From 4811a9d563a2c953705ea9ed99ece3d8bb492c83 Mon Sep 17 00:00:00 2001 From: nbaars Date: Fri, 29 Dec 2017 22:20:52 +0100 Subject: [PATCH] Removed Mongodb, so we do not have issues with downloading the embedded Mongodb. Moved back to JPA and use HSQLDB for storing user information. WebWolf now has its own user management (will move to separate Github repo) --- webwolf/pom.xml | 7 +- .../java/org/owasp/webwolf/mailbox/Email.java | 8 +- .../webwolf/mailbox/MailboxRepository.java | 5 +- .../webwolf/user/RegistrationController.java | 47 ++++++++++ .../java/org/owasp/webwolf/user/UserForm.java | 28 ++++++ .../owasp/webwolf/user/UserRepository.java | 4 +- .../org/owasp/webwolf/user/UserService.java | 5 ++ .../org/owasp/webwolf/user/UserValidator.java | 35 ++++++++ .../org/owasp/webwolf/user/WebGoatUser.java | 6 +- .../src/main/resources/application.properties | 9 +- .../main/resources/i18n/messages.properties | 40 +++++++++ .../src/main/resources/templates/login.html | 1 + .../resources/templates/registration.html | 89 +++++++++++++++++++ 13 files changed, 267 insertions(+), 17 deletions(-) create mode 100644 webwolf/src/main/java/org/owasp/webwolf/user/RegistrationController.java create mode 100644 webwolf/src/main/java/org/owasp/webwolf/user/UserForm.java create mode 100644 webwolf/src/main/java/org/owasp/webwolf/user/UserValidator.java create mode 100644 webwolf/src/main/resources/i18n/messages.properties create mode 100644 webwolf/src/main/resources/templates/registration.html diff --git a/webwolf/pom.xml b/webwolf/pom.xml index a9c955020..cc1cd5fa2 100644 --- a/webwolf/pom.xml +++ b/webwolf/pom.xml @@ -55,7 +55,7 @@ org.springframework.boot - spring-boot-starter-data-mongodb + spring-boot-starter-data-jpa org.springframework.boot @@ -73,6 +73,11 @@ jquery 3.2.1 + + org.hsqldb + hsqldb + ${hsqldb.version} + 
diff --git a/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java b/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java index edcfa54fc..cd6b9f1b4 100644 --- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java +++ b/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java @@ -4,10 +4,9 @@ import lombok.AllArgsConstructor; import lombok.Builder; import lombok.Data; import lombok.NoArgsConstructor; -import org.springframework.data.annotation.Id; -import org.springframework.data.mongodb.core.index.Indexed; -import org.springframework.data.mongodb.core.mapping.Document; +import javax.persistence.Entity; +import javax.persistence.Id; import java.io.Serializable; import java.time.LocalDateTime; import java.time.format.DateTimeFormatter; @@ -18,7 +17,7 @@ import java.time.format.DateTimeFormatter; */ @Builder @Data -@Document +@Entity @NoArgsConstructor @AllArgsConstructor public class Email implements Serializable { @@ -29,7 +28,6 @@ public class Email implements Serializable { private String contents; private String sender; private String title; - @Indexed private String recipient; public String getSummary() { diff --git a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxRepository.java b/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxRepository.java index 55cb88ac8..890ef3df4 100644 --- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxRepository.java +++ b/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxRepository.java @@ -1,7 +1,6 @@ package org.owasp.webwolf.mailbox; -import org.bson.types.ObjectId; -import org.springframework.data.mongodb.repository.MongoRepository; +import org.springframework.data.jpa.repository.JpaRepository; import java.util.List; @@ -9,7 +8,7 @@ import java.util.List; * @author nbaars * @since 8/17/17. */ -public interface MailboxRepository extends MongoRepository { +public interface MailboxRepository extends JpaRepository { List findByRecipientOrderByTimeDesc(String recipient); 
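Review bot: Dropping `@Indexed` from `recipient` leaves that column unindexed under JPA, while `MailboxRepository.findByRecipientOrderByTimeDesc` in the following hunk still filters on it; Mongo derived the index from the annotation, but Hibernate's `ddl-auto=update` (set in the application.properties hunk) will not create one by itself. Declare it on the entity so mailbox lookups do not become full-table scans as mail accumulates, e.g. `@Table(indexes = @Index(columnList = "recipient"))` next to `@Entity`, with `import javax.persistence.Index;` and `import javax.persistence.Table;`. The `@Id` field of `Email` lies outside the hunk, so whether it now carries a `@GeneratedValue` cannot be checked here; without one, saving a new mail with a null id fails under Hibernate, which is worth confirming in the same file.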
diff --git a/webwolf/src/main/java/org/owasp/webwolf/user/RegistrationController.java b/webwolf/src/main/java/org/owasp/webwolf/user/RegistrationController.java new file mode 100644 index 000000000..052f02047 --- /dev/null +++ b/webwolf/src/main/java/org/owasp/webwolf/user/RegistrationController.java @@ -0,0 +1,47 @@ +package org.owasp.webwolf.user; + +import lombok.AllArgsConstructor; +import lombok.SneakyThrows; +import lombok.extern.slf4j.Slf4j; +import org.springframework.security.authentication.AuthenticationManager; +import org.springframework.stereotype.Controller; +import org.springframework.validation.BindingResult; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.ModelAttribute; +import org.springframework.web.bind.annotation.PostMapping; + +import javax.servlet.http.HttpServletRequest; +import javax.validation.Valid; + +/** + * @author nbaars + * @since 3/19/17. + */ +@Controller +@AllArgsConstructor +@Slf4j +public class RegistrationController { + + private UserValidator userValidator; + private UserService userService; + private AuthenticationManager authenticationManager; + + @GetMapping("/registration") + public String showForm(UserForm userForm) { + return "registration"; + } + + @PostMapping("/register.mvc") + @SneakyThrows + public String registration(@ModelAttribute("userForm") @Valid UserForm userForm, BindingResult bindingResult, HttpServletRequest request) { + userValidator.validate(userForm, bindingResult); + + if (bindingResult.hasErrors()) { + return "registration"; + } + userService.addUser(userForm.getUsername(), userForm.getPassword()); + request.login(userForm.getUsername(), userForm.getPassword()); + + return "redirect:/WebWolf/home"; + } +} diff --git a/webwolf/src/main/java/org/owasp/webwolf/user/UserForm.java b/webwolf/src/main/java/org/owasp/webwolf/user/UserForm.java new file mode 100644 index 000000000..7e9d82a82 --- /dev/null 
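Review bot: `@SneakyThrows` on `registration` turns a failed `request.login` (a checked `ServletException`) into an unhandled exception after `userService.addUser` has already persisted the user, so the client sees a 500 for an account that does exist and a retry is then rejected with `username.duplicate`. Catch it explicitly and fall back to the existing login view, e.g. `} catch (ServletException e) { log.warn("auto-login after registration failed for {}", userForm.getUsername(), e); return "login"; }` (with `import javax.servlet.ServletException;`), which also gives the otherwise unused `@Slf4j` logger a purpose; the `login` template exists in this commit, though its mapping is not in the diff. The injected `AuthenticationManager` field is never read in this class; remove it, or use it instead of `request.login` so the flow does not depend on the container's `login` support.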
+++ b/webwolf/src/main/java/org/owasp/webwolf/user/UserForm.java @@ -0,0 +1,28 @@ +package org.owasp.webwolf.user; + +import lombok.Getter; +import lombok.Setter; + +import javax.validation.constraints.NotNull; +import javax.validation.constraints.Size; + +/** + * @author nbaars + * @since 3/19/17. + */ +@Getter +@Setter +public class UserForm { + + @NotNull + @Size(min=6, max=20) + private String username; + @NotNull + @Size(min=6, max=10) + private String password; + @NotNull + @Size(min=6, max=10) + private String matchingPassword; + @NotNull + private String agree; +} diff --git a/webwolf/src/main/java/org/owasp/webwolf/user/UserRepository.java b/webwolf/src/main/java/org/owasp/webwolf/user/UserRepository.java index 680125a0a..1477e0695 100644 --- a/webwolf/src/main/java/org/owasp/webwolf/user/UserRepository.java +++ b/webwolf/src/main/java/org/owasp/webwolf/user/UserRepository.java @@ -1,12 +1,12 @@ package org.owasp.webwolf.user; -import org.springframework.data.mongodb.repository.MongoRepository; +import org.springframework.data.jpa.repository.JpaRepository; /** * @author nbaars * @since 3/19/17. */ -public interface UserRepository extends MongoRepository { +public interface UserRepository extends JpaRepository { WebGoatUser findByUsername(String username); } diff --git a/webwolf/src/main/java/org/owasp/webwolf/user/UserService.java b/webwolf/src/main/java/org/owasp/webwolf/user/UserService.java index 0062e6328..319a9a355 100644 --- a/webwolf/src/main/java/org/owasp/webwolf/user/UserService.java +++ b/webwolf/src/main/java/org/owasp/webwolf/user/UserService.java @@ -27,4 +27,9 @@ public class UserService implements UserDetailsService { } + public void addUser(String username, String password) { + userRepository.save(new WebGoatUser(username, password)); + } + + } diff --git a/webwolf/src/main/java/org/owasp/webwolf/user/UserValidator.java b/webwolf/src/main/java/org/owasp/webwolf/user/UserValidator.java new file mode 100644 index 000000000..495619b14 
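Review bot: `@Size(min=6, max=10)` on `password` and `matchingPassword` caps passwords at ten characters, which forbids passphrases and is the opposite of what a credential field should enforce; keep the minimum and raise the ceiling, e.g. `@Size(min=6, max=64)` on both fields. The messages added in `i18n/messages.properties` disagree with these constraints: `username.size` says "between 6 and 10 characters" while `username` is `@Size(min=6, max=20)`, and `password.size` promises only a minimum while the annotation also has a maximum. Align the numbers in the messages file with the annotations, and note that `username.size`/`password.size` are not the default message codes Spring generates for `@Size`, so whatever wires them up is not visible in this diff.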
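Review bot: `addUser` hands the raw `password` straight to `new WebGoatUser(username, password)` and persists it; nothing in this hunk or in the `WebGoatUser` changes hashes it, so unless the entity constructor does (not visible here) the HSQLDB file under `${user.home}/.webgoat` will hold clear-text credentials. Inject a `PasswordEncoder` and store `passwordEncoder.encode(password)`, configuring the same encoder on the authentication provider so the `request.login` call in `RegistrationController` keeps working. `save` also does not reject a duplicate on its own: if `username` is the entity's `@Id`, it merges and silently overwrites the existing user's password, otherwise a second row is created, so the read-then-save check in `UserValidator` is racy and should be backed by a unique constraint on the username column. `UserService` starts before this hunk.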
--- /dev/null +++ b/webwolf/src/main/java/org/owasp/webwolf/user/UserValidator.java @@ -0,0 +1,35 @@ +package org.owasp.webwolf.user; + +import lombok.AllArgsConstructor; +import org.springframework.stereotype.Component; +import org.springframework.validation.Errors; +import org.springframework.validation.Validator; + +/** + * @author nbaars + * @since 3/19/17. + */ +@Component +@AllArgsConstructor +public class UserValidator implements Validator { + + private final UserRepository userRepository; + + @Override + public boolean supports(Class aClass) { + return UserForm.class.equals(aClass); + } + + @Override + public void validate(Object o, Errors errors) { + UserForm userForm = (UserForm) o; + + if (userRepository.findByUsername(userForm.getUsername()) != null) { + errors.rejectValue("username", "username.duplicate"); + } + + if (!userForm.getMatchingPassword().equals(userForm.getPassword())) { + errors.rejectValue("matchingPassword", "password.diff"); + } + } +} diff --git a/webwolf/src/main/java/org/owasp/webwolf/user/WebGoatUser.java b/webwolf/src/main/java/org/owasp/webwolf/user/WebGoatUser.java index 666c99124..a6495840b 100644 --- a/webwolf/src/main/java/org/owasp/webwolf/user/WebGoatUser.java +++ b/webwolf/src/main/java/org/owasp/webwolf/user/WebGoatUser.java @@ -1,13 +1,14 @@ package org.owasp.webwolf.user; import lombok.Getter; -import org.springframework.data.annotation.Id; -import org.springframework.data.annotation.Transient; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; +import javax.persistence.Entity; +import javax.persistence.Id; +import javax.persistence.Transient; import java.util.Collection; import java.util.Collections; 
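Review bot: `validate` dereferences `userForm.getMatchingPassword()` unconditionally, but `RegistrationController.registration` calls it after `@Valid` has only recorded the `@NotNull` violations into the `BindingResult`, so a POST without `matchingPassword` ends in a `NullPointerException` (a 500) instead of a validation message. Guard the comparison, e.g. `if (!Objects.equals(userForm.getMatchingPassword(), userForm.getPassword()))` with `import java.util.Objects;`, or skip the custom checks entirely when `errors.hasErrors()` is already true. A short Javadoc on `validate` stating that it runs after Bean Validation and may see null fields would make that contract explicit for the next caller.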
@@ -16,6 +17,7 @@ import java.util.Collections; * @since 3/19/17. */ @Getter +@Entity public class WebGoatUser implements UserDetails { public static final String ROLE_USER = "WEBGOAT_USER"; diff --git a/webwolf/src/main/resources/application.properties b/webwolf/src/main/resources/application.properties index 7c865d4c9..b169284c8 100644 --- a/webwolf/src/main/resources/application.properties +++ b/webwolf/src/main/resources/application.properties @@ -5,6 +5,10 @@ server.session.timeout=6000 server.port=8081 server.session.cookie.name = WEBWOLFSESSION +spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webwolf +spring.jpa.hibernate.ddl-auto=update +spring.messages.basename=i18n/messages + logging.level.org.springframework=INFO logging.level.org.springframework.boot.devtools=WARN logging.level.org.owasp=DEBUG @@ -25,12 +29,9 @@ multipart.location=${java.io.tmpdir} multipart.max-file-size=1Mb multipart.max-request-size=1Mb +webgoat.server.directory=${user.home}/.webgoat/ webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver -spring.data.mongodb.host=${WG_MONGO_HOST:} -spring.data.mongodb.port=${WG_MONGO_PORT:27017} -spring.data.mongodb.database=webgoat - spring.jackson.serialization.indent_output=true spring.jackson.serialization.write-dates-as-timestamps=false diff --git a/webwolf/src/main/resources/i18n/messages.properties b/webwolf/src/main/resources/i18n/messages.properties new file mode 100644 index 000000000..9e5d51223 --- /dev/null +++ b/webwolf/src/main/resources/i18n/messages.properties @@ -0,0 +1,40 @@ +# +# This file is part of WebGoat, an Open Web Application Security Project utility. For details, +# please see http://www.owasp.org/ +#
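Review bot: `spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webwolf` sets no `spring.datasource.username`/`spring.datasource.password`, so the file database is created with HSQLDB's default `SA` account and an empty password; since this file now holds WebWolf's user credentials and mailbox contents, either set both properties or state in a comment that protection rests solely on the permissions of `${user.home}/.webgoat`. The second hunk defines `webgoat.server.directory=${user.home}/.webgoat/` with a trailing slash, so the resolved URL contains `.webgoat//data/webwolf`; drop one of the two slashes for a clean path. `spring.jpa.hibernate.ddl-auto=update` is acceptable for a training tool, but a one-line comment such as `# schema is managed by Hibernate on purpose; no migrations` would save the next reader from second-guessing it.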

+# Copyright (c) 2002 - 2017 Bruce Mayhew +#

+# This program is free software; you can redistribute it and/or modify it under the terms of the +# GNU General Public License as published by the Free Software Foundation; either version 2 of the +# License, or (at your option) any later version. +#

+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +#

+# You should have received a copy of the GNU General Public License along with this program; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +# 02111-1307, USA. +#

+# Getting Source ============== +#

+# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software +# projects. +#

+# + +register.new=Register new user +sign.up=Sign up +register.title=Register + +password=Password +password.confirm=Confirm password +username=Username + + + +not.empty=This field is required. +username.size=Please use between 6 and 10 characters. +username.duplicate=User already exists. +password.size=Password should at least contain 6 characters +password.diff=The passwords do not match. \ No newline at end of file diff --git a/webwolf/src/main/resources/templates/login.html b/webwolf/src/main/resources/templates/login.html index 6f9a4e07c..755831691 100644 --- a/webwolf/src/main/resources/templates/login.html +++ b/webwolf/src/main/resources/templates/login.html @@ -45,6 +45,7 @@

+
diff --git a/webwolf/src/main/resources/templates/registration.html b/webwolf/src/main/resources/templates/registration.html new file mode 100644 index 000000000..2c4d06a2a --- /dev/null +++ b/webwolf/src/main/resources/templates/registration.html @@ -0,0 +1,89 @@ + + + +
+ + + +
+ +
+ +

+
+ Please Sign Up +
+ +
+ +
+ +
+ Username error +
+
+ +
+ +
+ Password error +
+
+ +
+ +
+ Password error + +
+ +
+ +
+
+

+ While running this program your machine will be extremely + vulnerable to attack. You should disconnect from the Internet while using + this program. WebGoat's default configuration binds to localhost to minimize + the exposure. +

+

+ This program is for educational purposes only. If you attempt + these techniques without authorization, you are very likely to get caught. If + you are caught engaging in unauthorized hacking, most companies will fire you. + Claiming that you were doing security research will not work as that is the + first thing that all hackers claim. +

+
+
+
+ +
+
+
+ +
+
+
+ +
+
+ +
+
+
+
+ +
+ + \ No newline at end of file