Merge pull request #1133 from OWASP/hotfix-k8s-okteto

Fix for issues regarding challenge rendering

.github/scripts/.bash_history

@@ -347,7 +347,7 @@ rm -rf jdk-18_linux-x64_bin.deb
 git rebase -i main
 git rebase -i master
 git stash
-export tempPassword="xNxJ7KQ+ViCMgwuLWxr9lBeyfrKc43W+qzrFiuCf7JA="
+export tempPassword="j0F45AmfXRSTk8hkEiMe+BSAhqzZ8hiH1B23HcCmgck="
 mvn run tempPassword
 k6
 npx k6

Dockerfile

@@ -1,7 +1,7 @@
 FROM amazoncorretto:21.0.1-alpine
 
 ARG argBasedPassword="default"
-ARG argBasedVersion="1.8.0RC4B"
+ARG argBasedVersion="1.8.0RC11"
 ARG spring_profile=""
 ENV SPRING_PROFILES_ACTIVE=$spring_profile
 ENV ARG_BASED_PASSWORD=$argBasedPassword

Dockerfile.web

@@ -1,5 +1,5 @@
-FROM jeroenwillemsen/wrongsecrets:1.8.0RC4B-no-vault
-ARG argBasedVersion="1.8.0RC4B-no-vault"
+FROM jeroenwillemsen/wrongsecrets:1.8.0RC11-no-vault
+ARG argBasedVersion="1.8.0RC11-no-vault"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
 ARG HINTS_ENABLED=true

aws/k8s/secret-challenge-vault-deployment.yml

@@ -41,7 +41,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.8.0RC9-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.8.0RC11-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           securityContext:

azure/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -41,7 +41,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.8.0RC4B-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.8.0RC11-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           securityContext:

fly.toml

@@ -8,7 +8,7 @@ app = "wrongsecrets"
 primary_region = "ams"
 
 [build]
-  image = "docker.io/jeroenwillemsen/wrongsecrets:1.8.0RC4B-no-vault"
+  image = "docker.io/jeroenwillemsen/wrongsecrets:1.8.0RC11-no-vault"
 
 [env]
   K8S_ENV = "Fly(Docker)"

gcp/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -39,7 +39,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.8.0RC9-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.8.0RC11-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           ports:

k8s/secret-challenge-deployment.yml

@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.8.0RC4B-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.8.0RC11-no-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           ports:

k8s/secret-challenge-vault-deployment.yml

@@ -30,7 +30,7 @@ spec:
         runAsNonRoot: true
       serviceAccountName: vault
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.8.0RC9-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.8.0RC11-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           securityContext:

okteto/k8s/secret-challenge-ctf-deployment.yml

@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.8.0RC4B-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.8.0RC11-no-vault
           name: secret-challenge-ctf
           imagePullPolicy: IfNotPresent
           securityContext:

pom.xml

@@ -11,7 +11,7 @@
 
   <groupId>org.owasp</groupId>
   <artifactId>wrongsecrets</artifactId>
-  <version>1.8.0RC4-SNAPSHOT</version>
+  <version>1.8.0RC11-SNAPSHOT</version>
 
   <name>OWASP WrongSecrets</name>
   <description>Examples with how to not use secrets</description>

src/main/java/org/owasp/wrongsecrets/challenges/ChallengesController.java

@@ -309,13 +309,17 @@ private void includeScoringStatus(Model model, ChallengeDefinition challenge) {
 
   private void addWarning(ChallengeDefinition challenge, Model model) {
     if (!runtimeEnvironment.canRun(challenge)) {
-      var warning =
-          challenge.supportedEnvironments().stream()
-              .limit(1)
-              .map(env -> env.missingEnvironment().contents().get())
-              .findFirst()
-              .orElse(null);
-      model.addAttribute("missingEnvWarning", warning);
+      if (challenge.missingEnvironment() != null) {
+        model.addAttribute("missingEnvWarning", challenge.missingEnvironment().contents().get());
+      } else {
+        var warning =
+            challenge.supportedEnvironments().stream()
+                .limit(1)
+                .map(env -> env.missingEnvironment().contents().get())
+                .findFirst()
+                .orElse(null);
+        model.addAttribute("missingEnvWarning", warning);
+      }
     }
   }
 

