diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionACYourHash.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionACYourHash.java
index 44b12c49c..97770e635 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionACYourHash.java
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionACYourHash.java
@@ -28,7 +28,7 @@ public class MissingFunctionACYourHash extends AssignmentEndpoint {
 if (userHash.equals(displayUser.getUserHash())) {
 return trackProgress(success().feedback("access-control.hash.success").build());
 } else {
- return trackProgress(success().feedback("access-control.hash.close").build());
+ return trackProgress(failed().feedback("access-control.hash.close").build());
 }
 }
 }
diff --git a/webgoat-lessons/missing-function-ac/src/test/org/owasp/webgoat/plugin/MissingFunctionYourHashTest.java b/webgoat-lessons/missing-function-ac/src/test/org/owasp/webgoat/plugin/MissingFunctionYourHashTest.java
new file mode 100644
index 000000000..2c5350d30
--- /dev/null
+++ b/webgoat-lessons/missing-function-ac/src/test/org/owasp/webgoat/plugin/MissingFunctionYourHashTest.java
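Review bot: `userHash.equals(displayUser.getUserHash())` in the condition above the changed line dereferences the request-supplied value first, so a POST without a `userHash` parameter (if the binding permits null) throws instead of reaching the new `failed()` branch. Reversing the operands, `if (displayUser.getUserHash().equals(userHash)) {`, or using `Objects.equals(displayUser.getUserHash(), userHash)`, keeps the comparison null-safe so every non-matching input falls through to the `access-control.hash.close` feedback. The enclosing method's signature and the construction of displayUser are outside the hunk, so whether null can actually arrive here cannot be confirmed from this diff.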
@@ -0,0 +1,60 @@
+package org.owasp.webgoat.plugin;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.users.UserService;
+import org.owasp.webgoat.users.WebGoatUser;
+import org.springframework.test.util.ReflectionTestUtils;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
+
+import static org.mockito.Matchers.anyString;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+@RunWith(MockitoJUnitRunner.class)
+public class MissingFunctionYourHashTest extends AssignmentEndpointTest {
+ private MockMvc mockMvc;
+ private DisplayUser mockDisplayUser;
+
+ @Mock
+ protected UserService userService;
+
+ @Before
+ public void setUp() {
+ MissingFunctionACYourHash yourHashTest = new MissingFunctionACYourHash();
+ init(yourHashTest);
+ this.mockMvc = standaloneSetup(yourHashTest).build();
+ this.mockDisplayUser = new DisplayUser(new WebGoatUser("user","userPass"));
+ ReflectionTestUtils.setField(yourHashTest,"userService",userService);
+ when(mockDisplayUser.getUserHash()).thenReturn("2340928sadfajsdalsNfwrBla=");
+ when(userService.loadUserByUsername(anyString())).thenReturn(new WebGoatUser("user","userPass"));
+ }
+
+ @Test
+ public void HashDoesNotMatch() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.post("/access-control/user-hash")
+ .param("userHash", "42"))
+ .andExpect(status().isOk()).andDo(MockMvcResultHandlers.print())
+ .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("Keep trying, this one may take several attempts")))
+ .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+ }
+
+ @Test
+ public void hashMatches() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.post("/access-control/user-hash")
+ .param("userHash", "2340928sadfajsdalsNfwrBla="))
+ .andExpect(status().isOk()).andDo(MockMvcResultHandlers.print())
+ .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("Keep trying, this one may take several attempts")))
+ .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+ }
+
+}
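Review bot: `hashMatches` asserts the same outcome as `HashDoesNotMatch` — the "Keep trying" feedback and `$.lessonCompleted` false — so the success branch that the first file's `success()`/`failed()` split distinguishes is never exercised, and a test named for the matching case should expect `lessonCompleted` true. The likely cause is that `mockDisplayUser` is a real `DisplayUser` built with `new` that the endpoint never reads, and `when(mockDisplayUser.getUserHash())` stubs a non-mock, which Mockito rejects with MissingMethodInvocationException in setUp unless DisplayUser is proxied in a way this diff does not show. Dropping that field and stub and deriving the expected value from a `DisplayUser` built from the same `WebGoatUser` the stubbed `userService` returns lets the test pin the real success path; the rewritten method follows, assuming `DisplayUser` derives its hash deterministically from the user (confirm against that class). The success feedback text is not in this diff, so the rewrite asserts only `lessonCompleted`. As a style point, `HashDoesNotMatch` should be lowerCamelCase like `hashMatches`.
```java
    @Test
    public void hashMatches() throws Exception {
        // Same user the stubbed userService hands to the endpoint, so this is the hash
        // it compares against — assumes DisplayUser derives the hash from the user; confirm.
        String expectedHash = new DisplayUser(new WebGoatUser("user", "userPass")).getUserHash();
        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/user-hash")
                .param("userHash", expectedHash))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
    }
```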