Refactoring (#1201)

* Some initial refactoring

* Make it one application

* Got it working

* Fix problem on Windows

* Move WebWolf

* Move first lesson

* Moved all lessons

* Fix pom.xml

* Fix tests

* Add option to initialize a lesson

This way we can create content for each user inside a lesson. The initialize method will be called when a new user is created or when a lesson reset happens

* Clean up pom.xml files

* Remove fetching labels based on language.

We only support English at the moment, all the lesson explanations are written in English which makes it very difficult to translate. If we only had labels it would make sense to support multiple languages

* Fix SonarLint issues

* And move it all to the main project

* Fix for documentation paths

* Fix pom warnings

* Remove PMD as it does not work

* Update release notes about refactoring

Update release notes about refactoring

Update release notes about refactoring

* Fix lesson template

* Update release notes

* Keep it in the same repo in Dockerhub

* Update documentation to show how the connection is obtained.

Resolves: #1180

* Rename all integration tests

* Remove command from Dockerfile

* Simplify GitHub actions

Currently, we use a separate actions for pull-requests and branch build.
This is now consolidated in one action.
The PR action triggers always, it now only trigger when the PR is
opened and not in draft.
Running all platforms on a branch build is a bit too much, it is better
 to only run all platforms when someone opens a PR.

* Remove duplicate entry from release notes

* Add explicit registry for base image

* Lesson scanner not working when fat jar

When running the fat jar we have to take into account we
are reading from the jar file and not the filesystem. In
this case you cannot use `getFile` for example.

* added info in README and fixed release docker

* changed base image and added ignore file

Co-authored-by: Zubcevic.com <rene@zubcevic.com>

src/main/java/org/owasp/webgoat/webwolf/FileServer.java

@@ -0,0 +1,121 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.webwolf;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.io.FileUtils;
+import org.owasp.webgoat.webwolf.user.WebGoatUser;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.MediaType;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.ModelMap;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.multipart.MultipartFile;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.view.RedirectView;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.File;
+import java.io.IOException;
+import java.util.ArrayList;
+
+import static org.springframework.http.MediaType.ALL_VALUE;
+
+/**
+ * Controller for uploading a file
+ */
+@Controller
+@Slf4j
+public class FileServer {
+
+    @Value("${webwolf.fileserver.location}")
+    private String fileLocation;
+    @Value("${server.address}")
+    private String server;
+    @Value("${server.port}")
+    private int port;
+
+    @RequestMapping(path = "/file-server-location", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
+    @ResponseBody
+    public String getFileLocation() {
+        return fileLocation;
+    }
+
+    @PostMapping(value = "/fileupload")
+    public ModelAndView importFile(@RequestParam("file") MultipartFile myFile) throws IOException {
+        var user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+        var destinationDir = new File(fileLocation, user.getUsername());
+        destinationDir.mkdirs();
+        myFile.transferTo(new File(destinationDir, myFile.getOriginalFilename()));
+        log.debug("File saved to {}", new File(destinationDir, myFile.getOriginalFilename()));
+
+        return new ModelAndView(
+                new RedirectView("files", true),
+                new ModelMap().addAttribute("uploadSuccess", "File uploaded successful")
+        );
+    }
+
+    @AllArgsConstructor
+    @Getter
+    private class UploadedFile {
+        private final String name;
+        private final String size;
+        private final String link;
+    }
+
+    @GetMapping(value = "/files")
+    public ModelAndView getFiles(HttpServletRequest request) {
+        WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+        String username = user.getUsername();
+        File destinationDir = new File(fileLocation, username);
+
+        ModelAndView modelAndView = new ModelAndView();
+        modelAndView.setViewName("files");
+        File changeIndicatorFile = new File(destinationDir, user.getUsername() + "_changed");
+        if (changeIndicatorFile.exists()) {
+            modelAndView.addObject("uploadSuccess", request.getParameter("uploadSuccess"));
+        }
+        changeIndicatorFile.delete();
+
+        var uploadedFiles = new ArrayList<>();
+        File[] files = destinationDir.listFiles(File::isFile);
+        if (files != null) {
+            for (File file : files) {
+                String size = FileUtils.byteCountToDisplaySize(file.length());
+                String link = String.format("files/%s/%s", username, file.getName());
+                uploadedFiles.add(new UploadedFile(file.getName(), size, link));
+            }
+        }
+
+        modelAndView.addObject("files", uploadedFiles);
+        modelAndView.addObject("webwolf_url", "http://" + server + ":" + port);
+        return modelAndView;
+    }
+}

