Creating endpoint for the scoreboard
This commit is contained in:
Nanne Baars
@ -1,104 +0,0 @@
|
||||
|
||||
package org.owasp.webgoat.session;
|
||||
|
||||
import com.google.common.collect.Lists;
|
||||
import com.google.common.collect.Sets;
|
||||
import lombok.Getter;
|
||||
import org.owasp.webgoat.lessons.AbstractLesson;
|
||||
import org.owasp.webgoat.lessons.Assignment;
|
||||
|
||||
import java.io.Serializable;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Optional;
|
||||
import java.util.Set;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
|
||||
/**
|
||||
* ************************************************************************************************
|
||||
* <p>
|
||||
* <p>
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
||||
* please see http://www.owasp.org/
|
||||
* <p>
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
* <p>
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
* <p>
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
* <p>
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
* <p>
|
||||
* Getting Source ==============
|
||||
* <p>
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
|
||||
* projects.
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @version $Id: $Id
|
||||
* @since October 29, 2003
|
||||
*/
|
||||
public class LessonTracker implements Serializable {
|
||||
private static final long serialVersionUID = 5410058267505412928L;
|
||||
private final Set<Assignment> solvedAssignments = Sets.newHashSet();
|
||||
private final List<Assignment> allAssignments = Lists.newArrayList();
|
||||
@Getter
|
||||
private int numberOfAttempts = 0;
|
||||
|
||||
public LessonTracker(AbstractLesson lesson) {
|
||||
allAssignments.addAll(lesson.getAssignments());
|
||||
}
|
||||
|
||||
public Optional<Assignment> getAssignment(String name) {
|
||||
return allAssignments.stream().filter(a -> a.getName().equals(name)).findFirst();
|
||||
}
|
||||
|
||||
/**
|
||||
* Mark an assignment as solved
|
||||
*
|
||||
* @param solvedAssignment the assignment which the user solved
|
||||
*/
|
||||
public void assignmentSolved(String solvedAssignment) {
|
||||
getAssignment(solvedAssignment).ifPresent(a -> solvedAssignments.add(a));
|
||||
}
|
||||
|
||||
/**
|
||||
* @return did they user solved all solvedAssignments for the lesson?
|
||||
*/
|
||||
public boolean isLessonSolved() {
|
||||
return allAssignments.size() == solvedAssignments.size();
|
||||
}
|
||||
|
||||
/**
|
||||
* Increase the number attempts to solve the lesson
|
||||
*/
|
||||
public void incrementAttempts() {
|
||||
numberOfAttempts++;
|
||||
}
|
||||
|
||||
/**
|
||||
* Reset the tracker. We do not reset the number of attempts here!
|
||||
*/
|
||||
void reset() {
|
||||
solvedAssignments.clear();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list containing all the assignments solved or not
|
||||
*/
|
||||
public Map<Assignment, Boolean> getLessonOverview() {
|
||||
List<Assignment> notSolved = allAssignments.stream()
|
||||
.filter(i -> !solvedAssignments.contains(i))
|
||||
.collect(Collectors.toList());
|
||||
Map<Assignment, Boolean> overview = notSolved.stream().collect(Collectors.toMap(a -> a, b -> false));
|
||||
overview.putAll(solvedAssignments.stream().collect(Collectors.toMap(a -> a, b -> true)));
|
||||
return overview;
|
||||
}
|
||||
}
|
||||
@ -1,181 +0,0 @@
|
||||
package org.owasp.webgoat.session;
|
||||
|
||||
import java.io.File;
|
||||
import java.sql.Connection;
|
||||
import java.sql.DriverManager;
|
||||
import java.sql.PreparedStatement;
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
class UserDatabase {
|
||||
private Connection userDB;
|
||||
private final String USER_DB_URI = "jdbc:h2:" + System.getProperty("user.dir") + File.separator + "UserDatabase";
|
||||
|
||||
private final String CREATE_USERS_TABLE = "CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY AUTO_INCREMENT, username VARCHAR(255) NOT NULL UNIQUE);";
