aljaz/CTFd
1
0
Fork 0
mirror of https://github.com/aljazceru/CTFd.git synced 2025-12-20 07:14:24 +01:00
Code Issues Packages Projects Releases Wiki Activity

2.0.0 (#741)

Browse Source 
* Fix user and admin panel user/team graphs
* Closes #682
* Unify login and logout under specific functions
* Closes #659
* Rename Challenges.hidden to Challenges.state
* Start to clean up API and front end integration starting with profile updating
* Slightly cleaner code
* Clean API to respond with success, data, and status codes
* Simpler COUNTRIES_LIST and update profile to use COUNTRIES_LIST
* Lookup country code in users page. Update front end calls to get API data properly
* Fix some API endpoints and fix JS to process new responses
* Update config.py to support new values
* Closes #635
* Update some code to handle user types, add email domain whitelisting
* Write a logging wrapper
* Use logging wrapper for submissions
* Close #656
* Break up config.html to make it easier to maintain
* Fix logging, domain_whitelist, and config
* Improving views.py, starting to add Announcements
* Starting announcements front end
* Make it easier to see large images, clean up some more REST API differences
* Closes #668
* Update Proxyfix config to REVERSE_PROXY
* Add announcements front end
* Move creation/edit modals into seperate files. Start moving user updating into their admin profile pages.
* Update font-awesome to 5.4.1
* Switch to user-edit icon
* Update the update_check function to send up more anonymous data for statistics purposes.
* Start work on #640
* Add the user action modals and update API to fix responses
* Fix admin teams page
* Add challenge requirements
* Implement anonymous locked challenges
* Team editting from admin panel
* Switch from simple cache to filesystem cache
* Implements a Cache backed server side session (#658) and fixes Users editting endpoint
* Add our messaging for docs
* Closes #700
* Remove invalid import
* Move challenge enditting around a whole lot and probably break a bunch of things
* Show challenge names in prerequisites instead of challenge IDs
* Closes #661
* Change user templates to use url_for
* Remove extra function
* Rewrite admin panel to use url_for
* Fix events to work under subdirectories
* Start cleaning up config panel
* Fix filesystem uploader; deprecate view_challenges_unregistered, view_scoreboard_if_authed, prevent_registration, view_after_ctf; implement new visibility decorators
* Remove workshop mode, fix some glitches with the new visibility settings
* Fix ctf_logo on core theme
* Fix setup errors
* Removing default from get_config b/c of memoization issues and getting some tests working
* Relax email regex validation rule (#693)
* Update to pycodestyle and fix new lint errors
* Add a ctf_id to update_check
* Change challenge plugin layout. Rename mailgun configs to be more descriptive (Closes #702)
* Detect if people try to set routes with '/' to simplify #690
* Closes #690
* Clean up some code
* Clean up challenge submit to rate limit
* Fix js version compatability issue
* Close some TODOs
* Hide challenges if not authenticated
* Make set_config reset the cache for those config values
* Return 404 on empty challenges for /api/v1/<challenge_id>/solves
* Fix setting boolean configs
* Properly change account config settings
* Move datetimes to isoformat (Closes #703)
* Remove all .isoformat() calls because it isn't UTC aware (ends in Z). Switch to isoformat function & filter
* Make /v1/submissions endpoint work for admin submission creation
* Make oauth_id unique for Users and Teams
* Move challenge submission endpoint and implement mark solved. Fix some isoformat issues.
