OWASP
diff --git a/‎.github/scripts/docker-create.sh
+33-4 b/‎.github/scripts/docker-create.sh
+33-4
diff --git a/‎Dockerfile.web
+2-2 b/‎Dockerfile.web
+2-2
diff --git a/‎Dockerfile.webdesktop renamed to ‎Dockerfile_webdesktop
+1-2 b/‎Dockerfile.webdesktop renamed to ‎Dockerfile_webdesktop
+1-2
diff --git a/‎README.md
+14-9 b/‎README.md
+14-9
diff --git a/‎aws/k8s/secret-challenge-vault-deployment.yml
+1-1 b/‎aws/k8s/secret-challenge-vault-deployment.yml
+1-1
diff --git a/‎azure/k8s-vault-azure-start.sh
+2-2 b/‎azure/k8s-vault-azure-start.sh
+2-2
diff --git a/‎azure/k8s/secret-challenge-vault-deployment.yml.tpl
+1-1 b/‎azure/k8s/secret-challenge-vault-deployment.yml.tpl
+1-1
diff --git a/‎fly.toml
+1-2 b/‎fly.toml
+1-2
diff --git a/‎gcp/README.md
+2-2 b/‎gcp/README.md
+2-2
diff --git a/‎gcp/k8s-vault-gcp-start.sh
+1-1 b/‎gcp/k8s-vault-gcp-start.sh
+1-1
diff --git a/‎gcp/k8s/secret-challenge-vault-deployment.yml.tpl
+1-1 b/‎gcp/k8s/secret-challenge-vault-deployment.yml.tpl
+1-1
diff --git a/‎k8s/secret-challenge-deployment.yml
+1-1 b/‎k8s/secret-challenge-deployment.yml
+1-1
diff --git a/‎k8s/secret-challenge-vault-deployment.yml
+1-1 b/‎k8s/secret-challenge-vault-deployment.yml
+1-1
diff --git a/‎okteto/k8s/secret-challenge-deployment.yml
+56 b/‎okteto/k8s/secret-challenge-deployment.yml
+56
diff --git a/‎okteto/k8s/secrets-config.yml
+11 b/‎okteto/k8s/secrets-config.yml
+11
diff --git a/‎okteto/k8s/secrets-secret.yml
+23 b/‎okteto/k8s/secrets-secret.yml
+23
@@ -7,7 +7,7 @@ Help() {
     # Display Help
     echo "A versatile script to create a docker image for testing. Call this script with no arguments to simply create a local image that you can use to test your changes. For more complex use see the below help section"
     echo
-    echo "Syntax: docker-create.sh [-h (help)|-t (test)|-p (publish)|-e (herokud)|-f (herokup)|-g (fly)|-n (notag) [tag={tag}|message={message}|buildarg={buildarg}|springProfile={springProfile}]"
+    echo "Syntax: docker-create.sh [-h (help)|-t (test)|-p (publish)|-e (herokud)|-f (herokup)|-g (fly)|-o (okteto)|-n (notag) [tag={tag}|message={message}|buildarg={buildarg}|springProfile={springProfile}]"
     echo "options: (All optional)"
     echo "tag=             Write a custom tag that will be added to the container when it is build locally."
     echo "message=         Write a message used for the actual tag-message in git"
@@ -28,6 +28,23 @@ break_on_tag(){
         exit
       fi
 }
+
+Okteto_redeploy(){
+  break_on_tag
+  echo "Rebuilding the Okteto environment: https://wrongsecrets-commjoen.cloud.okteto.net/"
+  echo "Check if all required binaries are installed"
+  source ../../scripts/check-available-commands.sh
+  checkCommandsAvailable okteto
+  echo "validating okteto k8 deployment to contain the right container with tag "${tag}" (should be part of '$(cat ../../okteto/k8s/secret-challenge-deployment.yml | grep image)')"
+  if [[ "$(cat ../../okteto/k8s/secret-challenge-deployment.yml | grep image)" != *"${tag}"* ]]; then
+    echo "tag ${tag} in  ../../okteto/k8s/secret-challenge-deployment.yml not properly set, aborting"
+    exit
+  fi
+  cd ../../okteto
+  okteto destroy
+  okteto deploy
+}
+
 heroku_check_container() {
     break_on_tag
     echo "validating dockerfile to contain tag "${tag}" (should be part of '$(head -n 1 ../../Dockerfile.web)')"
@@ -90,7 +107,7 @@ Fly_publish(){
 # Set option to local if no option provided
 script_mode="local"
 # Parse provided options
-while getopts ":htpefgn*" option; do
+while getopts ":htpefgon*" option; do
     case $option in
     h) # display Help
         Help
@@ -111,6 +128,9 @@ while getopts ":htpefgn*" option; do
     g) #Helper
         script_mode="fly_p"
         ;;
+    o) #okteto
+        script_mode="okteto"
+        ;;
     n) #notags
         disable_tagging_in_git="true"
         ;;
@@ -127,7 +147,7 @@ done
 ################################################
 for ARGUMENT in "$@"; 
 do
-    if [[ $ARGUMENT != "-h" && $ARGUMENT != "-t" && $ARGUMENT != "-p" && $ARGUMENT != "-e" && $ARGUMENT != "-f" && $ARGUMENT != "-g" ]]
+    if [[ $ARGUMENT != "-h" && $ARGUMENT != "-t" && $ARGUMENT != "-p" && $ARGUMENT != "-e" && $ARGUMENT != "-f" && $ARGUMENT != "-g" && $ARGUMENT != "-o" ]]
     then
         KEY=$(echo "$ARGUMENT" | cut -f1 -d=)
         KEY_LENGTH=${#KEY}
@@ -188,6 +208,8 @@ elif [[ $script_mode == "heroku_p" ]]; then
   Heroku_publish_prod
 elif [[ $script_mode == "fly_p" ]]; then
   Fly_publish
+elif [[ $script_mode == "okteto" ]]; then
+  Okteto_redeploy
 fi
 
