Extract the stage-related code from LessonTracker into SequentialLessonTracker

git-svn-id: http://webgoat.googlecode.com/svn/trunk@157 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java

@@ -164,13 +164,6 @@ public abstract class AbstractLesson extends Screen implements Comparable
      */
     public abstract Element getCredits();
 
-    /**
-     * Get the number of stages provided by this lesson
-     * 
-     * @return the number of stages
-     */
-    public abstract int getStageCount();
-    
     /**
      * Description of the Method
      * 
@@ -614,23 +607,6 @@ public abstract class AbstractLesson extends Screen implements Comparable
 
     public abstract void setCurrentAction(WebSession s, String lessonScreen);
 
-
-    public void setStage(WebSession s, int stage)
-    {
-	// System.out.println("Changed to stage " + stage);
-	getLessonTracker(s).setStage(stage);
-    }
-
-
-    public int getStage(WebSession s)
-    {
-	int stage = getLessonTracker(s).getStage();
-
-	// System.out.println("In stage " + stage);
-	return stage;
-    }
-
-
     /**
      * Override this method to implement accesss control in a lesson.
      * 

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java

@@ -52,7 +52,7 @@ import org.owasp.webgoat.session.WebSession;
  * 
  * @author     Sherif Koussa <a href="http://www.macadamian.com">Macadamian Technologies.</a>
  */
-public class BackDoors extends LessonAdapter
+public class BackDoors extends SequentialLessonAdapter
 {
 
     private static Connection connection = null;

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BasicAuthentication.java

@@ -47,7 +47,7 @@ import org.owasp.webgoat.session.WebSession;
  * @author     Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @created    October 28, 2003
  */
-public class BasicAuthentication extends LessonAdapter
+public class BasicAuthentication extends SequentialLessonAdapter
 {
 
     private static final String EMPTY_STRING = "";

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java

@@ -69,7 +69,7 @@ import org.owasp.webgoat.util.ExecResults;
  * @author     Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @created    October 28, 2003
  */
-public class Challenge2Screen extends LessonAdapter
+public class Challenge2Screen extends SequentialLessonAdapter
 {
 
     private static final String USER_COOKIE = "user";

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java

@@ -17,6 +17,7 @@ import org.owasp.webgoat.session.UnauthenticatedException;
 import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.ValidationException;
 import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.util.HtmlEncoder;
 
 /**
  /*******************************************************************************
@@ -286,4 +287,18 @@ public class CrossSiteScripting extends GoatHillsFinancial
 	return "LAB: Cross Site Scripting (XSS)";
     }
 
+	public String htmlEncode(WebSession s, String text)
+	{
+		//System.out.println("Testing for stage 4 completion in lesson " + getCurrentLesson().getName());
+		if (getStage(s) == 4 && 
+				text.indexOf("<script>") > -1 && text.indexOf("alert") > -1 && text.indexOf("</script>") > -1)
+		{
+			s.setMessage( "Welcome to stage 5 -- exploiting the data layer" );
+			// Set a phantom stage value to setup for the 4-5 transition
+			setStage(s, 1005);
+		}
+		
+		return HtmlEncoder.encode(text);
+	}
+
 }

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DefaultLessonAction.java

@@ -5,7 +5,6 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
 
-import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.UnauthenticatedException;

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java

@@ -9,7 +9,7 @@ import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.html.A;
 import org.apache.ecs.html.IMG;
-import org.owasp.webgoat.lessons.LessonAdapter;
+import org.owasp.webgoat.lessons.SequentialLessonAdapter;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.UnauthenticatedException;
 import org.owasp.webgoat.session.UnauthorizedException;
@@ -45,7 +45,7 @@ import org.owasp.webgoat.session.WebSession;
  * 
  * For details, please see http://code.google.com/p/webgoat/
  */
-public class GoatHillsFinancial extends LessonAdapter
+public class GoatHillsFinancial extends SequentialLessonAdapter
 {
 	public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
 

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java

@@ -46,7 +46,7 @@ import org.owasp.webgoat.session.WebSession;
  * @created    September 30, 2006
  */
 
-public class HttpSplitting extends LessonAdapter
+public class HttpSplitting extends SequentialLessonAdapter
 {
 
     private final static String LANGUAGE = "language";

