aljaz/CTFd
1
0
Fork 0
mirror of https://github.com/aljazceru/CTFd.git synced 2025-12-17 22:14:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix freeze time regressions (#989)

Browse Source 
* Fix freeze time regressions in 2.x
* Make `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` endpoints load as admin to load all rows and bypass freeze
    * Closes #988
* Make `/api/v1/challenges/[id]/solves` respect freeze time. `/api/v1/challenges/[id]/solves?preview=true` is exposed for admins to see solves as a user would. 
    * Closes #986
This commit is contained in:
Kevin Chung
2019-05-11 00:18:56 -04:00
committed by GitHub
parent b7a19f74ff
commit 3d23ece370
8 changed files with 321 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
tests/api/v1/test_challenges.py
View File

@@ -1,7 +1,7 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from CTFd.models import Users, Challenges, Tags, Hints, Flags
from CTFd.models import Users, Challenges, Tags, Hints, Flags, Solves
from CTFd.utils import set_config
from tests.helpers import (
create_ctfd,
@@ -442,6 +442,54 @@ def test_api_challenge_get_solves_ctftime_public():
destroy_ctfd(app)
def test_api_challenge_get_solves_ctf_frozen():
"""Test users can only see challenge solves that happened before freeze time"""
app = create_ctfd()
with app.app_context():
register_user(app, name="user1", email="user1@ctfd.io")
register_user(app, name="user2", email="user2@ctfd.io")
# Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
set_config('freeze', '1507262400')
with freeze_time("2017-10-4"):
chal = gen_challenge(app.db)
chal_id = chal.id
gen_solve(app.db, user_id=2, challenge_id=chal_id)
chal2 = gen_challenge(app.db)
chal2_id = chal2.id
with freeze_time("2017-10-8"):
chal2 = gen_solve(app.db, user_id=2, challenge_id=chal2_id)
# There should now be two solves assigned to the same user.
assert Solves.query.count() == 2
client = login_as_user(app, name="user2")
# Challenge 1 should have one solve
r = client.get('/api/v1/challenges/1/solves')
data = r.get_json()['data']
assert len(data) == 1
# Challenge 2 should have a solve shouldn't be shown to the user
r = client.get('/api/v1/challenges/2/solves')
data = r.get_json()['data']
assert len(data) == 0
# Admins should see data as an admin with no modifications
admin = login_as_user(app, name="admin")
r = admin.get('/api/v1/challenges/2/solves')
data = r.get_json()['data']
assert len(data) == 1
# But should see as a user if the preview param is passed
r = admin.get('/api/v1/challenges/2/solves?preview=true')
data = r.get_json()['data']
assert len(data) == 0
destroy_ctfd(app)
def test_api_challenge_get_solves_visibility_private():
"""Can a private user get /api/v1/challenges/<challenge_id>/solves if challenge_visibility is private/public"""
app = create_ctfd()

