Refactoring (WebGoat#1201)

* Some initial refactoring

* Make it one application

* Got it working

* Fix problem on Windows

* Move WebWolf

* Move first lesson

* Moved all lessons

* Fix pom.xml

* Fix tests

* Add option to initialize a lesson

This way we can create content for each user inside a lesson. The initialize method will be called when a new user is created or when a lesson reset happens

* Clean up pom.xml files

* Remove fetching labels based on language.

We only support English at the moment, all the lesson explanations are written in English which makes it very difficult to translate. If we only had labels it would make sense to support multiple languages

* Fix SonarLint issues

* And move it all to the main project

* Fix for documentation paths

* Fix pom warnings

* Remove PMD as it does not work

* Update release notes about refactoring

Update release notes about refactoring

Update release notes about refactoring

* Fix lesson template

* Update release notes

* Keep it in the same repo in Dockerhub

* Update documentation to show how the connection is obtained.

Resolves: WebGoat#1180

* Rename all integration tests

* Remove command from Dockerfile

* Simplify GitHub actions

Currently, we use a separate actions for pull-requests and branch build.
This is now consolidated in one action.
The PR action triggers always, it now only trigger when the PR is
opened and not in draft.
Running all platforms on a branch build is a bit too much, it is better
 to only run all platforms when someone opens a PR.

* Remove duplicate entry from release notes

* Add explicit registry for base image

* Lesson scanner not working when fat jar

When running the fat jar we have to take into account we
are reading from the jar file and not the filesystem. In
this case you cannot use `getFile` for example.

* added info in README and fixed release docker

* changed base image and added ignore file

Co-authored-by: Zubcevic.com <[email protected]>

.dockerignore

@@ -0,0 +1,3 @@
+**
+
+!/target

.editorconfig

@@ -12,5 +12,4 @@ ij_continuation_indent_size = 8
 ij_formatter_off_tag = @formatter:off
 ij_formatter_on_tag = @formatter:on
 ij_formatter_tags_enabled = false
-ij_wrap_on_typing = true
 ij_java_names_count_to_use_import_on_demand = 999

.github/workflows/build.yml

@@ -0,0 +1,72 @@
+name: "Build"
+on:
+  pull_request:
+    paths-ignore:
+      - '.txt'
+      - '*.MD'
+      - '*.md'
+      - 'LICENSE'
+      - 'docs/**'
+  push:
+    branches:
+      - main
+      - develop
+      - release/*
+    tags-ignore:
+      - '*'
+    paths-ignore:
+      - '.txt'
+      - '*.MD'
+      - '*.md'
+      - 'LICENSE'
+      - 'docs/**'
+
+jobs:
+  pr-build:
+    if: >
+      github.event_name == 'pull_request' && !github.event.pull_request.draft && (
+        github.event.action == 'opened' ||
+        github.event.action == 'reopened' ||
+        github.event.action == 'synchronize' 
+      )
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK 17
+        uses: actions/setup-java@v2
+        with:
+          distribution: 'temurin'
+          java-version: 17
+          architecture: x64
+      - name: Cache Maven packages
+        uses: actions/[email protected]
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-
+      - name: Build with Maven
+        run: mvn --no-transfer-progress package
+
+  build:
+    if: github.repository == 'WebGoat/WebGoat' && github.event_name == 'push'
+    runs-on: ubuntu-latest
+    name: "Branch build"
+    steps:
+        - uses: actions/checkout@v2
+        - name: set up JDK 17
+          uses: actions/setup-java@v2
+          with:
+              distribution: 'temurin'
+              java-version: 17
+              architecture: x64
+        - name: Cache Maven packages
+          uses: actions/[email protected]
+          with:
+              path: ~/.m2
+              key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
+              restore-keys: ubuntu-latest-m2-
+        - name: Test with Maven
+          run: mvn --no-transfer-progress verify

.github/workflows/release.yml

@@ -46,8 +46,7 @@ jobs:
         with:
           draft: false
           files: |
-            webgoat-server/target/webgoat-server-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
-            webwolf/target/webwolf-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
+            webgoat/target/webgoat-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
           body: |
             ## Version ${{ steps.tag.outputs.tag }}
 
@@ -91,13 +90,13 @@ jobs:
       - name: "Build and push"
         uses: docker/[email protected]
         with:
-          context: ./docker
-          file: docker/Dockerfile
+          context: ./
+          file: ./Dockerfile
           push: true 
           platforms: linux/amd64, linux/arm64, linux/arm/v7
           tags: |
-            webgoat/goatandwolf:${{ env.WEBGOAT_TAG_VERSION }}
-            webgoat/goatandwolf:latest
+            webgoat/webgoat:${{ env.WEBGOAT_TAG_VERSION }}
+            webgoat/webgoat:latest
           build-args: |
             webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
 
@@ -118,10 +117,10 @@ jobs:
           ref: develop
           token: ${{ secrets.WEBGOAT_DEPLOYER_TOKEN }}
 
-      - name: Set up JDK 15
+      - name: Set up JDK 17
         uses: actions/setup-java@v2
         with:
-          java-version: 15
+          java-version: 17
           architecture: x64
 