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java

@@ -107,90 +107,6 @@ public abstract class LessonAdapter extends AbstractLesson
     }
 
 
-    protected Element createStagedContent(WebSession s)
-    {
-	try
-	{
-	    int stage = getLessonTracker(s).getStage();
-	    //int stage = Integer.parseInt( getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE,"1"));
-
-	    switch (stage)
-	    {
-		case 1:
-		    return (doStage1(s));
-		case 2:
-		    return (doStage2(s));
-		case 3:
-		    return (doStage3(s));
-		case 4:
-		    return (doStage4(s));
-		case 5:
-		    return (doStage5(s));
-		case 6:
-		    return (doStage6(s));
-		default:
-		    throw new Exception("Invalid stage");
-	    }
-	}
-	catch (Exception e)
-	{
-	    s.setMessage("Error generating " + this.getClass().getName());
-	    System.out.println(e);
-	    e.printStackTrace();
-	}
-
-	return (new StringElement(""));
-    }
-
-
-    protected Element doStage1(WebSession s) throws Exception
-    {
-	ElementContainer ec = new ElementContainer();
-	ec.addElement("Stage 1 Stub");
-	return ec;
-    }
-
-
-    protected Element doStage2(WebSession s) throws Exception
-    {
-	ElementContainer ec = new ElementContainer();
-	ec.addElement("Stage 2 Stub");
-	return ec;
-    }
-
-
-    protected Element doStage3(WebSession s) throws Exception
-    {
-	ElementContainer ec = new ElementContainer();
-	ec.addElement("Stage 3 Stub");
-	return ec;
-    }
-
-
-    protected Element doStage4(WebSession s) throws Exception
-    {
-	ElementContainer ec = new ElementContainer();
-	ec.addElement("Stage 4 Stub");
-	return ec;
-    }
-
-
-    protected Element doStage5(WebSession s) throws Exception
-    {
-	ElementContainer ec = new ElementContainer();
-	ec.addElement("Stage 5 Stub");
-	return ec;
-    }
-
-
-    protected Element doStage6(WebSession s) throws Exception
-    {
-	ElementContainer ec = new ElementContainer();
-	ec.addElement("Stage 6 Stub");
-	return ec;
-    }
-
-
     /**
      *  Gets the category attribute of the LessonAdapter object. The default category is "General" Only
      *  override this method if you wish to create a new category or if you wish this lesson to reside
@@ -382,11 +298,4 @@ public abstract class LessonAdapter extends AbstractLesson
 		return t;
     }
     
-    /* By default returns 1 stage.
-     * (non-Javadoc)
-     * @see org.owasp.webgoat.lessons.AbstractLesson#getStageCount()
-     */
-    public int getStageCount() {
-    	return 1;
-    }
 }

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SequentialLessonAdapter.java