127
tests/api/v1/test_teams.py
View File

@@ -1,7 +1,7 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from CTFd.models import Teams, Users
from CTFd.models import Teams, Users, Solves, Fails, Awards
from CTFd.utils import set_config
from CTFd.utils.crypto import verify_password
from tests.helpers import (
@@ -13,8 +13,12 @@ from tests.helpers import (
gen_team,
gen_challenge,
gen_flag,
gen_solve,
gen_award,
gen_fail,
simulate_user_activity
)
from freezegun import freeze_time
def test_api_teams_get_public():
@@ -42,7 +46,6 @@ def test_api_teams_get_private():
with login_as_user(app) as client:
set_config('account_visibility', 'public')
r = client.get('/api/v1/teams')
print(r.__dict__)
assert r.status_code == 200
set_config('account_visibility', 'private')
r = client.get('/api/v1/teams')
@@ -191,7 +194,6 @@ def test_api_team_get_private():
set_config('account_visibility', 'public')
gen_team(app.db)
r = client.get('/api/v1/teams/1')
print(r.__dict__)
assert r.status_code == 200
set_config('account_visibility', 'private')
r = client.get('/api/v1/teams/1')
@@ -408,7 +410,6 @@ def test_api_team_get_me_solves_logged_in():
app.db.session.commit()
with login_as_user(app, name="user_name") as client:
r = client.get('/api/v1/teams/me/solves')
print(r.get_json())
assert r.status_code == 200
destroy_ctfd(app)
@@ -424,11 +425,50 @@ def test_api_team_get_solves():
app.db.session.commit()
with login_as_user(app, name="user_name") as client:
r = client.get('/api/v1/teams/1/solves')
print(r.get_json())
assert r.status_code == 200
destroy_ctfd(app)
def test_api_team_get_solves_after_freze_time():
"""Can a user get /api/v1/teams/<team_id>/solves after freeze time"""
app = create_ctfd(user_mode="teams")
with app.app_context():
register_user(app)
team = gen_team(app.db, name='team1', email='team1@ctfd.io', member_count=1)
team_member = team.members[0]
tm_name = team_member.name
set_config('freeze', '1507262400')
with freeze_time("2017-10-4"):
chal = gen_challenge(app.db)
chal_id = chal.id
gen_solve(app.db, user_id=3, team_id=1, challenge_id=chal_id)
chal2 = gen_challenge(app.db)
chal2_id = chal2.id
with freeze_time("2017-10-8"):
gen_solve(app.db, user_id=3, team_id=1, challenge_id=chal2_id)
assert Solves.query.count() == 2
with login_as_user(app) as client:
r = client.get('/api/v1/teams/1/solves')
data = r.get_json()['data']
assert len(data) == 1
with login_as_user(app, name=tm_name) as client:
r = client.get('/api/v1/teams/me/solves')
data = r.get_json()['data']
assert len(data) == 2
with login_as_user(app, name="admin") as client:
r = client.get('/api/v1/teams/1/solves')
data = r.get_json()['data']
assert len(data) == 2
destroy_ctfd(app)
def test_api_team_get_me_fails_not_logged_in():
"""Can a user get /api/v1/teams/me/fails if not logged in"""
app = create_ctfd(user_mode="teams")
@@ -450,7 +490,6 @@ def test_api_team_get_me_fails_logged_in():
app.db.session.commit()
with login_as_user(app, name="user_name") as client:
r = client.get('/api/v1/teams/me/fails')
print(r.get_json())
assert r.status_code == 200
destroy_ctfd(app)
@@ -466,11 +505,47 @@ def test_api_team_get_fails():
app.db.session.commit()
with login_as_user(app, name="user_name") as client:
r = client.get('/api/v1/teams/1/fails')
print(r.get_json())
assert r.status_code == 200
destroy_ctfd(app)
def test_api_team_get_fails_after_freze_time():
"""Can a user get /api/v1/teams/<team_id>/fails after freeze time"""
app = create_ctfd(user_mode="teams")
with app.app_context():
register_user(app)
team = gen_team(app.db, name='team1', email='team1@ctfd.io', member_count=1)
team_member = team.members[0]
tm_name = team_member.name
set_config('freeze', '1507262400')
with freeze_time("2017-10-4"):
chal = gen_challenge(app.db)
chal_id = chal.id
chal2 = gen_challenge(app.db)
chal2_id = chal2.id
gen_fail(app.db, user_id=3, team_id=1, challenge_id=chal_id)
with freeze_time("2017-10-8"):
gen_fail(app.db, user_id=3, team_id=1, challenge_id=chal2_id)
assert Fails.query.count() == 2
with login_as_user(app) as client:
r = client.get('/api/v1/teams/1/fails')
assert r.get_json()['meta']['count'] == 1
with login_as_user(app, name=tm_name) as client:
r = client.get('/api/v1/teams/me/fails')
assert r.get_json()['meta']['count'] == 2
with login_as_user(app, name="admin") as client:
r = client.get('/api/v1/teams/1/fails')
assert r.get_json()['meta']['count'] == 2
destroy_ctfd(app)
def test_api_team_get_me_awards_not_logged_in():
"""Can a user get /api/v1/teams/me/awards if not logged in"""
app = create_ctfd(user_mode="teams")
@@ -492,7 +567,6 @@ def test_api_team_get_me_awards_logged_in():
app.db.session.commit()
with login_as_user(app, name="user_name") as client:
r = client.get('/api/v1/teams/me/awards')
print(r.get_json())
assert r.status_code == 200
destroy_ctfd(app)
@@ -508,11 +582,46 @@ def test_api_team_get_awards():
app.db.session.commit()
with login_as_user(app, name="user_name") as client:
r = client.get('/api/v1/teams/1/awards')
print(r.get_json())
assert r.status_code == 200
destroy_ctfd(app)
def test_api_team_get_awards_after_freze_time():
"""Can a user get /api/v1/teams/<team_id>/awards after freeze time"""
app = create_ctfd(user_mode="teams")
with app.app_context():
register_user(app)
team = gen_team(app.db, name='team1', email='team1@ctfd.io', member_count=1)
team_member = team.members[0]
tm_name = team_member.name
set_config('freeze', '1507262400')
with freeze_time("2017-10-4"):
gen_award(app.db, user_id=3)
with freeze_time("2017-10-8"):
gen_award(app.db, user_id=3)
assert Awards.query.count() == 2
with login_as_user(app) as client:
r = client.get('/api/v1/teams/1/awards')
data = r.get_json()['data']
assert len(data) == 1
with login_as_user(app, name=tm_name) as client:
r = client.get('/api/v1/teams/me/awards')
data = r.get_json()['data']
assert len(data) == 2
with login_as_user(app, name="admin") as client:
r = client.get('/api/v1/teams/1/awards')
data = r.get_json()['data']
assert len(data) == 2
destroy_ctfd(app)
def test_api_team_patch_password():
"""Can a user change their team password /api/v1/teams/me if logged in as the captain"""
app = create_ctfd(user_mode="teams")