src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java

@@ -0,0 +1,66 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.webwolf;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
+import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+import javax.annotation.PostConstruct;
+import java.io.File;
+
+/**
+ * @author nbaars
+ * @since 8/13/17.
+ */
+@Configuration
+public class MvcConfiguration implements WebMvcConfigurer {
+
+    @Value("${webwolf.fileserver.location}")
+    private String fileLocation;
+
+    @Override
+    public void addResourceHandlers(ResourceHandlerRegistry registry) {
+        registry.addResourceHandler("/files/**").addResourceLocations("file:///" + fileLocation + "/");
+
+        registry.addResourceHandler("/css/**").addResourceLocations("classpath:/webwolf/static/css/");
+        registry.addResourceHandler("/js/**").addResourceLocations("classpath:/webwolf/static/js/");
+        registry.addResourceHandler("/images/**").addResourceLocations("classpath:/webwolf/static/images/");
+    }
+
+    @Override
+    public void addViewControllers(ViewControllerRegistry registry) {
+        registry.addViewController("/login").setViewName("webwolf-login");
+        registry.addViewController("/home").setViewName("home");
+    }
+
+    @PostConstruct
+    public void createDirectory() {
+        File file = new File(fileLocation);
+        if (!file.exists()) {
+            file.mkdirs();
+        }
+    }
+}

src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java

@@ -0,0 +1,91 @@
+
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+package org.owasp.webgoat.webwolf;
+
+import lombok.AllArgsConstructor;
+import org.owasp.webgoat.webwolf.user.UserService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+
+/**
+ * Security configuration for WebGoat.
+ */
+@Configuration
+@AllArgsConstructor
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    private final UserService userDetailsService;
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
+                .authorizeRequests()
+                .antMatchers("/css/**", "/images/**", "/js/**", "/fonts/**", "/webjars/**", "/home").permitAll()
+                .antMatchers(HttpMethod.GET, "/mail/**", "/requests/**").authenticated()
+                .antMatchers("/files").authenticated()
+                .anyRequest().permitAll();
+        security.and().csrf().disable().formLogin()
+                .loginPage("/login").failureUrl("/login?error=true");
+        security.and()
+                .formLogin()
+                .loginPage("/login")
+                .defaultSuccessUrl("/home", true)
+                .permitAll();
+        security.and()
+                .logout()
+                .permitAll();
+    }
+
+    @Autowired
+    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+        auth.userDetailsService(userDetailsService); //.passwordEncoder(bCryptPasswordEncoder());
+    }
+
+    @Bean
+    @Override
+    public UserDetailsService userDetailsServiceBean() throws Exception {
+        return userDetailsService;
+    }
+
+    @Override
+    @Bean
+    protected AuthenticationManager authenticationManager() throws Exception {
+        return super.authenticationManager();
+    }
+
+    @Bean
+    public NoOpPasswordEncoder passwordEncoder() {
+        return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
+    }
+}

src/main/java/org/owasp/webgoat/webwolf/WebWolf.java

@@ -0,0 +1,44 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.webwolf;
+
+import org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository;
+import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.PropertySource;
+
+@Configuration
+@ComponentScan("org.owasp.webgoat.webwolf")
+@PropertySource("classpath:application-webwolf.properties")
+@EnableAutoConfiguration
+public class WebWolf {
+
+    @Bean
+    public HttpTraceRepository traceRepository() {
+        return new WebWolfTraceRepository();
+    }
+
+}