|
||||
private final String CREATE_ROLES_TABLE = "CREATE TABLE IF NOT EXISTS roles (id INTEGER PRIMARY KEY AUTO_INCREMENT, rolename VARCHAR(255) NOT NULL UNIQUE);";
|
||||
private final String CREATE_USER_ROLES_TABLE = "CREATE TABLE IF NOT EXISTS user_roles (id INTEGER PRIMARY KEY AUTO_INCREMENT, user_id INTEGER NOT NULL, role_id INTEGER NOT NULL, FOREIGN KEY (user_id) REFERENCES users(id), FOREIGN KEY (role_id) REFERENCES roles(id));";
|
||||
private final String ADD_DEFAULT_USERS = "INSERT INTO users (username) VALUES ('webgoat'),('basic'),('guest');";
|
||||
private final String ADD_DEFAULT_ROLES = "INSERT INTO roles (rolename) VALUES ('webgoat_basic'),('webgoat_admin'),('webgoat_user');";
|
||||
private final String ADD_ROLE_TO_USER = "INSERT INTO user_roles (user_id, role_id) SELECT users.id, roles.id FROM users, roles WHERE users.username = ? AND roles.rolename = ?;";
|
||||
|
||||
private final String QUERY_ALL_USERS = "SELECT username FROM users;";
|
||||
private final String QUERY_ALL_ROLES_FOR_USERNAME = "SELECT rolename FROM roles, user_roles, users WHERE roles.id = user_roles.role_id AND user_roles.user_id = users.id AND users.username = ?;";
|
||||
private final String QUERY_TABLE_COUNT = "SELECT count(id) AS count FROM table;";
|
||||
|
||||
/**
|
||||
* <p>Constructor for UserDatabase.</p>
|
||||
*/
|
||||
public UserDatabase() {
|
||||
createDefaultTables();
|
||||
if (getTableCount("users") <= 0) {
|
||||
createDefaultUsers();
|
||||
}
|
||||
if (getTableCount("roles") <= 0) {
|
||||
createDefaultRoles();
|
||||
}
|
||||
if (getTableCount("user_roles") <= 0) {
|
||||
addDefaultRolesToDefaultUsers();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>open.</p>
|
||||
*
|
||||
* @return a boolean.
|
||||
*/
|
||||
public boolean open() {
|
||||
try {
|
||||
if (userDB == null || userDB.isClosed()) {
|
||||
Class.forName("org.h2.Driver");
|
||||
userDB = DriverManager.getConnection(USER_DB_URI, "webgoat_admin", "");
|
||||
}
|
||||
} catch (SQLException e) {
|
||||
e.printStackTrace();
|
||||
return false;
|
||||
} catch (ClassNotFoundException e) {
|
||||
e.printStackTrace();
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>close.</p>
|
||||
*
|
||||
* @return a boolean.
|
||||
*/
|
||||
public boolean close() {
|
||||
try {
|
||||
if (userDB != null && !userDB.isClosed())
|
||||
userDB.close();
|
||||
} catch (SQLException e) {
|
||||
e.printStackTrace();
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>getTableCount.</p>
|
||||
*
|
||||
* @param tableName a {@link java.lang.String} object.
|
||||
* @return a int.
|
||||
*/
|
||||
public int getTableCount(String tableName) {
|
||||
int count = 0;
|
||||
try {
|
||||
open();
|
||||
Statement statement = userDB.createStatement();
|
||||
ResultSet countResult = statement.executeQuery(QUERY_TABLE_COUNT.replace("table", tableName));
|
||||
if (countResult.next()) {
|
||||
count = countResult.getInt("count");
|
||||
}
|
||||
countResult.close();
|
||||
statement.close();
|
||||
close();
|
||||
} catch (SQLException e) {
|
||||
e.printStackTrace();
|
||||
count = -1;
|
||||
}
|
||||
return count;
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>addRoleToUser.</p>
|
||||
*
|
||||
* @param username a {@link java.lang.String} object.
|
||||
* @param rolename a {@link java.lang.String} object.
|
||||
* @return a boolean.
|
||||
*/
|
||||
public boolean addRoleToUser(String username, String rolename) {
|
||||
try {
|
||||
open();
|
||||
PreparedStatement statement = userDB.prepareStatement(ADD_ROLE_TO_USER);
|
||||
statement.setString(1, username);
|
||||
statement.setString(2, rolename);
|
||||
statement.execute();
|
||||
statement.close();
|
||||
close();
|
||||
} catch (SQLException e) {
|
||||
e.printStackTrace();
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/*
|
||||
* Methods to initialise the default state of the database.
