Restructured the baseline to remove extra src/main directory structure. Added eclipes project file

git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507
2012-11-19 23:57:51 +00:00
parent fb938e0933
commit 6a96547ef0
1204 changed files with 85 additions and 2 deletions
--- a/java/org/owasp/webgoat/lessons/GoatHillsFinancial/DefaultLessonAction.java
+++ b/java/org/owasp/webgoat/lessons/GoatHillsFinancial/DefaultLessonAction.java
@ -0,0 +1,330 @@
+
+package org.owasp.webgoat.lessons.GoatHillsFinancial;
+
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
+import org.owasp.webgoat.session.ParameterNotFoundException;
+import org.owasp.webgoat.session.UnauthenticatedException;
+import org.owasp.webgoat.session.UnauthorizedException;
+import org.owasp.webgoat.session.ValidationException;
+import org.owasp.webgoat.session.WebSession;
+
+
+/***************************************************************************************************
+ * 
+ * 
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * 
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ * 
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * 
+ * Getting Source ==============
+ * 
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
+ * 
+ * For details, please see http://code.google.com/p/webgoat/
+ */
+public abstract class DefaultLessonAction implements LessonAction
+{
+	// FIXME: We could parse this class name to get defaults for these fields.
+	private String lessonName;
+	private String actionName;
+
+	private GoatHillsFinancial lesson;
+
+	public DefaultLessonAction(GoatHillsFinancial lesson, String lessonName, String actionName)
+	{
+		this.lesson = lesson;
+		this.lessonName = lessonName;
+		this.actionName = actionName;
+	}
+
+	public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
+			UnauthorizedException, ValidationException
+	{
+		getLesson().setCurrentAction(s, getActionName());
+
+		if (isAuthenticated(s))
+		{
+		}
+		else
+			throw new UnauthenticatedException();
+	}
+
+	public abstract String getNextPage(WebSession s);
+
+	public GoatHillsFinancial getLesson()
+	{
+		return lesson;
+	}
+
+	public String getLessonName()
+	{
+		return lessonName;
+	}
+
+	public String getActionName()
+	{
+		return actionName;
+	}
+
+	public void setSessionAttribute(WebSession s, String name, Object value)
+	{
+		s.getRequest().getSession().setAttribute(name, value);
+	}
+
+	public void setRequestAttribute(WebSession s, String name, Object value)
+	{
+		s.getRequest().setAttribute(name, value);
+	}
+
+	public void removeSessionAttribute(WebSession s, String name)
+	{
+		s.getRequest().getSession().removeAttribute(name);
+	}
+
+	protected String getSessionAttribute(WebSession s, String name) throws ParameterNotFoundException
+	{
+		String value = (String) s.getRequest().getSession().getAttribute(name);
+		if (value == null) { throw new ParameterNotFoundException(); }
+
+		return value;
+	}
+
+	protected boolean getBooleanSessionAttribute(WebSession s, String name) throws ParameterNotFoundException
+	{
+		boolean value = false;
+
+		Object attribute = s.getRequest().getSession().getAttribute(name);
+		if (attribute == null)
+		{
+			throw new ParameterNotFoundException();
+		}
+		else
+		{
+			// System.out.println("Attribute " + name + " is of type " +
+			// s.getRequest().getSession().getAttribute(name).getClass().getName());
+			// System.out.println("Attribute value: " +
+			// s.getRequest().getSession().getAttribute(name));
+			value = ((Boolean) attribute).booleanValue();
+		}
+		return value;
+	}
+
+	protected int getIntSessionAttribute(WebSession s, String name) throws ParameterNotFoundException
+	{
+		int value = -1;
+		String ss = (String) s.getRequest().getSession().getAttribute(name);
+		if (ss == null)
+		{
+			throw new ParameterNotFoundException();
+		}
+		else
+		{
+			try
+			{
+				value = Integer.parseInt(ss);
+			} catch (NumberFormatException nfe)
+			{
+			}
+		}
+
+		return value;
+	}
+
+	protected String getRequestAttribute(WebSession s, String name) throws ParameterNotFoundException
+	{
+		String value = (String) s.getRequest().getAttribute(name);
+		if (value == null) { throw new ParameterNotFoundException(); }
+
+		return value;
+	}
+
+	protected int getIntRequestAttribute(WebSession s, String name) throws ParameterNotFoundException