131
tests/api/v1/test_users.py
View File

@@ -1,7 +1,7 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from CTFd.models import Users
from CTFd.models import Users, Solves, Awards, Fails
from CTFd.utils import set_config
from CTFd.utils.crypto import verify_password
from CTFd.schemas.users import UserSchema
@@ -10,9 +10,14 @@ from tests.helpers import (
destroy_ctfd,
register_user,
login_as_user,
simulate_user_activity,
gen_challenge,
gen_user,
simulate_user_activity
gen_solve,
gen_award,
gen_fail,
)
from freezegun import freeze_time
def test_api_users_get_public():
@@ -543,6 +548,49 @@ def test_api_user_get_solves():
destroy_ctfd(app)
def test_api_user_get_solves_after_freze_time():
"""Can a user get /api/v1/users/<user_id>/solves after freeze time"""
app = create_ctfd(user_mode="users")
with app.app_context():
register_user(app, name="user1", email="user1@ctfd.io")
register_user(app, name="user2", email="user2@ctfd.io")
# Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
set_config('freeze', '1507262400')
with freeze_time("2017-10-4"):
chal = gen_challenge(app.db)
chal_id = chal.id
gen_solve(app.db, user_id=2, challenge_id=chal_id)
chal2 = gen_challenge(app.db)
chal2_id = chal2.id
with freeze_time("2017-10-8"):
chal2 = gen_solve(app.db, user_id=2, challenge_id=chal2_id)
# There should now be two solves assigned to the same user.
assert Solves.query.count() == 2
# User 2 should have 2 solves when seen by themselves
client = login_as_user(app, name="user1")
r = client.get('/api/v1/users/me/solves')
data = r.get_json()['data']
assert len(data) == 2
# User 2 should have 1 solve when seen by another user
client = login_as_user(app, name="user2")
r = client.get('/api/v1/users/2/solves')
data = r.get_json()['data']
assert len(data) == 1
# Admins should see all solves for the user
admin = login_as_user(app, name="admin")
r = admin.get('/api/v1/users/2/solves')
data = r.get_json()['data']
assert len(data) == 2
destroy_ctfd(app)
def test_api_user_get_me_fails_not_logged_in():
"""Can a user get /api/v1/users/me/fails if not logged in"""
app = create_ctfd()
@@ -575,6 +623,46 @@ def test_api_user_get_fails():
destroy_ctfd(app)
def test_api_user_get_fails_after_freze_time():
"""Can a user get /api/v1/users/<user_id>/fails after freeze time"""
app = create_ctfd(user_mode="users")
with app.app_context():
register_user(app, name="user1", email="user1@ctfd.io")
register_user(app, name="user2", email="user2@ctfd.io")
# Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
set_config('freeze', '1507262400')
with freeze_time("2017-10-4"):
chal = gen_challenge(app.db)
chal_id = chal.id
chal2 = gen_challenge(app.db)
chal2_id = chal2.id
gen_fail(app.db, user_id=2, challenge_id=chal_id)
with freeze_time("2017-10-8"):
chal2 = gen_fail(app.db, user_id=2, challenge_id=chal2_id)
# There should now be two fails assigned to the same user.
assert Fails.query.count() == 2
# User 2 should have 2 fail when seen by themselves
client = login_as_user(app, name="user1")
r = client.get('/api/v1/users/me/fails')
assert r.get_json()['meta']['count'] == 2
# User 2 should have 1 fail when seen by another user
client = login_as_user(app, name="user2")
r = client.get('/api/v1/users/2/fails')
assert r.get_json()['meta']['count'] == 1
# Admins should see all fails for the user
admin = login_as_user(app, name="admin")
r = admin.get('/api/v1/users/2/fails')
assert r.get_json()['meta']['count'] == 2
destroy_ctfd(app)
def test_api_user_get_me_awards_not_logged_in():
"""Can a user get /api/v1/users/me/awards if not logged in"""
app = create_ctfd()
@@ -607,6 +695,45 @@ def test_api_user_get_awards():
destroy_ctfd(app)
def test_api_user_get_awards_after_freze_time():
"""Can a user get /api/v1/users/<user_id>/awards after freeze time"""
app = create_ctfd(user_mode="users")
with app.app_context():
register_user(app, name="user1", email="user1@ctfd.io")
register_user(app, name="user2", email="user2@ctfd.io")
# Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
set_config('freeze', '1507262400')
with freeze_time("2017-10-4"):
gen_award(app.db, user_id=2)
with freeze_time("2017-10-8"):
gen_award(app.db, user_id=2)
# There should now be two awards assigned to the same user.
assert Awards.query.count() == 2
# User 2 should have 2 awards when seen by themselves
client = login_as_user(app, name="user1")
r = client.get('/api/v1/users/me/awards')
data = r.get_json()['data']
assert len(data) == 2
# User 2 should have 1 award when seen by another user
client = login_as_user(app, name="user2")
r = client.get('/api/v1/users/2/awards')
data = r.get_json()['data']
assert len(data) == 1
# Admins should see all awards for the user
admin = login_as_user(app, name="admin")
r = admin.get('/api/v1/users/2/awards')
data = r.get_json()['data']
assert len(data) == 2
destroy_ctfd(app)
def test_api_accessing_hidden_users():
"""Hidden users should not be visible to normal users, only to admins"""
app = create_ctfd()