From 8df1d5347197ba8e5bde5db2639d948cd6defb02 Mon Sep 17 00:00:00 2001
From: Jason White <jason.white@owasp.org>
Date: Tue, 8 Aug 2017 09:28:09 -0600
Subject: [PATCH] interim missing function ac commit, traversing dev. env.

---
 .../org/owasp/webgoat/MvcConfiguration.java   |   1 +
 .../owasp/webgoat/controller/ListUsers.java   |  43 +++++
 .../owasp/webgoat/users/UserRepository.java   |   5 +
 .../org/owasp/webgoat/users/UserService.java  |  12 ++
 .../org/owasp/webgoat/users/WebGoatUser.java  |   6 +
 .../main/resources/templates/list_users.html  | 181 ++++++++++++++++++
 .../main/resources/templates/main_new.html    |   4 +-
 .../webgoat/plugin/MissingACListUsers.java    |  54 ------
 8 files changed, 250 insertions(+), 56 deletions(-)
 create mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/controller/ListUsers.java
 create mode 100644 webgoat-container/src/main/resources/templates/list_users.html
 delete mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingACListUsers.java

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
index 349904de9..bf67aff33 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
@@ -72,6 +72,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
         registry.addViewController("/lesson_content").setViewName("lesson_content");
         registry.addViewController("/start.mvc").setViewName("main_new");
         registry.addViewController("/scoreboard").setViewName("scoreboard");
+        //registry.addViewController("/list_users").setViewName("list_users");
     }
 
 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/ListUsers.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/ListUsers.java
new file mode 100644
index 000000000..226bc5ec4
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/ListUsers.java
@@ -0,0 +1,43 @@
+package org.owasp.webgoat.controller;
+
+import com.sun.corba.se.spi.activation.EndPointInfo;
+import org.owasp.webgoat.assignments.*;
+import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.users.UserService;
+import org.owasp.webgoat.users.WebGoatUser;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.*;
+import org.springframework.web.servlet.ModelAndView;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.List;
+
+/**
+ * Created by jason on 1/5/17.
+ */
+
+@Controller
+public class ListUsers {
+
+    @Autowired
+    private UserService userService;
+
+    @RequestMapping(path = {"list_users", "/"}, method = {RequestMethod.GET,RequestMethod.POST})
+    public ModelAndView listUsers(HttpServletRequest request) {
+
+        ModelAndView model = new ModelAndView();
+        model.setViewName("list_users");
+        List<WebGoatUser> allUsers = userService.getAllUsers();
+        model.addObject("numUsers",allUsers.size());
+        model.addObject("allUsers",allUsers);
+
+        return model;
+    }
+
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java
index ae2f1063e..b836d5bfa 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java
@@ -2,6 +2,8 @@ package org.owasp.webgoat.users;
 
 import org.springframework.data.mongodb.repository.MongoRepository;
 
+import java.util.List;
+
 /**
  * @author nbaars
  * @since 3/19/17.
@@ -9,4 +11,7 @@ import org.springframework.data.mongodb.repository.MongoRepository;
 public interface UserRepository extends MongoRepository<WebGoatUser, String> {
 
     WebGoatUser findByUsername(String username);
+
+    List<WebGoatUser> findAll();
+
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java
index 7a1175c45..932dc6e98 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java
@@ -5,6 +5,8 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
 
+import java.util.List;
+
 /**
  * @author nbaars
  * @since 3/19/17.
@@ -31,4 +33,14 @@ public class UserService implements UserDetailsService {
         userRepository.save(new WebGoatUser(username, password));
         userTrackerRepository.save(new UserTracker(username));
     }
+
+    public void addUser(String username, String password, String role) {
+        userRepository.save(new WebGoatUser(username,password,role));
+        userTrackerRepository.save(new UserTracker(username));
+    }
+
+    public List<WebGoatUser> getAllUsers () {
+        return userRepository.findAll();
+    }
+
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java
index 8b3c7c88c..e96f524e8 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java
@@ -37,6 +37,12 @@ public class WebGoatUser implements UserDetails {
         createUser();
     }
 