+	{
+		int value = -1;
+		String ss = (String) s.getRequest().getAttribute(name);
+		if (ss == null)
+		{
+			throw new ParameterNotFoundException();
+		}
+		else
+		{
+			try
+			{
+				value = Integer.parseInt(ss);
+			} catch (NumberFormatException nfe)
+			{
+			}
+		}
+
+		return value;
+	}
+
+	public int getUserId(WebSession s) throws ParameterNotFoundException
+	{
+		return getIntSessionAttribute(s, getLessonName() + "." + RoleBasedAccessControl.USER_ID);
+	}
+
+	public String getUserName(WebSession s) throws ParameterNotFoundException
+	{
+		String name = null;
+
+		int employeeId = getUserId(s);
+		try
+		{
+			String query = "SELECT first_name FROM employee WHERE userid = " + employeeId;
+
+			try
+			{
+				Statement answer_statement = WebSession.getConnection(s)
+						.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+				ResultSet answer_results = answer_statement.executeQuery(query);
+				if (answer_results.next()) name = answer_results.getString("first_name");
+			} catch (SQLException sqle)
+			{
+				s.setMessage("Error getting user name");
+				sqle.printStackTrace();
+			}
+		} catch (Exception e)
+		{
+			s.setMessage("Error getting user name");
+			e.printStackTrace();
+		}
+
+		return name;
+	}
+
+	public boolean requiresAuthentication()
+	{
+		// Default to true
+		return true;
+	}
+
+	public boolean isAuthenticated(WebSession s)
+	{
+		boolean authenticated = false;
+
+		try
+		{
+			authenticated = getBooleanSessionAttribute(s, getLessonName() + ".isAuthenticated");
+		} catch (ParameterNotFoundException e)
+		{
+		}
+
+		return authenticated;
+	}
+
+	public boolean isAuthorized(WebSession s, int employeeId, String functionId)
+	{
+		String employer_id = (String) s.getRequest().getSession()
+				.getAttribute(getLessonName() + "." + RoleBasedAccessControl.USER_ID);
+		// System.out.println("Authorizing " + employeeId + " for use of function: " + functionId +
+		// " having USER_ID = "
+		// + employer_id );
+		boolean authorized = false;
+
+		try
+		{
+			String query = "SELECT * FROM auth WHERE auth.role in (SELECT roles.role FROM roles WHERE userid = "
+					+ employeeId + ") and functionid = '" + functionId + "'";
+
+			try
+			{
+				Statement answer_statement = WebSession.getConnection(s)
+						.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+				ResultSet answer_results = answer_statement.executeQuery(query);
+				authorized = answer_results.first();
+
+				/*
+				 * User is validated for function, but can the user perform that function on the
+				 * specified user?
+				 */
+				if (authorized)
+				{
+					authorized = isAuthorizedForEmployee(s, Integer.parseInt(employer_id), employeeId);
+				}
+			} catch (SQLException sqle)
+			{
+				s.setMessage("Error authorizing");
+				sqle.printStackTrace();
+			}
+		} catch (Exception e)
+		{
+			s.setMessage("Error authorizing");
+			e.printStackTrace();
+		}
+
+		// System.out.println("Authorized? " + authorized);
+		return authorized;
+	}
+
+	public boolean isAuthorizedForEmployee(WebSession s, int userId, int employeeId)
+	{
+		// System.out.println("Authorizing " + userId + " for access to employee: " + employeeId);
+		boolean authorized = false;
+
+		try
+		{
+			String query = "SELECT * FROM ownership WHERE employer_id = ? AND employee_id = ?";
+
+			try
+			{
+
+				PreparedStatement answer_statement = WebSession.getConnection(s)
+						.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+				answer_statement.setInt(1, userId);
+				answer_statement.setInt(2, employeeId);
+				ResultSet answer_results = answer_statement.executeQuery();
+				authorized = answer_results.first();
+			} catch (SQLException sqle)
+			{
+				s.setMessage("Error authorizing");
+				sqle.printStackTrace();
+			}
+		} catch (Exception e)
+		{
+			s.setMessage("Error authorizing");
+			e.printStackTrace();
+		}
+
+		return authorized;
+	}
+
+	protected void setStage(WebSession s, String stage)
+	{
+		getLesson().setStage(s, stage);
+	}
+
+	protected void setStageComplete(WebSession s, String stage)
+	{
+		getLesson().setStageComplete(s, stage);
+	}
+
+	protected String getStage(WebSession s)
+	{
+		return getLesson().getStage(s);
+	}
+
+	public String toString()
+	{
+		return getActionName();
+	}
+
+}