Updated XXE lessons with challenge screens

2017-05-21 12:24:42 +02:00
parent cb9503d4a3
commit 877de6ebd4
12 changed files with 323 additions and 119 deletions
--- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
@ -33,7 +33,6 @@ package org.owasp.webgoat.controller;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
-import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Controller;
@ -77,8 +76,8 @@ public class StartLesson {
        // I will set here the thymeleaf fragment location based on the resource requested.
        ModelAndView model = new ModelAndView();
        SecurityContext context = SecurityContextHolder.getContext(); //TODO this should work with the security roles of Spring
-        GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
-        String path = request.getServletPath(); // we now got /a/b/c/AccessControlMatrix.lesson
+        //GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
+        String path = request.getRequestURL().toString(); // we now got /a/b/c/AccessControlMatrix.lesson
        String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
        List<AbstractLesson> lessons = course.getLessons();
        Optional<AbstractLesson> lesson = lessons.stream()
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
@ -1,6 +1,6 @@
 package org.owasp.webgoat.lessons;

-import lombok.Getter;
+import com.google.common.collect.Lists;
 import lombok.Setter;
 import org.owasp.webgoat.session.Screen;

@ -44,10 +44,16 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object

    private Integer ranking;

-    @Getter
    @Setter
    private List<Assignment> assignments;

+    public List<Assignment> getAssignments() {
+        if (assignments == null) {
+            return Lists.newArrayList();
+        }
+        return assignments;
+    }
+
    /**
     * Constructor for the Lesson object
     */
--- a/webgoat-container/src/main/resources/application.properties
+++ b/webgoat-container/src/main/resources/application.properties
@ -29,6 +29,7 @@ webgoat.database.driver=org.hsqldb.jdbcDriver
 webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
 webgoat.default.language=en

+
 spring.data.mongodb.database=webgoat
 spring.mongodb.embedded.storage.databaseDir=${webgoat.user.directory}/mongodb/

--- a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java
@ -0,0 +1,42 @@
+package org.owasp.webgoat.plugins;
+
+import org.junit.Before;
+import org.owasp.webgoat.i18n.Language;
+import org.owasp.webgoat.i18n.Messages;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.context.embedded.LocalServerPort;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.context.WebApplicationContext;
+
+import java.util.Locale;
+
+import static org.mockito.Mockito.when;
+
+/**
+ * @author nbaars
+ * @since 5/20/17.
+ */
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+public abstract class LessonTest {
+
+    @LocalServerPort
+    protected int localPort;
+    protected MockMvc mockMvc;
+    @Autowired
+    protected WebApplicationContext wac;
+    @Autowired
+    protected Messages messages;
+    @MockBean
+    protected WebSession webSession;
+    @MockBean
+    private Language language;
+
+    @Before
+    public void init() {
+        when(language.getLocale()).thenReturn(Locale.US);
+    }
+
+}
--- a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/TestConfig.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/plugins/TestConfig.java
@ -0,0 +1,23 @@
+package org.owasp.webgoat.plugins;
+
+import com.github.fakemongo.Fongo;
+import com.mongodb.MongoClient;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.mongodb.config.AbstractMongoConfiguration;
+
+/**
+ * Using Fongo for embedded in memory MongoDB testing
+ */
+@Configuration
+public class TestConfig extends AbstractMongoConfiguration {
+
+    @Override
+    protected String getDatabaseName() {
+        return "test";
+    }
+
+    @Override
+    public MongoClient mongo() throws Exception {
+        return new Fongo(getDatabaseName()).getMongo();
+    }
+}