@@ -0,0 +1,139 @@
+package org.owasp.webgoat.lessons;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.owasp.webgoat.session.LessonTracker;
+import org.owasp.webgoat.session.SequentialLessonTracker;
+import org.owasp.webgoat.session.WebSession;
+
+public class SequentialLessonAdapter extends LessonAdapter {
+
+
+    public void setStage(WebSession s, int stage)
+    {
+	// System.out.println("Changed to stage " + stage);
+	getLessonTracker(s).setStage(stage);
+    }
+
+    /* By default returns 1 stage.
+     * (non-Javadoc)
+     */
+    public int getStageCount() {
+    	return 1;
+    }
+
+    public int getStage(WebSession s)
+    {
+	int stage = getLessonTracker(s).getStage();
+
+	// System.out.println("In stage " + stage);
+	return stage;
+    }
+
+	@Override
+    public SequentialLessonTracker getLessonTracker(WebSession s) {
+    	return (SequentialLessonTracker) super.getLessonTracker(s);
+    }
+
+
+	@Override
+	public SequentialLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) {
+		return (SequentialLessonTracker) super.getLessonTracker(s, lesson);
+	}
+
+
+	@Override
+	public SequentialLessonTracker getLessonTracker(WebSession s, String userNameOverride) {
+		return (SequentialLessonTracker) super.getLessonTracker(s, userNameOverride);
+	}
+
+	@Override
+	public LessonTracker createLessonTracker() {
+		return new SequentialLessonTracker();
+	}
+
+    protected Element createStagedContent(WebSession s)
+    {
+	try
+	{
+	    int stage = getLessonTracker(s).getStage();
+	    //int stage = Integer.parseInt( getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE,"1"));
+
+	    switch (stage)
+	    {
+		case 1:
+		    return (doStage1(s));
+		case 2:
+		    return (doStage2(s));
+		case 3:
+		    return (doStage3(s));
+		case 4:
+		    return (doStage4(s));
+		case 5:
+		    return (doStage5(s));
+		case 6:
+		    return (doStage6(s));
+		default:
+		    throw new Exception("Invalid stage");
+	    }
+	}
+	catch (Exception e)
+	{
+	    s.setMessage("Error generating " + this.getClass().getName());
+	    System.out.println(e);
+	    e.printStackTrace();
+	}
+
+	return (new StringElement(""));
+    }
+
+
+    protected Element doStage1(WebSession s) throws Exception
+    {
+	ElementContainer ec = new ElementContainer();
+	ec.addElement("Stage 1 Stub");
+	return ec;
+    }
+
+
+    protected Element doStage2(WebSession s) throws Exception
+    {
+	ElementContainer ec = new ElementContainer();
+	ec.addElement("Stage 2 Stub");
+	return ec;
+    }
+
+
+    protected Element doStage3(WebSession s) throws Exception
+    {
+	ElementContainer ec = new ElementContainer();
+	ec.addElement("Stage 3 Stub");
+	return ec;
+    }
+
+
+    protected Element doStage4(WebSession s) throws Exception
+    {
+	ElementContainer ec = new ElementContainer();
+	ec.addElement("Stage 4 Stub");
+	return ec;
+    }
+
+
+    protected Element doStage5(WebSession s) throws Exception
+    {
+	ElementContainer ec = new ElementContainer();
+	ec.addElement("Stage 5 Stub");
+	return ec;
+    }
+
+
+    protected Element doStage6(WebSession s) throws Exception
+    {
+	ElementContainer ec = new ElementContainer();
+	ec.addElement("Stage 6 Stub");
+	return ec;
+    }
+    
+}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SoapRequest.java

@@ -61,7 +61,7 @@ import org.owasp.webgoat.session.WebSession;
  * TODO To change the template for this generated type comment go to
  * Window - Preferences - Java - Code Style - Code Templates
  */
-public class SoapRequest extends LessonAdapter
+public class SoapRequest extends SequentialLessonAdapter
 {
 
     /* TEST CODE

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java

@@ -55,7 +55,7 @@ import org.owasp.webgoat.session.WebSession;
  * @author     Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @created    October 28, 2003
  */
-public class SqlNumericInjection extends LessonAdapter
+public class SqlNumericInjection extends SequentialLessonAdapter
 {
 
     private final static String STATION_ID = "station";

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java

@@ -51,7 +51,7 @@ import org.owasp.webgoat.session.WebSession;
  * @author     Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @created    October 28, 2003
  */
-public class SqlStringInjection extends LessonAdapter
+public class SqlStringInjection extends SequentialLessonAdapter
 {
 
     private final static String ACCT_NAME = "account_name";

webgoat/main/project/JavaSource/org/owasp/webgoat/session/LessonTracker.java

@@ -42,8 +42,6 @@ public class LessonTracker
 
     private boolean completed = false;
 
-    private int currentStage = 1;
-
     private int maxHintLevel = 0;
 