* Only show team's missing challenges if in team mode
* Adding support for Hints & Unlocks
* Update challenge submission url
* Fix encoding functions in Python3
* Fix hexencode in Python3
* Added functional tests for challenges API for non-admin users (#705)
* Set hint default type to be standard
* Fix some JS issues. Closes #704
* Implement session.regenerate on top of the CachingSessionInterface
* Challenge challenge attempt responses from numbers to strings
* Fix password updating for UserSchema
* Remove leftover challenge submission code
* Remove old migrations :(, resolve challenge requirements not loading correctly, move migration functions
*  Added functional tests for challenges/hints/admin API (#710)
* Fix helpers and re-add JSONLite
* Install MySQL 5.7
* Try more mysql
* Update password for mysql
* Fixing issuse in Users.get_solves
* Add new import/export code
* Switch to CTFdSerializer for Python 3
* Re-implement import exports and add a very flaky test
* Redesign submissions API response
* Get export to roundtrip in tests
* Int score b/c Decimal is not JSON serializeable
* Remove unused route methods
* Fix POST /api/v1/configs and start adding admin tests
* Add user_id and team_id to top/10
* Fix admin creating Teams
* Fix Team website validation
* Change admins_only to reply with a 403 if the request is JSON
* Organize admin tests and fix authed_only to return 403 on unauthed
* Adding check_account_visibility, check_score_visibility for /api/v1/teams/<team_id>/(solves|awards|fails)
* Fix teams/me endpoints again
* Fix users/me endpoints to return 403 if unauthed
* Fix Python 3 config API
* Add fetch and promise polyfills. (#712)
* Add exec to docker-entrypoint.sh (#713)
* Display import_ctf Exceptions via repr (#651)
- Wraps exceptions on `/admin/import` returned to users in a `repr()`, making debugging easier.
* Add error messages to the admin panel, fix schemas for users, start working on UI for imports/exports
* Make unauthed challenge submission attempt return 403 instead of 302, Fix user deletion, fix associated tests, remove TODOs
* Remove old means of creating solves
* Remove most of the content from teams.js and users.js
* Remove extra code from /challenges.js
* Fix POST'ing & PATCH'ing pages
* Make (users|teams)/fails return only count to users. Fix public score graphs to factor in awards
* Fix admin side scoregraphs. Fix Awardschemas for admins
* Add requirements to db migration
* Adding some team decorators
* Fix require_team_mode decorator
* Make verified emails decorator return 403 on JSON requests
* Redo initial revision
* Add SQLiteJSON back
* Adding ratelimit to /redirect and removing POST from /oauth
* Fix PATCH tags
* Actually fix PATCH tags
* Simplify 500.html
* Added tests for challenges, awards, files, flags, hints ... (#723)
* Added tests for challenges, awards, files, flags, hints, notifications, pages, submissions, tags
* Fix user data validation functions, Fix hidden challenges and include test
* Add a locked state to attempt
* OAuth teams get verified, use logging functions in redirect route
* Removing extra print call
* Update requirements.txt
* Fix possible AttributeError
* Start work on #716
* Closes #717
* Fix issue patching teams
* Rename .j2 to .html, implement preview for challenges if admin
* Move admin/challenge.html to admin/challenges/challenge.html
* Remove old modals
* Add Reset CTF button (#639)
* Add Reset link to config.html
* Delete Tracking
* files handler should return a 404 on files it cant find
* Denote official teams (#729), make scoregraph fill to zero
* Remove old javascript files, make some challenge elements refresh by reloading
* Fix team editting modals to work more reliably
* Fix rendering of CTF paused
* Remove hide_scores funtion and roll it into scores visibility
* Log to stdout/stderr by default (#719)
* Fix user searching
* Remove searching for users/teams by country
* Add badges to admin team and user pages, implement user banning (#643)
* Remove shell.py, clean up admin team.html, add tests for banned users, teams
* Start cleaning up dynamic_challenges to meet new challenge type plugin format
* Remove POST method from teams.public
* Add credentials: 'same-origin' to all fetch calls (#734)
* Add challenge preview, add challenge deletion, fix file deletions when deleting challenges
* Fix imports UI (#735)
* Show prerequisites before adding a blank one (#738), Refresh all challenges after a submission (#739)
* Admins can see hidden challenges
* Fix some UI elements, fix loading location hash, set version to be 2.0.0