+    public WebGoatUser(String username, String password, String role) {
+        this.username = username;
+        this.password = password;
+        this.role = role;
+    }
+
     public void createUser() {
         this.user = new User(username, password, getAuthorities());
     }
diff --git a/webgoat-container/src/main/resources/templates/list_users.html b/webgoat-container/src/main/resources/templates/list_users.html
new file mode 100644
index 000000000..be67a9de4
--- /dev/null
+++ b/webgoat-container/src/main/resources/templates/list_users.html
@@ -0,0 +1,181 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
+      xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
+<head>
+    <meta http-equiv="Expires" CONTENT="-1"/>
+    <meta http-equiv="Pragma" CONTENT="no-cache"/>
+    <meta http-equiv="Cache-Control" CONTENT="no-cache"/>
+    <meta http-equiv="Cache-Control" CONTENT="no-store"/>
+
+    <!--[if lt IE 7]>
+    <id class="no-js lt-ie9 lt-ie8 lt-ie7"/> <![endif]-->
+    <!--[if IE 7]>
+    <id class="no-js lt-ie9 lt-ie8"/> <![endif]-->
+    <!--[if IE 8]>
+    <id class="no-js lt-ie9"/> <![endif]-->
+    <!--[if gt IE 8]><!-->
+
+    <!--  CSS -->
+    <link rel="shortcut icon" th:href="@{/images/favicon.ico}" type="image/x-icon"/>
+
+    <link rel="stylesheet" type="text/css" th:href="@{/css/main.css}"/>
+    <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
+    <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
+    <link rel="stylesheet" type="text/css" th:href="@{/css/animate.css}"/>
+    <link rel="stylesheet" type="text/css" th:href="@{/css/coderay.css}"/>
+    <link rel="stylesheet" type="text/css" th:href="@{/css/lessons.css}"/>
+    <!--  end of CSS -->
+
+    <!-- JS -->
+
+    <script src="js/modernizr-2.6.2.min.js"/>
+    <!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
+    <!--[if lt IE 9]>
+    <script src="js/html5shiv.js"/>
+    <script src="js/respond.min.js"/>
+    <![endif]-->
+
+    <!-- Require.js used to load js asynchronously -->
+    <script src="js/libs/require.min.js" data-main="js/main.js"/>
+    <meta http-equiv="Content-Type" content="text/id; charset=ISO-8859-1"/>
+    <title>WebGoat</title>
+</head>
+<body>
+
+<section id="container">
+    <header id="header">
+        <!--logo start-->
+        <div class="brand">
+            <a th:href="@{/welcome.mvc}" class="logo"><span>Web</span>Goat</a>
+        </div>
+        <!--logo end-->
+        <div class="toggle-navigation toggle-left">
+            <button type="button" class="btn btn-default" id="toggle-menu" data-toggle="tooltip" data-placement="right"
+                    title="Toggle Navigation">
+                <i class="fa fa-bars"></i>
+            </button>
+        </div><!--toggle navigation end-->
+        <div id="lesson-title-wrapper">
+
+        </div><!--lesson title end-->
+        <div class="user-nav pull-right" id="user-and-info-nav" style="margin-right: 75px;">
+            <div class="dropdown" style="display:inline">
+                <button type="button" data-toggle="dropdown" class="btn btn-default dropdown-toggle" id="user-menu">
+                    <i class="fa fa-user"></i> <span class="caret"></span>
+                </button>
+                <ul class="dropdown-menu dropdown-menu-left">
+                    <li role="presentation"><a role="menuitem" tabindex="-1" th:href="@{/logout}"
+                                               th:text="#{logout}">Logout</a></li>
+                    <li role="presentation" class="divider"></li>
+                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">User: <span
+                            th:text="${#authentication.name}"></span></a>
+                    </li>
+                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Role:
+                        <span sec:authorize="hasAuthority('WEBGOAT_USER')">User</span>
+                        <span sec:authorize="hasAuthority('WEBGOAT_ADMIN')">Admin</span>
+                    </a>
+                    </li>
+                    <li role="presentation" class="divider"></li>
+                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#"
+                                                                th:text="#{version}">Version: <span
+                            th:text="${@environment.getProperty('webgoat.build.version')}"></span></a>
+                    </li>
+                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#"
+                                                                th:text="#{build}">Build:
+                        <span th:text="${@environment.getProperty('webgoat.build.number')}"></span></a></li>
+
+                </ul>
+            </div>
+            <div style="display:inline" id="settings">
+                <!--<button type="button" id="admin-button" class="btn btn-default right_nav_button" title="Administrator">-->
+                <!--<i class="fa fa-cog"></i>-->
+                <!--</button>-->
+                <button type="button" id="report-card-button" class="btn btn-default right_nav_button button-up"
+                        th:title="#{report.card}">
+                    <a href="#reportCard"><i class="fa fa-bar-chart-o"></i></a>
+                </button>
+                <!--<button type="button" id="user-management" class="btn btn-default right_nav_button"-->
+                <!--title="User management">-->
+                <!--<i class="fa fa-users"></i>-->
+                <!--</button>-->
+            </div>
