mirror of
https://github.com/aljazceru/CTFd.git
synced 2025-12-17 05:54:19 +01:00
3af98b17d5
* Bootstrap v4 (#490) * Upgrading original theme to use Bootstrap v4 and overall improve use of utility classes * Fixing graph issues. Colors per team & cleaner hover * The solves tab now shows relative time instead of absolute time * Redesign admin theme * Updating modals and changing form name from desc to description * Moving CSS config from Pages to Config page * Adding IP address count to statistics * Move control of certain modals (files, flags, tags, hints) to challenges page * Expanding size of config page * Combining statistics and graphs pages * Moving percentage solved to the statistics page instead of the admin challenges page * Rename Keys.key_type to Keys.type (#459) (#478) * Rename keys.key_type to keys.type (#459) * Fixing previous migration to not be worried about key_type v type * Fixing loading of challenge type plugins * Switching from Handlebars to Nunjucks (#491) * Switching from Handlebars to Nunjucks * Allow admins to unlock hints before CTF begins and test that this is not allowed for regular users * Authed only (#492) * Adding authed_only decorator and adding next to url_for * Adding a basic preview to hints (#494) * Hints have a preview now for creating and updating hints. HTML and markdown are still allowed. * Ezq (#495) * Adding ezq as a simple wrapper around bootstrap modals * Use tabs not spaces and remove gray background on inputs * Adding title & draft to Pages. Making page preview open a new tab (#497) * Adding title & draft to Pages. * Making page preview open a new tab instead of render in the existing tab * Draft pages cannot be seen without a preview * Update check (#499) * Add update_check function * Notify user that a CTFd update is available in the admin panel * Adding update_check tests * Ratelimit (#500) * Implementing a ratelimit function * Fix error page formatting * Add rate limiting tests * Rate limit authentication functions and rate limit admin send email function * Load user solves before we load challenges to avoid unstyled buttons (#502) * Add a challenge preview (#503) * Adding a challenge preview to the admin panel * Change /admin/chals/<int:chalid> to /admin/chal/<int:chalid> * Adding codecov (#504) * Test coverage at https://codecov.io/gh/CTFd/CTFd * Sendmail improvements (#505) * Add get_smtp timeout, add sendmail error messages * Adding more error handling to sendmail * Adding Flask-Script (#507) * Pause ctf (#508) * Implement CTF pausing * Test CTF pausing * Fix loading challenges for users (#510) * Fix loading challenges for users * Temporarily switch themes in test * Pause help text (#509) * Adding pause help text * Pages authed (#511) * Adding authentication options to pages * Adding tests for accessing pages while draft & auth_required * Merging master into 1.1 (#513) * Name the core theme and remove the original theme
373 lines
12 KiB
Python
373 lines
12 KiB
Python
#!/usr/bin/env python
|
|
# -*- coding: utf-8 -*-
|
|
|
|
from tests.helpers import *
|
|
from CTFd.models import Teams, Challenges
|
|
from CTFd.utils import get_config, set_config, override_template, sendmail, verify_email, ctf_started, ctf_ended
|
|
from CTFd.plugins.challenges import get_chal_class
|
|
from freezegun import freeze_time
|
|
from mock import patch
|
|
|
|
import json
|
|
|
|
|
|
def test_admin_panel():
|
|
"""Does the admin panel return a 200 by default"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
r = client.get('/admin')
|
|
assert r.status_code == 302
|
|
r = client.get('/admin/statistics')
|
|
assert r.status_code == 200
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admin_pages():
|
|
"""Does admin pages return a 200 by default"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
r = client.get('/admin/pages')
|
|
assert r.status_code == 200
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admin_teams():
|
|
"""Does admin teams return a 200 by default"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
r = client.get('/admin/teams')
|
|
assert r.status_code == 200
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admin_scoreboard():
|
|
"""Does admin scoreboard return a 200 by default"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
r = client.get('/admin/scoreboard')
|
|
assert r.status_code == 200
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admin_chals():
|
|
"""Does admin chals return a 200 by default"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