* Clean up some challenge plugin pages
* Add default for flag type
* Fix Python3 bytes/str issues
* Add in MLC urls and support user mode for oauth
* Fix seeing user graphs when scores are hidden, clean up setup.html, add links to MLC oauth
* Add state parameter support
* Use URLSafeTimedSerializer wrapper for sending token based emails
* setting APPLICATION_ROOT from env var (#732)
* Rearrange config.py and update README
* Updating README
This commit is contained in:
Kevin Chung
2018-11-19 23:16:14 -05:00
committed by GitHub
parent 41933cc367
commit c8031b38c2
378 changed files with 25728 additions and 13502 deletions
Download Patch File Download Diff File Expand all files Collapse all files

324
CTFd/auth.py
View File

@@ -1,17 +1,21 @@
import logging
import os
import re
import time
from flask import current_app as app, render_template, request, redirect, url_for, session, Blueprint
from itsdangerous import TimedSerializer, BadTimeSignature, Signer, BadSignature
from flask import current_app as app, render_template, request, redirect, url_for, session, Blueprint, abort
from passlib.hash import bcrypt_sha256
from CTFd.models import db, Teams
from CTFd import utils
from CTFd.utils import ratelimit
from CTFd.models import db, Users, Teams
from CTFd.utils import get_config, get_app_config
from CTFd.utils.decorators import ratelimit
from CTFd.utils import user as current_user
from CTFd.utils import config, validators
from CTFd.utils import email
from CTFd.utils.security.auth import login_user, logout_user
from CTFd.utils.logging import log
from CTFd.utils.decorators.visibility import check_registration_visibility
from CTFd.utils.modes import TEAMS_MODE, USERS_MODE
from CTFd.utils.security.signing import serialize, unserialize, SignatureExpired, BadSignature, BadTimeSignature
import base64
import requests
auth = Blueprint('auth', __name__)
@@ -19,40 +23,34 @@ auth = Blueprint('auth', __name__)
@auth.route('/confirm', methods=['POST', 'GET'])
@auth.route('/confirm/<data>', methods=['GET'])
@ratelimit(method="POST", limit=10, interval=60)
def confirm_user(data=None):
if not utils.get_config('verify_emails'):
def confirm(data=None):
if not get_config('verify_emails'):
# If the CTF doesn't care about confirming email addresses then redierct to challenges
return redirect(url_for('challenges.challenges_view'))
return redirect(url_for('challenges.listing'))
logger = logging.getLogger('regs')
# User is confirming email account
if data and request.method == "GET":
try:
s = TimedSerializer(app.config['SECRET_KEY'])
email = s.loads(utils.base64decode(data), max_age=1800)
except BadTimeSignature:
user_email = unserialize(data, max_age=1800)
except (BadTimeSignature, SignatureExpired):
return render_template('confirm.html', errors=['Your confirmation link has expired'])
except (BadSignature, TypeError, base64.binascii.Error):
return render_template('confirm.html', errors=['Your confirmation token is invalid'])
team = Teams.query.filter_by(email=email).first_or_404()
team = Users.query.filter_by(email=user_email).first_or_404()
team.verified = True
log('registrations', format="[{date}] {ip} - successful password reset for {name}")
db.session.commit()
logger.warn("[{date}] {ip} - {username} confirmed their account".format(
date=time.strftime("%m/%d/%Y %X"),
ip=utils.get_ip(),
username=team.name.encode('utf-8'),
email=team.email.encode('utf-8')
))
db.session.close()
if utils.authed():
return redirect(url_for('challenges.challenges_view'))
if current_user.authed():
return redirect(url_for('challenges.listing'))
return redirect(url_for('auth.login'))
# User is trying to start or restart the confirmation flow
if not utils.authed():
if not current_user.authed():
return redirect(url_for('auth.login'))
team = Teams.query.filter_by(id=session['id']).first_or_404()
team = Users.query.filter_by(id=session['id']).first_or_404()
if data is None:
if request.method == "POST":
@@ -60,17 +58,12 @@ def confirm_user(data=None):
if team.verified:
return redirect(url_for('views.profile'))
else:
utils.verify_email(team.email)
logger.warn("[{date}] {ip} - {username} initiated a confirmation email resend".format(
date=time.strftime("%m/%d/%Y %X"),
ip=utils.get_ip(),
username=team.name.encode('utf-8'),
email=team.email.encode('utf-8')
))
email.verify_email_address(team.email)
log('registrations', format="[{date}] {ip} - {name} initiated a confirmation email resend")
return render_template('confirm.html', team=team, infos=['Your confirmation email has been resent!'])
