package org.owasp.webgoat.lessons.GoatHillsFinancial; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; /*************************************************************************************************** * * * This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * * This program is free software; you can redistribute it and/or modify it under the terms of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License along with this program; if * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * 02111-1307, USA. * * Getting Source ============== * * Source for this application is maintained at code.google.com, a repository for free software * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public abstract class DefaultLessonAction implements LessonAction { // FIXME: We could parse this class name to get defaults for these fields. private String lessonName; private String actionName; private GoatHillsFinancial lesson; public DefaultLessonAction(GoatHillsFinancial lesson, String lessonName, String actionName) { this.lesson = lesson; this.lessonName = lessonName; this.actionName = actionName; } public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, UnauthorizedException, ValidationException { getLesson().setCurrentAction(s, getActionName()); if (isAuthenticated(s)) { } else throw new UnauthenticatedException(); } public abstract String getNextPage(WebSession s); public GoatHillsFinancial getLesson() { return lesson; } public String getLessonName() { return lessonName; } public String getActionName() { return actionName; } public void setSessionAttribute(WebSession s, String name, Object value) { s.getRequest().getSession().setAttribute(name, value); } public void setRequestAttribute(WebSession s, String name, Object value) { s.getRequest().setAttribute(name, value); } public void removeSessionAttribute(WebSession s, String name) { s.getRequest().getSession().removeAttribute(name); } protected String getSessionAttribute(WebSession s, String name) throws ParameterNotFoundException { String value = (String) s.getRequest().getSession().getAttribute(name); if (value == null) { throw new ParameterNotFoundException(); } return value; } protected boolean getBooleanSessionAttribute(WebSession s, String name) throws ParameterNotFoundException { boolean value = false; Object attribute = s.getRequest().getSession().getAttribute(name); if (attribute == null) { throw new ParameterNotFoundException(); } else { // System.out.println("Attribute " + name + " is of type " + // s.getRequest().getSession().getAttribute(name).getClass().getName()); // System.out.println("Attribute value: " + // s.getRequest().getSession().getAttribute(name)); value = ((Boolean) attribute).booleanValue(); } return value; } protected int getIntSessionAttribute(WebSession s, String name) throws ParameterNotFoundException { int value = -1; String ss = (String) s.getRequest().getSession().getAttribute(name); if (ss == null) { throw new ParameterNotFoundException(); } else { try { value = Integer.parseInt(ss); } catch (NumberFormatException nfe) { } } return value; } protected String getRequestAttribute(WebSession s, String name) throws ParameterNotFoundException { String value = (String) s.getRequest().getAttribute(name); if (value == null) { throw new ParameterNotFoundException(); } return value; } protected int getIntRequestAttribute(WebSession s, String name) throws ParameterNotFoundException { int value = -1; String ss = (String) s.getRequest().getAttribute(name); if (ss == null) { throw new ParameterNotFoundException(); } else { try { value = Integer.parseInt(ss); } catch (NumberFormatException nfe) { } } return value; } public int getUserId(WebSession s) throws ParameterNotFoundException { return getIntSessionAttribute(s, getLessonName() + "." + RoleBasedAccessControl.USER_ID); } public String getUserName(WebSession s) throws ParameterNotFoundException { String name = null; int employeeId = getUserId(s); try { String query = "SELECT first_name FROM employee WHERE userid = " + employeeId; try { Statement answer_statement = WebSession.getConnection(s) .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); ResultSet answer_results = answer_statement.executeQuery(query); if (answer_results.next()) name = answer_results.getString("first_name"); } catch (SQLException sqle) { s.setMessage("Error getting user name"); sqle.printStackTrace(); } } catch (Exception e) { s.setMessage("Error getting user name"); e.printStackTrace(); } return name; } public boolean requiresAuthentication() { // Default to true return true; } public boolean isAuthenticated(WebSession s) { boolean authenticated = false; try { authenticated = getBooleanSessionAttribute(s, getLessonName() + ".isAuthenticated"); } catch (ParameterNotFoundException e) { } return authenticated; } public boolean isAuthorized(WebSession s, int employeeId, String functionId) { String employer_id = (String) s.getRequest().getSession() .getAttribute(getLessonName() + "." + RoleBasedAccessControl.USER_ID); // System.out.println("Authorizing " + employeeId + " for use of function: " + functionId + // " having USER_ID = " // + employer_id ); boolean authorized = false; try { String query = "SELECT * FROM auth WHERE auth.role in (SELECT roles.role FROM roles WHERE userid = " + employeeId + ") and functionid = '" + functionId + "'"; try { Statement answer_statement = WebSession.getConnection(s) .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); ResultSet answer_results = answer_statement.executeQuery(query); authorized = answer_results.first(); /* * User is validated for function, but can the user perform that function on the * specified user? */ if (authorized) { authorized = isAuthorizedForEmployee(s, Integer.parseInt(employer_id), employeeId); } } catch (SQLException sqle) { s.setMessage("Error authorizing"); sqle.printStackTrace(); } } catch (Exception e) { s.setMessage("Error authorizing"); e.printStackTrace(); } // System.out.println("Authorized? " + authorized); return authorized; } public boolean isAuthorizedForEmployee(WebSession s, int userId, int employeeId) { // System.out.println("Authorizing " + userId + " for access to employee: " + employeeId); boolean authorized = false; try { String query = "SELECT * FROM ownership WHERE employer_id = ? AND employee_id = ?"; try { PreparedStatement answer_statement = WebSession.getConnection(s) .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); answer_statement.setInt(1, userId); answer_statement.setInt(2, employeeId); ResultSet answer_results = answer_statement.executeQuery(); authorized = answer_results.first(); } catch (SQLException sqle) { s.setMessage("Error authorizing"); sqle.printStackTrace(); } } catch (Exception e) { s.setMessage("Error authorizing"); e.printStackTrace(); } return authorized; } protected void setStage(WebSession s, String stage) { getLesson().setStage(s, stage); } protected void setStageComplete(WebSession s, String stage) { getLesson().setStageComplete(s, stage); } protected String getStage(WebSession s) { return getLesson().getStage(s); } public String toString() { return getActionName(); } }