#846: add extra test to verify whether the solution is solved for the original user as well

2020-10-23 14:06:14 +02:00 · 2020-10-23 14:06:14 +02:00 · 753a2db958
commit 753a2db958
parent 37e9359c9e
2 changed files with 201 additions and 177 deletions
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java
@ -1,8 +1,15 @@
 package org.owasp.webgoat;


-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.DynamicTest.dynamicTest;
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import lombok.Data;
+import lombok.SneakyThrows;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DynamicTest;
+import org.junit.jupiter.api.TestFactory;
+import org.owasp.webgoat.lessons.Assignment;

 import java.io.IOException;
 import java.nio.file.Files;
@ -12,14 +19,9 @@ import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;

-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.DynamicTest;
-import org.junit.jupiter.api.TestFactory;
-
-import io.restassured.RestAssured;
-import io.restassured.http.ContentType;
-import lombok.SneakyThrows;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.DynamicTest.dynamicTest;

 public class CSRFTest extends IntegrationTest {

@ -217,9 +219,28 @@ public class CSRFTest extends IntegrationTest {
                .statusCode(200)
                .extract().path("lessonCompleted");

-    	//vaidate the result
-    	assertEquals(true, result);
+        assertThat(result).isTrue();

+        login();
+        startLesson("CSRF", false);
+
+        Overview[] assignments = RestAssured.given()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("/service/lessonoverview.mvc"))
+                .then()
+                .extract()
+                .jsonPath()
+                .getObject("$", Overview[].class);
+		assertThat(assignments)
+                .filteredOn(a -> a.getAssignment().getName().equals("CSRFLogin"))
+                .extracting(o -> o.solved)
+                .containsExactly(true);
+    }
+
+    @Data
+    private static class Overview {
+        Assignment assignment;
+        boolean solved;
    }

    /**
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
+++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
@ -42,8 +42,11 @@ import org.springframework.web.bind.annotation.RestController;
@AssignmentHints({"csrf-login-hint1", "csrf-login-hint2", "csrf-login-hint3"})
 public class CSRFLogin extends AssignmentEndpoint {

-    @Autowired
-    private UserTrackerRepository userTrackerRepository;
+    private final UserTrackerRepository userTrackerRepository;
+
+    public CSRFLogin(UserTrackerRepository userTrackerRepository) {
+        this.userTrackerRepository = userTrackerRepository;
+    }

    @PostMapping(path = "/csrf/login", produces = {"application/json"})
    @ResponseBody