elif request.method == "GET":
# User has been directed to the confirm page
team = Teams.query.filter_by(id=session['id']).first_or_404()
team = Users.query.filter_by(id=session['id']).first_or_404()
if team.verified:
# If user is already verified, redirect to their profile
return redirect(url_for('views.profile'))
@@ -81,13 +74,10 @@ def confirm_user(data=None):
@auth.route('/reset_password/<data>', methods=['POST', 'GET'])
@ratelimit(method="POST", limit=10, interval=60)
def reset_password(data=None):
logger = logging.getLogger('logins')
if data is not None:
try:
s = TimedSerializer(app.config['SECRET_KEY'])
name = s.loads(utils.base64decode(data), max_age=1800)
except BadTimeSignature:
name = unserialize(data, max_age=1800)
except (BadTimeSignature, SignatureExpired):
return render_template('reset_password.html', errors=['Your link has expired'])
except (BadSignature, TypeError, base64.binascii.Error):
return render_template('reset_password.html', errors=['Your reset token is invalid'])
@@ -95,24 +85,20 @@ def reset_password(data=None):
if request.method == "GET":
return render_template('reset_password.html', mode='set')
if request.method == "POST":
team = Teams.query.filter_by(name=name).first_or_404()
team = Users.query.filter_by(name=name).first_or_404()
team.password = bcrypt_sha256.encrypt(request.form['password'].strip())
db.session.commit()
logger.warn("[{date}] {ip} - successful password reset for {username}".format(
date=time.strftime("%m/%d/%Y %X"),
ip=utils.get_ip(),
username=team.name.encode('utf-8')
))
log('logins', format="[{date}] {ip} - successful password reset for {name}")
db.session.close()
return redirect(url_for('auth.login'))
if request.method == 'POST':
email = request.form['email'].strip()
team = Teams.query.filter_by(email=email).first()
email_address = request.form['email'].strip()
team = Users.query.filter_by(email=email_address).first()
errors = []
if utils.can_send_mail() is False:
if config.can_send_mail() is False:
return render_template(
'reset_password.html',
errors=['Email could not be sent due to server misconfiguration']
@@ -124,7 +110,7 @@ def reset_password(data=None):
errors=['If that account exists you will receive an email, please check your inbox']
)
utils.forgot_password(email, team.name)
email.forgot_password(email_address, team.name)
return render_template(
'reset_password.html',
@@ -134,27 +120,36 @@ def reset_password(data=None):
@auth.route('/register', methods=['POST', 'GET'])
@check_registration_visibility
@ratelimit(method="POST", limit=10, interval=5)
def register():
logger = logging.getLogger('regs')
if not utils.can_register():
return redirect(url_for('auth.login'))
if request.method == 'POST':
errors = []
name = request.form['name']
email = request.form['email']
email_address = request.form['email']
password = request.form['password']
name_len = len(name) == 0
names = Teams.query.add_columns('name', 'id').filter_by(name=name).first()
emails = Teams.query.add_columns('email', 'id').filter_by(email=email).first()
names = Users.query.add_columns('name', 'id').filter_by(name=name).first()
emails = Users.query.add_columns('email', 'id').filter_by(email=email_address).first()
pass_short = len(password) == 0
pass_long = len(password) > 128
valid_email = utils.check_email_format(request.form['email'])
team_name_email_check = utils.check_email_format(name)
valid_email = validators.validate_email(request.form['email'])
team_name_email_check = validators.validate_email(name)
local_id, _, domain = email_address.partition('@')
domain_whitelist = get_config('domain_whitelist')
if not valid_email:
errors.append("Please enter a valid email address")
if domain_whitelist:
domain_whitelist = domain_whitelist.split(',')
if domain not in domain_whitelist:
errors.append(
"Only email addresses under {domains} may register".format(
domains=', '.join(domain_whitelist))
)
if names:
errors.append('That team name is already taken')
if team_name_email_check is True:
@@ -169,42 +164,41 @@ def register():
errors.append('Pick a longer team name')
if len(errors) > 0:
return render_template('register.html', errors=errors, name=request.form['name'], email=request.form['email'], password=request.form['password'])
return render_template(
'register.html',
errors=errors,
name=request.form['name'],
email=request.form['email'],
password=request.form['password']
)
else:
with app.app_context():
team = Teams(name, email.lower(), password)
db.session.add(team)
user = Users(
name=name.strip(),
email=email_address.lower(),
password=password.strip()
)
db.session.add(user)
db.session.commit()
db.session.flush()
session['username'] = team.name
session['id'] = team.id
session['admin'] = team.admin
session['nonce'] = utils.sha512(os.urandom(10))
login_user(user)
if utils.can_send_mail() and utils.get_config('verify_emails'): # Confirming users is enabled and we can send email.
