Limit total number of teams (#1867)

* Adds support for a total teams limit

.dockerignore

@@ -15,3 +15,5 @@ CTFd/uploads/**/*
 **/node_modules
 **/*.pyc
 **/__pycache__
+.venv*
+venv*

.gitignore

@@ -8,6 +8,8 @@ __pycache__/
 # Distribution / packaging
 .Python
 env/
+venv*
+.venv*
 build/
 develop-eggs/
 dist/

.prettierignore

@@ -8,3 +8,6 @@ CTFd/themes/**/vendor/
 *.svg
 *.mp3
 *.webm
+.pytest_cache
+venv*
+.venv*

CTFd/auth.py

@@ -1,7 +1,7 @@
 import base64
 
 import requests
-from flask import Blueprint
+from flask import Blueprint, abort
 from flask import current_app as app
 from flask import redirect, render_template, request, session, url_for
 from itsdangerous.exc import BadSignature, BadTimeSignature, SignatureExpired
@@ -510,6 +510,16 @@ def oauth_redirect():
 
                 team = Teams.query.filter_by(oauth_id=team_id).first()
                 if team is None:
+                    num_teams_limit = int(get_config("num_teams", default=0))
+                    num_teams = Teams.query.filter_by(
+                        banned=False, hidden=False
+                    ).count()
+                    if num_teams_limit and num_teams >= num_teams_limit:
+                        abort(
+                            403,
+                            description=f"Reached the maximum number of teams ({num_teams_limit}). Please join an existing team.",
+                        )
+
                     team = Teams(name=team_name, oauth_id=team_id, captain_id=user.id)
                     db.session.add(team)
                     db.session.commit()

CTFd/forms/config.py

@@ -43,6 +43,9 @@ class AccountSettingsForm(BaseForm):
         widget=NumberInput(min=0),
         description="Amount of users per team (Teams mode only)",
     )
+    num_teams = IntegerField(
+        widget=NumberInput(min=0), description="Max number of teams (Teams mode only)",
+    )
     verify_emails = SelectField(
         "Verify Emails",
         description="Control whether users must confirm their email addresses before playing",

CTFd/teams.py

@@ -197,6 +197,14 @@ def new():
             description="Team creation is currently disabled. Please join an existing team.",
         )
 
+    num_teams_limit = int(get_config("num_teams", default=0))
+    num_teams = Teams.query.filter_by(banned=False, hidden=False).count()
+    if num_teams_limit and num_teams >= num_teams_limit:
+        abort(
+            403,
+            description=f"Reached the maximum number of teams ({num_teams_limit}). Please join an existing team.",
+        )
+
     user = get_current_user_attrs()
     if user.team_id:
         errors.append("You are already in a team. You cannot join another.")

CTFd/themes/admin/templates/configs/accounts.html

@@ -38,6 +38,14 @@
 			</small>
 		</div>
 
+		<div class="form-group">
+			{{ form.num_teams.label }}
+			{{ form.num_teams(class="form-control", value=num_teams) }}
+			<small class="form-text text-muted">
+				{{ form.num_teams.description }}
+			</small>
+		</div>
+
 		<div class="form-group">
 			{{ form.team_disbanding.label }}
 			{{ form.team_disbanding(class="form-control", value=team_disbanding) }}

tests/oauth/test_teams.py

@@ -30,3 +30,42 @@ def test_team_size_limit():
         login_with_mlc(app, team_name="team_name", team_oauth_id=1234)
         assert len(Teams.query.filter_by(id=team_id).first().members) == 2
     destroy_ctfd(app)
+
+
+def test_num_teams_limit():
+    """Only num_teams teams can be created even via MLC"""
+    app = create_ctfd(user_mode="teams")
+    app.config.update(
+        {
+            "OAUTH_CLIENT_ID": "ctfd_testing_client_id",
+            "OAUTH_CLIENT_SECRET": "ctfd_testing_client_secret",
+            "OAUTH_AUTHORIZATION_ENDPOINT": "http://auth.localhost/oauth/authorize",
+            "OAUTH_TOKEN_ENDPOINT": "http://auth.localhost/oauth/token",
+            "OAUTH_API_ENDPOINT": "http://api.localhost/user",
+        }
+    )
+    with app.app_context():
+        set_config("num_teams", 1)
+        gen_team(app.db, member_count=1, oauth_id=1234)
+        login_with_mlc(
+            app,
+            name="foobar",
+            email="foobar@a.com",
+            oauth_id=111,
+            team_name="foobar",
+            team_oauth_id=1111,
+            raise_for_error=False,
+        )
+        assert Teams.query.count() == 1
+
+        set_config("num_teams", 2)
+        login_with_mlc(
+            app,
+            name="foobarbaz",
+            email="foobarbaz@a.com",
+            oauth_id=222,
+            team_name="foobarbaz",
+            team_oauth_id=2222,
+        )
+        assert Teams.query.count() == 2
+    destroy_ctfd(app)

tests/teams/test_teams.py

@@ -181,6 +181,40 @@ def test_team_size_limit():
     destroy_ctfd(app)
 
 
+def test_num_teams_limit():
+    """Only num_teams teams can be created"""
+    app = create_ctfd(user_mode="teams")
+    with app.app_context():
+        set_config("num_teams", 1)
+
+        # Create a team
+        gen_team(app.db, member_count=1)
+
+        register_user(app)
+        with login_as_user(app) as client:
+            r = client.get("/teams/new")
+            assert r.status_code == 403
+
+            # team should be blocked from creation
+            with client.session_transaction() as sess:
+                data = {
+                    "name": "team1",
+                    "password": "password",
+                    "nonce": sess.get("nonce"),
+                }
+            r = client.post("/teams/new", data=data)
+            resp = r.get_data(as_text=True)
+            assert Teams.query.count() == 1
+            assert "Reached the maximum number of teams" in resp
+
+            # Can the team be created after the num has been bumped
+            set_config("num_teams", 2)
+            r = client.post("/teams/new", data=data)
+            resp = r.get_data(as_text=True)
+            assert Teams.query.count() == 2
+    destroy_ctfd(app)
+
+
 def test_team_creation_disable():
     app = create_ctfd(user_mode="teams")
     with app.app_context():