Last assignment for JWT tokens finished

Nanne Baars
2018-05-22 17:06:03 +02:00
parent e06d4642eb
commit dda6f674a3
10 changed files with 394 additions and 45 deletions


@ -0,0 +1,102 @@
package org.owasp.webgoat.plugin;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.Maps;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import java.util.Map;
import static org.hamcrest.Matchers.is;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.plugin.JWTRefreshEndpoint.PASSWORD;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@RunWith(SpringJUnit4ClassRunner.class)
public class JWTRefreshEndpointTest extends LessonTest {
@Before
public void setup() {
JWT jwt = new JWT();
when(webSession.getCurrentLesson()).thenReturn(jwt);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
@Test
public void solveAssignment() throws Exception {
ObjectMapper objectMapper = new ObjectMapper();
//First login to obtain tokens for Jerry
Map<String, Object> loginJson = Maps.newHashMap();
loginJson.put("user", "Jerry");
loginJson.put("password", PASSWORD);
MvcResult result = mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(loginJson)))
.andExpect(status().isOk())
.andReturn();
Map<String, String> tokens = objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
String accessToken = tokens.get("access_token");
String refreshToken = tokens.get("refresh_token");
//Now create a new refresh token for Tom based on Toms old access token and send the refresh token of Jerry
String accessTokenTom = "eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1MjYxMzE0MTEsImV4cCI6MTUyNjIxNzgxMSwiYWRtaW4iOiJmYWxzZSIsInVzZXIiOiJUb20ifQ.DCoaq9zQkyDH25EcVWKcdbyVfUL4c9D4jRvsqOqvi9iAd4QuqmKcchfbU8FNzeBNF9tLeFXHZLU4yRkq-bjm7Q";
Map<String, Object> refreshJson = Maps.newHashMap();
refreshJson.put("refresh_token", refreshToken);
result = mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/newToken")
.contentType(MediaType.APPLICATION_JSON)
.header("Authorization", "Bearer " + accessTokenTom)
.content(objectMapper.writeValueAsString(refreshJson)))
.andExpect(status().isOk())
.andReturn();
tokens = objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
accessTokenTom = tokens.get("access_token");
//Now checkout with the new token from Tom
mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/checkout")
.header("Authorization", "Bearer " + accessTokenTom))
.andExpect(status().isOk())
.andExpect(jsonPath("$.lessonCompleted", is(true)));
}
@Test
public void checkoutWithTomsTokenFromAccessLogShouldFail() throws Exception {
String accessTokenTom = "eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1MjYxMzE0MTEsImV4cCI6MTUyNjIxNzgxMSwiYWRtaW4iOiJmYWxzZSIsInVzZXIiOiJUb20ifQ.DCoaq9zQkyDH25EcVWKcdbyVfUL4c9D4jRvsqOqvi9iAd4QuqmKcchfbU8FNzeBNF9tLeFXHZLU4yRkq-bjm7Q";
mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/checkout")
.header("Authorization", "Bearer " + accessTokenTom))
.andExpect(status().isOk())
.andExpect(jsonPath("$.output", CoreMatchers.containsString("JWT expired at")));
}
@Test
public void flowForJerryAlwaysWorks() throws Exception {
ObjectMapper objectMapper = new ObjectMapper();
Map<String, Object> loginJson = Maps.newHashMap();
loginJson.put("user", "Jerry");
loginJson.put("password", PASSWORD);
MvcResult result = mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(loginJson)))
.andExpect(status().isOk())
.andReturn();
Map<String, String> tokens = objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
String accessToken = tokens.get("access_token");
mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/checkout")
.header("Authorization", "Bearer " + accessToken))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", is("User is not Tom but Jerry, please try again")));
}
}
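Review bot: The `/JWT/refresh/newToken` request in `solveAssignment` exercises the flaw the lesson teaches — a refresh token issued to Jerry is accepted alongside an access token whose `user` claim is Tom — but nothing in the test says so, and a reader could later take the passing assertion as evidence that the endpoint is sound. A comment above that request would fix it: `// Lesson flaw under test: the endpoint does not check that the refresh token was issued to the same subject as the bearer access token, so Jerry's refresh token mints a fresh token for Tom.` The `accessToken` local read from the login response in `solveAssignment` is never used and can be dropped, and the raw `Map.class` passed to the three `readValue` calls produces unchecked-assignment warnings; a `TypeReference<Map<String, String>>` would remove them but needs a Jackson import this file does not yet have. `checkoutWithTomsTokenFromAccessLogShouldFail` relies on the hard-coded token's `exp` (which appears to decode to a May 2018 timestamp) staying in the past, which holds, but a one-line comment such as `// token is deliberately expired; only the expiry error is expected` would spare the next reader a decode.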


@ -6,6 +6,10 @@ import io.jsonwebtoken.*;
import io.jsonwebtoken.impl.TextCodec;
import org.junit.Test;
import java.time.Duration;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.Period;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.TimeUnit;
@ -34,4 +38,19 @@ public class TokenTest {
}).parse(token);
}
@Test
public void testRefresh() {
Instant now = Instant.now(); //current date
Claims claims = Jwts.claims().setIssuedAt(Date.from(now.minus(Duration.ofDays(10))));
claims.setExpiration(Date.from(now.minus(Duration.ofDays(9))));
claims.put("admin", "false");
claims.put("user", "Tom");
String token = Jwts.builder().setClaims(claims)
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, "bm5n3SkxCX4kKRy4")
.compact();
//Jws<Claims> jws = Jwts.parser().setSigningKey("bm5n3SkxCX4kKRy4").parseClaimsJws(token);
//Jwts.parser().setSigningKey().parsePlaintextJws(token);
System.out.println(token);
}
}
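Review bot: `testRefresh` in the second hunk asserts nothing — it builds a Tom token whose `exp` is nine days in the past and only prints it with `System.out.println`, so the test passes no matter what the library does and leaves two commented-out parse lines behind. The intended check is that verification rejects the expired token, which jjwt reports as `ExpiredJwtException`; declare `@Test(expected = ExpiredJwtException.class)` and replace the println and the two commented lines with `Jwts.parser().setSigningKey("bm5n3SkxCX4kKRy4").parseClaimsJws(token);`. The HS512 secret is hard-coded here and must stay in sync with wherever the lesson defines it, so a comment pointing at that definition would help the next maintainer. `LocalDateTime` and `Period` in the first hunk are not used by the new method and can presumably be dropped if this commit added them.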