From 599f36fdb8a7a44bae38f8e72d5754f0476a66de Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sat, 8 Apr 2017 10:31:56 +0200
Subject: [PATCH] Challenge 2 JavaScript is working

---
 .../owasp/webgoat/plugin/ShopEndpoint.java    | 51 +++++++++----------
 .../webgoat/plugin/SolutionConstants.java     |  2 +-
 .../src/main/resources/html/Challenge.html    | 33 ++++++++----
 .../src/main/resources/js/challenge2.js       | 43 +++++++++++-----
 .../resources/lessonPlans/en/Challenge_2.adoc |  1 +
 5 files changed, 78 insertions(+), 52 deletions(-)
 create mode 100644 webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_2.adoc

diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java
index fc0323613..cc1f2bc3f 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java
@@ -3,13 +3,14 @@ package org.owasp.webgoat.plugin;
 import com.beust.jcommander.internal.Lists;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
-import org.apache.commons.lang3.RandomStringUtils;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.util.List;
+import java.util.Optional;
 
 import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
 
@@ -18,54 +19,50 @@ import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
  * @since 4/6/17.
  */
 @RestController
+@RequestMapping("challenge-store")
 public class ShopEndpoint {
 
     @AllArgsConstructor
-    private class CouponCodes {
+    private class CheckoutCodes {
 
         @Getter
-        private List<CouponCode> codes = Lists.newArrayList();
+        private List<CheckoutCode> codes = Lists.newArrayList();
 
-        public boolean contains(String code) {
-            return codes.stream().anyMatch(c -> c.getCode().equals(code));
+        public Optional<CheckoutCode> get(String code) {
+            return codes.stream().filter(c -> c.getCode().equals(code)).findFirst();
         }
     }
 
     @AllArgsConstructor
     @Getter
-    private class CouponCode {
+    private class CheckoutCode {
         private String code;
         private int discount;
     }
 
-    private CouponCodes couponCodes;
+    private CheckoutCodes checkoutCodes;
 
     public ShopEndpoint() {
-        List<CouponCode> codes = Lists.newArrayList();
-        for (int i = 0; i < 9; i++) {
-            codes.add(new CouponCode(RandomStringUtils.random(10), i * 100));
-        }
-        this.couponCodes = new CouponCodes(codes);
+        List<CheckoutCode> codes = Lists.newArrayList();
+        codes.add(new CheckoutCode("pre-order-webgoat", 25));
+        codes.add(new CheckoutCode("pre-order-owasp", 25));
+        codes.add(new CheckoutCode("pre-order-webgoat-owasp", 50));
+        this.checkoutCodes = new CheckoutCodes(codes);
     }
 
-    @GetMapping(value = "/coupons/{user}", produces = MediaType.APPLICATION_JSON_VALUE)
-    public CouponCodes getDiscountCodes(@PathVariable String user) {
-        if ("Tom".equals(user)) {
-            return couponCodes;
+    @GetMapping(value = "/coupons/{code}", produces = MediaType.APPLICATION_JSON_VALUE)
+    public CheckoutCode getDiscountCode(@PathVariable String code) {
+        if (SUPER_COUPON_CODE.equals(code)) {
+            return new CheckoutCode(SUPER_COUPON_CODE, 100);
         }
-        return null;
-    }
-
-    @GetMapping(value = "/coupons/valid/{code}", produces = MediaType.APPLICATION_JSON_VALUE)
-    public boolean isValidCouponCode(@PathVariable String code) {
-        return couponCodes.contains(code);
+        return checkoutCodes.get(code).orElse(new CheckoutCode("no", 0));
     }
 
     @GetMapping(value = "/coupons", produces = MediaType.APPLICATION_JSON_VALUE)
-    public CouponCodes coupons() {
-        List<CouponCode> all = Lists.newArrayList();
-        all.addAll(this.couponCodes.getCodes());
-        all.add(new CouponCode(SUPER_COUPON_CODE, 100));
-        return new CouponCodes(all);
+    public CheckoutCodes all() {
+        List<CheckoutCode> all = Lists.newArrayList();
+        all.addAll(this.checkoutCodes.getCodes());
+        all.add(new CheckoutCode(SUPER_COUPON_CODE, 100));
+        return new CheckoutCodes(all);
     }
 }
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
index 5450e02ae..d881875d9 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
@@ -9,6 +9,6 @@ package org.owasp.webgoat.plugin;
 public interface SolutionConstants {
 
     String PASSWORD = "!!webgoat_admin_1234!!";
-    String SUPER_COUPON_CODE = "get_if_for_free";
+    String SUPER_COUPON_CODE = "get_it_for_free";
 
 }
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
index 59de297d1..8c9bbc78d 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
+++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
@@ -7,6 +7,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:Challenge_1.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="panel panel-default">
@@ -54,8 +55,8 @@
     </div>
 </div>
 