src/main/java/org/owasp/wrongsecrets/definitions/ChallengeDefinition.java

@@ -41,7 +41,8 @@ public record ChallengeDefinition(
     Difficulty difficulty,
     ChallengeCategory category,
     Ctf ctf,
-    Sources environmentToSource) {
+    Sources environmentToSource,
+    Sources.TextWithFileLocation missingEnvironment) {
 
   @SuppressFBWarnings(value = "IP_PARAMETER_IS_DEAD_BUT_OVERWRITTEN")
   public ChallengeDefinition {

src/main/resources/application.properties

@@ -65,7 +65,7 @@ challenge41password=UEBzc3dvcmQxMjM=
 management.endpoint.health.probes.enabled=true
 management.health.livenessState.enabled=true
 management.health.readinessState.enabled=true
-management.endpoints.web.exposure.include=auditevents
+management.endpoints.web.exposure.include=auditevents,info,health
 #---
 spring.config.activate.on-profile=kubernetes-vault
 wrongsecretvalue=wrongsecret

src/main/resources/templates/challenge.html

@@ -84,8 +84,8 @@
                  th:text="${totalPoints}"></div>
         </div>
 
-        <div th:text="${missingEnvWarning}" th:if="${missingEnvWarning!=null}" class="alert alert-danger" role="alert"
-             th:attr="data-cy='disabled-alert'">
+        <div th:if="${missingEnvWarning!=null}" class="alert alert-danger" role="alert"
+             th:attr="data-cy='disabled-alert'">[(${missingEnvWarning})]
         </div>
     </div>
     <div class="modal fade" id="finishedModal">

src/main/resources/wrong-secrets-configuration.yaml

@@ -31,57 +31,64 @@ configurations:
       ctf: "Docker"  # Name used in the CTF json message
       overview: "Docker" # Display name for the environment in the overview screen
       display_name: "Docker" # General display name for environment
-      missing_environment: "challenges/missing_docker.adoc" # Missing environment warning
+      missing_environment: "explanations/missing_docker.adoc" # Missing environment warning
     - &heroku
       name: "Heroku(Docker)"
       ctf: "Docker"
       overview: "Docker"
       display_name: "Heroku"
-      missing_environment: "challenges/missing_docker.adoc"
+      missing_environment: "explanations/missing_docker.adoc"
     - &fly
       name: "Fly(Docker)"
       ctf: "Docker"
       overview: "Docker"
       display_name: "Fly.io"
-      missing_environment: "challenges/missing_docker.adoc"
+      missing_environment: "explanations/missing_docker.adoc"
+    - &railway
+      name: "Railway(Docker)"
+      ctf: "Docker"
+      overview: "Docker"
+      display_name: "Railway.io"
+      missing_environment: "explanations/missing_docker.adoc"
     - &gcp
       name: "gcp"
       ctf: "Cloud"
       overview: "AWS, GCP, Azure"
       display_name: "GCP"
-      missing_environment: "challenges/missing_cloud.adoc"
+      missing_environment: "explanations/missing_cloud.adoc"
     - &aws
       name: "aws"
       ctf: "Cloud"
       overview: "AWS, GCP, Azure"
       display_name: "AWS"
-      missing_environment: "challenges/missing_cloud.adoc"
+      missing_environment: "explanations/missing_cloud.adoc"
     - &azure
       name: "azure"
       ctf: "Cloud"
       overview: "AWS, GCP, Azure"
       display_name: "Azure"
-      missing_environment: "challenges/missing_cloud.adoc"
+      missing_environment: "explanations/missing_cloud.adoc"
     - &k8s_vault
       name: "k8s_vault"
-      ctf: Vault
+      ctf: "Vault"
       overview: "K8s with Vault"
       display_name: "K8s with Vault"
-      missing_environment: "challenges/missing_vault.adoc"
+      missing_environment: "explanations/missing_vault.adoc"
     - &k8s
       name: "k8s"
       ctf: "Kubernetes"
       overview: "K8s"
       display_name: "Kubernetes"
-      missing_environment: "challenges/missing_k8s.adoc"
+      missing_environment: "explanations/missing_k8s.adoc"
     - &okteto
       name: "Okteto(k8s)"
       ctf: "Kubernetes"
       overview: "K8s"
       display_name: "Okteto"
-      missing_environment: "challenges/missing_k8s.adoc"
-  all_environments: &all_envs [ *docker, *heroku, *fly, *gcp, *aws, *azure, *k8s_vault, *k8s, *okteto ]
-  docker_environments: &docker_envs [ *docker, *heroku, *fly ]
+      missing_environment: "explanations/missing_k8s.adoc"
+  all_environments: &all_envs [ *docker, *heroku, *fly, *railway, *gcp, *aws, *azure, *k8s_vault, *k8s, *okteto ]
+  docker_environments: &docker_envs [ *docker, *heroku, *fly, *railway ]
+  k8s_environments: &k8s_envs [ *k8s_vault, *k8s, *okteto ]
 
