- Use Thymeleaf layout lib to use header and content pages

- Introduce runtime environment to move it away from html
OWASP · Nov 29, 2021 · a3c9797 · a3c9797
1 parent 47e3ed8
commit a3c9797
Show file tree

Hide file tree

Showing 27 changed files with 293 additions and 104 deletions.
diff --git a/pom.xml b/pom.xml
@@ -44,6 +44,11 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-thymeleaf</artifactId>
         </dependency>
+        <dependency>
+            <groupId>nz.net.ultraq.thymeleaf</groupId>
+            <artifactId>thymeleaf-layout-dialect</artifactId>
+            <version>3.0.0</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter</artifactId>

diff --git a/src/main/java/org/owasp/wrongsecrets/AllControllerAdvice.java b/src/main/java/org/owasp/wrongsecrets/AllControllerAdvice.java
@@ -0,0 +1,49 @@
+package org.owasp.wrongsecrets;
+
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.ChallengeUI;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.ModelAttribute;
+
+import java.util.List;
+
+/**
+ * Make sure shared model properties are always set for each controller. So for example `challenges` should be present
+ * in the model instead of adding it in all endpoint we can use this advice to let Spring do this for us.
+ */
+@ControllerAdvice
+public class AllControllerAdvice {
+
+    private final List<ChallengeUI> challenges;
+    private final String version;
+    private RuntimeEnvironment runtimeEnvironment;
+
+    public AllControllerAdvice(List<Challenge> challenges, @Value("${APP_VERSION}") String version, RuntimeEnvironment runtimeEnvironment) {
+        this.challenges = ChallengeUI.toUI(challenges, runtimeEnvironment);
+        this.version = version;
+        this.runtimeEnvironment = runtimeEnvironment;
+    }
+
+    @ModelAttribute
+    public void addChallenges(Model model) {
+        model.addAttribute("challenges", challenges);
+    }
+
+    @ModelAttribute
+    public void addVersion(Model model) {
+        model.addAttribute("version", version);
+    }
+
+    @ModelAttribute
+    public void addRuntimeEnviroment(Model model) {
+        model.addAttribute("environment", runtimeEnvironment);
+    }
+
+    @Bean
+    public List<ChallengeUI> uiChallenges() {
+        return challenges;
+    }
+}
diff --git a/src/main/java/org/owasp/wrongsecrets/IndexController.java b/src/main/java/org/owasp/wrongsecrets/IndexController.java
@@ -1,44 +1,25 @@
 package org.owasp.wrongsecrets;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.wrongsecrets.challenges.Challenge;
-import org.owasp.wrongsecrets.challenges.ChallengeUI;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
 
-import java.util.List;
-
 @Controller
 @Slf4j
 public class IndexController {
 
-    private final String k8sEnvironment;
-    private final String version;
-    private final List<ChallengeUI> challenges;
-
-    public IndexController(@Value("${K8S_ENV}") String k8sEnvironment, @Value("${APP_VERSION}") String version, List<Challenge> challenges) {
-        this.k8sEnvironment = k8sEnvironment;
-        this.version = version;
-        this.challenges = ChallengeUI.toUI(challenges, k8sEnvironment);
-    }
-
     @GetMapping("/")
     public String index(Model model) {
-        model.addAttribute("page", "index");
-        model.addAttribute("challenges", challenges);
-        model.addAttribute("version", version);
-        model.addAttribute("environment", k8sEnvironment);
-        if ("gcp".equals(k8sEnvironment) || "aws".equals(k8sEnvironment)) {
-            model.addAttribute("cloud", "enabled");
-        }
-        if ("k8s-with-vault".equals(k8sEnvironment) || "gcp".equals(k8sEnvironment) || "aws".equals(k8sEnvironment)) {
-            model.addAttribute("vault", "enabled");
-        }
-        if (k8sEnvironment.contains("k8s") || "gcp".equals(k8sEnvironment) || "aws".equals(k8sEnvironment)) {
-            model.addAttribute("k8s", "enabled");
-        }
-        return "index";
+//        if ("gcp".equals(k8sEnvironment) || "aws".equals(k8sEnvironment)) {
+//            model.addAttribute("cloud", "enabled");
+//        }
+//        if ("k8s-with-vault".equals(k8sEnvironment) || "gcp".equals(k8sEnvironment) || "aws".equals(k8sEnvironment)) {
+//            model.addAttribute("vault", "enabled");
+//        }
+//        if (k8sEnvironment.contains("k8s") || "gcp".equals(k8sEnvironment) || "aws".equals(k8sEnvironment)) {
+//            model.addAttribute("k8s", "enabled");
+//        }
+        return "welcome";
     }
 }
diff --git a/src/main/java/org/owasp/wrongsecrets/MvcConfiguration.java b/src/main/java/org/owasp/wrongsecrets/MvcConfiguration.java
@@ -1,5 +1,6 @@
 package org.owasp.wrongsecrets;
 