logger = logging.getLogger('regs')
logger.warn("[{date}] {ip} - {username} registered (UNCONFIRMED) with {email}".format(
date=time.strftime("%m/%d/%Y %X"),
ip=utils.get_ip(),
username=request.form['name'].encode('utf-8'),
email=request.form['email'].encode('utf-8')
))
utils.verify_email(team.email)
if config.can_send_mail() and get_config('verify_emails'): # Confirming users is enabled and we can send email.
log('registrations', format="[{date}] {ip} - {name} registered (UNCONFIRMED) with {email}")
email.verify_email_address(user.email)
db.session.close()
return redirect(url_for('auth.confirm_user'))
return redirect(url_for('auth.confirm'))
else: # Don't care about confirming users
if utils.can_send_mail(): # We want to notify the user that they have registered.
utils.sendmail(request.form['email'], "You've successfully registered for {}".format(utils.get_config('ctf_name')))
if config.can_send_mail(): # We want to notify the user that they have registered.
email.sendmail(
request.form['email'],
"You've successfully registered for {}".format(get_config('ctf_name'))
)
logger.warn("[{date}] {ip} - {username} registered with {email}".format(
date=time.strftime("%m/%d/%Y %X"),
ip=utils.get_ip(),
username=request.form['name'].encode('utf-8'),
email=request.form['email'].encode('utf-8')
))
log('registrations', "[{date}] {ip} - {name} registered with {email}")
db.session.close()
return redirect(url_for('challenges.challenges_view'))
return redirect(url_for('challenges.listing'))
else:
return render_template('register.html')
@@ -212,65 +206,149 @@ def register():
@auth.route('/login', methods=['POST', 'GET'])
@ratelimit(method="POST", limit=10, interval=5)
def login():
logger = logging.getLogger('logins')
if request.method == 'POST':
errors = []
name = request.form['name']
# Check if the user submitted an email address or a team name
if utils.check_email_format(name) is True:
team = Teams.query.filter_by(email=name).first()
if validators.validate_email(name) is True:
user = Users.query.filter_by(email=name).first()
else:
team = Teams.query.filter_by(name=name).first()
user = Users.query.filter_by(name=name).first()
if user:
if user and bcrypt_sha256.verify(request.form['password'], user.password):
session.regenerate()
login_user(user)
log('logins', "[{date}] {ip} - {name} logged in")
if team:
if team and bcrypt_sha256.verify(request.form['password'], team.password):
try:
session.regenerate() # NO SESSION FIXATION FOR YOU
except:
pass # TODO: Some session objects don't implement regenerate :(
session['username'] = team.name
session['id'] = team.id
session['admin'] = team.admin
session['nonce'] = utils.sha512(os.urandom(10))
db.session.close()
logger.warn("[{date}] {ip} - {username} logged in".format(
date=time.strftime("%m/%d/%Y %X"),
ip=utils.get_ip(),
username=session['username'].encode('utf-8')
))
if request.args.get('next') and utils.is_safe_url(request.args.get('next')):
if request.args.get('next') and validators.is_safe_url(request.args.get('next')):
return redirect(request.args.get('next'))
return redirect(url_for('challenges.challenges_view'))
return redirect(url_for('challenges.listing'))
else: # This user exists but the password is wrong
logger.warn("[{date}] {ip} - submitted invalid password for {username}".format(
date=time.strftime("%m/%d/%Y %X"),
ip=utils.get_ip(),
username=team.name.encode('utf-8')
))
else:
# This user exists but the password is wrong
log('logins', "[{date}] {ip} - submitted invalid password for {name}")