   challenges:
     - name: Challenge 0
@@ -192,11 +199,12 @@ configurations:
           explanation: "explanations/challenge7.adoc"
           hint: "explanations/challenge7_hint.adoc"
           reason: "explanations/challenge7_reason.adoc"
-          environments: [ *k8s_vault, *gcp, *aws, *azure ]
+          environments: [*gcp, *aws, *azure, *k8s_vault ]
       difficulty: *expert
       category: *vault
       ctf:
         enabled: true
+      missing_environment: "explanations/missing_vault.adoc"
 
     - name: Challenge 8
       short-name: "challenge-8"
@@ -205,7 +213,7 @@ configurations:
           explanation: "explanations/challenge8.adoc"
           hint: "explanations/challenge8_hint.adoc"
           reason: "explanations/challenge8_reason.adoc"
-          environments: [ *docker,  *gcp, *aws, *azure, *k8s_vault, *k8s ]
+          environments: [ *docker, *gcp, *aws, *azure, *k8s_vault, *k8s ]
         - class-name: "org.owasp.wrongsecrets.challenges.docker.Challenge8"
           explanation: "explanations/challenge8.adoc"
           hint: "explanations/challenge8_hint_limited.adoc"
@@ -567,7 +575,7 @@ configurations:
           explanation: "explanations/challenge33.adoc"
           hint: "explanations/challenge33_hint.adoc"
           reason: "explanations/challenge33_reason.adoc"
-          environments: [ *k8s, *k8s_vault, *gcp, *azure, *aws ]
+          environments: [*k8s, *k8s_vault, *okteto, *gcp, *azure, *aws ]
       difficulty: *normal
       category: *secrets
       ctf:

src/test/java/org/owasp/wrongsecrets/challenges/kubernetes/ChallengesControllerWithPresetKubernetesValuesTest.java

