From 8b8a89a8ab838c487d54cd5b718d04dbedf985c2 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Sat, 28 Apr 2018 16:01:57 +0200
Subject: [PATCH] Add extra informational message when a failure occurs while sending an email from WebGoat to WebWolf.
---
 .../service/ReportCardServiceTest.java | 1 +
 .../owasp/webgoat/plugin/MailAssignment.java | 7 +-
 .../resources/i18n/WebGoatLabels.properties | 2 +-
 webwolf/pom.xml | 4 +
 .../java/org/owasp/webwolf/mailbox/Email.java | 9 +-
 .../webwolf/mailbox/MailboxController.java | 13 +--
 .../mailbox/MailboxControllerTest.java | 98 +++++++++++++++++++
 7 files changed, 121 insertions(+), 13 deletions(-)
 create mode 100644 webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java
index e3c03ad17f..f35c4131da 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java
@@ -47,6 +47,7 @@ public class ReportCardServiceTest {
 @Before
 public void setup() {
 this.mockMvc = standaloneSetup(new ReportCardService(websession, userTrackerRepository, course, pluginMessages)).build();
+ when(pluginMessages.getMessage(anyString())).thenReturn("Test");
 }
 @Test
diff --git a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java
index 54e17a9c2a..c10321e74f 100644
--- a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java
+++ b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java
@@ -8,6 +8,7 @@
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.client.RestClientException;
 import org.springframework.web.client.RestTemplate;
 import java.time.LocalDateTime;
@@ -39,7 +40,11 @@ public AttackResult sendEmail(@RequestParam String email) {
 .contents("This is a test message from WebWolf, your unique code is: " + StringUtils.reverse(username))
 .sender("webgoat@owasp.org")
 .build();
- restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
+ try {
+ restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
+ } catch (RestClientException e ) {
+ return informationMessage().feedback("webwolf.email_failed").output(e.getMessage()).build();
+ }
 return informationMessage().feedback("webwolf.email_send").feedbackArgs(email).build();
 } else {
 return informationMessage().feedback("webwolf.email_mismatch").feedbackArgs(username).build();
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties
index 20947800b1..0981f2a08b 100644
--- a/webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties
@@ -2,7 +2,7 @@ webwolf.title=WebWolf
 webwolf.email_send=An email has been send to {0} please check your inbox.
 webwolf.code_incorrect=That is not the correct code: {0}, please try again.
-
+webwolf.email_failed=There was an error while sending the e-mail. Is WebWolf running?
 webwolf.email_mismatch=Of course you can send mail to user {0} however you will not be able to read this e-mail in WebWolf, please use your own username.
diff --git a/webwolf/pom.xml b/webwolf/pom.xml
index 37126b0ba4..2b606b9520 100644
--- a/webwolf/pom.xml
+++ b/webwolf/pom.xml
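Review bot: The new catch block in sendEmail passes `e.getMessage()` straight into `.output(...)`, so whatever RestTemplate put into the exception text — typically the WebWolf URL with host and port plus the underlying connect or timeout error — is rendered into the lesson response, while the exception itself is not logged anywhere, leaving an operator debugging the WebGoat-to-WebWolf link with less information than the end user. Keep the user-facing text to the new `webwolf.email_failed` label and record the failure server-side instead, e.g. `log.warn("Could not send mail to WebWolf at {}", webWolfURL, e);` if the class has a Slf4j logger (not visible in this hunk), and drop `.output(e.getMessage())` or reduce it to the exception class name. The stray space in `catch (RestClientException e )` should also go. sendEmail starts before this hunk and its closing brace lies after it.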
@@ -85,6 +85,10 @@
 spring-boot-starter-test test
+
+ org.springframework.security
+ spring-security-test
+
diff --git a/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java b/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java
index d721bc5d54..c97e0ba4ee 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java
+++ b/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java
@@ -1,5 +1,8 @@
 package org.owasp.webwolf.mailbox;
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
 import lombok.Data;
 import lombok.NoArgsConstructor;
@@ -13,6 +16,8 @@
 * @since 8/20/17.
 */
 @Data
+@Builder
+@AllArgsConstructor
 @Entity
 @NoArgsConstructor
 public class Email implements Serializable {
@@ -20,7 +25,7 @@ public class Email implements Serializable {
 @Id
 @GeneratedValue(strategy = GenerationType.IDENTITY)
 private Long id;
- private LocalDateTime time;
+ private LocalDateTime time = LocalDateTime.now();
 @Column(length = 1024)
 private String contents;
 private String sender;
@@ -28,7 +33,7 @@ public class Email implements Serializable {
 private String recipient;
 public String getSummary() {
- return "-" + this.contents.substring(0, 50);
+ return "-" + this.contents.substring(0, Math.min(50, contents.length()));
 }
 public LocalDateTime getTimestamp() {
diff --git a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java b/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java
index 52ec559594..b4f149db2b 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java
+++ b/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java
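Review bot: The added spring-security-test dependency shows no `test` scope in this hunk, whereas the spring-boot-starter-test entry right above it does; the XML tag names were stripped by the rendering, so please confirm in the file, but if the scope really is missing the test-support jar ends up on the WebWolf runtime classpath and in the packaged artifact. Add `<scope>test</scope>` inside the new `<dependency>` element so it is confined to the test build.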
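Review bot: The new initializer `private LocalDateTime time = LocalDateTime.now();` is not honored by the `@Builder` added in the same commit: Lombok's generated builder passes its own (null) value through the `@AllArgsConstructor`, so an Email built without `.time(...)` still has a null timestamp, which is presumably why every builder call in the new test sets it explicitly. Annotate it `@Builder.Default private LocalDateTime time = LocalDateTime.now();` if the project's Lombok version supports it, or drop the initializer so the default is not misleading. In the last hunk, `getSummary` still dereferences `this.contents` without a null check, so an Email posted without contents turns into a NullPointerException when the mailbox page renders; `Math.min` only fixes the short-string case, so guard with `contents == null ? "-" : ...`. The `JsonIgnore` import added in the first hunk is not used in any of the hunks shown.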
@@ -7,6 +7,7 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -25,12 +26,11 @@
 @Slf4j
 public class MailboxController {
- private final UserRepository userRepository;
 private final MailboxRepository mailboxRepository;
 @GetMapping(value = "/WebWolf/mail")
 public ModelAndView mail() {
- WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+ User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
 ModelAndView modelAndView = new ModelAndView();
 List emails = mailboxRepository.findByRecipientOrderByTimeDesc(user.getUsername());
 if (emails != null && !emails.isEmpty()) {
@@ -44,13 +44,8 @@ public ModelAndView mail() {
 @PostMapping(value = "/mail")
 public Callable> sendEmail(@RequestBody Email email) {
 return () -> {
- if (userRepository.findByUsername(email.getRecipient()) != null) {
- mailboxRepository.save(email);
- return ResponseEntity.status(HttpStatus.CREATED).build();
- } else {
- log.trace("Mail received for unknown user: {}", email.getRecipient());
- return ResponseEntity.notFound().build();
- }
+ mailboxRepository.save(email);
+ return ResponseEntity.status(HttpStatus.CREATED).build();
 };
 }
diff --git a/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java b/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java
new file mode 100644
index 0000000000..3c554a68db
--- /dev/null
+++ b/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java
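Review bot: Removing the `userRepository.findByUsername(...)` check turns POST /mail into an unconditional `mailboxRepository.save(email)`: any request body, for any recipient string and of any length, is now persisted, and the trace log for unknown recipients disappears with it. If WebWolf can no longer consult the user store, at least validate the incoming Email before saving — `if (email.getRecipient() == null || email.getRecipient().trim().isEmpty()) { return ResponseEntity.badRequest().build(); }` — and bound contents to the 1024-character column declared on Email, which otherwise fails inside the Callable as a persistence exception rather than a 4xx; a log line for the stored recipient keeps unexpected traffic visible. In mail(), the cast `(User) ...getPrincipal()` throws ClassCastException for an anonymous principal (a String in Spring Security); whether that path is reachable depends on the security configuration, which is outside this diff.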
@@ -0,0 +1,98 @@
+package org.owasp.webwolf.mailbox;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.Lists;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mockito;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.http.MediaType;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
+
+import java.time.LocalDateTime;
+import java.time.format.DateTimeFormatter;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.not;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
+
+@RunWith(SpringRunner.class)
+@WebMvcTest(MailboxController.class)
+public class MailboxControllerTest {
+
+ @Autowired
+ private MockMvc mvc;
+ @MockBean
+ private MailboxRepository mailbox;
+ @Autowired
+ private ObjectMapper objectMapper;
+
+ @JsonIgnoreProperties("time")
+ public static class EmailMixIn {
+ }
+
+ @Before
+ public void setup() {
+ objectMapper.addMixIn(Email.class, EmailMixIn.class);
+ }
+
+ @Test
+ @WithMockUser
+ public void sendingMailShouldStoreIt() throws Exception {
+ Email email = Email.builder()
+ .contents("This is a test mail")
+ .recipient("test1234@webgoat.org")
+ .sender("hacker@webgoat.org")
+ .title("Click this mail")
+ .time(LocalDateTime.now())
+ .build();
+
this.mvc.perform(post("/mail").contentType(MediaType.APPLICATION_JSON).content(objectMapper.writeValueAsBytes(email)))
+ .andExpect(status().isOk());
+ }
+
+ @Test
+ @WithMockUser(username = "test1234")
+ public void userShouldBeAbleToReadOwnEmail() throws Exception {
+ Email email = Email.builder()
+ .contents("This is a test mail")
+ .recipient("test1234@webgoat.org")
+ .sender("hacker@webgoat.org")
+ .title("Click this mail")
+ .time(LocalDateTime.now())
+ .build();
+ Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234")).thenReturn(Lists.newArrayList(email));
+
+ this.mvc.perform(get("/WebWolf/mail"))
+ .andExpect(status().isOk())
+ .andExpect(view().name("mailbox"))
+ .andExpect(content().string(containsString("Click this mail")))
+ .andExpect(content().string(containsString(DateTimeFormatter.ofPattern("h:mm a").format(email.getTimestamp()))));
+ }
+
+ @Test
+ @WithMockUser(username = "test1233")
+ public void differentUserShouldNotBeAbleToReadOwnEmail() throws Exception {
+ Email email = Email.builder()
+ .contents("This is a test mail")
+ .recipient("test1234@webgoat.org")
+ .sender("hacker@webgoat.org")
+ .title("Click this mail")
+ .time(LocalDateTime.now())
+ .build();
+ Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234")).thenReturn(Lists.newArrayList(email));
+
+ this.mvc.perform(get("/WebWolf/mail"))
+ .andExpect(status().isOk())
+ .andExpect(view().name("mailbox"))
+ .andExpect(content().string(not(containsString("Click this mail"))));
+ }
+
+}
\ No newline at end of file
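Review bot: `sendingMailShouldStoreIt` does not assert what its name promises: the controller returns its result through a `Callable`, so `mvc.perform(...)` completes before the callable runs, `status().isOk()` matches the pre-dispatch 200 rather than the 201 CREATED the controller produces, and `mailbox.save` is never verified, so the test would pass even if the POST stored nothing. Drive the async dispatch and verify the repository call as below; `request()` comes from the `MockMvcResultMatchers.*` import already present, while `asyncDispatch` needs a static import from `MockMvcRequestBuilders` and `MvcResult` an import from `org.springframework.test.web.servlet`. Verifying with `Mockito.any(Email.class)` rather than `email` is deliberate, since the `time` field is dropped by the mix-in on the way over and the deserialized copy will not be equal. Separately, `DateTimeFormatter.ofPattern("h:mm a")` without a `Locale` formats the AM/PM marker in the JVM default locale, so `userShouldBeAbleToReadOwnEmail` is environment-dependent unless the template renders with the same default.
```java
MvcResult result = this.mvc.perform(post("/mail").contentType(MediaType.APPLICATION_JSON).content(objectMapper.writeValueAsBytes(email)))
        .andExpect(request().asyncStarted())
        .andReturn();
this.mvc.perform(asyncDispatch(result)).andExpect(status().isCreated());
Mockito.verify(mailbox).save(Mockito.any(Email.class));
```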