|
||||
*/
|
||||
|
||||
private boolean createDefaultTables() {
|
||||
try {
|
||||
open();
|
||||
Statement statement = userDB.createStatement();
|
||||
statement.execute(CREATE_USERS_TABLE);
|
||||
statement.execute(CREATE_ROLES_TABLE);
|
||||
statement.execute(CREATE_USER_ROLES_TABLE);
|
||||
statement.close();
|
||||
close();
|
||||
} catch (SQLException e) {
|
||||
e.printStackTrace();
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private boolean createDefaultUsers() {
|
||||
try {
|
||||
open();
|
||||
Statement statement = userDB.createStatement();
|
||||
statement.execute(ADD_DEFAULT_USERS);
|
||||
statement.close();
|
||||
close();
|
||||
} catch (SQLException e) {
|
||||
e.printStackTrace();
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private boolean createDefaultRoles() {
|
||||
try {
|
||||
open();
|
||||
Statement statement = userDB.createStatement();
|
||||
statement.execute(ADD_DEFAULT_ROLES);
|
||||
statement.close();
|
||||
close();
|
||||
} catch (SQLException e) {
|
||||
e.printStackTrace();
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private void addDefaultRolesToDefaultUsers() {
|
||||
addRoleToUser("webgoat", "webgoat_admin");
|
||||
addRoleToUser("basic", "webgoat_user");
|
||||
addRoleToUser("basic", "webgoat_basic");
|
||||
addRoleToUser("guest", "webgoat_user");
|
||||
}
|
||||
}
|
||||
@ -1,154 +0,0 @@
|
||||
|
||||
package org.owasp.webgoat.session;
|
||||
|
||||
import com.google.common.collect.Maps;
|
||||
import com.google.common.io.ByteStreams;
|
||||
import lombok.SneakyThrows;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.owasp.webgoat.lessons.AbstractLesson;
|
||||
import org.owasp.webgoat.lessons.Assignment;
|
||||
import org.springframework.core.serializer.DefaultDeserializer;
|
||||
|
||||
import java.io.*;
|
||||
import java.util.Map;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
|
||||
/**
|
||||
* ************************************************************************************************
|
||||
* <p>
|
||||
* <p>
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
||||
* please see http://www.owasp.org/
|
||||
* <p>
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
* <p>
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
* <p>
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
* <p>
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
* <p>
|
||||
* Getting Source ==============
|
||||
* <p>
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
|
||||
* projects.
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @version $Id: $Id
|
||||
* @since October 29, 2003
|
||||
*/
|
||||
@Slf4j
|
||||
public class UserTracker {
|
||||
|
||||
private final String webgoatHome;
|
||||
private final String user;
|
||||
|
||||
public UserTracker(final String webgoatHome, final String user) {
|
||||
this.webgoatHome = webgoatHome;
|
||||
this.user = user;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the lesson tracker for a specific lesson if available.
|
||||
*
|
||||
* @param lesson the lesson
|
||||
* @return the optional lesson tracker
|
||||
*/
|
||||
public LessonTracker getLessonTracker(AbstractLesson lesson) {
|
||||
return getLessonTracker(load(), lesson);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the lesson tracker for a specific lesson if available.
|
||||
*
|
||||
* @param lesson the lesson
|
||||
* @return the optional lesson tracker
|
||||
*/
|
||||
public LessonTracker getLessonTracker(Map<String, LessonTracker> storage, AbstractLesson lesson) {
|
||||
LessonTracker lessonTracker = storage.get(lesson.getTitle());
|
||||
if (lessonTracker == null) {
|
||||
lessonTracker = new LessonTracker(lesson);
|
||||
storage.put(lesson.getTitle(), lessonTracker);
|
||||
save(storage);
|
||||
}
|
||||
return lessonTracker;
|
||||
}
|
||||
|
||||
public void assignmentSolved(AbstractLesson lesson, String assignmentName) {
|
||||
Map<String, LessonTracker> storage = load();
|
||||
LessonTracker lessonTracker = storage.get(lesson.getTitle());
|
||||
lessonTracker.incrementAttempts();
|
||||
lessonTracker.assignmentSolved(assignmentName);
|
||||
save(storage);
|
||||
}
|
||||
|
||||
public void assignmentFailed(AbstractLesson lesson) {
|
||||
Map<String, LessonTracker> storage = load();
|
||||
LessonTracker lessonTracker = storage.get(lesson.getTitle());
|
||||
lessonTracker.incrementAttempts();
|
||||
save(storage);
|
||||
}
|