errors.append("Your username or password is incorrect")
db.session.close()
return render_template('login.html', errors=errors)
else: # This user just doesn't exist
logger.warn("[{date}] {ip} - submitted invalid account information".format(
date=time.strftime("%m/%d/%Y %X"),
ip=utils.get_ip()
))
else:
# This user just doesn't exist
log('logins', "[{date}] {ip} - submitted invalid account information")
errors.append("Your username or password is incorrect")
db.session.close()
return render_template('login.html', errors=errors)
else:
db.session.close()
return render_template('login.html')
@auth.route('/oauth')
def oauth_login():
endpoint = get_app_config('OAUTH_AUTHORIZATION_ENDPOINT') \
or get_config('oauth_authorization_endpoint') \
or 'https://auth.majorleaguecyber.org/oauth/authorize'
if get_config('user_mode') == 'teams':
scope = 'profile team'
else:
scope = 'profile'
client_id = get_app_config('OAUTH_CLIENT_ID') or get_config('oauth_client_id')
redirect_url = "{endpoint}?response_type=code&client_id={client_id}&scope={scope}&state={state}".format(
endpoint=endpoint,
client_id=client_id,
scope=scope,
state=session['nonce']
)
return redirect(redirect_url)
@auth.route('/redirect', methods=['GET'])
@ratelimit(method="GET", limit=10, interval=60)
def oauth_redirect():
oauth_code = request.args.get('code')
state = request.args.get('state')
if session['nonce'] != state:
log('logins', "[{date}] {ip} - OAuth State validation mismatch")
abort(500)
if oauth_code:
url = get_app_config('OAUTH_TOKEN_ENDPOINT') \
or get_config('oauth_token_endpoint') \
or 'https://auth.majorleaguecyber.org/oauth/token'
client_id = get_app_config('OAUTH_CLIENT_ID') or get_config('oauth_client_id')
client_secret = get_app_config('OAUTH_CLIENT_SECRET') or get_config('oauth_client_secret')
headers = {
'content-type': 'application/x-www-form-urlencoded'
}
data = {
'code': oauth_code,
'client_id': client_id,
'client_secret': client_secret,
'grant_type': 'authorization_code'
}
token_request = requests.post(url, data=data, headers=headers)
if token_request.status_code == requests.codes.ok:
token = token_request.json()['access_token']
user_url = get_app_config('OAUTH_API_ENDPOINT') \
or get_config('oauth_api_endpoint') \
or 'http://api.majorleaguecyber.org/user'
headers = {
'Authorization': 'Bearer ' + str(token),
'Content-type': 'application/json'
}
api_data = requests.get(url=user_url, headers=headers).json()
user_id = api_data['id']
user_name = api_data['name']
user_email = api_data['email']
user = Users.query.filter_by(email=user_email).first()
if user is None:
user = Users(
name=user_name,
email=user_email,
oauth_id=user_id,
verified=True
)
db.session.add(user)
db.session.commit()
if get_config('user_mode') == TEAMS_MODE:
team_id = api_data['team']['id']
team_name = api_data['team']['name']
team = Teams.query.filter_by(oauth_id=team_id).first()
if team is None:
team = Teams(
name=team_name,
oauth_id=team_id
)
db.session.add(team)
db.session.commit()
team.members.append(user)
db.session.commit()
login_user(user)
return redirect(url_for('challenges.listing'))
else:
log('logins', "[{date}] {ip} - OAuth token retrieval failure")
abort(500)
else:
log('logins', "[{date}] {ip} - Received redirect without OAuth code")
abort(500)
@auth.route('/logout')
def logout():
if utils.authed():
session.clear()
if current_user.authed():
logout_user()
return redirect(url_for('views.static_html'))