Add extra informational message when a failure occurs while sending an email from WebGoat to WebWolf.

2018-04-28 16:01:57 +02:00
parent e4ca0c4836
commit 8b8a89a8ab
7 changed files with 121 additions and 13 deletions
--- a/webwolf/pom.xml
+++ b/webwolf/pom.xml
@ -85,6 +85,10 @@
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+        </dependency>
    </dependencies>

    <build>
--- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java
+++ b/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java
@ -1,5 +1,8 @@
 package org.owasp.webwolf.mailbox;

+import com.fasterxml.jackson.annotation.JsonIgnore;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
 import lombok.Data;
 import lombok.NoArgsConstructor;

@ -13,6 +16,8 @@ import java.time.format.DateTimeFormatter;
 * @since 8/20/17.
 */
@Data
+@Builder
+@AllArgsConstructor
@Entity
@NoArgsConstructor
 public class Email implements Serializable {
@ -20,7 +25,7 @@ public class Email implements Serializable {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
-    private LocalDateTime time;
+    private LocalDateTime time = LocalDateTime.now();
    @Column(length = 1024)
    private String contents;
    private String sender;
@ -28,7 +33,7 @@ public class Email implements Serializable {
    private String recipient;

    public String getSummary() {
-        return "-" + this.contents.substring(0, 50);
+        return "-" + this.contents.substring(0, Math.min(50, contents.length()));
    }

    public LocalDateTime getTimestamp() {
--- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java
+++ b/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java
@ -7,6 +7,7 @@ import org.owasp.webwolf.user.WebGoatUser;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@ -25,12 +26,11 @@ import java.util.concurrent.Callable;
@Slf4j
 public class MailboxController {

-    private final UserRepository userRepository;
    private final MailboxRepository mailboxRepository;

    @GetMapping(value = "/WebWolf/mail")
    public ModelAndView mail() {
-        WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+        User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        ModelAndView modelAndView = new ModelAndView();
        List<Email> emails = mailboxRepository.findByRecipientOrderByTimeDesc(user.getUsername());
        if (emails != null && !emails.isEmpty()) {
@ -44,13 +44,8 @@ public class MailboxController {
    @PostMapping(value = "/mail")
    public Callable<ResponseEntity<?>> sendEmail(@RequestBody Email email) {
        return () -> {
-            if (userRepository.findByUsername(email.getRecipient()) != null) {
-                mailboxRepository.save(email);
-                return ResponseEntity.status(HttpStatus.CREATED).build();
-            } else {
-                log.trace("Mail received for unknown user: {}", email.getRecipient());
-                return ResponseEntity.notFound().build();
-            }
+            mailboxRepository.save(email);
+            return ResponseEntity.status(HttpStatus.CREATED).build();
        };
    }

--- a/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java
+++ b/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java
@ -0,0 +1,98 @@
+package org.owasp.webwolf.mailbox;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.Lists;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mockito;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.http.MediaType;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
+
+import java.time.LocalDateTime;
+import java.time.format.DateTimeFormatter;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.not;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
+
+@RunWith(SpringRunner.class)
+@WebMvcTest(MailboxController.class)
+public class MailboxControllerTest {
+
+    @Autowired
+    private MockMvc mvc;
+    @MockBean
+    private MailboxRepository mailbox;
+    @Autowired
+    private ObjectMapper objectMapper;
+
+    @JsonIgnoreProperties("time")
+    public static class EmailMixIn {
+    }
+
+    @Before
+    public void setup() {
+        objectMapper.addMixIn(Email.class, EmailMixIn.class);
+    }
+
+    @Test
+    @WithMockUser
+    public void sendingMailShouldStoreIt() throws Exception {
+        Email email = Email.builder()
+                .contents("This is a test mail")
+                .recipient("test1234@webgoat.org")
+                .sender("hacker@webgoat.org")
+                .title("Click this mail")
+                .time(LocalDateTime.now())
+                .build();
+        this.mvc.perform(post("/mail").contentType(MediaType.APPLICATION_JSON).content(objectMapper.writeValueAsBytes(email)))
+                .andExpect(status().isOk());
+    }
+
+    @Test
+    @WithMockUser(username = "test1234")
+    public void userShouldBeAbleToReadOwnEmail() throws Exception {
+        Email email = Email.builder()
+                .contents("This is a test mail")
+                .recipient("test1234@webgoat.org")
+                .sender("hacker@webgoat.org")
+                .title("Click this mail")
+                .time(LocalDateTime.now())
+                .build();
+        Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234")).thenReturn(Lists.newArrayList(email));
+
+        this.mvc.perform(get("/WebWolf/mail"))
+                .andExpect(status().isOk())
+                .andExpect(view().name("mailbox"))
+                .andExpect(content().string(containsString("Click this mail")))
+                .andExpect(content().string(containsString(DateTimeFormatter.ofPattern("h:mm a").format(email.getTimestamp()))));
+    }
+
+    @Test
+    @WithMockUser(username = "test1233")
+    public void differentUserShouldNotBeAbleToReadOwnEmail() throws Exception {
+        Email email = Email.builder()
+                .contents("This is a test mail")
+                .recipient("test1234@webgoat.org")
+                .sender("hacker@webgoat.org")
+                .title("Click this mail")
+                .time(LocalDateTime.now())
+                .build();
+        Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234")).thenReturn(Lists.newArrayList(email));
+
+        this.mvc.perform(get("/WebWolf/mail"))
+                .andExpect(status().isOk())
+                .andExpect(view().name("mailbox"))
+                .andExpect(content().string(not(containsString("Click this mail"))));
+    }
+
+}