Password reset link test condition more strict and move all WebWolf links to /WebWolf (#1645)

* better check on host and port for password reset and make context roots more flexible * spotless applied * removed hardcoded /WebGoat from js * removed hardcoded /WebGoat from js * fix spotless * fix scoreboard * upgrade WebWolf bootstrap version and icons and templates - part 1 * fixed more bootstrap 5 style issues and context path issues * organized WebSecurityConfig based on latest conventions and added basic support for oauth (more work needed) * spotless applied * added mock bean * requires updates to properties - commented for now * requires updates to properties - commented for now * oauth secrets through env values * user creation after oauth login * integration test against non default context paths * adjusted StartupMessage * add global model element username * conditionally show login oauth links * fixed WebWolf login --------- Co-authored-by: René Zubcevic <rene@Mac-mini-van-Rene.local>
2023-11-14 10:01:59 +01:00
parent 5a4974f3c2
commit d1e44bbc98
114 changed files with 2763 additions and 546 deletions
--- a/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
@ -242,6 +242,7 @@ public class MvcConfiguration implements WebMvcConfigurer {
  @Override
  public void addInterceptors(InterceptorRegistry registry) {
    registry.addInterceptor(localeChangeInterceptor());
+    registry.addInterceptor(new UserInterceptor());
  }

  @Bean
--- a/src/main/java/org/owasp/webgoat/container/UserInterceptor.java
+++ b/src/main/java/org/owasp/webgoat/container/UserInterceptor.java
@ -0,0 +1,53 @@
+package org.owasp.webgoat.container;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.owasp.webgoat.container.asciidoc.EnvironmentExposure;
+import org.springframework.core.env.Environment;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.servlet.HandlerInterceptor;
+import org.springframework.web.servlet.ModelAndView;
+
+public class UserInterceptor implements HandlerInterceptor {
+
+  private Environment env = EnvironmentExposure.getEnv();
+
+  @Override
+  public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
+      throws Exception {
+    // Do nothing
+    return true;
+  }
+
+  @Override
+  public void postHandle(
+      HttpServletRequest request,
+      HttpServletResponse response,
+      Object handler,
+      ModelAndView modelAndView)
+      throws Exception {
+    if (null != modelAndView) {
+      Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+      if (null != authentication) {
+        modelAndView.getModel().put("username", authentication.getName());
+      }
+      if (null != env) {
+        String githubClientId =
+            env.getProperty("spring.security.oauth2.client.registration.github.client-id");
+        if (null != githubClientId && !githubClientId.equals("dummy")) {
+          modelAndView.getModel().put("oauth", Boolean.TRUE);
+        }
+      } else {
+        modelAndView.getModel().put("oauth", Boolean.FALSE);
+      }
+    }
+  }
+
+  @Override
+  public void afterCompletion(
+      HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
+      throws Exception {
+    // Do nothing
+  }
+}
--- a/src/main/java/org/owasp/webgoat/container/WebGoat.java
+++ b/src/main/java/org/owasp/webgoat/container/WebGoat.java
@ -34,6 +34,9 @@ package org.owasp.webgoat.container;
 import java.io.File;
 import org.owasp.webgoat.container.session.UserSessionData;
 import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.UserRepository;
+import org.owasp.webgoat.container.users.WebGoatUser;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.context.annotation.Bean;
@ -42,6 +45,8 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.PropertySource;
 import org.springframework.context.annotation.Scope;
 import org.springframework.context.annotation.ScopedProxyMode;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
 import org.springframework.web.client.RestTemplate;

@Configuration
@ -50,6 +55,8 @@ import org.springframework.web.client.RestTemplate;
@EnableAutoConfiguration
 public class WebGoat {

+  @Autowired private UserRepository userRepository;
+
  @Bean(name = "pluginTargetDirectory")
  public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {
    return new File(webgoatHome);
@ -58,7 +65,14 @@ public class WebGoat {
  @Bean
  @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
  public WebSession webSession() {
-    return new WebSession();
+    WebGoatUser webGoatUser = null;
+    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+    if (principal instanceof WebGoatUser) {
+      webGoatUser = (WebGoatUser) principal;
+    } else if (principal instanceof DefaultOAuth2User) {
+      webGoatUser = userRepository.findByUsername(((DefaultOAuth2User) principal).getName());
+    }
+    return new WebSession(webGoatUser);
  }