-
 <div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:Challenge_2.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge2.css}"/>
     <script th:src="@{/lesson_js/challenge2.js}" language="JavaScript"></script>
     <div class="attack-container">
@@ -66,23 +67,23 @@
                     <img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/>
                 </div>
                 <div class="col-xs-5" style="border:0px solid gray">
-                    <h3>Samsung Galaxy S8 Plus 64GB Android Phone</h3>
-                    <h5 style="color:#337ab7">Manufacturer <a href="http://www.samsung.com">Samsung</a> ·
-                        <small style="color:#337ab7">(5054 reviews)</small>
+                    <h3>Samsung Galaxy S8 Plus Android Phone</h3>
+                    <h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> ·
+                        <small style="color:#337ab7">(124421 reviews)</small>
                     </h5>
 
                     <h6 class="title-price">
                         <small>PRICE</small>
                     </h6>
-                    <h3 style="margin-top:0px;">US $899</h3>
+                    <h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3>
 
                     <div class="section">
                         <h6 class="title-attr" style="margin-top:15px;">
                             <small>COLOR</small>
                         </h6>
                         <div>
-                            <div class="attr" style="width:25px;background:#5a5a5a;"></div>
-                            <div class="attr" style="width:25px;background:white;"></div>
+                            <div class="attr" style="width:25px;background:lightgrey;"></div>
+                            <div class="attr" style="width:25px;background:black;"></div>
                         </div>
                     </div>
                     <div class="section" style="padding-bottom:5px;">
@@ -90,8 +91,8 @@
                             <small>CAPACITY</small>
                         </h6>
                         <div>
-                            <div class="attr2">16 GB</div>
-                            <div class="attr2">32 GB</div>
+                            <div class="attr2">64 GB</div>
+                            <div class="attr2">128 GB</div>
                         </div>
                     </div>
                     <div class="section" style="padding-bottom:20px;">
@@ -100,11 +101,23 @@
                         </h6>
                         <div>
                             <div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div>
-                            <input value="1"/>
+                            <input class="quantity" value="1"/>
                             <div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div>
                         </div>
                     </div>
 
+                    <div class="section" style="padding-bottom:20px;">
+                        <h6 class="title-attr">
+                            <small>CHECKOUT CODE</small>
+                        </h6>
+
+                        <!--
+                          Checkout code: pre-order-webgoat, pre-order-owasp, pre-order-webgoat-owasp
+                        -->
+                        <input class="checkoutCode" value=""/>
+
+                    </div>
+
                     <div class="section" style="padding-bottom:20px;">
                         <button class="btn btn-success"><span style="margin-right:20px"
                                                               class="glyphicon glyphicon-shopping-cart"
diff --git a/webgoat-lessons/challenge/src/main/resources/js/challenge2.js b/webgoat-lessons/challenge/src/main/resources/js/challenge2.js
index a9e649e8c..eb1528c7c 100644
--- a/webgoat-lessons/challenge/src/main/resources/js/challenge2.js
+++ b/webgoat-lessons/challenge/src/main/resources/js/challenge2.js
@@ -1,11 +1,11 @@
-$(document).ready(function(){
+$(document).ready(function () {
     //-- Click on detail
-    $("ul.menu-items > li").on("click",function(){
+    $("ul.menu-items > li").on("click", function () {
         $("ul.menu-items > li").removeClass("active");
         $(this).addClass("active");
     })
 
-    $(".attr,.attr2").on("click",function(){
+    $(".attr,.attr2").on("click", function () {
         var clase = $(this).attr("class");
 
         $("." + clase).removeClass("active");
@@ -13,21 +13,36 @@ $(document).ready(function(){
     })
 
     //-- Click on QUANTITY
-    $(".btn-minus").on("click",function(){
+    $(".btn-minus").on("click", function () {
         var now = $(".section > div > input").val();
-        if ($.isNumeric(now)){
-            if (parseInt(now) -1 > 0){ now--;}
-            $(".section > div > input").val(now);
-        }else{
-            $(".section > div > input").val("1");
+        if ($.isNumeric(now)) {
+            if (parseInt(now) - 1 > 0) {
+                now--;
+            }
+            $(".quantity").val(now);
+        } else {
+            $(".quantity").val("1");
         }
     })
-    $(".btn-plus").on("click",function(){
+    $(".btn-plus").on("click", function () {
         var now = $(".section > div > input").val();
-        if ($.isNumeric(now)){
-            $(".section > div > input").val(parseInt(now)+1);
-        }else{
-            $(".section > div > input").val("1");
+        if ($.isNumeric(now)) {
+            $(".quantity").val(parseInt(now) + 1);
+        } else {
+            $(".quantity").val("1");
         }
     })
+    $(".checkoutCode").on("blur", function () {
+        var checkoutCode = $(".checkoutCode").val();
+        $.get("challenge-store/coupons/" + checkoutCode, function (result, status) {
+            var discount = result.discount;
+            if (discount > 0) {
+                var price = $('#price').val();
+                $('#price').text((899 - (899 * discount / 100)).toFixed(2));
+            } else {
+                $('#price').text(899);
+            }
+
+        });
+    })
 })
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_2.adoc b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_2.adoc
new file mode 100644
index 000000000..a9177c5b2
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_2.adoc
@@ -0,0 +1 @@
+=== No need to pay... (WIP!!)
\ No newline at end of file