feat: Introduce Playwright for UI testing

Instead of using Robot Framework which does not run during a `mvn install`. Playwright seems to be the better approach. We can now write them as normal JUnit test and they are executed during a build. Additionally this PR solves some interesting bugs found during writing Playwright tests: - A reset of a lesson removes all assignments as a result another user wouldn't see any assignments - If someone solves an assignment the assignment automatically got solved for a new user since the assignment included the `solved` flag which immediately got copied to new lesson progress. - Introduction of assignment progress linking a assignment not directly to all users.
2025-01-26 16:59:59 +01:00
parent 9d5ab5fb21
commit 8e45316638
47 changed files with 599 additions and 281 deletions
--- a/src/it/java/org/owasp/webgoat/integration/AccessControlIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/integration/AccessControlIntegrationTest.java
@ -0,0 +1,85 @@
+package org.owasp.webgoat.integration;
+
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import java.util.Map;
+import org.apache.http.HttpStatus;
+import org.junit.jupiter.api.Test;
+
+class AccessControlIntegrationTest extends IntegrationTest {
+
+  @Test
+  void testLesson() {
+    startLesson("MissingFunctionAC", true);
+    assignment1();
+    assignment2();
+    assignment3();
+
+    checkResults("MissingFunctionAC");
+  }
+
+  private void assignment3() {
+    // direct call should fail if user has not been created
+    RestAssured.given()
+        .when()
+        .relaxedHTTPSValidation()
+        .cookie("JSESSIONID", getWebGoatCookie())
+        .contentType(ContentType.JSON)
+        .get(url("access-control/users-admin-fix"))
+        .then()
+        .statusCode(HttpStatus.SC_FORBIDDEN);
+
+    // create user
+    var userTemplate =
+        """
+                {"username":"%s","password":"%s","admin": "true"}
+                """;
+    RestAssured.given()
+        .when()
+        .relaxedHTTPSValidation()
+        .cookie("JSESSIONID", getWebGoatCookie())
+        .contentType(ContentType.JSON)
+        .body(String.format(userTemplate, this.getUser(), this.getUser()))
+        .post(url("access-control/users"))
+        .then()
+        .statusCode(HttpStatus.SC_OK);
+
+    // get the users
+    var userHash =
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .contentType(ContentType.JSON)
+            .get(url("access-control/users-admin-fix"))
+            .then()
+            .statusCode(200)
+            .extract()
+            .jsonPath()
+            .get("find { it.username == \"Jerry\" }.userHash");
+
+    checkAssignment(url("access-control/user-hash-fix"), Map.of("userHash", userHash), true);
+  }
+
+  private void assignment2() {
+    var userHash =
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .contentType(ContentType.JSON)
+            .get(url("access-control/users"))
+            .then()
+            .statusCode(200)
+            .extract()
+            .jsonPath()
+            .get("find { it.username == \"Jerry\" }.userHash");
+
+    checkAssignment(url("access-control/user-hash"), Map.of("userHash", userHash), true);
+  }
+
+  private void assignment1() {
+    var params = Map.of("hiddenMenu1", "Users", "hiddenMenu2", "Config");
+    checkAssignment(url("access-control/hidden-menu"), params, true);
+  }
+}