From fbf2d1b422e33c49047a5cc51624a83913645aeb Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Sat, 8 Apr 2017 08:30:14 +0200
Subject: [PATCH] Added validation to detect duplicate users during registration

---
 .../owasp/webgoat/users/UserValidator.java | 11 ++--
 .../webgoat/users/UserValidatorTest.java | 62 +++++++++++++++++++
 2 files changed, 68 insertions(+), 5 deletions(-)
 create mode 100644 webgoat-container/src/test/java/org/owasp/webgoat/users/UserValidatorTest.java

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java
index e3c1e9c35..b0a46b4d6 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java
@@ -1,5 +1,6 @@
 package org.owasp.webgoat.users;
 
+import lombok.AllArgsConstructor;
 import org.springframework.stereotype.Component;
 import org.springframework.validation.Errors;
 import org.springframework.validation.Validator;
@@ -9,10 +10,10 @@ import org.springframework.validation.Validator;
  * @since 3/19/17.
  */
 @Component
+@AllArgsConstructor
 public class UserValidator implements Validator {
 
-//    @Autowired
-//    private UserService userService;
+    private final UserRepository userRepository;
 
     @Override
     public boolean supports(Class aClass) {
@@ -23,9 +24,9 @@ public class UserValidator implements Validator {
     public void validate(Object o, Errors errors) {
         UserForm userForm = (UserForm) o;
 
-//        if (userService.findByUsername(userForm.getUsername()) != null) {
-//            errors.rejectValue("username", "Duplicate.userForm.username");
-//        }
+        if (userRepository.findByUsername(userForm.getUsername()) != null) {
+            errors.rejectValue("username", "username.duplicate");
+        }
 
         if (!userForm.getMatchingPassword().equals(userForm.getPassword())) {
             errors.rejectValue("matchingPassword", "password.diff");
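Review bot: The duplicate-username check added to `validate` is a read-then-write guard, so two registrations for the same name that interleave between this lookup and the later save can both pass it; a unique constraint on the username column, with the resulting persistence failure mapped to the same `username.duplicate` code, is what actually guarantees uniqueness (the save path is outside this patch). The lookup also runs before anything checks that `userForm.getUsername()` is non-null or non-blank, so a null username goes straight into `findByUsername`; a guard such as `if (userForm.getUsername() != null && userRepository.findByUsername(userForm.getUsername()) != null)` keeps the repository query to well-formed input. Whether `findByUsername` is case-sensitive is not visible here; if it is, `Admin` and `admin` would register as distinct accounts, which is worth confirming against the repository. The `validate` method continues past the end of the hunk.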
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserValidatorTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserValidatorTest.java
new file mode 100644
index 000000000..7968ed30f
--- /dev/null
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserValidatorTest.java
@@ -0,0 +1,62 @@
+package org.owasp.webgoat.users;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.owasp.webgoat.session.WebGoatUser;
+import org.springframework.validation.BeanPropertyBindingResult;
+import org.springframework.validation.Errors;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Matchers.anyString;
+import static org.mockito.Mockito.when;
+
+@RunWith(MockitoJUnitRunner.class)
+public class UserValidatorTest {
+
+    @Mock
+    private UserRepository userRepository;
+
+    @Test
+    public void passwordsShouldMatch() {
+        UserForm userForm = new UserForm();
+        userForm.setAgree("true");
+        userForm.setUsername("test1234");
+        userForm.setPassword("test1234");
+        userForm.setMatchingPassword("test1234");
+        Errors errors = new BeanPropertyBindingResult(userForm, "userForm");
+        new UserValidator(userRepository).validate(userForm, errors);
+        assertFalse(errors.hasErrors());
+    }
+
+    @Test
+    public void shouldGiveErrorWhenPasswordsDoNotMatch() {
+        UserForm userForm = new UserForm();
+        userForm.setAgree("true");
+        userForm.setUsername("test1234");
+        userForm.setPassword("test12345");
+        userForm.setMatchingPassword("test1234");
+        Errors errors = new BeanPropertyBindingResult(userForm, "userForm");
+        new UserValidator(userRepository).validate(userForm, errors);
+        assertTrue(errors.hasErrors());
+        assertThat(errors.getFieldError("matchingPassword").getCode()).isEqualTo("password.diff");
+    }
+
+    @Test
+    public void shouldGiveErrorWhenUserAlreadyExists() {
+        UserForm userForm = new UserForm();
+        userForm.setAgree("true");
+        userForm.setUsername("test12345");
+        userForm.setPassword("test12345");
+        userForm.setMatchingPassword("test12345");
+        when(userRepository.findByUsername(anyString())).thenReturn(new WebGoatUser("test1245", "password"));
+        Errors errors = new BeanPropertyBindingResult(userForm, "userForm");
+        new UserValidator(userRepository).validate(userForm, errors);
+        assertTrue(errors.hasErrors());
+        assertThat(errors.getFieldError("username").getCode()).isEqualTo("username.duplicate");
+    }
+
+}
\ No newline at end of file
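Review bot: `shouldGiveErrorWhenUserAlreadyExists` stubs `findByUsername(anyString())` and returns a user named `"test1245"`, which neither matches the form's `"test12345"` nor pins the argument the validator passes to the repository, so a lookup keyed on the wrong field would still pass. Stubbing the exact name, `when(userRepository.findByUsername("test12345")).thenReturn(new WebGoatUser("test12345", "password"));`, and adding `verify(userRepository).findByUsername("test1234");` to `passwordsShouldMatch` (with a static import of `org.mockito.Mockito.verify`) makes both paths explicit instead of relying on Mockito's default null return for the no-duplicate case. A test for a form whose username is null is also missing, since the validator hands the username to the repository before anything checks the field.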