .then()
-                        .statusCode(200)
-                        .extract().jsonPath()
-                        .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
-        assertTrue(capturefFlags.contains("Admin lost password"));
-    }
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("username_login", "Larry");
+    params.put("password_login", "1' or '1'='1");

-    @Test
-    public void testChallenge5() {
-        startLesson("Challenge5");
+    String result =
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .formParams(params)
+            .post(url("/WebGoat/challenge/5"))
+            .then()
+            .statusCode(200)
+            .extract()
+            .asString();

-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("username_login", "Larry");
-        params.put("password_login", "1' or '1'='1");
+    String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
+    params.clear();
+    params.put("flag", flag);
+    checkAssignment(url("/WebGoat/challenge/flag"), params, true);

-        String result =
-                RestAssured.given()
-                        .when()
-                        .relaxedHTTPSValidation()
-                        .cookie("JSESSIONID", getWebGoatCookie())
-                        .formParams(params)
-                        .post(url("/WebGoat/challenge/5"))
-                        .then()
-                        .statusCode(200)
-                        .extract().asString();
-
-        String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
-        params.clear();
-        params.put("flag", flag);
-        checkAssignment(url("/WebGoat/challenge/flag"), params, true);
-
-
-        checkResults("/challenge/5");
-
-        List<String> capturefFlags =
-                RestAssured.given()
-                        .when()
-                        .relaxedHTTPSValidation()
-                        .cookie("JSESSIONID", getWebGoatCookie())
-                        .get(url("/WebGoat/scoreboard-data"))
-                        .then()
-                        .statusCode(200)
-                        .extract().jsonPath()
-                        .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
-        assertTrue(capturefFlags.contains("Without password"));
-    }
+    checkResults("/challenge/5");

+    List<String> capturefFlags =
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .get(url("/WebGoat/scoreboard-data"))
+            .then()
+            .statusCode(200)
+            .extract()
+            .jsonPath()
+            .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
+    assertTrue(capturefFlags.contains("Without password"));
+  }
 }
--- a/src/it/java/org/owasp/webgoat/IntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/IntegrationTest.java
@ -26,7 +26,7 @@ public abstract class IntegrationTest {
    @Getter
    private String webWolfCookie;
    @Getter
-    private String user = "webgoat";
+    private final String user = "webgoat";

    protected String url(String url) {
        url = url.replaceFirst("/WebGoat/", "");
--- a/src/main/java/org/owasp/webgoat/container/users/Scoreboard.java
+++ b/src/main/java/org/owasp/webgoat/container/users/Scoreboard.java
@ -1,8 +1,8 @@
 package org.owasp.webgoat.container.users;

-import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
+import java.util.stream.Collectors;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import org.owasp.webgoat.container.i18n.PluginMessages;
@ -35,19 +35,15 @@ public class Scoreboard {

  @GetMapping("/scoreboard-data")
  public List<Ranking> getRankings() {
-    List<WebGoatUser> allUsers = userRepository.findAll();
-    List<Ranking> rankings = new ArrayList<>();
-    for (WebGoatUser user : allUsers) {
-      if (user.getUsername().startsWith("csrf-")) {
-        // the csrf- assignment specific users do not need to be in the overview
-        continue;
-      }
-      UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
-      rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
-    }
-    /* sort on number of captured flags to present an ordered ranking */
-    rankings.sort((o1, o2) -> o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size());
-    return rankings;
+    return userRepository.findAll().stream()
+        .filter(user -> !user.getUsername().startsWith("csrf-"))
+        .map(
+            user ->
+                new Ranking(
+                    user.getUsername(),
+                    challengesSolved(userTrackerRepository.findByUser(user.getUsername()))))
+        .sorted((o1, o2) -> o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size())
+        .collect(Collectors.toList());
  }

  private List<String> challengesSolved(UserTracker userTracker) {