From 945976868b669fe7c29a1969da0240af691cfbe1 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 2 May 2017 23:28:48 +0200
Subject: [PATCH] Added testcases

---
 webgoat-lessons/challenge/pom.xml             | 18 +++++
 .../plugin/challenge1/Assignment1.java        |  2 +-
 .../src/main/resources/html/Challenge2.html   |  4 +-
 .../plugin/challenge1/Assignment1Test.java    | 72 +++++++++++++++++++
 .../plugin/challenge2/Assignment2Test.java    | 49 +++++++++++++
 .../plugin/challenge2/ShopEndpointTest.java   | 63 ++++++++++++++++
 .../HttpBasicsInterceptRequestTest.java       |  2 +-
 7 files changed, 206 insertions(+), 4 deletions(-)
 create mode 100644 webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge1/Assignment1Test.java
 create mode 100644 webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge2/Assignment2Test.java
 create mode 100644 webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge2/ShopEndpointTest.java

diff --git a/webgoat-lessons/challenge/pom.xml b/webgoat-lessons/challenge/pom.xml
index 05ff6d9ac..04adf95cb 100644
--- a/webgoat-lessons/challenge/pom.xml
+++ b/webgoat-lessons/challenge/pom.xml
@@ -16,5 +16,23 @@
             <artifactId>jjwt</artifactId>
             <version>0.7.0</version>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <version>4.1.3.RELEASE</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>${junit.version}</version>
+            <type>jar</type>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java
index a4dfae2d4..ac7dd76fc 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java
@@ -68,7 +68,7 @@ public class Assignment1 extends AssignmentEndpoint {
         return getClientIP(request).contains(ip.getHostAddress());
     }
 
-    private String getClientIP(HttpServletRequest request) {
+    public static String getClientIP(HttpServletRequest request) {
         String xfHeader = request.getHeader("X-Forwarded-For");
         if (xfHeader == null) {
             return request.getRemoteAddr();
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge2.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge2.html
index 3e261419b..777761ed1 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge2.html
+++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge2.html
@@ -10,7 +10,7 @@
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 
-        <div class="container">
+        <div class="container-fluid">
             <form class="attack-form" accept-charset="UNKNOWN"
                   method="POST" name="form"
                   action="/WebGoat/challenge/2"
@@ -88,7 +88,7 @@
             </form>
         </div>
         <br/>
-        <form class="attack-form form-inline" method="POST" name="form" action="/WebGoat/challenge/flag">
+        <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
diff --git a/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge1/Assignment1Test.java b/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge1/Assignment1Test.java
new file mode 100644
index 000000000..5e123a7b2
--- /dev/null
+++ b/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge1/Assignment1Test.java
@@ -0,0 +1,72 @@
+package org.owasp.webgoat.plugin.challenge1;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.plugin.Flag;
+import org.owasp.webgoat.plugin.SolutionConstants;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+/**
+ * @author nbaars
+ * @since 5/2/17.
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class Assignment1Test extends AssignmentEndpointTest {
+
+    private MockMvc mockMvc;
+
+    @Before
+    public void setup() {
+        Assignment1 assignment1 = new Assignment1();
+        init(assignment1);
+        new Flag().initFlags();
+        this.mockMvc = standaloneSetup(assignment1).build();
+    }
+
+    @Test
+    public void success() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
+                .header("X-Forwarded-For", "127.0.1.1")
+                .param("username", "admin")
+                .param("password", SolutionConstants.PASSWORD))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("flag: " + Flag.FLAGS.get(1))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+    }
+
+    @Test
+    public void wrongPassword() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
+                .param("username", "admin")
+                .param("password", "wrong"))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+
+    @Test
+    public void correctPasswordXForwardHeaderMissing() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
+                .param("username", "admin")
+                .param("password", SolutionConstants.PASSWORD))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("ip.address.unknown"))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+
+    @Test
+    public void correctPasswordXForwardHeaderWrong() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
+                .header("X-Forwarded-For", "127.0.1.2")
+                .param("username", "admin")
+                .param("password", SolutionConstants.PASSWORD))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("ip.address.unknown"))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+
+}
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge2/Assignment2Test.java b/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge2/Assignment2Test.java
new file mode 100644
index 000000000..edf70df28
--- /dev/null
+++ b/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge2/Assignment2Test.java
@@ -0,0 +1,49 @@
+package org.owasp.webgoat.plugin.challenge2;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.plugin.Flag;
+import org.owasp.webgoat.plugin.SolutionConstants;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+/**
+ * @author nbaars
+ * @since 5/2/17.
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class Assignment2Test extends AssignmentEndpointTest {
+
+    private MockMvc mockMvc;
+
+    @Before
+    public void setup() {
+        Assignment2 assignment2 = new Assignment2();
+        init(assignment2);
+        new Flag().initFlags();
+        this.mockMvc = standaloneSetup(assignment2).build();
+    }
+
+    @Test
+    public void success() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/2")
+                .param("checkoutCode", SolutionConstants.SUPER_COUPON_CODE))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("flag: " + Flag.FLAGS.get(2))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+    }
+
+    @Test
+    public void wrongCouponCode() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/2")
+                .param("checkoutCode", "test"))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+}
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge2/ShopEndpointTest.java b/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge2/ShopEndpointTest.java
new file mode 100644
index 000000000..1fb4e73d1
--- /dev/null
+++ b/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge2/ShopEndpointTest.java
@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin.challenge2;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
+
+import static org.hamcrest.Matchers.is;
+import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+/**
+ * @author nbaars
+ * @since 5/2/17.
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class ShopEndpointTest {
+
+    private MockMvc mockMvc;
+
+    @Before
+    public void setup() {
+        ShopEndpoint shopEndpoint = new ShopEndpoint();
+        this.mockMvc = standaloneSetup(shopEndpoint).build();
+    }
+
+    @Test
+    public void getSuperCoupon() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/" + SUPER_COUPON_CODE))
+                .andDo(MockMvcResultHandlers.print())
+                .andExpect(jsonPath("$.code", CoreMatchers.is(SUPER_COUPON_CODE)))
+                .andExpect(jsonPath("$.discount", CoreMatchers.is(100)));
+    }
+
+    @Test
+    public void getCoupon() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/webgoat"))
+                .andDo(MockMvcResultHandlers.print())
+                .andExpect(jsonPath("$.code", CoreMatchers.is("webgoat")))
+                .andExpect(jsonPath("$.discount", CoreMatchers.is(25)));
+    }
+
+    @Test
+    public void askForUnknownCouponCode() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/does-not-exists"))
+                .andDo(MockMvcResultHandlers.print())
+                .andExpect(jsonPath("$.code", CoreMatchers.is("no")))
+                .andExpect(jsonPath("$.discount", CoreMatchers.is(0)));
+    }
+
+    @Test
+    public void fetchAllTheCouponsShouldContainGetItForFree() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/"))
+                .andDo(MockMvcResultHandlers.print())
+                .andExpect(jsonPath("$.codes[3].code", is("get_it_for_free")));
+    }
+
+}
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequestTest.java b/webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequestTest.java
index 90686bca7..ae32edacb 100644
--- a/webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequestTest.java
+++ b/webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequestTest.java
@@ -53,7 +53,7 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
 
     @Test
     public void success() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
+        mockMvc.perform(MockMvcRequestBuilders.get("/challenge/1")
                 .header("x-request-intercepted", "true")
                 .param("changeMe", "Requests are tampered easily"))
                 .andExpect(status().isOk()).andDo(MockMvcResultHandlers.print())