     private int numVisits = 0;
@@ -72,18 +70,6 @@ public class LessonTracker
     }
 
 
-    public int getStage()
-    {
-	return currentStage;
-    }
-
-
-    public void setStage(int stage)
-    {
-	currentStage = stage;
-    }
-
-
     /**
      *  Gets the maxHintLevel attribute of the LessonTracker object
      *
@@ -175,15 +161,13 @@ public class LessonTracker
      *
      * @param  props  The new properties value
      */
-    private void setProperties(Properties props, Screen screen)
+    protected void setProperties(Properties props, Screen screen)
     {
 	completed = Boolean.valueOf(
 		props.getProperty(screen.getTitle() + ".completed"))
 		.booleanValue();
 	maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle()
 		+ ".maxHintLevel"));
-	currentStage = Integer.parseInt(props.getProperty(screen.getTitle()
-		+ ".currentStage"));
 	numVisits = Integer.parseInt(props.getProperty(screen.getTitle()
 		+ ".numVisits"));
 	viewedCookies = Boolean.valueOf(
@@ -367,8 +351,6 @@ public class LessonTracker
 	//System.out.println( "Storing data to" + fileName );
 	lessonProperties.setProperty(screen.getTitle() + ".completed", Boolean
 		.toString(completed));
-	lessonProperties.setProperty(screen.getTitle() + ".currentStage",
-		Integer.toString(currentStage));
 	lessonProperties.setProperty(screen.getTitle() + ".maxHintLevel",
 		Integer.toString(maxHintLevel));
 	lessonProperties.setProperty(screen.getTitle() + ".numVisits", Integer
@@ -417,7 +399,6 @@ public class LessonTracker
 	StringBuffer buff = new StringBuffer();
 	buff.append("LessonTracker:" + "\n");
 	buff.append("    - completed:.......... " + completed + "\n");
-	buff.append("    - currentStage:....... " + currentStage + "\n");
 	buff.append("    - maxHintLevel:....... " + maxHintLevel + "\n");
 	buff.append("    - numVisits:.......... " + numVisits + "\n");
 	buff.append("    - viewedCookies:...... " + viewedCookies + "\n");

webgoat/main/project/JavaSource/org/owasp/webgoat/session/SequentialLessonTracker.java

@@ -0,0 +1,39 @@
+package org.owasp.webgoat.session;
+
+import java.util.Properties;
+
+public class SequentialLessonTracker extends LessonTracker {
+
+    private int currentStage = 1;
+
+
+
+    public int getStage()
+    {
+	return currentStage;
+    }
+
+
+    public void setStage(int stage)
+    {
+	currentStage = stage;
+    }
+
+    protected void setProperties(Properties props, Screen screen)
+    {
+    super.setProperties(props, screen);
+	currentStage = Integer.parseInt(props.getProperty(screen.getTitle()
+		+ ".currentStage"));
+    }
+    
+    public void store(WebSession s, Screen screen, String user)
+    {
+	lessonProperties.setProperty(screen.getTitle() + ".currentStage",
+		Integer.toString(currentStage));
+	super.store(s, screen, user);
+    }
+    
+    public String toString() {
+    	return super.toString() + "    - currentStage:....... " + currentStage + "\n";
+    }
+}

webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java

@@ -22,6 +22,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.SequentialLessonAdapter;
 
 /*******************************************************************************
  * 
@@ -907,9 +908,14 @@ public class WebSession
 		}
 		else if (myParser.getRawParameter( STAGE, null ) != null) 
 		{
-			int stage = myParser.getIntParameter(STAGE, getCurrentLesson().getStage(this));
+			AbstractLesson al = getCurrentLesson();
-			if (stage > 0 && stage <= getCurrentLesson().getStageCount())
+			if (al instanceof SequentialLessonAdapter)
-				getCurrentLesson().setStage(this, stage);
+			{
+			SequentialLessonAdapter sla = (SequentialLessonAdapter) al;
+			int stage = myParser.getIntParameter(STAGE, sla.getStage(this));
+			if (stage > 0 && stage <= sla.getStageCount())
+				sla.setStage(this, stage);
+			}
 		}
 		// else update global variables for the current screen
 		else
@@ -981,9 +987,14 @@ public class WebSession
 	
 	private void restartLesson(int lessonId)
 	{
-		System.out.println("Restarting lesson: " + getLesson(lessonId));
+		AbstractLesson al = getLesson(lessonId);
-		getCurrentLesson().getLessonTracker( this ).setStage(1);
+		System.out.println("Restarting lesson: " + al);
-		getCurrentLesson().getLessonTracker( this ).setCompleted(false);
+		al.getLessonTracker( this ).setCompleted(false);
+		if (al instanceof SequentialLessonAdapter)
+		{
+		SequentialLessonAdapter sla = (SequentialLessonAdapter) al;
+		sla.getLessonTracker( this ).setStage(1);
+		}
 	}
 