@@ -0,0 +1,94 @@
+package org.owasp.wrongsecrets.challenges.kubernetes;
+
+import static org.hamcrest.CoreMatchers.not;
+import static org.hamcrest.Matchers.containsString;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import org.junit.jupiter.api.Test;
+import org.owasp.wrongsecrets.Challenges;
+import org.owasp.wrongsecrets.WrongSecretsApplication;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.web.servlet.MockMvc;
+
+@SpringBootTest(
+    properties = {
+      "K8S_ENV=Okteto(k8s)",
+      "ctf_key=randomtextforkey",
+      "SPECIAL_K8S_SECRET=test5",
+      "SPECIAL_SPECIAL_K8S_SECRET=test6",
+      "vaultpassword=test7",
+      "secretmountpath=nothere"
+    },
+    classes = WrongSecretsApplication.class)
+@AutoConfigureMockMvc
+class ChallengesControllerWithPresetKubernetesValuesTest {
+
+  @Autowired private MockMvc mvc;
+  @Autowired private Challenges challenges;
+
+  @Test
+  void shouldSpoilExercises() throws Exception {
+    mvc.perform(get("/spoil/challenge-0"))
+        .andExpect(status().isOk())
+        .andExpect(content().string(containsString("The first answer")));
+    mvc.perform(get("/spoil/challenge-5"))
+        .andExpect(status().isOk())
+        .andExpect(content().string(containsString("test5")));
+    mvc.perform(get("/spoil/challenge-6"))
+        .andExpect(status().isOk())
+        .andExpect(content().string(containsString("test6")));
+    mvc.perform(get("/spoil/challenge-9"))
+        .andExpect(status().isOk())
+        .andExpect(content().string(containsString("if_you_see_this_please_use_AWS_Setup")));
+  }
+
+  @Test
+  void shouldNotShowDisabledChallengeAnywhere() throws Exception {
+    for (var challenge : challenges.getChallengeDefinitions()) {
+      var shortname = challenge.name().shortName();
+      if (shortname.contains("7")
+          || shortname.contains("9")
+          || shortname.contains("10")
+          || shortname.contains("11")) {
+        continue;
+      }
+      mvc.perform(get("/challenge/%s".formatted(challenge.name().shortName())))
+          .andExpect(status().isOk())
+          .andExpect(content().string(not(containsString("This challenge has been disabled."))));
+    }
+  }
+
+  @Test
+  void shouldDisableCloudExercises() throws Exception {
+    mvc.perform(get("/"))
+        .andExpect(status().isOk())
+        .andExpect(content().string(containsString("challenge-9_disabled-link")))
+        .andExpect(content().string(containsString("challenge-10_disabled-link")))
+        .andExpect(content().string(containsString("challenge-11_disabled-link")));
+  }
+
+  @Test
+  void shouldEnableK8sExercises() throws Exception {
+    mvc.perform(get("/"))
+        .andExpect(status().isOk())
+        .andExpect(content().string(not(containsString("challenge-5_disabled-link"))))
+        .andExpect(content().string(not(containsString("challenge-6_disabled-link"))))
+        .andExpect(
+            content().string(containsString("challenge-7_disabled-link"))) // vault is not visible
+        .andExpect(content().string(not(containsString("challenge-33_disabled-link"))));
+  }
+
+  @Test
+  void shouldEnableDockerExercises() throws Exception {
+    mvc.perform(get("/"))
+        .andExpect(status().isOk())
+        .andExpect(content().string(not(containsString("challenge-1_disabled-link"))))
+        .andExpect(content().string(not(containsString("challenge-2_disabled-link"))))
+        .andExpect(content().string(not(containsString("challenge-14_disabled-link"))))
+        .andExpect(content().string(not(containsString("challenge-22_disabled-link"))));
+  }
+}

src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFClientModeTest.java

@@ -91,6 +91,13 @@ void shouldStillDissableTestsIfNotPreconfigured() throws Exception {
     testForCloudCluster("/challenge/challenge-11");
   }
 
+  private void testForVault(String url) throws Exception {
+    mvc.perform(get(url).contentType(MediaType.APPLICATION_FORM_URLENCODED).with(csrf()))
+        .andExpect(status().isOk())
+        .andExpect(
+            content().string(containsString("We are running outside a K8s cluster with Vault")));
+  }
+
   private void testK8sChallenge(String url) throws Exception {
     mvc.perform(get(url).contentType(MediaType.APPLICATION_FORM_URLENCODED).with(csrf()))
         .andExpect(status().isOk())