src/main/java/org/owasp/webgoat/webwolf/jwt/JWTController.java

@@ -0,0 +1,36 @@
+package org.owasp.webgoat.webwolf.jwt;
+
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.ModelAndView;
+
+import static org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED_VALUE;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
+@RestController
+public class JWTController {
+
+    @GetMapping("/jwt")
+    public ModelAndView jwt() {
+        return new ModelAndView("jwt");
+    }
+
+    @PostMapping(value = "/jwt/decode", consumes = APPLICATION_FORM_URLENCODED_VALUE, produces = APPLICATION_JSON_VALUE)
+    public JWTToken decode(@RequestBody MultiValueMap<String, String> formData) {
+        var jwt = formData.getFirst("token");
+        var secretKey = formData.getFirst("secretKey");
+        return JWTToken.decode(jwt, secretKey);
+    }
+
+    @PostMapping(value = "/jwt/encode", consumes = APPLICATION_FORM_URLENCODED_VALUE, produces = APPLICATION_JSON_VALUE)
+    public JWTToken encode(@RequestBody MultiValueMap<String, String> formData) {
+        var header = formData.getFirst("header");
+        var payload = formData.getFirst("payload");
+        var secretKey = formData.getFirst("secretKey");
+        return JWTToken.encode(header, payload, secretKey);
+    }
+
+}

src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java

@@ -0,0 +1,137 @@
+package org.owasp.webgoat.webwolf.jwt;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+import org.jose4j.jws.JsonWebSignature;
+import org.jose4j.jwt.consumer.InvalidJwtException;
+import org.jose4j.jwt.consumer.JwtConsumer;
+import org.jose4j.jwt.consumer.JwtConsumerBuilder;
+import org.jose4j.jwx.CompactSerializer;
+import org.jose4j.keys.HmacKey;
+import org.jose4j.lang.JoseException;
+
+import java.util.Map;
+import java.util.TreeMap;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.jose4j.jwx.CompactSerializer.serialize;
+import static org.springframework.util.Base64Utils.decodeFromUrlSafeString;
+import static org.springframework.util.StringUtils.hasText;
+
+@NoArgsConstructor
+@AllArgsConstructor
+@Getter
+@Setter
+@Builder(toBuilder = true)
+public class JWTToken {
+
+    private String encoded = "";
+    private String secretKey;
+    private String header;
+    private boolean validHeader;
+    private boolean validPayload;
+    private boolean validToken;
+    private String payload;
+    private boolean signatureValid = true;
+
+    public static JWTToken decode(String jwt, String secretKey) {
+        var token = parseToken(jwt.trim().replace(System.getProperty("line.separator"), ""));
+        return token.toBuilder().signatureValid(validateSignature(secretKey, jwt)).build();
+    }
+
+    private static Map<String, Object> parse(String header) {
+        var reader = new ObjectMapper();
+        try {
+            return reader.readValue(header, TreeMap.class);
+        } catch (JsonProcessingException e) {
+            return Map.of();
+        }
+    }
+
+    private static String write(String originalValue, Map<String, Object> data) {
+        var writer = new ObjectMapper().writerWithDefaultPrettyPrinter();
+        try {
