SecurityShepherd/src/it/java/servlets/module/lesson/SessionManagementLessonIT.java at dbd003cc38d5e303063cd0e1dae91ddb17ca801b · OWASP/SecurityShepherd · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
package servlets.module.lesson;

import static org.junit.jupiter.api.Assertions.fail;

import dbProcs.GetterIT;
import dbProcs.Setter;
import java.io.IOException;
import java.sql.SQLException;
import jakarta.servlet.http.Cookie;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockServletConfig;
import testUtils.TestProperties;

public class SessionManagementLessonIT {

  private static String lang = "en_GB";
  private static final Logger log = LogManager.getLogger(SessionManagementLessonIT.class);
  private static String applicationRoot = new String();
  private MockHttpServletRequest request;
  private MockHttpServletResponse response;

  /** Creates DB or Restores DB to Factory Defaults before running tests */
  @BeforeAll
  public static void resetDatabase() throws IOException, SQLException {
    TestProperties.setTestPropertiesFileDirectory(log);

    TestProperties.createMysqlResource();

    TestProperties.ensureSchemaReady(log);
    TestProperties.reseedTestData();
  }

  @BeforeEach
  public void setup() {
    request = new MockHttpServletRequest();
    response = new MockHttpServletResponse();
    // Open All modules
    if (!Setter.openAllModules(applicationRoot, false)) {
      fail("Could not Mark All Modules As Open");
    }
  }

  public String getModuleDoPost(String cookieValue, int expectedResponseCode) throws Exception {
    try {
      String servletClassName = "SessionManagementLesson";
      log.debug("Creating " + servletClassName + " Servlet Instance");
      SessionManagementLesson servlet = new SessionManagementLesson();
      servlet.init(new MockServletConfig(servletClassName));

      // Setup Servlet Parameters and Attributes
      log.debug("Setting Up Params and Atrributes");
      Cookie submittedCookie = new Cookie("lessonComplete", cookieValue);
      request.setCookies(submittedCookie);

      log.debug("Running doPost");
      servlet.doPost(request, response);

      if (response.getStatus() != expectedResponseCode) {
        fail(
            servletClassName
                + " Servlet Returned "
                + response.getStatus()
                + " Code. "
                + expectedResponseCode
                + " Expected");
      } else {
        log.debug("302 OK Detected");
        log.debug(
            servletClassName
                + " Successful, returning location retrieved: "
                + response.getContentAsString());
        return (response.getContentAsString());
      }
    } catch (Exception e) {
      throw e;
    }
    return null;
  }

  @Test
  public void testLevelValidAnswer() {
    String userName = "lessonTester";
    try {
      // Verify User Exists in DB
      GetterIT.verifyTestUser(applicationRoot, userName, userName);
      // Sign in as Normal User
      log.debug("Signing in as " + userName + " Through LoginServlet");
      TestProperties.loginDoPost(log, request, response, userName, userName, null, lang);
      log.debug("Login Servlet Complete, Getting CSRF Token");
      if (response.getCookie("token") == null) {
        fail("No CSRF Token Was Returned from Login Servlet");
      }
      String csrfToken = response.getCookie("token").getValue();
      if (csrfToken.isEmpty()) {
        String message = new String("No CSRF token returned from Login Servlet");
        log.fatal(message);
        fail(message);
      } else {
        request.setCookies(response.getCookies());
        String servletResponse = getModuleDoPost("lessonComplete", 302);
        if (servletResponse.contains("You must be getting funky")) {
          String message = new String("General 'Funky' Error Detected");
          log.fatal(message);
          fail(message);
        } else if (!servletResponse.contains("Lesson Complete")) {
          String message = new String("Valid Solution did not yeild Result Key");
          log.fatal(message);
          fail(message);
        }
      }
    } catch (Exception e) {
      log.fatal("Could not Complete: " + e.toString());
      fail("Could not Complete: " + e.toString());
    }
  }

  @Test
  public void testLevelInvalidAnswer() {
    String userName = "lessonTester";
    try {
      // Verify User Exists in DB
      GetterIT.verifyTestUser(applicationRoot, userName, userName);
      // Sign in as Normal User
      log.debug("Signing in as " + userName + " Through LoginServlet");
      TestProperties.loginDoPost(log, request, response, userName, userName, null, lang);
      log.debug("Login Servlet Complete, Getting CSRF Token");
      if (response.getCookie("token") == null) {
        fail("No CSRF Token Was Returned from Login Servlet");
      }
      String csrfToken = response.getCookie("token").getValue();
      if (csrfToken.isEmpty()) {
        String message = new String("No CSRF token returned from Login Servlet");
        log.fatal(message);
        fail(message);
      } else {
        request.setCookies(response.getCookies());
        String servletResponse = getModuleDoPost("lessonNotComplete", 302);
        if (servletResponse.contains("You must be getting funky")) {
          String message = new String("General 'Funky' Error Detected");
          log.fatal(message);
          fail(message);
        } else if (!servletResponse.contains("Lesson Not Complete")) {
          String message = new String("Invalid Solution yeilded Result Key");
          log.fatal(message);
          fail(message);
        }
      }
    } catch (Exception e) {
      log.fatal("Could not Complete: " + e.toString());
      fail("Could not Complete: " + e.toString());
    }
  }

  @Test
  public void testLevelNoAuth() {
    try {
      request.getSession().setAttribute("lang", lang);
      String servletResponse =
          getModuleDoPost(
              "lessonComplete",
              200); // Mock response is 200 for Unauthenticated response for some reason
      if (servletResponse.contains("You must be getting funky")) {
        String message = new String("General 'Funky' Error Detected");
        log.fatal(message);
        fail(message);
      } else if (!servletResponse.contains("Are you signed in")) {
        String message = new String("Did not get 'Are you signed in' Response");
        log.fatal(message);
        fail(message);
      }
    } catch (Exception e) {
      log.fatal("Could not Complete: " + e.toString());
      fail("Could not Complete: " + e.toString());
    }
  }
}