r = client.get('/admin/chals')
|
|
assert r.status_code == 200
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admin_statistics():
|
|
"""Does admin statistics return a 200 by default"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
r = client.get('/admin/statistics')
|
|
assert r.status_code == 200
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admin_config():
|
|
"""Does admin config return a 200 by default"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
r = client.get('/admin/config')
|
|
assert r.status_code == 200
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admins_can_access_challenges_before_ctftime():
|
|
'''Admins can see and solve challenges despite it being before ctftime'''
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
set_config('start', '1507089600') # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
|
|
set_config('end', '1507262400') # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
|
|
register_user(app)
|
|
chal = gen_challenge(app.db)
|
|
chal_id = chal.id
|
|
flag = gen_flag(app.db, chal=chal.id, flag=u'flag')
|
|
|
|
with freeze_time("2017-10-2"):
|
|
client = login_as_user(app, name='admin', password='password')
|
|
r = client.get('/chals')
|
|
assert r.status_code == 200
|
|
|
|
with client.session_transaction() as sess:
|
|
data = {
|
|
"key": 'flag',
|
|
"nonce": sess.get('nonce')
|
|
}
|
|
r = client.post('/chal/{}'.format(chal_id), data=data)
|
|
assert r.status_code == 200
|
|
solve_count = app.db.session.query(app.db.func.count(Solves.id)).first()[0]
|
|
assert solve_count == 1
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admins_can_create_challenges():
|
|
'''Test that admins can create new challenges'''
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
|
|
with client.session_transaction() as sess:
|
|
data = {
|
|
'name': '💫',
|
|
'category': '💫',
|
|
'description': 'description',
|
|
'value': 100,
|
|
'key_type[0]': 'static',
|
|
'key': 'flag',
|
|
'max_attempts': 5,
|
|
'nonce': sess.get('nonce'),
|
|
'chaltype': 'standard'
|
|
}
|
|
r = client.post('/admin/chal/new', data=data)
|
|
assert r.status_code == 302
|
|
|
|
assert Challenges.query.count() == 1
|
|
chal = Challenges.query.filter_by(id=1).first()
|
|
assert chal.name == '💫'
|
|
assert chal.category == '💫'
|
|
assert chal.max_attempts == 5
|
|
assert chal.description == 'description'
|
|
assert chal.value == 100
|
|
assert chal.type == 'standard'
|
|
|
|
assert Keys.query.count() == 1
|
|
key = Keys.query.filter_by(id=1).first()
|
|
assert key.type == 'static'
|
|
assert key.flag == 'flag'
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admins_can_update_challenges():
|
|
'''Test that admins can update challenges'''
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
|
|
chal = gen_challenge(app.db)
|
|
chal_id = chal.id
|
|
|
|
assert Challenges.query.count() == 1
|
|
|
|
with client.session_transaction() as sess:
|
|
data = {
|
|
'id': chal_id,
|
|
'name': '💫',
|
|
'category': '💫',
|
|
'description': 'description',
|
|
'value': 100,
|
|
'key_type[0]': 'static',
|
|
'max_attempts': '',
|
|
'nonce': sess.get('nonce'),
|
|
'chaltype': 'standard'
|
|
}
|
|
r = client.post('/admin/chal/update', data=data)
|
|
|
|
assert Challenges.query.count() == 1
|
|
chal_check = Challenges.query.filter_by(id=chal_id).first()
|
|
assert chal_check.name == '💫'
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admins_can_delete_challenges():
|
|
'''Test that admins can delete challenges'''
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
|
|
chal = gen_challenge(app.db)
|
|
chal_id = chal.id
|
|
|
|
assert Challenges.query.count() == 1
|
|
|
|
with client.session_transaction() as sess:
|
|
data = {
|
|
'id': chal_id,
|
|
'nonce': sess.get('nonce'),
|
|
}
|
|
r = client.post('/admin/chal/delete', data=data)
|
|
assert r.get_data(as_text=True) == '1'
|
|
|
|
assert Challenges.query.count() == 0
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admin_chal_detail_returns_proper_data():
|
|
"""Test that the /admin/chals/<int:chalid> endpoint returns the proper data"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
|
|
chal = gen_challenge(app.db)
|
|
chal_class = get_chal_class(chal.type)
|
|
data = {
|
|
'id': chal.id,
|
|
'name': chal.name,
|
|
'value': chal.value,
|
|
'description': chal.description,
|
|
'category': chal.category,
|
|
'hidden': chal.hidden,
|
|
'max_attempts': chal.max_attempts,
|
|