       - name: Set version to next snapshot

Dockerfile

@@ -0,0 +1,32 @@
+FROM docker.io/eclipse-temurin:17-jdk-focal
+
+RUN useradd -ms /bin/bash webgoat
+RUN chgrp -R 0 /home/webgoat
+RUN chmod -R g=u /home/webgoat
+
+USER webgoat
+
+COPY --chown=webgoat target/webgoat-*.jar /home/webgoat/webgoat.jar
+
+EXPOSE 8080
+EXPOSE 9090
+
+WORKDIR /home/webgoat
+ENTRYPOINT [ "java", \
+   "-Duser.home=/home/webgoat", \
+   "-Dfile.encoding=UTF-8", \
+   "--add-opens", "java.base/java.lang=ALL-UNNAMED", \
+   "--add-opens", "java.base/java.util=ALL-UNNAMED", \
+   "--add-opens", "java.base/java.lang.reflect=ALL-UNNAMED", \
+   "--add-opens", "java.base/java.text=ALL-UNNAMED", \
+   "--add-opens", "java.desktop/java.beans=ALL-UNNAMED", \
+   "--add-opens", "java.desktop/java.awt.font=ALL-UNNAMED", \
+   "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
+   "--add-opens", "java.base/java.io=ALL-UNNAMED", \
+   "--add-opens", "java.base/java.util=ALL-UNNAMED", \
+   "-Drunning.in.docker=true", \
+   "-Dwebgoat.host=0.0.0.0", \
+   "-Dwebwolf.host=0.0.0.0", \
+   "-Dwebgoat.port=8080", \
+   "-Dwebwolf.port=9090", \
+   "-jar", "webgoat.jar" ]

README.md

@@ -33,21 +33,15 @@ For more details check [the Contribution guide](/CONTRIBUTING.md)
 
 ## 1. Run using Docker
 
-Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/goatandwolf).
+Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/webgoat).
 
 The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
 
 ```shell
 
-docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.2
+docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/webgoat
 ```
 
-The landing page will be located at: http://localhost  
-WebGoat will be located at: http://localhost:8080/WebGoat  
-WebWolf will be located at: http://localhost:9090/WebWolf
-
-**Important**: *Change the ports if necessary, for example use `127.0.0.1:7777:9090` to map WebWolf to `http://localhost:7777/WebGoat`*  
-
 **Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.*
 
 
@@ -56,12 +50,10 @@ WebWolf will be located at: http://localhost:9090/WebWolf
 Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```shell
-java -Dfile.encoding=UTF-8 -Dserver.port=8080 -Dserver.address=localhost -Dhsqldb.port=9001 -jar webgoat-server-8.2.2.jar 
-java -Dfile.encoding=UTF-8 -Dserver.port=9090 -Dserver.address=localhost -jar webwolf-8.2.2.jar
+java -Dfile.encoding=UTF-8 -jar webgoat-8.2.3.jar 
 ```
 
-WebGoat will be located at: http://localhost:8080/WebGoat and   
-WebWolf will be located at: http://localhost:9090/WebWolf (change ports if necessary)
+Click the link in the log to start WebGoat.
 
 ## 3. Run from the sources
 
@@ -84,17 +76,21 @@ cd WebGoat
 git checkout <<branch_name>>
 # On Linux/Mac:
 ./mvnw clean install 
+
 # On Windows:
 ./mvnw.cmd clean install
+
+# Using docker or podman, you can than build the container locally
+docker build -f Dockerfile . -t webgoat/webgoat
 ```
 
 Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
 
 ```Shell
 # On Linux/Mac:
-./mvnw -pl webgoat-server spring-boot:run
-# On Widows:
-./mvnw.cmd -pl webgoat-server spring-boot:run
+./mvnw spring-boot:run
+# On Windows:
+./mvnw.cmd spring-boot:run
 
 ```
 ... you should be running WebGoat on localhost:8080/WebGoat momentarily
@@ -114,9 +110,9 @@ For instance running as a jar on a Linux/macOS it will look like this:
 ```Shell
 export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
 export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
-java -jar webgoat-server/target/webgoat-server-v8.2.2-SNAPSHOT.jar
-```
+java -jar target/webgoat-8.2.3-SNAPSHOT.jar
+
 Or in a docker run it would (once this version is pushed into docker hub) look like this:
 ```Shell
-docker run -d -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/goatandwolf
+docker run -d -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/webgoat
 ```

RELEASE_NOTES.md

@@ -4,7 +4,21 @@
 
 ### New functionality
 
-- Update the Docker startup script, it is now possible to pass `skip-nginx` or set `SKIP_NGINX` as environment variable.
+- New year's resolution: major refactoring of WebGoat to simplify the setup and improve building times.
+- Move away from multi-project setup:
+  - This has a huge performance benefit when building the application. Build time locally is now `Total time:  42.469 s` (depends on your local machine of course)
+  - No longer add Maven dependencies in several places
+  - H2 no longer needs to run as separate process, which solves the issue of WebWolf sharing and needing to configure the correct database connection.
+- More explicit paths in html files to reference `adoc` files, less magic.
+- Integrate WebWolf in WebGoat, the setup was way too complicated and needed configuration which could lead to mistakes and a not working application. This also simplifies the Docker configuration as there is only 1 Docker image.
+- Add WebWolf button in WebGoat
+- Move all lessons into `src/main/resources` 
+- WebGoat selects a port dynamically when starting. It will still start of port 8080 it will try another port to ease the user experience. 
+- WebGoat logs URL after startup: `Please browse to http://127.0.0.1:8080/WebGoat to get started...`
+- Simplify `Dockerfile` as we no longer need a script to start everything
+- Maven build now start WebGoat jar with Maven plugin to make sure we run against the latest build.
+- Added `Initializable` interface for a lesson, an assignment can implement this interface to set it up for a specific user and to reset the assignment back to its original state when a reset lesson occurs. See `BlindSendFileAssignment` for an example.
+- Integration tests now use the same user. This saves a lot of time as before every test used a different user which triggered the Flyway migration to set up the database schema for the user. This migration took a lot of time.
 
 ## Version 8.2.2