Fixed WebWolf issues with sending e-mails

.travis.yml

@@ -7,7 +7,7 @@ install: "/bin/true"
 script:
 - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
 - echo "TRAVIS_BRANCH=$TRAVIS_BRANCH, PR=$PR, BRANCH=$BRANCH"
-- mvn clean install
+- mvn clean install -q
 cache:
   directories:
   - "$HOME/.m2"

CREATE_RELEASE.MD

@@ -0,0 +1,29 @@
+## Release WebGoat
+
+
+### Version numbers
+
+For WebGoat we use milestone releases first before we release the official version, we use `v8.0.0.M3` while tagging
+ and 8.0.0.M3 in the `pom.xml`. When we create the final release we remove the milestone release and use 
+ `v8.0.0` and 8.0.0 in the `pom.xml`
+
+At the moment we use Gitflow, for a release you create a new release branch and take the following steps:
+
+```
+git checkout develop
+git flow release start <version>
+mvn versions:set <<version> 
+git commit -am "New release, updaing pom.xml" 
+git flow release publish
+```
+
+Now we can make a new release, be sure you committed all your changes.
+
+```
+git tag v8.0.0.M3
+git push origin v8.0.0.M3 
+```
+
+Now Travis takes over and will create the release in Github and on Docker Hub. 
+
+

docker-compose.yml

@@ -1,12 +1,6 @@
 version: '2.0'
 
 services:
-  activemq:
-    image: webcenter/activemq:latest
-    ports:
-      - 8161:8161
-      - 61616:61616
-      - 61613:61613
   mongo:
     image: mongo:latest
     expose:

webgoat-container/src/main/resources/application.properties

@@ -34,7 +34,7 @@ webwolf.host=${WEBWOLF_HOST:localhost}
 webwolf.port=${WEBWOLF_PORT:8081}
 webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
 webworf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
-webworf.url.mail=http://${webwolf.host}:${webwolf.port}/mail
+webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail
 
 spring.jackson.serialization.indent_output=true
 spring.jackson.serialization.write-dates-as-timestamps=false

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java

@@ -45,7 +45,7 @@ public class Assignment7 extends AssignmentEndpoint {
 
     @Autowired
     private RestTemplate restTemplate;
-    @Value("${webworf.url.mail}")
+    @Value("${webwolf.url.mail}")
     private String webWolfMailURL;
 
     @GetMapping("/reset-password/{link}")

webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java

@@ -22,7 +22,7 @@ public class MailAssignment extends AssignmentEndpoint {
     private final String webWolfURL;
     private RestTemplate restTemplate;
 
-    public MailAssignment(RestTemplate restTemplate, @Value("${webwolf.url}") String webWolfURL) {
+    public MailAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfURL) {
         this.restTemplate = restTemplate;
         this.webWolfURL = webWolfURL;
     }
@@ -36,10 +36,10 @@ public AttackResult sendEmail(@RequestParam String email) {
                     .recipient(username)
                     .title("Test messages from WebWolf")
                     .time(LocalDateTime.now())
-                    .contents("This is a test message from WebWolf, your unique code is" + StringUtils.reverse(username))
+                    .contents("This is a test message from WebWolf, your unique code is: " + StringUtils.reverse(username))
                     .sender("[email protected]")
                     .build();
-            restTemplate.postForEntity(webWolfURL + "/WebWolf/mail", mailEvent, Object.class);
+            restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
             return informationMessage().feedback("webwolf.email_send").feedbackArgs(email).build();
         } else {
             return informationMessage().feedback("webwolf.email_mismatch").feedbackArgs(username).build();

webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html

@@ -12,9 +12,10 @@
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:Receiving_mail.adoc"></div>
     <div class="attack-container">
-        <form accept-charset="UNKNOWN"
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="/WebGoat/WebWolf/send"
+              action="/WebGoat/WebWolf/mail/send"
               enctype="application/json;charset=UTF-8">
             <div class="container-fluid">
                 <div class="row">

webwolf/src/main/java/org/owasp/webwolf/WebWolf.java

@@ -2,8 +2,6 @@
 
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webwolf.requests.WebWolfTraceRepository;
-import org.owasp.webwolf.user.UserRepository;
-import org.owasp.webwolf.user.WebGoatUserToCookieRepository;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.actuate.trace.TraceRepository;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
@@ -16,8 +14,8 @@
 public class WebWolf extends SpringBootServletInitializer {
 
     @Bean
-    public TraceRepository traceRepository(WebGoatUserToCookieRepository repository, UserRepository userRepository) {
-        return new WebWolfTraceRepository(repository, userRepository);
+    public TraceRepository traceRepository() {
+        return new WebWolfTraceRepository();
     }
 
     @Override

webwolf/src/main/java/org/owasp/webwolf/requests/Requests.java

@@ -5,9 +5,7 @@
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webwolf.user.WebGoatUser;
 import org.springframework.boot.actuate.trace.Trace;
-import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -46,8 +44,7 @@ private class Tracert {
     @GetMapping
     public ModelAndView get(HttpServletRequest request) {
         ModelAndView m = new ModelAndView("requests");
-        WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
-        List<Tracert> traces = traceRepository.findTraceForUser(user.getUsername()).stream()
+        List<Tracert> traces = traceRepository.findAllTraces().stream()
                 .map(t -> new Tracert(t.getTimestamp(), path(t), toJsonString(t))).collect(toList());
         m.addObject("traces", traces);
 

webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java

@@ -1,51 +1,25 @@
 package org.owasp.webwolf.requests;
 