 
@@ -274,13 +296,20 @@ create_containers() {
     echo "Creating containers"
     if [[ "$script_mode" == "publish" ]]; then
         docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
+        docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
         docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
+        docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
         docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
+        docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
         docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
+        docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
         docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
+        docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
         docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
+        docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
         cd ../..
-        docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:$tag -f Dockerfile.webdesktop --push .
+        docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:$tag -f Dockerfile_webdesktop --push .
+        docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:latest -f Dockerfile_webdesktop --push .
         cd .github/scripts
     elif [[ "$script_mode" == "test" ]]; then
         docker buildx build -t jeroenwillemsen/wrongsecrets:$tag --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --load ./../../.
 
@@ -1,6 +1,6 @@
-FROM jeroenwillemsen/wrongsecrets:jre18test2-no-vault
+FROM jeroenwillemsen/wrongsecrets:1.5.3RC1-no-vault
 
-ARG argBasedVersion="1.5.2"
+ARG argBasedVersion="1.5.3RC1"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
 ARG HINTS_ENABLED=true
 
@@ -9,8 +9,7 @@ RUN \
   touch /var/run/docker.sock && \
   chown abc:abc /var/run/docker.sock && \
   echo "**** cleanup ****" && \
-  rm -rf \
-    /tmp/*
+  rm -rf /tmp/*
 
 WORKDIR /config/Desktop
 
 
@@ -10,7 +10,7 @@ Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed va
 secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different
 secrets by means of various tools and techniques.
 