+            if (data.isEmpty()) {
+                return originalValue;
+            }
+            return writer.writeValueAsString(data);
+        } catch (JsonProcessingException e) {
+            return originalValue;
+        }
+    }
+
+    public static JWTToken encode(String header, String payloadAsString, String secretKey) {
+        var headers = parse(header);
+        var payload = parse(payloadAsString);
+
+        var builder = JWTToken.builder()
+                .header(write(header, headers))
+                .payload(write(payloadAsString, payload))
+                .validHeader(!hasText(header) || !headers.isEmpty())
+                .validToken(true)
+                .validPayload(!hasText(payloadAsString) || !payload.isEmpty());
+
+        JsonWebSignature jws = new JsonWebSignature();
+        jws.setPayload(payloadAsString);
+        headers.forEach((k, v) -> jws.setHeader(k, v));
+        if (!headers.isEmpty()) { //otherwise e30 meaning {} will be shown as header
+            builder.encoded(CompactSerializer.serialize(new String[]{jws.getHeaders().getEncodedHeader(), jws.getEncodedPayload()}));
+        }
+
+        //Only sign when valid header and payload
+        if (!headers.isEmpty() && !payload.isEmpty() && hasText(secretKey)) {
+            jws.setDoKeyValidation(false);
+            jws.setKey(new HmacKey(secretKey.getBytes(UTF_8)));
+            try {
+                builder.encoded(jws.getCompactSerialization());
+                builder.signatureValid(true);
+            } catch (JoseException e) {
+                //Do nothing
+            }
+        }
+        return builder.build();
+    }
+
+    private static JWTToken parseToken(String jwt) {
+        var token = jwt.split("\\.");
+        var builder = JWTToken.builder().encoded(jwt);
+
+        if (token.length >= 2) {
+            var header = new String(decodeFromUrlSafeString(token[0]), UTF_8);
+            var payloadAsString = new String(decodeFromUrlSafeString(token[1]), UTF_8);
+            var headers = parse(header);
+            var payload = parse(payloadAsString);
+            builder.header(write(header, headers));
+            builder.payload(write(payloadAsString, payload));
+            builder.validHeader(!headers.isEmpty());
+            builder.validPayload(!payload.isEmpty());
+            builder.validToken(!headers.isEmpty() && !payload.isEmpty());
+        } else {
+            builder.validToken(false);
+        }
+        return builder.build();
+    }
+
+    private static boolean validateSignature(String secretKey, String jwt) {
+        if (hasText(secretKey)) {
+            JwtConsumer jwtConsumer = new JwtConsumerBuilder()
+                    .setSkipAllValidators()
+                    .setVerificationKey(new HmacKey(secretKey.getBytes(UTF_8)))
+                    .setRelaxVerificationKeyValidation()
+                    .build();
+            try {
+                jwtConsumer.processToClaims(jwt);
+                return true;
+            } catch (InvalidJwtException e) {
+                return false;
+            }
+        }
+        return false;
+    }
+
+}

