#!/usr/bin/env python # -*- coding: utf-8 -*- from CTFd.utils import set_config from tests.helpers import * from freezegun import freeze_time import json def test_api_hint_404(): """Can the users 404 /api/v1/hints/ if logged in/out""" app = create_ctfd() with app.app_context(): register_user(app) client = login_as_user(app) r = client.get('/api/v1/hints/1') assert r.status_code == 404 destroy_ctfd(app) def test_api_hint_visibility(): """Can the users load /api/v1/hints/ if logged in/out""" app = create_ctfd() with app.app_context(): chal = gen_challenge(app.db) gen_hint(app.db, chal.id) with app.test_client() as non_logged_in_user: r = non_logged_in_user.get('/api/v1/hints/1') assert r.status_code == 302 register_user(app) client = login_as_user(app) r = client.get('/api/v1/hints/1') assert r.status_code == 200 destroy_ctfd(app) def test_api_hint_visibility_ctftime(): """Can the users load /api/v1/hints/ if not ctftime""" app = create_ctfd() with app.app_context(), freeze_time("2017-10-7"): set_config('start', '1507089600') # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST set_config('end', '1507262400') # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST chal = gen_challenge(app.db) gen_hint(app.db, chal.id) register_user(app) client = login_as_user(app) r = client.get('/api/v1/hints/1') assert r.status_code == 403 destroy_ctfd(app) def test_api_hint_locked(): """Can the users unlock /api/v1/hints/ if they don't have enough points""" app = create_ctfd() with app.app_context(): chal = gen_challenge(app.db) gen_hint(app.db, chal.id, content="This is a hint", cost=1, type="standard") register_user(app) client = login_as_user(app) r = client.get('/api/v1/hints/1') assert r.status_code == 200 r = client.post('/api/v1/unlocks', json={"target": 1, "type": "hints"}) assert r.status_code == 400 destroy_ctfd(app) def test_api_hint_unlocked(): """Can the users unlock /api/v1/hints/ if they have enough points""" app = create_ctfd() with app.app_context(): chal = gen_challenge(app.db) gen_hint(app.db, chal.id, content="This is a hint", cost=1, type="standard") register_user(app) # Give user points with an award gen_award(app.db, 2) client = login_as_user(app) r = client.get('/api/v1/hints/1') assert r.status_code == 200 r = client.post('/api/v1/unlocks', json={"target": 1, "type": "hints"}) assert r.status_code == 200 r = client.get('/api/v1/hints/1') assert r.status_code == 200 destroy_ctfd(app) def test_api_hints_admin_access(): """Can the users access /api/v1/hints if not admin""" app = create_ctfd() with app.app_context(): register_user(app) client = login_as_user(app) r = client.get('/api/v1/hints') assert r.status_code == 302 r = client.post('/api/v1/hints', json="") assert r.status_code == 403 destroy_ctfd(app) def test_api_hint_admin_access(): """Can the users patch/delete /api/v1/hint/ if not admin""" app = create_ctfd() with app.app_context(): chal = gen_challenge(app.db) gen_hint(app.db, chal.id, content="This is a hint", cost=1, type="standard") admin = login_as_user(app, "admin") register_user(app) client = login_as_user(app) r = client.patch('/api/v1/hints/1', json="") assert r.status_code == 403 r = client.delete('/api/v1/hints/1', json="") assert r.status_code == 403 r_admin = admin.patch('/api/v1/hints/1', json={"cost": 2}) assert r_admin.status_code == 200 r_admin = admin.delete('/api/v1/hints/1', json="") assert r_admin.status_code == 200 destroy_ctfd(app)