 	/**
@@ -1063,23 +1074,6 @@ public class WebSession
 		return currentMenu;	
 	}
 	
-	public String htmlEncode(String s)
-	{
-		//System.out.println("Testing for stage 4 completion in lesson " + getCurrentLesson().getName());
-		if (getCurrentLesson().getName().equals("CrossSiteScripting"))
-		{
-			if (getCurrentLesson().getStage(this) == 4 && 
-					s.indexOf("<script>") > -1 && s.indexOf("alert") > -1 && s.indexOf("</script>") > -1)
-			{
-				setMessage( "Welcome to stage 5 -- exploiting the data layer" );
-				// Set a phantom stage value to setup for the 4-5 transition
-				getCurrentLesson().setStage(this, 1005);
-			}
-		}
-		
-		return ParameterParser.htmlEncode(s);
-	}
-
 	public WebgoatContext getWebgoatContext() {
 		return webgoatContext;
 	}

webgoat/main/project/WebContent/lessons/CrossSiteScripting/ViewProfile.jsp

@@ -6,6 +6,7 @@ STAGE 4 FIXES Look for the <-- STAGE 4 - FIX
 <%
 WebSession webSession = ((WebSession)session.getAttribute("websession"));
 	Employee employee = (Employee) session.getAttribute("CrossSiteScripting." + CrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY);
+	CrossSiteScripting lesson = (CrossSiteScripting) webSession.getCurrentLesson();
 //	int myUserId = getIntSessionAttribute(webSession, "CrossSiteScripting." + CrossSiteScripting.USER_ID);
 %>
 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
@@ -83,7 +84,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
 					<TD>
 						<!-- Encode data that might contain HTML content to protect against XSS -->
 
-						<%=webSession.htmlEncode(employee.getPersonalDescription())%>
+						<%=lesson.htmlEncode(webSession, employee.getPersonalDescription())%>
 					</TD>
 					<TD>				
 						Manager: 
@@ -112,7 +113,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
                  <tr>
                  	<td width="50">
 					<%					
-					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.EDITPROFILE_ACTION))
+					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.LISTSTAFF_ACTION))
 					{
 					%>
 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
@@ -161,9 +162,9 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
 		
 		
 		<%
-		if (webSession.getCurrentLesson().getStage(webSession) == 1005)
+		if (lesson.getStage(webSession) == 1005)
 		{
-			webSession.getCurrentLesson().setStage(webSession, 5);
+			lesson.setStage(webSession, 5);
 			//System.out.println("Reloading ViewProfile.jsp for stage 5 transition");
 			String thisPage = webSession.getCurrentLink();
 			//System.out.println("Redirecting to " + thisPage);

webgoat/main/project/WebContent/main.jsp

@@ -8,6 +8,7 @@ AbstractLesson currentLesson = webSession.getCurrentLesson();
 %>
 
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<%@page import="org.owasp.webgoat.lessons.SequentialLessonAdapter"%>
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
@@ -197,18 +198,23 @@ StringBuffer buildList = new StringBuffer();
 				<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)">Close this Window</a>
 				</div>
 				<%
-					if (webSession.isDebug()&& webSession.getCurrentLesson().getStageCount() > 1) {
+					AbstractLesson al = webSession.getCurrentLesson();
+					if (al instanceof SequentialLessonAdapter)
+					{
+					SequentialLessonAdapter sla = (SequentialLessonAdapter) al;
+					if (webSession.isDebug()&& sla.getStageCount() > 1) {
 						%><form method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
 						<select name="<%= WebSession.STAGE %>" onchange="this.form.submit();">
 						<%
-						int stages = webSession.getCurrentLesson().getStageCount();
+						int stages = sla.getStageCount();
-						int stage = webSession.getCurrentLesson().getStage(webSession);
+						int stage = sla.getStage(webSession);
 						for (int i=1; i<=stages;i++) {
 						%><option <% if (i == stage) out.print("selected"); %> value="<%= i %>">Stage <%= i %></option>
 						<%
 						}
 						%></select></form><%
 					}
+					}
 				%>
 				<div id="lessonContent"><%=webSession.getInstructions()%></div>
 				<div id="message" class="info"><%=webSession.getMessage()%></div>