src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java

@@ -0,0 +1,74 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.webwolf.mailbox;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import javax.persistence.*;
+import java.io.Serializable;
+import java.time.LocalDateTime;
+import java.time.format.DateTimeFormatter;
+
+/**
+ * @author nbaars
+ * @since 8/20/17.
+ */
+@Data
+@Builder
+@AllArgsConstructor
+@Entity
+@NoArgsConstructor
+public class Email implements Serializable {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+    @JsonIgnore
+    private LocalDateTime time = LocalDateTime.now();
+    @Column(length = 1024)
+    private String contents;
+    private String sender;
+    private String title;
+    private String recipient;
+
+    public String getSummary() {
+        return "-" + this.contents.substring(0, Math.min(50, contents.length()));
+    }
+
+    public LocalDateTime getTimestamp() {
+        return time;
+    }
+
+    public String getTime() {
+        return DateTimeFormatter.ofPattern("h:mm a").format(time);
+    }
+
+    public String getShortSender() {
+        return sender.substring(0, sender.indexOf("@"));
+    }
+
+}

src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java

@@ -0,0 +1,65 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.webwolf.mailbox;
+
+import lombok.AllArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.ModelAndView;
+
+import java.util.List;
+
+@RestController
+@AllArgsConstructor
+@Slf4j
+public class MailboxController {
+
+    private final MailboxRepository mailboxRepository;
+
+    @GetMapping(value = "/mail")
+    public ModelAndView mail() {
+        UserDetails user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+        ModelAndView modelAndView = new ModelAndView();
+        List<Email> emails = mailboxRepository.findByRecipientOrderByTimeDesc(user.getUsername());
+        if (emails != null && !emails.isEmpty()) {
+            modelAndView.addObject("total", emails.size());
+            modelAndView.addObject("emails", emails);
+        }
+        modelAndView.setViewName("mailbox");
+        return modelAndView;
+    }
+
+    @PostMapping(value = "/mail")
+    public ResponseEntity<?> sendEmail(@RequestBody Email email) {
+        mailboxRepository.save(email);
+        return ResponseEntity.status(HttpStatus.CREATED).build();
+    }
+
+}

src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepository.java

@@ -0,0 +1,37 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.webwolf.mailbox;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+
+import java.util.List;
+
+/**
+ * @author nbaars
+ * @since 8/17/17.
+ */
+public interface MailboxRepository extends JpaRepository<Email, String> {
+
+    List<Email> findByRecipientOrderByTimeDesc(String recipient);
+
+}

src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java

@@ -0,0 +1,47 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.webwolf.requests;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.ResponseEntity;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.concurrent.Callable;
+
+@Controller
+@Slf4j
+@RequestMapping("/landing/**")
+public class LandingPage {
+
+    @RequestMapping(method = {RequestMethod.POST, RequestMethod.GET, RequestMethod.DELETE, RequestMethod.PATCH, RequestMethod.PUT})
+    public Callable<ResponseEntity<?>> ok(HttpServletRequest request) {
+        return () -> {
+            log.trace("Incoming request for: {}", request.getRequestURL());
+            return ResponseEntity.ok().build();
+        };
+    }
+
+}

src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java

@@ -0,0 +1,106 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.webwolf.requests;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.boot.actuate.trace.http.HttpTrace;
+import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.servlet.ModelAndView;
+
+import java.time.Instant;
+
+import static java.util.stream.Collectors.toList;
+
+/**
+ * Controller for fetching all the HTTP requests from WebGoat to WebWolf for a specific
+ * user.
+ *
+ * @author nbaars
+ * @since 8/13/17.
+ */
+@Controller
+@RequiredArgsConstructor
+@Slf4j
+@RequestMapping(value = "/requests")
+public class Requests {
+
+    private final WebWolfTraceRepository traceRepository;
+    private final ObjectMapper objectMapper;
+
+    @AllArgsConstructor
+    @Getter
+    private class Tracert {
+        private final Instant date;
+        private final String path;
+        private final String json;
+    }
+
+    @GetMapping
+    public ModelAndView get() {
+        var model = new ModelAndView("requests");
+        var user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+        var traces = traceRepository.findAllTraces().stream()
+        		.filter(t -> allowedTrace(t, user))
+                .map(t -> new Tracert(t.getTimestamp(), path(t), toJsonString(t))).collect(toList());
+        model.addObject("traces", traces);
+
+        return model;
+    }
+    
+    private boolean allowedTrace(HttpTrace t, UserDetails user) {
+    	Request req = t.getRequest();
+    	boolean allowed = true;
+    	/* do not show certain traces to other users in a classroom setup */
+    	if (req.getUri().getPath().contains("/files") && !req.getUri().getPath().contains(user.getUsername())) {
+    		allowed = false;
+    	} else if (req.getUri().getPath().contains("/landing") && req.getUri().getQuery()!=null && req.getUri().getQuery().contains("uniqueCode") && !req.getUri().getQuery().contains(StringUtils.reverse(user.getUsername()))) {
+    		allowed = false;
+    	}
+    	    	
+    	return allowed;
+    }
+
+    private String path(HttpTrace t) {
+        return (String) t.getRequest().getUri().getPath();
+    }
+
+    private String toJsonString(HttpTrace t) {
+        try {
+            return objectMapper.writeValueAsString(t);
+        } catch (JsonProcessingException e) {
+            log.error("Unable to create json", e);
+        }
+        return "No request(s) found";
+    }
+}

