Block new user registration if registering via MLC (#840)

* Block new user registration if registering via MLC
* Allow login with MLC while registration is disabled

tests/oauth/test_redirect.py

@@ -0,0 +1,104 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from tests.helpers import *
+from CTFd.utils import set_config
+
+
+def test_oauth_not_configured():
+    """Test that OAuth redirection fails if OAuth settings aren't configured"""
+    app = create_ctfd()
+    with app.app_context():
+        with app.test_client() as client:
+            r = client.get('/oauth', follow_redirects=False)
+            assert r.location == 'http://localhost/login'
+            r = client.get(r.location)
+            resp = r.get_data(as_text=True)
+            assert "OAuth Settings not configured" in resp
+    destroy_ctfd(app)
+
+
+def test_oauth_configured_flow():
+    """Test that MLC integration works properly but does not allow registration (account creation) if disabled"""
+    app = create_ctfd(user_mode="teams")
+    app.config.update({
+        'OAUTH_CLIENT_ID': 'ctfd_testing_client_id',
+        'OAUTH_CLIENT_SECRET': 'ctfd_testing_client_secret',
+        'OAUTH_AUTHORIZATION_ENDPOINT': 'http://auth.localhost/oauth/authorize',
+        'OAUTH_TOKEN_ENDPOINT': 'http://auth.localhost/oauth/token',
+        'OAUTH_API_ENDPOINT': 'http://api.localhost/user',
+    })
+    with app.app_context():
+        set_config('registration_visibility', 'private')
+        assert Users.query.count() == 1
+        assert Teams.query.count() == 0
+
+        client = login_with_mlc(app, raise_for_error=False)
+
+        assert Users.query.count() == 1
+
+        # Users shouldn't be able to register because registration is disabled
+        resp = client.get('http://localhost/login').get_data(as_text=True)
+        assert 'Public registration is disabled' in resp
+
+        set_config('registration_visibility', 'public')
+        client = login_with_mlc(app)
+
+        # Users should be able to register now
+        assert Users.query.count() == 2
+        user = Users.query.filter_by(email='user@ctfd.io').first()
+        assert user.oauth_id == 1337
+        assert user.team_id == 1
+
+        # Teams should be created
+        assert Teams.query.count() == 1
+        team = Teams.query.filter_by(id=1).first()
+        assert team.oauth_id == 1234
+
+        client.get('/logout')
+
+        # Users should still be able to login if registration is disabled
+        set_config('registration_visibility', 'private')
+        client = login_with_mlc(app)
+        with client.session_transaction() as sess:
+            assert sess['id']
+            assert sess['name']
+            assert sess['type']
+            assert sess['email']
+            assert sess['nonce']
+    destroy_ctfd(app)
+
+
+def test_oauth_login_upgrade():
+    """Test that users who use MLC after having registered will be associated with their MLC account"""
+    app = create_ctfd(user_mode="teams")
+    app.config.update({
+        'OAUTH_CLIENT_ID': 'ctfd_testing_client_id',
+        'OAUTH_CLIENT_SECRET': 'ctfd_testing_client_secret',
+        'OAUTH_AUTHORIZATION_ENDPOINT': 'http://auth.localhost/oauth/authorize',
+        'OAUTH_TOKEN_ENDPOINT': 'http://auth.localhost/oauth/token',
+        'OAUTH_API_ENDPOINT': 'http://api.localhost/user',
+    })
+    with app.app_context():
+        register_user(app)
+        assert Users.query.count() == 2
+        set_config('registration_visibility', 'private')
+
+        # Users should still be able to login
+        client = login_as_user(app)
+        client.get('/logout')
+
+        user = Users.query.filter_by(id=2).first()
+        assert user.oauth_id is None
+        assert user.team_id is None
+
+        login_with_mlc(app)
+
+        assert Users.query.count() == 2
+
+        # Logging in with MLC should insert an OAuth ID and team ID
+        user = Users.query.filter_by(id=2).first()
+        assert user.oauth_id
+        assert user.verified
+        assert user.team_id
+    destroy_ctfd(app)