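--- a/.github/workflows/minikube-vault-test.yml
+++ b/.github/workflows/minikube-vault-test.yml
@@ -18,7 +18,7 @@
   - uses: actions/checkout@v3
   - uses: innovationnorway/setup-vault@v1
   with:
- version: '~1.9'
+ version: '>1.9'
   - name: Start minikube
   uses: medyagh/setup-minikube@master
   with: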
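--- a/Dockerfile.web
+++ b/Dockerfile.web
@@ -1,16 +1,31 @@
-FROM jeroenwillemsen/wrongsecrets:1.5.0-no-vault
+FROM jeroenwillemsen/wrongsecrets:ctfd-safe-4-no-vault
 
 ARG argBasedVersion="1.5.0"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
 ARG HINTS_ENABLED=true
+#ONLY OVERRIDE THE ARGS BELOW WHEN YOU ARE SETTING UP A CTF!
+ARG CTF_KEY=TRwzkRJnHOTckssAeyJbysWgP!Qc2T
+ARG CHALLENGE_5_VALUE=if_you_see_this_please_use_k8s
+ARG CHALLENGE_6_VALUE=if_you_see_this_please_use_k8s
+ARG CHALLENGE_7_VALUE=if_you_see_this_please_use_K8S_and_Vault
+ARG CHALLENGE_9_VALUE=if_you_see_this_please_use_AWS_Setup
+ARG CHALLENGE_10_VALUE=if_you_see_this_please_use
+ARG CHALLENGE_11_VALUE=if_you_see_this_please_use
 ENV APP_VERSION=$argBasedVersion
 ENV K8S_ENV=Heroku(Docker)
 ENV canarytokenURLs=$CANARY_URLS
 ENV ctf_enabled=$CTF_ENABLED
+ENV ctf_key=$CTF_KEY
 ENV hints_enabled=$HINTS_ENABLED
 ENV challengedockermtpath="/var/helpers"
 ENV keepasspath="/var/helpers/alibabacreds.kdbx"
+ENV SPECIAL_K8S_SECRET=$CHALLENGE_5_VALUE
+ENV SPECIAL_SPECIAL_K8S_SECRET=$CHALLENGE_6_VALUE
+ENV vaultpassword=$CHALLENGE_7_VALUE
+ENV default_aws_value_challenge_9=$CHALLENGE_9_VALUE
+ENV default_aws_value_challenge_10=$CHALLENGE_10_VALUE
+ENV default_aws_value_challenge_11=$CHALLENGE_11_VALUE
 COPY .github/scripts/ /var/helpers
 COPY src/test/resources/alibabacreds.kdbx /var/helpers
 CMD java -Xms128m -Xmx128m -Xss512k -jar -Dserver.port=$PORT -XX:MaxRAMPercentage=75 -XX:MinRAMPercentage=25 -Dspring.profiles.active=without-vault application.jar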
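Review bot: The default `ARG CTF_KEY=...` is committed to the repository and is then copied into the image via `ENV ctf_key=$CTF_KEY`, so it is readable from the source, from `docker history` and from `docker inspect` of any container built from this file; it protects nothing unless overridden at build time. The `#ONLY OVERRIDE ...` comment should say that explicitly, e.g. `# The default CTF_KEY and CHALLENGE_*_VALUE defaults below are public (this repo + image layers); pass --build-arg CTF_KEY=<your key> and your own answers for a real CTF, and host that image where contestants cannot reach it (see ctf-instructions.md).` The CHALLENGE_*_VALUE defaults become the real answers once overridden and are just as visible through the ENV lines, so the same caveat covers them. Also `ARG argBasedVersion="1.5.0"` no longer matches the `ctfd-safe-4-no-vault` base tag; if that is deliberate a one-line comment would save the next reader a question.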
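--- /dev/null
+++ b/ctf-instructions.md
@@ -0,0 +1,39 @@
+# CTF Instructions
+
+So you want to play a CTF with WrongSecrets? This is the place to read up all about it.
+Our CTF setup makes use of the [Juice Shop CTF CLI extension](https://github.com/juice-shop/juice-shop-ctf), which you
+can read all about at [here](https://pwning.owasp-juice.shop/part1/ctf.html).
+
+The difference between Juiceshop and WrongSecrets, is that WrongSecrets is more of a secrets-hunter game. Thiss means
+that your contestants will try to find the CTF key soon after a few challenges. That is why we should separate out the
+actual container for which the CTF scores are generated, from the container where the challenges live in.
+
+You can see this practice already here in our repository: Our standard [Dockerfile](/Dockerfile) does not contain any
+CTF entries, our Heroku [Dockerfile.web](/Dockerfile.web) does contain them.
+So make sure you host your actual scoring Dockerfile.web at a place where your contestants cannot enter the container (
+image) in order to extract the CTF key.
+
+## Setting up CTFs
+
+There are 3 flavors of CTF to be setup: Docker/Heroku, K8S, Cloud based.
+
+### Docker or Heroku CTF
+
+When doing a Docker or Heroku based CTF, you can follow
+the [instructions in the readme](https://github.com/commjoen/wrongsecrets#ctfd-support).
+If you want to use your own CTF key, you can build a container with the following
+arguments `CTF_ENABLED=true,HINTS_ENABLED=false,CTF_KEY=<YOURNEWKEYHERE>`. Just make sure you provide the same key
+to `juice-shop-ctf` when you run it.
+
+Want to make it a little more exciting? Override the Dockerfile with your preferred values, so that copying from online
+hosted solutions no longer works!
+
+### K8s based CTF
+
+TODO as #https://github.com/commjoen/wrongsecrets/issues/372
+
+### Cloud based CTF
+
+TODO as #https://github.com/commjoen/wrongsecrets/issues/372
+
+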
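--- a/src/main/java/org/owasp/wrongsecrets/RuntimeEnvironment.java
+++ b/src/main/java/org/owasp/wrongsecrets/RuntimeEnvironment.java
@@ -22,14 +22,23 @@
 @Component
 public class RuntimeEnvironment {
 
+ @Value("${ctf_enabled}")
+ private boolean ctfModeEnabled;
+
+ @Value("${SPECIAL_K8S_SECRET}")
+ private String challenge5Value; //used to determine if k8s/vault challenges are overriden;
+
+ @Value("${default_aws_value_challenge_9}")
+ private String defaultChallenge9Value; //used to determine if the cloud challenge values are overriden
+
  private static final Map<Environment, List<Environment>> envToOverlappingEnvs = Map.of(
- HEROKU_DOCKER, List.of(DOCKER, HEROKU_DOCKER),
- DOCKER, List.of(DOCKER, HEROKU_DOCKER),
- GCP, List.of(DOCKER, K8S, VAULT),
- AWS, List.of(DOCKER, K8S, VAULT),
- AZURE, List.of(DOCKER, K8S, VAULT),
- VAULT, List.of(DOCKER, K8S),
- K8S, List.of(DOCKER)
+ HEROKU_DOCKER, List.of(DOCKER, HEROKU_DOCKER),
+ DOCKER, List.of(DOCKER, HEROKU_DOCKER),
+ GCP, List.of(DOCKER, K8S, VAULT),
+ AWS, List.of(DOCKER, K8S, VAULT),
+ AZURE, List.of(DOCKER, K8S, VAULT),
+ VAULT, List.of(DOCKER, K8S),
+ K8S, List.of(DOCKER)
  );
 
  public enum Environment {
@@ -48,6 +57,16 @@
 
  @Getter
  private final Environment runtimeEnvironment;
+
+ private boolean isK8sUnlockedInCTFMode() {
+ String defaultValueChallenge5 = "if_you_see_this_please_use_k8s";
+ return ctfModeEnabled && !challenge5Value.equals(defaultValueChallenge5);
+ }
+
+ private boolean isCloudUnlockedInCTFMode() {
+ String defaultValueAWSValue = "if_you_see_this_please_use_AWS_Setup";
+ return ctfModeEnabled && !defaultChallenge9Value.equals(defaultValueAWSValue);
+ }
 
  @Autowired
  public RuntimeEnvironment(@Value("${K8S_ENV}") String currentRuntimeEnvironment) {
@@ -59,8 +78,16 @@
  }
 
  public boolean canRun(Challenge challenge) {
+ if (isCloudUnlockedInCTFMode()) {
+ return true;
+ }
+ if (isK8sUnlockedInCTFMode()) {
+ return challenge.supportedRuntimeEnvironments().contains(runtimeEnvironment)
+ || challenge.supportedRuntimeEnvironments().contains(DOCKER) || challenge.supportedRuntimeEnvironments().contains(K8S)
+ || challenge.supportedRuntimeEnvironments().contains(VAULT);
+ }
  return challenge.supportedRuntimeEnvironments().contains(runtimeEnvironment)
- || !Collections.disjoint(envToOverlappingEnvs.get(runtimeEnvironment), challenge.supportedRuntimeEnvironments());
+ || !Collections.disjoint(envToOverlappingEnvs.get(runtimeEnvironment), challenge.supportedRuntimeEnvironments());
  }
 
 }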
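Review bot: `isK8sUnlockedInCTFMode` and `isCloudUnlockedInCTFMode` decide that the operator has "unlocked" a challenge group by comparing the injected property against a sentinel string that is duplicated from application.properties and Dockerfile.web, and the comparison is written value-first, so a null injection would throw instead of reading as "not unlocked"; write it constant-first, `return ctfModeEnabled && !defaultValueChallenge5.equals(challenge5Value);` (same for challenge 9), and hoist the two sentinels to `private static final String` constants so the three copies cannot drift apart. Neither helper nor the new branches in `canRun` carry a comment; a Javadoc along the lines of `/** In CTF mode the K8s and cloud challenges are enabled once the operator has replaced the placeholder answers with real ones (see Dockerfile.web / ctf-instructions.md). */` would explain why string equality with a placeholder gates availability. Note that once the cloud value is overridden `canRun` returns true for every challenge, including the K8s ones, whether or not SPECIAL_K8S_SECRET was replaced; that mirrors the AWS/GCP/AZURE rows of envToOverlappingEnvs and so looks deliberate, but it should be stated in that comment.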
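--- a/src/main/java/org/owasp/wrongsecrets/canaries/CanariesController.java
+++ b/src/main/java/org/owasp/wrongsecrets/canaries/CanariesController.java
@@ -30,11 +30,6 @@
  }
  log.info("Canarytoken called, with manage_url {}", canaryToken.getManageUrl());
  log.info("Total number of canary callback calls: {}", canaryCounter.getTotalCount());
- /*
- todo:
- - follow 3 of baeldung.com/spring-server-sent-events, but make sure you register the emitter per connection
- - and in a map lookup which emiter you can use for the given connection to send the event.
- */
  return new ResponseEntity<>("all good", HttpStatus.ACCEPTED);
  }
 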
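--- a/src/main/java/org/owasp/wrongsecrets/challenges/ChallengeUI.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/ChallengeUI.java
@@ -69,13 +69,17 @@
  .collect(Collectors.joining());
  }
 
+ public int difficulty() {
+ return challenge.difficulty();
+ }
+
  public boolean isChallengeEnabled() {
  return runtimeEnvironment.canRun(challenge);
  }
 
  public static List<ChallengeUI> toUI(List<Challenge> challenges, RuntimeEnvironment environment) {
  return challenges.stream()
- .sorted(Comparator.comparingInt(challenge -> Integer.parseInt(challenge.getClass().getSimpleName().replace("Challenge",""))))
+ .sorted(Comparator.comparingInt(challenge -> Integer.parseInt(challenge.getClass().getSimpleName().replace("Challenge", ""))))
  .map(challenge -> new ChallengeUI(challenge, challenges.indexOf(challenge) + 1, environment))
  .toList();
  }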
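Review bot: The new public `difficulty()` accessor is consumed by the templates through `#numbers.sequence(1, challenge.difficulty)`, but nothing documents the range it may return; Thymeleaf's `#numbers.sequence(from, to)` counts downward when `from > to`, so a 0 from `challenge.difficulty()` would render two stars rather than none. Add Javadoc on the method, e.g. `/** Difficulty rating rendered as stars by the templates; expected range 1..5 (welcome.html pads with hollow stars up to 5). */`, and if 0 is a legal value guard the loop in challenge.html the way welcome.html already guards its padding loop. The `Challenge.difficulty()` contract that would settle this is outside the hunk.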
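--- a/src/main/java/org/owasp/wrongsecrets/challenges/ChallengesAPIController.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/ChallengesAPIController.java
@@ -8,19 +8,16 @@
 import org.owasp.wrongsecrets.RuntimeEnvironment;
 import org.owasp.wrongsecrets.ScoreCard;
 import org.owasp.wrongsecrets.asciidoc.TemplateGenerator;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.util.ResourceUtils;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
-import org.yaml.snakeyaml.Yaml;
 
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Locale;
 
 @Slf4j
 @RestController
@@ -35,11 +32,14 @@
 
  private final TemplateGenerator templateGenerator;
 
+ private final RuntimeEnvironment runtimeEnvironment;
+
  public ChallengesAPIController(ScoreCard scoreCard, List<ChallengeUI> challenges, RuntimeEnvironment runtimeEnvironment, TemplateGenerator templateGenerator) {
  this.scoreCard = scoreCard;
  this.challenges = challenges;
  this.descriptions = new ArrayList<>();
  this.hints = new ArrayList<>();
+ this.runtimeEnvironment = runtimeEnvironment;
  this.templateGenerator = templateGenerator;
  }
 
@@ -117,8 +117,8 @@
  }
 
  private String getDisabledEnv(ChallengeUI challenge) {
- if (!challenge.getChallenge().supportedRuntimeEnvironments().contains(RuntimeEnvironment.Environment.DOCKER)) {
- return "Docker";
+ if (runtimeEnvironment.canRun(challenge.getChallenge())) {
+ return runtimeEnvironment.getRuntimeEnvironment().name();
  }
  return null;
  }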
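Review bot: `getDisabledEnv` now returns the current environment's name when `runtimeEnvironment.canRun(challenge.getChallenge())` is true and null otherwise, which is the opposite of what the method name suggests and of the previous body, which returned "Docker" for a challenge that could not run there. Either the condition is meant to be negated, `if (!runtimeEnvironment.canRun(challenge.getChallenge()))`, or the method should be renamed to say it reports the environment a runnable challenge is in; the caller that interprets the string is outside this hunk, so I cannot tell which is intended. Whichever it is, a one-line comment above the method stating the contract (when the name is returned, when null) would stop the next reader from tripping over the name.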
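--- a/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge10.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge10.java
@@ -27,7 +27,7 @@
 
  public Challenge10(ScoreCard scoreCard,
  @Value("${secretmountpath}") String filePath,
- @Value("${default_aws_value}") String awsDefaultValue,
+ @Value("${default_aws_value_challenge_10}") String awsDefaultValue,
  RuntimeEnvironment runtimeEnvironment) {
  super(scoreCard, runtimeEnvironment);
  this.awsDefaultValue = awsDefaultValue;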
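--- a/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge11.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge11.java
@@ -46,6 +46,10 @@
  private final String azureVaultUri;
  private final String azureWrongSecret3;
 
+ private final String ctfValue;
+
+ private final boolean ctfEnabled;
+
  public Challenge11(ScoreCard scoreCard,
  @Value("${AWS_ROLE_ARN}") String awsRoleArn,
  @Value("${AWS_WEB_IDENTITY_TOKEN_FILE}") String tokenFileLocation,
@@ -56,6 +60,8 @@
  @Value("${azure.keyvault.uri}") String azureVaultUri,
  @Value("${wrongsecret-3}") String azureWrongSecret3, // Exclusively auto-wired for Azure
  @Value("${GCP_PROJECT_ID}") String projectId,
+ @Value("${default_aws_value_challenge_11}") String ctfValue,
+ @Value("${ctf_enabled}") boolean ctfEnabled,
  RuntimeEnvironment runtimeEnvironment) {
  super(scoreCard, runtimeEnvironment);
  this.awsRoleArn = awsRoleArn;
@@ -67,6 +73,8 @@
  this.projectId = projectId;
  this.azureVaultUri = azureVaultUri;
  this.azureWrongSecret3 = azureWrongSecret3;
+ this.ctfValue = ctfValue;
+ this.ctfEnabled = ctfEnabled;
  this.challengeAnswer = getChallenge11Value(runtimeEnvironment);
  }
 
@@ -96,6 +104,9 @@
 
  private String getChallenge11Value(RuntimeEnvironment runtimeEnvironment) {
  if (runtimeEnvironment != null && runtimeEnvironment.getRuntimeEnvironment() != null) {
+ if (ctfEnabled && ctfValue != awsDefaultValue) {
+ return ctfValue;
+ }
  return switch (runtimeEnvironment.getRuntimeEnvironment()) {
  case AWS -> getAWSChallenge11Value();
  case GCP -> getGCPChallenge11Value();
@@ -112,27 +123,27 @@
  try { //based on https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/sts/src/main/java/com/example/sts
  String webIDentityToken = Files.readString(Paths.get(tokenFileLocation));
  StsClient stsClient = StsClient.builder()
- .region(Region.of(awsRegion))
- .build();
+ .region(Region.of(awsRegion))
+ .build();
  AssumeRoleWithWebIdentityRequest webIdentityRequest = AssumeRoleWithWebIdentityRequest.builder()
- .roleArn(awsRoleArn)
- .roleSessionName("WrongsecretsApp")
- .webIdentityToken(webIDentityToken)
- .build();
+ .roleArn(awsRoleArn)
+ .roleSessionName("WrongsecretsApp")
+ .webIdentityToken(webIDentityToken)
+ .build();
 
  AssumeRoleWithWebIdentityResponse tokenResponse = stsClient.assumeRoleWithWebIdentity(webIdentityRequest);
  log.info("The token value is " + tokenResponse.credentials().sessionToken());
  SsmClient ssmClient = SsmClient.builder()
- .region(Region.of(awsRegion))
- .credentialsProvider(StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
- .stsClient(stsClient)
- .refreshRequest(webIdentityRequest)
- .build())
- .build();
+ .region(Region.of(awsRegion))
+ .credentialsProvider(StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
+ .stsClient(stsClient)
+ .refreshRequest(webIdentityRequest)
+ .build())
+ .build();
  GetParameterRequest parameterRequest = GetParameterRequest.builder()
- .name("wrongsecretvalue")
- .withDecryption(true)
- .build();
+ .name("wrongsecretvalue")
+ .withDecryption(true)
+ .build();
  GetParameterResponse parameterResponse = ssmClient.getParameter(parameterRequest);
  log.info("The parameter value is " + parameterResponse.parameter().value());
  ssmClient.close();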
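Review bot: `if (ctfEnabled && ctfValue != awsDefaultValue)` in `getChallenge11Value` compares two Strings by reference; both arrive through `@Value` injection, so whether they are the same object is an implementation detail and the branch can be taken or skipped independently of the content. It should be `if (ctfEnabled && !ctfValue.equals(awsDefaultValue))` (or `!Objects.equals(ctfValue, awsDefaultValue)` if either may be null), matching the `equals` checks RuntimeEnvironment uses for the same purpose; `getChallenge11Value` continues past the hunk. Separately, the unchanged `log.info("The token value is " + tokenResponse.credentials().sessionToken())` in the last hunk writes the STS session token to the application log at INFO; that is a live credential and belongs at DEBUG behind a flag, if logged at all.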
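--- a/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge9.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge9.java
@@ -27,7 +27,7 @@
 
  public Challenge9(ScoreCard scoreCard,
  @Value("${secretmountpath}") String filePath,
- @Value("${default_aws_value}") String awsDefaultValue,
+ @Value("${default_aws_value_challenge_9}") String awsDefaultValue,
  RuntimeEnvironment runtimeEnvironment) {
  super(scoreCard, runtimeEnvironment);
  this.awsDefaultValue = awsDefaultValue;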
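--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -8,6 +8,9 @@
 DOCKER_ENV_PASSWORD=if_you_see_this_please_use_docker_instead
 vaultpassword=if_you_see_this_please_use_K8S_and_Vault
 default_aws_value=if_you_see_this_please_use_AWS_Setup
+default_aws_value_challenge_9=if_you_see_this_please_use_AWS_Setup
+default_aws_value_challenge_10=if_you_see_this_please_use_AWS_Setup
+default_aws_value_challenge_11=if_you_see_this_please_use_AWS_Setup
 default_gcp_value=if_you_see_this_please_use_GCP_Setup
 default_azure_value=if_you_see_this_please_use_Azure_Setup
 AWS_ROLE_ARN=if_you_see_this_please_use_AWS_Setup
@@ -68,4 +71,19 @@
 wrongsecretvalue=wrongsecret
 spring.cloud.vault.enabled=false
 asciidoctor.enabled=false
+#---
+spring.config.activate.on-profile=without-vault-ctf-emulation
+wrongsecretvalue=wrongsecret
+spring.cloud.vault.enabled=false
+asciidoctor.enabled=false
+ctf_enabled=true
+ctf_key=randomtextforkey
+vaultpassword=ACTUAL_ANSWER_CHALLENGE7
+secretmountpath=nothere
+SPECIAL_K8S_SECRET=ACTUAL_ANSWER_CHALLENGE5
+SPECIAL_SPECIAL_K8S_SECRET=ACTUAL_ANSWER_CHALLENGE6
+default_aws_value_challenge_9=ACTUAL_ANSWER_CHALLENGE9
+default_aws_value_challenge_10=ACTUAL_ANSWER_CHALLENGE10
+default_aws_value_challenge_11=ACTUAL_ANSWER_CHALLENGE_11
+K8S_ENV=Heroku(Docker)
 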
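Review bot: The new `without-vault-ctf-emulation` profile carries a CTF key and every challenge answer in clear text inside the main resources, so they ship in the jar and are public in the repository, and nothing marks the profile as an emulation/test profile. Add a comment right after the `#---` separator, e.g. `# Local CTF emulation only: the key and answers below are public test values; never activate this profile for a real CTF.` The answer naming is also inconsistent (`ACTUAL_ANSWER_CHALLENGE9`, `ACTUAL_ANSWER_CHALLENGE10`, but `ACTUAL_ANSWER_CHALLENGE_11`), and the new test classes copy that inconsistency verbatim, so it is worth fixing now before more code depends on it.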
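--- a/src/main/resources/templates/challenge.html
+++ b/src/main/resources/templates/challenge.html
@@ -3,7 +3,7 @@
 <body>
 <div class="container" layout:fragment="content">
  <!--/*@thymesVar id="challenge" type="org.owasp.wrongsecrets.challenges.ChallengeUI"*/-->
- <h1 class="mt-2" th:text="${challenge.name}"/>
+ <p class="h1 mt-2"> <span th:text="${challenge.name}"/> <span th:block th:each="i: ${#numbers.sequence(1, challenge.difficulty)}"><span>☆</span></span></p>
  <p><span th:text="'Welcome to challenge ' + ${challenge.challengeNumber} + '.'"></span> You need to guess the secret
  that is hidden in <a href="https://github.com/commjoen/wrongsecrets">Java</a>, <a
  href="https://hub.docker.com/r/jeroenwillemsen/wrongsecrets">Docker</a>, Kubernetes, Vault, AWS or GCP.</p>
@@ -84,7 +84,7 @@
  </div>
  <div th:if="${missingEnvWarning} eq 'AWS' or ${missingEnvWarning} eq 'GCP'" class="alert alert-danger"
  role="alert">
- We are running outside a properly configured AWS environment. Please run this in an AWS/GCP environment as
+ We are running outside a properly configured Cloud environment. Please run this in an AWS/Azure/GCP environment as
  explained in the <a href="https://github.com/commjoen/wrongsecrets#cloud-challenges">README.md</a>.
  </div>
  </div>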
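Review bot: `<span th:block th:each=...>` in the first hunk uses `th:block` as an attribute on a `<span>`; in the standard dialect `th:block` is a synthetic element, not an attribute, so it is at best ignored, and the loop should read `<th:block th:each="i: ${#numbers.sequence(1, challenge.difficulty)}"><span>☆</span></th:block>`. The same loop in welcome.html renders filled `★` for the difficulty and hollow `☆` as padding, while here every star is hollow, so the two pages disagree on what a hollow star means. In the second hunk the message now names AWS/Azure/GCP, but the unchanged `th:if` above it still matches only `'AWS' or 'GCP'`; if `missingEnvWarning` can be `'AZURE'` that condition needs extending as well, which I cannot confirm from this hunk.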
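--- a/src/main/resources/templates/welcome.html
+++ b/src/main/resources/templates/welcome.html
@@ -17,23 +17,33 @@
  <div class="container-fluid text-sm p-2 p-lg-3">
  <div class="row">
  <div class="col-12 col-lg-7">
- <table class="table">
+ <table class="table table-responsive">
  <thead>
  <tr>
- <th scope="col">#</th>
- <th scope="col">Challenge&nbsp;&nbsp;&nbsp;</th>
+ <th scope="col" class="d-none d-xl-table-cell">#</th>
+ <th scope="col">&nbsp;Challenge&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</th>
  <th scope="col">Focus&nbsp;&nbsp;&nbsp;</th>
- <th scope="col" th:text="'Runs on environment (current: '+${environment}+')'"></th>
+ <th scope="col" class="d-sm-none"
+ th:text="'Runs on environment (current: '+${#strings.replace(environment,'_',' _')}+')'"></th>
+ <th scope="col" class="d-none d-md-table-cell">Difficulty&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</th>
+ <th scope="col" class="d-none d-sm-table-cell"
+ th:text="'Runs on environment (current: '+${environment}+')'"></th>
  </tr>
  </thead>
  <tbody>
  <tr th:each="challenge: ${challenges}">
- <td th:text="${challenge.link}"></td>
- <td><a th:href="@{/challenge} + '/' + ${challenge.link}"
- th:class="${challenge.isChallengeEnabled} ? '' : 'disabled'"><span
+ <th scope="row" class="d-none d-xl-table-cell" th:text="${challenge.link}"></th>
+ <td>&nbsp;<a th:href="@{/challenge} + '/' + ${challenge.link}"
+ th:class="${challenge.isChallengeEnabled} ? '' : 'disabled'"><span
  th:text="${challenge.name}"
  th:remove="tag"></span></a></td>
  <td th:text="${challenge.tech}"></td>
+ <td class="d-none d-md-table-cell">
+ <th:span th:each="i: ${#numbers.sequence(1, challenge.difficulty)}"><span>★ </span></th:span>
+ <th:span th:if="${challenge.difficulty<5}"
+ th:each="i: ${#numbers.sequence(challenge.difficulty+1, 5)}"><span>☆</span>
+ </th:span>
+ </td>
  <th:block th:if="${challenge.requiredEnv} == 'DOCKER'">
  <td>Docker</td>
  </th:block>
@@ -44,9 +54,10 @@
  <td>K8s or Minikube with Vault</td>
  </th:block>
  <th:block
- th:if="${challenge.requiredEnv} == 'AWS' or ${challenge.requiredEnv} == 'GCP'or ${challenge.requiredEnv} == 'AZURE'">
+ th:if="${challenge.requiredEnv} == 'AWS' or ${challenge.requiredEnv} == 'GCP' or ${challenge.requiredEnv} == 'AZURE'">
  <td>AWS, GCP, Azure</td>
  </th:block>
+
  </tr>
  </tbody>
  </table>
@@ -115,7 +126,9 @@
  <li><a
  href="https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Secrets_Management_CheatSheet.md">OWASP
  Secretsmanagement Cheatsheet</a></li>
- <li><a href="https://www.opencre.org/cre/223-780?register=true&type=tool&tool_type=training&tags=secrets,training&description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2014%20challenges%3F&trk=flagship-messaging-web&messageThreadUrn=urn:li:messagingThread:2-YmRkNjRkZTMtNjRlYS00OWNiLWI2YmUtMDYwNzY3ZjI1MDcyXzAxMg==&lipi=urn:li:page:d_flagship3_feed;J58Sgd80TdanpKWFMH6z+w==">Open CRE on Secrets Management</a></li>
+ <li><a
+ href="https://www.opencre.org/cre/223-780?register=true&type=tool&tool_type=training&tags=secrets,training&description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2014%20challenges%3F&trk=flagship-messaging-web&messageThreadUrn=urn:li:messagingThread:2-YmRkNjRkZTMtNjRlYS00OWNiLWI2YmUtMDYwNzY3ZjI1MDcyXzAxMg==&lipi=urn:li:page:d_flagship3_feed;J58Sgd80TdanpKWFMH6z+w==">Open
+ CRE on Secrets Management</a></li>
  </ul>
  </div>
  </div>
@@ -139,7 +152,9 @@
  </div>
  <div class="col-12 col-lg-7">
  <div class="border border-dark thank-you">
- Want to see if your tool of choice detects all the secrets available in this project? <a href="https://github.com/commjoen/wrongsecrets/#use-owasp-wrongsecrets-as-a-secret-detection-benchmark">Check the instructions in the README</a>.
+ Want to see if your tool of choice detects all the secrets available in this project? <a
+ href="https://github.com/commjoen/wrongsecrets/#use-owasp-wrongsecrets-as-a-secret-detection-benchmark">Check
+ the instructions in the README</a>.
  </div>
  </div>
  </div>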
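Review bot: The difficulty cell in the first hunk relies on a `<th:span>` element, which the standard dialect does not define (`th:block` is the only synthetic element), so the tag is most likely emitted to the browser literally; use `<th:block th:each="i: ${#numbers.sequence(1, challenge.difficulty)}"><span>★ </span></th:block>` and the same for the padding loop. The `th:if="${challenge.difficulty<5}"` guard on the padding loop is needed because `#numbers.sequence(difficulty+1, 5)` would count downward for a difficulty of 5; an HTML comment saying so (`<!-- guard: sequence() counts down when from > to -->`) would keep someone from "simplifying" it away. The remaining changes in the section (responsive column classes, wrapped anchors) are layout only.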
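--- a/src/test/java/org/owasp/wrongsecrets/ChallengesControllerCTFModeTest.java
+++ b/src/test/java/org/owasp/wrongsecrets/ChallengesControllerCTFModeTest.java
@@ -2,7 +2,6 @@
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.wrongsecrets.challenges.ChallengeForm;
 import org.owasp.wrongsecrets.challenges.docker.Challenge1;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
@@ -39,6 +38,14 @@
  }
 
  @Test
+ void shouldNotSpoilWhenInCTFModeEvenWhenChallengeUnsupported() throws Exception {
+ mvc.perform(get("/spoil-5"))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("Spoils are disabled in CTF mode")));
+
+ }
+
+ @Test
  void shouldShowFlagWhenRespondingWithSuccessInCTFMode() throws Exception {
  var spoil = new Challenge1(new InMemoryScoreCard(1)).spoiler().solution();
  mvc.perform(post("/challenge/1")
@@ -49,6 +56,42 @@
  .andExpect(status().isOk())
  .andExpect(content().string(containsString("ba9a72ac7057576344856")));
 
+ }
+
+
+ @Test
+ void shouldEnableK8sExercises() throws Exception{
+ mvc.perform(get("/"))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("class=\"disabled\">Challenge 5</a></td>")))
+ .andExpect(content().string(containsString("class=\"disabled\">Challenge 6</a></td>")))
+ .andExpect(content().string(containsString("class=\"disabled\">Challenge 7</a></td>")));
+ }
+
+ @Test
+ void shouldStillDissableTestsIfNotPreconfigured() throws Exception {
+ testK8sChallenge("/challenge/5");
+ testK8sChallenge("/challenge/6");
+ testK8sChallenge("/challenge/7");
+ testForCloudCluster("/challenge/9");
+ testForCloudCluster("/challenge/10");
+ testForCloudCluster("/challenge/11");
+ }
+
+ private void testK8sChallenge(String url) throws Exception {
+ mvc.perform(get(url)
+ .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+ .with(csrf()))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("We are running outside a K8s cluster")));
+ }
+
+ private void testForCloudCluster(String url) throws Exception {
+ mvc.perform(get(url)
+ .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+ .with(csrf()))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("We are running outside a properly configured Cloud environment.")));
  }
 }
 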
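Review bot: `shouldEnableK8sExercises` asserts that challenges 5, 6 and 7 render with `class="disabled"`, i.e. that they are not enabled, so the name states the opposite of what the test checks; rename it, e.g. `void shouldKeepK8sExercisesDisabledWhenNotPreconfigured()`, and fix the typo in `shouldStillDissableTestsIfNotPreconfigured`. The GET requests in `testK8sChallenge` and `testForCloudCluster` set a form content type and a CSRF token, neither of which a GET needs; dropping both keeps the helpers honest about what they exercise. The assertions are tied to the exact welcome.html markup (`</a></td>`), which is acceptable in a template test but deserves a one-line comment so a layout change is recognised as the cause when they break.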
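--- /dev/null
+++ b/src/test/java/org/owasp/wrongsecrets/ChallengesControllerCTFModeWithPresetCloudValuesTest.java
@@ -0,0 +1,106 @@
+package org.owasp.wrongsecrets;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.owasp.wrongsecrets.challenges.cloud.Challenge10;
+import org.owasp.wrongsecrets.challenges.cloud.Challenge11;
+import org.owasp.wrongsecrets.challenges.cloud.Challenge9;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.http.MediaType;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@ExtendWith(SpringExtension.class)
+@SpringBootTest(
+ properties = {"ctf_enabled=true", "ctf_key=randomtextforkey",
+ "SPECIAL_K8S_SECRET=test5", "SPECIAL_SPECIAL_K8S_SECRET=test6", "vaultpassword=test7",
+ "secretmountpath=nothere", "default_aws_value_challenge_9=ACTUAL_ANSWER_CHALLENGE9",
+ "default_aws_value_challenge_10=ACTUAL_ANSWER_CHALLENGE10", "default_aws_value_challenge_11=ACTUAL_ANSWER_CHALLENGE_11"},
+ classes = WrongSecretsApplication.class
+)
+@AutoConfigureMockMvc
+class ChallengesControllerCTFModeWithPresetCloudValuesTest {
+
+ @Autowired
+ private MockMvc mvc;
+
+
+ @Test
+ void shouldNotSpoilWhenInCTFMode() throws Exception {
+ mvc.perform(get("/spoil-9"))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("Spoils are disabled in CTF mode")));
+
+ }
+
+ @Test
+ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge9() throws Exception {
+ var spoil = new Challenge9(new InMemoryScoreCard(1), null, "ACTUAL_ANSWER_CHALLENGE9", new RuntimeEnvironment(RuntimeEnvironment.Environment.HEROKU_DOCKER)).spoiler().solution();
+ mvc.perform(post("/challenge/9")
+ .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+ .param("solution", spoil)
+ .param("action", "submit")
+ .with(csrf()))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("70d75bf845890b2419bd8795c")));
+ }
+
+ @Test
+ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge10() throws Exception {
+ var spoil = new Challenge10(new InMemoryScoreCard(1), null, "ACTUAL_ANSWER_CHALLENGE10", new RuntimeEnvironment(RuntimeEnvironment.Environment.HEROKU_DOCKER)).spoiler().solution();
+ mvc.perform(post("/challenge/10")
+ .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+ .param("solution", spoil)
+ .param("action", "submit")
+ .with(csrf()))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("176e937a2cafea3b0da3")));
+ }
+
+ @Test
+ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge11() throws Exception {
+ var spoil = new Challenge11(new InMemoryScoreCard(1),
+ "awsRoleArn", "tokenFileLocation",
+ "awsRegion", "gcpDefualtValue", "awsDefaultValue",
+ "azureDefaultValue", "azureVaultUri", "azureWrongSecret3",
+ "projectId", "ACTUAL_ANSWER_CHALLENGE_11", true,
+ new RuntimeEnvironment(RuntimeEnvironment.Environment.HEROKU_DOCKER)).spoiler().solution();
+
+ mvc.perform(post("/challenge/11")
+ .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+ .param("solution", spoil)
+ .param("action", "submit")
+ .with(csrf()))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("89aeb4b29d4a0bc13bd")));
+ }
+
+ @Test
+ void shouldEnableCloudExercises() throws Exception {
+ mvc.perform(get("/"))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("<td>&nbsp;<a href=\"/challenge/9\">Challenge 9</a></td>")))
+ .andExpect(content().string(containsString("<td>&nbsp;<a href=\"/challenge/10\">Challenge 10</a></td>")))
+ .andExpect(content().string(containsString("<td>&nbsp;<a href=\"/challenge/11\">Challenge 11</a></td>")));
+ }
+
+ @Test
+ void shouldEnableK8sExercises() throws Exception{
+ mvc.perform(get("/"))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("<td>&nbsp;<a href=\"/challenge/5\">Challenge 5</a></td>")))
+ .andExpect(content().string(containsString("<td>&nbsp;<a href=\"/challenge/6\">Challenge 6</a></td>")))
+ .andExpect(content().string(containsString("<td>&nbsp;<a href=\"/challenge/7\">Challenge 7</a></td>")));
+ }
+
+}
+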
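--- /dev/null
+++ b/src/test/java/org/owasp/wrongsecrets/ChallengesControllerCTFModeWithPresetK8sValuesTest.java
@@ -0,0 +1,88 @@
+package org.owasp.wrongsecrets;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.owasp.wrongsecrets.challenges.kubernetes.Challenge5;
+import org.owasp.wrongsecrets.challenges.kubernetes.Challenge6;
+import org.owasp.wrongsecrets.challenges.kubernetes.Challenge7;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.http.MediaType;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@ExtendWith(SpringExtension.class)
+@SpringBootTest(
+ properties = {"ctf_enabled=true", "ctf_key=randomtextforkey", "SPECIAL_K8S_SECRET=test5", "SPECIAL_SPECIAL_K8S_SECRET=test6", "vaultpassword=test7"},
+ classes = WrongSecretsApplication.class
+)
+@AutoConfigureMockMvc
+class ChallengesControllerCTFModeWithPresetK8sValuesTest {
+
+ @Autowired
+ private MockMvc mvc;
+
+
+ @Test
+ void shouldNotSpoilWhenInCTFMode() throws Exception {
+ mvc.perform(get("/spoil-5"))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("Spoils are disabled in CTF mode")));
+
+ }
+
+ @Test
+ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge5() throws Exception {
+ var spoil = new Challenge5(new InMemoryScoreCard(1), "test5").spoiler().solution();
+ mvc.perform(post("/challenge/5")
+ .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+ .param("solution", spoil)
+ .param("action", "submit")
+ .with(csrf()))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("26d5e409100ca8dc3bd2dba115b81f5b7889fbbd")));
+ }
+
+ @Test
+ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge6() throws Exception {
+ var spoil = new Challenge6(new InMemoryScoreCard(1), "test6").spoiler().solution();
+ mvc.perform(post("/challenge/6")
+ .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+ .param("solution", spoil)
+ .param("action", "submit")
+ .with(csrf()))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("18af49a1b18359e0bf9b9a0")));
+ }
+
+ @Test
+ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge7() throws Exception {
+ var spoil = new Challenge7(new InMemoryScoreCard(1), null, "test7").spoiler().solution();
+ mvc.perform(post("/challenge/7")
+ .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+ .param("solution", spoil)
+ .param("action", "submit")
+ .with(csrf()))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("881951b59ea4818c2")));
+ }
+
+ @Test
+ void shouldEnableK8sExercises() throws Exception{
+ mvc.perform(get("/"))
+ .andExpect(status().isOk())
+ .andExpect(content().string(containsString("<td>&nbsp;<a href=\"/challenge/5\">Challenge 5</a></td>")))
+ .andExpect(content().string(containsString("<td>&nbsp;<a href=\"/challenge/6\">Challenge 6</a></td>")))
+ .andExpect(content().string(containsString("<td>&nbsp;<a href=\"/challenge/7\">Challenge 7</a></td>")));
+ }
+
+}
+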
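Review bot: The expected flag values asserted in the three Challenge5/6/7 tests (`26d5e409100ca8dc3bd2dba115b81f5b7889fbbd`, `18af49a1b18359e0bf9b9a0`, `881951b59ea4818c2`) are opaque literals with nothing in the file saying how they were produced, so when one of them fails a maintainer cannot tell a real regression from a stale fixture. They are presumably derived from the `ctf_key=randomtextforkey` property together with the preset answers `test5`/`test6`/`test7`, and their differing lengths suggest only a prefix of each flag is being matched; a class-level comment making that explicit, e.g. `// Expected flags are the CTF-mode flags for ctf_key "randomtextforkey" and answers test5/test6/test7; regenerate them if either property changes`, would pin the coupling to the `@SpringBootTest` properties. Separately, `shouldNotSpoilWhenInCTFMode` only requests `/spoil-5`, so the spoiler guard is unverified for the two other preset challenges; repeating the assertion for `/spoil-6` and `/spoil-7` would cover each challenge the class configures. The same unexplained-fixture pattern appears in the cloud-values test class in the previous file section.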