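--- /dev/null
+++ b/.eslintrc.js
@@ -0,0 +1,19 @@
+module.exports = {
+ env: {
+ jest: true,
+ 'cypress/globals': true,
+ browser: true,
+ commonjs: true,
+ es2021: true
+ },
+ extends: 'standard',
+ overrides: [
+ ],
+ parserOptions: {
+ ecmaVersion: 'latest'
+ },
+ rules: {
+ },
+ plugins: ['cypress']
+}
+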
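--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,3 +1,3 @@
-custom: https://owasp.org/donate/?reponame=www-project-wrongsecrets&title=OWASP+wrongsecrets
+custom: ["https://owasp.org/donate/?reponame=www-project-wrongsecrets&title=OWASP+wrongsecrets", "https://www.icrc.org/en/donate/ukraine"]
 github: OWASP
 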
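--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/01_bug_report.md
@@ -0,0 +1,31 @@
+---
+name: 🐜 Bug report
+about: If something isn't working 🔧
+labels: bug
+---
+
+<!-- Note: not all sections may be necessary. Strip out what you don't need. -->
+
+### Please describe your environment
+
+At least:
+
+- Operating System + version (and distro if linux):
+- Software versions (Java, Terraform, etc)
+
+### What is the expected behavior?
+
+### What is the actual behavior?
+
+### Please provide a reproducible path or test that demonstrates the bug.
+
+### Other notes on how to reproduce the issue
+
+### Please provide relevant logs
+
+### Any possible solutions?
+
+### If the bug is confirmed, would you be willing to submit a PR?
+
+Yes / No _(Help can be provided if you need assistance submitting a PR)_
+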
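--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/02_feature_request.md
@@ -0,0 +1,21 @@
+---
+name: 🚀 Feature request
+about: If you have a feature request 💡
+---
+
+### Context
+
+What are you trying to do and how would you want to do it differently? Is it something you currently you cannot do? Is this related to an issue/problem? Do you want support for a new platform?
+
+### Alternatives
+
+Can you achieve the same result doing it in an alternative way? Is the alternative considerable?
+
+### Has the feature been requested before?
+
+Please provide a link to the issue.
+
+### If the feature request is approved, would you be willing to submit a PR?
+
+Yes / No _(Help can be provided if you need assistance submitting a PR)_
+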
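--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/03_challenge_idea.md
@@ -0,0 +1,20 @@
+---
+name: 🧩 Challenge idea
+about: If you have a challenge idea 💡
+labels: "New Challenge"
+---
+
+### Context
+
+- What should the challenge scenario be like?
+- What should the participant learn from completing the challenge?
+- For what category would the challenge be? (e.g. Docker, K8s, binary)
+
+### Did you encounter this in real life? Could you tell us more about the scenario?
+
+**Don't break any NDAs 🙃**
+
+### If the challenge request is approved, would you be willing to submit a PR?
+
+Yes / No _(Help can be provided if you need assistance submitting a PR)_
+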
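--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,9 @@
+blank_issues_enabled: false
+contact_links:
+ - name: OWASP Slack registration
+ url: https://owasp.org/slack/invite
+ about: Sign up for OWASP slack to contact us there
+ - name: WrongSecrets Slack Channel
+ url: https://owasp.slack.com/archives/C02KQ7D9XHR
+ about: Please ask questions here. Please also report security vulnerabilities here (`#project-wrongsecrets`). 🏥
+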
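Review bot: The contact link at new line 8 sends vulnerability reports to a public Slack channel, which makes it a disclosure channel rather than a reporting one: every member of the workspace can read a report before a fix exists. Consider pointing that entry at a private path (a security policy file such as SECURITY.md with a direct contact, or the forge's private vulnerability reporting if it is enabled) and keeping the channel for questions, e.g. `about: Please ask questions here. For security vulnerabilities, follow the project's security policy instead of posting in the channel.` The channel id itself is fine to publish.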
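--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -18,9 +18,15 @@
  schedule:
  interval: "monthly"
 
- # check our npm
+ # check our npm in project
  - package-ecosystem: "npm"
  directory: "/js"
+ schedule:
+ interval: "monthly"
+
+ # check our npm for dev
+ - package-ecosystem: "npm"
+ directory: "/"
  schedule:
  interval: "monthly"
 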
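--- /dev/null
+++ b/.github/scripts/clean_terraform.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Usage: source this script with source ./clean_terraform.sh and run clean_terraform
+function clean_terraform {
+ echo "Finding and removing terraform artifacts and cache..."
+ for filename in $(
+ find . -name '.terraform*' \
+ ! -path "./prod/*" ! -path "./test/*" \
+ ! -path "./dev/*" ! -path "./uat/*"
+ ); do
+ echo "removing: " $filename"..."
+ rm -rf $filename
+ done
+ echo "Done!"
+}
+
+# Uncomment if you want to run this script directly instead of sourcing
+# clean_terraform
+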
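Review bot: The `for filename in $(find ...)` loop at new lines 5-12 word-splits and glob-expands the paths it gets back, and `rm -rf $filename` at line 11 is unquoted, so a path containing whitespace is removed as several wrong paths rather than the intended one. Letting `find` do the removal with `-exec` and `--` avoids the splitting, and `-prune` stops `find` from descending into a directory it is about to delete. Separately, `-name '.terraform*'` also matches `.terraform.lock.hcl`, the provider lock file whose recorded hashes pin which provider builds `terraform init` accepts; if deleting it is intended, a comment to that effect would save the next reader from assuming it is an accident, and if not, add `! -name '.terraform.lock.hcl'` to the expression.
```shell
 echo "Finding and removing terraform artifacts and cache..."
 find . -name '.terraform*' \
     ! -path "./prod/*" ! -path "./test/*" \
     ! -path "./dev/*" ! -path "./uat/*" \
     -prune -print -exec rm -rf -- {} +
 # … unchanged: "Done!" message …
```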
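--- a/.github/scripts/docker-create.sh
+++ b/.github/scripts/docker-create.sh
@@ -7,7 +7,7 @@
  # Display Help
  echo "A versatile script to create a docker image for testing. Call this script with no arguments to simply create a local image that you can use to test your changes. For more complex use see the below help section"
  echo
- echo "Syntax: docker-create.sh [-h (help)|-t (test)|-p (publish)|-e (herokud)|-f (herokup)|-g (fly)|-n (notag) [tag={tag}|message={message}|buildarg={buildarg}|springProfile={springProfile}]"
+ echo "Syntax: docker-create.sh [-h (help)|-t (test)|-p (publish)|-e (herokud)|-f (herokup)|-g (fly)|-o (okteto)|-n (notag) [tag={tag}|message={message}|buildarg={buildarg}|springProfile={springProfile}]"
  echo "options: (All optional)"
  echo "tag= Write a custom tag that will be added to the container when it is build locally."
  echo "message= Write a message used for the actual tag-message in git"
@@ -28,6 +28,23 @@
  exit
  fi
 }
+
+Okteto_redeploy(){
+ break_on_tag
+ echo "Rebuilding the Okteto environment: https://wrongsecrets-commjoen.cloud.okteto.net/"
+ echo "Check if all required binaries are installed"
+ source ../../scripts/check-available-commands.sh
+ checkCommandsAvailable okteto
+ echo "validating okteto k8 deployment to contain the right container with tag "${tag}" (should be part of '$(cat ../../okteto/k8s/secret-challenge-deployment.yml | grep image)')"
+ if [[ "$(cat ../../okteto/k8s/secret-challenge-deployment.yml | grep image)" != *"${tag}"* ]]; then
+ echo "tag ${tag} in ../../okteto/k8s/secret-challenge-deployment.yml not properly set, aborting"
+ exit
+ fi
+ cd ../../okteto
+ okteto destroy
+ okteto deploy
+}
+
 heroku_check_container() {
  break_on_tag
  echo "validating dockerfile to contain tag "${tag}" (should be part of '$(head -n 1 ../../Dockerfile.web)')"
@@ -90,7 +107,7 @@
 # Set option to local if no option provided
 script_mode="local"
 # Parse provided options
-while getopts ":htpefgn*" option; do
+while getopts ":htpefgon*" option; do
  case $option in
  h) # display Help
  Help
@@ -111,6 +128,9 @@
  g) #Helper
  script_mode="fly_p"
  ;;
+ o) #okteto
+ script_mode="okteto"
+ ;;
  n) #notags
  disable_tagging_in_git="true"
  ;;
@@ -127,7 +147,7 @@
 ################################################
 for ARGUMENT in "$@";
 do
- if [[ $ARGUMENT != "-h" && $ARGUMENT != "-t" && $ARGUMENT != "-p" && $ARGUMENT != "-e" && $ARGUMENT != "-f" && $ARGUMENT != "-g" ]]
+ if [[ $ARGUMENT != "-h" && $ARGUMENT != "-t" && $ARGUMENT != "-p" && $ARGUMENT != "-e" && $ARGUMENT != "-f" && $ARGUMENT != "-g" && $ARGUMENT != "-o" ]]
  then
  KEY=$(echo "$ARGUMENT" | cut -f1 -d=)
  KEY_LENGTH=${#KEY}
@@ -188,6 +208,8 @@
  Heroku_publish_prod
 elif [[ $script_mode == "fly_p" ]]; then
  Fly_publish
+elif [[ $script_mode == "okteto" ]]; then
+ Okteto_redeploy
 fi
 
 
@@ -263,6 +285,18 @@
 }
 
 build_update_pom() {
+ echo "Building new license overview"
+ cd ../.. && mvn license:add-third-party -Dlicense.excludedScopes=test
+ cd .github/scripts
+ echo "preprocessing third party file"
+ sed '/^$/d' ../../target/generated-sources/license/THIRD-PARTY.txt > temp1a.txt
+ sed '/^Lists/ s/./ &/' temp1a.txt > temp1.txt
+ sed 's/^ / <li>/' temp1.txt > temp2.txt
+ sed 's/$/<\/li>/' temp2.txt > temp3.txt
+ echo "refreshing licenses into the file"
+ sed -n '1,/MARKER-start/p;/MARKER-end/,$p' ../../src/main/resources/templates/about.html | gsed '/MARKER-end-->/e cat temp3.txt ' > temp4.txt
+ mv temp4.txt ../../src/main/resources/templates/about.html
+ rm tem*.txt
  echo "Building and updating pom.xml file so we can use it in our docker"
  cd ../.. && mvn clean && mvn --batch-mode release:update-versions -DdevelopmentVersion=${tag}-SNAPSHOT && mvn install -DskipTests
  cd .github/scripts
@@ -274,13 +308,23 @@
  echo "Creating containers"
  if [[ "$script_mode" == "publish" ]]; then
  docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
  docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
  docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
  docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
  docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
  docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
  cd ../..
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:$tag -f Dockerfile.webdesktop --push .
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:$tag -f Dockerfile_webdesktop --push .
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:latest -f Dockerfile_webdesktop --push .
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:$tag -f Dockerfile_webdesktopk8s --push .
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:latest -f Dockerfile_webdesktopk8s --push .
+ cd .github/scripts
  elif [[ "$script_mode" == "test" ]]; then
  docker buildx build -t jeroenwillemsen/wrongsecrets:$tag --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --load ./../../.
  else
@@ -349,6 +393,8 @@
  else
  log_failure "The container test has failed, this means that when we built your changes and ran a basic sanity test on the homepage it failed. Please build the container locally and double check the container is running correctly."
  fi
+ echo "testing curl for webjar caching"
+ curl -I 'http://localhost:8080/webjars/bootstrap/5.2.3/css/bootstrap.min.css'
  echo "Testing complete"
  else
  return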
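Review bot: In `build_update_pom` (new lines 288-299) the lines of THIRD-PARTY.txt are wrapped in `<li>` and spliced into the served about.html template with no HTML escaping; the artifact names and URLs in that file come from third-party POM metadata, so any markup in a dependency's metadata would land verbatim in a page the application renders. An escaping pass before the wrap, `sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g' temp1.txt > temp1b.txt` (and wrapping temp1b.txt instead), closes that, and `rm tem*.txt` at line 299 is broader than the four temp files it means to remove — `rm -f temp1a.txt temp1.txt temp2.txt temp3.txt` does not sweep up unrelated files in .github/scripts. In `Okteto_redeploy` the abort at new line 41 is a bare `exit`, which returns status 0 to a CI caller that would need `exit 1` to notice, and the `gsed` dependency at line 297 is not covered by the `checkCommandsAvailable` call the new Okteto function uses. The webjar check added at lines 396-397 only prints headers; `curl -fsI ... | grep -i 'cache-control'` would make it an actual assertion.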
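--- a/.github/workflows/challenge13.yml
+++ b/.github/workflows/challenge13.yml
@@ -2,6 +2,10 @@
 
 on:
  workflow_dispatch:
+ schedule:
+ - cron: "0 9 1 1-12 *" #see https://www.airplane.dev/blog/scheduling-your-github-actions-cron-style
+permissions:
+ contents: read
 jobs:
  dump:
  name: get the data with shell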
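--- a/.github/workflows/codeclimate_standalone.yml
+++ b/.github/workflows/codeclimate_standalone.yml
@@ -5,8 +5,8 @@
 on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
-
-
+permissions:
+ contents: read
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
  code-quality:
@@ -17,12 +17,12 @@
  uses: actions/checkout@v3
 
  - name: Run Code Climate
- uses: erzz/[email protected].4
+ uses: erzz/[email protected].5
  with:
  html_report: true
  info_threshold: 50
  minor_threshold: 25
- major_threshold: 10
+ major_threshold: 30
  critical_threshold: 5
  blocker_threshold: 1
 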
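Review bot: The action reference at new line 20 (`erzz/[email protected].5`, whose version is partly redacted in this rendering) is a mutable tag, so the job runs whatever that tag points to at run time; pinning third-party actions to a full commit SHA with the tag in a trailing comment, e.g. `uses: erzz/codeclimate-standalone@<commit-sha> # <version tag>`, makes the supply chain reproducible and reviewable. The same applies to `s4u/setup-maven-action` in codeql-analysis.yml and container_test.yml, `douglascamata/setup-docker-macos-action@v1-alpha` in container-alts-test.yml, `eLco/setup-vault` and `medyagh/setup-minikube@master` in minikube-vault-test.yml and minikube-k8s-test.yml, and `trufflesecurity/trufflehog@main` in scanners.yml, where the `@master`/`@main` references float with the upstream default branch. The `major_threshold` change from 10 to 30 at line 25 loosens the quality gate threefold and deserves a one-line comment stating why.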
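--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -13,7 +13,13 @@
 
 on:
  workflow_dispatch:
-
+ push:
+ branches:
+ - master
+ pull_request:
+ branches: [master]
+permissions:
+ contents: read
 jobs:
  analyze:
  name: Analyze
@@ -26,40 +32,46 @@
  strategy:
  fail-fast: false
  matrix:
- language: [ 'java' ]
+ language: ["java"]
  # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
  # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
  steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
- with:
- languages: ${{ matrix.language }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
- # queries: ./path/to/local/query, your-org/your-repo/queries@main
+ - name: Checkout repository
+ uses: actions/checkout@v3
 
- # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
- # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+ # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
- # ℹ️ Command-line programs to run using the OS shell.
- # 📚 https://git.io/JvXDl
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ #- name: Autobuild
+ # uses: github/codeql-action/autobuild@v2
 
- # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
+ # ℹ️ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
 
- #- run: |
- # make bootstrap
- # make release
+ # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+ # and modify them (or add more) to build your code if your project
+ # uses a compiled language
 
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ #- run: |
+ # make bootstrap
+ # make release
+ - name: Setup Maven Action
+ uses: "s4u/[email protected]"
+ with:
+ java-version: 19
+ maven-version: 3.8.5
+ - name: run mvn clean package
+ run: mvn clean package -Ddependency-check.skip=true -Dmaven.test.skip=true
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
 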
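Review bot: The workflow-level `permissions:` block at new lines 21-22 grants only `contents: read`, and an explicit block sets every unlisted scope to none, while `github/codeql-action/analyze@v2` at line 76 uploads its SARIF results to code scanning and needs `security-events: write` for that; as written the upload fails on runs from this repository. Add `security-events: write` under `contents: read` (and `actions: read` if this is run on a private repository). The replacement of Autobuild by an explicit `mvn clean package` at lines 68-74 is fine since it runs after the `Initialize CodeQL` step, which is what lets the Java extractor observe the compilation; a short comment saying the build must stay between init and analyze would stop a later reorder from silently producing an empty database.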
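--- /dev/null
+++ b/.github/workflows/container-alts-test.yml
@@ -0,0 +1,39 @@
+name: Test container on podman and Colima
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches: [master]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ test-podman:
+ name: Test with podman
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: run container
+ run: |
+ podman run -dt -p 8080:8080 docker.io/jeroenwillemsen/wrongsecrets:latest-no-vault && \
+ echo "wait 20 seconds for container to come up" && sleep 20 && \
+ curl localhost:8080
+ test-colima:
+ name: Test with Colima
+ runs-on: macos-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: douglascamata/setup-docker-macos-action@v1-alpha
+ - name: setup colima
+ run: |
+ echo "Colima version: ${{ steps.docker.outputs.colima-version }}"
+ - name: test if container comes up
+ run: |
+ docker run -d -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault && \
+ echo "wait 40 seconds for container to come up" && sleep 40 && \
+ curl localhost:8080
+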
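Review bot: The `setup colima` step at new line 33 reads `steps.docker.outputs.colima-version`, but the `douglascamata/setup-docker-macos-action@v1-alpha` step above it has no `id: docker`, so the expression always expands to an empty string; add `id: docker` to that step. Both jobs also exercise the published `jeroenwillemsen/wrongsecrets:latest-no-vault` image rather than the checked-out commit, so the `actions/checkout@v3` steps contribute nothing to the test and a pull request cannot change its outcome, which instead tracks a mutable registry tag. A comment stating that this workflow deliberately validates the published image on alternative runtimes would make that intent clear. `curl localhost:8080` succeeds on any HTTP response; `curl -fsS localhost:8080 >/dev/null` makes a non-2xx status fail the step.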
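--- a/.github/workflows/container_test.yml
+++ b/.github/workflows/container_test.yml
@@ -2,14 +2,15 @@
 
 name: Docker container test
 
-# Controls when the workflow will run
 on:
- # Triggers the workflow on push or pull request events but only for the master branch
  push:
-
- # Allows you to run this workflow manually from the Actions tab
+ branches:
+ - master
+ pull_request:
+ branches: [master]
  workflow_dispatch:
-
+permissions:
+ contents: read
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
  test:
@@ -18,12 +19,11 @@
  # Steps represent a sequence of tasks that will be executed as part of the job
  steps:
  - name: Setup Maven Action
- uses: "s4u/setup-maven-action@v1.5.0"
+ uses: "s4u/setup-maven-action@v1.7.0"
  with:
- java-version: 18
+ java-version: 19
  maven-version: 3.8.5
  - uses: actions/checkout@v3
  - name: Navigate to test script and run
  run: cd .github/scripts && bash docker-create.sh -t
 
-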
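--- /dev/null
+++ b/.github/workflows/dast-zap-test.yml
@@ -0,0 +1,34 @@
+name: DAST with ZAP
+
+on:
+ pull_request:
+ branches: [master]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ test-dast:
+ name: DAST test with ZAP
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up JDK 19
+ uses: actions/setup-java@v3
+ with:
+ java-version: "19"
+ distribution: "temurin"
+ - name: Clean install
+ run: ./mvnw --no-transfer-progress clean install -DskipTests -Ddependency-check.skip -Dcyclonedx.skip=true -Dexec.skip
+ - name: Start wrongsecrets
+ run: nohup ./mvnw spring-boot:run -Dspring-boot.run.profiles=without-vault &
+ - name: ZAP Scan
+ uses: zaproxy/[email protected]
+ with:
+ allow_issue_writing: false
+ docker_name: "owasp/zap2docker-stable"
+ target: "http://localhost:8080"
+ rules_file_name: config/zap/rule-config.tsv
+ fail_action: true
+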
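Review bot: The `ZAP Scan` step at new line 26 starts immediately after `nohup ./mvnw spring-boot:run ... &` at line 25, with nothing waiting for the application to listen on port 8080, so the scan races application start-up; with `fail_action: true` a slow start fails the job, and a half-started application yields a scan that covers less than it appears to. A bounded readiness wait between the two steps, e.g. `run: timeout 300 sh -c 'until curl -fsS http://localhost:8080 >/dev/null; do sleep 5; done'`, makes the result reproducible. The same race exists in java_swagger_doc.yml between `Start wrongsecrets` and `Generate swaggerdoc`, if that goal reads the API document from the running instance.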
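--- /dev/null
+++ b/.github/workflows/java_swagger_doc.yml
@@ -0,0 +1,42 @@
+name: Javadoc and Swaggerdoc generator
+
+on:
+ repository_dispatch:
+ workflow_dispatch:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+permissions:
+ contents: read
+jobs:
+ javaDocGenerator:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up JDK 19
+ uses: actions/setup-java@v3
+ with:
+ java-version: "19"
+ distribution: "temurin"
+ - name: Clean install
+ run: ./mvnw --no-transfer-progress clean install -DskipTests -Ddependency-check.skip -Dcyclonedx.skip=true -Dexec.skip
+ - name: Compile javadoc
+ run: ./mvnw --no-transfer-progress compile javadoc:javadoc
+ - name: Start wrongsecrets
+ run: nohup ./mvnw --no-transfer-progress spring-boot:run -Dspring-boot.run.profiles=without-vault &
+ - name: Compile javadocs
+ run: ./mvnw --no-transfer-progress compile javadoc:javadoc
+ - name: Generate swaggerdoc
+ run: ./mvnw --no-transfer-progress springdoc-openapi:generate
+ - name: Upload swagger api doc
+ uses: actions/upload-artifact@v3
+ with:
+ name: apidocs
+ path: target/openapi.json
+ - name: Upload javadoc
+ uses: actions/upload-artifact@v3
+ with:
+ name: javadoc
+ path: target/site
+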
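Review bot: The `Compile javadoc` step at new lines 24-25 and the `Compile javadocs` step at lines 28-29 run the identical `./mvnw --no-transfer-progress compile javadoc:javadoc` command, so one of them is redundant and the job pays for the compile twice; keep a single step, and if the second one is meant to double as a delay while the application starts, replace it with an explicit readiness wait instead. The `Clean install` step at line 23 already compiles the project, so the `compile` goal in the retained step is also unnecessary, though harmless.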
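--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,17 +1,20 @@
 # This is a basic workflow to help you get started with Actions
 
-name: Java checkstyle and testing
+name: Java spotbugs, checkstyle and testing
 
 # Controls when the workflow will run
 on:
  # Triggers the workflow on push or pull request events but only for the master branch
  push:
+ branches:
+ - master
  pull_request:
- branches: [ master ]
+ branches: [master]
 
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
-
+permissions:
+ contents: read
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
  test:
@@ -20,24 +23,59 @@
  # Steps represent a sequence of tasks that will be executed as part of the job
  steps:
  - uses: actions/checkout@v3
- - name: Set up JDK 18
+ - name: Set up JDK 19
  uses: actions/setup-java@v3
  with:
- java-version: '18'
- distribution: 'temurin'
+ java-version: "19"
+ distribution: "temurin"
  - name: Test with Maven
  run: mvn --no-transfer-progress test
-
+ ui-test:
+ name: UI test with Cypress
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - name: Install node
+ uses: actions/setup-node@v3
+ - name: Set up JDK 19
+ uses: actions/setup-java@v3
+ with:
+ java-version: "19"
+ distribution: "temurin"
+ - name: Test with Cypress
+ run: mvn verify -Dexec.id=xcypress-test -DskipTests -Ddependency-check.skip
+ - name: Uploading screenshots
+ uses: actions/upload-artifact@v3
+ if: failure()
+ with:
+ name: screenshots
+ path: cypress/screenshots
  lint:
  name: lint javacode
  runs-on: ubuntu-latest
  steps:
  - uses: actions/checkout@v3
- - name: Set up JDK 18
+ - name: Set up JDK 19
  uses: actions/setup-java@v3
  with:
- java-version: '18'
- distribution: 'temurin'
+ java-version: "19"
+ distribution: "temurin"
  - name: checkstyle with Maven
  run: mvn --no-transfer-progress checkstyle:check
 
+ spotbugs:
+ name: execute java spotbugs
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up JDK 19
+ uses: actions/setup-java@v3
+ with:
+ java-version: "19"
+ distribution: "temurin"
+ - name: spotbugs with Maven
+ run: mvn --no-transfer-progress package -DskipTests spotbugs:check
+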
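Review bot: The `Install node` step at new lines 41-42 uses `actions/setup-node@v3` with no `node-version`, so the Cypress job runs on whichever Node the runner image happens to ship, whereas pre-commit.yml in this same commit pins `node-version: 18`; adding `with:` / `node-version: 18` here keeps the two jobs consistent and the UI test reproducible. `fetch-depth: 0` at line 40 clones the full history, which nothing in the Cypress job appears to use; dropping it shortens checkout. The JDK setup block is now repeated verbatim in four jobs, which a later version bump has to touch four times — a workflow-level `env` value for the Java version would keep them in step.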
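--- a/.github/workflows/minikube-k8s-test.yml
+++ b/.github/workflows/minikube-k8s-test.yml
@@ -4,10 +4,15 @@
 
 # Controls when the workflow will run
 on:
+ push:
+ branches:
+ - master
  pull_request:
- branches: [ master ]
+ branches: [master]
  workflow_dispatch:
 
+permissions:
+ contents: read
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
  test-minikube:
@@ -19,13 +24,15 @@
  - name: Start minikube
  uses: medyagh/setup-minikube@master
  with:
- minikube-version: 1.25.2
+ minikube-version: 1.29.0
  driver: docker
- kubernetes-version: v1.22.5
+ kubernetes-version: v1.25.6
  - name: test script
  run: |
+ kubectl apply -f k8s/workspace-psa.yml
  kubectl apply -f k8s/secrets-config.yml
  kubectl apply -f k8s/secrets-secret.yml
+ kubectl apply -f k8s/challenge33.yml
  kubectl apply -f k8s/secret-challenge-deployment.yml
  while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
  kubectl logs -l app=secret-challenge -f >> pod.log &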
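Review bot: `kubectl apply -f k8s/workspace-psa.yml` at new line 32 presumably sets Pod Security Admission labels on the namespace (the file is not on this page); if so, its position before the deployment matters, because admission only gates pods created after the labels exist, and a one-line comment in the script, `# PSA labels first: admission applies only to pods created afterwards`, stops a later reorder from silently weakening the test. The readiness loop at line 37 is unchanged by this commit but has no upper bound, so a pod the new policy rejects never becomes Ready and the job waits until the workflow timeout; a bounded wait such as `kubectl wait --for=condition=Ready pod -l app=secret-challenge --timeout=300s` fails fast and prints the reason. Nothing checks that the resources from the new `k8s/challenge33.yml` at line 35 come up either.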
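--- a/.github/workflows/minikube-vault-test.yml
+++ b/.github/workflows/minikube-vault-test.yml
@@ -4,10 +4,15 @@
 
 # Controls when the workflow will run
 on:
+ push:
+ branches:
+ - master
  pull_request:
- branches: [ master ]
+ branches: [master]
  workflow_dispatch:
 
+permissions:
+ contents: read
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
  test-minikube:
@@ -16,17 +21,15 @@
  # Steps represent a sequence of tasks that will be executed as part of the job
  steps:
  - uses: actions/checkout@v3
- - uses: innovationnorway/setup-vault@v1
- with:
- version: '>1.9'
+ - uses: eLco/setup-vault@v1.0.2
  - name: Start minikube
  uses: medyagh/setup-minikube@master
  with:
- minikube-version: 1.25.2
+ minikube-version: 1.29.0
  driver: docker
- kubernetes-version: v1.22.5
+ kubernetes-version: v1.25.6
  - name: Setup helm
- uses: azure/setup-helm@v3.3
+ uses: azure/setup-helm@v3.5
  id: install
  - name: test script
  run: |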
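Review bot: The swap at new line 24 from `innovationnorway/setup-vault@v1` to `eLco/setup-vault@v1.0.2` changes which third party's code runs inside the job, with access to the checkout and anything the job exposes, and it also drops the former `version: '>1.9'` constraint, so the Vault version under test is now whatever the new action installs by default. If the action takes a version input, pass the version explicitly, and in any case record in a comment which Vault version the test is expected to exercise so a silent default change upstream is noticed. The test script itself continues outside the hunk, so whether it depends on a particular Vault version cannot be judged here.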
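--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,65 @@
+name: Pre-commit check
+
+# Controls when the workflow will run
+on:
+pull_request:
+branches: [master]
+workflow_dispatch:
+
+env:
+TF_DOCS_VERSION: v0.16.0
+TFSEC_VERSION: v1.27.6
+TFLINT_VERSION: v0.41.0
+permissions:
+contents: read
+jobs:
+pre-commit:
+name: Pre-commit check
+runs-on: ubuntu-latest
+steps:
+- name: Checkout git repository
+uses: actions/checkout@v3
+- name: Setup python
+uses: actions/setup-python@v4
+with:
+python-version: "3.9"
+- uses: actions/setup-node@v3
+with:
+node-version: 18
+cache: "npm"
+- uses: actions/setup-java@v3
+with:
+distribution: 'temurin'
+java-version: '19'
+- name: Install npm dependencies
+run: npm install
+- uses: actions/cache@v3
+name: Cache plugin dir
+with:
+path: ~/.tflint.d/plugins
+key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
+- name: Setup Terraform
+uses: hashicorp/setup-terraform@v2
+with:
+terraform_version: 1.1.7
+- name: Setup TFLint
+uses: terraform-linters/setup-tflint@v3
+with:
+tflint_version: ${{env.TFLINT_VERSION}}
+- name: Setup Terraform docs
+run: |
+wget https://github.com/terraform-docs/terraform-docs/releases/download/${{env.TF_DOCS_VERSION}}/terraform-docs-${{env.TF_DOCS_VERSION}}-linux-amd64.tar.gz -O terraform_docs.tar.gz
+tar -zxvf terraform_docs.tar.gz terraform-docs
+chmod +x terraform-docs
+mv terraform-docs /usr/local/bin/
+- name: Setup tfsec
+run: |
+curl --output tfsec https://github.com/aquasecurity/tfsec/releases/download/${{env.TFSEC_VERSION}}/tfsec-linux-amd64
+chmod +x tfsec
+mv tfsec /usr/local/bin/
+- name: Pre-commit checks
+uses: pre-commit/[email protected]
+- name: pre-commit-ci-lite
+uses: pre-commit-ci/[email protected]
+if: always()
+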
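Review bot: The terraform-docs and tfsec binaries fetched in the `Setup Terraform docs` and `Setup tfsec` steps are moved into /usr/local/bin and executed without any integrity check, so a substituted or tampered release asset would run with the job's permissions; verify a pinned digest before the `mv`, e.g. `echo "<sha256 placeholder>  terraform_docs.tar.gz" | sha256sum -c -` after the wget, and the same for the tfsec binary. The tfsec download also uses `curl --output tfsec ...` without `-fL`, so a redirect (which GitHub release URLs normally send) or an HTTP error writes a non-binary file and the step still reports success — `curl -fsSL --output tfsec ...` fails loudly instead. Separately, the cache key references `${{ matrix.os }}` but this job declares no matrix, so the key presumably collapses to `-tflint-<hash>`; `${{ runner.os }}` looks like what was intended.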
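--- /dev/null
+++ b/.github/workflows/scanners.yml
@@ -0,0 +1,21 @@
+name: Leaked Secrets Scan With Trufflehog
+on:
+workflow_dispatch:
+permissions:
+contents: read
+jobs:
+TruffleHog:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout code
+uses: actions/checkout@v3
+with:
+fetch-depth: 0
+- name: TruffleHog OSS
+uses: trufflesecurity/trufflehog@main
+with:
+path: ./
+base: experiment-bed
+head: HEAD
+extra_args: --debug --only-verified
+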
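Review bot: `uses: trufflesecurity/trufflehog@main` pins the scanner to a moving branch, so each run executes whatever is currently on main of a third-party action that is handed the full repository history (`fetch-depth: 0`) and, with `--only-verified`, contacts credential providers to validate what it finds; pin it to a release tag or, better, a full commit SHA, e.g. `uses: trufflesecurity/trufflehog@<release tag or commit SHA>`. `base: experiment-bed` hardcodes a branch name; if that ref is absent in the checkout the diff scan presumably fails or scans nothing, so either `base: ${{ github.event.repository.default_branch }}` or a comment explaining the fixed branch would help. `--debug` also makes the job log considerably more verbose than a secrets-scan log should be.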
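--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -3,18 +3,21 @@
 on:
 # Triggers the workflow on push or pull request events but only for the master branch
 push:
+branches:
+- master
 paths:
-- 'aws/**'
-- 'gcp/**'
-- 'azure/**'
+- "aws/**"
+- "gcp/**"
+- "azure/**"
 pull_request:
-branches: [ master ]
+branches: [master]
 paths:
-- 'aws/**'
-- 'gcp/**'
-- 'azure/**'
+- "aws/**"
+- "gcp/**"
+- "azure/**"
 workflow_dispatch:
-
+permissions:
+contents: read
 jobs:
 terraform-fmt:
 name: terraform-fmt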
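Review bot: The `paths` filters on both `push` and `pull_request` still list only `aws/**`, `gcp/**` and `azure/**`, so an edit to this workflow file itself (such as this one) does not trigger a run and the new `permissions` block stays unexercised until the next infrastructure change; adding `- ".github/workflows/terraform.yml"` to both lists is the usual remedy. The workflow-level `permissions: contents: read` is a good tightening, but any job further down that posts a PR comment or commit status would now need a job-level `permissions` override; the remaining jobs are outside this section.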
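--- a/.gitignore
+++ b/.gitignore
@@ -25,7 +25,7 @@
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*
 
-.DS_STORE
+.DS_Store
 target
 
 .vscode
@@ -43,8 +43,7 @@
 # Terraform
 kubeconfig_wrongsecrets-exercise-cluster
 .terraform
-.terraform.lock.hcl
-.terraform*
+.terraform
 terraform.tfstate*
 aws/terraform.tfstate.*
 aws/terraform.tfstate.backup
@@ -65,8 +64,16 @@
 
 # Challenge 17
 .github/scripts/thirdkey.txt
+
+yourkey.txt
 
 # Node JS
 js/node/
 js/node_modules/
+node_modules
+.npm
+
+# Cypress
+cypress/videos
+cypress/screenshots
 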
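Review bot: The replacement `.terraform` on new line 46 duplicates the `.terraform` entry that already sits on line 45, so the edit only removes the two old patterns and the second line can be dropped. Removing `.terraform.lock.hcl` from the ignore list means provider lock files become tracked, which is what Terraform's documentation recommends for reproducible provider versions; since the previous entries deliberately ignored it, a one-line note such as `# .terraform.lock.hcl is intentionally tracked` would stop the next contributor from re-adding the ignore.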
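--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,55 @@
+ci:
+autofix_commit_msg: |
+[pre-commit.ci] auto fixes from pre-commit.com hooks
+autofix_prs: false # managed in the action step
+autoupdate_branch: ""
+autoupdate_commit_msg: "[pre-commit.ci] pre-commit autoupdate"
+autoupdate_schedule: weekly
+skip: []
+submodules: false
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+rev: v4.3.0
+hooks:
+- id: check-yaml
+- id: end-of-file-fixer
+exclude: ^(src/test/resources/yourkey.txt|src/test/resources/secondkey.txt)
+- id: trailing-whitespace
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+rev: v1.71.0
+hooks:
+- id: terraform_fmt
+- id: terraform_tflint
+args:
+- "--args=--only=terraform_deprecated_interpolation"
+- "--args=--only=terraform_deprecated_index"
+- "--args=--only=terraform_unused_declarations"
+- "--args=--only=terraform_comment_syntax"
+- "--args=--only=terraform_documented_outputs"
+- "--args=--only=terraform_documented_variables"
+- "--args=--only=terraform_typed_variables"
+- "--args=--only=terraform_module_pinned_source"
+- "--args=--only=terraform_naming_convention"
+- "--args=--only=terraform_required_version"
+- "--args=--only=terraform_required_providers"
+- "--args=--only=terraform_standard_module_structure"
+- "--args=--only=terraform_workspace_remote"
+- id: terraform_docs
+- repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+rev: v9.4.0
+hooks:
+- id: commitlint
+stages: [commit-msg]
+- repo: https://github.com/ejba/pre-commit-maven
+rev: v0.3.3
+hooks:
+- id: maven
+args: [ 'clean compile' ]
+- id: maven-spotless-apply
+- repo: https://github.com/eslint/eslint
+rev: v8.35.0
+hooks:
+- id: eslint
+args:
+- "--fix"
+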
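--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1,4 @@
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+* @commjoen @bendehaan
+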
    CONTRIBUTING.md
    1 1  # Contributing
    2 2   
    3  -[![GitHub contributors](https://img.shields.io/github/contributors/commjoen/wrongsecrets.svg)](https://github.com/commjoen/wrongsecrets/graphs/contributors)
    4  -![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/commjoen/wrongsecrets/help%20wanted.svg)
     3 +[![GitHub contributors](https://img.shields.io/github/contributors/OWASP/wrongsecrets.svg)](https://github.com/OWASP/wrongsecrets/graphs/contributors)
     4 +![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/OWASP/wrongsecrets/help%20wanted.svg)
    5 5   
    6 6  This document describes how you can contribute to WrongSecrets. Please read it carefully.
    7 7   
    8 8  **Table of Contents**
    9 9   
    10  -* [How to Contribute to the Project](#how-to-contribute-to-the-project)
    11  -* [How to set up your Contributor Environment](#how-to-set-up-your-contributor-environment)
    12  -* [How to get your PR Accepted](#how-to-get-your-pr-accepted)
     10 +- [How to Contribute to the Project](#how-to-contribute-to-the-project)
     11 +- [How to set up your Contributor Environment](#how-to-set-up-your-contributor-environment)
     12 +- [How to get your PR Accepted](#how-to-get-your-pr-accepted)
     13 +- [Beginner Guide](#beginner-guide)
     14 + - [About the Project](#OWASP-WrongSecrets)
     15 + - [Prerequisites](#Prerequisites)
     16 + - [Pictorial Guide on how to get started with the project in IntelliJ IDEA](#How-to-get-started-with-the-project-in-IntelliJ-IDEA)
     17 +- [How to add a Challenge](#how-to-add-a-challenge)
    13 18   
    14 19  ## How to Contribute to the project
    15 20   
    16 21  There are a couple of ways on how you can contribute to the project:
    17 22   
    18  -* **File [issues](https://github.com/commjoen/wrongsecrets/issues "WrongSecret Issues")** for missing content or errors. Explain what you think is missing and give a suggestion as to where it could be added.
    19  -* **Create a [pull request (PR)](https://github.com/commjoen/wrongsecrets/pulls "Create a pull request")**. This is a direct contribution to the project and may be merged after review. You should ideally [create an issue](https://github.com/commjoen/wrongsecrets/issues "WrongSecret Issues") for any PR you would like to submit, as we can first review the merit of the PR and avoid any unnecessary work. This is of course not needed for small modifications such as correcting typos.
    20  -* **Promote us by giving us a Star or share information via social media**.
     23 +- **File [issues](https://github.com/OWASP/wrongsecrets/issues "WrongSecret Issues")** for missing content or errors. Explain what you think is missing and give a suggestion as to where it could be added.
     24 +- **Create a [pull request (PR)](https://github.com/OWASP/wrongsecrets/pulls "Create a pull request")**. This is a direct contribution to the project and may be merged after review. You should ideally [create an issue](https://github.com/OWASP/wrongsecrets/issues "WrongSecret Issues") for any PR you would like to submit, as we can first review the merit of the PR and avoid any unnecessary work. This is of course not needed for small modifications such as correcting typos.
     25 +- **Promote us by giving us a Star or share information via social media**.
    21 26   
    22 27  ## How to get your PR accepted
    23 28   
    24 29  Your PR is valuable to us, and to make sure we can integrate it smoothly, we have a few items for you to consider. In short:
    25 30  The minimum requirements for code contributions are:
    26 31   
    27  -1. The code _must_ be compliant with the configured Checkstyle and PMD rules.
     32 +1. The code _must_ be compliant with the configured pre-commit hooks, and Checkstyle and PMD rules.
    28 33  2. All new and changed code _should_ have a corresponding unit and/or integration test.
    29 34  3. New and changed lessons _must_ have a corresponding integration test.
    30 35  4. [Status checks](https://docs.github.com/en/github/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks) should pass for your last commit.
    skipped 4 lines
    35 40   
    36 41  Pull requests should be as small/atomic as possible. Large, wide-sweeping changes in a pull request will be **rejected**, with comments to isolate the specific code in your pull request. Some examples:
    37 42   
    38  -* If you are making spelling corrections in the docs, don't modify other files.
    39  -* If you are adding new functions don't '_cleanup_' unrelated functions. That cleanup belongs in another pull request.
     43 +- If you are making spelling corrections in the docs, don't modify other files.
     44 +- If you are adding new functions don't '_cleanup_' unrelated functions. That cleanup belongs in another pull request.
    40 45   
    41 46  ### Write a good commit message
    42 47   
    43  -* Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
    44  - 
    45  -* If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message.
     48 +- Make sure your commit message passes the [conventional commit standards](https://www.conventionalcommits.org/en/v1.0.0/)
     49 +- Explain why you make the changes. [More info about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
     50 +- If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message.
    46 51   
    47  - For example: `Fix #545` or `Closes #10`
     52 + For example: `Fix #545` or `Closes #10`
    48 53   
    49 54  ## How to set up your Contributor Environment
    50 55   
    skipped 7 lines
    58 63   origin [email protected]:<your Github handle>/wrongsecrets.git (fetch)
    59 64   origin [email protected]:<your Github handle>/wrongsecrets.git (push)
    60 65   
    61  - $ git remote add upstream [email protected]:commjoen/wrongsecrets.git
     66 + $ git remote add upstream [email protected]:OWASP/wrongsecrets.git
    62 67   
    63 68   $ git remote -v
    64 69   origin [email protected]:<your Github handle>/wrongsecrets.git (fetch)
    65 70   origin [email protected]:<your Github handle>/wrongsecrets.git (push)
    66  - upstream [email protected]:commjoen/wrongsecrets.git (fetch)
    67  - upstream [email protected]:commjoen/wrongsecrets.git (push)
     71 + upstream [email protected]:OWASP/wrongsecrets.git (fetch)
     72 + upstream [email protected]:OWASP/wrongsecrets.git (push)
    68 73   ```
    69 74   
    70 75   See also the GitHub documentation on "[Configuring a remote for a fork](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/configuring-a-remote-for-a-fork "Configuring a remote for a fork")".
    71  -5. Choose what to work on, based on any of the outstanding [issues](https://github.com/commjoen/wrongsecrets/issues "WrongSecrets Issues").
    72  -6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b FixingIssue66`
     76 + 
     77 +5. Choose what to work on, based on any of the outstanding [issues](https://github.com/OWASP/wrongsecrets/issues "WrongSecrets Issues").
     78 +6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b fix/Issue66`
    73 79  7. Open your favorite editor and start making modifications. We recommend using the [IntelliJ Idea](https://www.jetbrains.com/idea/).
    74  -8. After your modifications are done, push them to your forked repository. This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m 'your commit message here'` to commit the modifications and `git push` to push your modifications to GitHub.
    75  -9. Create a Pull Request (PR) by going to your fork, <https://github.com/Your_Github_Handle/wrongsecrets> and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer.
    76  -10. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR.
    77  -11. When starting on a new PR in the future, make sure to always keep your local repo up to date:
     80 +8. Install [pre-commit](https://pre-commit.com/#install) the dependencies for our pre-commit configuration to make sure your code complies with standards used in the project. This requires terraform, [terraform-docs](https://github.com/terraform-docs/terraform-docs#installation), [tflint](https://github.com/terraform-linters/tflint#installation), and [commitlint](https://commitlint.js.org/#/guides-local-setup). For commitlint, you need [NodeJS](https://nodejs.org/en/download/) installed, after which you you can use `npm install` in the root folder of this project.
     81 +9. Install the pre-commit hook using `pre-commit install --hook-type commit-msg`. We recommend to run `pre-commit run -a` every so often if you're working on a bigger change.
     82 +10. After your modifications are done, push them to your forked repository. This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m 'your commit message here'` to commit the modifications and `git push` to push your modifications to GitHub.
     83 +11. Create a Pull Request (PR) by going to your fork, <https://github.com/Your_Github_Handle/wrongsecrets> and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer.
     84 +12. If something in your git workflow went wrong (and e.g., the precommit hook CI run failed), check out ["O Shit, Git!?!"](https://ohshitgit.com/) to view tips on editing your historical commit message(s), among others.
     85 +13. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR. If pre-commit can auto-fix the issue, it will automatically try to do so by adding a new commit. This new commit can be pulled in with a simple `git pull`, or, if you've already made one or more new commits: `git pull --rebase`.
     86 +14. When starting on a new PR in the future, make sure to always keep your local repo up to date:
    78 87   
    79 88   ```bash
    80 89   git fetch upstream
    skipped 10 lines
    91 100   
    92 101  Although we greatly appreciate any and all contributions to the project, there are a few things that you should take into consideration:
    93 102   
    94  -* The Wrongsecrets project should not be used as a platform for advertisement for commercial tools, companies or individuals. Write-ups should be written with free and open-source tools in mind and commercial tools are typically not accepted, unless as a reference in the security tools section.
    95  -* Unnecessary self-promotion of tools or blog posts is frowned upon. If you have a relation with on of the URLs or tools you are referencing, please state so in the PR so that we can verify that the reference is in line with the rest of the guide.
     103 +- The Wrongsecrets project should not be used as a platform for advertisement for commercial tools, companies or individuals. Write-ups should be written with free and open-source tools in mind and commercial tools are typically not accepted, unless as a reference in the security tools section.
     104 +- Unnecessary self-promotion of tools or blog posts is frowned upon. If you have a relation with on of the URLs or tools you are referencing, please state so in the PR so that we can verify that the reference is in line with the rest of the guide.
     105 + 
     106 +Please be sure to take a careful look at our [Code of Conduct](https://github.com/OWASP/wrongsecrets/blob/master/CODE_OF_CONDUCT.md) for all the details.
     107 + 
     108 +---
     109 + 
     110 +# Beginner guide
     111 + 
     112 +## OWASP WrongSecrets
     113 + 
     114 +[_WrongSecrets_](https://owasp.org/www-project-wrongsecrets/) is an application teaching how to _not_ store secrets by offering challenges to the user, helping the user to Self-reflect and correct those mistakes.
     115 + 
     116 +## Prerequisites
     117 + 
     118 +1. **Docker**
     119 + [_Docker_](https://www.docker.com/) is a software platform that allows you to build, test, and deploy applications quickly and in a more efficient manner.
     120 + 
     121 +2. **Node.Js**
     122 + [_Node.Js_](https://nodejs.org/en/) is an open-source library and a cross-platform JavaScript **runtime environment** specifically for running web applications outside one's browser.
     123 + 
     124 +3. **JDK-19**
     125 + [_JDK_](https://www.oracle.com/java/technologies/javase/jdk19-archive-downloads.html) is a tool used in development and testing programs written in the Java programming language.
     126 + 
     127 +4. **IntelliJ IDEA**
     128 + [_IntelliJ IDEA_](https://www.jetbrains.com/idea/download/#section=windows) is an integrated development environment basically an **IDE** written in Java for developing software written in Java, Kotlin, Groovy etc.
     129 + 
     130 +5. **GitHub Desktop**
     131 + [_GitHub Desktop_](https://desktop.github.com/) is an application that enables you to interact with GitHub using a **GUI** instead of the command line or a web browser.
     132 + (_Not Mandatory but is recommended for beginners_)
     133 + 
     134 +---
     135 + 
     136 +## How to get started with the project in IntelliJ IDEA
     137 + 
     138 +-
     139 + 
     140 +### Step 1: Fork the Project.
     141 + 
     142 + Navigate to the landing page of the repository in your web browser and click on the **_Fork_** button on the repository’s home page.
     143 + A forked copy of that Git repository will be added to your personal GitHub.
     144 + 
     145 + ![](images/fork-project-1.png)
     146 + 
     147 +-
     148 + 
     149 +### Step 2: Clone the Project.
     150 + 
     151 + A **clone** is a full copy of a repository, including all logging and versions of files.
     152 + To **_clone_** the Project to your local desktop by clicking on the button as shown below.
     153 + 
     154 + ![](images/clone-project-2.png)
     155 + 
     156 +-
     157 + 
     158 +### Step 3: Open the Project using IntelliJ IDEA
     159 + 
     160 + - **_Open_** the Cloned Project using IntelliJ IDEA by clicking on the button as shown below.
     161 + 
     162 + ![](images/open-project-3.1.png)
     163 + 
     164 + - **Wait** till the Project Loads.
     165 + 
     166 + ![](images/wait-3.2.png)
     167 + 
     168 + 
     169 +### Step 4: Setup.
     170 + 
     171 +- Open Settings by pressing **_Ctrl+Alt+S_**
     172 + ![](images/open-settings-4.1.png)
     173 + 
     174 +- Follow the path **_IDE settings>Language & Frameworks > Lombok_** and then click on **_Lombok._**
     175 + ![](images/lombok-setup-4.2.png)
     176 + 
     177 +- Make sure that the **_Lombok processing_** is enabled.
     178 + ![](images/lombok-processing-4.3.png)
     179 + 
     180 +- Select **_Plugins > Marketplace_** and type 'google-java-format' and restart IntelliJ to install the plugin.
     181 + 
     182 +- Open Settings by pressing **_Ctrl+Alt+S_**
     183 + ![](images/open-settings-4.1.png)
     184 + 
     185 +- Select **_google-java-format Settings_** and click enable.
     186 + ![](images/open-settings-4.4.png)
     187 + 
     188 +- ### Step 5: Reload the project
     189 + 
     190 + - Open the **_Maven_** Tab
     191 + 
     192 + ![](images/open-maven-5.1.png)
     193 + 
     194 + - Press the **_Reload_** button as shown below and allow the project to Reload.
     195 + 
     196 + ![](images/reload-maven-5.2.png)
     197 + 
     198 + - Further use the **_OWASP WrongSecrets --> Lifecycle --> install_** step to load all the depedencies
     199 + 
     200 +**NOTE:** Indians and other Asia-Pacific countries users may have to use **VPN** if you enounter this exception `org.owasp.dependencycheck.utils.DownloadFailedException: TLS Connection Reset`.
     201 + 
     202 +-
     203 + 
     204 +### Step 6: Running the Project.
     205 + 
     206 + - Open the **_WrongSecretsApplication_** by following the path **_main>java>org.owasp.wrongsecrets>WrongSecretApplication_**.
     207 + ![](images/open-application-6.1.png)
     208 + - Press **_Shift+F10_** to run the application, this will open up the **_Run/Debug Configurations Menu._**
     209 + ![](images/run-application-6.2.png)
     210 + 
     211 +- ### Step 7: Setting up Configurations.
     212 + 
     213 + - Select **_Edit configuration templates_** then select **_Application_** section.
    96 214   
    97  -Please be sure to take a careful look at our [Code of Conduct](https://github.com/commjoen/wrongsecrets/blob/master/CODE_OF_CONDUCT.md) for all the details.
     215 + ![](images/edit-config-7.1.png)
     216 + 
     217 + - There under the **_Application_** section click on the button shown below.
     218 + 
     219 + ![](images/modify-options-7.2.png)
     220 + 
     221 + - **_Select_** all the fields that are Selected in the below picture.
     222 + 
     223 + ![](images/select-options-7.3.png)
     224 + 
     225 + - **_Fill out_** all the fields as shown below.
     226 + 
     227 + ![](images/fill-fields-7.4.png)
     228 + 
     229 + - Again press **_Shift+F10_** which runs the Application.
     230 + 
     231 + ![](images/run-application-6.2.png)
     232 + 
     233 +-
     234 + 
     235 +### There you have it, **_WrongSecrets_** running successfully.
     236 + 
     237 + - Here is a _preview_ on how does it look after successfully running the Application.
     238 + **Note:** Running the Application doesn't open any kind of **_GUI_**, it only initializes the **_local webserver_** that you can open via a **_browser._**
     239 + ![](images/final-output-8.png)
     240 + 
     241 + - Here is the preview of the **web server**, you can try to find the secrets by means of solving the challenge offered at:
     242 + [**Challenges**](https://github.com/OWASP/wrongsecrets#basic-docker-exercises)
     243 + ![](images/screenshot.png)
     244 + 
     245 +---
     246 + 
     247 +## How to add a challenge
     248 + 
     249 +-
     250 + 
     251 +### Step 1: Creating a new issue.
     252 + 
     253 + First make sure that you have an [Issue](https://github.com/OWASP/wrongsecrets/issues/new) reported for which a challenge is really wanted, And make sure the challenge is assigned to you, as others might be working on the challenge.
     254 + 
     255 +-
     256 + 
     257 +### Step 2: Adding the challenge.
     258 + 
     259 +Add the **new challenge** in this folder `wrongsecrets/src/main/java/org/owasp/wrongsecrets/challenges/`.
     260 +These are the things that you have to keep in mind.
     261 +- First and foremost make sure your challenge is coded in **Java**.
     262 +- Don't forget to add your challenge number in `@Order(28)` annotation, **_28_** in my case.
     263 +- Here is an example of a possible Challenge 28:
     264 + 
     265 +```java
     266 +package org.owasp.wrongsecrets.challenges.docker;
     267 +import lombok.extern.slf4j.Slf4j;
     268 +import org.owasp.wrongsecrets.RuntimeEnvironment;
     269 +import org.owasp.wrongsecrets.ScoreCard;
     270 +import org.owasp.wrongsecrets.challenges.Challenge;
     271 +import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
     272 +import org.owasp.wrongsecrets.challenges.Spoiler;
     273 +import org.springframework.core.annotation.Order;
     274 +import org.springframework.stereotype.Component;
     275 +import java.util.List;
     276 +/**
     277 +* Describe what your challenge does
     278 +*/
     279 +@Slf4j
     280 +@Component
     281 +@Order(28) //make sure this number is the same as your challenge
     282 +public class Challenge28 extends Challenge {
     283 +private final String secret;
     284 +public Challenge28(ScoreCard scoreCard) {
     285 +super(scoreCard);
     286 +secret = "hello world";
     287 +}
     288 +//is this challenge usable in CTF mode?
     289 +@Override
     290 +public boolean canRunInCTFMode() {
     291 +return true;
     292 +}
     293 +//return the plain text secret here
     294 +@Override
     295 +public Spoiler spoiler() {
     296 +return new Spoiler(secret);
     297 +}
     298 +//here you validate if your answer matches the secret
     299 +@Override
     300 +public boolean answerCorrect(String answer) {
     301 +return secret.equals(answer);
     302 +}
     303 +//which runtime can you use to run the challenge on? (You can just use Docker here)
     304 +/**
     305 +* {@inheritDoc}
     306 +*/
     307 +@Override
     308 +public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
     309 +return List.of(RuntimeEnvironment.Environment.DOCKER);
     310 +}
     311 +//set the difficulty: 1=low, 5=very hard
     312 +/**
     313 +* {@inheritDoc}
     314 +* Difficulty: 1.
     315 +*/
     316 +@Override
     317 +public int difficulty() {
     318 +return 1;
     319 +}
     320 +//on which tech is this challenge? See ChallengeTechnology.Tech for categories
     321 +/**
     322 +* {@inheritDoc}
     323 +* Secrets based.
     324 +*/
     325 +@Override
     326 +public String getTech() {
     327 +return ChallengeTechnology.Tech.SECRETS.id;
     328 +}
     329 +//if you use this in a shared environment and need to adapt it, then return true here.
     330 +@Override
     331 +public boolean isLimittedWhenOnlineHosted() {
     332 +return false;
     333 + 
     334 + }
     335 + }
     336 +```
     337 +- ### Step 3: Adding Test File.
     338 + 
     339 + Add the **new TestFile** in this folder `wrongsecrets/src/test/java/org/owasp/wrongsecrets/challenges/`. TestFile is required to do **unit testing.**
     340 + These are the things that you have to keep in mind.
     341 + 
     342 + - Make sure that this file is also of **Java** type.
     343 + - Here is a unit test for reference:
     344 + ```java
     345 + package org.owasp.wrongsecrets.challenges.docker;
     346 + import org.assertj.core.api.Assertions;
     347 + import org.junit.jupiter.api.Test;
     348 + import org.junit.jupiter.api.extension.ExtendWith;
     349 + import org.mockito.Mock;
     350 + import org.mockito.Mockito;
     351 + import org.mockito.junit.jupiter.MockitoExtension;
     352 + import org.owasp.wrongsecrets.ScoreCard;
     353 + @ExtendWith(MockitoExtension.class)
     354 + class Challenge28Test {
     355 + @Mock
     356 + private ScoreCard scoreCard;
     357 + @Test
     358 + void rightAnswerShouldSolveChallenge() {
     359 + var challenge = new Challenge28(scoreCard);
     360 + Assertions.assertThat(challenge.solved("wrong answer")).isFalse();
     361 + Assertions.assertThat(challenge.solved(challenge.spoiler().solution())).isTrue();
     362 + }
     363 + }
     364 + ```
     365 +Please note that PRs for new challenges are only accepted when unit tests are added to prove that the challenge works. Normally tests should not immediately leak the actual secret, so leverage the `.spoil()` functionality of your test implementation for this.
     366 + 
     367 +-
     368 + 
     369 +### Step 4: Adding explanations, reasons and hints.
     370 + 
     371 + Add the explanation for your challenge along with the hints that will help in finding the secret in this folder `wrongsecrets/src/main/resources/explanations/`.
     372 + Things to be noted.
     373 + 
     374 + - All the possible explanations for your challenge, included with all the hints and reasons should be provided.
     375 + - Everything must be in separate **AsciiDoc files**.
     376 + - Follow this fashion in naming the file.
     377 + 
     378 + - Here is a Explanation for reference:
     379 + 
     380 + ```adoc
     381 + === Hello world challenge
     382 + 
     383 + Welcome to OWASP WrongSecrets Beginner guide Challenge
     384 + 
     385 + Basically this challenge is there only to demonstrate how to add a challenge in our project and to give you a basic idea on how does things work.
     386 + 
     387 + ```
     388 + 
     389 + - refer this block for reasons:
     390 + 
     391 + ```adoc
     392 + ==== What’s the purpose of this specific challenge?
     393 + With this challenge, we basically aim to help new contributors to better understand the code and encourage them to add new challenges for our end-user.
     394 + ```
     395 + 
     396 + - Use this block as refrence for hints:
     397 + 
     398 + ```adoc
     399 + Your secret is `Hello World`
     400 + 
     401 + Copy this and paste it in the box provided and press "Submit" and you are good to go.
     402 + 
     403 + This challenge is only meant for helping new contributors to add new challenges. Please, have fun with trying more difficult challenges;-).
     404 + ```
     405 + 
     406 +- ### Step 5: Submitting your PR.
     407 + After completing all the above steps, final step is to submit the PR and refer [**Contributing.md**](https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md#how-to-get-your-pr-accepted) on how to get your PR accepted.
     408 + 
     409 +---
    98 410   
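--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM eclipse-temurin:18_36-jdk-focal
+FROM eclipse-temurin:19-jre-focal
 
 ARG argBasedPassword="default"
 ARG argBasedVersion="0.0.0"
@@ -8,6 +8,8 @@
 ENV APP_VERSION=$argBasedVersion
 ENV DOCKER_ENV_PASSWORD="This is it"
 ENV AZURE_KEY_VAULT_ENABLED=false
+ENV SPRINGDOC_UI=false
+ENV SPRINGDOC_DOC=false
 
 RUN echo "2vars"
 RUN echo "$ARG_BASED_PASSWORD"
@@ -21,5 +23,5 @@
 COPY --chown=wrongsecrets src/main/resources/executables/ /home/wrongsecrets/
 COPY --chown=wrongsecrets src/test/resources/alibabacreds.kdbx /var/tmp/helpers
 USER wrongsecrets
-CMD java -jar -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) /application.jar
+CMD java -jar -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D /application.jar
 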
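Review bot: The new CMD on new line 26 carries a stray `-D` with no `name=value` right before `/application.jar`; depending on the launcher this is either rejected at start-up or silently defines an empty system property, so it should be dropped: `CMD java -jar -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} /application.jar`. Defaulting both springdoc flags to false in the new ENV lines is the right default for this image, since it keeps the API description and Swagger UI off unless an operator opts in at run time; a short comment next to those ENV lines saying so would help whoever later flips them.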
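--- a/Dockerfile.web
+++ b/Dockerfile.web
@@ -1,9 +1,9 @@
-FROM jeroenwillemsen/wrongsecrets:1.5.2-no-vault
-
-ARG argBasedVersion="1.5.2"
+FROM jeroenwillemsen/wrongsecrets:1.6.4-no-vault
+ARG argBasedVersion="1.6.4-no-vault"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
 ARG HINTS_ENABLED=true
+ARG CHALLENGE_ACHT_CTF_HOST_VALUE="not_set"
 #ONLY OVERRIDE THE ARGS BELOW WHEN YOU ARE SETTING UP A CTF!
 ARG CTF_KEY=TRwzkRJnHOTckssAeyJbysWgP!Qc2T
 ARG CHALLENGE_5_VALUE=if_you_see_this_please_use_k8s
@@ -23,10 +23,11 @@
 ENV SPECIAL_K8S_SECRET=$CHALLENGE_5_VALUE
 ENV SPECIAL_SPECIAL_K8S_SECRET=$CHALLENGE_6_VALUE
 ENV vaultpassword=$CHALLENGE_7_VALUE
+ENV challenge_acht_ctf_host_value=$CHALLENGE_ACHT_CTF_HOST_VALUE
 ENV default_aws_value_challenge_9=$CHALLENGE_9_VALUE
 ENV default_aws_value_challenge_10=$CHALLENGE_10_VALUE
 ENV default_aws_value_challenge_11=$CHALLENGE_11_VALUE
 COPY .github/scripts/ /var/helpers
 COPY src/test/resources/alibabacreds.kdbx /var/helpers
-CMD java -Xms128m -Xmx128m -Xss512k -jar -Dserver.port=$PORT -XX:MaxRAMPercentage=75 -XX:MinRAMPercentage=25 -Dspring.profiles.active=without-vault application.jar
+CMD java -Xms128m -Xmx128m -Xss512k -jar -Dserver.port=$PORT -XX:MaxRAMPercentage=75 -XX:MinRAMPercentage=25 -Dspring.profiles.active=without-vault -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} application.jar
 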
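Review bot: The new CMD on new line 32 expands `${SPRINGDOC_UI}` and `${SPRINGDOC_DOC}`, but this file declares neither as ARG nor ENV in the visible lines; unless the `1.6.4-no-vault` base image exports them, both properties expand to empty and the intent of keeping Swagger UI and the API docs off on the public web deployment is not guaranteed. Declaring them explicitly next to the other ENV lines removes the dependence on base-image inheritance: `ENV SPRINGDOC_UI=false` and `ENV SPRINGDOC_DOC=false`. The 13 skipped lines between the ARG and ENV blocks are not visible here, so this may already be covered there.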
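--- a/Dockerfile.webdesktop
+++ /dev/null
@@ -1,13 +0,0 @@
-FROM lscr.io/linuxserver/webtop:latest
-
-RUN \
- echo "**** install packages ****" && \
- apk add --no-cache keepassxc radare2 && \
- echo "**** cleanup ****" && \
- rm -rf \
- /tmp/*
-
-RUN mkdir /home/wrongsecrets
-COPY src/main/resources/executables/ /home/wrongsecrets/
-COPY src/test/resources/alibabacreds.kdbx /var/tmp/helpers
-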
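--- /dev/null
+++ b/Dockerfile_webdesktop
@@ -0,0 +1,30 @@
+FROM lscr.io/linuxserver/webtop:4.16-r0-ls72
+LABEL NAME="OWASP WrongSecrets Web Desktop" MAINTAINER="Jeroen Willemsen"
+
+RUN \
+ echo "*** install kubectl ***" && \
+ curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" &&\
+ sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl &&\
+ rm kubectl
+
+RUN \
+ echo "**** install packages ****" && \
+ apk add --no-cache shadow keepassxc radare2 aws-cli geany git && \
+ echo "**** adding abc user to root for Docker ****" && \
+ usermod -aG root abc && \
+ touch /var/run/docker.sock && \
+ chown abc:abc /var/run/docker.sock && \
+ echo "**** cleanup ****" && \
+ rm -rf /tmp/*
+
+WORKDIR /config/Desktop
+
+COPY src/main/resources/executables/*linux* /config/Desktop/wrongsecrets/
+COPY src/test/resources/alibabacreds.kdbx /var/tmp/helpers/
+COPY src/test/resources/alibabacreds.kdbx /var/tmp/wrongsecrets/
+COPY wrongsecret-desktop-resources/welcome.md /var/tmp/wrongsecrets/
+
+RUN sudo chown abc /var/tmp/wrongsecrets
+
+COPY wrongsecret-desktop-resources/startwm.sh /defaults/startwm.sh
+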
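Review bot: The kubectl binary fetched on new line 6 is installed to `/usr/local/bin` as root without any integrity check, and resolving `stable.txt` at build time means two builds of the same Dockerfile can ship different binaries; the same lines appear in Dockerfile_webdesktopk8s (new lines 5-8). Kubernetes publishes a `kubectl.sha256` next to each release binary, so the version should be pinned through a build ARG and the download verified with `sha256sum -c` before `install`. The fenced excerpt below shows the rewritten RUN step; the ARG value is a placeholder to be replaced with the release the project wants to pin.
```dockerfile
# Pin the release instead of resolving stable.txt at build time (placeholder value).
ARG KUBECTL_VERSION="<pinned kubectl release>"
RUN \
 echo "*** install kubectl ***" && \
 curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
 curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" && \
 echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c - && \
 sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl && \
 rm kubectl kubectl.sha256
# ... unchanged: package install, WORKDIR and COPY steps ...
```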
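--- /dev/null
+++ b/Dockerfile_webdesktopk8s
@@ -0,0 +1,37 @@
+FROM lscr.io/linuxserver/webtop:4.16-r0-ls72
+LABEL NAME="OWASP WrongSecrets Web Desktop" MAINTAINER="Jeroen Willemsen"
+
+RUN \
+ echo "*** install kubectl ***" && \
+ curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" &&\
+ sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl &&\
+ rm kubectl
+
+RUN \
+ echo "**** install packages ****" && \
+ apk add --no-cache shadow keepassxc radare2 aws-cli geany git && \
+ echo "**** adding abc user to root for Docker ****" && \
+ usermod -aG root abc && \
+ touch /var/run/docker.sock && \
+ chown abc:abc /var/run/docker.sock && \
+ echo "**** cleanup ****" && \
+ rm -rf /tmp/*
+
+RUN echo "**** clone wrongsecrets.git for webtop in k8s ****" && \
+ mkdir /var/tmp/wrongsecrets && \
+ cd /var/tmp/wrongsecrets && \
+ git clone https://github.com/OWASP/wrongsecrets.git
+
+
+WORKDIR /config/Desktop
+
+COPY src/main/resources/executables/*linux* /var/tmp/wrongsecrets/
+COPY src/test/resources/alibabacreds.kdbx /var/tmp/helpers/
+COPY src/test/resources/alibabacreds.kdbx /var/tmp/wrongsecrets/
+COPY wrongsecret-desktop-resources/welcome.md /var/tmp/wrongsecrets/
+
+
+RUN sudo chown abc /var/tmp/wrongsecrets
+
+COPY wrongsecret-desktop-resources/startwm.sh /defaults/startwm.sh
+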
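Review bot: The `git clone` on new line 23 is unpinned, so the checkout baked into the image is whatever the default branch holds at build time, and the full history is pulled into an image that only needs a working tree; pin it to the release the image is built for and keep the clone shallow: `git clone --depth 1 --branch <release-tag> https://github.com/OWASP/wrongsecrets.git`. The `chown abc` on new line 34 then applies to a tree whose content is reproducible, which also makes later audits of what the desktop user can touch easier. The unverified kubectl download on new lines 5-8 is the same as in Dockerfile_webdesktop and is raised there.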
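--- a/HELP.md
+++ b/HELP.md
@@ -1,5 +1,7 @@
 # Getting Started
 
+Please consult the [readme](./README.md), [Contributing](./CONTRIBUTING.md), [Code of Conduct](./CODE_OF_CONDUCT.md), our [ctf instructions](./ctf-instructions.md) and our [Wiki](https://github.com/OWASP/wrongsecrets/wiki) when you are getting started.
+
 ### Reference Documentation
 For further reference, please consider the following sections:
 
@@ -7,4 +9,3 @@
 * [Spring Boot Maven Plugin Reference Guide](https://docs.spring.io/spring-boot/docs/2.3.4.RELEASE/maven-plugin/reference/html/)
 * [Create an OCI image](https://docs.spring.io/spring-boot/docs/2.3.4.RELEASE/maven-plugin/reference/html/#build-image)
 
-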
    LICENSE
    1  -MIT License
     1 + GNU AFFERO GENERAL PUBLIC LICENSE
     2 + Version 3, 19 November 2007
     3 + 
     4 + Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
     5 + Everyone is permitted to copy and distribute verbatim copies
     6 + of this license document, but changing it is not allowed.
     7 + 
     8 + Preamble
     9 + 
     10 + The GNU Affero General Public License is a free, copyleft license for
     11 +software and other kinds of works, specifically designed to ensure
     12 +cooperation with the community in the case of network server software.
     13 + 
     14 + The licenses for most software and other practical works are designed
     15 +to take away your freedom to share and change the works. By contrast,
     16 +our General Public Licenses are intended to guarantee your freedom to
     17 +share and change all versions of a program--to make sure it remains free
     18 +software for all its users.
     19 + 
     20 + When we speak of free software, we are referring to freedom, not
     21 +price. Our General Public Licenses are designed to make sure that you
     22 +have the freedom to distribute copies of free software (and charge for
     23 +them if you wish), that you receive source code or can get it if you
     24 +want it, that you can change the software or use pieces of it in new
     25 +free programs, and that you know you can do these things.
     26 + 
     27 + Developers that use our General Public Licenses protect your rights
     28 +with two steps: (1) assert copyright on the software, and (2) offer
     29 +you this License which gives you legal permission to copy, distribute
     30 +and/or modify the software.
     31 + 
     32 + A secondary benefit of defending all users' freedom is that
     33 +improvements made in alternate versions of the program, if they
     34 +receive widespread use, become available for other developers to
     35 +incorporate. Many developers of free software are heartened and
     36 +encouraged by the resulting cooperation. However, in the case of
     37 +software used on network servers, this result may fail to come about.
     38 +The GNU General Public License permits making a modified version and
     39 +letting the public access it on a server without ever releasing its
     40 +source code to the public.
     41 + 
     42 + The GNU Affero General Public License is designed specifically to
     43 +ensure that, in such cases, the modified source code becomes available
     44 +to the community. It requires the operator of a network server to
     45 +provide the source code of the modified version running there to the
     46 +users of that server. Therefore, public use of a modified version, on
     47 +a publicly accessible server, gives the public access to the source
     48 +code of the modified version.
     49 + 
     50 + An older license, called the Affero General Public License and
     51 +published by Affero, was designed to accomplish similar goals. This is
     52 +a different license, not a version of the Affero GPL, but Affero has
     53 +released a new version of the Affero GPL which permits relicensing under
     54 +this license.
     55 + 
     56 + The precise terms and conditions for copying, distribution and
     57 +modification follow.
     58 + 
     59 + TERMS AND CONDITIONS
     60 + 
     61 + 0. Definitions.
     62 + 
     63 + "This License" refers to version 3 of the GNU Affero General Public License.
     64 + 
     65 + "Copyright" also means copyright-like laws that apply to other kinds of
     66 +works, such as semiconductor masks.
     67 + 
     68 + "The Program" refers to any copyrightable work licensed under this
     69 +License. Each licensee is addressed as "you". "Licensees" and
     70 +"recipients" may be individuals or organizations.
     71 + 
     72 + To "modify" a work means to copy from or adapt all or part of the work
     73 +in a fashion requiring copyright permission, other than the making of an
     74 +exact copy. The resulting work is called a "modified version" of the
     75 +earlier work or a work "based on" the earlier work.
     76 + 
     77 + A "covered work" means either the unmodified Program or a work based
     78 +on the Program.
     79 + 
     80 + To "propagate" a work means to do anything with it that, without
     81 +permission, would make you directly or secondarily liable for
     82 +infringement under applicable copyright law, except executing it on a
     83 +computer or modifying a private copy. Propagation includes copying,
     84 +distribution (with or without modification), making available to the
     85 +public, and in some countries other activities as well.
     86 + 
     87 + To "convey" a work means any kind of propagation that enables other
     88 +parties to make or receive copies. Mere interaction with a user through
     89 +a computer network, with no transfer of a copy, is not conveying.
     90 + 
     91 + An interactive user interface displays "Appropriate Legal Notices"
     92 +to the extent that it includes a convenient and prominently visible
     93 +feature that (1) displays an appropriate copyright notice, and (2)
     94 +tells the user that there is no warranty for the work (except to the
     95 +extent that warranties are provided), that licensees may convey the
     96 +work under this License, and how to view a copy of this License. If
     97 +the interface presents a list of user commands or options, such as a
     98 +menu, a prominent item in the list meets this criterion.
     99 + 
     100 + 1. Source Code.
     101 + 
     102 + The "source code" for a work means the preferred form of the work
     103 +for making modifications to it. "Object code" means any non-source
     104 +form of a work.
     105 + 
     106 + A "Standard Interface" means an interface that either is an official
     107 +standard defined by a recognized standards body, or, in the case of
     108 +interfaces specified for a particular programming language, one that
     109 +is widely used among developers working in that language.
     110 + 
     111 + The "System Libraries" of an executable work include anything, other
     112 +than the work as a whole, that (a) is included in the normal form of
     113 +packaging a Major Component, but which is not part of that Major
     114 +Component, and (b) serves only to enable use of the work with that
     115 +Major Component, or to implement a Standard Interface for which an
     116 +implementation is available to the public in source code form. A
     117 +"Major Component", in this context, means a major essential component
     118 +(kernel, window system, and so on) of the specific operating system
     119 +(if any) on which the executable work runs, or a compiler used to
     120 +produce the work, or an object code interpreter used to run it.
     121 + 
     122 + The "Corresponding Source" for a work in object code form means all
     123 +the source code needed to generate, install, and (for an executable
     124 +work) run the object code and to modify the work, including scripts to
     125 +control those activities. However, it does not include the work's
     126 +System Libraries, or general-purpose tools or generally available free
     127 +programs which are used unmodified in performing those activities but
     128 +which are not part of the work. For example, Corresponding Source
     129 +includes interface definition files associated with source files for
     130 +the work, and the source code for shared libraries and dynamically
     131 +linked subprograms that the work is specifically designed to require,
     132 +such as by intimate data communication or control flow between those
     133 +subprograms and other parts of the work.
     134 + 
     135 + The Corresponding Source need not include anything that users
     136 +can regenerate automatically from other parts of the Corresponding
     137 +Source.
     138 + 
     139 + The Corresponding Source for a work in source code form is that
     140 +same work.
     141 + 
     142 + 2. Basic Permissions.
     143 + 
     144 + All rights granted under this License are granted for the term of
     145 +copyright on the Program, and are irrevocable provided the stated
     146 +conditions are met. This License explicitly affirms your unlimited
     147 +permission to run the unmodified Program. The output from running a
     148 +covered work is covered by this License only if the output, given its
     149 +content, constitutes a covered work. This License acknowledges your
     150 +rights of fair use or other equivalent, as provided by copyright law.
     151 + 
     152 + You may make, run and propagate covered works that you do not
     153 +convey, without conditions so long as your license otherwise remains
     154 +in force. You may convey covered works to others for the sole purpose
     155 +of having them make modifications exclusively for you, or provide you
     156 +with facilities for running those works, provided that you comply with
     157 +the terms of this License in conveying all material for which you do
     158 +not control copyright. Those thus making or running the covered works
     159 +for you must do so exclusively on your behalf, under your direction
     160 +and control, on terms that prohibit them from making any copies of
     161 +your copyrighted material outside their relationship with you.
     162 + 
     163 + Conveying under any other circumstances is permitted solely under
     164 +the conditions stated below. Sublicensing is not allowed; section 10
     165 +makes it unnecessary.
     166 + 
     167 + 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
     168 + 
     169 + No covered work shall be deemed part of an effective technological
     170 +measure under any applicable law fulfilling obligations under article
     171 +11 of the WIPO copyright treaty adopted on 20 December 1996, or
     172 +similar laws prohibiting or restricting circumvention of such
     173 +measures.
    2 174   
    3  -Copyright (c) 2020-2022 Jeroen Willemsen and WrongSecret contributors.
     175 + When you convey a covered work, you waive any legal power to forbid
     176 +circumvention of technological measures to the extent such circumvention
     177 +is effected by exercising rights under this License with respect to
     178 +the covered work, and you disclaim any intention to limit operation or
     179 +modification of the work as a means of enforcing, against the work's
     180 +users, your or third parties' legal rights to forbid circumvention of
     181 +technological measures.
    4 182   
    5  -Permission is hereby granted, free of charge, to any person obtaining a copy
    6  -of this software and associated documentation files (the "Software"), to deal
    7  -in the Software without restriction, including without limitation the rights
    8  -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    9  -copies of the Software, and to permit persons to whom the Software is
    10  -furnished to do so, subject to the following conditions:
     183 + 4. Conveying Verbatim Copies.
    11 184   
    12  -The above copyright notice and this permission notice shall be included in all
    13  -copies or substantial portions of the Software.
     185 + You may convey verbatim copies of the Program's source code as you
     186 +receive it, in any medium, provided that you conspicuously and
     187 +appropriately publish on each copy an appropriate copyright notice;
     188 +keep intact all notices stating that this License and any
     189 +non-permissive terms added in accord with section 7 apply to the code;
     190 +keep intact all notices of the absence of any warranty; and give all
     191 +recipients a copy of this License along with the Program.
     192 + 
     193 + You may charge any price or no price for each copy that you convey,
     194 +and you may offer support or warranty protection for a fee.
     195 + 
     196 + 5. Conveying Modified Source Versions.
    14 197   
    15  -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    16  -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    17  -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    18  -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    19  -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    20  -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    21  -SOFTWARE.
     198 + You may convey a work based on the Program, or the modifications to
     199 +produce it from the Program, in the form of source code under the
     200 +terms of section 4, provided that you also meet all of these conditions:
     201 + 
     202 + a) The work must carry prominent notices stating that you modified
     203 + it, and giving a relevant date.
     204 + 
     205 + b) The work must carry prominent notices stating that it is
     206 + released under this License and any conditions added under section
     207 + 7. This requirement modifies the requirement in section 4 to
     208 + "keep intact all notices".
     209 + 
     210 + c) You must license the entire work, as a whole, under this
     211 + License to anyone who comes into possession of a copy. This
     212 + License will therefore apply, along with any applicable section 7
     213 + additional terms, to the whole of the work, and all its parts,
     214 + regardless of how they are packaged. This License gives no
     215 + permission to license the work in any other way, but it does not
     216 + invalidate such permission if you have separately received it.
     217 + 
     218 + d) If the work has interactive user interfaces, each must display
     219 + Appropriate Legal Notices; however, if the Program has interactive
     220 + interfaces that do not display Appropriate Legal Notices, your
     221 + work need not make them do so.
     222 + 
     223 + A compilation of a covered work with other separate and independent
     224 +works, which are not by their nature extensions of the covered work,
     225 +and which are not combined with it such as to form a larger program,
     226 +in or on a volume of a storage or distribution medium, is called an
     227 +"aggregate" if the compilation and its resulting copyright are not
     228 +used to limit the access or legal rights of the compilation's users
     229 +beyond what the individual works permit. Inclusion of a covered work
     230 +in an aggregate does not cause this License to apply to the other
     231 +parts of the aggregate.
     232 + 
     233 + 6. Conveying Non-Source Forms.
     234 + 
     235 + You may convey a covered work in object code form under the terms
     236 +of sections 4 and 5, provided that you also convey the
     237 +machine-readable Corresponding Source under the terms of this License,
     238 +in one of these ways:
     239 + 
     240 + a) Convey the object code in, or embodied in, a physical product
     241 + (including a physical distribution medium), accompanied by the
     242 + Corresponding Source fixed on a durable physical medium
     243 + customarily used for software interchange.
     244 + 
     245 + b) Convey the object code in, or embodied in, a physical product
     246 + (including a physical distribution medium), accompanied by a
     247 + written offer, valid for at least three years and valid for as
     248 + long as you offer spare parts or customer support for that product
     249 + model, to give anyone who possesses the object code either (1) a
     250 + copy of the Corresponding Source for all the software in the
     251 + product that is covered by this License, on a durable physical
     252 + medium customarily used for software interchange, for a price no
     253 + more than your reasonable cost of physically performing this
     254 + conveying of source, or (2) access to copy the
     255 + Corresponding Source from a network server at no charge.
     256 + 
     257 + c) Convey individual copies of the object code with a copy of the
     258 + written offer to provide the Corresponding Source. This
     259 + alternative is allowed only occasionally and noncommercially, and
     260 + only if you received the object code with such an offer, in accord
     261 + with subsection 6b.
     262 + 
     263 + d) Convey the object code by offering access from a designated
     264 + place (gratis or for a charge), and offer equivalent access to the
     265 + Corresponding Source in the same way through the same place at no
     266 + further charge. You need not require recipients to copy the
     267 + Corresponding Source along with the object code. If the place to
     268 + copy the object code is a network server, the Corresponding Source
     269 + may be on a different server (operated by you or a third party)
     270 + that supports equivalent copying facilities, provided you maintain
     271 + clear directions next to the object code saying where to find the
     272 + Corresponding Source. Regardless of what server hosts the
     273 + Corresponding Source, you remain obligated to ensure that it is
     274 + available for as long as needed to satisfy these requirements.
     275 + 
     276 + e) Convey the object code using peer-to-peer transmission, provided
     277 + you inform other peers where the object code and Corresponding
     278 + Source of the work are being offered to the general public at no
     279 + charge under subsection 6d.
     280 + 
     281 + A separable portion of the object code, whose source code is excluded
     282 +from the Corresponding Source as a System Library, need not be
     283 +included in conveying the object code work.
     284 + 
     285 + A "User Product" is either (1) a "consumer product", which means any
     286 +tangible personal property which is normally used for personal, family,
     287 +or household purposes, or (2) anything designed or sold for incorporation
     288 +into a dwelling. In determining whether a product is a consumer product,
     289 +doubtful cases shall be resolved in favor of coverage. For a particular
     290 +product received by a particular user, "normally used" refers to a
     291 +typical or common use of that class of product, regardless of the status
     292 +of the particular user or of the way in which the particular user
     293 +actually uses, or expects or is expected to use, the product. A product
     294 +is a consumer product regardless of whether the product has substantial
     295 +commercial, industrial or non-consumer uses, unless such uses represent
     296 +the only significant mode of use of the product.
     297 + 
     298 + "Installation Information" for a User Product means any methods,
     299 +procedures, authorization keys, or other information required to install
     300 +and execute modified versions of a covered work in that User Product from
     301 +a modified version of its Corresponding Source. The information must
     302 +suffice to ensure that the continued functioning of the modified object
     303 +code is in no case prevented or interfered with solely because
     304 +modification has been made.
     305 + 
     306 + If you convey an object code work under this section in, or with, or
     307 +specifically for use in, a User Product, and the conveying occurs as
     308 +part of a transaction in which the right of possession and use of the
     309 +User Product is transferred to the recipient in perpetuity or for a
     310 +fixed term (regardless of how the transaction is characterized), the
     311 +Corresponding Source conveyed under this section must be accompanied
     312 +by the Installation Information. But this requirement does not apply
     313 +if neither you nor any third party retains the ability to install
     314 +modified object code on the User Product (for example, the work has
     315 +been installed in ROM).
     316 + 
     317 + The requirement to provide Installation Information does not include a
     318 +requirement to continue to provide support service, warranty, or updates
     319 +for a work that has been modified or installed by the recipient, or for
     320 +the User Product in which it has been modified or installed. Access to a
     321 +network may be denied when the modification itself materially and
     322 +adversely affects the operation of the network or violates the rules and
     323 +protocols for communication across the network.
     324 + 
     325 + Corresponding Source conveyed, and Installation Information provided,
     326 +in accord with this section must be in a format that is publicly
     327 +documented (and with an implementation available to the public in
     328 +source code form), and must require no special password or key for
     329 +unpacking, reading or copying.
     330 + 
     331 + 7. Additional Terms.
     332 + 
     333 + "Additional permissions" are terms that supplement the terms of this
     334 +License by making exceptions from one or more of its conditions.
     335 +Additional permissions that are applicable to the entire Program shall
     336 +be treated as though they were included in this License, to the extent
     337 +that they are valid under applicable law. If additional permissions
     338 +apply only to part of the Program, that part may be used separately
     339 +under those permissions, but the entire Program remains governed by
     340 +this License without regard to the additional permissions.
     341 + 
     342 + When you convey a copy of a covered work, you may at your option
     343 +remove any additional permissions from that copy, or from any part of
     344 +it. (Additional permissions may be written to require their own
     345 +removal in certain cases when you modify the work.) You may place
     346 +additional permissions on material, added by you to a covered work,
     347 +for which you have or can give appropriate copyright permission.
     348 + 
     349 + Notwithstanding any other provision of this License, for material you
     350 +add to a covered work, you may (if authorized by the copyright holders of
     351 +that material) supplement the terms of this License with terms:
     352 + 
     353 + a) Disclaiming warranty or limiting liability differently from the
     354 + terms of sections 15 and 16 of this License; or
     355 + 
     356 + b) Requiring preservation of specified reasonable legal notices or
     357 + author attributions in that material or in the Appropriate Legal
     358 + Notices displayed by works containing it; or
     359 + 
     360 + c) Prohibiting misrepresentation of the origin of that material, or
     361 + requiring that modified versions of such material be marked in
     362 + reasonable ways as different from the original version; or
     363 + 
     364 + d) Limiting the use for publicity purposes of names of licensors or
     365 + authors of the material; or
     366 + 
     367 + e) Declining to grant rights under trademark law for use of some
     368 + trade names, trademarks, or service marks; or
     369 + 
     370 + f) Requiring indemnification of licensors and authors of that
     371 + material by anyone who conveys the material (or modified versions of
     372 + it) with contractual assumptions of liability to the recipient, for
     373 + any liability that these contractual assumptions directly impose on
     374 + those licensors and authors.
     375 + 
     376 + All other non-permissive additional terms are considered "further
     377 +restrictions" within the meaning of section 10. If the Program as you
     378 +received it, or any part of it, contains a notice stating that it is
     379 +governed by this License along with a term that is a further
     380 +restriction, you may remove that term. If a license document contains
     381 +a further restriction but permits relicensing or conveying under this
     382 +License, you may add to a covered work material governed by the terms
     383 +of that license document, provided that the further restriction does
     384 +not survive such relicensing or conveying.
     385 + 
     386 + If you add terms to a covered work in accord with this section, you
     387 +must place, in the relevant source files, a statement of the
     388 +additional terms that apply to those files, or a notice indicating
     389 +where to find the applicable terms.
     390 + 
     391 + Additional terms, permissive or non-permissive, may be stated in the
     392 +form of a separately written license, or stated as exceptions;
     393 +the above requirements apply either way.
     394 + 
     395 + 8. Termination.
     396 + 
     397 + You may not propagate or modify a covered work except as expressly
     398 +provided under this License. Any attempt otherwise to propagate or
     399 +modify it is void, and will automatically terminate your rights under
     400 +this License (including any patent licenses granted under the third
     401 +paragraph of section 11).
     402 + 
     403 + However, if you cease all violation of this License, then your
     404 +license from a particular copyright holder is reinstated (a)
     405 +provisionally, unless and until the copyright holder explicitly and
     406 +finally terminates your license, and (b) permanently, if the copyright
     407 +holder fails to notify you of the violation by some reasonable means
     408 +prior to 60 days after the cessation.
     409 + 
     410 + Moreover, your license from a particular copyright holder is
     411 +reinstated permanently if the copyright holder notifies you of the
     412 +violation by some reasonable means, this is the first time you have
     413 +received notice of violation of this License (for any work) from that
     414 +copyright holder, and you cure the violation prior to 30 days after
     415 +your receipt of the notice.
     416 + 
     417 + Termination of your rights under this section does not terminate the
     418 +licenses of parties who have received copies or rights from you under
     419 +this License. If your rights have been terminated and not permanently
     420 +reinstated, you do not qualify to receive new licenses for the same
     421 +material under section 10.
     422 + 
     423 + 9. Acceptance Not Required for Having Copies.
     424 + 
     425 + You are not required to accept this License in order to receive or
     426 +run a copy of the Program. Ancillary propagation of a covered work
     427 +occurring solely as a consequence of using peer-to-peer transmission
     428 +to receive a copy likewise does not require acceptance. However,
     429 +nothing other than this License grants you permission to propagate or
     430 +modify any covered work. These actions infringe copyright if you do
     431 +not accept this License. Therefore, by modifying or propagating a
     432 +covered work, you indicate your acceptance of this License to do so.
     433 + 
     434 + 10. Automatic Licensing of Downstream Recipients.
     435 + 
     436 + Each time you convey a covered work, the recipient automatically
     437 +receives a license from the original licensors, to run, modify and
     438 +propagate that work, subject to this License. You are not responsible
     439 +for enforcing compliance by third parties with this License.
     440 + 
     441 + An "entity transaction" is a transaction transferring control of an
     442 +organization, or substantially all assets of one, or subdividing an
     443 +organization, or merging organizations. If propagation of a covered
     444 +work results from an entity transaction, each party to that
     445 +transaction who receives a copy of the work also receives whatever
     446 +licenses to the work the party's predecessor in interest had or could
     447 +give under the previous paragraph, plus a right to possession of the
     448 +Corresponding Source of the work from the predecessor in interest, if
     449 +the predecessor has it or can get it with reasonable efforts.
     450 + 
     451 + You may not impose any further restrictions on the exercise of the
     452 +rights granted or affirmed under this License. For example, you may
     453 +not impose a license fee, royalty, or other charge for exercise of
     454 +rights granted under this License, and you may not initiate litigation
     455 +(including a cross-claim or counterclaim in a lawsuit) alleging that
     456 +any patent claim is infringed by making, using, selling, offering for
     457 +sale, or importing the Program or any portion of it.
     458 + 
     459 + 11. Patents.
     460 + 
     461 + A "contributor" is a copyright holder who authorizes use under this
     462 +License of the Program or a work on which the Program is based. The
     463 +work thus licensed is called the contributor's "contributor version".
     464 + 
     465 + A contributor's "essential patent claims" are all patent claims
     466 +owned or controlled by the contributor, whether already acquired or
     467 +hereafter acquired, that would be infringed by some manner, permitted
     468 +by this License, of making, using, or selling its contributor version,
     469 +but do not include claims that would be infringed only as a
     470 +consequence of further modification of the contributor version. For
     471 +purposes of this definition, "control" includes the right to grant
     472 +patent sublicenses in a manner consistent with the requirements of
     473 +this License.
     474 + 
     475 + Each contributor grants you a non-exclusive, worldwide, royalty-free
     476 +patent license under the contributor's essential patent claims, to
     477 +make, use, sell, offer for sale, import and otherwise run, modify and
     478 +propagate the contents of its contributor version.
     479 + 
     480 + In the following three paragraphs, a "patent license" is any express
     481 +agreement or commitment, however denominated, not to enforce a patent
     482 +(such as an express permission to practice a patent or covenant not to
     483 +sue for patent infringement). To "grant" such a patent license to a
     484 +party means to make such an agreement or commitment not to enforce a
     485 +patent against the party.
     486 + 
     487 + If you convey a covered work, knowingly relying on a patent license,
     488 +and the Corresponding Source of the work is not available for anyone
     489 +to copy, free of charge and under the terms of this License, through a
     490 +publicly available network server or other readily accessible means,
     491 +then you must either (1) cause the Corresponding Source to be so
     492 +available, or (2) arrange to deprive yourself of the benefit of the
     493 +patent license for this particular work, or (3) arrange, in a manner
     494 +consistent with the requirements of this License, to extend the patent
     495 +license to downstream recipients. "Knowingly relying" means you have
     496 +actual knowledge that, but for the patent license, your conveying the
     497 +covered work in a country, or your recipient's use of the covered work
     498 +in a country, would infringe one or more identifiable patents in that
     499 +country that you have reason to believe are valid.
     500 + 
     501 + If, pursuant to or in connection with a single transaction or
     502 +arrangement, you convey, or propagate by procuring conveyance of, a
     503 +covered work, and grant a patent license to some of the parties
     504 +receiving the covered work authorizing them to use, propagate, modify
     505 +or convey a specific copy of the covered work, then the patent license
     506 +you grant is automatically extended to all recipients of the covered
     507 +work and works based on it.
     508 + 
     509 + A patent license is "discriminatory" if it does not include within
     510 +the scope of its coverage, prohibits the exercise of, or is
     511 +conditioned on the non-exercise of one or more of the rights that are
     512 +specifically granted under this License. You may not convey a covered
     513 +work if you are a party to an arrangement with a third party that is
     514 +in the business of distributing software, under which you make payment
     515 +to the third party based on the extent of your activity of conveying
     516 +the work, and under which the third party grants, to any of the
     517 +parties who would receive the covered work from you, a discriminatory
     518 +patent license (a) in connection with copies of the covered work
     519 +conveyed by you (or copies made from those copies), or (b) primarily
     520 +for and in connection with specific products or compilations that
     521 +contain the covered work, unless you entered into that arrangement,
     522 +or that patent license was granted, prior to 28 March 2007.
     523 + 
     524 + Nothing in this License shall be construed as excluding or limiting
     525 +any implied license or other defenses to infringement that may
     526 +otherwise be available to you under applicable patent law.
     527 + 
     528 + 12. No Surrender of Others' Freedom.
     529 + 
     530 + If conditions are imposed on you (whether by court order, agreement or
     531 +otherwise) that contradict the conditions of this License, they do not
     532 +excuse you from the conditions of this License. If you cannot convey a
     533 +covered work so as to satisfy simultaneously your obligations under this
     534 +License and any other pertinent obligations, then as a consequence you may
     535 +not convey it at all. For example, if you agree to terms that obligate you
     536 +to collect a royalty for further conveying from those to whom you convey
     537 +the Program, the only way you could satisfy both those terms and this
     538 +License would be to refrain entirely from conveying the Program.
     539 + 
     540 + 13. Remote Network Interaction; Use with the GNU General Public License.
     541 + 
     542 + Notwithstanding any other provision of this License, if you modify the
     543 +Program, your modified version must prominently offer all users
     544 +interacting with it remotely through a computer network (if your version
     545 +supports such interaction) an opportunity to receive the Corresponding
     546 +Source of your version by providing access to the Corresponding Source
     547 +from a network server at no charge, through some standard or customary
     548 +means of facilitating copying of software. This Corresponding Source
     549 +shall include the Corresponding Source for any work covered by version 3
     550 +of the GNU General Public License that is incorporated pursuant to the
     551 +following paragraph.
     552 + 
     553 + Notwithstanding any other provision of this License, you have
     554 +permission to link or combine any covered work with a work licensed
     555 +under version 3 of the GNU General Public License into a single
     556 +combined work, and to convey the resulting work. The terms of this
     557 +License will continue to apply to the part which is the covered work,
     558 +but the work with which it is combined will remain governed by version
     559 +3 of the GNU General Public License.
     560 + 
     561 + 14. Revised Versions of this License.
     562 + 
     563 + The Free Software Foundation may publish revised and/or new versions of
     564 +the GNU Affero General Public License from time to time. Such new versions
     565 +will be similar in spirit to the present version, but may differ in detail to
     566 +address new problems or concerns.
     567 + 
     568 + Each version is given a distinguishing version number. If the
     569 +Program specifies that a certain numbered version of the GNU Affero General
     570 +Public License "or any later version" applies to it, you have the
     571 +option of following the terms and conditions either of that numbered
     572 +version or of any later version published by the Free Software
     573 +Foundation. If the Program does not specify a version number of the
     574 +GNU Affero General Public License, you may choose any version ever published
     575 +by the Free Software Foundation.
     576 + 
     577 + If the Program specifies that a proxy can decide which future
     578 +versions of the GNU Affero General Public License can be used, that proxy's
     579 +public statement of acceptance of a version permanently authorizes you
     580 +to choose that version for the Program.
     581 + 
     582 + Later license versions may give you additional or different
     583 +permissions. However, no additional obligations are imposed on any
     584 +author or copyright holder as a result of your choosing to follow a
     585 +later version.
     586 + 
     587 + 15. Disclaimer of Warranty.
     588 + 
     589 + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
     590 +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
     591 +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
     592 +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
     593 +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     594 +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
     595 +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
     596 +ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
     597 + 
     598 + 16. Limitation of Liability.
     599 + 
     600 + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
     601 +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
     602 +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
     603 +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
     604 +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
     605 +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
     606 +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
     607 +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
     608 +SUCH DAMAGES.
     609 + 
     610 + 17. Interpretation of Sections 15 and 16.
     611 + 
     612 + If the disclaimer of warranty and limitation of liability provided
     613 +above cannot be given local legal effect according to their terms,
     614 +reviewing courts shall apply local law that most closely approximates
     615 +an absolute waiver of all civil liability in connection with the
     616 +Program, unless a warranty or assumption of liability accompanies a
     617 +copy of the Program in return for a fee.
     618 + 
     619 + END OF TERMS AND CONDITIONS
     620 + 
     621 + How to Apply These Terms to Your New Programs
     622 + 
     623 + If you develop a new program, and you want it to be of the greatest
     624 +possible use to the public, the best way to achieve this is to make it
     625 +free software which everyone can redistribute and change under these terms.
     626 + 
     627 + To do so, attach the following notices to the program. It is safest
     628 +to attach them to the start of each source file to most effectively
     629 +state the exclusion of warranty; and each file should have at least
     630 +the "copyright" line and a pointer to where the full notice is found.
     631 + 
     632 + <one line to give the program's name and a brief idea of what it does.>
     633 + Copyright (C) <year> <name of author>
     634 + 
     635 + This program is free software: you can redistribute it and/or modify
     636 + it under the terms of the GNU Affero General Public License as published by
     637 + the Free Software Foundation, either version 3 of the License, or
     638 + (at your option) any later version.
     639 + 
     640 + This program is distributed in the hope that it will be useful,
     641 + but WITHOUT ANY WARRANTY; without even the implied warranty of
     642 + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
     643 + GNU Affero General Public License for more details.
     644 + 
     645 + You should have received a copy of the GNU Affero General Public License
     646 + along with this program. If not, see <https://www.gnu.org/licenses/>.
     647 + 
     648 +Also add information on how to contact you by electronic and paper mail.
     649 + 
     650 + If your software can interact with users remotely through a computer
     651 +network, you should also make sure that it provides a way for users to
     652 +get its source. For example, if your program is a web application, its
     653 +interface could display a "Source" link that leads users to an archive
     654 +of the code. There are many ways you could offer source, and different
     655 +solutions will be better for different programs; see section 13 for the
     656 +specific requirements.
     657 + 
     658 + You should also get your employer (if you work as a programmer) or school,
     659 +if any, to sign a "copyright disclaimer" for the program, if necessary.
     660 +For more information on this, and how to apply and follow the GNU AGPL, see
     661 +<https://www.gnu.org/licenses/>.
    22 662   
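--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -1 +1,41 @@
-Thank you for submitting a pull request to the WrongSecrets app!
+ <!-- Thank you for submitting a pull request to the WrongSecrets app! See what makes a good PR at https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md-->
+
+### What kind of changes does this PR include?
+
+- [ ] Fixes or refactors
+- [ ] A new challenge
+- [ ] Additional documentation
+- [ ] Something else
+
+#### Description
+
+<!---
+Please provide a helpful summary of what change this pull request will introduce.
+--->
+
+### Relations
+
+<!---
+If your pull request fully resolves and should automatically close the linked issue, use Closes. Otherwise, use Relates.
+
+For Example:
+
+Relates #0000
+or
+Closes #0000
+--->
+
+### References
+
+<!---
+Optionally, provide any helpful references that may help the reviewer(s).
+--->
+
+### Checklist:
+
+- [ ] All the contributions made are solely the work of me and my co-authors
+- [ ] I tested the changes in this PR (if applicable)
+- [ ] I added unit tests to ensure my change works (when change in Java or on front-end code)
+- [ ] I added UI tests to ensure my UI changes work (when change in the overall UI, not needed if just adding a challenge)
+- [ ] The PR passes pre-commit hooks and automated tests
+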
    README.md
    1 1  <!-- CRE Link: [223-780](https://www.opencre.org/cre/223-780?register=true&type=tool&tool_type=training&tags=secrets,training&description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2015%20challenges%3F) -->
    2 2   
    3  -# OWASP WrongSecrets [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Want%20to%20dive%20into%20secrets%20management%20and%20do%20some%20hunting?%20try%20this&url=https://github.com/commjoen/wrongsecrets&hashtags=secretsmanagement,secrets,hunting,p0wnableapp,OWASP,WrongSecrets)
     3 +# OWASP WrongSecrets
     4 + 
     5 +[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Want%20to%20dive%20into%20secrets%20management%20and%20do%20some%20hunting?%20try%20this&url=https://github.com/OWASP/wrongsecrets&hashtags=secretsmanagement,secrets,hunting,p0wnableapp,OWASP,WrongSecrets) [<img src="https://img.shields.io/badge/-MASTODON-%232B90D9?style=for-the-badge&logo=mastodon&logoColor=white" width=84>](https://tootpick.org/#text=Want%20to%20dive%20into%20secrets%20management%20and%20do%20some%20hunting?%20try%20this%0A%0Ahttps://github.com/OWASP/wrongsecrets%20%23secretsmanagement,%20%23secrets,%20%23hunting,%20%23p0wnableapp,%20%23OWASP,%20%23WrongSecrets) [<img src="https://img.shields.io/badge/LinkedIn-0077B5?style=for-the-badge&logo=linkedin&logoColor=white" width=80>](https://www.linkedin.com/shareArticle/?url=https://www.github.com/OWASP/wrongsecrets&title=OWASP%20WrongSecrets)
     6 + 
     7 +[![Java checkstyle and testing](https://github.com/OWASP/wrongsecrets/actions/workflows/main.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/main.yml) [![Pre-commit](https://github.com/OWASP/wrongsecrets/actions/workflows/pre-commit.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/pre-commit.yml) [![Terraform FMT](https://github.com/OWASP/wrongsecrets/actions/workflows/terraform.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/terraform.yml) [![CodeQL](https://github.com/OWASP/wrongsecrets/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/codeql-analysis.yml) [![Dead Link Checker](https://github.com/OWASP/wrongsecrets/actions/workflows/link_checker.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/link_checker.yml)[![Javadoc and Swaggerdoc generator](https://github.com/OWASP/wrongsecrets/actions/workflows/java_swagger_doc.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/java_swagger_doc.yml)
    4 8   
    5  -[![Java checkstyle and testing](https://github.com/commjoen/wrongsecrets/actions/workflows/main.yml/badge.svg)](https://github.com/commjoen/wrongsecrets/actions/workflows/main.yml) [![Terraform FMT](https://github.com/commjoen/wrongsecrets/actions/workflows/terraform.yml/badge.svg)](https://github.com/commjoen/wrongsecrets/actions/workflows/terraform.yml) [![Test minikube script (k8s)](https://github.com/commjoen/wrongsecrets/actions/workflows/minikube-k8s-test.yml/badge.svg)](https://github.com/commjoen/wrongsecrets/actions/workflows/minikube-k8s-test.yml) [![Test minikube script (k8s&vault)](https://github.com/commjoen/wrongsecrets/actions/workflows/minikube-vault-test.yml/badge.svg)](https://github.com/commjoen/wrongsecrets/actions/workflows/minikube-vault-test.yml) [![Docker container test](https://github.com/commjoen/wrongsecrets/actions/workflows/container_test.yml/badge.svg)](https://github.com/commjoen/wrongsecrets/actions/workflows/container_test.yml)
     9 +[![Test minikube script (k8s)](https://github.com/OWASP/wrongsecrets/actions/workflows/minikube-k8s-test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/minikube-k8s-test.yml) [![Test minikube script (k8s&vault)](https://github.com/OWASP/wrongsecrets/actions/workflows/minikube-vault-test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/minikube-vault-test.yml) [![Docker container test](https://github.com/OWASP/wrongsecrets/actions/workflows/container_test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/container_test.yml)[![Test container on podman and Colima](https://github.com/OWASP/wrongsecrets/actions/workflows/container-alts-test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/container-alts-test.yml)
     10 +[![DAST with ZAP](https://github.com/OWASP/wrongsecrets/actions/workflows/dast-zap-test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/dast-zap-test.yml)
     11 + 
    6 12  [![OWASP Lab Project](https://img.shields.io/badge/OWASP-lab%20project-48A646.svg)](https://owasp.org/projects/)
    7  -[![Discussions](https://img.shields.io/github/discussions/commjoen/wrongsecrets)](https://github.com/commjoen/wrongsecrets/discussions)
     13 +[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7024/badge)](https://bestpractices.coreinfrastructure.org/projects/7024)
     14 +[![Discussions](https://img.shields.io/github/discussions/OWASP/wrongsecrets)](https://github.com/OWASP/wrongsecrets/discussions)
    8 15   
    9  -Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
     16 +Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to _not_ store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy.
    10 17   
    11  -Can you solve all the 23 challenges?
    12  -![screenshot.png](screenshot.png)
     18 +Can you solve all the 32 challenges?
     19 + 
     20 +Try some of them on [our Heroku demo environment](https://wrongsecrets.herokuapp.com/).
     21 + 
     22 +Want to play the other challenges? Read the instructions on how to set them up below.
     23 + 
     24 +![screenshotOfChallenge1](/images/screenshot.png)
     25 + 
     26 +<a href="https://github.com/vshymanskyy/StandWithUkraine/blob/main/README.md"><img src="https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-no-action.svg" /></a>
     27 + 
     28 +## Table of contents
     29 + 
     30 +- [Support](#support)
     31 +- [Basic docker exercises](#basic-docker-exercises)
     32 + - [Running these on Heroku](#running-these-on-heroku)
     33 + - [Running on Fly.io](#running-on-flyio)
     34 +- [Basic K8s exercise](#basic-k8s-exercise)
     35 + - [Minikube based](#minikube-based)
     36 + - [k8s based](#k8s-based)
     37 + - [Okteto based](#okteto-based)
     38 + - [Vault exercises with minikube](#vault-exercises-with-minikube)
     39 +- [Cloud Challenges](#cloud-challenges)
     40 + - [Running WrongSecrets in AWS](#running-wrongsecrets-in-aws)
     41 + - [Running WrongSecrets in GCP](#running-wrongsecrets-in-gcp)
     42 + - [Running WrongSecrets in Azure](#running-wrongsecrets-in-azure)
     43 + - [Running Challenge15 in your own cloud only](#running-challenge15-in-your-own-cloud-only)
     44 +- [Do you want to play without guidance?](#do-you-want-to-play-without-guidance)
     45 +- [Special thanks & Contributors](#special-thanks--contributors)
     46 +- [Sponsorships](#sponsorships)
     47 +- [Help Wanted](#help-wanted)
     48 +- [Use OWASP WrongSecrets as a secret detection benchmark](#use-owasp-wrongsecrets-as-a-secret-detection-benchmark)
     49 +- [CTF](#ctf)
     50 + - [CTFD Support](#ctfd-support)
     51 + - [FBCTF Support](#fbctf-support--experimental--)
     52 +- [Notes on development](#notes-on-development)
     53 + - [Dependency management](#dependency-management)
     54 + - [Get the project started in IntelliJ IDEA](#get-the-project-started-in-intellij-idea)
     55 + - [Automatic reload during development](#automatic-reload-during-development)
     56 + - [How to add a Challenge](#how-to-add-a-challenge)
     57 + - [Local testing](#local-testing)
     58 +- [Want to play, but are not allowed to install the tools?](#want-to-play-but-are-not-allowed-to-install-the-tools)
     59 +- [Further reading on secrets management](#further-reading-on-secrets-management)
    13 60   
    14 61  ## Support
    15 62   
    16  -Need support? Contact us via [OWASP Slack](https://owasp.slack.com/archives/C02KQ7D9XHR) [for which you sign up here](https://owasp.org/slack/invite), file a [PR](https://github.com/commjoen/wrongsecrets/pulls), file an [issue](https://github.com/commjoen/wrongsecrets/issues) , or use [discussions](https://github.com/commjoen/wrongsecrets/discussions). Please note that this is an OWASP volunteer based project, so it might take a little while before we respond.
     63 +Need support? Contact us
     64 +via [OWASP Slack](https://owasp.slack.com/archives/C02KQ7D9XHR) for which you sign up [here](https://owasp.org/slack/invite)
     65 +, file a [PR](https://github.com/OWASP/wrongsecrets/pulls), file
     66 +an [issue](https://github.com/OWASP/wrongsecrets/issues) , or
     67 +use [discussions](https://github.com/OWASP/wrongsecrets/discussions). Please note that this is an OWASP volunteer
     68 +based project, so it might take a little while before we respond.
     69 + 
     70 +Copyright (c) 2020-2023 Jeroen Willemsen and WrongSecrets contributors.
    17 71   
    18 72  ## Experiment / Benchmark branch
    19 73   
    skipped 3 lines
    23 77   
    24 78  ## Basic docker exercises
    25 79   
    26  -_Can be used for challenges 1-4, 8, 12-23_
     80 +_Can be used for challenges 1-4, 8, 12-32_
    27 81   
    28 82  For the basic docker exercises you currently require:
    29 83   
    30  -- Docker [Install from here](https://docs.docker.com/get-docker/)
    31  -- Some Browser that can render HTML
     84 +- Docker [Install from here](https://docs.docker.com/get-docker/)
     85 +- Some Browser that can render HTML
    32 86   
    33 87  You can install it by doing:
    34 88   
    35 89  ```bash
    36  -docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.5.2-no-vault
     90 +docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault
    37 91  ```
    38 92   
    39 93  Now you can try to find the secrets by means of solving the challenge offered at:
    40 94   
    41  -- [localhost:8080/challenge/1](http://localhost:8080/challenge/1)
    42  -- [localhost:8080/challenge/2](http://localhost:8080/challenge/2)
    43  -- [localhost:8080/challenge/3](http://localhost:8080/challenge/3)
    44  -- [localhost:8080/challenge/4](http://localhost:8080/challenge/4)
    45  -- [localhost:8080/challenge/8](http://localhost:8080/challenge/8)
    46  -- [localhost:8080/challenge/12](http://localhost:8080/challenge/12)
    47  -- [localhost:8080/challenge/13](http://localhost:8080/challenge/13)
    48  -- [localhost:8080/challenge/14](http://localhost:8080/challenge/14)
    49  -- [localhost:8080/challenge/15](http://localhost:8080/challenge/15)
    50  -- [localhost:8080/challenge/16](http://localhost:8080/challenge/16)
    51  -- [localhost:8080/challenge/17](http://localhost:8080/challenge/17)
    52  -- [localhost:8080/challenge/18](http://localhost:8080/challenge/18)
    53  -- [localhost:8080/challenge/19](http://localhost:8080/challenge/19)
    54  -- [localhost:8080/challenge/20](http://localhost:8080/challenge/20)
    55  -- [localhost:8080/challenge/21](http://localhost:8080/challenge/21)
    56  -- [localhost:8080/challenge/22](http://localhost:8080/challenge/22)
    57  -- [localhost:8080/challenge/23](http://localhost:8080/challenge/23)
     95 +- [localhost:8080/challenge/1](http://localhost:8080/challenge/1)
     96 +- [localhost:8080/challenge/2](http://localhost:8080/challenge/2)
     97 +- [localhost:8080/challenge/3](http://localhost:8080/challenge/3)
     98 +- [localhost:8080/challenge/4](http://localhost:8080/challenge/4)
     99 +- [localhost:8080/challenge/8](http://localhost:8080/challenge/8)
     100 +- [localhost:8080/challenge/12](http://localhost:8080/challenge/12)
     101 +- [localhost:8080/challenge/13](http://localhost:8080/challenge/13)
     102 +- [localhost:8080/challenge/14](http://localhost:8080/challenge/14)
     103 +- [localhost:8080/challenge/15](http://localhost:8080/challenge/15)
     104 +- [localhost:8080/challenge/16](http://localhost:8080/challenge/16)
     105 +- [localhost:8080/challenge/17](http://localhost:8080/challenge/17)
     106 +- [localhost:8080/challenge/18](http://localhost:8080/challenge/18)
     107 +- [localhost:8080/challenge/19](http://localhost:8080/challenge/19)
     108 +- [localhost:8080/challenge/20](http://localhost:8080/challenge/20)
     109 +- [localhost:8080/challenge/21](http://localhost:8080/challenge/21)
     110 +- [localhost:8080/challenge/22](http://localhost:8080/challenge/22)
     111 +- [localhost:8080/challenge/23](http://localhost:8080/challenge/23)
     112 +- [localhost:8080/challenge/24](http://localhost:8080/challenge/24)
     113 +- [localhost:8080/challenge/25](http://localhost:8080/challenge/25)
     114 +- [localhost:8080/challenge/26](http://localhost:8080/challenge/26)
     115 +- [localhost:8080/challenge/27](http://localhost:8080/challenge/27)
     116 +- [localhost:8080/challenge/28](http://localhost:8080/challenge/28)
     117 +- [localhost:8080/challenge/29](http://localhost:8080/challenge/29)
     118 +- [localhost:8080/challenge/30](http://localhost:8080/challenge/30)
     119 +- [localhost:8080/challenge/31](http://localhost:8080/challenge/31)
     120 +- [localhost:8080/challenge/32](http://localhost:8080/challenge/32)
    58 121   
    59  -Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
     122 +Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look
     123 +better ;-).
    60 124   
    61 125  ### Running these on Heroku
    62 126   
    63  -You can test them out at [https://wrongsecrets.herokuapp.com/](https://wrongsecrets.herokuapp.com/) as well! But please understand that we have NO guarantees that this works. Given we run in Heroku free-tier, please do not fuzz and/or try to bring it down: you would be spoiling it for others that want to testdrive it.
    64  - 
    65  -### Deploying the app under your own heroku account
    66  - 
    67  -1. [Sign up to Heroku](https://signup.heroku.com/) and [log in to your account](https://id.heroku.com/login)
    68  -2. Click the button below and follow the instructions
    69  - 
    70  -[![Deploy](https://www.herokucdn.com/deploy/button.svg)](https://heroku.com/deploy)
     127 +You can test them out at [https://wrongsecrets.herokuapp.com/](https://wrongsecrets.herokuapp.com/) as well! But please
     128 +understand that we have NO guarantees that this works. Given we run in Heroku free-tier, please do not fuzz and/or try
     129 +to bring it down: you would be spoiling it for others that want to testdrive it.
    71 130   
    72 131  ### Running on Fly.io
    73 132   
    skipped 1 lines
    75 134   
    76 135  ## Basic K8s exercise
    77 136   
    78  -_Can be used for challenges 1-6, 8, 12-23_
     137 +_Can be used for challenges 1-6, 8, 12-32_
    79 138   
    80 139  ### Minikube based
    81 140   
    82 141  Make sure you have the following installed:
    83 142   
    84  -- Docker [Install from here](https://docs.docker.com/get-docker/)
    85  -- Minikube [Install from here](https://minikube.sigs.k8s.io/docs/start/)
     143 +- Docker [Install from here](https://docs.docker.com/get-docker/)
     144 +- Minikube [Install from here](https://minikube.sigs.k8s.io/docs/start/)
    86 145   
    87 146  The K8S setup currently is based on using Minikube for local fun:
    88 147   
    skipped 9 lines
    98 157   
    99 158  now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).
    100 159   
    101  -- [localhost:8080/challenge/5](http://localhost:8080/challenge/5)
    102  -- [localhost:8080/challenge/6](http://localhost:8080/challenge/6)
     160 +- [localhost:8080/challenge/5](http://localhost:8080/challenge/5)
     161 +- [localhost:8080/challenge/6](http://localhost:8080/challenge/6)
    103 162   
    104 163  ### k8s based
    105 164   
    skipped 11 lines
    117 176   
    118 177  now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).
    119 178   
    120  -- [localhost:8080/challenge/5](http://localhost:8080/challenge/5)
    121  -- [localhost:8080/challenge/6](http://localhost:8080/challenge/6)
     179 +- [localhost:8080/challenge/5](http://localhost:8080/challenge/5)
     180 +- [localhost:8080/challenge/6](http://localhost:8080/challenge/6)
     181 + 
     182 +### Okteto based
     183 + 
     184 +[![Develop on Okteto](https://okteto.com/develop-okteto.svg)](https://cloud.okteto.com/deploy?repository=https://github.com/OWASP/wrongsecrets.git&branch=master&filename=okteto/okteto.yml)
     185 + 
     186 +Don't want to go over the hassle of setting up K8S yourself? visit [https://wrongsecrets-commjoen.cloud.okteto.net](https://wrongsecrets-commjoen.cloud.okteto.net/). Please note that we are using the free Developer version here, so it might take a while for it to respond at first (e.g. "development environment not ready" and then a 50x for a minute). Please: do not try to hack/Fuzz the application as this might bring it down and spoil the fun for others.
    122 187   
    123 188  ## Vault exercises with minikube
    124 189   
    125  -_Can be used for challenges 1-8, 12-23_
     190 +_Can be used for challenges 1-8, 12-29_
    126 191  Make sure you have the following installed:
    127 192   
    128  -- minikube with docker (or comment out line 8 and work at your own k8s setup),
    129  -- docker,
    130  -- helm [Install from here](https://helm.sh/docs/intro/install/),
    131  -- kubectl [Install from here](https://kubernetes.io/docs/tasks/tools/),
    132  -- jq [Install from here](https://stedolan.github.io/jq/download/),
    133  -- vault [Install from here](https://www.vaultproject.io/downloads),
    134  -- grep, Cat, and Sed
     193 +- minikube with docker (or comment out line 8 and work at your own k8s setup),
     194 +- docker,
     195 +- helm [Install from here](https://helm.sh/docs/intro/install/),
     196 +- kubectl [Install from here](https://kubernetes.io/docs/tasks/tools/),
     197 +- jq [Install from here](https://stedolan.github.io/jq/download/),
     198 +- vault [Install from here](https://www.vaultproject.io/downloads),
     199 +- grep, Cat, and Sed
    135 200   
    136  -Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-22.
     201 +Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-32.
    137 202   
    138  -When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
     203 +When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`.
     204 +This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
    139 205   
    140 206  ## Cloud Challenges
    141 207   
    142  -_Can be used for challenges 1-23_
     208 +_Can be used for challenges 1-32_
    143 209   
    144 210  **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
    145  -never run this on an account which is related to your production environment or can influence your account-over-arching resources.
     211 +never run this on an account which is related to your production environment or can influence your account-over-arching
     212 +resources.
    146 213   
    147 214  ### Running WrongSecrets in AWS
    148 215   
    skipped 20 lines
    169 236  7. Create a container and push it to your registry
    170 237  8. Override the K8s definition files for either [AWS](/aws/k8s/secret-challenge-vault-deployment.yml) or [GCP](/gcp/k8s/secret-challenge-vault-deployment.yml.tpl).
    171 238   
    172  -## Do you want to play without guidance?
     239 +## Do you want to play without guidance or spoils?
     240 + 
     241 +Each challenge has a `Show hints` button and a `What's wrong?` button. These buttons help to simplify the challenges and give explanation to the reader. Though, the explanations can spoil the fun if you want to do this as a hacking exercise.
     242 +Therefore, you can manipulate them by overriding the following settings in your env:
    173 243   
    174  -Each challenge has a `Show hints` button and a `What's wrong?` button. These buttons help to simplify the challenges and give explanation to the reader. Though, the explanations can spoil the fun if you want to do this as a hacking exercise. Therefore, you can manipulate them by overriding the following settings in your env:
     244 +- `hints_enabled=false` will turn off the `Show hints` button.
     245 +- `reason_enabled=false` will turn of the `What's wrong?` explanation button.
     246 +- `spoiling_enabled=false` will turn off the `/spoil-x` endpoint (where `x` is the number of the challenge).
    175 247   
    176  -- `hints_enabled=false` will turn off the `Show hints` button.
    177  -- `reason_enabled=false` will turn of the `What's wrong?` explanation button.
     248 +## Enabling Swaggerdocs and UI
     249 + 
     250 +You can enable Swagger documentation and the Swagger UI by overriding the `SPRINGDOC_UI` and `SPRINGDOC_DOC` when running the Docker container. See our [Okteto Deployment](https://github.com/OWASP/wrongsecrets/blob/master/okteto/k8s/secret-challenge-deployment.yml) for more details.
    178 251   
    179 252  ## Special thanks & Contributors
    180 253   
    181 254  Leaders:
    182 255   
    183  -- [Ben de Haan @bendehaan](https://github.com/bendehaan)
    184  -- [Jeroen willemsen @commjoen](https://github.com/commjoen)
     256 +- [Ben de Haan @bendehaan](https://github.com/bendehaan)
     257 +- [Jeroen Willemsen @commjoen](https://github.com/commjoen)
    185 258   
    186 259  Top contributors:
    187 260   
    188  -- [Nanne Baars @nbaars](https://github.com/nbaars)
    189  -- [Marcin Nowak @MarcinNowak-codes](https://github.com/MarcinNowak-codes)
    190  -- [Joss Sparkes @remakingeden](https://github.com/remakingeden)
    191  -- [Tibor Hercz @tiborhercz](https://github.com/tiborhercz)
    192  -- [Filip Chyla @fchyla](https://github.com/fchyla)
    193  -- [Dmitry Litosh @Dlitosh](https://github.com/Dlitosh)
    194  -- [Josh Grossman @tghosth](https://github.com/tghosth)
    195  -- [Spyros @northdpole](https://github.com/northdpole)
    196  -- [Mike Woudenberg @mikewoudenberg](https://github.com/mikewoudenberg)
    197  -- [Ruben Kruiver @RubenAtBinx](https://github.com/RubenAtBinx)
    198  -- [Finn @f3rn0s](https://github.com/f3rn0s)
    199  -- [Alex Bender @alex-bender](https://github.com/alex-bender)
    200  -- [Rick M @kingthorin](https://github.com/kingthorin)
     261 +- [Nanne Baars @nbaars](https://github.com/nbaars)
     262 +- [Joss Sparkes @remakingeden](https://github.com/remakingeden)
     263 +- [Marcin Nowak @MarcinNowak-codes](https://github.com/MarcinNowak-codes)
     264 +- [Tibor Hercz @tiborhercz](https://github.com/tiborhercz)
     265 +- [Chris Elbring Jr. @neatzsche](https://github.com/neatzsche)
     266 +- [Puneeth Y @puneeth072003](https://github.com/puneeth072003)
     267 +- [Mike Woudenberg @mikewoudenberg](https://github.com/mikewoudenberg)
     268 +- [Divyanshu Dev @Novice-expert](https://github.com/Novice-expert)
     269 +- [Filip Chyla @fchyla](https://github.com/fchyla)
     270 +- [Dmitry Litosh @Dlitosh](https://github.com/Dlitosh)
     271 +- [Josh Grossman @tghosth](https://github.com/tghosth)
     272 +- [Turjo Chowdhury @turjoc120](https://github.com/turjoc120)
     273 +- [Spyros @northdpole](https://github.com/northdpole)
     274 +- [Ruben Kruiver @RubenAtBinx](https://github.com/RubenAtBinx)
     275 +- [Shlomo Zalman Heigh @szh](https://github.com/szh)
     276 +- [Nicolas Humblot @nhumblot](https://github.com/nhumblot)
     277 +- [Madhu Akula @madhuakula](https://github.com/madhuakula)
     278 +- [Finn @f3rn0s](https://github.com/f3rn0s)
     279 +- [Alex Bender @alex-bender](https://github.com/alex-bender)
     280 +- [Rick M @kingthorin](https://github.com/kingthorin)
    201 281   
    202 282  Testers:
    203 283   
    204  -- [Dave van Stein @davevs](https://github.com/davevs)
    205  -- [Marcin Nowak @MarcinNowak-codes](https://github.com/MarcinNowak-codes)
    206  -- [Marc Chang Sing Pang @mchangsp](https://github.com/mchangsp)
     284 +- [Dave van Stein @davevs](https://github.com/davevs)
     285 +- [Marcin Nowak @MarcinNowak-codes](https://github.com/MarcinNowak-codes)
     286 +- [Marc Chang Sing Pang @mchangsp](https://github.com/mchangsp)
    207 287   
    208 288  Special mentions for helping out:
    209 289   
    210  -- [Madhu Akula @madhuakula](https://github.com/madhuakula)
    211  -- [Björn Kimminich @bkimminich](https://github.com/bkimminich)
    212  -- [Avinash Pancham @avinashpancham](https://github.com/avinashpancham)
     290 +- [Madhu Akula @madhuakula](https://github.com/madhuakula)
     291 +- [BjÃrn Kimminich @bkimminich](https://github.com/bkimminich)
     292 +- [Xiaolu Dai @saragluna](https://github.com/saragluna)
     293 +- [Jonathan Giles @jonathanGiles](https://github.com/JonathanGiles)
     294 + 
     295 +### Sponsorships
     296 + 
     297 +We would like to thank the following parties for helping us out:
     298 + 
     299 +[![gitguardian_logo.png](images/gitguardian_logo.jpeg)](https://blog.gitguardian.com/gitguardian-is-proud-sponsor-of-owasp/)
     300 + 
     301 +[GitGuardian](https://www.gitguardian.com/) for their sponsorship which allows us to pay the bills for our cloud-accounts.
     302 + 
     303 +[![jetbrains_logo.png](images/jetbrains_logo.png)](https://www.jetbrains.com/)
     304 + 
     305 +[Jetbrains](https://www.jetbrains.com/) for licensing an instance of Intellij IDEA Ultimate edition to the project leads. We could not have been this fast with the development without it!
     306 + 
     307 +[![docker_logo.png](images/docker_logo.png)](https://www.docker.com)
     308 + 
     309 +[Docker](https://www.docker.com) for granting us their Docker Open Source Sponsored program.
     310 + 
     311 +[![1password_logo.png](images/1password_logo.png)](https://github.com/1Password/1password-teams-open-source/pull/552)
     312 + 
     313 +[1Password](https://1password.com/) for granting us an open source license to 1Password for the secret detection testbed.
     314 + 
     315 + 
     316 +[![AWS Open Source](images/aws-white_48x29.png)](https://aws.amazon.com/)
     317 + 
     318 +[AWS](https://aws.amazon.com/) for granting us AWS Open Source credits which we use to test our project and the [Wrongsecrets CTF Party](https://github.com/OWASP/wrongsecrets-ctf-party) setup on AWS.
    213 319   
    214 320  ## Help Wanted
    215 321   
    216 322  You can help us by the following methods:
    217 323   
    218  -- Star us
    219  -- Share this app with others
    220  -- Of course, we can always use your help [to get more flavors](https://github.com/commjoen/wrongsecrets/issues/37) of "wrongly" configured secrets in to spread awareness! We would love to get some help with other cloudproiders, like Alibabaor Tencent cloud for instance. Do you miss something else than a cloud provider as an example? File an issue or create a PR! See [our guide on contributing for more details](CONTRIBUTING.md). Contributors will be listed in releases, in the "Special thanks & Contributors"-section, and the web-app.
     324 +- Star us
     325 +- Share this app with others
     326 +- Of course, we can always use your help [to get more flavors](https://github.com/OWASP/wrongsecrets/issues/37) of "wrongly" configured secrets in to spread awareness! We would love to get some help with other cloud providers, like Alibaba or Tencent cloud for instance. Do you miss something else than a cloud provider? File an issue or create a PR! See [our guide on contributing for more details](CONTRIBUTING.md). Contributors will be listed in releases, in the "Special thanks & Contributors"-section, and the web-app.
    221 327   
    222 328  ## Use OWASP WrongSecrets as a secret detection benchmark
    223 329   
    224 330  As tons of secret detection tools are coming up for both Docker and Git, we are creating a Benchmark testbed for it.
    225  -Want to know if your tool detects everything? We will keep track of the embedded secrets in [this issue](https://github.com/commjoen/wrongsecrets/issues/201) and have a [branch](https://github.com/commjoen/wrongsecrets/tree/experiment-bed) in which we put additional secrets for your tool to detect.
     331 +Want to know if your tool detects everything? We will keep track of the embedded secrets in [this issue](https://github.com/OWASP/wrongsecrets/issues/201) and have a [branch](https://github.com/OWASP/wrongsecrets/tree/experiment-bed) in which we put additional secrets for your tool to detect.
    226 332  The branch will contain a Docker container generation script using which you can eventually test your container secret scanning.
    227 333   
    228 334  ## CTF
    229 335   
     336 +We have 3 ways of playing CTFs:
     337 + 
     338 +- The quick "let's play"-approach based on our own Heroku domain [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com) or our Okteto domain [https://wrongsecrets-ctf-commjoen.cloud.okteto.net/](https://wrongsecrets-ctf-commjoen.cloud.okteto.net/), which we documented for you here.
     339 +- A more extended approach documented in [ctf-instructions.md](/ctf-instructions.md).
     340 +- A fully customizable CTF setup where every player gets its own virtual instance of WrongSecrets and a virtual instance of the wrongsecrets-desktop, so they all can play hassle-free. For this you have to use [the WrongSecrets CTF Party setup](https://github.com/OWASP/wrongsecrets-ctf-party).
     341 + 
    230 342  ### CTFD Support
    231 343   
    232  -NOTE: CTFD support is experimental, and now works based on the [Juiceshop CTF CLI](https://github.com/juice-shop/juice-shop-ctf).
    233  -NOTE-II: https://wrongsecrets-ctf.herokuapp.com is based on a free heroku instance, which takes time to warm up. Initial creation of the zip file for CTFD requires you to visit [https://wrongsecrets-ctf.herokuapp.com/api/Challenges](https://wrongsecrets-ctf.herokuapp.com/api/Challenges) once before executing the steps below.
     344 +Want to use CTFD to play a CTF based on the free Heroku wrongsecrets-ctf instance together with CTFD? You can!
     345 + 
     346 +NOTE: CTFD support now works based on the [Juiceshop CTF CLI](https://github.com/juice-shop/juice-shop-ctf).
     347 + 
     348 +NOTE-II: [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com) (temporary down based on lack of oss credits) is based on Heroku and has limited capacity. Alternatively you can use our Okteto setup at [https://wrongsecrets-ctf-commjoen.cloud.okteto.net/](https://wrongsecrets-ctf-commjoen.cloud.okteto.net/), which uses a free tier and needs some time to warm up. However, the Okteto environment does have more resources & supports the kubernetes challenges, unlike our Heroku setup that only supports the Docker challenges.
     349 + 
     350 +Initial creation of the zip file for CTFD requires you to visit [https://wrongsecrets-ctf.herokuapp.com/api/Challenges](https://wrongsecrets-ctf.herokuapp.com/api/Challenges) or [https://wrongsecrets-ctf-commjoen.cloud.okteto.net/](https://wrongsecrets-ctf-commjoen.cloud.okteto.net/) once before executing the steps below.
    234 351   
    235 352  Follow the following steps:
    236 353   
    237 354  ```shell
    238  - npm install -g juice-shop-ctf-cli
    239  - juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com as domain. No trailing slash! The key is 'TRwzkRJnHOTckssAeyJbysWgP!Qc2T', feel free to enable hints. We do not support snippets or links/urls to code or hints.
     355 + npm install -g juice-shop-ctf-cli@9.1.0
     356 + juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com (or https://wrongsecrets-ctf-commjoen.cloud.okteto.net/) as domain. No trailing slash! The key is 'TRwzkRJnHOTckssAeyJbysWgP!Qc2T', feel free to enable hints. We do not support snippets or links/urls to code or hints.
    240 357   docker run -p 8001:8000 -it ctfd/ctfd:3.4.3
    241 358  ```
    242 359   
    243  -Now visit the CTFD instance at [http://localhost:8001](http://localhost:8001) and setup your CTF. Then use the administrative backup function to import the zipfile you created with the juice-shop-ctf command.
    244  -Game on using [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com) !
     360 +Now visit the CTFD instance at [http://localhost:8001](http://localhost:8001) and setup your CTF.
     361 +Then use the administrative backup function to import the zipfile you created with the juice-shop-ctf command.
     362 +Game on using [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com) or [https://wrongsecrets-ctf-commjoen.cloud.okteto.net/](https://wrongsecrets-ctf-commjoen.cloud.okteto.net/)!
    245 363  Want to setup your own? You can! Watch out for people finding your key though, so secure it properly: make sure the running container with the actual ctf-key is not exposed to the audience, similar to our heroku container.
    246 364   
    247 365  ## FBCTF Support (Experimental!)
    248 366   
    249 367  NOTE: FBCTF support is experimental.
    250 368   
    251  -follow the same step as with CTFD, only now choose fbctfd and as a url for the countrymapping choose `https://raw.githubusercontent.com/commjoen/wrongsecrets/79a982558016c8ce70948a8106f9a2ee5b5b9eea/config/fbctf.yml`. Then follow [https://github.com/facebookarchive/fbctf/wiki/Quick-Setup-Guide](https://github.com/facebookarchive/fbctf/wiki/Quick-Setup-Guide) to run the FBCTF.
    252  - 
    253  - 
     369 +Follow the same step as with CTFD, only now choose fbctfd and as a url for the countrymapping choose `https://raw.githubusercontent.com/OWASP/wrongsecrets/79a982558016c8ce70948a8106f9a2ee5b5b9eea/config/fbctf.yml`.
     370 +Then follow [https://github.com/facebookarchive/fbctf/wiki/Quick-Setup-Guide](https://github.com/facebookarchive/fbctf/wiki/Quick-Setup-Guide) to run the FBCTF.
    254 371   
    255 372  ## Notes on development
    256 373   
    257  -For development on local machine use the `local` profile `./mvnw spring-boot:run -Dspring-boot.run.profiles=local`
     374 +For development on local machine use the `local` profile `./mvnw spring-boot:run -Dspring-boot.run.profiles=local,without-vault`
    258 375   
    259 376  If you want to test against vault without K8s: start vault locally with
    260 377   
    261 378  ```shell
    262  - export VAULT_ADDR='http://127.0.0.1:8200'
     379 + export SPRING_CLOUD_VAULT_URI='http://127.0.0.1:8200'
    263 380   export VAULT_API_ADDR='http://127.0.0.1:8200'
    264 381   vault server -dev
    265 382  ```
    skipped 1 lines
    267 384  and in your next terminal, do (with the token from the previous commands):
    268 385   
    269 386  ```shell
    270  -export VAULT_ADDR='http://127.0.0.1:8200'
    271  -export VAULT_TOKEN='<TOKENHERE>'
     387 +export SPRING_CLOUD_VAULT_URI='http://127.0.0.1:8200'
     388 +export SPRING_CLOUD_VAULT_TOKEN='<TOKENHERE>'
    272 389  vault token create -id="00000000-0000-0000-0000-000000000000" -policy="root"
    273 390  vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)"
    274 391  ```
    skipped 17 lines
    292 409  We have CycloneDX and OWASP Dependency-check integrated to check dependencies for vulnerabilities.
    293 410  You can use the OWASP Dependency-checker by calling `mvn dependency-check:aggregate` and `mvn cyclonedx:makeBom` to use CycloneDX to create an SBOM.
    294 411   
     412 +### Get the project started in IntelliJ IDEA
     413 + 
     414 +Requirements: make sure you have the following tools installed: [Docker](https://www.docker.com/products/docker-desktop/), [Java19 JDK](https://jdk.java.net/19/), [NodeJS 18](https://nodejs.org/dist/v18.12.1/node-v18.12.1-x86.msi) and [IntelliJ IDEA](https://www.jetbrains.com/idea/download).
     415 + 
     416 +1. Fork and clone the project as described in the [documentation](https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md).
     417 +2. Import the project in IntelliJ (e.g. import as mvn project / local sources)
     418 +3. Go to the project settings and make sure it uses Java19 (And that the JDK can be found)
     419 +4. Go to the IDE settings>Language & Frameworks > Lombok and make sure Lombok processing is enabled
     420 +5. Open the Maven Tab in your IDEA and run "Reload All Maven Projects" to make the system sync and download everything. Next, in that same tab use the "install" option as part of the OWASP WrongSecrets Lifecycle to genereate the asciidoc and such.
     421 +6. Now run the `main` method in `org.owasp.wrongsecrets.WrongSecretsApplication.java`. This should fail with a stack trace.
     422 +7. Now go to the run configuration of the app and make sure you have the active profile `without-vault`. This is done by setting the VM options arguments to `-Dserver.port=8080 -Dspring.profiles.active=local,without-vault`. Set `K8S_ENV=docker` as environment argument.
     423 +8. Repeat step 6: run the app again, you should have a properly running application which is visitable in your browser at http://localhost:8080.
     424 + 
     425 +**Pictorial Guide** on how to get the project started in IntelliJ IDEA is available at [_Contributing.md_](https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md#how-to-get-started-with-the-project-in-intellij-idea).
     426 + 
     427 +Feel free to edit and propose changes via pull requests. Be sure to follow our guidance in the [documentation](https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md) to get your work accepted.
     428 + 
     429 +Please note that we officially only support Linux and MacOS for development. If you want to develop using a Windows machine, use WSL2 or a virtual machine running Linux. We did include Windows detection & a bunch of `exe` files for a first experiment, but are looking for active maintainers of them. Want to make sure it runs on Windows? Create PRs ;-).
     430 + 
     431 +If, after reading this section, you still have no clue on the application code: Have a look [at some tutorials on Spring boot from Baeldung](https://www.baeldung.com/spring-boot)
     432 + 
    295 433  ### Automatic reload during development
    296 434   
    297  -To make changes made load faster we added `spring-dev-tools` to the Maven project. To enable this in IntelliJ automatically, make sure:
     435 +To make changes made load faster we added `spring-dev-tools` to the Maven project.
     436 +To enable this in IntelliJ automatically, make sure:
    298 437   
    299  -- Under Compiler -> Automatically build project is enabled, and
    300  -- Under Advanced settings -> Allow auto-make to start even if developed application is currently running.
     438 +- Under Compiler -> Automatically build project is enabled, and
     439 +- Under Advanced settings -> Allow auto-make to start even if developed application is currently running.
    301 440   
    302 441  You can also manually invoke: Build -> Recompile the file you just changed, this will also force reloading of the application.
    303 442   
    skipped 1 lines
    305 444   
    306 445  Follow the steps below on adding a challenge:
    307 446   
    308  -1. First make sure that you have an [Issue](https://github.com/commjoen/wrongsecrets/issues) reported for which a challenge is really wanted.
     447 +1. First make sure that you have an [Issue](https://github.com/OWASP/wrongsecrets/issues) reported for which a challenge is really wanted.
    309 448  2. Add the new challenge in the `org.owasp.wrongsecrets.challenges` folder. Make sure you add an explanation in `src/main/resources/explanations` and refer to it from your new Challenge class.
    310  -3. Add a unit and integration test to show that your challenge is working.
     449 +3. Add unit, integration and UI tests as appropriate to show that your challenge is working.
    311 450  4. Don't forget to add `@Order` annotation to your challenge ;-).
     451 +5. Review the [CONTRIBUTING guide](CONTRIBUTING.md) for setting up your contributing environment and writing good commit messages.
    312 452   
    313  -If you want to move existing cloud challenges to another cloud: extend Challenge classes in the `org.owasp.wrongsecrets.challenges.cloud` package and make sure you add the required Terraform in a folder with the separate cloud identified. Make sure that the environment is added to `org.owasp.wrongsecrets.RuntimeEnvironment`. Collaborate with the others at the project to get your container running so you can test at the cloud account.
     453 +For more details please refer [_Contributing.md_](https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md#how-to-add-a-challenge).
     454 + 
     455 +If you want to move existing cloud challenges to another cloud: extend Challenge classes in the `org.owasp.wrongsecrets.challenges.cloud` package and make sure you add the required Terraform in a folder with the separate cloud identified. Make sure that the environment is added to `org.owasp.wrongsecrets.RuntimeEnvironment`.
     456 +Collaborate with the others at the project to get your container running so you can test at the cloud account.
    314 457   
    315 458  ### Local testing
    316 459   
    skipped 8 lines
    325 468  ## Want to play, but are not allowed to install the tools?
    326 469   
    327 470  If you want to play the challenges, but cannot install tools like keepass, Radare, etc. But are allowed to run Docker containers, try the following:
     471 + 
     472 +```shell
     473 +docker run -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock jeroenwillemsen/wrongsecrets-desktop:latest
     474 +```
     475 + 
     476 +or use something more configurable:
    328 477   
    329 478  ```shell
    330 479  docker run -d \
    331 480   --name=webtop \
    332  - --security-opt seccomp=unconfined `#optional` \
     481 + --security-opt seccomp=unconfined \
    333 482   -e PUID=1000 \
    334 483   -e PGID=1000 \
    335 484   -e TZ=Europe/London \
    336  - -e SUBFOLDER=/ `#optional` \
    337  - -e KEYBOARD=en-us-qwerty `#optional` \
     485 + -e SUBFOLDER=/ \
     486 + -e KEYBOARD=en-us-qwerty \
    338 487   -p 3000:3000 \
    339  - -v /var/run/docker.sock:/var/run/docker.sock `#optional` \
    340  - --shm-size="1gb" `#optional` \
     488 + -v /var/run/docker.sock:/var/run/docker.sock \
     489 + --shm-size="2gb" \
    341 490   --restart unless-stopped \
    342  - jeroenwillemsen/wrongsecrets-desktop:<VERSION HERE>
     491 + jeroenwillemsen/wrongsecrets-desktop:latest
    343 492  ```
     493 + 
     494 +And then at [http://localhost:3000](http://localhost:3000).
    344 495   
    345 496  Note: be careful with trying to deploy the `jeroenwillemsen/wrongsecrets-desktop` container to Heroku ;-).
    346 497   
     498 +## Docker on macOS with M1 and Colima (Experimental!)
     499 + 
     500 +NOTE: Colima support is experimental.
     501 + 
     502 +Using [Colima](https://github.com/abiosoft/colima) (version 0.5.2 when written) you your macOS with Apple Silicon M1
     503 +to run Docker image `jeroenwillemsen/wrongsecrets` you try one of:
     504 + 
     505 +- switch off Colima
     506 +- change Docker context
     507 +- run Colima with 1 CPU
     508 + 
     509 +### Switch off Colima
     510 + 
     511 +```shell
     512 +colima stop
     513 +```
     514 +and run natively Docker image `jeroenwillemsen/wrongsecrets` on ARM.
     515 + 
     516 +### Change Docker context
     517 + 
     518 +Running docker image on Colima container runtimes on macOS Ventura with M1 CPU can run very slowly or can hang at some point.
     519 +Wrong Secrets provide `arm64` Docker image and switching to `desktop-linux` context will use the native `arm64` image.
     520 +To do that in the terminal run:
     521 + 
     522 +```shell
     523 +docker context ls
     524 +```
     525 + 
     526 +you should see context default `colima *`:
     527 + 
     528 +```
     529 +NAME TYPE DESCRIPTION DOCKER ENDPOINT KUBERNETES ENDPOINT ORCHESTRATOR
     530 +colima * moby colima unix:///Users/YOUR_USER_NAME/.colima/default/docker.sock
     531 +default moby Current DOCKER_HOST based configuration unix:///var/run/docker.sock https://127.0.0.1:6443 (default) swarm
     532 +desktop-linux moby unix:///Users/YOUR_USER_NAME/.docker/run/docker.sock
     533 +```
     534 + 
     535 +Now run one of the above Docker commands together with `--context` switch e.g.:
     536 + 
     537 +```bash
     538 +docker --context desktop-linux run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault
     539 +```
     540 + 
     541 +### Run Colima with 1 CPU
     542 + 
     543 +Colima is using QEMU behind and for QEMU on Apple Silicon M1 is recommended to use 1 CPU core:
     544 + 
     545 +```shell
     546 +colima start -m 8 -c 1 --arch x86_64
     547 +```
     548 + 
     549 +and run with AMD x64 emulation e.g.:
     550 + 
     551 +```bash
     552 +docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault
     553 +```
     554 + 
    347 555  ## Further reading on secrets management
    348 556   
    349 557  Want to learn more? Checkout the sources below:
    350 558   
    351  -- [Blog: 10 Pointers on Secrets Management](https://dev.to/commjoen/secure-deployment-10-pointers-on-secrets-management-187j)
    352  -- [OWASP SAMM on Secret Management](https://owaspsamm.org/model/implementation/secure-deployment/stream-b/)
    353  -- [The secret detection topic at Github](https://github.com/topics/secrets-detection)
    354  -- [OWASP Secretsmanagement Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Secrets_Management_CheatSheet.md)
    355  -- [OpenCRE on secrets management](https://www.opencre.org/cre/223-780?register=true&type=tool&tool_type=training&tags=secrets,training&description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2014%20challenges%3F&trk=flagship-messaging-web&messageThreadUrn=urn:li:messagingThread:2-YmRkNjRkZTMtNjRlYS00OWNiLWI2YmUtMDYwNzY3ZjI1MDcyXzAxMg==&lipi=urn:li:page:d_flagship3_feed;J58Sgd80TdanpKWFMH6z+w==)
     559 +- [Blog: 10 Pointers on Secrets Management](https://dev.to/commjoen/secure-deployment-10-pointers-on-secrets-management-187j)
     560 +- [OWASP SAMM on Secret Management](https://owaspsamm.org/model/implementation/secure-deployment/stream-b/)
     561 +- [The secret detection topic at Github](https://github.com/topics/secrets-detection)
     562 +- [OWASP Secretsmanagement Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Secrets_Management_Cheat_Sheet.md)
     563 +- [OpenCRE on secrets management](https://www.opencre.org/cre/223-780?register=true&type=tool&tool_type=training&tags=secrets,training&description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2014%20challenges%3F&trk=flagship-messaging-web&messageThreadUrn=urn:li:messagingThread:2-YmRkNjRkZTMtNjRlYS00OWNiLWI2YmUtMDYwNzY3ZjI1MDcyXzAxMg==&lipi=urn:li:page:d_flagship3_feed;J58Sgd80TdanpKWFMH6z+w==)
    356 564   
    SECURITY.md
     1 +# Security Policy
     2 + 
     3 +## Supported Versions
     4 + 
     5 +We only provide security updates for the latest version that has been released. See our [Release page](https://github.com/OWASP/wrongsecrets/releases)
     6 +The "support latest only" holds both for WrongSecrets and WrongSecrets-CTF-party.
     7 + 
     8 +| Version | Supported |
     9 +| ------- | ------------------ |
     10 +| latest | :white_check_mark: |
     11 +| <before | :x: |
     12 + 
     13 +## Reporting a Vulnerability
     14 + 
     15 +Please use Slack to report a vulnerability in the [#project-wrongsecrets](https://owasp.slack.com/archives/C02KQ7D9XHR) channel. You can register for the OWASP Slack [here](https://owasp.org/slack/invite). Given this is a p0wnable app, we do not have any bug bounty or rewards for you ;-).
     16 + 
     17 +Given the project is run by volunteers, we intend to respond within a week.
     18 + 
    app.json
    skipped 15 lines
    16 16   "quantity": 1
    17 17   }
    18 18   },
    19  - "website": "https://github.com/commjoen/wrongsecrets",
    20  - "repository": "https://github.com/commjoen/wrongsecrets"
     19 + "website": "https://github.com/OWASP/wrongsecrets",
     20 + "repository": "https://github.com/OWASP/wrongsecrets"
    21 21  }
     22 + 
    aws/.terraform.lock.hcl
     1 +# This file is maintained automatically by "terraform init".
     2 +# Manual edits may be lost in future updates.
     3 + 
     4 +provider "registry.terraform.io/hashicorp/aws" {
     5 + version = "4.65.0"
     6 + constraints = ">= 3.72.0, >= 4.0.0, >= 4.35.0, >= 4.47.0, >= 4.57.0, ~> 4.65.0"
     7 + hashes = [
     8 + "h1:npDM2DHnGDKlXJJGWdBpTVywKHa9clSgXzvin5phSM4=",
     9 + "zh:0461b8dfc14e94971bfd12783cbd5a5574b9fcfc3694b6afaa8836f90b61c1f9",
     10 + "zh:24a27e7b1f6eb33e9da6f2ffaaa6bc48e933a24224c6572d6e588994e5c7130b",
     11 + "zh:2ca189d04573414bef4876c17ccb2b76f6e721e0450f6ab3700d94d7c04bec64",
     12 + "zh:3fb0654a527677231dab2140e9a55df3b90dba478b3db50001e21a045437a47a",
     13 + "zh:4918173d9c7d2735908622c17efd01746a046f0a571690afa7dd0866f22045f7",
     14 + "zh:491d259b15166f751076d2bdc443928ca63f6c0a83b02ea75fff8b4224662207",
     15 + "zh:4ff8e178f0656f04f88558c295a1d246b1bdcf5ad81d8b3b9ccceaeca2eb7fa8",
     16 + "zh:5e4eaf2855a740124f4bbe34ac4bd22c7f320aa3e91d9cef64396ad0a1571544",
     17 + "zh:65762c60c4bac2e0d55ed8c2877e455e84465cb12f0c885363a1b561cd4f5f07",
     18 + "zh:7c5e4f85eb5f70e6da2d64701dd5551f2bc334dbb9add76bfc6a2bea6acf4483",
     19 + "zh:90d32b238113528319d7a5fade97bd8ac9a8b654482fc9056478a43d2e297886",
     20 + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
     21 + "zh:e6ed3299516a8fb2292af7e7e123d09817dfd8e039aaf35ad5a276f739668e88",
     22 + "zh:eb84fa96c63d836b3b4689835cb7c4487808dfd1ba7ddacf4d8c4c6ff65cdbef",
     23 + "zh:ff97d1498193c99c9c35afd9bfcdce011abf460ec041721727d6e542f7a3bedd",
     24 + ]
     25 +}
     26 + 
     27 +provider "registry.terraform.io/hashicorp/cloudinit" {
     28 + version = "2.3.2"
     29 + constraints = ">= 2.0.0"
     30 + hashes = [
     31 + "h1:ocyv0lvfyvzW4krenxV5CL4Jq5DiA3EUfoy8DR6zFMw=",
     32 + "zh:2487e498736ed90f53de8f66fe2b8c05665b9f8ff1506f751c5ee227c7f457d1",
     33 + "zh:3d8627d142942336cf65eea6eb6403692f47e9072ff3fa11c3f774a3b93130b3",
     34 + "zh:434b643054aeafb5df28d5529b72acc20c6f5ded24decad73b98657af2b53f4f",
     35 + "zh:436aa6c2b07d82aa6a9dd746a3e3a627f72787c27c80552ceda6dc52d01f4b6f",
     36 + "zh:458274c5aabe65ef4dbd61d43ce759287788e35a2da004e796373f88edcaa422",
     37 + "zh:54bc70fa6fb7da33292ae4d9ceef5398d637c7373e729ed4fce59bd7b8d67372",
     38 + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
     39 + "zh:893ba267e18749c1a956b69be569f0d7bc043a49c3a0eb4d0d09a8e8b2ca3136",
     40 + "zh:95493b7517bce116f75cdd4c63b7c82a9d0d48ec2ef2f5eb836d262ef96d0aa7",
     41 + "zh:9ae21ab393be52e3e84e5cce0ef20e690d21f6c10ade7d9d9d22b39851bfeddc",
     42 + "zh:cc3b01ac2472e6d59358d54d5e4945032efbc8008739a6d4946ca1b621a16040",
     43 + "zh:f23bfe9758f06a1ec10ea3a81c9deedf3a7b42963568997d84a5153f35c5839a",
     44 + ]
     45 +}
     46 + 
     47 +provider "registry.terraform.io/hashicorp/http" {
     48 + version = "3.3.0"
     49 + constraints = "~> 3.3.0"
     50 + hashes = [
     51 + "h1:O2VLKCxxAgaFRPnhRuz/VOsP5HzQdQm9YAi848kvImg=",
     52 + "zh:27d101f4c089d1e367bbbbb3f260fc7d52f63559a4424c08633e566863c951b2",
     53 + "zh:37860671324229f52a7d82eea88a31fe24321297fd699d879de5b6cf6aae086c",
     54 + "zh:4680716579e361298e4331ce0c92e38011fc41ed56bd55302c23b696b3b8c469",
     55 + "zh:547cd2a407ca0d22307634d83ffc64cd4225f221baa09682b7a8c5a2429c34d8",
     56 + "zh:61965698af75aad7482f2f593b75f15e4a4f6f0117b643c69f3da61f40b1a9c7",
     57 + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
     58 + "zh:93f9e0f2244816cbb72197c733ada4214df691e4e6a84b8e340e43e43ab8a383",
     59 + "zh:969aad70624d033c257c365cf75001d29fa7341b48d673cd7317205395b4791b",
     60 + "zh:e9504018b1af992c041bda1e4a6f01db1f1cdb1a7df8055d1082049befbc4217",
     61 + "zh:fa7f6af94e75c6fe21782c622ed387ae08ee3ffeaa0176f08d0b06bb61bb50f4",
     62 + "zh:feda1d7cdae86bce829f82223f625b55c858a36d3aca1a762d7258798a25b476",
     63 + "zh:ff1f3d8c53930aad2fde32d6328df7e7e5b5de36dd7c0682d15518993ab199ef",
     64 + ]
     65 +}
     66 + 
     67 +provider "registry.terraform.io/hashicorp/kubernetes" {
     68 + version = "2.18.1"
     69 + constraints = ">= 2.10.0"
     70 + hashes = [
     71 + "h1:y4VED+vsulAqE7YbQC7x1XXrzvi/dEIjupttSyzSA/M=",
     72 + "zh:09d69d244f5e688d9b1582112aa5d151c5336278e43d39c88ae920c26536b753",
     73 + "zh:0df4c988056f7d84d9161c6c955ad7346364c261d100ef510a6cc7fa4a235197",
     74 + "zh:2d3d0cb2931b6153a7971ce8c6fae92722b1116e16f42abbaef115dba895c8d8",
     75 + "zh:47830e8fc1760860bfa4aaf418627ff3c6ffcac6cebbbc490e5e0e6b31287d80",
     76 + "zh:49467177b514bada0fb3b6982897a347498af8ef9ef8d9fd611fe21dfded2e25",
     77 + "zh:5c7eae2c51ba175822730a63ad59cf41604c76c46c5c97332506ab42023525ce",
     78 + "zh:6efae755f02df8ab65ce7a831f33bd4817359db205652fd4bc4b969302072b15",
     79 + "zh:7e6e97b79fecd25aaf0f4fb91da945a65c36fe2ba2a4313288a60ede55506aad",
     80 + "zh:b75f2c9dd24b355ffe73e7b2fcd3145fc32735068f0ec2eba2df63f792dd16e8",
     81 + "zh:dbef9698d842eb49a846db6d7694f159ae5154ffbb7a753a9d4cab88c462a6d4",
     82 + "zh:f1b1fd580d92eedd9c8224d463997ccff1a62851fea65106aac299efe9ab622a",
     83 + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
     84 + ]
     85 +}
     86 + 
     87 +provider "registry.terraform.io/hashicorp/random" {
     88 + version = "3.5.1"
     89 + constraints = "~> 3.5.1"
     90 + hashes = [
     91 + "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=",
     92 + "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
     93 + "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
     94 + "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
     95 + "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
     96 + "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
     97 + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
     98 + "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
     99 + "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
     100 + "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
     101 + "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
     102 + "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
     103 + "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
     104 + ]
     105 +}
     106 + 
     107 +provider "registry.terraform.io/hashicorp/time" {
     108 + version = "0.9.1"
     109 + constraints = ">= 0.9.0"
     110 + hashes = [
     111 + "h1:VxyoYYOCaJGDmLz4TruZQTSfQhvwEcMxvcKclWdnpbs=",
     112 + "zh:00a1476ecf18c735cc08e27bfa835c33f8ac8fa6fa746b01cd3bcbad8ca84f7f",
     113 + "zh:3007f8fc4a4f8614c43e8ef1d4b0c773a5de1dcac50e701d8abc9fdc8fcb6bf5",
     114 + "zh:5f79d0730fdec8cb148b277de3f00485eff3e9cf1ff47fb715b1c969e5bbd9d4",
     115 + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
     116 + "zh:8c8094689a2bed4bb597d24a418bbbf846e15507f08be447d0a5acea67c2265a",
     117 + "zh:a6d9206e95d5681229429b406bc7a9ba4b2d9b67470bda7df88fa161508ace57",
     118 + "zh:aa299ec058f23ebe68976c7581017de50da6204883950de228ed9246f309e7f1",
     119 + "zh:b129f00f45fba1991db0aa954a6ba48d90f64a738629119bfb8e9a844b66e80b",
     120 + "zh:ef6cecf5f50cda971c1b215847938ced4cb4a30a18095509c068643b14030b00",
     121 + "zh:f1f46a4f6c65886d2dd27b66d92632232adc64f92145bf8403fe64d5ffa5caea",
     122 + "zh:f79d6155cda7d559c60d74883a24879a01c4d5f6fd7e8d1e3250f3cd215fb904",
     123 + "zh:fd59fa73074805c3575f08cd627eef7acda14ab6dac2c135a66e7a38d262201c",
     124 + ]
     125 +}
     126 + 
     127 +provider "registry.terraform.io/hashicorp/tls" {
     128 + version = "4.0.4"
     129 + constraints = ">= 3.0.0"
     130 + hashes = [
     131 + "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=",
     132 + "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55",
     133 + "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848",
     134 + "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be",
     135 + "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5",
     136 + "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe",
     137 + "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e",
     138 + "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48",
     139 + "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8",
     140 + "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60",
     141 + "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e",
     142 + "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316",
     143 + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
     144 + ]
     145 +}
     146 + 
    aws/README.md
    skipped 7 lines
    8 8   
    9 9  Have the following tools installed:
    10 10   
    11  -- AWS CLI - [Installation](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)
    12  -- EKS CTL - [Installation](https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html)
    13  -- Tfenv (Optional) - [Installation](https://github.com/tfutils/tfenv)
    14  -- Terraform CLI - [Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)
    15  -- Wget - [Installation](https://www.jcchouinard.com/wget/)
    16  -- Helm [Installation](https://helm.sh/docs/intro/install/)
    17  -- Kubectl [Installation](https://kubernetes.io/docs/tasks/tools/)
    18  -- jq [Installation](https://stedolan.github.io/jq/download/)
     11 +- AWS CLI - [Installation](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)
     12 +- EKS CTL - [Installation](https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html)
     13 +- Tfenv (Optional) - [Installation](https://github.com/tfutils/tfenv)
     14 +- Terraform CLI - [Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)
     15 +- Wget - [Installation](https://www.jcchouinard.com/wget/)
     16 +- Helm [Installation](https://helm.sh/docs/intro/install/)
     17 +- Kubectl [Installation](https://kubernetes.io/docs/tasks/tools/)
     18 +- jq [Installation](https://stedolan.github.io/jq/download/)
    19 19   
    20 20  Make sure you have an active account at AWS for which you have configured the credentials on the system where you will execute the steps below. In this example we stored the credentials under an aws profile as `awsuser`.
     21 + 
     22 +Please note that this setup relies on bash scripts that have been tested in MacOS and Linux. We have no intention of supporting vanilla Windows at the moment.
    21 23   
    22 24  ### Multi-user setup: shared state
    23 25   
    skipped 47 lines
    71 73   1. If you've deployed the `shared-state` s3 bucket, also `cd shared-state` and `terraform destroy` there.
    72 74  3. Run `unset KUBECONFIG` to unset the KUBECONFIG env var.
    73 75  4. Run `rm ~/.kube/wrongsecrets` to remove the kubeconfig file.
    74  -5. Run `rm terraform.ts*` to remove local state files.
     76 +5. Run `rm terraform.tfstate*` to remove local state files.
    75 77   
    76 78  ### A few things to consider
    77 79   
    skipped 14 lines
    92 94   
    93 95  Note that you might have to do some manual cleanups after that.
    94 96   
     97 +## Terraform documentation
     98 +The documentation below is auto-generated to give insight on what's created via Terraform.
     99 + 
     100 +<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
     101 +## Requirements
     102 + 
     103 +| Name | Version |
     104 +|------|---------|
     105 +| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
     106 +| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.65.0 |
     107 +| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.3.0 |
     108 +| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.5.1 |
     109 + 
     110 +## Providers
     111 + 
     112 +| Name | Version |
     113 +|------|---------|
     114 +| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.65.0 |
     115 +| <a name="provider_http"></a> [http](#provider\_http) | 3.3.0 |
     116 +| <a name="provider_random"></a> [random](#provider\_random) | 3.5.1 |
     117 + 
     118 +## Modules
     119 + 
     120 +| Name | Source | Version |
     121 +|------|--------|---------|
     122 +| <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.5 |
     123 +| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | 19.13.1 |
     124 +| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 4.0.1 |
     125 + 
     126 +## Resources
     127 + 
     128 +| Name | Type |
     129 +|------|------|
     130 +| [aws_iam_policy.secret_deny](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
     131 +| [aws_iam_policy.secret_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
     132 +| [aws_iam_role.irsa_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
     133 +| [aws_iam_role.user_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
     134 +| [aws_iam_role_policy_attachment.irsa_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
     135 +| [aws_iam_role_policy_attachment.user_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
     136 +| [aws_secretsmanager_secret.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
     137 +| [aws_secretsmanager_secret.secret_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
     138 +| [aws_secretsmanager_secret_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource |
     139 +| [aws_secretsmanager_secret_policy.policy_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource |
     140 +| [aws_secretsmanager_secret_version.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
     141 +| [aws_ssm_parameter.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
     142 +| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
     143 +| [random_password.password2](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
     144 +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
     145 +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
     146 +| [aws_iam_policy_document.assume_role_with_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
     147 +| [aws_iam_policy_document.secret_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
     148 +| [aws_iam_policy_document.user_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
     149 +| [aws_iam_policy_document.user_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
     150 +| [http_http.ip](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
     151 + 
     152 +## Inputs
     153 + 
     154 +| Name | Description | Type | Default | Required |
     155 +|------|-------------|------|---------|:--------:|
     156 +| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
     157 +| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.25"` | no |
     158 +| <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
     159 + 
     160 +## Outputs
     161 + 
     162 +| Name | Description |
     163 +|------|-------------|
     164 +| <a name="output_cluster_endpoint"></a> [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for EKS control plane. |
     165 +| <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | The id of the cluster |
     166 +| <a name="output_cluster_security_group_id"></a> [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. |
     167 +| <a name="output_irsa_role"></a> [irsa\_role](#output\_irsa\_role) | The role ARN used in the IRSA setup |
     168 +| <a name="output_secrets_manager_secret_name"></a> [secrets\_manager\_secret\_name](#output\_secrets\_manager\_secret\_name) | The name of the secrets manager secret |
     169 +<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
     170 + 
    aws/irsa.tf
    1 1  data "aws_caller_identity" "current" {}
    2 2   
    3  -data "aws_region" "current" {}
    4  - 
    5  -locals {
    6  - k8s_service_account_namespace = "default"
    7  - k8s_service_account_name = "default"
    8  -}
    9  - 
    10 3  ############
    11 4  # Pod role #
    12 5  ############
    skipped 7 lines
    20 13  data "aws_iam_policy_document" "assume_role_with_oidc" {
    21 14   statement {
    22 15   principals {
    23  - type = "Federated"
    24  - identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}"]
     16 + type = "Federated"
     17 + identifiers = [
     18 + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}"
     19 + ]
    25 20   }
    26 21   effect = "Allow"
    27 22   actions = ["sts:AssumeRoleWithWebIdentity"]
    skipped 16 lines
    44 39   
    45 40  resource "aws_iam_policy" "secret_manager" {
    46 41   name_prefix = "secret-manager"
    47  - description = "EKS secret manager policy for cluster ${module.eks.cluster_id}"
     42 + description = "EKS secret manager policy for cluster ${module.eks.cluster_name}"
    48 43   policy = data.aws_iam_policy_document.secret_manager.json
    49 44  }
    50 45   
    skipped 76 lines
    127 122   }
    128 123  }
    129 124   
     125 +module "ebs_csi_irsa_role" {
     126 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
     127 + version = "~> 5.5"
     128 + role_name = "ebs-csi"
     129 + attach_ebs_csi_policy = true
     130 + 
     131 + oidc_providers = {
     132 + ex = {
     133 + provider_arn = module.eks.oidc_provider_arn
     134 + namespace_service_accounts = ["consul:server", "kube-system:ebs-csi-controller-sa"]
     135 + }
     136 + }
     137 +}
     138 + 
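Review bot: The new `ebs_csi_irsa_role` module binds the EBS CSI policy to `consul:server` as well as `kube-system:ebs-csi-controller-sa` (`namespace_service_accounts`, new line 134); unless the Consul server pods themselves create or attach volumes, that service account receives EC2 volume permissions it does not need, and a token taken from a consul server pod would inherit them. If the second entry is only there to reuse the same role, I would give Consul its own role with the policy it actually needs, or at least record the reason next to the line: `# consul:server is listed because <REASON>`. If Consul only consumes volumes provisioned by the CSI controller, the entry can simply be dropped: `namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]`.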
    aws/k8s/secret-challenge-vault-deployment.yml
    skipped 27 lines
    28 28   runAsUser: 2000
    29 29   runAsGroup: 2000
    30 30   fsGroup: 2000
     31 + seccompProfile:
     32 + type: RuntimeDefault
    31 33   serviceAccountName: vault
    32 34   volumes:
     35 + - name: "ephemeral"
     36 + emptyDir: {}
    33 37   - name: secrets-store-inline
    34 38   csi:
    35 39   driver: secrets-store.csi.k8s.io
    skipped 1 lines
    37 41   volumeAttributes:
    38 42   secretProviderClass: "wrongsecrets-aws-secretsmanager"
    39 43   containers:
    40  - - image: jeroenwillemsen/wrongsecrets:1.5.2-k8s-vault
     44 + - image: jeroenwillemsen/wrongsecrets:1.6.4-k8s-vault
    41 45   imagePullPolicy: IfNotPresent
     46 + name: secret-challenge
     47 + securityContext:
     48 + allowPrivilegeEscalation: false
     49 + readOnlyRootFilesystem: true
     50 + runAsNonRoot: true
     51 + capabilities:
     52 + drop:
     53 + - ALL
     54 + seccompProfile:
     55 + type: RuntimeDefault
    42 56   ports:
    43 57   - containerPort: 8080
    44 58   protocol: TCP
    45  - name: secret-challenge
    46  - resources: {}
     59 + readinessProbe:
     60 + httpGet:
     61 + path: "/actuator/health/readiness"
     62 + port: 8080
     63 + initialDelaySeconds: 30
     64 + timeoutSeconds: 5
     65 + periodSeconds: 5
     66 + failureThreshold: 8
     67 + livenessProbe:
     68 + httpGet:
     69 + path: "/actuator/health/liveness"
     70 + port: 8080
     71 + initialDelaySeconds: 35
     72 + timeoutSeconds: 30
     73 + periodSeconds: 40
     74 + failureThreshold: 5
     75 + resources:
     76 + requests:
     77 + memory: "512Mi"
     78 + cpu: "200m"
     79 + ephemeral-storage: "1Gi"
     80 + limits:
     81 + memory: "512Mi"
     82 + cpu: "1200m"
     83 + ephemeral-storage: "2Gi"
    47 84   terminationMessagePath: /dev/termination-log
    48 85   terminationMessagePolicy: File
    49 86   env:
    skipped 9 lines
    59 96   secretKeyRef:
    60 97   name: funnystuff
    61 98   key: funnier
    62  - - name: VAULT_ADDR
    63  - value: "http://vault:8200"
     99 + - name: CHALLENGE33
     100 + valueFrom:
     101 + secretKeyRef:
     102 + name: challenge33
     103 + key: answer
     104 + - name: SPRING_CLOUD_VAULT_URI
     105 + value: "http://vault.vault.svc.cluster.local:8200"
    64 106   - name: JWT_PATH
    65 107   value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
    66 108   volumeMounts:
    67 109   - name: secrets-store-inline
    68 110   mountPath: "/mnt/secrets-store"
    69 111   readOnly: true
     112 + - name: "ephemeral"
     113 + mountPath: "/tmp"
    70 114   dnsPolicy: ClusterFirst
    71 115   restartPolicy: Always
    72 116   schedulerName: default-scheduler
    skipped 2 lines
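Review bot: The hardened container spec still pulls `jeroenwillemsen/wrongsecrets:1.6.4-k8s-vault` by mutable tag (new line 44), so the image running under the new `securityContext` can change underneath this manifest without any change to it. Since the commit is tightening the pod's security posture, I would pin the digest alongside the tag, `image: jeroenwillemsen/wrongsecrets:1.6.4-k8s-vault@sha256:<DIGEST_PLACEHOLDER>`, and refresh both together in the release process. Separately, the `/tmp` volume `emptyDir: {}` (new lines 35-36) carries no `sizeLimit`; the 2Gi `ephemeral-storage` limit will eventually catch runaway writes, but `emptyDir: {sizeLimit: 1Gi}` makes the bound explicit and local to the volume.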
    aws/k8s/secret-challenge-vault-ingress.yml
    1  -apiVersion: v1
    2  -kind: Service
    3  -metadata:
    4  - namespace: default
    5  - name: secret-challenge
    6  - labels:
    7  - app: secret-challenge
    8  -spec:
    9  - type: NodePort
    10  - ports:
    11  - - port: 80
    12  - targetPort: 8080
    13  - protocol: TCP
    14  - selector:
    15  - app: secret-challenge
    16  ----
    17 1  apiVersion: networking.k8s.io/v1
    18 2  kind: Ingress
    19 3  metadata:
    skipped 2 lines
    22 6   annotations:
    23 7   alb.ingress.kubernetes.io/scheme: internet-facing
    24 8   alb.ingress.kubernetes.io/target-type: instance
     9 + #uncomment and configure below if you want to use tls, don't forget to override the cookie to a secure value!
     10 + # alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:<region>:<account>:certificate/xxxxxx
     11 + # alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
     12 + # alb.ingress.kubernetes.io/actions.ssl-redirect: '443'
    25 13  spec:
    26 14   ingressClassName: alb
    27 15   rules:
    skipped 10 lines
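Review bot: The commented TLS template (new lines 9-12) appears to mix two annotation styles of the AWS Load Balancer Controller: the `actions.<name>` annotations take a JSON action definition and need a matching rule whose backend is `<name>` with port `use-annotation`, whereas a plain `'443'` value belongs to `alb.ingress.kubernetes.io/ssl-redirect` (available from controller v2.4). As written, uncommenting the block would likely be rejected or not redirect at all; if the cluster runs a v2.4+ controller I would change line 12 to `# alb.ingress.kubernetes.io/ssl-redirect: '443'`. The remark "override the cookie to a secure value" is also too vague to act on — name the setting it refers to (presumably the application's session-cookie Secure flag, which I cannot confirm from this file) so whoever enables TLS knows what to change.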
    aws/k8s/secret-challenge-vault-service.yml
     1 +apiVersion: v1
     2 +kind: Service
     3 +metadata:
     4 + namespace: default
     5 + name: secret-challenge
     6 + labels:
     7 + app: secret-challenge
     8 +spec:
     9 + type: NodePort
     10 + ports:
     11 + - port: 80
     12 + targetPort: 8080
     13 + protocol: TCP
     14 + selector:
     15 + app: secret-challenge
     16 + 
    aws/k8s-aws-alb-script.sh
    skipped 88 lines
    89 89   
    90 90  EKS_CLUSTER_VERSION=$(aws eks describe-cluster --name $CLUSTERNAME --region $AWS_REGION --query cluster.version --output text)
    91 91   
    92  -echo "apply -f k8s/secret-challenge-vault-ingress.yml in 10 s"
     92 +echo "apply -f k8s/secret-challenge-vault-service.yml in 10 s"
    93 93  sleep 10
     94 +kubectl apply -f k8s/secret-challenge-vault-service.yml
     95 +echo "apply -f k8s/secret-challenge-vault-ingress.yml in 1 s"
     96 +sleep 1
    94 97  kubectl apply -f k8s/secret-challenge-vault-ingress.yml
    95 98   
    96 99  echo "waiting 10 s for loadBalancer"
    skipped 5 lines
    aws/k8s-vault-aws-resume.sh
    1 1  #!/bin/bash
    2 2   
    3  -kubectl port-forward vault-0 8200:8200 &
     3 +kubectl port-forward vault-0 -n vault 8200:8200 &
    4 4  kubectl port-forward \
    5 5   $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
    6 6   8080:8080 \
    skipped 2 lines
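--- a/aws/k8s-vault-aws-start.sh
+++ b/aws/k8s-vault-aws-start.sh
@@ -12,6 +12,9 @@
 echo "This is a script to bootstrap the configuration. You need to have installed: helm, kubectl, jq, vault, grep, cat, sed, and awscli, and is only tested on mac, Debian and Ubuntu"
 echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube. Vault is awesome!"
 
+echo "Setting up workspace PSA to restricted for default"
+kubectl apply -f ../k8s/workspace-psa.yml
+
 kubectl get configmaps | grep 'secrets-file' &>/dev/null
 if [ $? == 0 ]; then
  echo "secrets config is already installed"
@@ -24,6 +27,15 @@
  echo "secrets secret is already installed"
 else
  kubectl apply -f ../k8s/secrets-secret.yml
+ kubectl apply -f ../k8s/challenge33.yml
+fi
+
+kubectl get sa ebs-csi-controller-sa -n kube-system | grep '1' &>/dev/null
+if [ $? == 0 ]; then
+ echo "EBS CSI driver is installed, skipping (1 secret found)"
+else
+ echo "Installing the EBS CSI Driver from https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md as AWS makes shit hard on us"
+ kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.12"
 fi
 
 source ../scripts/install-consul.sh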
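Review bot: The new EBS CSI check, `kubectl get sa ebs-csi-controller-sa -n kube-system | grep '1'`, does not test what its message claims: with the cluster default moved to 1.25 in aws/variables.tf in this commit, service accounts no longer get an auto-generated token secret, so the SECRETS column reads 0 and the match depends on a `1` happening to appear in the AGE column. Testing for the account's existence is what is meant here: `if kubectl get sa ebs-csi-controller-sa -n kube-system &>/dev/null; then`. The `kubectl apply -k "...?ref=release-1.12"` line fetches a mutable branch of a third-party repository at run time; pinning `ref=` to a tag or commit SHA makes the install reproducible and reviewable. Separately, `kubectl apply -f ../k8s/challenge33.yml` sits inside the `else` branch that only runs when `secrets-secret` is absent, so re-running against an existing cluster never creates the `challenge33` secret that the azure deployment template in this commit references via a non-optional `secretKeyRef` (the aws template is not in view but presumably matches); azure/k8s-vault-azure-start.sh has the same placement.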
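--- a/aws/main.tf
+++ b/aws/main.tf
@@ -1,13 +1,4 @@
-
 terraform {
- required_version = ">= 0.13.1, <= 2.0.0"
-
- required_providers {
- aws = ">= 3.22.0, <5.0.0"
- random = "~> 3.0"
- http = "~> 2.1"
- }
-
  # Set your region and bucket name (output from shared state) in the placeholder below
  # Then uncomment and apply!
  # backend "s3" {
@@ -16,7 +7,6 @@
  # key = "wrongsecrets/terraform.tfstate"
  # }
 }
-
 
 locals {
  vpc_cidr = "172.16.0.0/16"
@@ -47,7 +37,7 @@
 
 module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
- version = "~> 3.7.0"
+ version = "~> 4.0.1"
 
  name = "${var.cluster_name}-vpc"
  cidr = local.vpc_cidr
@@ -72,7 +62,7 @@
 
 module "eks" {
  source = "terraform-aws-modules/eks/aws"
- version = "18.20.5"
+ version = "19.13.1"
 
  cluster_name = var.cluster_name
  cluster_version = var.cluster_version
@@ -82,8 +72,9 @@
 
 
  cluster_endpoint_private_access = true
+ cluster_endpoint_public_access = true
 
- cluster_endpoint_public_access_cidrs = ["${data.http.ip.body}/32"]
+ cluster_endpoint_public_access_cidrs = ["${data.http.ip.response_body}/32"]
 
  enable_irsa = true
 
@@ -94,21 +85,23 @@
  disk_iops = 3000
  instance_types = ["t3a.large"]
 
- iam_role_additional_policies = [
- "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
- "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
- "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
- "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
- "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
- ]
+ iam_role_additional_policies = {
+ AmazonEKSWorkerNodePolicy : "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+ AmazonEKS_CNI_Policy : "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+ AmazonEC2ContainerRegistryReadOnly : "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+ AmazonSSMManagedInstanceCore : "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
+ AmazonEKSVPCResourceController : "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
+ AmazonEBSCSIDriverPolicy : "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+ }
  }
 
  eks_managed_node_groups = {
  bottlerocket_default = {
- create_launch_template = false
- launch_template_name = ""
-
- capacity_type = "SPOT"
+ use_custom_launch_template = false
+ min_size = 1
+ max_size = 3
+ desired_size = 1
+ capacity_type = "SPOT"
 
  ami_type = "BOTTLEROCKET_x86_64"
  platform = "bottlerocket"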
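Review bot: `AmazonEBSCSIDriverPolicy` is added to `iam_role_additional_policies`, which is the node role shared by every pod scheduled on the node group, while `enable_irsa = true` is already set a few lines above; binding that policy to an IRSA role for the `ebs-csi-controller-sa` service account keeps EBS volume permissions off workloads that do not need them. The companion install in aws/k8s-vault-aws-start.sh applies the upstream kustomization without an IRSA annotation, so the two changes would need to move together. `cluster_endpoint_public_access = true` paired with `cluster_endpoint_public_access_cidrs = ["${data.http.ip.response_body}/32"]` depends on the `data.http.ip` block, which is outside this hunk; wrapping it as `["${chomp(data.http.ip.response_body)}/32"]` guards against a trailing newline turning the allowlist entry into an invalid CIDR.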
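--- a/aws/outputs.tf
+++ b/aws/outputs.tf
@@ -18,3 +18,8 @@
  value = aws_secretsmanager_secret.secret.name
 }
 
+output "cluster_id" {
+ description = "The id of the cluster"
+ value = module.eks.cluster_id
+}
+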
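Review bot: `value = module.eks.cluster_id` is described as "The id of the cluster", but aws/main.tf in this same commit moves the module to 19.13.1, and in the v19 series of terraform-aws-eks the `cluster_id` output is documented as populated only for Outposts local clusters, with a separate `cluster_name` output added for the name. If consumers want the value that `kubectl`/`aws eks` commands take, `value = module.eks.cluster_name` with a matching description is likely the intended output; please confirm against the module's outputs for the pinned version.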
    aws/shared-state/README.md
     1 +# Terraform documentation
     2 +The documentation below is auto-generated to give insight on what's created via Terraform.
     3 + 
     4 +<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
     5 +## Requirements
     6 + 
     7 +| Name | Version |
     8 +|------|---------|
     9 +| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
     10 +| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
     11 + 
     12 +## Providers
     13 + 
     14 +| Name | Version |
     15 +|------|---------|
     16 +| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
     17 + 
     18 +## Modules
     19 + 
     20 +No modules.
     21 + 
     22 +## Resources
     23 + 
     24 +| Name | Type |
     25 +|------|------|
     26 +| [aws_s3_bucket.state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
     27 +| [aws_s3_bucket_server_side_encryption_configuration.encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
     28 + 
     29 +## Inputs
     30 + 
     31 +| Name | Description | Type | Default | Required |
     32 +|------|-------------|------|---------|:--------:|
     33 +| <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
     34 + 
     35 +## Outputs
     36 + 
     37 +| Name | Description |
     38 +|------|-------------|
     39 +| <a name="output_s3_bucket_name"></a> [s3\_bucket\_name](#output\_s3\_bucket\_name) | Name of the terraform state bucket |
     40 +<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
     41 + 
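--- a/aws/shared-state/main.tf
+++ b/aws/shared-state/main.tf
@@ -1,4 +1,5 @@
 terraform {
+ required_version = "~> 1.1"
  required_providers {
  aws = {
  version = "~> 4.0"
@@ -6,12 +7,6 @@
  }
 }
 
-variable "region" {
- description = "The AWS region to use"
- type = string
- default = "eu-west-1"
-}
-
 provider "aws" {
  region = var.region
 }
@@ -27,8 +22,3 @@
  }
 }
 
-output "s3_bucket_name" {
- description = "Name of the terraform state bucket"
- value = aws_s3_bucket.state.id
-}
-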
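--- a/aws/shared-state/outputs.tf
+++ b/aws/shared-state/outputs.tf
@@ -0,0 +1,5 @@
+output "s3_bucket_name" {
+ description = "Name of the terraform state bucket"
+ value = aws_s3_bucket.state.id
+}
+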
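--- a/aws/shared-state/variables.tf
+++ b/aws/shared-state/variables.tf
@@ -0,0 +1,6 @@
+variable "region" {
+ description = "The AWS region to use"
+ type = string
+ default = "eu-west-1"
+}
+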
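--- a/aws/terraform.tfvars
+++ b/aws/terraform.tfvars
@@ -1,3 +1,3 @@
-cluster_version = "1.22"
-region = "eu-west-1"
+# Edit this if you want a different region, e.g., us-east-1
+# region = "eu-west-1"
 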
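--- a/aws/variables.tf
+++ b/aws/variables.tf
@@ -7,7 +7,7 @@
 variable "cluster_version" {
  description = "The EKS cluster version to use"
  type = string
- default = "1.22"
+ default = "1.25"
 }
 
 variable "cluster_name" {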
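--- a/aws/versions.tf
+++ b/aws/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_version = "~> 1.1"
+
+ required_providers {
+ aws = {
+ version = "~> 4.65.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ http = {
+ version = "~> 3.3.0"
+ }
+ }
+}
+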
    azure/.terraform.lock.hcl
     1 +# This file is maintained automatically by "terraform init".
     2 +# Manual edits may be lost in future updates.
     3 + 
     4 +provider "registry.terraform.io/hashicorp/azurerm" {
     5 + version = "3.54.0"
     6 + constraints = "~> 3.54.0"
     7 + hashes = [
     8 + "h1:DVf2gGxq36IH2se0UDtvu1LgcWOn465XxttMR+TYSl0=",
     9 + "zh:0b5c5ffecc73c0f24f6c06c73883153affcb69a0a05376c4a34d71566be7c1e0",
     10 + "zh:0fb685212f914856c01b7182e2669b9b6d7a3cb77578e2d789baaab3e58fc63e",
     11 + "zh:3d938b865b36f4821a97e70dbbf8a22f498fb4e9848012c62e8ff2c1461d0760",
     12 + "zh:42d506add9bba2e96780c0b406f2d6020cf042ffae96faf96988a959766b3644",
     13 + "zh:433b105444462528f3b3e8619a2edbef6dbd5ce0c694f37ab86d91540c1e427a",
     14 + "zh:66c3cffd8b01413914703b1728d378e6d37d3b929e84c2a875ad125b828ce1d4",
     15 + "zh:7cb7187bfcca6f2d4e9d32544b2ca678b65c7c9f520b402d04301152be0c0aa3",
     16 + "zh:accf83e742d7edfe920b62523a190180257cd59180d0ec0435bf09b74a18e0ae",
     17 + "zh:c07b4d169931852007b2ba0ad6aaa24e10e9e3b17731080002ef927fb9912483",
     18 + "zh:e43d945e51228dfb0e1032590fb9409b2b89c40ec8a29cfd2efbd51c536a75a4",
     19 + "zh:ee248b8cf65fa9d3e8d3859cfcdc6940de5806bdc181b1a794085de162cceb7e",
     20 + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
     21 + ]
     22 +}
     23 + 
     24 +provider "registry.terraform.io/hashicorp/http" {
     25 + version = "3.3.0"
     26 + constraints = "~> 3.3.0"
     27 + hashes = [
     28 + "h1:O2VLKCxxAgaFRPnhRuz/VOsP5HzQdQm9YAi848kvImg=",
     29 + "zh:27d101f4c089d1e367bbbbb3f260fc7d52f63559a4424c08633e566863c951b2",
     30 + "zh:37860671324229f52a7d82eea88a31fe24321297fd699d879de5b6cf6aae086c",
     31 + "zh:4680716579e361298e4331ce0c92e38011fc41ed56bd55302c23b696b3b8c469",
     32 + "zh:547cd2a407ca0d22307634d83ffc64cd4225f221baa09682b7a8c5a2429c34d8",
     33 + "zh:61965698af75aad7482f2f593b75f15e4a4f6f0117b643c69f3da61f40b1a9c7",
     34 + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
     35 + "zh:93f9e0f2244816cbb72197c733ada4214df691e4e6a84b8e340e43e43ab8a383",
     36 + "zh:969aad70624d033c257c365cf75001d29fa7341b48d673cd7317205395b4791b",
     37 + "zh:e9504018b1af992c041bda1e4a6f01db1f1cdb1a7df8055d1082049befbc4217",
     38 + "zh:fa7f6af94e75c6fe21782c622ed387ae08ee3ffeaa0176f08d0b06bb61bb50f4",
     39 + "zh:feda1d7cdae86bce829f82223f625b55c858a36d3aca1a762d7258798a25b476",
     40 + "zh:ff1f3d8c53930aad2fde32d6328df7e7e5b5de36dd7c0682d15518993ab199ef",
     41 + ]
     42 +}
     43 + 
     44 +provider "registry.terraform.io/hashicorp/random" {
     45 + version = "3.5.1"
     46 + constraints = "~> 3.5.1"
     47 + hashes = [
     48 + "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=",
     49 + "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
     50 + "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
     51 + "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
     52 + "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
     53 + "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
     54 + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
     55 + "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
     56 + "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
     57 + "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
     58 + "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
     59 + "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
     60 + "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
     61 + ]
     62 +}
     63 + 
    azure/README.md
    skipped 6 lines
    7 7   
    8 8  Have the following tools installed:
    9 9   
    10  -- az CLI - [Installation](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
    11  -- Tfenv (Optional) - [Installation](https://github.com/tfutils/tfenv)
    12  -- Terraform CLI - [Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)
    13  -- Wget - [Installation](https://www.jcchouinard.com/wget/)
    14  -- Helm [Installation](https://helm.sh/docs/intro/install/)
    15  -- Kubectl [Installation](https://kubernetes.io/docs/tasks/tools/)
    16  -- jq [Installation](https://stedolan.github.io/jq/download/)
     10 +- az CLI - [Installation](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
     11 +- Tfenv (Optional) - [Installation](https://github.com/tfutils/tfenv)
     12 +- Terraform CLI - [Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)
     13 +- Wget - [Installation](https://www.jcchouinard.com/wget/)
     14 +- Helm [Installation](https://helm.sh/docs/intro/install/)
     15 +- Kubectl [Installation](https://kubernetes.io/docs/tasks/tools/)
     16 +- jq [Installation](https://stedolan.github.io/jq/download/)
    17 17   
    18 18  Make sure you have an active subscription at Azure for which you have configured the credentials on the system where you will execute the steps below.
     19 + 
     20 +Please note that this setup relies on bash scripts that have been tested in MacOS and Linux. We have no intention of supporting vanilla Windows at the moment.
    19 21   
    20 22  ## Installation
    21 23   
    skipped 23 lines
    45 47   
    46 48  **Note**: You'll need to follow the description below for the "existing resource group" i.e., use the `data.azurerm_resource_group.default` resource.
    47 49   
     50 + 
    48 51  ### WrongSecrets
    49 52   
    50 53  1. Set either a new resource group or use an existing resource group in `main.tf` (it defaults to the existing `OWASP-Projects` resource group). Note that you'll need to find/replace references to "data.azurerm_resource_group.default" to "arurerm_resource_group.default" if you want to create a new one.
    51  -2. check whether you have the right project by doing `az account show` (after `az login`). Want to set the project as your default? Use `az account set --subscription <.id here>`.
     54 +2. check whether you have the right project by doing `az account show` (after `az login`). Want to set the project as your default? Use `az account set --subscription <.id here>`.
    52 55  3. If not yet enabled, register the required services for the subscription, run:
    53 56   - `az provider register --namespace Microsoft.ContainerService`
    54 57   - `az provider register --namespace Microsoft.KeyVault`
    skipped 2 lines
    57 60  5. Run `terraform plan` to see what will be created (optional).
    58 61  6. Run `terraform apply`. Note: the apply will take 5 to 20 minutes depending on the speed of the Azure backplane.
    59 62  7. Run `./k8s-vault-azure-start.sh`. Your kubeconfig file will automatically be updated.
    60  -8. (Optional) To make the app available over a load balancer, run `kubectl apply -f ./k8s/lb.yml`, then look for the public IP using `kubectl describe service wrongsecrets-lb`. The app should be available on HTTP port 80 within a few minutes.
     63 +8. (Optional) To make the app available over a load balancer, run `kubectl apply -f ./k8s/lb.yml`, then look for the public IP using `kubectl describe service wrongsecrets-lb`. The app should be available on HTTP port 80 within a few minutes.
    61 64   
    62 65  Your AKS cluster should be visible in your resource group. Want a different region? You can modify `terraform.tfvars` or input it directly using the `region` variable in plan/apply.
    63 66   
    skipped 14 lines
    78 81  1. Kill the port forward.
    79 82  2. Run `terraform destroy` to clean up the infrastructure. Note that you may need to repeat the destroy to fully clean up.
    80 83  3. If you've used the shared state, `cd` to the `shared-state` folder and run `terraform destroy` there too.
    81  -4. Run `rm terraform.ts*` to remove local state files.
     84 +4. Run `rm terraform.tf*` to remove local state files.
    82 85   
    83 86  ### A few things to consider
    84 87   
    skipped 1 lines
    86 89  2. Can you easily obtain the AKS managed identity of the Node?
    87 90  3. Can you get the secrets in the Key vault? Which paths do you see?
    88 91   
     92 +## Terraform documentation
     93 +The documentation below is auto-generated to give insight on what's created via Terraform.
     94 + 
     95 +<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
     96 +## Requirements
     97 + 
     98 +| Name | Version |
     99 +|------|---------|
     100 +| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
     101 +| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.54.0 |
     102 +| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.3.0 |
     103 +| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.5.1 |
     104 + 
     105 +## Providers
     106 + 
     107 +| Name | Version |
     108 +|------|---------|
     109 +| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.54.0 |
     110 +| <a name="provider_http"></a> [http](#provider\_http) | 3.3.0 |
     111 +| <a name="provider_random"></a> [random](#provider\_random) | 3.5.1 |
     112 + 
     113 +## Modules
     114 + 
     115 +No modules.
     116 + 
     117 +## Resources
     118 + 
     119 +| Name | Type |
     120 +|------|------|
     121 +| [azurerm_key_vault.vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource |
     122 +| [azurerm_key_vault_access_policy.extra_identity_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
     123 +| [azurerm_key_vault_access_policy.identity_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
     124 +| [azurerm_key_vault_access_policy.user](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
     125 +| [azurerm_key_vault_secret.wrongsecret_1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
     126 +| [azurerm_key_vault_secret.wrongsecret_2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
     127 +| [azurerm_key_vault_secret.wrongsecret_3](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
     128 +| [azurerm_kubernetes_cluster.cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) | resource |
     129 +| [azurerm_resource_group.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
     130 +| [azurerm_role_assignment.aks_extra_identity_operator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
     131 +| [azurerm_role_assignment.aks_identity_operator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
     132 +| [azurerm_role_assignment.aks_vm_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
     133 +| [azurerm_user_assigned_identity.aks_extra_pod_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
     134 +| [azurerm_user_assigned_identity.aks_pod_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
     135 +| [random_integer.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) | resource |
     136 +| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
     137 +| [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
     138 +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
     139 +| [http_http.ip](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
     140 + 
     141 +## Inputs
     142 + 
     143 +| Name | Description | Type | Default | Required |
     144 +|------|-------------|------|---------|:--------:|
     145 +| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The AKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
     146 +| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The AKS cluster version to use | `string` | `"1.25"` | no |
     147 +| <a name="input_region"></a> [region](#input\_region) | The Azure region to use | `string` | `"East US"` | no |
     148 + 
     149 +## Outputs
     150 + 
     151 +| Name | Description |
     152 +|------|-------------|
     153 +| <a name="output_aad_extra_pod_identity_client_id"></a> [aad\_extra\_pod\_identity\_client\_id](#output\_aad\_extra\_pod\_identity\_client\_id) | Client ID for the Managed Identity for AAD Pod Identity |
     154 +| <a name="output_aad_extra_pod_identity_resource_id"></a> [aad\_extra\_pod\_identity\_resource\_id](#output\_aad\_extra\_pod\_identity\_resource\_id) | Resource ID for the Managed Identity for AAD Pod Identity |
     155 +| <a name="output_aad_pod_identity_client_id"></a> [aad\_pod\_identity\_client\_id](#output\_aad\_pod\_identity\_client\_id) | Client ID for the Managed Identity for AAD Pod Identity |
     156 +| <a name="output_aad_pod_identity_resource_id"></a> [aad\_pod\_identity\_resource\_id](#output\_aad\_pod\_identity\_resource\_id) | Resource ID for the Managed Identity for AAD Pod Identity |
     157 +| <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | AKS Cluster name |
     158 +| <a name="output_key_vault_url"></a> [key\_vault\_url](#output\_key\_vault\_url) | Azure KeyVault URI for the Demo Container |
     159 +| <a name="output_resource_group"></a> [resource\_group](#output\_resource\_group) | Resource group name |
     160 +| <a name="output_tenant_id"></a> [tenant\_id](#output\_tenant\_id) | Azure tenant ID |
     161 +| <a name="output_vault_name"></a> [vault\_name](#output\_vault\_name) | Vault name |
     162 +| <a name="output_vault_uri"></a> [vault\_uri](#output\_vault\_uri) | Vault URI |
     163 +<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
     164 + 
    azure/k8s/pod-id.yml.tpl
    skipped 30 lines
    31 31  spec:
    32 32   azureIdentity: separate-workload-pod-id
    33 33   selector: separate-workload-pod-id
     34 + 
    azure/k8s/secret-challenge-vault-deployment.yml.tpl
    skipped 25 lines
    26 26   aadpodidbinding: wrongsecrets-pod-id
    27 27   name: secret-challenge
    28 28   spec:
     29 + securityContext:
     30 + runAsUser: 2000
     31 + runAsGroup: 2000
     32 + fsGroup: 2000
    29 33   serviceAccountName: vault
    30 34   volumes:
     35 + - name: 'ephemeral'
     36 + emptyDir: {}
    31 37   - name: secrets-store-inline
    32 38   csi:
    33 39   driver: secrets-store.csi.k8s.io
    skipped 1 lines
    35 41   volumeAttributes:
    36 42   secretProviderClass: "azure-wrongsecrets-vault"
    37 43   containers:
    38  - - image: jeroenwillemsen/wrongsecrets:1.5.2-k8s-vault
     44 + - image: jeroenwillemsen/wrongsecrets:1.6.4-k8s-vault
    39 45   imagePullPolicy: IfNotPresent
     46 + name: secret-challenge
     47 + securityContext:
     48 + allowPrivilegeEscalation: false
     49 + readOnlyRootFilesystem: true
     50 + runAsNonRoot: true
     51 + capabilities:
     52 + drop:
     53 + - ALL
     54 + seccompProfile:
     55 + type: RuntimeDefault
    40 56   ports:
    41 57   - containerPort: 8080
    42 58   protocol: TCP
    43  - name: secret-challenge
    44  - resources: {}
     59 + readinessProbe:
     60 + httpGet:
     61 + path: '/actuator/health/readiness'
     62 + port: 8080
     63 + initialDelaySeconds: 30
     64 + timeoutSeconds: 5
     65 + periodSeconds: 5
     66 + failureThreshold: 8
     67 + livenessProbe:
     68 + httpGet:
     69 + path: '/actuator/health/liveness'
     70 + port: 8080
     71 + initialDelaySeconds: 35
     72 + timeoutSeconds: 30
     73 + periodSeconds: 40
     74 + failureThreshold: 5
     75 + resources:
     76 + requests:
     77 + memory: '256Mi'
     78 + cpu: '200m'
     79 + ephemeral-storage: '1Gi'
     80 + limits:
     81 + memory: '512Mi'
     82 + cpu: '1200m'
     83 + ephemeral-storage: '2Gi'
    45 84   terminationMessagePath: /dev/termination-log
    46 85   terminationMessagePolicy: File
    47 86   env:
    48 87   - name: K8S_ENV
    49 88   value: azure
    50  - - name: azure_keyvault_enabled
     89 + - name: SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCEENABLED
    51 90   value: "true"
    52  - - name: azure_keyvault_uri
     91 + - name: SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCES_0_NAME
     92 + value: wrongsecret-3
     93 + - name: SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCES_0_ENDPOINT
    53 94   value: ${AZ_VAULT_URI}
     95 + - name: SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCES_0_CREDENTIAL_CLIENTID
     96 + value: ${AZ_POD_CLIENT_ID}
     97 + - name: SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCES_0_CREDENTIAL_MANAGEDIDENTITYENABLED
     98 + value: "true"
    54 99   - name: SPECIAL_K8S_SECRET
    55 100   valueFrom:
    56 101   configMapKeyRef:
    skipped 4 lines
    61 106   secretKeyRef:
    62 107   name: funnystuff
    63 108   key: funnier
    64  - - name: VAULT_ADDR
    65  - value: "http://vault:8200"
     109 + - name: CHALLENGE33
     110 + valueFrom:
     111 + secretKeyRef:
     112 + name: challenge33
     113 + key: answer
     114 + - name: SPRING_CLOUD_VAULT_URI
     115 + value: "http://vault.vault.svc.cluster.local:8200"
    66 116   - name: JWT_PATH
    67 117   value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
    68 118   volumeMounts:
    69 119   - name: secrets-store-inline
    70 120   mountPath: "/mnt/secrets-store"
    71 121   readOnly: true
     122 + - name: 'ephemeral'
     123 + mountPath: '/tmp'
    72 124   dnsPolicy: ClusterFirst
    73 125   restartPolicy: Always
    74 126   schedulerName: default-scheduler
    75  - securityContext: {}
    76 127   terminationGracePeriodSeconds: 30
    77 128   
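Review bot: The new Key Vault wiring (`SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCES_0_CREDENTIAL_CLIENTID: ${AZ_POD_CLIENT_ID}` and `..._CREDENTIAL_MANAGEDIDENTITYENABLED: "true"`) still obtains its identity through the `aadpodidbinding: wrongsecrets-pod-id` label just above the hunk, yet azure/k8s-vault-azure-start.sh in this commit annotates the aad-pod-identity install as no longer working with the restricted default namespace; if that comment is accurate, the pod will pass its probes but the Key Vault property source will fail to authenticate at runtime. A comment on the `SPRING_CLOUD_AZURE_KEYVAULT_*` block such as `# identity is supplied by aad-pod-identity (aadpodidbinding label); to be migrated to workload identity` would make that dependency visible to whoever picks up the migration. The hardening added here (pod and container `securityContext`, non-root UID, read-only root with `/tmp` on an emptyDir, all capabilities dropped, `RuntimeDefault` seccomp) lines up with what the restricted Pod Security profile requires.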
    azure/k8s/workspace-psa.yml
     1 +apiVersion: v1
     2 +kind: Namespace
     3 +metadata:
     4 + name: default
     5 + labels:
     6 + pod-security.kubernetes.io/audit: restricted
     7 + kubernetes.io/metadata.name: default
     8 + 
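Review bot: The namespace only carries `pod-security.kubernetes.io/audit: restricted`, which records violations in the audit log and blocks nothing, while both start scripts in this commit announce "Setting up workspace PSA to restricted for default" and azure/k8s-vault-azure-start.sh attributes a broken chart install to the namespace being restricted. Either the scripts' wording overstates what this manifest does, or the intent was to add `pod-security.kubernetes.io/enforce: restricted` (and `pod-security.kubernetes.io/warn: restricted`, so violations are reported on `kubectl apply` rather than only in audit events). Note that enforcing would reject the aad-pod-identity components the azure script still installs into `default`, so the label set and that install need to be decided together.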
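--- a/azure/k8s-vault-azure-resume.sh
+++ b/azure/k8s-vault-azure-resume.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-kubectl port-forward vault-0 8200:8200 &
+kubectl port-forward vault-0 -n vault 8200:8200 &
 kubectl port-forward \
  $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
  8080:8080 \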
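--- a/azure/k8s-vault-azure-start.sh
+++ b/azure/k8s-vault-azure-start.sh
@@ -34,6 +34,9 @@
 # Set the kubeconfig
 az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME
 
+echo "Setting up workspace PSA to restricted for default"
+kubectl apply -f k8s/workspace-psa.yml
+
 kubectl get configmaps | grep 'secrets-file' &>/dev/null
 if [ $? == 0 ]; then
  echo "secrets config is already installed"
@@ -46,6 +49,7 @@
  echo "secrets secret is already installed"
 else
  kubectl apply -f ../k8s/secrets-secret.yml
+ kubectl apply -f ../k8s/challenge33.yml
 fi
 
 source ../scripts/install-consul.sh
@@ -53,16 +57,17 @@
 source ../scripts/install-vault.sh
 
 echo "Add secrets manager driver to repo"
-helm repo add csi-secrets-store-provider-azure https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts
+helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-store-csi-driver-provider-azure/charts
 
 helm list --namespace kube-system | grep 'csi-secrets-store' &>/dev/null
 if [ $? == 0 ]; then
  echo "CSI driver is already installed"
 else
  echo "Installing CSI driver"
- helm install -n kube-system csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure
+ helm install csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --namespace kube-system
 fi
 
+#TO BE REPLACED WITH https://azure.github.io/azure-workload-identity/docs/installation.html
 echo "Add Azure pod identity to repo"
 helm repo add aad-pod-identity https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts
 
@@ -70,8 +75,10 @@
 if [ $? == 0 ]; then
  echo "Azure pod identity chart already installed"
 else
- helm install aad-pod-identity aad-pod-identity/aad-pod-identity
+ helm upgrade --install aad-pod-identity aad-pod-identity/aad-pod-identity #NO LONGER WORKS BECAUSE OF OUR CONFIUGRATION (RESTRICTED IN DEFAULT)
 fi
+
+#END TO BE REPLACED WITH https://azure.github.io/azure-workload-identity/docs/installation.html
 
 echo "Generate secret manager challenge secret 2"
 az keyvault secret set --name wrongsecret-2 --vault-name "${AZ_KEY_VAULT_NAME}" --value "$(openssl rand -base64 16)" >/dev/null
@@ -92,6 +99,8 @@
 
 while [[ $(kubectl --namespace=default get pods -l "app.kubernetes.io/component=mic" -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True" ]]; do echo "waiting for component=mic" && sleep 2; done
 while [[ $(kubectl --namespace=default get pods -l "app.kubernetes.io/component=nmi" -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for component=nmi" && sleep 2; done
+
+
 
 source ../scripts/apply-and-portforward.sh
 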
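Review bot: The `helm upgrade --install aad-pod-identity ...` line carries a comment saying it no longer works with the restricted default namespace, yet the script then enters the two unbounded `while` loops that wait for the `mic` and `nmi` pods in `default` to become Ready; if the comment is right, every run hangs there with no exit. Give those loops a bounded retry count that exits with a clear message, or drop the pod-identity install now if the workload-identity replacement named in the `#TO BE REPLACED` comments is ready. Since azure/k8s/workspace-psa.yml in this commit only labels the namespace with `audit: restricted`, the chart may in practice still deploy, in which case the comment is misleading and should say the restricted profile will reject these components once it is enforced (also fix the `CONFIUGRATION` typo while there).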
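--- a/azure/main.tf
+++ b/azure/main.tf
@@ -1,12 +1,4 @@
 terraform {
- required_version = ">= 0.14.0"
-
- required_providers {
- random = "~> 3.0"
- azurerm = "~> 3.9"
- http = "~> 2.1"
- }
-
  # For shared state:
  # Set the resource group in the backend configuration below, then uncomment and apply!
  # Note that you probably already create a resource group. Don't forget to set that correctly in this file.
@@ -17,8 +9,6 @@
  # key = "terraform.tfstate"
  # }
 }
-
-provider "http" {}
 
 data "http" "ip" {
  url = "http://ipecho.net/plain"
@@ -53,7 +43,9 @@
 
  kubernetes_version = var.cluster_version
 
- api_server_authorized_ip_ranges = ["${data.http.ip.body}/32"]
+ api_server_access_profile {
+ authorized_ip_ranges = ["${data.http.ip.response_body}/32"]
+ }
 
  network_profile {
  network_plugin = "azure"
@@ -62,7 +54,7 @@
  default_node_pool {
  name = "default"
  node_count = 1
- vm_size = "Standard_A2_v2"
+ vm_size = "Standard_A2m_v2"
  }
 
  identity {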
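Review bot: The new `api_server_access_profile` block still derives the Kubernetes API-server allow-list from `data.http.ip`, whose `url` (a context line earlier in this file) is plain `http://ipecho.net/plain`, so whatever that unauthenticated, unencrypted response contains becomes the only range allowed to reach the control plane and a tampered response silently changes who that is. Prefer an https endpoint for the lookup if the service offers one, and harden the new line against stray whitespace in the body, `authorized_ip_ranges = ["${trimspace(data.http.ip.response_body)}/32"]`. A `precondition` on the resource such as `can(cidrhost("${trimspace(data.http.ip.response_body)}/32", 0))` would turn a non-address reply into a plan error instead of an unexpected allow-list. The enclosing cluster resource starts outside this hunk.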
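--- a/azure/providers.tf
+++ b/azure/providers.tf
@@ -0,0 +1,2 @@
+provider "http" {}
+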
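--- a/azure/secrets.tf
+++ b/azure/secrets.tf
@@ -11,7 +11,7 @@
  length = 5
  special = false
  upper = false
- number = true
+ numeric = true
 }
 
 resource "azurerm_key_vault" "vault" {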
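--- a/azure/shared-state/README.md
+++ b/azure/shared-state/README.md
@@ -0,0 +1,46 @@
+# Terraform documentation
+The documentation below is auto-generated to give insight on what's created via Terraform.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | ~> 3.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_resource_group.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_storage_account.account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource |
+| [azurerm_storage_container.blob](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
+| [random_integer.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) | resource |
+| [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_region"></a> [region](#input\_region) | The Azure region to use | `string` | `"East US"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_storage_account_name"></a> [storage\_account\_name](#output\_storage\_account\_name) | The generated storage account name |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+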
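--- a/azure/shared-state/main.tf
+++ b/azure/shared-state/main.tf
@@ -1,17 +1,15 @@
 terraform {
+ required_version = "~> 1.1"
  required_providers {
- azurerm = "~> 3.0"
- random = "~> 3.0"
+ azurerm = {
+ version = "~> 3.0"
+ }
+ random = {
+ version = "~> 3.0"
+ }
  }
 }
 
-variable "region" {
- description = "The Azure region to use"
- type = string
- default = "East US"
-}
-
-
 provider "azurerm" {
  features {}
  skip_provider_registration = true
@@ -39,7 +37,7 @@
  length = 5
  special = false
  upper = false
- number = true
+ numeric = true
 }
 
 
@@ -59,8 +57,3 @@
  container_access_type = "private"
 }
 
-output "storage_account_name" {
- description = "The generated storage account name"
- value = azurerm_storage_account.account.name
-}
-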
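--- a/azure/shared-state/outputs.tf
+++ b/azure/shared-state/outputs.tf
@@ -0,0 +1,5 @@
+output "storage_account_name" {
+ description = "The generated storage account name"
+ value = azurerm_storage_account.account.name
+}
+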
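--- a/azure/shared-state/variables.tf
+++ b/azure/shared-state/variables.tf
@@ -0,0 +1,6 @@
+variable "region" {
+ description = "The Azure region to use"
+ type = string
+ default = "East US"
+}
+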
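--- a/azure/variables.tf
+++ b/azure/variables.tf
@@ -7,7 +7,7 @@
 variable "cluster_version" {
  description = "The AKS cluster version to use"
  type = string
- default = "1.22.6"
+ default = "1.25"
 }
 
 variable "cluster_name" {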
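--- a/azure/versions.tf
+++ b/azure/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_version = "~> 1.1"
+
+ required_providers {
+ random = {
+ version = "~> 3.5.1"
+ }
+ azurerm = {
+ version = "~> 3.54.0"
+ }
+ http = {
+ version = "~> 3.3.0"
+ }
+ }
+}
+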
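Review bot: `required_providers` in azure/versions.tf declares `random`, `azurerm` and `http` by version only, with no `source`, so Terraform silently resolves them to the `hashicorp/` namespace; the rebuilt block in azure/shared-state/main.tf has the same shape. Stating the origin explicitly, e.g. `azurerm = { source = "hashicorp/azurerm", version = "~> 3.54.0" }`, removes that implicit resolution and matches how the gcp directory's `.terraform.lock.hcl` records its providers. If the azure directories have no committed lock file (none is visible among the files shown here), adding one would also pin provider checksums so `terraform init` verifies the same artifacts on every run.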
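--- a/commitlint.config.js
+++ b/commitlint.config.js
@@ -0,0 +1,7 @@
+// commitlint.config.js
+module.exports = {
+ extends: [
+ '@commitlint/config-conventional' // scoped packages are not prefixed
+ ]
+}
+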
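--- a/config/.lycheeignore
+++ b/config/.lycheeignore
@@ -3,5 +3,14 @@
 
 # This is used as an example when creating a pull request
 https://github.com/Your_Github_Handle.*
-https://wrongsecrets-ctf.herokuapp.com/api/Challenges
+# Heroku is not guaranteed to be up
+https://wrongsecrets-ctf.herokuapp.com/
+https://wrongsecrets.herokuapp.com
+# Okteto is not guaranteed to be up
+https://wrongsecrets-commjoen.cloud.okteto.net/
+https://wrongsecrets-ctf-commjoen.cloud.okteto.net/
+https://wrongsecrets.fly.dev/
+https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d
+# Twitter its API does not like us
+https://twitter.com/intent/tweet?*
 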
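--- a/config/checkstyle/checkstyle.xml
+++ b/config/checkstyle/checkstyle.xml
@@ -242,6 +242,7 @@
  value="Method name ''{0}'' must match pattern ''{1}''."/>
  </module>
  <module name="SingleLineJavadoc">
+ <property name="ignoredTags" value="@inheritDoc, @see"/>
  <property name="ignoreInlineTags" value="false"/>
  </module>
  <module name="EmptyCatchBlock">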
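--- a/config/checkstyle/suppressions.xml
+++ b/config/checkstyle/suppressions.xml
@@ -4,3 +4,4 @@
  "https://checkstyle.org/dtds/suppressions_1_2.dtd">
 <suppressions>
 </suppressions>
+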
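--- a/config/zap/rule-config.tsv
+++ b/config/zap/rule-config.tsv
@@ -0,0 +1,13 @@
+10027 IGNORE (Information Disclosure - Suspicious Comments)
+10031 IGNORE (Informational User Controllable HTML Element Attribute (Potential XSS))
+10049 IGNORE (Non-Storable Content)
+10054 IGNORE (Cookie without SameSite Attribute)
+10055 IGNORE (CSP: Wildcard Directive)
+10055 IGNORE (CSP: script-src unsafe-inline)
+10055 IGNORE (CSP: style-src unsafe-inline)
+10063 IGNORE (Permissions Policy Header Not Set)
+10109 IGNORE (Modern Web Application)
+10110 IGNORE (Dangerous JS Functions)
+90033 IGNORE (Loosely Scoped Cookie)
+10096 IGNORE (Timestamp Disclosure - Unix)
+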
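Review bot: Every rule in the new file is `IGNORE`, including findings that are real hardening gaps for a web application — 10054 (cookie without SameSite), 10055 (CSP unsafe-inline), 90033 (loosely scoped cookie), 10063 (Permissions-Policy) and 10110 (dangerous JS functions) — so they will no longer appear in any scan output. `WARN` keeps such a finding in the report without failing the scan, e.g. the tab-separated line `10054	WARN	(Cookie without SameSite Attribute)`, and a `#` comment line above each entry stating why it is accepted for this project would keep the list reviewable later. The three 10055 lines are keyed by the same plugin id, so a single entry covers them, and 10096 breaks the otherwise numeric ordering of the file.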
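--- a/ctf-instructions.md
+++ b/ctf-instructions.md
@@ -1,17 +1,30 @@
 # CTF Instructions
 
 So you want to play a CTF with WrongSecrets? This is the place to read up all about it.
-Our CTF setup makes use of the [Juice Shop CTF CLI extension](https://github.com/juice-shop/juice-shop-ctf), which you
-can read all about at [here](https://pwning.owasp-juice.shop/part1/ctf.html).
+Our CTF setup makes use of the [Juice Shop CTF CLI extension](https://github.com/juice-shop/juice-shop-ctf), which you can read all about at [here](https://pwning.owasp-juice.shop/part1/ctf.html).
+
+The difference between Juiceshop and WrongSecrets, is that WrongSecrets is more of a secrets-hunter game.
+This means that your contestants will try to find the CTF key soon after a few challenges.
+That is why we should separate out the actual container for which the CTF scores are generated, from the container where the challenges live in. We call this the 3-domain setup where you now have 3 environments:
+
+- the play-environment: here players can just play with WrongSecrets: this can be something you host online, or just a Docker container they start up locally.
+- the CTF-scoring-environment: this is the intermediary domain where people exchange answers found in the 'play-environment' for actual flags for the CTF-platform.
+- your CTF-platform: this can be a platform like CTFD or FBCTF.
+
+You can see this practice already here in our repository: Our standard [Dockerfile](/Dockerfile) does not contain any CTF entries, our Heroku [Dockerfile.web](/Dockerfile.web) does contain them.
+So make sure you host your actual scoring Dockerfile.web at a place where your contestants cannot enter the container (image) in order to extract the CTF key.
+
+## Want to get rid of the additional domain?
+
+Want to make sure you don't need to bug your users to copy paste values twice to get points? Here we describe the "2-domain setup". With the 2-domain setup you need to do a manual crafted approach instead of the HMAC based approach for platforms like CTFD. That way, you do not need the 'CTF-scoring-environment' to exchange answers for flags, for this you:
+- Follow the steps described at [instructions in the readme](https://github.com/OWASP/wrongsecrets#ctfd-support).
+- Then unzip the created zip file and update all the flags in flags.jsson with the actual values of the answers for your CTF.
+- Zip the json files again.
+- Upload your own crafted zipfile with the actual answers, instead of HMACs to CTFD.
 
-The difference between Juiceshop and WrongSecrets, is that WrongSecrets is more of a secrets-hunter game. Thiss means
-that your contestants will try to find the CTF key soon after a few challenges. That is why we should separate out the
-actual container for which the CTF scores are generated, from the container where the challenges live in.
+Now users can directly use your Wrongsecrets setup together with the CTF-platform to play challenges without having to copy answers and flags twice!
 
-You can see this practice already here in our repository: Our standard [Dockerfile](/Dockerfile) does not contain any
-CTF entries, our Heroku [Dockerfile.web](/Dockerfile.web) does contain them.
-So make sure you host your actual scoring Dockerfile.web at a place where your contestants cannot enter the container (
-image) in order to extract the CTF key.
+Note: make sure that you do set `CTF_SERVER_ADDRESS` to point to the address where you are running your CTF-platform (E.g. CTFD/Facebook CTF) and that you set `challenge_acht_ctf_to_provide_to_host_value` and `challenge_thirty_ctf_to_provide_to_host_value` to the flag you store in your CTF-platform.
 
 ## Setting up CTFs
 
@@ -19,21 +32,38 @@
 
 ### Docker or Heroku CTF
 
-When doing a Docker or Heroku based CTF, you can follow
-the [instructions in the readme](https://github.com/commjoen/wrongsecrets#ctfd-support).
-If you want to use your own CTF key, you can build a container with the following
-arguments `CTF_ENABLED=true,HINTS_ENABLED=false,CTF_KEY=<YOURNEWKEYHERE>`. Just make sure you provide the same key
+When doing a Docker or Heroku based CTF, you can follow the [instructions in the readme](https://github.com/OWASP/wrongsecrets#ctfd-support).
+If you want to use your own CTF key, you can build a container with the following arguments `CTF_ENABLED=true,HINTS_ENABLED=false,CTF_KEY=<YOURNEWKEYHERE>`. Just make sure you provide the same key
 to `juice-shop-ctf` when you run it.
+Host the Docker container somewhere, where your users can not access the container variables directly, so they cannot extract the CTF key that easily.
+Want to make it a little more exciting? Create your own custom Docker image for both the 'play-environment' and the 'CTF-scoring-environment', where you override certain values (e.g. the ARG, the docker ENV, etc.) with your preferred values, so that copying from any existing online solution no longer works!
+There are a few env-vars that you need to pay attention to when setting this up:
+- `CTF_SERVER_ADDRESS` in the 'play-environment' to be set to the URL of the 'CTF-scoring-environment' (e.g. your instance of wrongsecrets-ctf.herokuapp.com), and in the 2-domain approach that would be your CTF-platform. Note that in the domain where your users exchange answers for flags for your CTF-platform, you can set it to the URL where your CTF-platform lives.
+- `challenge_acht_ctf_to_provide_to_host_value` and `challenge_thirty_ctf_to_provide_to_host_value` need to be set to a sufficiently long value at the 'play-environment' where your players interact with WrongSecrets to hack around. The value of this entry is returned to the players when they have found the randomly generated value in the logs. If you have the 2-domain approach: make sure that this value is actually the flag-entry for challenge 8 in your CTF-platform, if you have the normal setup, make sure that your 'CTF-scoring-environment' where people provide answers in exchange for flags has the same value stored under `challenge_acht_ctf_host_value`.
+- `challenge_acht_ctf_host_value` needs to be set in your 'ctf scoring environment' where players exchange answers for CTF flags to the same value as `challenge_acht_ctf_to_provide_to_host_value` in the environment players play around. Note that this value is not required in a 2-domain approach.
 
-Want to make it a little more exciting? Override the Dockerfile with your preferred values, so that copying from online
-hosted solutions no longer works!
+### K8s based CTF
 
-### K8s based CTF
+If you are interested in setting up a Kubernetes based CTF, you might want to look at [WrongSecrets CTF party](https://github.com/OWASP/wrongsecrets-ctf-party) instead. Still want to take a different approach than using that? Please read the rest of the paragraph.
+
+When you want to enable the Kubernetes challenges in your CTF-environment, make sure your 'play-environment' is actually running in a Kubernetes environment where the K8ss Configmap, K8s secret, and optionally the Vault setup, are configured correctly. See [our k8s folder](/k8s/) as an example, or have a look at our [Okteto](/okteto/) setup for just having the K8s & Configmap challenges supported.
+When you take the 2-domain approach, make sure that the decoded K8S Secret entry and the Configmap value are stored correctly in the CTF-platform. If you take the standard HMAC approach instead, make sure that your CTF-scoring-environment has the following environment variables set:
 
-TODO as #https://github.com/commjoen/wrongsecrets/issues/372
+- `SPECIAL_K8S_SECRET` which should be set to the value stored in your K8S Configmap
+- `SPECIAL_SPECIAL_K8S_SECRET` which should be set to the value of your K8S Secret.
+- `vaultPassword` (optionally when having vault setup for your players) which should be set to the value stored inside Vault for challenge 7.
 
 ### Cloud based CTF
 
-TODO as #https://github.com/commjoen/wrongsecrets/issues/372
+If you are interested in setting up a Cloud-based CTF in AWS, you might want to look at [WrongSecrets CTF party](https://github.com/OWASP/wrongsecrets-ctf-party) instead. Still want to take a different approach than using that? Please read the rest of the paragraph.
 
+When you take the 2-domain approach, make sure that the decoded K8S Secret entry and the Configmap value are stored correctly in the CTF-platform, next: make sure that the values used for Challenge 9,10 & 11 are stored there correctly as well.
+
+Note: if you want to support challenge 11 at your CTF: make sure players don't share the same cloud-account together, or make sure that the privilege escalation path can only be done to the given account described in the challenge code and not to a role/user with more administrative access, as this would allow your players to wreak havoc to your CTF setup. We rather recommend disabling challenge 11 in your CTF setups.
+
+If you take the 3 domain setup, make sure the following values are configured in your CTF-scoring-environment:
+
+- `default_aws_value_challenge_9` set to the value of the secret generated for challenge 9. Don't be fooled by the name, as this will work for AWS/GCP/Azure.
+- `default_aws_value_challenge_10` set to the value of the secret generated for challenge 10. Don't be fooled by the name, as this will work for AWS/GCP/Azure.
+- `default_aws_value_challenge_11` (Optionally, when you have separated cloud accounts or took care of permissiosn boundaries) set to the value of the secret generated for challenge 11. Don't be fooled by the name, as this will work for AWS/GCP/Azure.
 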
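--- a/cypress/README.md
+++ b/cypress/README.md
@@ -0,0 +1,32 @@
+# Cypress UI Tests
+
+This project uses [Cypress](https://www.cypress.io/) to run UI tests for the project.
+
+## How to run the tests
+
+- Clone this repository and navigate to the project folder.
+- Run `npm install` to install the dependencies.
+- Run `npm run test:open` to launch the Cypress Test Runner.
+
+## How to interact with elements
+
+- To select an element in the UI, add a `data-cy` attribute to the HTML element and give it a unique value.
+- To interact with the element in the test, use the `cy.dataCy()` command and pass the value of the `data-cy` attribute as an argument. For example:
+
+```javascript
+// HTML element
+<h1 th:attr="data-cy='spoiler-title'">Spoiling secret</h1>
+
+// Cypress test
+cy.dataCy("spoiler-title").click();
+```
+
+## How the tests work
+- The tests are located in the cypress/e2e folder.
+- The tests loop through all the enabled challenges and check if they meet the expected criteria.
+
+## When to create new tests
+- A new UI test(s) only needs creating when the UI changes, not with each PR.
+- If a new challenge is added or an existing challenge is modified no changes are needed.
+- If a new UI element is added or an existing element is changed, update the data-cy attributes and the tests accordingly.
+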
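--- a/cypress/e2e/challenges.cy.js
+++ b/cypress/e2e/challenges.cy.js
@@ -0,0 +1,92 @@
+import ChallengesPage from '../pages/challengesPage'
+const challengesPage = new ChallengesPage()
+
+describe('Challenge Tests', () => {
+ beforeEach(() => {
+ cy.getEnabledChallenges()
+ cy.getDisabledChallenges()
+ })
+
+ it('Check all enabled challenges display correctly', () => {
+ cy.get('@enabledChallengeIds').then((enabledChallengeIds) => {
+ cy.wrap(enabledChallengeIds).each((challengeNum) => {
+ cy.visit('/')
+ challengesPage.selectChallenge(challengeNum)
+ challengesPage.assertEnabledChallengePage(challengeNum)
+ })
+ })
+ })
+
+ it('Check all disabled challenges display correctly', () => {
+ cy.get('@disabledChallengeIds').then((disabledChallengeIds) => {
+ cy.wrap(disabledChallengeIds).each((challengeNum) => {
+ cy.visit(`/challenge/${challengeNum}`)
+ challengesPage.assertDisabledChallengePage(challengeNum)
+ })
+ })
+ })
+
+ it('Check all hints display correctly', () => {
+ cy.get('@enabledChallengeIds').then((enabledChallengeIds) => {
+ cy.wrap(enabledChallengeIds).each((challengeNum) => {
+ cy.visit(`/challenge/${challengeNum}`)
+ cy.dataCy(ChallengesPage.SHOW_HINTS_BTN).click()
+ cy.dataCy(ChallengesPage.HINT_PARAGRAPH).should('be.visible')
+ })
+ })
+ })
+
+ it('Check whats wrong section display correctly', () => {
+ cy.get('@enabledChallengeIds').then((enabledChallengeIds) => {
+ cy.wrap(enabledChallengeIds).each((challengeNum) => {
+ cy.visit(`/challenge/${challengeNum}`)
+ cy.dataCy(ChallengesPage.WHATS_WRONG_BTN).click()
+ cy.dataCy(ChallengesPage.WHATS_WRONG_PARAGRAPH).should('be.visible')
+ })
+ })
+ })
+
+ it('Check reset button clears page', () => {
+ cy.get('@enabledChallengeIds').then((enabledChallengeIds) => {
+ cy.wrap(enabledChallengeIds).each((challengeNum) => {
+ cy.visit(`/challenge/${challengeNum}`)
+ cy.dataCy(ChallengesPage.WHATS_WRONG_BTN).click()
+ cy.dataCy(ChallengesPage.SHOW_HINTS_BTN).click()
+ cy.dataCy(ChallengesPage.RESET_BTN).click()
+ cy.dataCy(ChallengesPage.WHATS_WRONG_PARAGRAPH).should('not.be.visible')
+ cy.dataCy(ChallengesPage.HINT_PARAGRAPH).should('not.be.visible')
+ })
+ })
+ })
+
+ it('Clear button clears answer box', () => {
+ cy.get('@enabledChallengeIds').then((enabledChallengeIds) => {
+ cy.wrap(enabledChallengeIds).each((challengeNum) => {
+ cy.visit(`/challenge/${challengeNum}`)
+ cy.dataCy(ChallengesPage.ANSWER_TEXTBOX).type('Tst')
+ cy.dataCy(ChallengesPage.CLEAR_TEXTBOX_BTN).click()
+ cy.dataCy(ChallengesPage.ANSWER_TEXTBOX).should('be.empty')
+ })
+ })
+ })
+
+ it('Submitting wrong answer gives warning', () => {
+ cy.get('@enabledChallengeIds').then((enabledChallengeIds) => {
+ cy.wrap(enabledChallengeIds).each((challengeNum) => {
+ cy.visit(`/challenge/${challengeNum}`)
+ cy.dataCy(ChallengesPage.ANSWER_TEXTBOX).type('X')
+ cy.dataCy(ChallengesPage.SUBMIT_TEXTBOX_BTN).click()
+ cy.dataCy(ChallengesPage.INCORRECT_ALERT).should('contain', 'Your answer is incorrect, try harder ;-)')
+ })
+ })
+ })
+
+ it('Submitting right answer gives success notification and progress bar', () => {
+ cy.visit('/challenge/0')
+ cy.dataCy(ChallengesPage.ANSWER_TEXTBOX).type('The first answer')
+ cy.dataCy(ChallengesPage.SUBMIT_TEXTBOX_BTN).click()
+ cy.dataCy(ChallengesPage.SUCCESS_ALERT).should('contain', 'Your answer is correct!')
+ cy.dataCy(ChallengesPage.PROGRESS_BAR).should('be.visible').should('not.have.attr', 'aria-valuenow', '0')
+ })
+})
+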
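--- a/cypress/e2e/spoilers.cy.js
+++ b/cypress/e2e/spoilers.cy.js
@@ -0,0 +1,20 @@
+import SpoilersPage from '../pages/spoilersPage'
+
+describe('Spoiler Tests', () => {
+ beforeEach(() => {
+ cy.getAllChallenges()
+ })
+
+ it('Check all spoiler pages display correctly (e.g. have a title and some data)', () => {
+ cy.get('@allChallengeIds').then((allChallengeIds) => {
+ cy.wrap(allChallengeIds).each((challengeNum) => {
+ cy.visit(`/spoil-${challengeNum}`)
+ cy.dataCy(SpoilersPage.SPOILER_TITLE).should('be.visible')
+ cy.dataCy(SpoilersPage.SPOILER_TITLE).should('not.be.empty')
+ cy.dataCy(SpoilersPage.SPOILER_ANSWER).should('be.visible')
+ cy.dataCy(SpoilersPage.SPOILER_ANSWER).should('not.be.empty')
+ })
+ })
+ })
+})
+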
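--- a/cypress/e2e/themeSwitch.cy.js
+++ b/cypress/e2e/themeSwitch.cy.js
@@ -0,0 +1,47 @@
+import ThemeSwitchPage from '../pages/themeSwitchPage'
+
+describe('Theme Switching Tests', () => {
+ it('A user can switch the theme to dark on each page', () => {
+ cy.wrap(['', 'challenge/0', 'stats', 'about']).each((endpoint) => {
+ cy.visit(`/${endpoint}`)
+ cy.dataCy(ThemeSwitchPage.DARK_MODE_RADIO).click()
+ cy.get(ThemeSwitchPage.DARK_MODE).should('exist')
+ })
+ })
+
+ it('Dark mode persists on each page', () => {
+ cy.visit('/')
+ cy.dataCy(ThemeSwitchPage.DARK_MODE_RADIO).click()
+ cy.wrap(['', 'challenge/0', 'stats', 'about']).each((endpoint) => {
+ cy.visit(`/${endpoint}`)
+ cy.get(ThemeSwitchPage.DARK_MODE).should('exist')
+ })
+ })
+
+ it('A user can switch the theme to light on each page', () => {
+ cy.wrap(['', 'challenge/0', 'stats', 'about']).each((endpoint) => {
+ cy.visit(`/${endpoint}`)
+ cy.dataCy(ThemeSwitchPage.LIGHT_MODE_RADIO).click()
+ cy.get(ThemeSwitchPage.DARK_MODE).should('not.exist')
+ })
+ })
+
+ it('Light mode persists on each page', () => {
+ cy.visit('/')
+ cy.dataCy(ThemeSwitchPage.LIGHT_MODE_RADIO).click()
+ cy.wrap(['', 'challenge/0', 'stats', 'about']).each((endpoint) => {
+ cy.visit(`/${endpoint}`)
+ cy.get(ThemeSwitchPage.DARK_MODE).should('not.exist')
+ })
+ })
+
+ it('A user can switch theme to dark and back to light on each page', () => {
+ cy.wrap(['', 'challenge/0', 'stats', 'about']).each((endpoint) => {
+ cy.visit(`/${endpoint}`)
+ cy.dataCy(ThemeSwitchPage.DARK_MODE_RADIO).click()
+ cy.dataCy(ThemeSwitchPage.LIGHT_MODE_RADIO).click()
+ cy.get(ThemeSwitchPage.DARK_MODE).should('not.exist')
+ })
+ })
+})
+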
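Review bot: The page list `['', 'challenge/0', 'stats', 'about']` is written out in all five tests of this file, so adding a page to the theme checks means editing five places. Hoisting it once above the `describe`, `const PAGES = ['', 'challenge/0', 'stats', 'about']`, and iterating `cy.wrap(PAGES).each((endpoint) => { ... })` keeps the tests in step with each other. The visit-then-click-radio sequence repeated in the three "switch" tests could likewise become one small helper taking the radio constant.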
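--- a/cypress/pages/challengesPage.js
+++ b/cypress/pages/challengesPage.js
@@ -0,0 +1,46 @@
+export default class ChallengesPage {
+ static CHALLENGE_TITLE = 'challenge-title'
+ static CHALLENGE_DESCRIPTION = 'challenge-description'
+ static SHOW_HINTS_BTN = 'show-hints-btn'
+ static HINT_PARAGRAPH = 'hint-paragraph'
+ static WHATS_WRONG_BTN = 'whats-wrong-btn'
+ static WHATS_WRONG_PARAGRAPH = 'whats-wrong-paragraph'
+ static RESET_BTN = 'reset-btn'
+ static ANSWER_TEXTBOX = 'answer-textbox'
+ static CLEAR_TEXTBOX_BTN = 'clear-textbox-btn'
+ static SUBMIT_TEXTBOX_BTN = 'submit-textbox-btn'
+ static INCORRECT_ALERT = 'incorrect-alert'
+ static SUCCESS_ALERT = 'success-alert'
+ static DISABLED_alert = 'disabled-alert'
+ static PROGRESS_BAR = 'progress-bar'
+
+ assertEnabledChallengePage (challengeNum) {
+ cy.url().should('contain', `challenge/${challengeNum}`)
+ cy.dataCy(ChallengesPage.CHALLENGE_TITLE).should('be.visible')
+ cy.dataCy(ChallengesPage.CHALLENGE_DESCRIPTION).should('be.visible')
+ cy.dataCy(ChallengesPage.SHOW_HINTS_BTN).should('be.visible')
+ cy.dataCy(ChallengesPage.WHATS_WRONG_BTN).should('be.visible')
+ cy.dataCy(ChallengesPage.RESET_BTN).should('be.visible')
+ cy.dataCy(ChallengesPage.SUBMIT_TEXTBOX_BTN).should('be.visible')
+ cy.dataCy(ChallengesPage.CLEAR_TEXTBOX_BTN).should('be.visible')
+ }
+
+ assertDisabledChallengePage (challengeNum) {
+ cy.url().should('contain', `challenge/${challengeNum}`)
+ cy.dataCy(ChallengesPage.CHALLENGE_TITLE).should('be.visible')
+ cy.dataCy(ChallengesPage.CHALLENGE_DESCRIPTION).should('be.visible')
+ cy.dataCy(ChallengesPage.SHOW_HINTS_BTN).should('be.visible')
+ cy.dataCy(ChallengesPage.WHATS_WRONG_BTN).should('be.visible')
+ cy.dataCy(ChallengesPage.RESET_BTN).should('be.visible')
+ cy.dataCy(ChallengesPage.SUBMIT_TEXTBOX_BTN).should('be.visible')
+ cy.dataCy(ChallengesPage.CLEAR_TEXTBOX_BTN).should('be.visible')
+ cy.dataCy(ChallengesPage.INCORRECT_ALERT).should('be.visible')
+ cy.dataCy(ChallengesPage.DISABLED_alert).should('be.visible')
+ }
+
+ selectChallenge (challengeNum) {
+ cy.get('.form-select').select('All')
+ cy.dataCy(`"challenge ${challengeNum}-link"`).click()
+ }
+}
+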
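Review bot: `selectChallenge` wraps its argument in literal double quotes, `"challenge ${challengeNum}-link"`, to work around the `dataCy` command in cypress/support/commands.js building its selector as `[data-cy=${value}]` with no quoting, so any value containing a space breaks the selector unless the caller smuggles the quotes in. Quoting once inside the command, `` cy.get(`[data-cy="${value}"]`) ``, and dropping the embedded quotes here, `` cy.dataCy(`challenge ${challengeNum}-link`).click() ``, makes every call site uniform and keeps values with spaces or other selector metacharacters from being interpreted as selector syntax. `DISABLED_alert` also breaks the SCREAMING_CASE used by the other constants; `DISABLED_ALERT` would match.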
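--- a/cypress/pages/spoilersPage.js
+++ b/cypress/pages/spoilersPage.js
@@ -0,0 +1,5 @@
+export default class SpoilersPage {
+ static SPOILER_TITLE = 'spoiler-title'
+ static SPOILER_ANSWER = 'spoiler-answer'
+}
+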
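--- a/cypress/pages/themeSwitchPage.js
+++ b/cypress/pages/themeSwitchPage.js
@@ -0,0 +1,6 @@
+export default class ChallengesPage {
+ static DARK_MODE_RADIO = 'dark-mode-radio'
+ static LIGHT_MODE_RADIO = 'light-mode-radio'
+ static DARK_MODE = '.dark-mode'
+}
+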
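Review bot: The class in cypress/pages/themeSwitchPage.js is declared as `ChallengesPage`, the same name as the page object in cypress/pages/challengesPage.js; it only works because the default export is imported under the name `ThemeSwitchPage`. Renaming the declaration, `export default class ThemeSwitchPage {`, keeps stack traces and editor navigation from pointing at the wrong page object.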
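--- a/cypress/support/commands.js
+++ b/cypress/support/commands.js
@@ -0,0 +1,38 @@
+Cypress.Commands.add('dataCy', (value) => {
+ return cy.get(`[data-cy=${value}]`)
+})
+
+Cypress.Commands.add('getEnabledChallenges', () => {
+ cy.request('/api/challenges').then((response) => {
+ const numChallenges = response.body.data.length
+ const enabledChallengeIds = []
+ for (let i = 0; i < numChallenges; i++) {
+ if (response.body.data[i].disabledEnv != null) {
+ enabledChallengeIds.push(response.body.data[i].id - 1)
+ }
+ }
+ cy.wrap(enabledChallengeIds).as('enabledChallengeIds')
+ })
+})
+
+Cypress.Commands.add('getDisabledChallenges', () => {
+ cy.request('/api/challenges').then((response) => {
+ const numChallenges = response.body.data.length
+ const disabledChallengeIds = []
+ for (let i = 0; i < numChallenges; i++) {
+ if (response.body.data[i].disabledEnv === null) {
+ disabledChallengeIds.push(response.body.data[i].id - 1)
+ }
+ }
+ cy.wrap(disabledChallengeIds).as('disabledChallengeIds')
+ })
+})
+
+Cypress.Commands.add('getAllChallenges', () => {
+ cy.request('/api/challenges').then((response) => {
+ const numChallenges = response.body.data.length
+ const allChallengeIds = Array.from({ length: numChallenges }, (v, i) => i)
+ cy.wrap(allChallengeIds).as('allChallengeIds')
+ })
+})
+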
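Review bot: `getEnabledChallenges` and `getDisabledChallenges` each re-request `/api/challenges` and walk the array by hand, and their predicates are not mirror images — `disabledEnv != null` versus `disabledEnv === null` — so an entry whose `disabledEnv` is `undefined` lands in neither alias. Which side of that field means "enabled" is not visible here and the name reads as the opposite of how it is used, so a comment tying the predicate to the server's `disabledEnv` contract (confirmed against the API model) is worth adding, e.g. `// disabledEnv is non-null for challenges runnable in this environment — confirm against the /api/challenges model`. A single fetch split with array methods removes the duplication and makes the two conditions complementary, as sketched below; `getAllChallenges` derives ids from the array index while the other two use `id - 1`, which only agree if ids are contiguous from 1. The quoting of `dataCy` is raised on cypress/pages/challengesPage.js.
```javascript
// Fetch the challenge list once and partition it on disabledEnv
// (assumed: non-null means runnable in this environment — confirm against the API model)
const partitionChallenges = () =>
  cy.request('/api/challenges').then((response) => {
    const ids = (keep) => response.body.data.filter(keep).map((c) => c.id - 1)
    return {
      enabled: ids((c) => c.disabledEnv != null),
      disabled: ids((c) => c.disabledEnv == null)
    }
  })

Cypress.Commands.add('getEnabledChallenges', () => {
  partitionChallenges().then(({ enabled }) => cy.wrap(enabled).as('enabledChallengeIds'))
})

Cypress.Commands.add('getDisabledChallenges', () => {
  partitionChallenges().then(({ disabled }) => cy.wrap(disabled).as('disabledChallengeIds'))
})
// … unchanged: dataCy and getAllChallenges …
```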
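--- a/cypress/support/e2e.js
+++ b/cypress/support/e2e.js
@@ -0,0 +1,21 @@
+// ***********************************************************
+// This example support/e2e.js is processed and
+// loaded automatically before your test files.
+//
+// This is a great place to put global configuration and
+// behavior that modifies Cypress.
+//
+// You can change the location of this file or turn off
+// automatically serving support files with the
+// 'supportFile' configuration option.
+//
+// You can read more here:
+// https://on.cypress.io/configuration
+// ***********************************************************
+
+// Import commands.js using ES2015 syntax:
+import './commands'
+
+// Alternatively you can use CommonJS syntax:
+// require('./commands')
+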
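--- a/cypress.config.js
+++ b/cypress.config.js
@@ -0,0 +1,12 @@
+const { defineConfig } = require('cypress')
+
+module.exports = defineConfig({
+ video: false,
+ e2e: {
+ baseUrl: 'http://localhost:8080',
+ setupNodeEvents (on, config) {
+ // implement node event listeners here
+ }
+ }
+})
+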
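--- a/fly.toml
+++ b/fly.toml
@@ -9,9 +9,10 @@
  dockerfile = "Dockerfile"
  
 [build.args]
- argBasedVersion="1.5.2"
+ argBasedVersion="1.6.4"
  spring_profile="without-vault"
- argBasedEnv="Fly(Docker)"
+ springdoc_api-docs_enabled="false"
+ springdoc_swagger-ui_enabled="false"
  
 [env]
  K8S_ENV="Fly(Docker)"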
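Review bot: The two added build args `springdoc_api-docs_enabled` and `springdoc_swagger-ui_enabled` only disable the API docs if the Dockerfile declares matching `ARG`s and hands them to the application as properties or environment; that file is not in this diff, so confirm the mapping, otherwise the OpenAPI document and Swagger UI stay reachable on the Fly deployment. Turning both off on a public deployment is the right default, as the OpenAPI document enumerates every endpoint of the app. The removed `argBasedEnv="Fly(Docker)"` appears to be covered by the unchanged `K8S_ENV="Fly(Docker)"` under `[env]`, so nothing seems lost there; a one-line comment above the springdoc args, `# keep API docs off for the public Fly instance`, would record the intent.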
    gcp/.terraform.lock.hcl
     1 +# This file is maintained automatically by "terraform init".
     2 +# Manual edits may be lost in future updates.
     3 + 
     4 +provider "registry.terraform.io/hashicorp/google" {
     5 + version = "4.63.1"
     6 + constraints = "~> 4.63.1"
     7 + hashes = [
     8 + "h1:AJ0z+BKwPr0rEBmfRiIt3RhFKDlCZrlc/mVGPUdsJTw=",
     9 + "zh:0c8e024715dfe8bb4837059fc1a32369bf83f445129ebd3511591650eb9b3961",
     10 + "zh:3ca839141b59d670cc04a3f918fbbb3c6c95eeb8215bbb4214d1a2a57d1f6f7d",
     11 + "zh:3f68f83aaeecaf05f1066d0c7ca23ebc959a1ed10c57fd9f4d958b6b8d38fcc2",
     12 + "zh:3f84b372468f7768a7ca4775227afd105075670649474ba6524ea028175d5e0c",
     13 + "zh:60a016a6d4bd6a8f96ffdef5f9bd37863a8124056c39dbaf282c9713ceac06e8",
     14 + "zh:66e1fe61b78d7f35b5e1ed0d150dfa4997f32c877627c573b51735ab0c794d8e",
     15 + "zh:6d4b832f2147dae47da68d80a7d7cd66cb799205ed6b476ae490b2e2c3087d49",
     16 + "zh:bdf6555b6106ee5b597aa5e2ffed25d442f0e9ded1b531b0864c7d70d6b40c8b",
     17 + "zh:c2095125ce9f9627091fc673a3ca673c66caa288e38970ae585869c89cd5946d",
     18 + "zh:d43feedc9f6e0a49d208e4bac355ca0e843038c8f87cb8d3bb2355830d6e8dce",
     19 + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
     20 + "zh:f80bf9c3bef00ba4738d46c7e6170d1eb7f49e20a081acffa33a39035df86326",
     21 + ]
     22 +}
     23 + 
     24 +provider "registry.terraform.io/hashicorp/google-beta" {
     25 + version = "4.63.1"
     26 + constraints = "~> 4.63.1"
     27 + hashes = [
     28 + "h1:pqqFiQv23kiEbVk0OKRoT0+gxLZGsB28BUih+DZu/YM=",
     29 + "zh:03677a3781a5b4a49c64fc2cbf46912c8b1c13b95a36297e799df1b720871c87",
     30 + "zh:0a646edbb433bdda0dccc84af60b3e3460fe5d71341001ec8574cfeeef3948ac",
     31 + "zh:2cce8e374d4a4ca046b1abbbe5fe50090f731cf69783b3333bb3594e7e7ff340",
     32 + "zh:655a3e0805c125da33f60e0a0de5c0efaeab42a97e45a0c4bbcaaad1b38f6e09",
     33 + "zh:6d7470e4bf1ffc9915371a3aec01b6fd187c267eddd34378fda9f8793d7ae49a",
     34 + "zh:734a18e973a551b293e650806b77dfbca3c9a8c45aa087a1a34d6be5d4a5fe50",
     35 + "zh:97a6512247144c9ebe47bb189a831293c815bff0eb91d9a8b5c3240041ee794a",
     36 + "zh:a5f9a4290d0a0f6988c0139e64a9194ea96d711657669d5f52d18dd4738f2bce",
     37 + "zh:ace0af5e78bc5a829eefddbe32c360a5989128f8c999e30036961f692055ea61",
     38 + "zh:b01839915cd0da6522076e54656a1fe01eac72013f2567c3994b865714a973be",
     39 + "zh:bd68231046fe56b1cec25a51c484df6327bb7856638cf5e16dd2e686764ddc87",
     40 + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
     41 + ]
     42 +}
     43 + 
     44 +provider "registry.terraform.io/hashicorp/http" {
     45 + version = "3.3.0"
     46 + constraints = "~> 3.3.0"
     47 + hashes = [
     48 + "h1:O2VLKCxxAgaFRPnhRuz/VOsP5HzQdQm9YAi848kvImg=",
     49 + "zh:27d101f4c089d1e367bbbbb3f260fc7d52f63559a4424c08633e566863c951b2",
     50 + "zh:37860671324229f52a7d82eea88a31fe24321297fd699d879de5b6cf6aae086c",
     51 + "zh:4680716579e361298e4331ce0c92e38011fc41ed56bd55302c23b696b3b8c469",
     52 + "zh:547cd2a407ca0d22307634d83ffc64cd4225f221baa09682b7a8c5a2429c34d8",
     53 + "zh:61965698af75aad7482f2f593b75f15e4a4f6f0117b643c69f3da61f40b1a9c7",
     54 + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
     55 + "zh:93f9e0f2244816cbb72197c733ada4214df691e4e6a84b8e340e43e43ab8a383",
     56 + "zh:969aad70624d033c257c365cf75001d29fa7341b48d673cd7317205395b4791b",
     57 + "zh:e9504018b1af992c041bda1e4a6f01db1f1cdb1a7df8055d1082049befbc4217",
     58 + "zh:fa7f6af94e75c6fe21782c622ed387ae08ee3ffeaa0176f08d0b06bb61bb50f4",
     59 + "zh:feda1d7cdae86bce829f82223f625b55c858a36d3aca1a762d7258798a25b476",
     60 + "zh:ff1f3d8c53930aad2fde32d6328df7e7e5b5de36dd7c0682d15518993ab199ef",
     61 + ]
     62 +}
     63 + 
     64 +provider "registry.terraform.io/hashicorp/random" {
     65 + version = "3.5.1"
     66 + constraints = "~> 3.5.1"
     67 + hashes = [
     68 + "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=",
     69 + "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
     70 + "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
     71 + "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
     72 + "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
     73 + "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
     74 + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
     75 + "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
     76 + "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
     77 + "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
     78 + "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
     79 + "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
     80 + "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
     81 + ]
     82 +}
     83 + 
    gcp/README.md
    skipped 1 lines
    2 2   
    3 3  In this setup we integrate the secrets exercise with GCP GKE and let pods consume secrets from the GCP Secret manager. If you want to know more about integrating secrets with GKE, check [this link](https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp).
    4 4  Please make sure that the account in which you run this exercise has either Cloud Audit Logs enabled, or is not linked to your current organization and/or DTAP environment.
     5 + 
    5 6  ## Pre-requisites
    6 7   
    7 8  Have the following tools installed:
    8 9   
    9  -- gcloud CLI - [Installation](https://cloud.google.com/sdk/docs/install)
    10  -- Tfenv (Optional) - [Installation](https://github.com/tfutils/tfenv)
    11  -- Terraform CLI - [Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)
    12  -- Wget - [Installation](https://www.jcchouinard.com/wget/)
    13  -- Helm [Installation](https://helm.sh/docs/intro/install/)
    14  -- Kubectl [Installation](https://kubernetes.io/docs/tasks/tools/)
    15  -- jq [Installation](https://stedolan.github.io/jq/download/)
     10 +- gcloud CLI - [Installation](https://cloud.google.com/sdk/docs/install)
     11 +- Tfenv (Optional) - [Installation](https://github.com/tfutils/tfenv)
     12 +- Terraform CLI - [Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)
     13 +- Wget - [Installation](https://www.jcchouinard.com/wget/)
     14 +- Helm [Installation](https://helm.sh/docs/intro/install/)
     15 +- Kubectl [Installation](https://kubernetes.io/docs/tasks/tools/)
     16 +- jq [Installation](https://stedolan.github.io/jq/download/)
    16 17   
    17 18  Make sure you have an active account at GCP for which you have configured the credentials on the system where you will execute the steps below.
     19 + 
     20 +Please note that this setup relies on bash scripts that have been tested in MacOS and Linux. We have no intention of supporting vanilla Windows at the moment.
     21 + 
    18 22   
    19 23  ### Multi-user setup: shared state
    20 24   
    21 25  If you want to host a multi-user setup, you will probably want to share the state file so that everyone can try related challenges. We have provided a starter to easily do so using a Terraform gcs backend.
    22 26   
    23  -First, create an s3 bucket:
     27 +First, create an storage bucket:
    24 28   
    25 29  1. Navigate to the 'shared-state' directory `cd shared-state`
    26 30  2. Change the `project_id` in the `terraform.tfvars` file to your project id
    27 31  3. Run `terraform init`
    28  -4. Run `terraform apply`
     32 +4. Run `terraform apply`.
    29 33   
    30  -The bucket name should be in the output. Please use that to configure the Terraform backend in `versions.tf`.
     34 +The bucket name should be in the output. Please use that to configure the Terraform backend in `main.tf`.
    31 35   
    32 36  ## Installation
    33 37   
    skipped 10 lines
    44 48  5. Run `terraform init` (if required, use tfenv to select TF 0.14.0 or higher )
    45 49  6. Run `terraform plan`
    46 50  7. Run `terraform apply`. Note: the apply will take 10 to 20 minutes depending on the speed of the GCP backplane.
    47  -8. When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`
    48  -9. Run `./k8s-vault-gcp-start.sh`
     51 +8. Run `export USE_GKE_GCLOUD_AUTH_PLUGIN=True`
     52 +9. When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`. Note if it errors on a missing plugin to support `kubectl`, then run `gcloud components install gke-gcloud-auth-plugin` and `gcloud container clusters get-credentials wrongsecrets-exercise-cluster` .
     53 +10. Run `./k8s-vault-gcp-start.sh`
    49 54   
    50 55  ### GKE ingres for shared deployment
    51 56   
    52  -By default the deployment uses a nodePort tunneled to localhost. For a larger audiance deployment the wrongsecrets app can deployed with a GKE ingress, run `k8s-vault-gcp-ingress-start.sh`
     57 +By default the deployment uses a nodePort tunneled to localhost. For a larger audience deployment the wrongsecrets app can deployed with a GKE ingress, run `k8s-vault-gcp-ingress-start.sh`
    53 58  Please note that the GKE ingress can take a few minues to deploy and is publicly available. A connection URL will be returned once the ingress is available. Note that, after the connection URL is returned, a first lookup might still take a minute, after which it is much faster.
    54 59   
    55 60  Your GKE cluster should be visible in [EU-West4](https://console.cloud.google.com/kubernetes?referrer=search&project=wrongsecrets) by default. Want a different region? You can modify `terraform.tfvars` or input it directly using the `region` variable in plan/apply.
    skipped 5 lines
    61 66  Run `./k8s-vault-gcp-start.sh` and connect to [http://localhost:8080](http://localhost:8080) when it's ready to accept connections (you'll read the line `Forwarding from 127.0.0.1:8080 -> 8080` in your console). Now challenge 9 and 10 should be available as well.
    62 67   
    63 68  ### Resume it
     69 + 
    64 70  When you stopped the `k8s-vault-gcp-start.sh` script and want to resume the port forward run: `k8s-vault-gcp-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
    65 71   
    66 72  ### Clean it up
    skipped 4 lines
    71 77  2. Run `terraform destroy` to clean up the infrastructure.
    72 78  3. Run `unset KUBECONFIG` to unset the KUBECONFIG env var.
    73 79  4. Run `rm ~/.kube/wrongsecrets` to remove the kubeconfig file.
    74  -5. Run `rm terraform.ts*` to remove local state files.
     80 +5. Run `rm terraform.tfstate*` to remove local state files.
    75 81   
    76 82  ### A few things to consider
    77 83   
    skipped 2 lines
    80 86  3. Can you get the secrets in the SSM Parameter Store and Secret Manager easily? Which paths do you see?
    81 87  4. You should see at the configuration details of the cluster that `databaseEncryption` is `DECRYPTED` (`gcloud container clusters describe wrongsecrets-exercise-cluster --region europe-west4`). What does that mean?
    82 88   
     89 +## Terraform documentation
     90 + 
     91 +The documentation below is auto-generated to give insight on what's created via Terraform.
     92 + 
     93 +<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
     94 +## Requirements
     95 + 
     96 +| Name | Version |
     97 +|------|---------|
     98 +| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
     99 +| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.63.1 |
     100 +| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | ~> 4.63.1 |
     101 +| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.3.0 |
     102 +| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.5.1 |
     103 + 
     104 +## Providers
     105 + 
     106 +| Name | Version |
     107 +|------|---------|
     108 +| <a name="provider_google"></a> [google](#provider\_google) | 4.63.1 |
     109 +| <a name="provider_google-beta"></a> [google-beta](#provider\_google-beta) | 4.63.1 |
     110 +| <a name="provider_http"></a> [http](#provider\_http) | 3.3.0 |
     111 +| <a name="provider_random"></a> [random](#provider\_random) | 3.5.1 |
     112 + 
     113 +## Modules
     114 + 
     115 +No modules.
     116 + 
     117 +## Resources
     118 + 
     119 +| Name | Type |
     120 +|------|------|
     121 +| [google-beta_google_iam_workload_identity_pool.pool](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_iam_workload_identity_pool) | resource |
     122 +| [google_compute_network.vpc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network) | resource |
     123 +| [google_compute_subnetwork.master_subnet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork) | resource |
     124 +| [google_compute_subnetwork.node_subnet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork) | resource |
     125 +| [google_container_cluster.gke](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster) | resource |
     126 +| [google_project_iam_member.wrongsecrets_cluster_sa_roles](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
     127 +| [google_secret_manager_secret.wrongsecret_1](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
     128 +| [google_secret_manager_secret.wrongsecret_2](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
     129 +| [google_secret_manager_secret.wrongsecret_3](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
     130 +| [google_secret_manager_secret_iam_member.wrongsecret_1_member](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_member) | resource |
     131 +| [google_secret_manager_secret_iam_member.wrongsecret_2_member](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_member) | resource |
     132 +| [google_secret_manager_secret_iam_member.wrongsecret_3_member](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_member) | resource |
     133 +| [google_secret_manager_secret_version.secret_version_basic](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_version) | resource |
     134 +| [google_service_account.wrongsecrets_cluster](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
     135 +| [google_service_account.wrongsecrets_workload](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
     136 +| [google_service_account_iam_member.wrongsecret_pod_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
     137 +| [google_service_account_iam_member.wrongsecret_wrong_pod_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
     138 +| [random_integer.int](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) | resource |
     139 +| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
     140 +| [http_http.ip](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
     141 + 
     142 +## Inputs
     143 + 
     144 +| Name | Description | Type | Default | Required |
     145 +|------|-------------|------|---------|:--------:|
     146 +| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The GKE cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
     147 +| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The GKE cluster version to use | `string` | `"1.25"` | no |
     148 +| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | project id | `string` | n/a | yes |
     149 +| <a name="input_region"></a> [region](#input\_region) | The GCP region to use | `string` | `"eu-west4"` | no |
     150 + 
     151 +## Outputs
     152 + 
     153 +| Name | Description |
     154 +|------|-------------|
     155 +| <a name="output_gke_config"></a> [gke\_config](#output\_gke\_config) | config string for the cluster credentials |
     156 +| <a name="output_kubernetes_cluster_host"></a> [kubernetes\_cluster\_host](#output\_kubernetes\_cluster\_host) | GKE Cluster Host |
     157 +| <a name="output_kubernetes_cluster_name"></a> [kubernetes\_cluster\_name](#output\_kubernetes\_cluster\_name) | GKE Cluster Name |
     158 +| <a name="output_project_id"></a> [project\_id](#output\_project\_id) | GCloud Project ID |
     159 +| <a name="output_region"></a> [region](#output\_region) | GCloud Region |
     160 +<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
     161 + 
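--- a/gcp/iam.tf
+++ b/gcp/iam.tf
@@ -24,7 +24,7 @@
  service_account_id = google_service_account.wrongsecrets_workload.id
  role = "roles/iam.workloadIdentityUser"
  member = "serviceAccount:${var.project_id}.svc.id.goog[default/vault]"
- depends_on = [
+ depends_on = [
  google_iam_workload_identity_pool.pool,
  google_container_cluster.gke
  ]
@@ -35,7 +35,7 @@
  service_account_id = google_service_account.wrongsecrets_workload.id
  role = "roles/iam.workloadIdentityUser"
  member = "serviceAccount:${var.project_id}.svc.id.goog[default/default]"
- depends_on = [
+ depends_on = [
  google_iam_workload_identity_pool.pool,
  google_container_cluster.gke
  ]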
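--- a/gcp/k8s/k8s-gke-ingress.yaml
+++ b/gcp/k8s/k8s-gke-ingress.yaml
@@ -1,19 +1,3 @@
-apiVersion: v1
-kind: Service
-metadata:
- namespace: default
- name: secret-challenge
- labels:
- app: secret-challenge
-spec:
- type: NodePort
- ports:
- - port: 80
- targetPort: 8080
- protocol: TCP
- selector:
- app: secret-challenge
----
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -25,4 +9,3 @@
  port:
  number: 80
  
-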
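--- a/gcp/k8s/k8s-gke-service.yaml
+++ b/gcp/k8s/k8s-gke-service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: default
+ name: secret-challenge
+ labels:
+ app: secret-challenge
+spec:
+ type: NodePort
+ ports:
+ - port: 80
+ targetPort: 8080
+ protocol: TCP
+ selector:
+ app: secret-challenge
+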
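--- a/gcp/k8s/secret-challenge-vault-deployment.yml.tpl
+++ b/gcp/k8s/secret-challenge-vault-deployment.yml.tpl
@@ -30,6 +30,8 @@
  fsGroup: 2000
  serviceAccountName: vault
  volumes:
+ - name: 'ephemeral'
+ emptyDir: {}
  - name: secrets-store-inline
  csi:
  driver: secrets-store.csi.k8s.io
@@ -37,17 +39,52 @@
  volumeAttributes:
  secretProviderClass: "wrongsecrets-gcp-secretsmanager"
  containers:
- - image: jeroenwillemsen/wrongsecrets:1.5.2-k8s-vault
+ - image: jeroenwillemsen/wrongsecrets:1.6.4-k8s-vault
  imagePullPolicy: IfNotPresent
+ name: secret-challenge
  ports:
  - containerPort: 8080
  protocol: TCP
- name: secret-challenge
- resources: {}
+ readinessProbe:
+ httpGet:
+ path: '/actuator/health/readiness'
+ port: 8080
+ initialDelaySeconds: 30
+ timeoutSeconds: 5
+ periodSeconds: 5
+ failureThreshold: 8
+ livenessProbe:
+ httpGet:
+ path: '/actuator/health/liveness'
+ port: 8080
+ initialDelaySeconds: 35
+ timeoutSeconds: 30
+ periodSeconds: 40
+ failureThreshold: 5
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ resources:
+ requests:
+ memory: '512Mi'
+ cpu: '200m'
+ ephemeral-storage: '1Gi'
+ limits:
+ memory: '512Mi'
+ cpu: '800m'
+ ephemeral-storage: '2Gi'
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  env:
- - name: GCP_PROJECT_ID
+ - name: GCP_PROJECT
+ value: ${GCP_PROJECT}
+ - name: GOOGLE_CLOUD_PROJECT
  value: ${GCP_PROJECT}
  - name: K8S_ENV
  value: gcp
@@ -56,19 +93,26 @@
  configMapKeyRef:
  name: secrets-file
  key: funny.entry
+ - name: CHALLENGE33
+ valueFrom:
+ secretKeyRef:
+ name: challenge33
+ key: answer
  - name: SPECIAL_SPECIAL_K8S_SECRET
  valueFrom:
  secretKeyRef:
  name: funnystuff
  key: funnier
- - name: VAULT_ADDR
- value: "http://vault:8200"
+ - name: SPRING_CLOUD_VAULT_URI
+ value: "http://vault.vault.svc.cluster.local:8200"
  - name: JWT_PATH
  value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
  volumeMounts:
  - name: secrets-store-inline
  mountPath: "/mnt/secrets-store"
  readOnly: true
+ - name: 'ephemeral'
+ mountPath: '/tmp'
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  schedulerName: default-scheduler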
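Review bot: `runAsNonRoot: true` together with `readOnlyRootFilesystem: true` only admits the container if the `jeroenwillemsen/wrongsecrets:1.6.4-k8s-vault` image runs as a numeric non-root user and writes nothing outside the new `/tmp` emptyDir; neither is visible here, and the pod-level `securityContext` that would carry a `runAsUser` starts above the first hunk, so confirm both or the pod will sit in CreateContainerConfigError. The new `SPRING_CLOUD_VAULT_URI` is plain `http://`, so the service-account token read from `JWT_PATH` is presented to Vault unencrypted inside the cluster; acceptable for a lab, but worth recording with `# Vault is reached over cluster-internal HTTP; the login JWT is not protected in transit` next to it. `GCP_PROJECT` and `GOOGLE_CLOUD_PROJECT` are now set to the same value, and a short comment naming which consumer reads which name would save the next reader a search. The Deployment spec continues on both sides of the hunks.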
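--- a/gcp/k8s-vault-gcp-ingress-clean.sh
+++ b/gcp/k8s-vault-gcp-ingress-clean.sh
@@ -9,6 +9,7 @@
  
 export GCP_PROJECT=$(gcloud config list --format 'value(core.project)' 2>/dev/null)
  
+kubectl delete -f ./k8s/k8s-gke-service.yaml
 kubectl delete -f ./k8s/k8s-gke-ingress.yaml
  
 echo "Waiting 10 seconds..."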
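--- a/gcp/k8s-vault-gcp-ingress-start.sh
+++ b/gcp/k8s-vault-gcp-ingress-start.sh
@@ -50,7 +50,7 @@
 while [[ $isvaultrunning != *"vault-2"* ]]; do echo "waiting for Vaul2" && sleep 2 && isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running); done
  
 echo "Setting up port forwarding"
-kubectl port-forward vault-0 8200:8200 &
+kubectl port-forward vault-0 -n vault 8200:8200 &
 echo "Unsealing Vault"
 kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json >cluster-keys.json
 cat cluster-keys.json | jq -r ".unseal_keys_b64[]"
@@ -143,8 +143,10 @@
 kubectl apply -f./k8s/secret-challenge-vault-deployment.yml
 while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
  
-echo "Deploying ingress"
+echo "Deploying service"
+kubectl apply -f k8s/k8s-gke-service.yaml
  
+echo "Deploying ingress"
 kubectl apply -f k8s/k8s-gke-ingress.yaml
  
 while [[ -z $(kubectl get ingress basic-ingress --output jsonpath='{.status.loadBalancer.ingress[].ip}') ]]; do echo "waiting for ingress IP, this will take a few minutes... last check: $(date +\%T)" && sleep 10; done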
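Review bot: The port-forward now targets the `vault` namespace, but the unchanged `kubectl exec vault-0 -- vault operator init ...` two lines below it (and the `kubectl get pods` readiness loop above it) still run against the current-context namespace, so unless an earlier part of the script switches the context to `vault`, the init will fail with a pod-not-found error while the port-forward succeeds. Suggest `kubectl exec -n vault vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json >cluster-keys.json` so the two commands agree. The same `-n vault` change is made in `gcp/k8s-vault-gcp-resume.sh`, where no other `vault-0` command remains. The script body continues outside both hunks.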
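--- a/gcp/k8s-vault-gcp-resume.sh
+++ b/gcp/k8s-vault-gcp-resume.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
  
-kubectl port-forward vault-0 8200:8200 &
+kubectl port-forward vault-0 -n vault 8200:8200 &
 kubectl port-forward \
  $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
  8080:8080 \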
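--- a/gcp/k8s-vault-gcp-start.sh
+++ b/gcp/k8s-vault-gcp-start.sh
@@ -11,7 +11,10 @@
 echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube. Vault is awesome!"
  
 export GCP_PROJECT=$(gcloud config list --format 'value(core.project)' 2>/dev/null)
-export USE_GKE_GCLOUD_AUTH_PLUGIN=True
+#export USE_GKE_GCLOUD_AUTH_PLUGIN=True
+
+echo "Setting up workspace PSA to restricted for default"
+kubectl apply -f ../k8s/workspace-psa.yml
  
 kubectl get configmaps | grep 'secrets-file' &>/dev/null
 if [ $? == 0 ]; then
@@ -25,6 +28,7 @@
  echo "secrets secret is already installed"
 else
  kubectl apply -f ../k8s/secrets-secret.yml
+ kubectl apply -f ../k8s/challenge33.yml
 fi
  
 source ../scripts/install-consul.sh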
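Review bot: `kubectl apply -f ../k8s/challenge33.yml` is only reached in the `else` branch of the check for the existing secrets secret, so a cluster that already carries `secrets-secret.yml` from an earlier run never gets the `challenge33` secret, and the new `CHALLENGE33` `secretKeyRef` in the deployment template (no `optional: true`) will keep the pod from starting. Since `kubectl apply` is idempotent, move the line out of the conditional, or guard it with its own `kubectl get secret challenge33` check. `#export USE_GKE_GCLOUD_AUTH_PLUGIN=True` is now dead text; the README tells users to export it themselves, so delete the line rather than leave it commented. Both hunks sit inside a script whose start and end are outside this diff.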
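--- a/gcp/main.tf
+++ b/gcp/main.tf
@@ -1,3 +1,13 @@
+terraform {
+ # For shared state:
+ # Set the resource group in the backend configuration below, then uncomment and apply!
+ # Note that you probably already create a resource group. Don't forget to set that correctly in this file.
+ # backend "gcs" {
+ # bucket = ""
+ # prefix = "terraform/state"
+ # }
+}
+
 provider "google" {
  project = var.project_id
  region = var.region
@@ -30,7 +40,7 @@
  node_config {
  # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
  service_account = google_service_account.wrongsecrets_cluster.email
- machine_type = "e2-highcpu-2"
+ machine_type = "e2-standard-2"
  oauth_scopes = [
  "https://www.googleapis.com/auth/cloud-platform"
  ]
@@ -42,7 +52,7 @@
  
  master_authorized_networks_config {
  cidr_blocks {
- cidr_block = "${data.http.ip.body}/32"
+ cidr_block = "${data.http.ip.response_body}/32"
  display_name = "user origin"
  }
  }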
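Review bot: The relocated backend comment still speaks of a "resource group", which is Azure terminology; for the `gcs` backend the value to fill in is the bucket produced by `shared-state`, so the two lines should read `# Set the bucket created by ./shared-state in the backend configuration below, then uncomment and apply!` and `# Note that the bucket must exist before you run terraform init with this backend.`. `data.http.ip.response_body` is the correct rename for http provider 3.x, but since that body (fetched from a URL outside this hunk) goes straight into `master_authorized_networks_config`, wrapping it as `cidr_block = "${trimspace(data.http.ip.response_body)}/32"` guards against a trailing newline producing an invalid CIDR, and a comment that the control-plane allowlist is derived from an unauthenticated external lookup is worth adding. The `google_container_cluster` resource begins and ends outside the hunks.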
    gcp/shared-state/README.md
     1 +# Terraform documentation
     2 +The documentation below is auto-generated to give insight on what's created via Terraform.
     3 + 
     4 +<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
     5 +## Requirements
     6 + 
     7 +| Name | Version |
     8 +|------|---------|
     9 +| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
     10 +| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.1 |
     11 +| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
     12 + 
     13 +## Providers
     14 + 
     15 +| Name | Version |
     16 +|------|---------|
     17 +| <a name="provider_google"></a> [google](#provider\_google) | ~> 4.1 |
     18 +| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.0 |
     19 + 
     20 +## Modules
     21 + 
     22 +No modules.
     23 + 
     24 +## Resources
     25 + 
     26 +| Name | Type |
     27 +|------|------|
     28 +| [google_storage_bucket.state_bucket](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket) | resource |
     29 +| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
     30 + 
     31 +## Inputs
     32 + 
     33 +| Name | Description | Type | Default | Required |
     34 +|------|-------------|------|---------|:--------:|
     35 +| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The GCP project id to use | `string` | `"owasp-wrongsecrets"` | no |
     36 +| <a name="input_region"></a> [region](#input\_region) | The GCP region to use | `string` | `"europe-west4"` | no |
     37 + 
     38 +## Outputs
     39 + 
     40 +| Name | Description |
     41 +|------|-------------|
     42 +| <a name="output_bucket"></a> [bucket](#output\_bucket) | Terraform backend storage bucket |
     43 +<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
     44 + 
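--- a/gcp/shared-state/main.tf
+++ b/gcp/shared-state/main.tf
@@ -1,23 +1,32 @@
+terraform {
+ required_version = "~> 1.1"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "~> 4.1"
+ }
+ random = {
+ version = "~> 3.0"
+ }
+ }
+}
+
+
 provider "google" {
- project = var.project_id
- region = var.region
+ project = var.project_id
+ region = var.region
 }
  
 resource "random_id" "suffix" {
- byte_length = 4
+ byte_length = 4
 }
  
-resource "google_storage_bucket" "state-bucket" {
- name = "tfstate-wrongsecrets-${random_id.suffix.hex}"
- location = var.region
-
- versioning {
- enabled = true
- }
-}
+resource "google_storage_bucket" "state_bucket" {
+ name = "tfstate-wrongsecrets-${random_id.suffix.hex}"
+ location = var.region
  
-output "bucket" {
- value = google_storage_bucket.state-bucket.name
- description = "Terraform backend storage bucket"
+ versioning {
+ enabled = true
+ }
 }
  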
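Review bot: Renaming `google_storage_bucket.state-bucket` to `state_bucket` changes the resource address, so on an already-deployed shared-state stack the next `terraform apply` plans to destroy the bucket that holds everyone's state and create a fresh one; with `required_version = "~> 1.1"` a `moved` block records the rename without recreation. The bucket will hold the tfstate of the main stack, which includes the generated `random_password` and secret values, so it should also be IAM-only and shielded from public access with `uniform_bucket_level_access = true` and `public_access_prevention = "enforced"` next to `versioning`.

```hcl
resource "google_storage_bucket" "state_bucket" {
 name = "tfstate-wrongsecrets-${random_id.suffix.hex}"
 location = var.region
 # state stored here contains generated secrets: IAM-only access, no public exposure
 uniform_bucket_level_access = true
 public_access_prevention = "enforced"
 # … unchanged: versioning block …
}

# keeps existing deployments from destroying and recreating the bucket after the rename
moved {
 from = google_storage_bucket.state-bucket
 to = google_storage_bucket.state_bucket
}
```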
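--- a/gcp/shared-state/outputs.tf
+++ b/gcp/shared-state/outputs.tf
@@ -0,0 +1,5 @@
+output "bucket" {
+ value = google_storage_bucket.state-bucket.name
+ description = "Terraform backend storage bucket"
+}
+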
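Review bot: `google_storage_bucket.state-bucket.name` refers to the resource by its old name; `gcp/shared-state/main.tf` in this same commit renames it to `state_bucket`, so `terraform validate` will reject this file with an undeclared-resource error and the shared-state module cannot be applied at all. Change the line to `value = google_storage_bucket.state_bucket.name`, which also matches what the generated `gcp/shared-state/README.md` lists.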
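--- a/gcp/shared-state/variables.tf
+++ b/gcp/shared-state/variables.tf
@@ -1,12 +1,12 @@
 variable "project_id" {
- description = "The GCP project id to use"
- type = string
- default = "owasp-wrongsecrets"
+ description = "The GCP project id to use"
+ type = string
+ default = "owasp-wrongsecrets"
 }
  
 variable "region" {
- description = "The GCP region to use"
- type = string
- default = "europe-west4"
+ description = "The GCP region to use"
+ type = string
+ default = "europe-west4"
 }
  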
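--- a/gcp/variables.tf
+++ b/gcp/variables.tf
@@ -12,7 +12,7 @@
 variable "cluster_version" {
  description = "The GKE cluster version to use"
  type = string
- default = "1.22"
+ default = "1.25"
 }
  
 variable "cluster_name" {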
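--- a/gcp/versions.tf
+++ b/gcp/versions.tf
@@ -1,26 +1,20 @@
 terraform {
- required_version = ">= 1.0.0"
-
+ required_version = "~> 1.1"
  required_providers {
  google = {
  source = "hashicorp/google"
- version = ">= 4.1.0"
+ version = "~> 4.63.1"
  }
  google-beta = {
  source = "hashicorp/google-beta"
- version = ">= 4.1.0"
+ version = "~> 4.63.1"
  }
- local = ">= 1.4"
- random = ">= 2.1"
- kubernetes = ">= 1.11"
+ random = {
+ version = "~> 3.5.1"
+ }
+ http = {
+ version = "~> 3.3.0"
+ }
  }
-
- # For shared state:
- # Set the resource group in the backend configuration below, then uncomment and apply!
- # Note that you probably already create a resource group. Don't forget to set that correctly in this file.
- # backend "gcs" {
- # bucket = ""
- # prefix = "terraform/state"
- # }
 }
 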
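Review bot: The commented `backend "gcs"` block and its instructions are deleted at the end of the hunk with nothing replacing them, so this module no longer says how to use the tfstate bucket that gcp/shared-state provisions. A one-line pointer inside the `terraform` block, e.g. `# Remote state: configure backend "gcs" with the bucket output of gcp/shared-state (prefix "terraform/state") before apply`, keeps that discoverable. The `kubernetes` and `local` constraints are dropped too; if any resource under gcp/ still uses the kubernetes provider, its version is now unconstrained while google, random and http are pinned with `~>`, which undercuts the reproducibility this change otherwise buys. The new `random` and `http` entries omit `source`; it defaults to the hashicorp namespace, but spelling it out as `source = "hashicorp/random"` and `source = "hashicorp/http"` keeps them consistent with the google entries.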
  • images/1password_logo.png
  • images/aws-white_48x29.png
  • images/clone-project-2.png
  • images/docker_logo.png
  • images/edit-config-7.1.png
  • images/fill-fields-7.4.png
  • images/final-output-8.png
  • images/fork-project-1.png
  • images/gitguardian_logo.jpeg
  • images/jetbrains_logo.png
  • images/lombok-processing-4.3.png
  • images/lombok-setup-4.2.png
  • images/modify-options-7.2.png
  • images/open-application-6.1.png
  • images/open-maven-5.1.png
  • images/open-project-3.1.png
  • images/open-settings-4.1.png
  • images/open-settings-4.4.png
  • images/reload-maven-5.2.png
  • images/run-application-6.2.png
  • images/screenshot.png
  • images/select-options-7.3.png
  • images/wait-3.2.png
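--- a/js/index.js
+++ b/js/index.js
@@ -1,5 +1,6 @@
-function secret() {
- var password = "jLJIQZM=" + 9 + "aG7l" + 6 + "LAQ=" + 2 + "UdiM" + 7;
- return password;
- }
+/* eslint-disable no-unused-vars */
+function secret () {
+ const password = 'jLJIQZM=' + 9 + 'aG7l' + 6 + 'LAQ=' + 2 + 'UdiM' + 7
+ return password
+}
 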
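Review bot: `/* eslint-disable no-unused-vars */` on line 1 switches the rule off for the whole file, while the only unused binding is `secret` itself; `// eslint-disable-next-line no-unused-vars` placed directly above `function secret () {` scopes the exception to that one declaration so any future dead code in this file is still reported. The function also carries no comment saying why an unused, hard-coded value exists, so a later cleanup could simply delete it; a header such as `// Intentionally weak client-side secret for the WrongSecrets challenge; processed by the obfuscation build step` (assuming the javascript-obfuscator dev dependency is what consumes this file) would record the intent.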
    js/package-lock.json
    skipped 7 lines
    8 8   "name": "wrongsecrets",
    9 9   "version": "1.3.1",
    10 10   "license": "MIT",
     11 + "dependencies": {
     12 + "minimatch": ">=9.0.0"
     13 + },
    11 14   "devDependencies": {
    12  - "javascript-obfuscator": "^4.0.0"
     15 + "javascript-obfuscator": "^4.0.2",
     16 + "minimatch": ">=9.0.0"
    13 17   }
    14 18   },
    15 19   "node_modules/@javascript-obfuscator/escodegen": {
    skipped 29 lines
    45 49   "integrity": "sha512-Klz949h02Gz2uZCMGwDUSDS1YBlTdDDgbWHi+81l29tQALUtvz4rAYi5uoVhE5Lagoq6DeqAUlbrHvW/mXDgdQ==",
    46 50   "dev": true
    47 51   },
     52 + "node_modules/@types/validator": {
     53 + "version": "13.7.12",
     54 + "resolved": "https://registry.npmjs.org/@types/validator/-/validator-13.7.12.tgz",
     55 + "integrity": "sha512-YVtyAPqpefU+Mm/qqnOANW6IkqKpCSrarcyV269C8MA8Ux0dbkEuQwM/4CjL47kVEM2LgBef/ETfkH+c6+moFA==",
     56 + "dev": true
     57 + },
    48 58   "node_modules/acorn": {
    49  - "version": "8.7.0",
    50  - "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.7.0.tgz",
    51  - "integrity": "sha512-V/LGr1APy+PXIwKebEWrkZPwoeoF+w1jiOBUmuxuiUIaOHtob8Qc9BTrYo7VuI5fR8tqsy+buA2WFooR5olqvQ==",
     59 + "version": "8.8.2",
     60 + "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.8.2.tgz",
     61 + "integrity": "sha512-xjIYgE8HBrkpd/sJqOGNspf8uHG+NOHGOw6a/Urj8taM2EXfdNAH2oFcPeIFfsv3+kz/mJrS5VuMqbNLjCa2vw==",
    52 62   "dev": true,
    53 63   "bin": {
    54 64   "acorn": "bin/acorn"
    skipped 75 lines
    130 140   "dev": true
    131 141   },
    132 142   "node_modules/brace-expansion": {
    133  - "version": "1.1.11",
    134  - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
    135  - "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
     143 + "version": "2.0.1",
     144 + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
     145 + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
    136 146   "dev": true,
    137 147   "dependencies": {
    138  - "balanced-match": "^1.0.0",
    139  - "concat-map": "0.0.1"
     148 + "balanced-match": "^1.0.0"
    140 149   }
    141 150   },
    142 151   "node_modules/buffer-from": {
    skipped 32 lines
    175 184   }
    176 185   },
    177 186   "node_modules/chance": {
    178  - "version": "1.1.8",
    179  - "resolved": "https://registry.npmjs.org/chance/-/chance-1.1.8.tgz",
    180  - "integrity": "sha512-v7fi5Hj2VbR6dJEGRWLmJBA83LJMS47pkAbmROFxHWd9qmE1esHRZW8Clf1Fhzr3rjxnNZVCjOEv/ivFxeIMtg==",
     187 + "version": "1.1.9",
     188 + "resolved": "https://registry.npmjs.org/chance/-/chance-1.1.9.tgz",
     189 + "integrity": "sha512-TfxnA/DcZXRTA4OekA2zL9GH8qscbbl6X0ZqU4tXhGveVY/mXWvEQLt5GwZcYXTEyEFflVtj+pG8nc8EwSm1RQ==",
    181 190   "dev": true
    182 191   },
    183 192   "node_modules/char-regex": {
    skipped 15 lines
    199 208   }
    200 209   },
    201 210   "node_modules/class-validator": {
    202  - "version": "0.13.2",
    203  - "resolved": "https://registry.npmjs.org/class-validator/-/class-validator-0.13.2.tgz",
    204  - "integrity": "sha512-yBUcQy07FPlGzUjoLuUfIOXzgynnQPPruyK1Ge2B74k9ROwnle1E+NxLWnUv5OLU8hA/qL5leAE9XnXq3byaBw==",
     211 + "version": "0.14.0",
     212 + "resolved": "https://registry.npmjs.org/class-validator/-/class-validator-0.14.0.tgz",
     213 + "integrity": "sha512-ct3ltplN8I9fOwUd8GrP8UQixwff129BkEtuWDKL5W45cQuLd19xqmTLu5ge78YDm/fdje6FMt0hGOhl0lii3A==",
    205 214   "dev": true,
    206 215   "dependencies": {
    207  - "libphonenumber-js": "^1.9.43",
     216 + "@types/validator": "^13.7.10",
     217 + "libphonenumber-js": "^1.10.14",
    208 218   "validator": "^13.7.0"
    209 219   }
    210 220   },
    skipped 16 lines
    227 237   "dev": true
    228 238   },
    229 239   "node_modules/commander": {
    230  - "version": "9.0.0",
    231  - "resolved": "https://registry.npmjs.org/commander/-/commander-9.0.0.tgz",
    232  - "integrity": "sha512-JJfP2saEKbQqvW+FI93OYUB4ByV5cizMpFMiiJI8xDbBvQvSkIk0VvQdn1CZ8mqAO8Loq2h0gYTYtDFUZUeERw==",
     240 + "version": "10.0.0",
     241 + "resolved": "https://registry.npmjs.org/commander/-/commander-10.0.0.tgz",
     242 + "integrity": "sha512-zS5PnTI22FIRM6ylNW8G4Ap0IEOyk62fhLSD0+uHRT9McRCLGpkVNvao4bjimpK/GShynyQkFFxHhwMcETmduA==",
    233 243   "dev": true,
    234 244   "engines": {
    235  - "node": "^12.20.0 || >=14"
     245 + "node": ">=14"
    236 246   }
    237 247   },
    238 248   "node_modules/concat-map": {
    239 249   "version": "0.0.1",
    240 250   "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
    241  - "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=",
     251 + "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
    242 252   "dev": true
    243 253   },
    244 254   "node_modules/crypt": {
    skipped 81 lines
    326 336   "dev": true
    327 337   },
    328 338   "node_modules/eslint-scope": {
    329  - "version": "7.1.0",
    330  - "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-7.1.0.tgz",
    331  - "integrity": "sha512-aWwkhnS0qAXqNOgKOK0dJ2nvzEbhEvpy8OlJ9kZ0FeZnA6zpjv1/Vei+puGFFX7zkPCkHHXb7IDX3A+7yPrRWg==",
     339 + "version": "7.1.1",
     340 + "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-7.1.1.tgz",
     341 + "integrity": "sha512-QKQM/UXpIiHcLqJ5AOyIW7XZmzjkzQXYE54n1++wb0u9V/abW3l9uQnxX8Z5Xd18xyKIMTUAyQ0k1e8pz6LUrw==",
    332 342   "dev": true,
    333 343   "dependencies": {
    334 344   "esrecurse": "^4.3.0",
    skipped 4 lines
    339 349   }
    340 350   },
    341 351   "node_modules/eslint-visitor-keys": {
    342  - "version": "3.2.0",
    343  - "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.2.0.tgz",
    344  - "integrity": "sha512-IOzT0X126zn7ALX0dwFiUQEdsfzrm4+ISsQS8nukaJXwEyYKRSnEIIDULYg1mCtGp7UUXgfGl7BIolXREQK+XQ==",
     352 + "version": "3.3.0",
     353 + "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.3.0.tgz",
     354 + "integrity": "sha512-mQ+suqKJVyeuwGYHAdjMFqjCyfl8+Ldnxuyp3ldiMBFKkvytrXUZWaiPCEav8qDHKty44bD+qV1IP4T+w+xXRA==",
    345 355   "dev": true,
    346 356   "engines": {
    347 357   "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
    skipped 401 lines
    749 759   }
    750 760   },
    751 761   "node_modules/javascript-obfuscator": {
    752  - "version": "4.0.0",
    753  - "resolved": "https://registry.npmjs.org/javascript-obfuscator/-/javascript-obfuscator-4.0.0.tgz",
    754  - "integrity": "sha512-vS/8w/9eKISzwXNLd+OLMCCwjD+dFMdOlCDOo919iR/MWdBs+7u1ybpwRoWOmODToPQKVYw5GasvZoIiPs5nPw==",
     762 + "version": "4.0.2",
     763 + "resolved": "https://registry.npmjs.org/javascript-obfuscator/-/javascript-obfuscator-4.0.2.tgz",
     764 + "integrity": "sha512-MRBQREvjEwqEGdwNGG7yp0te5uZBFzrPZdxEs4rDYkPpHhhOQu+E0IhSXP7bO9dIUWXZU0Kkdohsuws525aVGQ==",
    755 765   "dev": true,
    756 766   "hasInstallScript": true,
    757 767   "dependencies": {
    758 768   "@javascript-obfuscator/escodegen": "2.3.0",
    759 769   "@javascript-obfuscator/estraverse": "5.4.0",
    760  - "acorn": "8.7.0",
     770 + "acorn": "8.8.2",
    761 771   "assert": "2.0.0",
    762 772   "chalk": "4.1.2",
    763  - "chance": "1.1.8",
    764  - "class-validator": "0.13.2",
    765  - "commander": "9.0.0",
    766  - "eslint-scope": "7.1.0",
    767  - "eslint-visitor-keys": "3.2.0",
     773 + "chance": "1.1.9",
     774 + "class-validator": "0.14.0",
     775 + "commander": "10.0.0",
     776 + "eslint-scope": "7.1.1",
     777 + "eslint-visitor-keys": "3.3.0",
    768 778   "fast-deep-equal": "3.1.3",
    769 779   "inversify": "6.0.1",
    770 780   "js-string-escape": "1.0.1",
    771 781   "md5": "2.3.0",
    772  - "mkdirp": "1.0.4",
     782 + "mkdirp": "2.1.3",
    773 783   "multimatch": "5.0.0",
    774 784   "opencollective-postinstall": "2.0.3",
    775 785   "process": "0.11.10",
    skipped 1 lines
    777 787   "source-map-support": "0.5.21",
    778 788   "string-template": "1.0.0",
    779 789   "stringz": "2.1.0",
    780  - "tslib": "2.3.1"
     790 + "tslib": "2.5.0"
    781 791   },
    782 792   "bin": {
    783 793   "javascript-obfuscator": "bin/javascript-obfuscator"
    784 794   },
    785 795   "engines": {
    786  - "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
     796 + "node": "^12.22.0 || ^14.0.0 || ^16.0.0 || ^17.0.0 || >=18.0.0"
    787 797   },
    788 798   "funding": {
    789 799   "type": "opencollective",
    skipped 23 lines
    813 823   }
    814 824   },
    815 825   "node_modules/libphonenumber-js": {
    816  - "version": "1.9.46",
    817  - "resolved": "https://registry.npmjs.org/libphonenumber-js/-/libphonenumber-js-1.9.46.tgz",
    818  - "integrity": "sha512-QqTX4UVsGy24njtCgLRspiKpxfRniRBZE/P+d0vQXuYWQ+hwDS6X0ouo0O/SRyf7bhhMCE71b6vAvLMtY5PfEw==",
     826 + "version": "1.10.19",
     827 + "resolved": "https://registry.npmjs.org/libphonenumber-js/-/libphonenumber-js-1.10.19.tgz",
     828 + "integrity": "sha512-MDZ1zLIkfSDZV5xBta3nuvbEOlsnKCPe4z5r3hyup/AXveevkl9A1eSWmLhd2FX4k7pJDe4MrLeQsux0HI/VWg==",
    819 829   "dev": true
    820 830   },
    821 831   "node_modules/md5": {
    skipped 8 lines
    830 840   }
    831 841   },
    832 842   "node_modules/minimatch": {
    833  - "version": "3.0.4",
    834  - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
    835  - "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
     843 + "version": "9.0.0",
     844 + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.0.tgz",
     845 + "integrity": "sha512-0jJj8AvgKqWN05mrwuqi8QYKx1WmYSUoKSxu5Qhs9prezTz10sxAHGNZe9J9cqIJzta8DWsleh2KaVaLl6Ru2w==",
    836 846   "dev": true,
    837 847   "dependencies": {
    838  - "brace-expansion": "^1.1.7"
     848 + "brace-expansion": "^2.0.1"
    839 849   },
    840 850   "engines": {
    841  - "node": "*"
     851 + "node": ">=16 || 14 >=14.17"
     852 + },
     853 + "funding": {
     854 + "url": "https://github.com/sponsors/isaacs"
    842 855   }
    843 856   },
    844 857   "node_modules/mkdirp": {
    845  - "version": "1.0.4",
    846  - "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.4.tgz",
    847  - "integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==",
     858 + "version": "2.1.3",
     859 + "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-2.1.3.tgz",
     860 + "integrity": "sha512-sjAkg21peAG9HS+Dkx7hlG9Ztx7HLeKnvB3NQRcu/mltCVmvkF0pisbiTSfDVYTT86XEfZrTUosLdZLStquZUw==",
    848 861   "dev": true,
    849 862   "bin": {
    850  - "mkdirp": "bin/cmd.js"
     863 + "mkdirp": "dist/cjs/src/bin.js"
    851 864   },
    852 865   "engines": {
    853 866   "node": ">=10"
     867 + },
     868 + "funding": {
     869 + "url": "https://github.com/sponsors/isaacs"
    854 870   }
    855 871   },
    856 872   "node_modules/multimatch": {
    skipped 2 lines
    859 875   "integrity": "sha512-ypMKuglUrZUD99Tk2bUQ+xNQj43lPEfAeX2o9cTteAmShXy2VHDJpuwu1o0xqoKCt9jLVAvwyFKdLTPXKAfJyA==",
    860 876   "dev": true,
    861 877   "dependencies": {
    862  - "@types/minimatch": "^3.0.3",
     878 + "@types/minimatch": "^3.0.5",
    863 879   "array-differ": "^3.0.0",
    864 880   "array-union": "^2.1.0",
    865 881   "arrify": "^2.0.1",
    866  - "minimatch": "^3.0.4"
     882 + "minimatch": "^3.0.5"
    867 883   },
    868 884   "engines": {
    869 885   "node": ">=10"
    870 886   },
    871 887   "funding": {
    872 888   "url": "https://github.com/sponsors/sindresorhus"
     889 + }
     890 + },
     891 + "node_modules/multimatch/node_modules/brace-expansion": {
     892 + "version": "1.1.11",
     893 + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
     894 + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
     895 + "dev": true,
     896 + "dependencies": {
     897 + "balanced-match": "^1.0.0",
     898 + "concat-map": "0.0.1"
     899 + }
     900 + },
     901 + "node_modules/multimatch/node_modules/minimatch": {
     902 + "version": "3.1.2",
     903 + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
     904 + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
     905 + "dev": true,
     906 + "dependencies": {
     907 + "brace-expansion": "^1.1.7"
     908 + },
     909 + "engines": {
     910 + "node": "*"
    873 911   }
    874 912   },
    875 913   "node_modules/object-inspect": {
    skipped 205 lines
    1081 1119   }
    1082 1120   },
    1083 1121   "node_modules/tslib": {
    1084  - "version": "2.3.1",
    1085  - "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.3.1.tgz",
    1086  - "integrity": "sha512-77EbyPPpMz+FRFRuAFlWMtmgUWGe9UOG2Z25NqCwiIjRhOf5iKGuzSe5P2w1laq+FkRy4p+PCuVkJSGkzTEKVw==",
     1122 + "version": "2.5.0",
     1123 + "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.5.0.tgz",
     1124 + "integrity": "sha512-336iVw3rtn2BUK7ORdIAHTyxHGRIHVReokCR3XjbckJMK7ms8FysBfhLR8IXnAgy7T0PTPNBWKiH514FOW/WSg==",
    1087 1125   "dev": true
    1088 1126   },
    1089 1127   "node_modules/type-check": {
    skipped 38 lines
    1128 1166   }
    1129 1167   },
    1130 1168   "node_modules/validator": {
    1131  - "version": "13.7.0",
    1132  - "resolved": "https://registry.npmjs.org/validator/-/validator-13.7.0.tgz",
    1133  - "integrity": "sha512-nYXQLCBkpJ8X6ltALua9dRrZDHVYxjJ1wgskNt1lH9fzGjs3tgojGSCBjmEPwkWS1y29+DrizMTW19Pr9uB2nw==",
     1169 + "version": "13.9.0",
     1170 + "resolved": "https://registry.npmjs.org/validator/-/validator-13.9.0.tgz",
     1171 + "integrity": "sha512-B+dGG8U3fdtM0/aNK4/X8CXq/EcxU2WPrPEkJGslb47qyHsxmbggTWK0yEA4qnYVNF+nxNlN88o14hIcPmSIEA==",
    1134 1172   "dev": true,
    1135 1173   "engines": {
    1136 1174   "node": ">= 0.10"
    skipped 71 lines
    1208 1246   "integrity": "sha512-Klz949h02Gz2uZCMGwDUSDS1YBlTdDDgbWHi+81l29tQALUtvz4rAYi5uoVhE5Lagoq6DeqAUlbrHvW/mXDgdQ==",
    1209 1247   "dev": true
    1210 1248   },
     1249 + "@types/validator": {
     1250 + "version": "13.7.12",
     1251 + "resolved": "https://registry.npmjs.org/@types/validator/-/validator-13.7.12.tgz",
     1252 + "integrity": "sha512-YVtyAPqpefU+Mm/qqnOANW6IkqKpCSrarcyV269C8MA8Ux0dbkEuQwM/4CjL47kVEM2LgBef/ETfkH+c6+moFA==",
     1253 + "dev": true
     1254 + },
    1211 1255   "acorn": {
    1212  - "version": "8.7.0",
    1213  - "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.7.0.tgz",
    1214  - "integrity": "sha512-V/LGr1APy+PXIwKebEWrkZPwoeoF+w1jiOBUmuxuiUIaOHtob8Qc9BTrYo7VuI5fR8tqsy+buA2WFooR5olqvQ==",
     1256 + "version": "8.8.2",
     1257 + "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.8.2.tgz",
     1258 + "integrity": "sha512-xjIYgE8HBrkpd/sJqOGNspf8uHG+NOHGOw6a/Urj8taM2EXfdNAH2oFcPeIFfsv3+kz/mJrS5VuMqbNLjCa2vw==",
    1215 1259   "dev": true
    1216 1260   },
    1217 1261   "ansi-styles": {
    skipped 48 lines
    1266 1310   "dev": true
    1267 1311   },
    1268 1312   "brace-expansion": {
    1269  - "version": "1.1.11",
    1270  - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
    1271  - "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
     1313 + "version": "2.0.1",
     1314 + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
     1315 + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
    1272 1316   "dev": true,
    1273 1317   "requires": {
    1274  - "balanced-match": "^1.0.0",
    1275  - "concat-map": "0.0.1"
     1318 + "balanced-match": "^1.0.0"
    1276 1319   }
    1277 1320   },
    1278 1321   "buffer-from": {
    skipped 23 lines
    1302 1345   }
    1303 1346   },
    1304 1347   "chance": {
    1305  - "version": "1.1.8",
    1306  - "resolved": "https://registry.npmjs.org/chance/-/chance-1.1.8.tgz",
    1307  - "integrity": "sha512-v7fi5Hj2VbR6dJEGRWLmJBA83LJMS47pkAbmROFxHWd9qmE1esHRZW8Clf1Fhzr3rjxnNZVCjOEv/ivFxeIMtg==",
     1348 + "version": "1.1.9",
     1349 + "resolved": "https://registry.npmjs.org/chance/-/chance-1.1.9.tgz",
     1350 + "integrity": "sha512-TfxnA/DcZXRTA4OekA2zL9GH8qscbbl6X0ZqU4tXhGveVY/mXWvEQLt5GwZcYXTEyEFflVtj+pG8nc8EwSm1RQ==",
    1308 1351   "dev": true
    1309 1352   },
    1310 1353   "char-regex": {
    skipped 9 lines
    1320 1363   "dev": true
    1321 1364   },
    1322 1365   "class-validator": {
    1323  - "version": "0.13.2",
    1324  - "resolved": "https://registry.npmjs.org/class-validator/-/class-validator-0.13.2.tgz",
    1325  - "integrity": "sha512-yBUcQy07FPlGzUjoLuUfIOXzgynnQPPruyK1Ge2B74k9ROwnle1E+NxLWnUv5OLU8hA/qL5leAE9XnXq3byaBw==",
     1366 + "version": "0.14.0",
     1367 + "resolved": "https://registry.npmjs.org/class-validator/-/class-validator-0.14.0.tgz",
     1368 + "integrity": "sha512-ct3ltplN8I9fOwUd8GrP8UQixwff129BkEtuWDKL5W45cQuLd19xqmTLu5ge78YDm/fdje6FMt0hGOhl0lii3A==",
    1326 1369   "dev": true,
    1327 1370   "requires": {
    1328  - "libphonenumber-js": "^1.9.43",
     1371 + "@types/validator": "^13.7.10",
     1372 + "libphonenumber-js": "^1.10.14",
    1329 1373   "validator": "^13.7.0"
    1330 1374   }
    1331 1375   },
    skipped 13 lines
    1345 1389   "dev": true
    1346 1390   },
    1347 1391   "commander": {
    1348  - "version": "9.0.0",
    1349  - "resolved": "https://registry.npmjs.org/commander/-/commander-9.0.0.tgz",
    1350  - "integrity": "sha512-JJfP2saEKbQqvW+FI93OYUB4ByV5cizMpFMiiJI8xDbBvQvSkIk0VvQdn1CZ8mqAO8Loq2h0gYTYtDFUZUeERw==",
     1392 + "version": "10.0.0",
     1393 + "resolved": "https://registry.npmjs.org/commander/-/commander-10.0.0.tgz",
     1394 + "integrity": "sha512-zS5PnTI22FIRM6ylNW8G4Ap0IEOyk62fhLSD0+uHRT9McRCLGpkVNvao4bjimpK/GShynyQkFFxHhwMcETmduA==",
    1351 1395   "dev": true
    1352 1396   },
    1353 1397   "concat-map": {
    1354 1398   "version": "0.0.1",
    1355 1399   "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
    1356  - "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=",
     1400 + "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
    1357 1401   "dev": true
    1358 1402   },
    1359 1403   "crypt": {
    skipped 63 lines
    1423 1467   "dev": true
    1424 1468   },
    1425 1469   "eslint-scope": {
    1426  - "version": "7.1.0",
    1427  - "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-7.1.0.tgz",
    1428  - "integrity": "sha512-aWwkhnS0qAXqNOgKOK0dJ2nvzEbhEvpy8OlJ9kZ0FeZnA6zpjv1/Vei+puGFFX7zkPCkHHXb7IDX3A+7yPrRWg==",
     1470 + "version": "7.1.1",
     1471 + "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-7.1.1.tgz",
     1472 + "integrity": "sha512-QKQM/UXpIiHcLqJ5AOyIW7XZmzjkzQXYE54n1++wb0u9V/abW3l9uQnxX8Z5Xd18xyKIMTUAyQ0k1e8pz6LUrw==",
    1429 1473   "dev": true,
    1430 1474   "requires": {
    1431 1475   "esrecurse": "^4.3.0",
    skipped 1 lines
    1433 1477   }
    1434 1478   },
    1435 1479   "eslint-visitor-keys": {
    1436  - "version": "3.2.0",
    1437  - "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.2.0.tgz",
    1438  - "integrity": "sha512-IOzT0X126zn7ALX0dwFiUQEdsfzrm4+ISsQS8nukaJXwEyYKRSnEIIDULYg1mCtGp7UUXgfGl7BIolXREQK+XQ==",
     1480 + "version": "3.3.0",
     1481 + "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.3.0.tgz",
     1482 + "integrity": "sha512-mQ+suqKJVyeuwGYHAdjMFqjCyfl8+Ldnxuyp3ldiMBFKkvytrXUZWaiPCEav8qDHKty44bD+qV1IP4T+w+xXRA==",
    1439 1483   "dev": true
    1440 1484   },
    1441 1485   "esprima": {
    skipped 268 lines
    1710 1754   }
    1711 1755   },
    1712 1756   "javascript-obfuscator": {
    1713  - "version": "4.0.0",
    1714  - "resolved": "https://registry.npmjs.org/javascript-obfuscator/-/javascript-obfuscator-4.0.0.tgz",
    1715  - "integrity": "sha512-vS/8w/9eKISzwXNLd+OLMCCwjD+dFMdOlCDOo919iR/MWdBs+7u1ybpwRoWOmODToPQKVYw5GasvZoIiPs5nPw==",
     1757 + "version": "4.0.2",
     1758 + "resolved": "https://registry.npmjs.org/javascript-obfuscator/-/javascript-obfuscator-4.0.2.tgz",
     1759 + "integrity": "sha512-MRBQREvjEwqEGdwNGG7yp0te5uZBFzrPZdxEs4rDYkPpHhhOQu+E0IhSXP7bO9dIUWXZU0Kkdohsuws525aVGQ==",
    1716 1760   "dev": true,
    1717 1761   "requires": {
    1718 1762   "@javascript-obfuscator/escodegen": "2.3.0",
    1719 1763   "@javascript-obfuscator/estraverse": "5.4.0",
    1720  - "acorn": "8.7.0",
     1764 + "acorn": "8.8.2",
    1721 1765   "assert": "2.0.0",
    1722 1766   "chalk": "4.1.2",
    1723  - "chance": "1.1.8",
    1724  - "class-validator": "0.13.2",
    1725  - "commander": "9.0.0",
    1726  - "eslint-scope": "7.1.0",
    1727  - "eslint-visitor-keys": "3.2.0",
     1767 + "chance": "1.1.9",
     1768 + "class-validator": "0.14.0",
     1769 + "commander": "10.0.0",
     1770 + "eslint-scope": "7.1.1",
     1771 + "eslint-visitor-keys": "3.3.0",
    1728 1772   "fast-deep-equal": "3.1.3",
    1729 1773   "inversify": "6.0.1",
    1730 1774   "js-string-escape": "1.0.1",
    1731 1775   "md5": "2.3.0",
    1732  - "mkdirp": "1.0.4",
     1776 + "mkdirp": "2.1.3",
    1733 1777   "multimatch": "5.0.0",
    1734 1778   "opencollective-postinstall": "2.0.3",
    1735 1779   "process": "0.11.10",
    skipped 1 lines
    1737 1781   "source-map-support": "0.5.21",
    1738 1782   "string-template": "1.0.0",
    1739 1783   "stringz": "2.1.0",
    1740  - "tslib": "2.3.1"
     1784 + "tslib": "2.5.0"
    1741 1785   }
    1742 1786   },
    1743 1787   "js-string-escape": {
    skipped 13 lines
    1757 1801   }
    1758 1802   },
    1759 1803   "libphonenumber-js": {
    1760  - "version": "1.9.46",
    1761  - "resolved": "https://registry.npmjs.org/libphonenumber-js/-/libphonenumber-js-1.9.46.tgz",
    1762  - "integrity": "sha512-QqTX4UVsGy24njtCgLRspiKpxfRniRBZE/P+d0vQXuYWQ+hwDS6X0ouo0O/SRyf7bhhMCE71b6vAvLMtY5PfEw==",
     1804 + "version": "1.10.19",
     1805 + "resolved": "https://registry.npmjs.org/libphonenumber-js/-/libphonenumber-js-1.10.19.tgz",
     1806 + "integrity": "sha512-MDZ1zLIkfSDZV5xBta3nuvbEOlsnKCPe4z5r3hyup/AXveevkl9A1eSWmLhd2FX4k7pJDe4MrLeQsux0HI/VWg==",
    1763 1807   "dev": true
    1764 1808   },
    1765 1809   "md5": {
    skipped 8 lines
    1774 1818   }
    1775 1819   },
    1776 1820   "minimatch": {
    1777  - "version": "3.0.4",
    1778  - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
    1779  - "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
     1821 + "version": "9.0.0",
     1822 + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.0.tgz",
     1823 + "integrity": "sha512-0jJj8AvgKqWN05mrwuqi8QYKx1WmYSUoKSxu5Qhs9prezTz10sxAHGNZe9J9cqIJzta8DWsleh2KaVaLl6Ru2w==",
    1780 1824   "dev": true,
    1781 1825   "requires": {
    1782  - "brace-expansion": "^1.1.7"
     1826 + "brace-expansion": "^2.0.1"
    1783 1827   }
    1784 1828   },
    1785 1829   "mkdirp": {
    1786  - "version": "1.0.4",
    1787  - "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.4.tgz",
    1788  - "integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==",
     1830 + "version": "2.1.3",
     1831 + "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-2.1.3.tgz",
     1832 + "integrity": "sha512-sjAkg21peAG9HS+Dkx7hlG9Ztx7HLeKnvB3NQRcu/mltCVmvkF0pisbiTSfDVYTT86XEfZrTUosLdZLStquZUw==",
    1789 1833   "dev": true
    1790 1834   },
    1791 1835   "multimatch": {
    skipped 2 lines
    1794 1838   "integrity": "sha512-ypMKuglUrZUD99Tk2bUQ+xNQj43lPEfAeX2o9cTteAmShXy2VHDJpuwu1o0xqoKCt9jLVAvwyFKdLTPXKAfJyA==",
    1795 1839   "dev": true,
    1796 1840   "requires": {
    1797  - "@types/minimatch": "^3.0.3",
     1841 + "@types/minimatch": "^3.0.5",
    1798 1842   "array-differ": "^3.0.0",
    1799 1843   "array-union": "^2.1.0",
    1800 1844   "arrify": "^2.0.1",
    1801  - "minimatch": "^3.0.4"
     1845 + "minimatch": "^3.0.5"
     1846 + },
     1847 + "dependencies": {
     1848 + "brace-expansion": {
     1849 + "version": "1.1.11",
     1850 + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
     1851 + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
     1852 + "dev": true,
     1853 + "requires": {
     1854 + "balanced-match": "^1.0.0",
     1855 + "concat-map": "0.0.1"
     1856 + }
     1857 + },
     1858 + "minimatch": {
     1859 + "version": "3.1.2",
     1860 + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
     1861 + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
     1862 + "dev": true,
     1863 + "requires": {
     1864 + "brace-expansion": "^1.1.7"
     1865 + }
     1866 + }
    1802 1867   }
    1803 1868   },
    1804 1869   "object-inspect": {
    skipped 146 lines
    1951 2016   }
    1952 2017   },
    1953 2018   "tslib": {
    1954  - "version": "2.3.1",
    1955  - "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.3.1.tgz",
    1956  - "integrity": "sha512-77EbyPPpMz+FRFRuAFlWMtmgUWGe9UOG2Z25NqCwiIjRhOf5iKGuzSe5P2w1laq+FkRy4p+PCuVkJSGkzTEKVw==",
     2019 + "version": "2.5.0",
     2020 + "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.5.0.tgz",
     2021 + "integrity": "sha512-336iVw3rtn2BUK7ORdIAHTyxHGRIHVReokCR3XjbckJMK7ms8FysBfhLR8IXnAgy7T0PTPNBWKiH514FOW/WSg==",
    1957 2022   "dev": true
    1958 2023   },
    1959 2024   "type-check": {
    skipped 32 lines
    1992 2057   }
    1993 2058   },
    1994 2059   "validator": {
    1995  - "version": "13.7.0",
    1996  - "resolved": "https://registry.npmjs.org/validator/-/validator-13.7.0.tgz",
    1997  - "integrity": "sha512-nYXQLCBkpJ8X6ltALua9dRrZDHVYxjJ1wgskNt1lH9fzGjs3tgojGSCBjmEPwkWS1y29+DrizMTW19Pr9uB2nw==",
     2060 + "version": "13.9.0",
     2061 + "resolved": "https://registry.npmjs.org/validator/-/validator-13.9.0.tgz",
     2062 + "integrity": "sha512-B+dGG8U3fdtM0/aNK4/X8CXq/EcxU2WPrPEkJGslb47qyHsxmbggTWK0yEA4qnYVNF+nxNlN88o14hIcPmSIEA==",
    1998 2063   "dev": true
    1999 2064   },
    2000 2065   "which-boxed-primitive": {
    skipped 35 lines
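--- a/js/package.json
+++ b/js/package.json
@@ -11,8 +11,12 @@
  ],
  "author": "",
  "license": "MIT",
+ "dependencies": {
+ "minimatch": ">=9.0.0"
+ },
  "devDependencies": {
- "javascript-obfuscator": "^4.0.0"
+ "minimatch": ">=9.0.0",
+ "javascript-obfuscator": "^4.0.2"
  }
 }
 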
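Review bot: `"minimatch": ">=9.0.0"` is declared twice, under both `dependencies` and `devDependencies`, and with an open-ended lower bound; npm warns on the duplicate, and `>=` accepts any future major, so a later install can silently pick up a breaking or tampered release — `"minimatch": "^9.0.0"` declared once is the reproducible form. Declaring it at the top level also does not change what `multimatch` resolves: the package-lock in this same commit still pins a nested `node_modules/multimatch/node_modules/minimatch` at 3.1.2, so if the goal was to remediate the transitive 3.x copy, an `overrides` entry is the mechanism, subject to checking that multimatch 5.0.0 (declared range `^3.0.5`) actually works against minimatch 9. Since this package appears to have no runtime code beyond the obfuscation step, `dependencies` looks like the wrong section for it regardless.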
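--- a/jsconfig.json
+++ b/jsconfig.json
@@ -0,0 +1,4 @@
+{
+ "include": ["./node_modules/cypress", "cypress/**/*.js"]
+}
+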
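--- a/k8s/challenge33.yml
+++ b/k8s/challenge33.yml
@@ -0,0 +1,15 @@
+apiVersion: v1
+data:
+ answer: VBUGh3wu/3I1naHj1Uf97Y0Lq8B5/92q1jwp3/aYSwHSJI8WqdZnYLj78hESlfPPKf1ZKPap4z2+r+G9NRwdFU/YBMTY3cNguMm5C6l2pTK9JhPFnUzerIwMrnhu9GjrqSFn/BtOvLnQa/mSgXDNJYUOU8gCHFs9JEeQv9hpWpyxlB2Nqu0MHrPNODY3ZohhkjWXaxbjCZi9SpmHydU06Z7LqWyF39G6V8CF6LBPkdUn3aJAV++F0Q9IcSM=
+kind: Secret
+metadata:
+ annotations:
+ kubectl.kubernetes.io/last-applied-configuration: |
+ {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"challenge33","namespace":"default"},"stringData":{"answer":"This was a standardValue as SecureSecret"},"type":"generic"}
+ creationTimestamp: "2023-05-14T20:58:31Z"
+ name: challenge33
+ namespace: default
+ resourceVersion: "1891"
+ uid: 02f40c7a-0319-4936-9d3f-f47b8c4eb642
+type: generic
+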
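Review bot: This manifest is a raw `kubectl get -o yaml` export: `resourceVersion`, `uid` and `creationTimestamp` are server-assigned fields that should be stripped, otherwise applying it to any cluster other than the one it came from is fragile (the API server rejects a set `resourceVersion` on create, and a stored `uid` that differs fails the precondition on update). The `kubectl.kubernetes.io/last-applied-configuration` annotation also carries the original `stringData` in clear text next to the encoded `data.answer`, so both representations of the value are committed. If exposing that annotation is the point of challenge 33, a comment at the top such as `# Deliberately exported with last-applied-configuration intact; the leaked annotation is the challenge` keeps a future cleanup from breaking it; if it is not, drop the annotation and keep only `name`, `namespace`, `type` and `data`.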
  • k8s/helm-vault-values.yml
    Content is identical
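--- a/k8s/secret-challenge-deployment.yml
+++ b/k8s/secret-challenge-deployment.yml
@@ -28,13 +28,49 @@
  runAsGroup: 2000
  fsGroup: 2000
  containers:
- - image: jeroenwillemsen/wrongsecrets:1.5.2-no-vault
+ - image: jeroenwillemsen/wrongsecrets:1.6.4-no-vault
  imagePullPolicy: IfNotPresent
+ name: secret-challenge
  ports:
  - containerPort: 8080
  protocol: TCP
- name: secret-challenge
- resources: {}
+ readinessProbe:
+ httpGet:
+ path: '/actuator/health/readiness'
+ port: 8080
+ initialDelaySeconds: 30
+ timeoutSeconds: 5
+ periodSeconds: 5
+ failureThreshold: 8
+ livenessProbe:
+ httpGet:
+ path: '/actuator/health/liveness'
+ port: 8080
+ initialDelaySeconds: 35
+ timeoutSeconds: 30
+ periodSeconds: 40
+ failureThreshold: 5
+ resources:
+ requests:
+ memory: '512Mi'
+ cpu: '200m'
+ ephemeral-storage: '1Gi'
+ limits:
+ memory: '512Mi'
+ cpu: '1200m'
+ ephemeral-storage: '2Gi'
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ volumeMounts:
+ - name: 'ephemeral'
+ mountPath: '/tmp'
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  env:
@@ -50,6 +86,14 @@
  secretKeyRef:
  name: funnystuff
  key: funnier
+ - name: CHALLENGE33
+ valueFrom:
+ secretKeyRef:
+ name: challenge33
+ key: answer
+ volumes:
+ - name: 'ephemeral'
+ emptyDir: { }
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  schedulerName: default-scheduler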
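Review bot: The container's `securityContext` block in this hunk sits after `resources`, while the same commit places it directly after `name` in k8s/secret-challenge-vault-deployment.yml and in both okteto deployments, and the CPU limit is `'1200m'` here but `"1000m"` in the okteto copies; keeping the four container specs in the same key order and quoting style makes the next drift visible in a plain diff. The `emptyDir: { }` backing `/tmp` has no `sizeLimit`, so the only bound on it is the container's `ephemeral-storage` limit; adding `sizeLimit: 1Gi` to the volume would make that intent explicit. The Deployment's `spec` starts above the first hunk.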
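--- a/k8s/secret-challenge-vault-deployment.yml
+++ b/k8s/secret-challenge-vault-deployment.yml
@@ -30,13 +30,49 @@
  runAsNonRoot: true
  serviceAccountName: vault
  containers:
- - image: jeroenwillemsen/wrongsecrets:1.5.2-k8s-vault
+ - image: jeroenwillemsen/wrongsecrets:1.6.4-k8s-vault
  imagePullPolicy: IfNotPresent
+ name: secret-challenge
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
  ports:
  - containerPort: 8080
  protocol: TCP
- name: secret-challenge
- resources: { }
+ readinessProbe:
+ httpGet:
+ path: '/actuator/health/readiness'
+ port: 8080
+ initialDelaySeconds: 30
+ timeoutSeconds: 5
+ periodSeconds: 5
+ failureThreshold: 8
+ livenessProbe:
+ httpGet:
+ path: '/actuator/health/liveness'
+ port: 8080
+ initialDelaySeconds: 35
+ timeoutSeconds: 30
+ periodSeconds: 40
+ failureThreshold: 5
+ resources:
+ requests:
+ memory: '512Mi'
+ cpu: '200m'
+ ephemeral-storage: '1Gi'
+ limits:
+ memory: '512Mi'
+ cpu: '1200m'
+ ephemeral-storage: '2Gi'
+ volumeMounts:
+ - name: 'ephemeral'
+ mountPath: '/tmp'
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  env:
@@ -52,10 +88,18 @@
  secretKeyRef:
  name: funnystuff
  key: funnier
- - name: VAULT_ADDR
- value: "http://vault:8200"
+ - name: CHALLENGE33
+ valueFrom:
+ secretKeyRef:
+ name: challenge33
+ key: answer
+ - name: SPRING_CLOUD_VAULT_URI
+ value: "http://vault.vault.svc.cluster.local:8200"
  - name: JWT_PATH
  value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ volumes:
+ - name: 'ephemeral'
+ emptyDir: { }
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  schedulerName: default-scheduler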
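Review bot: `SPRING_CLOUD_VAULT_URI` points the app at `http://vault.vault.svc.cluster.local:8200`, so the service-account JWT the app presents for Kubernetes auth and the secrets it reads back travel in-cluster in cleartext; that is presumably acceptable for a minikube demo, but a comment above the entry such as `# plain HTTP is fine for the local demo; use https with a trusted CA anywhere else` would stop it being copied into a real setup. `VAULT_ADDR` is removed in the second hunk without a replacement of the same name; whether anything else in the image still reads it cannot be seen from this diff and is worth confirming against the application config. The Deployment's `spec` starts above the first hunk.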
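--- a/k8s/workspace-psa.yml
+++ b/k8s/workspace-psa.yml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: default
+ labels:
+ pod-security.kubernetes.io/enforce: restricted
+ kubernetes.io/metadata.name: default
+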
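Review bot: Only the `enforce` label is set and no `pod-security.kubernetes.io/enforce-version`, so the `restricted` profile is evaluated against whatever version the cluster runs; pinning `pod-security.kubernetes.io/enforce-version: v1.25` (matching `--kubernetes-version=v1.25.6` in k8s-vault-minkube-start.sh) keeps the demo deployments from breaking when minikube moves on. Adding `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` alongside would also surface pods already present in `default` when the label is applied, since enforcement only gates new admissions. A header comment stating that this manifest is applied over the pre-existing `default` namespace would help, because `kubectl apply` on a namespace the script did not create reads oddly.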
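--- a/k8s-vault-minkube-resume.sh
+++ b/k8s-vault-minkube-resume.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-kubectl port-forward vault-0 8200:8200 &
+kubectl port-forward vault-0 -n vault 8200:8200 &
 kubectl port-forward \
  $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
  8080:8080 \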
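--- a/k8s-vault-minkube-start.sh
+++ b/k8s-vault-minkube-start.sh
@@ -9,7 +9,10 @@
 
 echo "This is only a script for demoing purposes. You can comment out line 22 and work with your own k8s setup"
 echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube . Vault is awesome!"
-minikube start --kubernetes-version=v1.22.5
+minikube start --kubernetes-version=v1.25.6
+
+echo "Patching default ns with new PSA; we should run as restricted!"
+kubectl apply -f k8s/workspace-psa.yml
 
 kubectl get configmaps | grep 'secrets-file' &> /dev/null
 if [ $? == 0 ]; then
@@ -23,38 +26,44 @@
  echo "secrets secret is already installed"
 else
  kubectl apply -f k8s/secrets-secret.yml
+ kubectl apply -f k8s/challenge33.yml
 fi
 helm list | grep 'consul' &> /dev/null
 if [ $? == 0 ]; then
  echo "Consul is already installed"
 else
  helm repo add hashicorp https://helm.releases.hashicorp.com
- helm install consul hashicorp/consul --version 0.30.0 --values k8s/helm-consul-values.yml
 fi
+helm upgrade --install consul hashicorp/consul --set global.name=consul --create-namespace -n consul --values k8s/helm-consul-values.yml
 
-while [[ $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True" ]]; do echo "waiting for Consul" && sleep 2; done
+while [[ $(kubectl get pods -n consul -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True True True" ]]; do echo "waiting for Consul" && sleep 2; done
 
 helm list | grep 'vault' &> /dev/null
 if [ $? == 0 ]; then
  echo "Vault is already installed"
 else
  helm repo add hashicorp https://helm.releases.hashicorp.com
- helm install vault hashicorp/vault --version 0.19.0 --values k8s/helm-vault-values.yml
 fi
+kubectl create ns vault
+helm upgrade --install vault hashicorp/vault --version 0.23.0 --namespace vault --values k8s/helm-vault-values.yml
 
-isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running)
-while [[ $isvaultrunning != *"vault-0"* ]]; do echo "waiting for Vault1" && sleep 2 && isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running); done
-while [[ $isvaultrunning != *"vault-1"* ]]; do echo "waiting for Vault2" && sleep 2 && isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running); done
-while [[ $isvaultrunning != *"vault-2"* ]]; do echo "waiting for Vault3" && sleep 2 && isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running); done
+isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running)
+while [[ $isvaultrunning != *"vault-0"* ]]; do echo "waiting for Vault1" && sleep 2 && isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running); done
+while [[ $isvaultrunning != *"vault-1"* ]]; do echo "waiting for Vault2" && sleep 2 && isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running); done
+while [[ $isvaultrunning != *"vault-2"* ]]; do echo "waiting for Vault3" && sleep 2 && isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running); done
 echo "Setting up port forwarding"
-kubectl port-forward vault-0 8200:8200 &
+kubectl port-forward vault-0 8200:8200 -n vault &
 echo "Unsealing Vault"
-kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
+kubectl exec -n vault vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
 cat cluster-keys.json | jq -r ".unseal_keys_b64[]"
 VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
-kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
+
+echo "⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰⏰"
+echo "PLEASE COPY PASTE THE FOLLOWING VALUE: ${VAULT_UNSEAL_KEY} , you will be asked for it 3 times to unseal the vaults"
+
+kubectl exec -it vault-0 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
+kubectl exec -it vault-1 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
+kubectl exec -it vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY
 
 
 echo "Obtaining root token"
@@ -64,26 +73,26 @@
 ROOTTOKEN=$(cat root_token)
 
 echo "Logging in"
-kubectl exec vault-0 -- vault login $ROOTTOKEN
+kubectl exec vault-0 -n vault -- vault login $ROOTTOKEN
 
 echo "Enabling kv-v2 kubernetes"
-kubectl exec vault-0 -- vault secrets enable -path=secret kv-v2
+kubectl exec vault-0 -n vault -- vault secrets enable -path=secret kv-v2
 
 echo "Putting a secret in"
-kubectl exec vault-0 -- vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)"
+kubectl exec vault-0 -n vault -- vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)"
 
 echo "Enable k8s auth"
-kubectl exec vault-0 -- vault auth enable kubernetes
+kubectl exec vault-0 -n vault -- vault auth enable kubernetes
 
 echo "Writing k8s auth config"
 
-kubectl exec vault-0 -- /bin/sh -c 'vault write auth/kubernetes/config \
+kubectl exec vault-0 -n vault -- /bin/sh -c 'vault write auth/kubernetes/config \
  token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
 
 echo "Writing policy for secret-challenge"
-kubectl exec vault-0 -- /bin/sh -c 'vault policy write secret-challenge - <<EOF
+kubectl exec vault-0 -n vault -- /bin/sh -c 'vault policy write secret-challenge - <<EOF
 path "secret/data/secret-challenge" {
  capabilities = ["read"]
 }
@@ -93,7 +102,7 @@
 EOF'
 
 echo "Write secrets for secret-challenge"
-kubectl exec vault-0 -- vault write auth/kubernetes/role/secret-challenge \
+kubectl exec vault-0 -n vault -- vault write auth/kubernetes/role/secret-challenge \
  bound_service_account_names=vault \
  bound_service_account_namespaces=default \
  policies=secret-challenge \
@@ -101,6 +110,7 @@
  && vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)" \
  && vault kv put secret/application vaultpassword.password="$(openssl rand -base64 16)" \
 
+kubectl create serviceaccount vault
 echo "Deploy secret challenge app"
 kubectl apply -f k8s/secret-challenge-vault-deployment.yml
 while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
@@ -117,4 +127,3 @@
 echo "logs from pod to make sure:"
 cat pod.log
 
-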
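Review bot: `kubectl apply -f k8s/challenge33.yml` is added inside the `else` branch that only runs when the `secrets` secret is not yet installed, so on a cluster that already has it from an earlier run the `challenge33` Secret is never created and the deployment's required `secretKeyRef` leaves the pod unable to start; apply it unconditionally next to the other manifests. `kubectl create ns vault` and `kubectl create serviceaccount vault` are likewise unconditional and will print an error on every re-run (the script has no `set -e`, so it carries on); `kubectl create ns vault --dry-run=client -o yaml | kubectl apply -f -` is the idempotent form. The unseal key is now echoed to the terminal in addition to being written to cluster-keys.json, which is fine for a demo, but the three `kubectl exec -it ... vault operator unseal $VAULT_UNSEAL_KEY` calls already pass the key as an argument, so it is unclear why the message says the user will be prompted three times — worth confirming. The script begins above the first hunk.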
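--- a/okteto/k8s/challenge33.yml
+++ b/okteto/k8s/challenge33.yml
@@ -0,0 +1,15 @@
+apiVersion: v1
+data:
+ answer: VBUGh3wu/3I1naHj1Uf97Y0Lq8B5/92q1jwp3/aYSwHSJI8WqdZnYLj78hESlfPPKf1ZKPap4z2+r+G9NRwdFU/YBMTY3cNguMm5C6l2pTK9JhPFnUzerIwMrnhu9GjrqSFn/BtOvLnQa/mSgXDNJYUOU8gCHFs9JEeQv9hpWpyxlB2Nqu0MHrPNODY3ZohhkjWXaxbjCZi9SpmHydU06Z7LqWyF39G6V8CF6LBPkdUn3aJAV++F0Q9IcSM=
+kind: Secret
+metadata:
+ annotations:
+ kubectl.kubernetes.io/last-applied-configuration: |
+ {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"challenge33","namespace":"default"},"stringData":{"answer":"This was a standardValue as SecureSecret"},"type":"generic"}
+ creationTimestamp: "2023-05-14T20:58:31Z"
+ name: challenge33
+ namespace: default
+ resourceVersion: "1891"
+ uid: 02f40c7a-0319-4936-9d3f-f47b8c4eb642
+type: generic
+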
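Review bot: This manifest is a `kubectl get -o yaml` dump: `creationTimestamp`, `resourceVersion: "1891"`, `uid` and the `last-applied-configuration` annotation are cluster-specific and are likely to make `kubectl apply` on a fresh cluster conflict rather than create the object; the same dumped fields (plus the long-removed `selfLink`) appear in okteto/k8s/secrets-config.yml and okteto/k8s/secrets-secret.yml. Unlike those two files this one hard-codes `namespace: default` instead of `$OKTETO_NAMESPACE`, so after the `envsubst` in okteto/okteto.yml the Secret lands in a different namespace than the Deployment whose `CHALLENGE33` env references it, and that pod will not start. The annotation also carries the original `stringData` in plain text; if exposing it is the point of challenge 33, say so in a comment at the top of the file, otherwise drop the annotation together with the other server-generated metadata.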
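--- a/okteto/k8s/secret-challenge-ctf-deployment.yml
+++ b/okteto/k8s/secret-challenge-ctf-deployment.yml
@@ -0,0 +1,125 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: secret-challenge-ctf
+ name: secret-challenge-ctf
+ namespace: $OKTETO_NAMESPACE
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: secret-challenge-ctf
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: secret-challenge-ctf
+ name: secret-challenge-ctf
+ spec:
+ securityContext:
+ runAsUser: 2000
+ runAsGroup: 2000
+ fsGroup: 2000
+ containers:
+ - image: jeroenwillemsen/wrongsecrets:1.6.4-no-vault
+ name: secret-challenge-ctf
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: "/actuator/health/readiness"
+ port: 8080
+ initialDelaySeconds: 30
+ timeoutSeconds: 5
+ periodSeconds: 5
+ failureThreshold: 8
+ livenessProbe:
+ httpGet:
+ path: "/actuator/health/liveness"
+ port: 8080
+ initialDelaySeconds: 35
+ timeoutSeconds: 30
+ periodSeconds: 40
+ failureThreshold: 5
+ resources:
+ requests:
+ memory: "512Mi"
+ cpu: "200m"
+ ephemeral-storage: "1Gi"
+ limits:
+ memory: "512Mi"
+ cpu: "1000m"
+ ephemeral-storage: "2Gi"
+ volumeMounts:
+ - name: "ephemeral"
+ mountPath: "/tmp"
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ env:
+ - name: ctf_enabled
+ value: "true"
+ - name: hints_enabled
+ value: "false"
+ - name: ctf_key
+ value: TRwzkRJnHOTckssAeyJbysWgP!Qc2T
+ - name: CHALLENGE33
+ valueFrom:
+ secretKeyRef:
+ name: challenge33
+ key: answer
+ - name: vaultpassword
+ value: if_you_see_this_please_use_K8S_and_Vault
+ - name: default_aws_value_challenge_9
+ value: if_you_see_this_please_use_AWS_Setup
+ - name: default_aws_value_challenge_10
+ value: if_you_see_this_please_use
+ - name: default_aws_value_challenge_11
+ value: if_you_see_this_please_use
+ - name: canarytokenURLs
+ value: "https://canarytokens.org/history?token=cs07k832u9t1u4npowbvsw4mb&auth=7f75f2b2a4207c91fbc1ea59f7a495eb"
+ - name: challenge15ciphertext
+ value: "k9+HuPXEiFD6efujS5h1lOL1xgAC2OIgE2alg9JweUDy8k2SHUoG6I9FOhM1mgPKIUlyPWvROo+2T5p4qrAnuPYC/xAzVjGDUoN4eIXdXn+gwcYmL+Be8TodjXUt9U3g1/B9O2wyVZTT9Q839FaDHeBR4Og="
+ - name: springdoc_api-docs_enabled
+ value: "false"
+ - name: challenge_acht_ctf_host_value
+ value: "thisisfunnyisitnot?"
+ - name: challenge_thirty_ctf_to_provide_to_host_value
+ value: "thisisthekeyforchallengethirty"
+ - name: K8S_ENV
+ value: Okteto(k8s)
+ - name: SPECIAL_K8S_SECRET
+ valueFrom:
+ configMapKeyRef:
+ name: secrets-file
+ key: funny.entry
+ - name: SPECIAL_SPECIAL_K8S_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: funnystuff
+ key: funnier
+ volumes:
+ - name: "ephemeral"
+ emptyDir: {}
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ terminationGracePeriodSeconds: 30
+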
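Review bot: `ctf_key` is a literal `value:` in a committed manifest, as is the `auth=` parameter of `canarytokenURLs`, while the same env list already reads `CHALLENGE33` and `SPECIAL_SPECIAL_K8S_SECRET` through `secretKeyRef`; if this Okteto environment is meant to run a scored CTF, the key that validates flag submissions should come from a Secret the same way, `valueFrom: {secretKeyRef: {name: <ctf-secret>, key: ctf_key}}`, and the committed literal rotated. This file and okteto/k8s/secret-challenge-deployment.yml duplicate roughly a hundred lines of container spec that differ only in `env`, and the `cpu: "1000m"` limit versus `'1200m'` in k8s/secret-challenge-deployment.yml shows the drift already starting; a shared base with small per-environment overlays would keep the probes, resources and security context in one place.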
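--- a/okteto/k8s/secret-challenge-deployment.yml
+++ b/okteto/k8s/secret-challenge-deployment.yml
@@ -0,0 +1,109 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: secret-challenge
+ name: secret-challenge
+ namespace: $OKTETO_NAMESPACE
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: secret-challenge
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: secret-challenge
+ name: secret-challenge
+ spec:
+ securityContext:
+ runAsUser: 2000
+ runAsGroup: 2000
+ fsGroup: 2000
+ containers:
+ - image: jeroenwillemsen/wrongsecrets:1.6.4-no-vault
+ name: secret-challenge
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: "/actuator/health/readiness"
+ port: 8080
+ initialDelaySeconds: 30
+ timeoutSeconds: 5
+ periodSeconds: 5
+ failureThreshold: 8
+ livenessProbe:
+ httpGet:
+ path: "/actuator/health/liveness"
+ port: 8080
+ initialDelaySeconds: 35
+ timeoutSeconds: 30
+ periodSeconds: 40
+ failureThreshold: 5
+ resources:
+ requests:
+ memory: "512Mi"
+ cpu: "200m"
+ ephemeral-storage: "1Gi"
+ limits:
+ memory: "512Mi"
+ cpu: "1000m"
+ ephemeral-storage: "2Gi"
+ volumeMounts:
+ - name: "ephemeral"
+ mountPath: "/tmp"
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ env:
+ - name: canarytokenURLs
+ value: "https://canarytokens.org/history?token=n0cnd92mavmv1m61tjmyj9of5&auth=6519be82ef910868529091527c3edb3f"
+ - name: challenge15ciphertext
+ value: "k9+HuPXEiFD6efujS5h1lOL1xgAC2OIgE2alg9Jwe0qQlT+RGDJH/otpFgUzixTbCndwPW3HOqOCQYY844MgxM0N+RRbclS1bpJnYd7BT2aj8v4iA9xR8DwAjU0tt2n84PFKN4vNKjyNATETwPE1GQKBTIi1"
+ - name: K8S_ENV
+ value: Okteto(k8s)
+ - name: SPRINGDOC_UI
+ value: "true"
+ - name: SPRINGDOC_DOC
+ value: "true"
+ - name: SPECIAL_K8S_SECRET
+ valueFrom:
+ configMapKeyRef:
+ name: secrets-file
+ key: funny.entry
+ - name: SPECIAL_SPECIAL_K8S_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: funnystuff
+ key: funnier
+ - name: CHALLENGE33
+ valueFrom:
+ secretKeyRef:
+ name: challenge33
+ key: answer
+ volumes:
+ - name: "ephemeral"
+ emptyDir: {}
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ terminationGracePeriodSeconds: 30
+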
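--- a/okteto/k8s/secrets-config.yml
+++ b/okteto/k8s/secrets-config.yml
@@ -0,0 +1,12 @@
+apiVersion: v1
+data:
+ funny.entry: "thisIsK8SConfigMap"
+kind: ConfigMap
+metadata:
+ creationTimestamp: "2020-10-29T19:29:38Z"
+ name: secrets-file
+ namespace: $OKTETO_NAMESPACE
+ resourceVersion: "4228"
+ selfLink: /api/v1/namespaces/default/configmaps/secrets-file
+ uid: d777ebfa-2a53-4bca-b1e3-4907eca16552
+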
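--- a/okteto/k8s/secrets-secret.yml
+++ b/okteto/k8s/secrets-secret.yml
@@ -0,0 +1,24 @@
+apiVersion: v1
+data:
+ funnier: dGhpcyBpcyBhcGFzc3dvcmQ=
+kind: Secret
+metadata:
+ creationTimestamp: "2020-10-29T20:49:16Z"
+ managedFields:
+ - apiVersion: v1
+ fieldsType: FieldsV1
+ fieldsV1:
+ f:data:
+ .: {}
+ f:funnier.entry: {}
+ f:type: {}
+ manager: kubectl-create
+ operation: Update
+ time: "2020-10-29T20:49:16Z"
+ name: funnystuff
+ namespace: $OKTETO_NAMESPACE
+ resourceVersion: "6559"
+ selfLink: /api/v1/namespaces/default/secrets/funnystuff
+ uid: baee7f4a-5161-4777-a512-3d236d3573d4
+type: Opaque
+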
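--- a/okteto/k8s/secrets-service-ctf.yml
+++ b/okteto/k8s/secrets-service-ctf.yml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: wrongsecrets-ctf
+spec:
+ type: LoadBalancer
+ ports:
+ - name: http
+ port: 8080
+ selector:
+ app: secret-challenge-ctf
+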
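--- a/okteto/k8s/secrets-service.yml
+++ b/okteto/k8s/secrets-service.yml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: wrongsecrets
+spec:
+ type: LoadBalancer
+ ports:
+ - name: http
+ port: 8080
+ selector:
+ app: secret-challenge
+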
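--- a/okteto/okteto.yml
+++ b/okteto/okteto.yml
@@ -0,0 +1,32 @@
+name: okteto
+
+# The build section defines how to build the images of your development environment
+# More info: https://www.okteto.com/docs/reference/manifest/#build
+# build:
+# my-service:
+# context: .
+
+# The deploy section defines how to deploy your development environment
+# More info: https://www.okteto.com/docs/reference/manifest/#deploy
+deploy:
+ - for f in k8s/*.yml; do envsubst < $f | kubectl apply -f -; done
+
+dev:
+# The dependencies section defines other git repositories to be deployed as part of your development environment
+# More info: https://www.okteto.com/docs/reference/manifest/#dependencies
+# dependencies:
+# - https://github.com/okteto/sample
+# The dev section defines how to activate a development container
+# More info: https://www.okteto.com/docs/reference/manifest/#dev
+# dev:
+# sample:
+# image: okteto/dev:latest
+# command: bash
+# workdir: /usr/src/app
+# sync:
+# - .:/usr/src/app
+# environment:
+# - name=$USER
+# forward:
+# - 8080:80
+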
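Review bot: The deploy loop runs `envsubst < $f` with no variable list, so every `$NAME` in any k8s/*.yml is substituted from the Okteto shell environment, not just `$OKTETO_NAMESPACE`; restricting it to `envsubst '$OKTETO_NAMESPACE' < "$f"` makes a stray `$` in a future manifest value (these env lists already hold ciphertexts and keys) a no-op instead of a silent blank. `dev:` is left as a bare key with a null value above the commented-out template; either remove the key or comment it with the rest so the manifest does not declare an empty dev section. A one-line comment on the loop noting that the substitution happens before `kubectl apply` would make the `$OKTETO_NAMESPACE` placeholders in the manifests self-explanatory.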
  • package-lock.json
    Diff is too large to be displayed.
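--- a/package.json
+++ b/package.json
@@ -0,0 +1,21 @@
+{
+ "scripts": {
+ "test:open": "cypress open",
+ "test:ci": "cypress run --browser chrome"
+ },
+ "devDependencies": {
+ "@commitlint/config-conventional": "^17.6.1",
+ "cypress": "^12.10.0",
+ "eslint": "^8.39.0",
+ "eslint-config-standard": "^17.0.0",
+ "eslint-plugin-cypress": "^2.13.3",
+ "eslint-plugin-import": "^2.27.5",
+ "eslint-plugin-jest": "^27.2.1",
+ "eslint-plugin-n": "^15.7.0",
+ "eslint-plugin-promise": "^6.1.1"
+ },
+ "dependencies": {
+ "test": "^3.3.0"
+ }
+}
+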
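Review bot: `"dependencies": { "test": "^3.3.0" }` declares a runtime dependency on an npm package literally named `test`, which nothing in the `scripts` block uses; every other entry is a devDependency for cypress and eslint, so this looks like an accidental `npm install test` that pulls an unrelated third-party package and its transitive tree (via package-lock.json) into the supply chain. Drop the `dependencies` block, or move whatever was intended under `devDependencies`. Adding `"private": true` would also prevent this root manifest from being published by mistake.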