Intermediate result for calling multiple lesson endpoints

2016-08-18 21:15:12 +02:00 · 2016-08-18 21:15:12 +02:00 · 61d5116d44
commit 61d5116d44
parent c0ab7b7d1c
8 changed files with 93 additions and 63 deletions
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
@ -1,38 +1,39 @@
 /**
- *************************************************************************************************
- *
- *
+ * ************************************************************************************************
+ * <p>
+ * <p>
 * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
 * please see http://www.owasp.org/
- *
+ * <p>
 * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ * <p>
 * This program is free software; you can redistribute it and/or modify it under the terms of the
 * GNU General Public License as published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
- *
+ * <p>
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
- *
+ * <p>
 * You should have received a copy of the GNU General Public License along with this program; if
 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
- *
+ * <p>
 * Getting Source ==============
- *
+ * <p>
 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
 * projects.
 *
 * @author WebGoat
- * @since October 28, 2003
 * @version $Id: $Id
+ * @since October 28, 2003
 */
 package org.owasp.webgoat;

 import org.owasp.webgoat.plugins.PluginClassLoader;
 import org.owasp.webgoat.plugins.PluginsLoader;
 import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.UserTracker;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.session.WebgoatContext;
 import org.owasp.webgoat.session.WebgoatProperties;
@ -94,11 +95,18 @@ public class WebGoat extends SpringBootServletInitializer {
    }

    @Bean
-    public Course course(PluginsLoader pluginsLoader, WebgoatContext webgoatContext, ServletContext context, WebgoatProperties webgoatProperties, LessonEndpointProvider endpointProvider) {
+    public Course course(PluginsLoader pluginsLoader, WebgoatContext webgoatContext, ServletContext context, WebgoatProperties webgoatProperties,
+                         LessonEndpointProvider endpointProvider) {
        Course course = new Course(webgoatProperties);
        course.loadCourses(webgoatContext, context, "/");
        course.loadLessonFromPlugin(pluginsLoader.loadPlugins());
        endpointProvider.registerEndpoints();
        return course;
    }
+
+    @Bean
+    public UserTracker userTracker() {
+        UserTracker userTracker = UserTracker.instance();
+        return userTracker;
+    }
 }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
@ -33,8 +33,6 @@ package org.owasp.webgoat.controller;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.RandomLessonAdapter;
 import org.owasp.webgoat.plugins.YmlBasedLesson;
-import org.owasp.webgoat.session.LessonTracker;
-import org.owasp.webgoat.session.UserTracker;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
@ -88,37 +86,9 @@ public class StartLesson {
        Optional<AbstractLesson> lesson = lessons.stream()
                .filter(l -> l.getId().equals(lessonName))
                .findFirst();
+        ws.setCurrentScreen(lesson.get().getScreenId());
        model.setViewName("lesson_content");
        model.addObject("lesson", lesson.get());
        return model;
    }
-    
-//// FIXME: 8/8/2016 duplicate code
-    @RequestMapping(value = {"*.attack"}, produces = "text/html")
-    public ModelAndView attack(HttpServletRequest request) {
-        // I will set here the thymeleaf fragment location based on the resource requested.
-        ModelAndView model = new ModelAndView();
-        SecurityContext context = SecurityContextHolder.getContext(); //TODO this should work with the security roles of Spring
-        GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
-        String path = request.getServletPath(); // we now got /a/b/c/AccessControlMatrix.lesson
-        String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".attack"));
-        WebSession ws = (WebSession) request.getSession().getAttribute(WebSession.SESSION);
-        List<AbstractLesson> lessons = ws.getCourse()
-                .getLessons(ws, AbstractLesson.USER_ROLE);//TODO this should work with the security roles of Spring
-        Optional<AbstractLesson> lesson = lessons.stream()
-                .filter(l -> l.getId().equals(lessonName))
-                .findFirst();
-        model.setViewName("lesson_content");
-
-        YmlBasedLesson ymlBasedLesson = (YmlBasedLesson) lesson.get();
-        if (ymlBasedLesson.getLessonAttack().attack()) {
-            UserTracker userTracker = UserTracker.instance();
-            LessonTracker lessonTracker = userTracker.getLessonTracker(ws, lesson.get());
-            lessonTracker.setCompleted(true);
-            model.addObject("message", ws.getMessage());
-        }
-
-        model.addObject("lesson", lesson.get());
-        return model;
-    }
 }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Attack.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Attack.java
@ -1,5 +1,7 @@
 package org.owasp.webgoat.lessons;