src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java

@@ -0,0 +1,68 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.webwolf.requests;
+
+import com.google.common.collect.EvictingQueue;
+import com.google.common.collect.Lists;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.actuate.trace.http.HttpTrace;
+import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Keep track of all the incoming requests, we are only keeping track of request originating from
+ * WebGoat.
+ *
+ * @author nbaars
+ * @since 8/13/17.
+ */
+@Slf4j
+public class WebWolfTraceRepository implements HttpTraceRepository {
+
+    private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
+    private final List<String> exclusionList = List.of("/tmpdir", "/home", "/files",
+            "/images/", "/favicon.ico", "/js/", "/webjars/", "/requests", "/css/", "/mail");
+
+    @Override
+    public List<HttpTrace> findAll() {
+        return List.of();
+    }
+
+    public List<HttpTrace> findAllTraces() {
+        return new ArrayList<>(traces);
+    }
+
+    private boolean isInExclusionList(String path) {
+        return exclusionList.stream().anyMatch(e -> path.contains(e));
+    }
+
+    @Override
+    public void add(HttpTrace httpTrace) {
+        var path = httpTrace.getRequest().getUri().getPath();
+        if (!isInExclusionList(path)) {
+            traces.add(httpTrace);
+        }
+    }
+}

src/main/java/org/owasp/webgoat/webwolf/user/UserRepository.java

@@ -0,0 +1,34 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.webwolf.user;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+
+/**
+ * @author nbaars
+ * @since 3/19/17.
+ */
+public interface UserRepository extends JpaRepository<WebGoatUser, String> {
+
+    WebGoatUser findByUsername(String username);
+}

src/main/java/org/owasp/webgoat/webwolf/user/UserService.java

@@ -0,0 +1,56 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.webwolf.user;
+
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Service;
+
+/**
+ * @author nbaars
+ * @since 3/19/17.
+ */
+@Service
+public class UserService implements UserDetailsService {
+
+    private UserRepository userRepository;
+
+    public UserService(UserRepository userRepository) {
+        this.userRepository = userRepository;
+    }
+
+    @Override
+    public WebGoatUser loadUserByUsername(final String username) throws UsernameNotFoundException {
+        WebGoatUser webGoatUser = userRepository.findByUsername(username);
+        if (webGoatUser == null) {
+            throw new UsernameNotFoundException("User not found");
+        }
+        webGoatUser.createUser();
+        return webGoatUser;
+    }
+
+
+    public void addUser(final String username, final String password) {
+        userRepository.save(new WebGoatUser(username, password));
+    }
+}

src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java

@@ -0,0 +1,89 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.webwolf.user;
+
+import lombok.Getter;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.Transient;
+import java.util.Collection;
+import java.util.Collections;
+
+/**
+ * @author nbaars
+ * @since 3/19/17.
+ */
+@Getter
+@Entity
+public class WebGoatUser implements UserDetails {
+
+    @Id
+    private String username;
+    private String password;
+    @Transient
+    private User user;
+
+    protected WebGoatUser() {
+    }
+
+    public WebGoatUser(String username, String password) {
+        this.username = username;
+        this.password = password;
+        createUser();
+    }
+
+    public void createUser() {
+        this.user = new User(username, password, getAuthorities());
+    }
+
+    public Collection<? extends GrantedAuthority> getAuthorities() {
+        return Collections.emptyList();
+    }
+
+    @Override
+    public boolean isAccountNonExpired() {
+        return this.user.isAccountNonExpired();
+    }
+
+    @Override
+    public boolean isAccountNonLocked() {
+        return this.user.isAccountNonLocked();
+    }
+
+    @Override
+    public boolean isCredentialsNonExpired() {
+        return this.user.isCredentialsNonExpired();
+    }
+
+    @Override
+    public boolean isEnabled() {
+        return this.user.isEnabled();
+    }
+}
+
+