+import nz.net.ultraq.thymeleaf.layoutdialect.LayoutDialect;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -43,6 +44,7 @@ public SpringTemplateEngine thymeleafTemplateEngine(ITemplateResolver springThym
                                                         AsciiDoctorTemplateResolver asciiDoctorTemplateResolver) {
         SpringTemplateEngine engine = new SpringTemplateEngine();
         engine.setEnableSpringELCompiler(true);
+        engine.addDialect(new LayoutDialect());
         engine.setTemplateResolvers(
                 Set.of(asciiDoctorTemplateResolver, springThymeleafTemplateResolver));
         return engine;

diff --git a/src/main/java/org/owasp/wrongsecrets/RuntimeEnvironment.java b/src/main/java/org/owasp/wrongsecrets/RuntimeEnvironment.java
@@ -0,0 +1,42 @@
+package org.owasp.wrongsecrets;
+
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import java.util.Arrays;
+
+@Component
+public class RuntimeEnvironment {
+
+    public enum Environment {
+        DOCKER("Docker"), GCP("gcp"), AWS("aws"), VAULT("k8s-with-vault"), K8S("k8s");
+
+        private final String id;
+
+        Environment(String id) {
+            this.id = id;
+        }
+
+        static Environment fromId(String id) {
+            return Arrays.asList(Environment.values()).stream().filter(e -> e.id.equals(id)).findAny().get();
+        }
+    }
+
+    private final Environment runtimeEnvironment;
+
+    @Autowired
+    public RuntimeEnvironment(@Value("${K8S_ENV}") String currentRuntimeEnvironment) {
+        this.runtimeEnvironment = Environment.fromId(currentRuntimeEnvironment);
+    }
+
+    public RuntimeEnvironment(Environment runtimeEnvironment) {
+        this.runtimeEnvironment = runtimeEnvironment;
+    }
+
+    public boolean environmentIsFitFor(Challenge challenge) {
+        return challenge.supportedRuntimeEnvironments().contains(runtimeEnvironment);
+    }
+
+}
diff --git a/src/main/java/org/owasp/wrongsecrets/SecretsErrorController.java b/src/main/java/org/owasp/wrongsecrets/SecretsErrorController.java
@@ -10,7 +10,6 @@ public class SecretsErrorController implements ErrorController {
 
     @RequestMapping("/error")
     public String handleError(Model model) {
-        model.addAttribute("page", "error");
-        return "index";
+        return "error";
     }
 }
diff --git a/src/main/java/org/owasp/wrongsecrets/WrongSecretsApplication.java b/src/main/java/org/owasp/wrongsecrets/WrongSecretsApplication.java
@@ -22,4 +22,6 @@ public InMemoryScoreCard scoreCard() {
         return new InMemoryScoreCard(11);
     }
 
+
+
 }
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/Challenge.java b/src/main/java/org/owasp/wrongsecrets/challenges/Challenge.java
@@ -2,8 +2,11 @@
 
 import lombok.Getter;
 import lombok.RequiredArgsConstructor;
+import org.owasp.wrongsecrets.RuntimeEnvironment.Environment;
 import org.owasp.wrongsecrets.ScoreCard;
 
+import java.util.List;
+
 @RequiredArgsConstructor
 @Getter
 public abstract class Challenge {
@@ -26,4 +29,6 @@ public boolean solved(String answer) {
     public boolean environmentSupported() {
         return false;
     }
+
+    public abstract List<Environment> supportedRuntimeEnvironments();
 }
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/ChallengeUI.java b/src/main/java/org/owasp/wrongsecrets/challenges/ChallengeUI.java
@@ -2,9 +2,11 @@
 
 import lombok.Getter;
 import org.asciidoctor.Asciidoctor;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
 
 import java.util.List;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 
 import static org.owasp.wrongsecrets.challenges.ChallengeEnvironment.CLOUD;
 
@@ -17,14 +19,14 @@ public class ChallengeUI {
     private static final Asciidoctor asciidoctor = Asciidoctor.Factory.create();
     private static final Pattern challengePattern = Pattern.compile("(\\D+)(\\d+)");
 
-    private Challenge challenge;
-    private int challengeNumber;
-    private String environment;
+    private final Challenge challenge;
+    private final int challengeNumber;
+    private final RuntimeEnvironment runtimeEnvironment;
 
-    public ChallengeUI(Challenge challenge, int challengeNumber, String environment) {
+    public ChallengeUI(Challenge challenge, int challengeNumber, RuntimeEnvironment runtimeEnvironment) {
         this.challenge = challenge;
         this.challengeNumber = challengeNumber;
-        this.environment = environment;
+        this.runtimeEnvironment = runtimeEnvironment;
     }
 
     public String getName() {
@@ -41,12 +43,38 @@ public Integer getLink() {
 
     public String getExplanation() {
         var name = this.getChallenge().getClass().getSimpleName().toLowerCase();
-        var env = challenge.getEnvironment() == CLOUD && environment.equals("gcp") ? "-gcp" : "";
+        var env = challenge.getEnvironment() == CLOUD && runtimeEnvironment.equals("gcp") ? "-gcp" : "";
 
