fix: update CTF mode test expectations after HmacSHA1->SHA256 upgrade; add validation tests for Challenge62

Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/434d65db-7a37-4184-9e98-1161b21e2974

Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>

Author: Copilot

src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge62McpControllerTest.java

@@ -198,28 +198,68 @@ String fetchGoogleDriveDocument(String docId) {
   }
 
   @Test
-  void readGoogleDriveDocumentShouldCacheOnlyTwentyAdditionalDocuments() throws Exception {
-    var fetchCount = new AtomicInteger();
+  void readDocumentShouldRejectInvalidDocumentId() {
     var controller =
         new Challenge62McpController(
-            "dGVzdA==", DEFAULT_DOC_ID, mock(RestTemplate.class), new ObjectMapper()) {
+            DEFAULT_KEY, DEFAULT_DOC_ID, mock(RestTemplate.class), new ObjectMapper());
+
+    String[] invalidIds = {"../sensitive", "doc/with/slash", "doc with space", "doc.with.dot"};
+    for (String invalidId : invalidIds) {
+      Map<String, Object> request =
+          Map.of(
+              "jsonrpc",
+              "2.0",
+              "id",
+              2,
+              "method",
+              "tools/call",
+              "params",
+              Map.of(
+                  "name",
+                  "read_google_drive_document",
+                  "arguments",
+                  Map.of("document_id", invalidId)));
+
+      Map<String, Object> response = controller.handleMcpRequest(request);
+
+      assertThat(response).containsKey("error");
+      @SuppressWarnings("unchecked")
+      Map<String, Object> error = (Map<String, Object>) response.get("error");
+      assertThat(error.get("code")).isEqualTo(-32602);
+    }
+  }
+
+  @Test
+  void readDocumentShouldAcceptValidDocumentId() {
+    var controller =
+        new Challenge62McpController(
+            DEFAULT_KEY, DEFAULT_DOC_ID, mock(RestTemplate.class), new ObjectMapper()) {
           @Override
-          String fetchGoogleDriveDocument(String docId) {
-            fetchCount.incrementAndGet();
-            return "cached_secret_for_" + docId;
+          String readGoogleDriveDocument(String docId) {
+            return "document_content";
           }
         };
 
-    controller.readGoogleDriveDocument(DEFAULT_DOC_ID);
-    for (int index = 1; index <= 20; index++) {
-      controller.readGoogleDriveDocument("doc-" + index);
-    }
+    Map<String, Object> request =
+        Map.of(
+            "jsonrpc",
+            "2.0",
+            "id",
+            2,
+            "method",
+            "tools/call",
+            "params",
+            Map.of(
+                "name",
+                "read_google_drive_document",
+                "arguments",
+                Map.of("document_id", "1PlZkwEd7GouyY4cdOxBuczm6XumQeuZN31LR2BXRgPs")));
 
-    controller.readGoogleDriveDocument("doc-1");
-    controller.readGoogleDriveDocument("doc-21");
-    controller.readGoogleDriveDocument(DEFAULT_DOC_ID);
-    controller.readGoogleDriveDocument("doc-2");
+    Map<String, Object> response = controller.handleMcpRequest(request);
 
-    assertThat(fetchCount.get()).isEqualTo(23);
+    assertThat(response).containsKey("result");
+    @SuppressWarnings("unchecked")
+    Map<String, Object> result = (Map<String, Object>) response.get("result");
+    assertThat(result).containsKey("content");
   }
 }

src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeTest.java

@@ -56,7 +56,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFMode() throws Exception {
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("ba9a72ac7057576344856")));
+        .andExpect(content().string(containsString("f85a770cdd6b451790e80fdff17906bb")));
   }
 
   @Test

src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetCloudValuesTest.java

@@ -60,7 +60,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge9() throws Excepti
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("70d75bf845890b2419bd8795c")));
+        .andExpect(content().string(containsString("6a1714fe4ca37b0508f549f593db87c6")));
   }
 
   @Test
@@ -74,7 +74,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge10() throws Except
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("176e937a2cafea3b0da3")));
+        .andExpect(content().string(containsString("578a061f2a7659e6962061e98d779abd")));
   }
 
   @Test

src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetK8sAndVaultValuesTest.java

@@ -54,7 +54,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge5() throws Excepti
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("26d5e409100ca8dc3bd2dba115b81f5b7889fbbd")));
+        .andExpect(content().string(containsString("547778382f8a3782a46149021ab8af60")));
   }
 
   @Test
@@ -67,7 +67,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge6() throws Excepti
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("18af49a1b18359e0bf9b9a0")));
+        .andExpect(content().string(containsString("97bae139e507e5a213b9be4cca3fcd30")));
   }
 
   @Test
@@ -80,7 +80,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge7() throws Excepti
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("881951b59ea4818c2")));
+        .andExpect(content().string(containsString("540ba4445c33850152b6b536df3020e3")));
   }
 
   @Test

src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetK8sNoVaultValuesTest.java

@@ -53,7 +53,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge5() throws Excepti
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("26d5e409100ca8dc3bd2dba115b81f5b7889fbbd")));
+        .andExpect(content().string(containsString("547778382f8a3782a46149021ab8af60")));
   }
 
   @Test
@@ -66,7 +66,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge6() throws Excepti
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("18af49a1b18359e0bf9b9a0")));
+        .andExpect(content().string(containsString("97bae139e507e5a213b9be4cca3fcd30")));
   }
 
   @Test