ChallengesControllerCTFModeWithPresetCloudValuesTest.java
package org.owasp.wrongsecrets.ctftests;
import static org.hamcrest.CoreMatchers.not;
import static org.hamcrest.Matchers.containsString;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
import org.owasp.wrongsecrets.Challenges;
import org.owasp.wrongsecrets.WrongSecretsApplication;
import org.owasp.wrongsecrets.challenges.cloud.Challenge10;
import org.owasp.wrongsecrets.challenges.cloud.challenge11.Challenge11Aws;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;
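/**
 * Integration tests for the challenge endpoints when the application runs in CTF mode with
 * {@code K8S_ENV=gcp} and preset {@code default_aws_value_challenge_*} values.
 *
 * <p>The tests pin three properties of CTF mode under this configuration: the {@code /spoil}
 * endpoint does not reveal solutions, a correct answer to challenges 9 and 10 returns the expected
 * flag string, and challenge 11 reports itself as disabled while the other cloud and Kubernetes
 * challenges are not rendered with a disabled link.
 */
@SpringBootTest(
    properties = {
      "K8S_ENV=gcp",
      "ctf_enabled=true",
      // Fixed test-only key; NOTE(review): the flag strings asserted below presumably depend on
      // this value, so changing it would require updating them - confirm.
      "ctf_key=randomtextforkey",
      "SPECIAL_K8S_SECRET=test5",
      "SPECIAL_SPECIAL_K8S_SECRET=test6",
      "vaultpassword=test7",
      "secretmountpath=nothere",
      "default_aws_value_challenge_9=ACTUAL_ANSWER_CHALLENGE9",
      "default_aws_value_challenge_10=ACTUAL_ANSWER_CHALLENGE10",
      "default_aws_value_challenge_11=ACTUAL_ANSWER_CHALLENGE_11"
    },
    classes = WrongSecretsApplication.class)
@AutoConfigureMockMvc
class ChallengesControllerCTFModeWithPresetCloudValuesTest {

  @Autowired private MockMvc mvc;
  @Autowired private Challenges challenges;
  @Autowired private Challenge11Aws challenge11;

  /**
   * The spoil endpoint must answer with the "disabled" notice instead of a solution while CTF mode
   * is on.
   *
   * @throws Exception if the mock request fails
   */
  @Test
  void shouldNotSpoilWhenInCTFMode() throws Exception {
    var firstChallenge = challenges.getChallengeDefinitions().getFirst();
    mvc.perform(get("/spoil/%s".formatted(firstChallenge.name().shortName())))
        .andExpect(status().isOk())
        .andExpect(content().string(containsString("Spoils are disabled in CTF mode")));
  }

  /**
   * Submitting the correct solution for challenge 9 returns the expected flag string.
   *
   * @throws Exception if the mock request fails
   */
  @Test
  void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge9() throws Exception {
    var challenge9Definition = challenges.findByShortName("challenge-9").orElseThrow();
    var challenge9 = challenges.getChallenge(challenge9Definition).getFirst();
    var spoil = challenge9.spoiler().solution();
    mvc.perform(
            post("/challenge/%s".formatted(challenge9Definition.name().shortName()))
                .contentType(MediaType.APPLICATION_FORM_URLENCODED)
                .param("solution", spoil)
                .param("action", "submit")
                // The POST carries a CSRF token, so the test exercises the endpoint with CSRF
                // protection in place rather than bypassing it.
                .with(csrf()))
        .andExpect(status().isOk())
        .andExpect(content().string(containsString("6a1714fe4ca37b0508f549f593db87c6")));
  }

  /**
   * Submitting the correct solution for challenge 10 returns the expected flag string.
   *
   * <p>The solution is taken from a {@link Challenge10} built directly with the preset value from
   * the test properties rather than from the Spring context.
   *
   * @throws Exception if the mock request fails
   */
  @Test
  void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge10() throws Exception {
    var spoil =
        new Challenge10(null, "ACTUAL_ANSWER_CHALLENGE10", "wrongsecret-2").spoiler().solution();
    mvc.perform(
            post("/challenge/challenge-10")
                .contentType(MediaType.APPLICATION_FORM_URLENCODED)
                .param("solution", spoil)
                .param("action", "submit")
                .with(csrf()))
        .andExpect(status().isOk())
        .andExpect(content().string(containsString("578a061f2a7659e6962061e98d779abd")));
  }

  /**
   * Challenge 11 must answer with the "disabled" notice even when the correct solution is
   * submitted.
   *
   * @throws Exception if the mock request fails
   */
  @Test
  void shouldNotShowFlagWhenRespondingWithSuccessInCTFModeChallenge11() throws Exception {
    var spoil = challenge11.spoiler().solution();
    mvc.perform(
            post("/challenge/challenge-11")
                .contentType(MediaType.APPLICATION_FORM_URLENCODED)
                .param("solution", spoil)
                .param("action", "submit")
                .with(csrf()))
        .andExpect(status().isOk())
        .andExpect(content().string(containsString("This challenge has been disabled.")));
  }

  /**
   * The landing page renders challenges 9 and 10 without a disabled link and challenge 11 with
   * one.
   *
   * @throws Exception if the mock request fails
   */
  @Test
  void shouldEnableCloudExerciseBut11() throws Exception {
    mvc.perform(get("/"))
        .andExpect(status().isOk())
        .andExpect(content().string(not(containsString("challenge-9_disabled-link"))))
        // The id was previously misspelled ("challeng-10"), so this negative assertion could
        // never fail and a wrongly disabled challenge 10 would have gone unnoticed.
        .andExpect(content().string(not(containsString("challenge-10_disabled-link"))))
        .andExpect(content().string(containsString("challenge-11_disabled-link")));
  }

  /**
   * The landing page renders challenges 5, 6 and 7 without a disabled link.
   *
   * <p>These are negative substring checks: they only hold their value while the ids match the
   * ones the page actually emits.
   *
   * @throws Exception if the mock request fails
   */
  @Test
  void shouldEnableK8sExercises() throws Exception {
    mvc.perform(get("/"))
        .andExpect(status().isOk())
        .andExpect(content().string(not(containsString("challenge-5_disabled-link"))))
        .andExpect(content().string(not(containsString("challenge-6_disabled-link"))))
        .andExpect(content().string(not(containsString("challenge-7_disabled-link"))));
  }
}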