Fix subdirectory deployments in a generic manner (#802)

* Fix subdirectory deployments in a generic manner by modifying`request.path` to combine both `request.script_root` and `request.path` and also creating a request preprocessor to redirect users into the true CTFd app. Without this sessions will be invalid because sessions will be set to a subdirectory. 
* Add a test for testing subdirectory deployments and the customized CTFdRequest object.
* Fix `TestingConfig.SAFE_MODE` getting stuck in between tests. 
* Order AWS keys properly in travis.yml
* Redirect to `request.full_path` instead of just `request.path`

tests/test_themes.py

@@ -3,6 +3,9 @@
 
 from tests.helpers import *
 from jinja2.sandbox import SecurityError
+from werkzeug.test import Client
+from werkzeug.wrappers import BaseResponse
+from flask import request
 
 
 def test_themes_run_in_sandbox():
@@ -62,3 +65,72 @@ def test_custom_css():
             r = admin.get('/static/user.css')
             assert r.get_data(as_text=True) == css_value2
     destroy_ctfd(app)
+
+
+def test_that_ctfd_can_be_deployed_in_subdir():
+    """Test that CTFd can be deployed in a subdirectory"""
+    # This test is quite complicated. I do not suggest modifying it haphazardly.
+    # Flask is automatically inserting the APPLICATION_ROOT into the
+    # test urls which means when we hit /setup we hit /ctf/setup.
+    # You can use the raw Werkzeug client to bypass this as we do below.
+    app = create_ctfd(setup=False, application_root='/ctf')
+    with app.app_context():
+        with app.test_client() as client:
+            r = client.get('/')
+            assert r.status_code == 302
+            assert r.location == 'http://localhost/ctf/setup'
+
+            r = client.get('/setup')
+            with client.session_transaction() as sess:
+                data = {
+                    "ctf_name": 'name',
+                    "name": 'admin',
+                    "email": 'admin@ctfd.io',
+                    "password": 'password',
+                    "user_mode": 'users',
+                    "nonce": sess.get('nonce')
+                }
+            r = client.post('/setup', data=data)
+            assert r.status_code == 302
+            assert r.location == 'http://localhost/ctf/'
+
+            c = Client(app)
+            app_iter, status, headers = c.get('/')
+            headers = dict(headers)
+            assert status == '302 FOUND'
+            assert headers['Location'] == 'http://localhost/ctf/'
+
+            r = client.get('/challenges')
+            assert r.status_code == 200
+            assert "Challenges" in r.get_data(as_text=True)
+
+            r = client.get('/scoreboard')
+            assert r.status_code == 200
+            assert "Scoreboard" in r.get_data(as_text=True)
+    destroy_ctfd(app)
+
+
+def test_that_request_path_hijacking_works_properly():
+    """Test that the CTFdRequest subclass correctly mimics the Flask Request when it should"""
+    app = create_ctfd(setup=False, application_root='/ctf')
+    assert app.request_class.__name__ == 'CTFdRequest'
+    with app.app_context():
+        # Despite loading /challenges request.path should actually be /ctf/challenges because we are
+        # preprending script_root and the test context already accounts for the application_root
+        with app.test_request_context('/challenges'):
+            assert request.path == '/ctf/challenges'
+    destroy_ctfd(app)
+
+    app = create_ctfd()
+    assert app.request_class.__name__ == 'CTFdRequest'
+    with app.app_context():
+        # Under normal circumstances we should be an exact clone of BaseRequest
+        with app.test_request_context('/challenges'):
+            assert request.path == '/challenges'
+
+        from flask import Flask
+        test_app = Flask('test')
+        assert test_app.request_class.__name__ == 'Request'
+        with test_app.test_request_context('/challenges'):
+            assert request.path == '/challenges'
+    destroy_ctfd(app)