  @Bean
--- a/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
@ -54,32 +54,41 @@ public class WebSecurityConfig {

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-    http.authorizeHttpRequests(
-        auth ->
-            auth.requestMatchers(
-                    "/css/**",
-                    "/images/**",
-                    "/js/**",
-                    "fonts/**",
-                    "/plugins/**",
-                    "/registration",
-                    "/register.mvc",
-                    "/actuator/**")
-                .permitAll()
-                .anyRequest()
-                .authenticated());
-    http.formLogin()
-        .loginPage("/login")
-        .defaultSuccessUrl("/welcome.mvc", true)
-        .usernameParameter("username")
-        .passwordParameter("password")
-        .permitAll();
-    http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
-    http.csrf().disable();
-
-    http.headers().cacheControl().disable();
-    http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
-    return http.build();
+    return http.authorizeHttpRequests(
+            auth ->
+                auth.requestMatchers(
+                        "/",
+                        "/favicon.ico",
+                        "/css/**",
+                        "/images/**",
+                        "/js/**",
+                        "fonts/**",
+                        "/plugins/**",
+                        "/registration",
+                        "/register.mvc")
+                    .permitAll()
+                    .anyRequest()
+                    .authenticated())
+        .formLogin(
+            login ->
+                login
+                    .loginPage("/login")
+                    .defaultSuccessUrl("/welcome.mvc", true)
+                    .usernameParameter("username")
+                    .passwordParameter("password")
+                    .permitAll())
+        .oauth2Login(
+            oidc -> {
+              oidc.defaultSuccessUrl("/login-oauth.mvc");
+              oidc.loginPage("/login");
+            })
+        .logout(logout -> logout.deleteCookies("JSESSIONID").invalidateHttpSession(true))
+        .csrf(csrf -> csrf.disable())
+        .headers(headers -> headers.disable())
+        .exceptionHandling(
+            handling ->
+                handling.authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login")))
+        .build();
  }

  @Autowired
@ -98,7 +107,6 @@ public class WebSecurityConfig {
    return authenticationConfiguration.getAuthenticationManager();
  }

-  @SuppressWarnings("deprecation")
  @Bean
  public NoOpPasswordEncoder passwordEncoder() {
    return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
--- a/src/main/java/org/owasp/webgoat/container/asciidoc/EnvironmentExposure.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/EnvironmentExposure.java
@ -16,7 +16,7 @@ public class EnvironmentExposure implements ApplicationContextAware {
  private static ApplicationContext context;

  public static Environment getEnv() {
-    return context.getEnvironment();
+    return (null != context) ? context.getEnvironment() : null;
  }

  @Override
--- a/src/main/java/org/owasp/webgoat/container/session/WebSession.java
+++ b/src/main/java/org/owasp/webgoat/container/session/WebSession.java
@ -3,7 +3,6 @@ package org.owasp.webgoat.container.session;
 import java.io.Serializable;
 import org.owasp.webgoat.container.lessons.Lesson;
 import org.owasp.webgoat.container.users.WebGoatUser;
-import org.springframework.security.core.context.SecurityContextHolder;

 /**
 * *************************************************************************************************
@ -40,13 +39,12 @@ import org.springframework.security.core.context.SecurityContextHolder;
 public class WebSession implements Serializable {

  private static final long serialVersionUID = -4270066103101711560L;
-  private final WebGoatUser currentUser;
+  private WebGoatUser currentUser;
  private transient Lesson currentLesson;
  private boolean securityEnabled;

-  public WebSession() {
-    this.currentUser =
-        (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+  public WebSession(WebGoatUser webGoatUser) {
+    this.currentUser = webGoatUser;
  }

  /**
--- a/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
+++ b/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
@ -3,8 +3,10 @@ package org.owasp.webgoat.container.users;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.validation.Valid;
+import java.util.UUID;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Controller;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.GetMapping;
@ -44,4 +46,12 @@ public class RegistrationController {

    return "redirect:/attack";
  }
+
+  @GetMapping("/login-oauth.mvc")
+  public String registrationOAUTH(Authentication authentication, HttpServletRequest request)
+      throws ServletException {
+    log.info("register oauth user in database");
+    userService.addUser(authentication.getName(), UUID.randomUUID().toString());
+    return "redirect:/welcome.mvc";
+  }
 }