||||
|
||||
public Map<String, LessonTracker> load() {
|
||||
File file = new File(webgoatHome, user + ".progress");
|
||||
Map<String, LessonTracker> storage = Maps.newHashMap();
|
||||
if (file.exists() && file.isFile()) {
|
||||
try {
|
||||
DefaultDeserializer deserializer = new DefaultDeserializer(Thread.currentThread().getContextClassLoader());
|
||||
try (FileInputStream fis = new FileInputStream(file)) {
|
||||
byte[] b = ByteStreams.toByteArray(fis);
|
||||
storage = (Map<String, LessonTracker>) deserializer.deserialize(new ByteArrayInputStream(b));
|
||||
}
|
||||
} catch (Exception e) {
|
||||
log.error("Unable to read the progress file, creating a new one...");
|
||||
}
|
||||
}
|
||||
return storage;
|
||||
}
|
||||
|
||||
@SneakyThrows
|
||||
private void save(Map<String, LessonTracker> storage) {
|
||||
File file = new File(webgoatHome, user + ".progress");
|
||||
|
||||
try (ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream(file))) {
|
||||
objectOutputStream.writeObject(storage);
|
||||
objectOutputStream.flush();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public void reset(AbstractLesson al) {
|
||||
Map<String, LessonTracker> storage = load();
|
||||
LessonTracker lessonTracker = getLessonTracker(storage, al);
|
||||
lessonTracker.reset();
|
||||
save(storage);
|
||||
}
|
||||
|
||||
public int numberOfLessonsSolved() {
|
||||
int numberOfLessonsSolved = 0;
|
||||
Map<String, LessonTracker> storage = load();
|
||||
for (LessonTracker lessonTracker : storage.values()) {
|
||||
if (lessonTracker.isLessonSolved()) {
|
||||
numberOfLessonsSolved = numberOfLessonsSolved + 1;
|
||||
}
|
||||
}
|
||||
return numberOfLessonsSolved;
|
||||
}
|
||||
|
||||
public int numberOfAssignmentsSolved() {
|
||||
int numberOfAssignmentsSolved = 0;
|
||||
Map<String, LessonTracker> storage = load();
|
||||
for (LessonTracker lessonTracker : storage.values()) {
|
||||
Map<Assignment, Boolean> lessonOverview = lessonTracker.getLessonOverview();
|
||||
numberOfAssignmentsSolved = lessonOverview.values().stream().filter(b -> b).collect(Collectors.counting()).intValue();
|
||||
}
|
||||
return numberOfAssignmentsSolved;
|
||||
}
|
||||
}
|
||||
@ -1,71 +0,0 @@
|
||||
package org.owasp.webgoat.session;
|
||||
|
||||
import lombok.Getter;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
import org.springframework.security.core.userdetails.User;
|
||||
import org.springframework.security.core.userdetails.UserDetails;
|
||||
|
||||
import javax.persistence.Entity;
|
||||
import javax.persistence.Id;
|
||||
import javax.persistence.Transient;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
* @since 3/19/17.
|
||||
*/
|
||||
@Getter
|
||||
@Entity
|
||||
public class WebGoatUser implements UserDetails {
|
||||
|
||||
public static final String ROLE_USER = "WEBGOAT_USER";
|
||||
public static final String ROLE_ADMIN = "WEBGOAT_ADMIN";
|
||||
|
||||
@Id
|
||||
private String username;
|
||||
private String password;
|
||||
private String role = ROLE_USER;
|
||||
@Transient
|
||||
private User user;
|
||||
|
||||
protected WebGoatUser() {
|
||||
}
|
||||
|
||||
public WebGoatUser(String username, String password) {
|
||||
this.username = username;
|
||||
this.password = password;
|
||||
createUser();
|
||||
}
|
||||
|
||||
public void createUser() {
|
||||
this.user = new User(username, password, getAuthorities());
|
||||
}
|
||||
|
||||
public Collection<? extends GrantedAuthority> getAuthorities() {
|
||||
return Collections.singleton(new SimpleGrantedAuthority(getRole()));
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isAccountNonExpired() {
|
||||
return this.user.isAccountNonExpired();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isAccountNonLocked() {
|
||||
return this.user.isAccountNonLocked();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isCredentialsNonExpired() {
|
||||
return this.user.isCredentialsNonExpired();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isEnabled() {
|
||||
return this.user.isEnabled();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -2,6 +2,7 @@ package org.owasp.webgoat.session;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.owasp.webgoat.lessons.AbstractLesson;
|
||||
import org.owasp.webgoat.users.WebGoatUser;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
|
||||
import java.sql.Connection;
|
||||
|
||||
Reference in New Issue
Block a user