#846: add extra test to verify whether the solution is solved for the original user as well

2020-10-23 14:06:14 +02:00 · 2020-10-23 14:06:14 +02:00 · 753a2db958
commit 753a2db958
parent 37e9359c9e
2 changed files with 201 additions and 177 deletions
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java
@ -1,8 +1,15 @@
 package org.owasp.webgoat;


-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.DynamicTest.dynamicTest;
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import lombok.Data;
+import lombok.SneakyThrows;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DynamicTest;
+import org.junit.jupiter.api.TestFactory;
+import org.owasp.webgoat.lessons.Assignment;

 import java.io.IOException;
 import java.nio.file.Files;
@ -12,14 +19,9 @@ import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;

-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.DynamicTest;
-import org.junit.jupiter.api.TestFactory;
-
-import io.restassured.RestAssured;
-import io.restassured.http.ContentType;
-import lombok.SneakyThrows;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.DynamicTest.dynamicTest;

 public class CSRFTest extends IntegrationTest {

@ -65,10 +67,10 @@ public class CSRFTest extends IntegrationTest {
    @TestFactory
    Iterable<DynamicTest> testCSRFLesson() {
        return Arrays.asList(
-    			dynamicTest("assignement 3",()-> checkAssignment3(callTrickHtml("csrf3.html"))),
-    			dynamicTest("assignement 4",()-> checkAssignment4(callTrickHtml("csrf4.html"))),
-    			dynamicTest("assignement 7",()-> checkAssignment7(callTrickHtml("csrf7.html"))),
-    			dynamicTest("assignement 8",()-> checkAssignment8(callTrickHtml("csrf8.html")))
+                dynamicTest("assignement 3", () -> checkAssignment3(callTrickHtml("csrf3.html"))),
+                dynamicTest("assignement 4", () -> checkAssignment4(callTrickHtml("csrf4.html"))),
+                dynamicTest("assignement 7", () -> checkAssignment7(callTrickHtml("csrf7.html"))),
+                dynamicTest("assignement 8", () -> checkAssignment8(callTrickHtml("csrf8.html")))
        );
    }

@ -84,8 +86,8 @@ public class CSRFTest extends IntegrationTest {

        //remove any left over html
        Path webWolfFilePath = Paths.get(webwolfFileDir);
-        if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(),htmlName)).toFile().exists()) {
-        	Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(),htmlName)));
+        if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(), htmlName)).toFile().exists()) {
+            Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(), htmlName)));
        }

        //upload trick html
@ -105,10 +107,10 @@ public class CSRFTest extends IntegrationTest {
                .relaxedHTTPSValidation()
                .cookie("JSESSIONID", getWebGoatCookie())
                .cookie("WEBWOLFSESSION", getWebWolfCookie())
-    	        .get(webWolfUrl("/files/"+getWebgoatUser()+"/"+htmlName))
+                .get(webWolfUrl("/files/" + getWebgoatUser() + "/" + htmlName))
                .then()
                .extract().response().getBody().asString();
-    	result = result.substring(8+result.indexOf("action=\""));
+        result = result.substring(8 + result.indexOf("action=\""));
        result = result.substring(0, result.indexOf("\""));

        return result;
@ -164,11 +166,11 @@ public class CSRFTest extends IntegrationTest {
                .cookie("JSESSIONID", getWebGoatCookie())
                .header("Referer", webWolfUrl("/files/fake.html"))
                .contentType(ContentType.TEXT)
-            	.body("{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!"+ "=\"}")
+                .body("{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!" + "=\"}")
                .post(goatURL)
                .then()
                .extract().asString();
-    	flag = flag.substring(9+flag.indexOf("flag is:"));
+        flag = flag.substring(9 + flag.indexOf("flag is:"));
        flag = flag.substring(0, flag.indexOf("\""));

        params.clear();
@ -184,8 +186,8 @@ public class CSRFTest extends IntegrationTest {

        Map<String, Object> params = new HashMap<>();
        params.clear();
-        params.put("username", "csrf-"+getWebgoatUser());
-        params.put("password","password");
+        params.put("username", "csrf-" + getWebgoatUser());
+        params.put("password", "password");

        //login and get the new cookie
        String newCookie = RestAssured.given()
@ -217,9 +219,28 @@ public class CSRFTest extends IntegrationTest {
                .statusCode(200)
                .extract().path("lessonCompleted");

-    	//vaidate the result
-    	assertEquals(true, result);
+        assertThat(result).isTrue();

+        login();
+        startLesson("CSRF", false);
+
+        Overview[] assignments = RestAssured.given()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("/service/lessonoverview.mvc"))
+                .then()
+                .extract()
+                .jsonPath()
+                .getObject("$", Overview[].class);
+		assertThat(assignments)
+                .filteredOn(a -> a.getAssignment().getName().equals("CSRFLogin"))
+                .extracting(o -> o.solved)
+                .containsExactly(true);
+    }
+
+    @Data
+    private static class Overview {
+        Assignment assignment;
+        boolean solved;
    }

    /**
@ -230,7 +251,7 @@ public class CSRFTest extends IntegrationTest {
        RestAssured.given()
                .when()
                .relaxedHTTPSValidation()
-                    .formParam("username", "csrf-"+getWebgoatUser())
+                .formParam("username", "csrf-" + getWebgoatUser())
                .formParam("password", "password")
                .formParam("matchingPassword", "password")
                .formParam("agree", "agree")
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
+++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
@ -42,8 +42,11 @@ import org.springframework.web.bind.annotation.RestController;
@AssignmentHints({"csrf-login-hint1", "csrf-login-hint2", "csrf-login-hint3"})
 public class CSRFLogin extends AssignmentEndpoint {

-    @Autowired
-    private UserTrackerRepository userTrackerRepository;
+    private final UserTrackerRepository userTrackerRepository;
+
+    public CSRFLogin(UserTrackerRepository userTrackerRepository) {
+        this.userTrackerRepository = userTrackerRepository;
+    }

    @PostMapping(path = "/csrf/login", produces = {"application/json"})
    @ResponseBody