-Can you solve all the 23 challenges?
+Can you solve all the 24 challenges?
 ![screenshot.png](screenshot.png)
 
 ## Support
@@ -24,7 +24,7 @@ based project, so it might take a little while before we respond.
 
 ## Basic docker exercises
 
-_Can be used for challenges 1-4, 8, 12-23_
+_Can be used for challenges 1-4, 8, 12-24_
 
 For the basic docker exercises you currently require:
 
@@ -34,7 +34,7 @@ For the basic docker exercises you currently require:
 You can install it by doing:
 
 ```bash
-docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.5.2-no-vault
+docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault
 ```
 
 Now you can try to find the secrets by means of solving the challenge offered at:
@@ -56,6 +56,7 @@ Now you can try to find the secrets by means of solving the challenge offered at
 - [localhost:8080/challenge/21](http://localhost:8080/challenge/21)
 - [localhost:8080/challenge/22](http://localhost:8080/challenge/22)
 - [localhost:8080/challenge/23](http://localhost:8080/challenge/23)
+- [localhost:8080/challenge/24](http://localhost:8080/challenge/24)
 
 Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look
 better ;-).
@@ -81,7 +82,7 @@ spoiling it for others that want to testdrive it.
 
 ## Basic K8s exercise
 
-_Can be used for challenges 1-6, 8, 12-23_
+_Can be used for challenges 1-6, 8, 12-24_
 
 ### Minikube based
 
@@ -126,9 +127,13 @@ now you can use the provided IP address and port to further play with the K8s va
 - [localhost:8080/challenge/5](http://localhost:8080/challenge/5)
 - [localhost:8080/challenge/6](http://localhost:8080/challenge/6)
 
+### Okteto based
+
+Don't want to go over the hassle of setting up K8S yourself? visit [https://wrongsecrets-commjoen.cloud.okteto.net](https://wrongsecrets-commjoen.cloud.okteto.net/). Please note that we are using the free Developer version here, so it might take a while for it to respond. Please: do not try to hack/Fuzz the application as this might bring it down and spoil the fun for others.
+
 ## Vault exercises with minikube
 
-_Can be used for challenges 1-8, 12-23_
+_Can be used for challenges 1-8, 12-24_
 Make sure you have the following installed:
 
 - minikube with docker (or comment out line 8 and work at your own k8s setup),
@@ -148,7 +153,7 @@ vault and not update the secret-challenge application with the new secret.
 
 ## Cloud Challenges
 
-_Can be used for challenges 1-23_
+_Can be used for challenges 1-24_
 
 **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
 never run this on an account which is related to your production environment or can influence your account-over-arching
@@ -370,7 +375,7 @@ If you want to play the challenges, but cannot install tools like keepass, Radar
 containers, try the following:
 
 ```shell
-docker run -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock jeroenwillemsen/wrongsecrets-desktop:1.5.2
+docker run -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock jeroenwillemsen/wrongsecrets-desktop:latest
 ```
 
