package org.owasp.webgoat.plugin.rollbased;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.plugin.GoatHillsFinancial.DefaultLessonAction;
import org.owasp.webgoat.plugin.GoatHillsFinancial.FindProfile;
import org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.plugin.GoatHillsFinancial.LessonAction;
import org.owasp.webgoat.plugin.GoatHillsFinancial.ListStaff;
import org.owasp.webgoat.plugin.GoatHillsFinancial.Login;
import org.owasp.webgoat.plugin.GoatHillsFinancial.Logout;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;

/* loaded from: input_file:WebGoat.war:plugin_lessons/role-based-access-control-1.0.jar:org/owasp/webgoat/plugin/rollbased/RoleBasedAccessControl.class */
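/**
 * WebGoat lesson "LAB: Role Based Access Control" built on the GoatHillsFinancial
 * staff-directory application.
 *
 * <p>The lesson has four stages (see {@link #STAGE1} .. {@link #STAGE4}): two
 * "bypass" stages in which the student exercises a missing access-control check,
 * and two "add" stages in which the student is expected to patch the WebGoat code
 * so the check is enforced (the "add" stages are only offered when coding
 * exercises are enabled, see {@link #getStages()}).
 *
 * <p>Because this is teaching material, the live request dispatcher
 * {@link #handleRequest(WebSession)} deliberately does NOT perform the
 * business-layer authorization check; {@link #handleRequest_BACKUP(WebSession)}
 * is the reference version that does. Do not "fix" the dispatcher here without
 * understanding that it would remove the lesson's Stage 1/2 exercise.
 */
public class RoleBasedAccessControl extends GoatHillsFinancial {
    /** Ranking reported through {@link #getDefaultRanking()}. */
    private static final Integer DEFAULT_RANKING = Integer.valueOf(125);
    public static final String STAGE1 = "Bypass Business Layer Access Control";
    public static final String STAGE2 = "Add Business Layer Access Control";
    public static final String STAGE3 = "Bypass Data Layer Access Control";
    public static final String STAGE4 = "Add Data Layer Access Control";

    /**
     * Registers the per-action handlers for this lesson.
     *
     * <p>Order matters: the Login, Logout, FindProfile, UpdateProfile and
     * DeleteProfile actions are given a follow-on action looked up with
     * {@code getAction(...)}, so those targets must already be registered.
     * The same EditProfile handler serves both the edit and the create action.
     *
     * @param str passed through unchanged to every action constructor
     *            (presumably the lesson name; confirm against GoatHillsFinancial)
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial
    protected void registerActions(String str) {
        registerAction(new ListStaff(this, str, GoatHillsFinancial.LISTSTAFF_ACTION));
        registerAction(new ViewProfileRoleBasedAccessControl(this, str, GoatHillsFinancial.VIEWPROFILE_ACTION));
        registerAction(new EditProfileRoleBasedAccessControl(this, str, GoatHillsFinancial.EDITPROFILE_ACTION));
        registerAction(new EditProfileRoleBasedAccessControl(this, str, GoatHillsFinancial.CREATEPROFILE_ACTION));
        registerAction(new Login(this, str, GoatHillsFinancial.LOGIN_ACTION, getAction(GoatHillsFinancial.LISTSTAFF_ACTION)));
        registerAction(new Logout(this, str, "Logout", getAction(GoatHillsFinancial.LOGIN_ACTION)));
        registerAction(new FindProfile(this, str, GoatHillsFinancial.FINDPROFILE_ACTION, getAction(GoatHillsFinancial.VIEWPROFILE_ACTION)));
        registerAction(new UpdateProfileRoleBasedAccessControl(this, str, GoatHillsFinancial.UPDATEPROFILE_ACTION, getAction(GoatHillsFinancial.VIEWPROFILE_ACTION)));
        registerAction(new DeleteProfileRoleBasedAccessControl(this, str, GoatHillsFinancial.DELETEPROFILE_ACTION, getAction(GoatHillsFinancial.LISTSTAFF_ACTION)));
    }

    /** @return the lesson menu category this lesson is filed under */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    public Category getDefaultCategory() {
        return Category.ACCESS_CONTROL;
    }

    /**
     * Returns the hint texts shown to the student, in display order. The first
     * three are general; the rest are prefixed with the stage they apply to.
     *
     * @param webSession current session (not consulted; hints are static)
     * @return a new, mutable list of hint strings
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<String>();
        hints.add("Many sites attempt to restrict access to resources by role.");
        hints.add("Developers frequently make mistakes implementing this scheme.");
        hints.add("Attempt combinations of users, roles, and resources.");
        hints.add("Stage1: How does the application know that the user selected the delete function?");
        hints.add("Stage2: You have to code to check the authorization of the user for the action.");
        hints.add("Stage3: How does the application know that the user selected any particular employee to view?");
        hints.add("Note that the contents of the staff listing change depending on who is logged in.");
        hints.add("Stage4: You have to code to check the authorization of the user for the action on a certain employee.");
        return hints;
    }

    /**
     * Returns the stage names for this lesson.
     *
     * @return all four stages when coding exercises are enabled in the WebGoat
     *         context; otherwise only the two "bypass" stages (STAGE1, STAGE3)
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.RandomLessonAdapter
    public String[] getStages() {
        return getWebgoatContext().isCodingExercises() ? new String[]{STAGE1, STAGE2, STAGE3, STAGE4} : new String[]{STAGE1, STAGE3};
    }

    /**
     * Returns the HTML instructions for the student's current stage.
     *
     * @param webSession current session; used to look up the lesson tracker and stage
     * @return the stage's instruction markup, or the empty string once the lesson
     *         is marked completed or the stage is not one of the four constants
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    public String getInstructions(WebSession webSession) {
        String instructions = "";
        if (!getLessonTracker(webSession).getCompleted()) {
            String stage = getStage(webSession);
            if (STAGE1.equals(stage)) {
                instructions = "Stage 1: Bypass Presentational Layer Access Control.<br />As regular employee 'Tom', exploit weak access control to use the Delete function from the Staff List page. Verify that Tom's profile can be deleted. The passwords for users are their given names in lowercase (e.g. the password for Tom Cat is \"tom\").";
            } else if (STAGE2.equals(stage)) {
                instructions = "Stage 2: Add Business Layer Access Control.<br><br /><b><font color=\"blue\"> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br /><br />Implement a fix to deny unauthorized access to the Delete function. To do this, you will have to alter the WebGoat code. Once you have done this, repeat stage 1 and verify that access to DeleteProfile functionality is properly denied.";
            } else if (STAGE3.equals(stage)) {
                instructions = "Stage 3: Breaking Data Layer Access Control.<br />As regular employee 'Tom', exploit weak access control to View another employee's profile. Verify the access.";
            } else if (STAGE4.equals(stage)) {
                instructions = "Stage 4: Add Data Layer Access Control.<br><br /><b><font color=\"blue\"> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br /><br />Implement a fix to deny unauthorized access to this data. Once you have done this, repeat stage 3, and verify that access to other employee's profiles is properly denied.";
            }
        }
        return instructions;
    }

    /**
     * Builds the web-resource path of the solution page for the current stage.
     *
     * <p>The stage segment comes from {@code getStage(webSession)} (the lesson
     * tracker), not directly from request parameters; it is expected to be one
     * of the STAGE constants.
     *
     * @param webSession current session
     * @return path of the form {@code /lesson_solutions_1/Lab Access Control/Lab <stage>.html}
     */
    public String getLessonSolutionFileName(WebSession webSession) {
        return "/lesson_solutions_1/Lab Access Control/Lab " + getStage(webSession) + ".html";
    }

    /**
     * Reads the solution HTML for the current stage from the web application.
     *
     * @param webSession current session; also receives an error message when the
     *                   file cannot be read
     * @return the file contents, or the text "Could not find the solution file"
     *         if opening or reading it failed
     */
    @Override // org.owasp.webgoat.lessons.AbstractLesson
    public String getSolution(WebSession webSession) {
        String solution;
        BufferedReader reader = null;
        try {
            reader = new BufferedReader(new FileReader(webSession.getWebResource(getLessonSolutionFileName(webSession))));
            solution = readFromFile(reader, false);
        } catch (IOException e) {
            webSession.setMessage("Could not find the solution file");
            solution = "Could not find the solution file";
        } finally {
            // Always release the file handle; closing a BufferedReader twice is a no-op,
            // so this is safe even if readFromFile() already closed it.
            if (reader != null) {
                try {
                    reader.close();
                } catch (IOException ignored) {
                    // nothing useful can be done on close failure; content was already read
                }
            }
        }
        return solution;
    }

    /**
     * Dispatches one request to the action named by the {@code action} parameter.
     *
     * <p>Flow: open the lesson session if needed; resolve the action (defaulting to
     * login when the parameter is absent); run it unauthenticated if it does not
     * require authentication, otherwise require an authenticated user first.
     *
     * <p>Intentional gap: for authenticated actions this method calls
     * {@code isAuthenticated} but never {@code isAuthorized}, so any logged-in
     * user reaches every action regardless of role. This is the business-layer
     * check that Stage 2 asks the student to add (compare
     * {@link #handleRequest_BACKUP(WebSession)}). The {@code UnauthorizedException}
     * handler is what detects a student's fix and marks Stage 2 / Stage 4 complete.
     *
     * <p>Error handling sets the current action to "error" and prints the stack
     * trace; the stage-4 completion probe is best-effort and swallows failures.
     *
     * @param webSession current session, carrying the request and its parser
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.AbstractLesson
    public void handleRequest(WebSession webSession) {
        if (webSession.getLessonSession(this) == null) {
            webSession.openLessonSession(this);
        }
        // Action name is taken directly from the request; missing -> login.
        String actionName;
        try {
            actionName = webSession.getParser().getStringParameter("action");
        } catch (ParameterNotFoundException e) {
            actionName = GoatHillsFinancial.LOGIN_ACTION;
        }
        try {
            DefaultLessonAction action = (DefaultLessonAction) getAction(actionName);
            if (action == null) {
                setCurrentAction(webSession, "error");
            } else if (!action.requiresAuthentication()) {
                action.handleRequest(webSession);
            } else {
                if (!action.isAuthenticated(webSession)) {
                    throw new UnauthenticatedException();
                }
                // No isAuthorized(...) check here -- see class and method Javadoc.
                action.handleRequest(webSession);
            }
        } catch (ParameterNotFoundException e2) {
            e2.printStackTrace();
            setCurrentAction(webSession, "error");
        } catch (UnauthenticatedException e3) {
            webSession.setMessage("Login failed");
            e3.printStackTrace();
        } catch (UnauthorizedException e4) {
            webSession.setMessage("You are not authorized to perform this function");
            String stage = getStage(webSession);
            if (STAGE2.equals(stage)) {
                // Stage 2 is complete once an unauthorized delete is actually refused.
                try {
                    if (GoatHillsFinancial.DELETEPROFILE_ACTION.equals(actionName) && !isAuthorized(webSession, getUserId(webSession), GoatHillsFinancial.DELETEPROFILE_ACTION)) {
                        setStageComplete(webSession, STAGE2);
                    }
                } catch (ParameterNotFoundException e5) {
                    e5.printStackTrace();
                }
            }
            if (STAGE4.equals(stage)) {
                // Stage 4 is complete once the current action refuses the requested
                // employee record for the logged-in user id held in the HTTP session.
                try {
                    if (!((DefaultLessonAction) getAction(getCurrentAction(webSession))).isAuthorizedForEmployee(webSession, Integer.parseInt((String) webSession.getRequest().getSession().getAttribute(getLessonName() + "." + GoatHillsFinancial.USER_ID)), webSession.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID))) {
                        setStageComplete(webSession, STAGE4);
                    }
                } catch (Exception ignored) {
                    // Best-effort probe: a missing/unparsable user or employee id simply
                    // means the stage is not marked complete on this request.
                }
            }
            setCurrentAction(webSession, "error");
            e4.printStackTrace();
        } catch (ValidationException e7) {
            e7.printStackTrace();
            setCurrentAction(webSession, "error");
        } catch (Exception e8) {
            e8.printStackTrace();
            setCurrentAction(webSession, "error");
        }
        setContent(new ElementContainer());
    }

    /**
     * Reference dispatcher that enforces the business-layer access check.
     *
     * <p>Identical to {@link #handleRequest(WebSession)} except that, for actions
     * requiring authentication, it also calls
     * {@code action.isAuthorized(webSession, action.getUserId(webSession), action.getActionName())}
     * and throws {@code UnauthorizedException} when that returns false, and it
     * guards against a null action name. It is not wired into the lesson; it
     * exists as the model for the Stage 2 fix.
     *
     * @param webSession current session, carrying the request and its parser
     */
    public void handleRequest_BACKUP(WebSession webSession) {
        if (webSession.getLessonSession(this) == null) {
            webSession.openLessonSession(this);
        }
        String actionName;
        try {
            actionName = webSession.getParser().getStringParameter("action");
        } catch (ParameterNotFoundException e) {
            actionName = GoatHillsFinancial.LOGIN_ACTION;
        }
        if (actionName != null) {
            try {
                LessonAction action = getAction(actionName);
                if (action == null) {
                    setCurrentAction(webSession, "error");
                } else if (!action.requiresAuthentication()) {
                    action.handleRequest(webSession);
                } else {
                    if (!action.isAuthenticated(webSession)) {
                        throw new UnauthenticatedException();
                    }
                    // Business-layer check: the user's role must permit this action.
                    if (!action.isAuthorized(webSession, action.getUserId(webSession), action.getActionName())) {
                        throw new UnauthorizedException();
                    }
                    action.handleRequest(webSession);
                }
            } catch (ParameterNotFoundException e2) {
                e2.printStackTrace();
                setCurrentAction(webSession, "error");
            } catch (UnauthenticatedException e3) {
                webSession.setMessage("Login failed");
                e3.printStackTrace();
            } catch (UnauthorizedException e4) {
                String stage = getStage(webSession);
                if (STAGE2.equals(stage)) {
                    try {
                        if (GoatHillsFinancial.DELETEPROFILE_ACTION.equals(actionName) && !isAuthorized(webSession, getUserId(webSession), GoatHillsFinancial.DELETEPROFILE_ACTION)) {
                            setStageComplete(webSession, STAGE2);
                        }
                    } catch (ParameterNotFoundException e5) {
                        e5.printStackTrace();
                    }
                }
                if (STAGE4.equals(stage)) {
                    try {
                        if (!((DefaultLessonAction) getAction(getCurrentAction(webSession))).isAuthorizedForEmployee(webSession, Integer.parseInt((String) webSession.getRequest().getSession().getAttribute(getLessonName() + "." + GoatHillsFinancial.USER_ID)), webSession.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID))) {
                            setStageComplete(webSession, STAGE4);
                        }
                    } catch (Exception ignored) {
                        // Best-effort probe, as in handleRequest(): failure just leaves the stage open.
                    }
                }
                webSession.setMessage("You are not authorized to perform this function");
                setCurrentAction(webSession, "error");
                e4.printStackTrace();
            } catch (ValidationException e7) {
                e7.printStackTrace();
                setCurrentAction(webSession, "error");
            } catch (Exception e8) {
                e8.printStackTrace();
                setCurrentAction(webSession, "error");
            }
        }
        setContent(new ElementContainer());
    }

    /** @return {@link #DEFAULT_RANKING} */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /** @return the lesson title shown in the WebGoat menu */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.session.Screen
    public String getTitle() {
        return "LAB: Role Based Access Control";
    }
}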