-import com.google.common.cache.CacheBuilder;
-import com.google.common.cache.CacheLoader;
-import com.google.common.cache.LoadingCache;
+import com.google.common.collect.EvictingQueue;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webwolf.user.UserRepository;
-import org.owasp.webwolf.user.WebGoatUser;
-import org.owasp.webwolf.user.WebGoatUserCookie;
-import org.owasp.webwolf.user.WebGoatUserToCookieRepository;
 import org.springframework.boot.actuate.trace.Trace;
 import org.springframework.boot.actuate.trace.TraceRepository;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
 
-import java.net.HttpCookie;
 import java.util.*;
-import java.util.concurrent.ConcurrentLinkedDeque;
-
-import static java.util.Optional.empty;
-import static java.util.Optional.of;
 
 /**
  * Keep track of all the incoming requests, we are only keeping track of request originating from
- * WebGoat and only if there is a cookie (otherwise we can never relate it back to a user).
+ * WebGoat.
  *
  * @author nbaars
  * @since 8/13/17.
  */
 @Slf4j
 public class WebWolfTraceRepository implements TraceRepository {
 
-    private final LoadingCache<String, ConcurrentLinkedDeque<Trace>> cookieTraces = CacheBuilder.newBuilder()
-            .maximumSize(4000).build(new CacheLoader<String, ConcurrentLinkedDeque<Trace>>() {
-                @Override
-                public ConcurrentLinkedDeque<Trace> load(String s) throws Exception {
-                    return new ConcurrentLinkedDeque<>();
-                }
-            });
-    private final WebGoatUserToCookieRepository repository;
-    private final UserRepository userRepository;
-
-    public WebWolfTraceRepository(WebGoatUserToCookieRepository repository, UserRepository userRepository) {
-        this.repository = repository;
-        this.userRepository = userRepository;
-    }
+    private final EvictingQueue<Trace> traces = EvictingQueue.create(10000);
 
     @Override
     public List<Trace> findAll() {
@@ -55,59 +29,19 @@ public List<Trace> findAll() {
         return Lists.newArrayList(trace);
     }
 
-    public List<Trace> findTraceForUser(String username) {
-        return Lists.newArrayList(cookieTraces.getUnchecked(username));
+    public List<Trace> findAllTraces() {
+        return Lists.newArrayList(traces);
     }
 
     @Override
     public void add(Map<String, Object> map) {
         Optional<String> host = getFromHeaders("host", map);
         String path = (String) map.getOrDefault("path", "");
-        if (host.isPresent() && path.contains("/landing/")) {
-            Optional<String> cookie = getFromHeaders("cookie", map);
-            Optional<String> user = cookie.isPresent() ? findUserBasedOnCookie(cookie.get()) : getLoggedInUser();
-            user.ifPresent(u -> {
-                ConcurrentLinkedDeque<Trace> traces = this.cookieTraces.getUnchecked(u);
-                traces.addFirst(new Trace(new Date(), map));
-                cookieTraces.put(u, traces);
-            });
-            //No user found based on cookie and logged in user, so add the trace to all users
-            //In case of XXE no cookie will be send we cannot retrieve who is logged in.
-            //Standalone this is ok, in a challenge you need to make sure the solution or secret the users need to
-            //fetch is unique
-            if (!user.isPresent()) {
-                List<WebGoatUser> users = this.userRepository.findAll();
-                users.forEach(u -> {
-                    ConcurrentLinkedDeque<Trace> traces = this.cookieTraces.getUnchecked(u.getUsername());
-                    traces.addFirst(new Trace(new Date(), map));
-                    cookieTraces.put(u.getUsername(), traces);
-                });
-            }
+        if (host.isPresent() && path.contains("/landing")) {
+            traces.add(new Trace(new Date(), map));
         }
     }
 
-    private Optional<String> findUserBasedOnCookie(String cookiesIncomingRequest) {
-        //Request from WebGoat to WebWolf will contain the session cookie of WebGoat try to map it to a user
-        //this mapping is added to userSession by the CookieFilter in WebGoat code
-        HttpCookie cookie = HttpCookie.parse(cookiesIncomingRequest).get(0);
-        Optional<WebGoatUserCookie> userToCookie = repository.findByCookie(cookie.getValue());
-        Optional<String> user = userToCookie.map(u -> u.getUsername());
-
-        return user;
-    }
-
-    private Optional<String> getLoggedInUser() {
-        Optional<String> user = empty();
-        //User is maybe logged in to WebWolf use this user
-        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-        if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser) {
-            WebGoatUser wg = (WebGoatUser) authentication.getPrincipal();
-            user = of(wg.getUsername());
-        }
-        return user;
-    }
-
-
     private Optional<String> getFromHeaders(String header, Map<String, Object> map) {
         Map<String, Object> headers = (Map<String, Object>) map.get("headers");
         if (headers != null) {