 or use something more configurable:
@@ -386,9 +391,9 @@ docker run -d \
   -e KEYBOARD=en-us-qwerty \
   -p 3000:3000 \
   -v /var/run/docker.sock:/var/run/docker.sock \
-  --shm-size="1gb" \
+  --shm-size="2gb" \
   --restart unless-stopped \
-  jeroenwillemsen/wrongsecrets-desktop:1.5.2
+  jeroenwillemsen/wrongsecrets-desktop:latest
 ```
 
 And then at [http://localhost:3000](http://localhost:3000).
 
@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.5.2-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.5.3RC1-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080
 
@@ -53,14 +53,14 @@ source ../scripts/install-consul.sh
 source ../scripts/install-vault.sh
 
 echo "Add secrets manager driver to repo"
-helm repo add csi-secrets-store-provider-azure https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts
+helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-store-csi-driver-provider-azure/charts
 
 helm list --namespace kube-system | grep 'csi-secrets-store' &>/dev/null
 if [ $? == 0 ]; then
   echo "CSI driver is already installed"
 else
   echo "Installing CSI driver"
-  helm install -n kube-system csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure
+  helm install csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure
 fi
 
 echo "Add Azure pod identity to repo"
 
@@ -35,7 +35,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.5.2-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.5.3RC1-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080
 
@@ -9,9 +9,8 @@ processes = []
   dockerfile = "Dockerfile"
 
 [build.args]
-  argBasedVersion="1.5.2"
+  argBasedVersion="1.5.3RC1"
   spring_profile="without-vault"
-  argBasedEnv="Fly(Docker)"
 
 [env]
   K8S_ENV="Fly(Docker)"
 
@@ -20,7 +20,7 @@ Make sure you have an active account at GCP for which you have configured the cr
 
 If you want to host a multi-user setup, you will probably want to share the state file so that everyone can try related challenges. We have provided a starter to easily do so using a Terraform gcs backend.
 
-First, create an s3 bucket:
+First, create an storage bucket:
 
 1. Navigate to the 'shared-state' directory `cd shared-state`
 2. Change the `project_id` in the `terraform.tfvars` file to your project id
@@ -44,7 +44,7 @@ The bucket name should be in the output. Please use that to configure the Terraf
 5. Run `terraform init` (if required, use tfenv to select TF 0.14.0 or higher )
 6. Run `terraform plan`
 7. Run `terraform apply`. Note: the apply will take 10 to 20 minutes depending on the speed of the GCP backplane.
-8. When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`
+8. When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`. Note if it errors on a missing plugin to support `kubectl`, then run `gcloud components install gke-gcloud-auth-plugin` and `gcloud container clusters get-credentials wrongsecrets-exercise-cluster` .
 9. Run `./k8s-vault-gcp-start.sh`
 
 ### GKE ingres for shared deployment
 
@@ -11,7 +11,7 @@ echo "This is a script to bootstrap the configuration. You need to have installe
 echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube. Vault is awesome!"
 
 export GCP_PROJECT=$(gcloud config list --format 'value(core.project)' 2>/dev/null)
-export USE_GKE_GCLOUD_AUTH_PLUGIN=True
+#export USE_GKE_GCLOUD_AUTH_PLUGIN=True
 
 kubectl get configmaps | grep 'secrets-file' &>/dev/null
 if [ $? == 0 ]; then
 
@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.5.2-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.5.3RC1-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080
 
@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:jre18test2-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.5.3RC1-no-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080
 
@@ -30,7 +30,7 @@ spec:
         runAsNonRoot: true
       serviceAccountName: vault
       containers:
-        - image: jeroenwillemsen/wrongsecrets:jre18test2-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.5.3RC1-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080
 
@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: secret-challenge
+  name: secret-challenge
+  namespace: commjoen
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: secret-challenge
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: secret-challenge
+      name: secret-challenge
+    spec:
+      securityContext:
+        runAsUser: 2000
+        runAsGroup: 2000
+        fsGroup: 2000
+      containers:
+        - image: jeroenwillemsen/wrongsecrets:1.5.3RC1-no-vault
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+          name: secret-challenge
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          env:
+            - name: K8S_ENV
+              value: Okteto(k8s)
+            - name: SPECIAL_K8S_SECRET
+              valueFrom:
+                configMapKeyRef:
+                  name: secrets-file
+                  key: funny.entry
+            - name: SPECIAL_SPECIAL_K8S_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: funnystuff
+                  key: funnier
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      terminationGracePeriodSeconds: 30
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  funny.entry: "thisIsK8SConfigMap"
+kind: ConfigMap
+metadata:
+  creationTimestamp: "2020-10-29T19:29:38Z"
+  name: secrets-file
+  namespace: commjoen
+  resourceVersion: "4228"
+  selfLink: /api/v1/namespaces/default/configmaps/secrets-file
+  uid: d777ebfa-2a53-4bca-b1e3-4907eca16552
@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+  funnier: dGhpcyBpcyBhcGFzc3dvcmQ=
+kind: Secret
+metadata:
+  creationTimestamp: "2020-10-29T20:49:16Z"
+  managedFields:
+  - apiVersion: v1
+    fieldsType: FieldsV1
+    fieldsV1:
+      f:data:
+        .: {}
+        f:funnier.entry: {}
+      f:type: {}
+    manager: kubectl-create
+    operation: Update
+    time: "2020-10-29T20:49:16Z"
+  name: funnystuff
+  namespace: commjoen
+  resourceVersion: "6559"
+  selfLink: /api/v1/namespaces/default/secrets/funnystuff
+  uid: baee7f4a-5161-4777-a512-3d236d3573d4
+type: Opaque