         return String.format("%s%s", name, env);
     }
 
-    public static List<ChallengeUI> toUI(List<Challenge> challenges, String environment) {
+    public String supportedEnvironments() {
+        return challenge.supportedRuntimeEnvironments().stream().map(environment ->
+                switch (environment) {
+                    case DOCKER -> "Docker";
+                    case VAULT -> "Kubernetes or Minikube with Vault";
+                    case K8S -> "Kubernetes or Minikube";
+                    case AWS, GCP -> "AWS, GCP";
+                }
+        ).limit(1).collect(Collectors.joining());
+    }
+
+    public boolean isChallengeEnabled() {
+        return runtimeEnvironment.environmentIsFitFor(challenge);
+
+
+        //        if ("gcp".equals(k8sEnvironment) || "aws".equals(k8sEnvironment)) {
+//            model.addAttribute("cloud", "enabled");
+//        }
+//        if ("k8s-with-vault".equals(k8sEnvironment) || "gcp".equals(k8sEnvironment) || "aws".equals(k8sEnvironment)) {
+//            model.addAttribute("vault", "enabled");
+//        }
+//        if (k8sEnvironment.contains("k8s") || "gcp".equals(k8sEnvironment) || "aws".equals(k8sEnvironment)) {
+//            model.addAttribute("k8s", "enabled");
+//        }
+    }
+
+    public static List<ChallengeUI> toUI(List<Challenge> challenges, RuntimeEnvironment environment) {
         return challenges.stream().map(challenge -> new ChallengeUI(challenge, challenges.indexOf(challenge) + 1, environment)).toList();
     }
 }
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/ChallengesController.java b/src/main/java/org/owasp/wrongsecrets/challenges/ChallengesController.java
@@ -1,7 +1,6 @@
 package org.owasp.wrongsecrets.challenges;
 
 import org.owasp.wrongsecrets.ScoreCard;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -14,14 +13,12 @@
 @Controller
 public class ChallengesController {
 
-    private final String version;
     private final ScoreCard scoreCard;
     private final List<ChallengeUI> challenges;
 
-    public ChallengesController(@Value("${APP_VERSION}") String version, @Value("${K8S_ENV}") String k8sEnvironment, ScoreCard scoreCard, List<Challenge> challenges) {
-        this.version = version;
+    public ChallengesController(ScoreCard scoreCard, List<ChallengeUI> challenges) {
         this.scoreCard = scoreCard;
-        this.challenges = ChallengeUI.toUI(challenges, k8sEnvironment);
+        this.challenges = challenges;
     }
 
     @GetMapping
@@ -32,18 +29,15 @@ public String explanation(@PathVariable Integer id) {
     @GetMapping("/spoil-{id}")
     public String spoiler(Model model, @PathVariable Integer id) {
         var challenge = challenges.get(id - 1).getChallenge();
-        model.addAttribute("challenges", challenges);
-        model.addAttribute("solution", challenge.spoiler().solution()); //TODO update spoiler class directly instead of the String
+        model.addAttribute("solution", challenge.spoiler());
         return "spoil";
     }
 
     @GetMapping("/challenge/{id}")
     public String challenge(Model model, @PathVariable Integer id) {
         var challenge = challenges.get(id - 1);
 
-        model.addAttribute("page", "challenge");
         model.addAttribute("challengeForm", new ChallengeForm(""));
-        model.addAttribute("challenges", challenges);
         model.addAttribute("challenge", challenge);
 
         model.addAttribute("answerCorrect", null);
@@ -53,7 +47,7 @@ public String challenge(Model model, @PathVariable Integer id) {
         includeScoringStatus(model, challenge.getChallenge());
         addWarning(challenge.getChallenge(), model);
 
-        return "index";
+        return "challenge";
     }
 
     @PostMapping("/challenge/{id}")
@@ -67,14 +61,11 @@ public String postController(@ModelAttribute ChallengeForm challengeForm, Model
         }
 
         model.addAttribute("challenge", challenge);
-        model.addAttribute("challenges", challenges);
-        model.addAttribute("page", "challenge");
         includeScoringStatus(model, challenge.getChallenge());
-        return "index";
+        return "challenge";
     }
 
     private void includeScoringStatus(Model model, Challenge challenge) {
-        model.addAttribute("version", version);
         model.addAttribute("totalPoints", scoreCard.getTotalReceivedPoints());
         model.addAttribute("progress", "" + scoreCard.getProgress());
 

diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge10.java b/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge10.java
@@ -2,6 +2,7 @@
 
 
 import lombok.extern.slf4j.Slf4j;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
 import org.owasp.wrongsecrets.ScoreCard;
 import org.owasp.wrongsecrets.challenges.Challenge;
 import org.owasp.wrongsecrets.challenges.ChallengeEnvironment;
@@ -12,6 +13,10 @@
 
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.util.List;
+
+import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.AWS;
+import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.GCP;
 
 @Component
 @Order(10)
@@ -55,4 +60,8 @@ private String getCloudChallenge9and10Value(String filePath, String fileName) {
             return awsDefaultValue;
         }
     }
+
+    public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
+        return List.of(GCP, AWS);
+    }
 }