Remove WebGoat session object (#1929)

* refactor: modernize code

* refactor: move to Tomcat

* chore: bump to Spring Boot 3.3.3

* refactor: use Testcontainers to run integration tests

* refactor: lesson/assignment progress

* chore: format code

* refactor: first step into removing base class for assignment

Always been a bit of an ugly construction, as none of the dependencies are clear. The constructors are hidden due to autowiring the base class. This PR removes two of the fields.

As a bonus we now wire the authentication principal directly in the controllers.

* refactor: use authentication principal directly.

* refactor: pass lesson to the endpoints

No more need to get the current lesson set in a session. The lesson is now passed to the endpoints.

* fix: Testcontainers cannot run on Windows host in Github actions.

Since we have Windows specific paths let's run it standalone for now. We need to run these tests on Docker as well (for now disabled)

src/main/java/org/owasp/webgoat/container/WebGoat.java

@@ -32,30 +32,33 @@
 package org.owasp.webgoat.container;
 
 import java.io.File;
-import org.owasp.webgoat.container.session.UserSessionData;
-import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.session.LessonSession;
 import org.owasp.webgoat.container.users.UserRepository;
-import org.owasp.webgoat.container.users.WebGoatUser;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.autoconfigure.domain.EntityScan;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.PropertySource;
 import org.springframework.context.annotation.Scope;
 import org.springframework.context.annotation.ScopedProxyMode;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
+import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
 import org.springframework.web.client.RestTemplate;
 
 @Configuration
 @ComponentScan(basePackages = {"org.owasp.webgoat.container", "org.owasp.webgoat.lessons"})
 @PropertySource("classpath:application-webgoat.properties")
 @EnableAutoConfiguration
+@EnableJpaRepositories(basePackages = {"org.owasp.webgoat.container"})
+@EntityScan(basePackages = "org.owasp.webgoat.container")
 public class WebGoat {
 
-  @Autowired private UserRepository userRepository;
+  private final UserRepository userRepository;
+
+  public WebGoat(UserRepository userRepository) {
+    this.userRepository = userRepository;
+  }
 
   @Bean(name = "pluginTargetDirectory")
   public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {
@@ -64,21 +67,8 @@ public class WebGoat {
 
   @Bean
   @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
-  public WebSession webSession() {
-    WebGoatUser webGoatUser = null;
-    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
-    if (principal instanceof WebGoatUser) {
-      webGoatUser = (WebGoatUser) principal;
-    } else if (principal instanceof DefaultOAuth2User) {
-      webGoatUser = userRepository.findByUsername(((DefaultOAuth2User) principal).getName());
-    }
-    return new WebSession(webGoatUser);
-  }
-
-  @Bean
-  @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
-  public UserSessionData userSessionData() {
-    return new UserSessionData("test", "data");
+  public LessonSession userSessionData() {
+    return new LessonSession();
   }
 
   @Bean