diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java
index e3c03ad17..f35c4131d 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java
@@ -47,6 +47,7 @@ public class ReportCardServiceTest {
@Before
public void setup() {
this.mockMvc = standaloneSetup(new ReportCardService(websession, userTrackerRepository, course, pluginMessages)).build();
+ when(pluginMessages.getMessage(anyString())).thenReturn("Test");
}
@Test
diff --git a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java
index 54e17a9c2..c10321e74 100644
--- a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java
+++ b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java
@@ -8,6 +8,7 @@ import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import java.time.LocalDateTime;
@@ -39,7 +40,11 @@ public class MailAssignment extends AssignmentEndpoint {
.contents("This is a test message from WebWolf, your unique code is: " + StringUtils.reverse(username))
.sender("webgoat@owasp.org")
.build();
- restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
+ try {
+ restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
+ } catch (RestClientException e ) {
+ return informationMessage().feedback("webwolf.email_failed").output(e.getMessage()).build();
+ }
return informationMessage().feedback("webwolf.email_send").feedbackArgs(email).build();
} else {
return informationMessage().feedback("webwolf.email_mismatch").feedbackArgs(username).build();
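Review bot: The catch clause inside the new `try` block copies `e.getMessage()` straight into the user-visible output; for a `RestClientException` that message usually carries the target URL and connection details of the WebWolf host, which is more than the `webwolf.email_failed` feedback needs to convey. Keep the detail server-side and the output generic: `log.warn("Sending mail to WebWolf failed", e);` followed by `return informationMessage().feedback("webwolf.email_failed").build();` (assuming a logger is available in this class; none is visible in the hunk). The `e )` spacing in the catch clause should also be `e)`. The enclosing method starts and ends outside this hunk.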
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties
index 20947800b..0981f2a08 100644
--- a/webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties
@@ -2,7 +2,7 @@ webwolf.title=WebWolf
webwolf.email_send=An email has been send to {0} please check your inbox.
webwolf.code_incorrect=That is not the correct code: {0}, please try again.
-
+webwolf.email_failed=There was an error while sending the e-mail. Is WebWolf running?
webwolf.email_mismatch=Of course you can send mail to user {0} however you will not be able to read this e-mail in WebWolf, please use your own username.
diff --git a/webwolf/pom.xml b/webwolf/pom.xml
index 37126b0ba..2b606b952 100644
--- a/webwolf/pom.xml
+++ b/webwolf/pom.xml
@@ -85,6 +85,10 @@
spring-boot-starter-test
test
+
+ org.springframework.security
+ spring-security-test
+
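Review bot: The new `spring-security-test` dependency appears to lack the test scope that the neighbouring `spring-boot-starter-test` entry carries (its `test` line at the top of the hunk has no counterpart among the added lines); the element tags have been stripped from this rendering, so confirm against the file. Without `<scope>test</scope>` the artifact ends up on webwolf's runtime classpath. Add `<scope>test</scope>` inside the new dependency element.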
diff --git a/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java b/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java
index d721bc5d5..c97e0ba4e 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java
+++ b/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java
@@ -1,5 +1,8 @@
package org.owasp.webwolf.mailbox;
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
import lombok.Data;
import lombok.NoArgsConstructor;
@@ -13,6 +16,8 @@ import java.time.format.DateTimeFormatter;
* @since 8/20/17.
*/
@Data
+@Builder
+@AllArgsConstructor
@Entity
@NoArgsConstructor
public class Email implements Serializable {
@@ -20,7 +25,7 @@ public class Email implements Serializable {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
- private LocalDateTime time;
+ private LocalDateTime time = LocalDateTime.now();
@Column(length = 1024)
private String contents;
private String sender;
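Review bot: The initializer `time = LocalDateTime.now()` is not applied when an `Email` is created through the `@Builder` added in this same file, because Lombok-generated builders ignore field initializers unless the field is marked `@Builder.Default`; a builder call that omits `.time(...)` yields an entity with a null timestamp. Mark the field `@Builder.Default private LocalDateTime time = LocalDateTime.now();`. Instances created through the `@NoArgsConstructor` path (for example JSON deserialization) do receive the initializer, so behaviour currently differs by construction path. The class body continues outside the hunk.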
@@ -28,7 +33,7 @@ public class Email implements Serializable {
private String recipient;
public String getSummary() {
- return "-" + this.contents.substring(0, 50);
+ return "-" + this.contents.substring(0, Math.min(50, contents.length()));
}
public LocalDateTime getTimestamp() {
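Review bot: `getSummary()` now bounds the substring length but still dereferences `this.contents` unconditionally, so an `Email` whose contents were never set throws a NullPointerException from whatever view calls it; nothing in the hunk constrains the column to be non-null. Guard it with `if (contents == null) return "-";` ahead of the return. The rest of the class is outside the hunk.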
diff --git a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java b/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java
index 52ec55959..b4f149db2 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java
+++ b/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java
@@ -7,6 +7,7 @@ import org.owasp.webwolf.user.WebGoatUser;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
@@ -25,12 +26,11 @@ import java.util.concurrent.Callable;
@Slf4j
public class MailboxController {
- private final UserRepository userRepository;
private final MailboxRepository mailboxRepository;
@GetMapping(value = "/WebWolf/mail")
public ModelAndView mail() {
- WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+ User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
ModelAndView modelAndView = new ModelAndView();
List emails = mailboxRepository.findByRecipientOrderByTimeDesc(user.getUsername());
if (emails != null && !emails.isEmpty()) {
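Review bot: The cast `(User) ...getPrincipal()` on the first line of `mail()` swaps one concrete-class assumption for another; it throws ClassCastException whenever the principal is not Spring's `User` (an anonymous session carries a `String` principal, and any other `UserDetails` implementation fails the same way). Only the name is used, so read it from the authentication instead: `String username = SecurityContextHolder.getContext().getAuthentication().getName();` and pass `username` to `findByRecipientOrderByTimeDesc`. `List emails` is also a raw type that could be `List<Email>`. The method continues past the hunk.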
@@ -44,13 +44,8 @@ public class MailboxController {
@PostMapping(value = "/mail")
public Callable> sendEmail(@RequestBody Email email) {
return () -> {
- if (userRepository.findByUsername(email.getRecipient()) != null) {
- mailboxRepository.save(email);
- return ResponseEntity.status(HttpStatus.CREATED).build();
- } else {
- log.trace("Mail received for unknown user: {}", email.getRecipient());
- return ResponseEntity.notFound().build();
- }
+ mailboxRepository.save(email);
+ return ResponseEntity.status(HttpStatus.CREATED).build();
};
}
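Review bot: With the recipient lookup removed, `sendEmail` now persists whatever `Email` the request body carries, for any recipient string, and because the JSON is bound directly onto the JPA entity a client-supplied `id` reaches `mailboxRepository.save`, which for an existing id behaves as an update of that stored row rather than an insert. Either clear the identifier before saving, `email.setId(null);` ahead of `mailboxRepository.save(email);`, or bind to a DTO without an id field; the `JsonIgnore` import added to Email.java in this commit may be intended for this, but no annotated field is visible in the hunks. Whether the endpoint is reachable without authentication depends on the security configuration, which is not part of this diff.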
diff --git a/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java b/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java
new file mode 100644
index 000000000..3c554a68d
--- /dev/null
+++ b/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java
@@ -0,0 +1,98 @@
+package org.owasp.webwolf.mailbox;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.Lists;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mockito;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.http.MediaType;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
+
+import java.time.LocalDateTime;
+import java.time.format.DateTimeFormatter;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.not;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
+
+@RunWith(SpringRunner.class)
+@WebMvcTest(MailboxController.class)
+public class MailboxControllerTest {
+
+ @Autowired
+ private MockMvc mvc;
+ @MockBean
+ private MailboxRepository mailbox;
+ @Autowired
+ private ObjectMapper objectMapper;
+
+ @JsonIgnoreProperties("time")
+ public static class EmailMixIn {
+ }
+
+ @Before
+ public void setup() {
+ objectMapper.addMixIn(Email.class, EmailMixIn.class);
+ }
+
+ @Test
+ @WithMockUser
+ public void sendingMailShouldStoreIt() throws Exception {
+ Email email = Email.builder()
+ .contents("This is a test mail")
+ .recipient("test1234@webgoat.org")
+ .sender("hacker@webgoat.org")
+ .title("Click this mail")
+ .time(LocalDateTime.now())
+ .build();
+ this.mvc.perform(post("/mail").contentType(MediaType.APPLICATION_JSON).content(objectMapper.writeValueAsBytes(email)))
+ .andExpect(status().isOk());
+ }
+
+ @Test
+ @WithMockUser(username = "test1234")
+ public void userShouldBeAbleToReadOwnEmail() throws Exception {
+ Email email = Email.builder()
+ .contents("This is a test mail")
+ .recipient("test1234@webgoat.org")
+ .sender("hacker@webgoat.org")
+ .title("Click this mail")
+ .time(LocalDateTime.now())
+ .build();
+ Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234")).thenReturn(Lists.newArrayList(email));
+
+ this.mvc.perform(get("/WebWolf/mail"))
+ .andExpect(status().isOk())
+ .andExpect(view().name("mailbox"))
+ .andExpect(content().string(containsString("Click this mail")))
+ .andExpect(content().string(containsString(DateTimeFormatter.ofPattern("h:mm a").format(email.getTimestamp()))));
+ }
+
+ @Test
+ @WithMockUser(username = "test1233")
+ public void differentUserShouldNotBeAbleToReadOwnEmail() throws Exception {
+ Email email = Email.builder()
+ .contents("This is a test mail")
+ .recipient("test1234@webgoat.org")
+ .sender("hacker@webgoat.org")
+ .title("Click this mail")
+ .time(LocalDateTime.now())
+ .build();
+ Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234")).thenReturn(Lists.newArrayList(email));
+
+ this.mvc.perform(get("/WebWolf/mail"))
+ .andExpect(status().isOk())
+ .andExpect(view().name("mailbox"))
+ .andExpect(content().string(not(containsString("Click this mail"))));
+ }
+
+}
\ No newline at end of file
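Review bot: `sendingMailShouldStoreIt` asserts `status().isOk()` although `sendEmail` returns `HttpStatus.CREATED`; the assertion passes only because the controller returns a `Callable` and `perform` observes the response before the async result is dispatched, so the test exercises neither the save nor the status code. Dispatch the async result and verify the repository interaction, which needs `MvcResult` and `asyncDispatch` imported (the `request()` matcher is already covered by the wildcard static import). Since the test also sets `.time(...)` on the builder, the default-timestamp path added to `Email` in this commit remains untested.
```java
MvcResult result = this.mvc.perform(post("/mail").contentType(MediaType.APPLICATION_JSON).content(objectMapper.writeValueAsBytes(email)))
        .andExpect(request().asyncStarted())
        .andReturn();
this.mvc.perform(asyncDispatch(result)).andExpect(status().isCreated());
Mockito.verify(mailbox).save(Mockito.any(Email.class));
```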