'type': chal.type,
|
|
'type_data': {
|
|
'id': chal_class.id,
|
|
'name': chal_class.name,
|
|
'templates': chal_class.templates,
|
|
'scripts': chal_class.scripts,
|
|
}
|
|
}
|
|
|
|
assert Challenges.query.count() == 1
|
|
|
|
r = client.get('/admin/chal/1')
|
|
response = json.loads(r.get_data(as_text=True))
|
|
|
|
assert data == response
|
|
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admins_can_create_teams():
|
|
'''Test that admins can create new teams'''
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
|
|
with client.session_transaction() as sess:
|
|
data = {
|
|
'name': 'TunnelBunnies',
|
|
'password': 'fUnn3lJuNK135',
|
|
'email': 'scary.hares@trace.us',
|
|
'website': 'https://scary-hares.trace.us/',
|
|
'affiliation': 'Energizer',
|
|
'country': 'USA',
|
|
'nonce': sess.get('nonce'),
|
|
}
|
|
r = client.post('/admin/team/new', data=data)
|
|
assert r.status_code == 200
|
|
|
|
team = Teams.query.filter_by(id=2).first()
|
|
assert team
|
|
assert team.name == 'TunnelBunnies'
|
|
assert team.email == 'scary.hares@trace.us'
|
|
assert team.website == 'https://scary-hares.trace.us/'
|
|
assert team.affiliation == 'Energizer'
|
|
assert team.country == 'USA'
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admin_create_team_without_required_fields():
|
|
'''Test that an admin can't create a new team without the required fields'''
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
|
|
with client.session_transaction() as sess:
|
|
data = {
|
|
'name': '',
|
|
'password': '',
|
|
'email': '',
|
|
'website': '',
|
|
'affiliation': '',
|
|
'country': '',
|
|
'nonce': sess.get('nonce'),
|
|
}
|
|
r = client.post('/admin/team/new', data=data)
|
|
assert r.status_code == 200
|
|
|
|
response = json.loads(r.get_data(as_text=True))
|
|
assert 'data' in response
|
|
assert len(response['data']) == 3
|
|
assert 'The team requires a name' in response['data']
|
|
assert 'The team requires an email' in response['data']
|
|
assert 'The team requires a password' in response['data']
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admin_create_team_with_existing_name():
|
|
'''Test that an admin can't create a new team with an existing name'''
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
|
|
with client.session_transaction() as sess:
|
|
data = {
|
|
'name': 'admin',
|
|
'password': 'fUnn3lJuNK135',
|
|
'email': 'scary.hares@trace.us',
|
|
'website': 'https://scary-hares.trace.us/',
|
|
'affiliation': 'Energizer',
|
|
'country': 'USA',
|
|
'nonce': sess.get('nonce'),
|
|
}
|
|
r = client.post('/admin/team/new', data=data)
|
|
assert r.status_code == 200
|
|
|
|
response = json.loads(r.get_data(as_text=True))
|
|
assert 'data' in response
|
|
assert len(response['data']) == 1
|
|
assert 'That name is taken' in response['data']
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admin_create_team_with_existing_email():
|
|
'''Test that an admin can't create a new team with an existing email'''
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
|
|
with client.session_transaction() as sess:
|
|
data = {
|
|
'name': 'TunnelBunnies',
|
|
'password': 'fUnn3lJuNK135',
|
|
'email': 'admin@ctfd.io',
|
|
'website': 'https://scary-hares.trace.us/',
|
|
'affiliation': 'Energizer',
|
|
'country': 'USA',
|
|
'nonce': sess.get('nonce'),
|
|
}
|
|
r = client.post('/admin/team/new', data=data)
|
|
assert r.status_code == 200
|
|
|
|
response = json.loads(r.get_data(as_text=True))
|
|
assert 'data' in response
|
|
assert len(response['data']) == 1
|
|
assert 'That email is taken' in response['data']
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_admin_create_team_with_invalid_website():
|
|
'''Test that an admin can't create a new team with an invalid website'''
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
client = login_as_user(app, name="admin", password="password")
|
|
|
|
with client.session_transaction() as sess:
|
|
data = {
|
|
'name': 'TunnelBunnies',
|
|
'password': 'fUnn3lJuNK135',
|
|
'email': 'scary.hares@trace.us',
|
|
'website': 'ftp://scary-hares.trace.us/',
|
|
'affiliation': 'Energizer',
|
|
'country': 'USA',
|
|
'nonce': sess.get('nonce'),
|
|
}
|
|
r = client.post('/admin/team/new', data=data)
|
|
assert r.status_code == 200
|
|
|
|
response = json.loads(r.get_data(as_text=True))
|
|
assert 'data' in response
|
|
assert len(response['data']) == 1
|
|
assert 'Websites must start with http:// or https://' in response['data']
|
|
destroy_ctfd(app)
|