+import org.owasp.webgoat.lessons.model.AttackResult;
+
 /**
 * ************************************************************************************************
 * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@ -31,5 +33,5 @@ package org.owasp.webgoat.lessons;
 */
 public interface Attack {

-    boolean attack();
+    AttackResult attack();
 }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonEndpoint.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonEndpoint.java
@ -25,6 +25,9 @@
 */
 package org.owasp.webgoat.lessons;

+import org.owasp.webgoat.session.LessonTracker;
+import org.owasp.webgoat.session.UserTracker;
+import org.owasp.webgoat.session.WebSession;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.actuate.endpoint.Endpoint;
@ -47,6 +50,8 @@ public abstract class LessonEndpoint implements MvcEndpoint {
    @Autowired
    @Qualifier("pluginTargetDirectory")
    private File pluginDirectory;
+    @Autowired
+    private WebSession webSession;

    /**
     * The directory of the plugin directory in which the lessons resides, so if you want to access the lesson 'ClientSideFiltering' you will
@ -64,6 +69,12 @@ public abstract class LessonEndpoint implements MvcEndpoint {
        return new File(this.pluginDirectory, "plugin");
    }

+    protected LessonTracker getLessonTracker() {
+        UserTracker userTracker = UserTracker.instance();
+        LessonTracker lessonTracker = userTracker.getLessonTracker(webSession, webSession.getCurrentLesson());
+        return lessonTracker;
+    }
+
    @Override
    public final boolean isSensitive() {
        return false;
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java
@ -0,0 +1,56 @@
+package org.owasp.webgoat.lessons.model;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since August 13, 2016
+ */
+public class AttackResult {
+
+    private boolean lessonCompleted;
+    private String feedback;
+    private String output;
+
+    public static AttackResult success() {
+        AttackResult attackResult = new AttackResult();
+        attackResult.lessonCompleted = true;
+        attackResult.feedback = "Congratulations";
+        return attackResult;
+    }
+
+    public boolean isLessonCompleted() {
+        return lessonCompleted;
+    }
+
+    public String getFeedback() {
+        return feedback;
+    }
+
+    public String getOutput() {
+        return output;
+    }
+}
--- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/YmlBasedLesson.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/YmlBasedLesson.java
@ -50,7 +50,7 @@ public class YmlBasedLesson extends LessonAdapter {
        this.hints = hints;
        this.title = title;
        this.id = id;
-        createAttack(attack);
+      //  createAttack(attack);

    }

--- a/webgoat-container/src/main/resources/application.properties
+++ b/webgoat-container/src/main/resources/application.properties
@ -6,6 +6,7 @@ server.port=8080

 logging.level.org.springframework=WARN
 spring.thymeleaf.cache=false
+spring.thymeleaf.content-type=text/html
 security.enable-csrf=false


--- a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
+++ b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
@ -40,28 +40,10 @@ define(['jquery',
            // The current LessonAdapter#getLink() generates a hash-mark link.  It will not match the mask below.
            // Besides, the new MVC code registers an event handler that will reload the lesson according to the route.
            $('form').submit(function(event){
-                var url = this.baseURI;
-                url = url.replace('start.mvc#lesson', '');
-                url = url + '.attack';
-                $.get(url)
+                $.get(this.action, "json")
                    .done(self.reLoadView.bind(self))
                    .fail(function() { alert("failed to GET " + url); });
            });
-            //
-            //
-            // $.each($('a[href^="*.attack"]'),function(i,el) { //FIXME: need to figure out what to do here ...
-            //     var url = $(el).attr('href');
-            //     $(el).unbind('click').attr('href','#').attr('link',url);
-            //     //TODO pull currentMenuId
-            //     $(el).click(function(event) {
-            //         event.preventDefault();
-            //         var _url = $(el).attr('link');
-            //         console.log("About to GET " + _url);
-            //         $.get(_url)
-            //             .done(self.reLoadView.bind(self))
-            //             .fail(function() { alert("failed to GET " + _url); });
-            //     });
-            // });
        },

        onAttackExecution: function(feedback) {