+            <button type="button" id="about-button" class="btn btn-default right_nav_button" th:title="#{about}"
+                    data-toggle="modal" data-target="#about-modal">
+                <i class="fa fa-info"></i>
+            </button>
+            <a href="mailto:${contactEmail}?Subject=Webgoat%20feedback" target="_top">
+                <button type="button" class="btn btn-default right_nav_button" data-toggle="tooltip"
+                        th:title="#{contact}">
+                    <i class="fa fa-envelope"></i>
+                </button>
+            </a>
+
+
+        </div>
+    </header>
+
+    <aside class="sidebar">
+        <div id="menu-container"></div>
+    </aside>
+    <!--sidebar left end-->
+
+    <!--main content start-->
+    <section class="main-content-wrapper">
+        <section id="main-content"> <!--ng-controller="goatLesson"-->
+            <div id="lesson-page" class="pages">
+                TEST ... <span th:text="${numUsers}"> Users in WebGoat</span>
+                <div sec:authorize="hasAuthority('WEBGOAT_ADMIN')">Admin sees this ...
+                </div>
+
+                <div id="lesson-helps-wrapper" class="panel">
+                    <div class="lesson-help" id="lesson-plan-row">
+                        <div class="col-md-12">
+                            <h4>Lesson Plan</h4>
+
+                            <div class="panel">
+                                <div class="panel-body" id="lesson-plan-content">
+                                    <!-- allowing jQuery to handle this one -->
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+                    <div class="lesson-help" id="lesson-solution-row">
+                        <div class="col-md-12">
+                            <h4>Lesson Solution</h4>
+
+                            <div class="panel">
+                                <div class="panel-body" id="lesson-solution-content">
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+                    <div class="lesson-help" id="lesson-source-row">
+                        <div class="col-md-12">
+                            <h4>Lesson Source Code</h4>
+
+                            <div class="panel">
+                                <div class="panel-body" id="lesson-source-content">
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+            <div id="report-card-page" class="pages" style="display: none;">
+            </div>
+        </section>
+    </section>
+
+</section>
+
+
+<!-- About WebGoat Modal -->
+<div class="modal" id="about-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
+    <div class="modal-dialog modal-lg">
+        <div class="modal-content" th:replace="about :: about"></div>
+    </div>
+</div>
+</body>
+
+
+</html>
diff --git a/webgoat-container/src/main/resources/templates/main_new.html b/webgoat-container/src/main/resources/templates/main_new.html
index f00916bda..07f8143c8 100644
--- a/webgoat-container/src/main/resources/templates/main_new.html
+++ b/webgoat-container/src/main/resources/templates/main_new.html
@@ -71,8 +71,8 @@
                             th:text="${#authentication.name}"></span></a>
                     </li>
                     <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Role:
-                        <span sec:authorize="hasRole('WEBGOAT_USER')">User</span>
-                        <span sec:authorize="hasRole('WEBGOAT_ADMIN')">Admin</span>
+                        <span sec:authorize="hasAuthority('WEBGOAT_USER')">User</span>
+                        <span sec:authorize="hasAuthority('WEBGOAT_ADMIN')">Admin</span>
                     </a>
                     </li>
                     <li role="presentation" class="divider"></li>
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingACListUsers.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingACListUsers.java
deleted file mode 100644
index 72ef1c445..000000000
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingACListUsers.java
+++ /dev/null
@@ -1,54 +0,0 @@
-package org.owasp.webgoat.plugin;
-
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.util.HashMap;
-
-/**
- * Created by jason on 1/5/17.
- */
-
-@AssignmentPath("/access-control/list-users")
-@AssignmentHints({"access-control.hidden-menus.hint1","access-control.hidden-menus.hint2","access-control.hidden-menus.hint3"})
-public class MissingACListUsers extends AssignmentEndpoint {
-    //UserSessionData is bound to session and can be used to persist data across multiple assignments
-    @Autowired
-    UserSessionData userSessionData;
-
-    @PostMapping(produces = {"application/json"})
-    public @ResponseBody
-    AttackResult completed(String hiddenMenu1, String hiddenMenu2, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-
-        //overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
-        if (hiddenMenu1.equals("List Users") && hiddenMenu2.equals("Add User")) {
-            return trackProgress(success()
-                    .output("")
-                    .feedback("access-control.hidden-menus.success")
-                    .build());
-        }
-
-        if (hiddenMenu1.equals("Add User") && hiddenMenu2.equals("List Users")) {
-            return trackProgress(success()
-                    .output("")
-                    .feedback("access-control.hidden-menus.close")
-                    .build());
-        }
-
-        return trackProgress(failed()
-                .feedback("access-control.hidden-menus.failure")
-                .output("")
-                .build());
-    }
-
-}