additional tests, one fix

webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/HiddenMenuItems.java → webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionACHiddenMenus.java

@@ -27,7 +27,7 @@
 
 @AssignmentPath("/access-control/hidden-menu")
 @AssignmentHints({"access-control.hidden-menus.hint1","access-control.hidden-menus.hint2","access-control.hidden-menus.hint3"})
-public class HiddenMenuItems extends AssignmentEndpoint {
+public class MissingFunctionACHiddenMenus extends AssignmentEndpoint {
     //UserSessionData is bound to session and can be used to persist data across multiple assignments
     @Autowired
     UserSessionData userSessionData;
@@ -46,7 +46,7 @@ AttackResult completed(String hiddenMenu1, String hiddenMenu2, HttpServletReques
         }
 
         if (hiddenMenu1.equals("Config") && hiddenMenu2.equals("Users")) {
-            return trackProgress(success()
+            return trackProgress(failed()
                     .output("")
                     .feedback("access-control.hidden-menus.close")
                     .build());

webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties

@@ -1,6 +1,6 @@
 missing-function-access-control.title=Missing Function Level Access Control
 
-access-control.hidden-menus.success=Correct! And not hard to find are they?!? For the next lab, note that the endpoints are at /WebGoat/access-control/list-users and /WebGoat/access-control/add-user
+access-control.hidden-menus.success=Correct! And not hard to find are they?!? One of these urls will be helpful in the next lab.
 access-control.hidden-menus.close=Close. Remember that when hacking ... details such as order,case and the like matter.
 access-control.hidden-menus.failure=Please try again.
 

webgoat-lessons/missing-function-ac/src/test/org/owasp/webgoat/plugin/MissingFunctionACHiddenMenusTest.java

@@ -0,0 +1,53 @@
+package org.owasp.webgoat.plugin;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+@RunWith(MockitoJUnitRunner.class)
+public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest {
+
+    private MockMvc mockMvc;
+
+    @Before
+    public void setup() {
+        MissingFunctionACHiddenMenus hiddenMenus = new MissingFunctionACHiddenMenus();
+        init(hiddenMenus);
+        this.mockMvc = standaloneSetup(hiddenMenus).build();
+    }
+
+    @Test
+    public void HiddenMenusSuccess() throws  Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/hidden-menu")
+                .param("hiddenMenu1", "Users")
+                .param("hiddenMenu2", "Config"))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("access-control.hidden-menus.success"))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+    }
+
+    @Test
+    public void HiddenMenusClose() throws  Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/hidden-menu")
+                .param("hiddenMenu1", "Config")
+                .param("hiddenMenu2", "Users"))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("access-control.hidden-menus.close"))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+
+    @Test
+    public void HiddenMenusFailure() throws  Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/hidden-menu")
+                .param("hiddenMenu1", "Foo")
+                .param("hiddenMenu2", "Bar"))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("access-control.hidden-menus.failure"))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+}