def test_oauth_login_upgrade():
"""Test that users who use MLC after having registered will be associated with their MLC account"""
app = create_kmactf(user_mode="teams")
app.config.update({
"OAUTH_CLIENT_ID": "kmactf_testing_client_id",
"OAUTH_CLIENT_SECRET": "kmactf_testing_client_secret",
"OAUTH_AUTHORIZATION_ENDPOINT":
"http://auth.localhost/oauth/authorize",
"OAUTH_TOKEN_ENDPOINT": "http://auth.localhost/oauth/token",
"OAUTH_API_ENDPOINT": "http://api.localhost/user",
})
with app.app_context():
register_user(app)
assert Users.query.count() == 2
set_config("registration_visibility", "private")
# Users should still be able to login
client = login_as_user(app)
client.get("/logout")
user = Users.query.filter_by(id=2).first()
assert user.oauth_id is None
assert user.team_id is None
login_with_mlc(app)
assert Users.query.count() == 2
# Logging in with MLC should insert an OAuth ID and team ID
user = Users.query.filter_by(id=2).first()
assert user.oauth_id
assert user.verified
assert user.team_id
destroy_kmactf(app)
def test_team_size_limit():
"""Only team_size amount of members can join a team"""
app = create_kmactf(user_mode="teams")
with app.app_context():
set_config("team_size", 1)
# Create a team with only one member
team = gen_team(app.db, member_count=1)
team_id = team.id
register_user(app)
with login_as_user(app) as client:
r = client.get("/teams/join")
assert r.status_code == 200
# User should be blocked from joining
with client.session_transaction() as sess:
data = {
"name": "team_name",
"password": "******",
"nonce": sess.get("nonce"),
}
r = client.post("/teams/join", data=data)
resp = r.get_data(as_text=True)
assert len(Teams.query.filter_by(id=team_id).first().members) == 1
assert "already reached the team size limit of 1" in resp
# Can the user join after the size has been bumped
set_config("team_size", 2)
r = client.post("/teams/join", data=data)
resp = r.get_data(as_text=True)
assert len(Teams.query.filter_by(id=team_id).first().members) == 2
destroy_kmactf(app)
def test_api_user_place_hidden_if_scores_hidden():
"""/api/v1/users/me should not reveal user place if scores aren't visible"""
app = create_kmactf()
with app.app_context():
register_user(app)
user = Users.query.filter_by(id=2).first()
simulate_user_activity(app.db, user=user)
with login_as_user(app, name="user") as client:
r = client.get("/api/v1/users/me", json="")
resp = r.get_json()
assert resp["data"]["place"] == "1st"
set_config("score_visibility", "hidden")
with login_as_user(app, name="user") as client:
r = client.get("/api/v1/users/me", json="")
resp = r.get_json()
assert resp["data"]["place"] is None
set_config("score_visibility", "admins")
with login_as_user(app, name="user") as client:
r = client.get("/api/v1/users/me", json="")
resp = r.get_json()
assert resp["data"]["place"] is None
with login_as_user(app, name="admin") as client:
r = client.get("/api/v1/users/2", json="")
resp = r.get_json()
assert resp["data"]["place"] == "1st"
destroy_kmactf(app)
def test_that_view_challenges_unregistered_works():
"""Test that view_challenges_unregistered works"""
app = create_kmactf()
with app.app_context():
chal = gen_challenge(app.db, name=text_type("ЁЯР║"))
chal_id = chal.id
gen_hint(app.db, chal_id)
client = app.test_client()
r = client.get("/api/v1/challenges", json="")
assert r.status_code == 403
r = client.get("/api/v1/challenges")
assert r.status_code == 302
set_config("challenge_visibility", "public")
client = app.test_client()
r = client.get("/api/v1/challenges")
assert r.get_json()["data"]
r = client.get("/api/v1/challenges/1/solves")
assert r.get_json().get("data") is not None
data = {"submission": "not_flag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt".format(chal_id),
json=data)
assert r.status_code == 403
assert r.get_json().get("data").get(
"status") == "authentication_required"
assert r.get_json().get("data").get("message") is None
destroy_kmactf(app)
def test_ctftime_prevents_accessing_challenges_after_ctf():
"""Test that the ctftime function prevents accessing challenges after the ctf"""
app = create_kmactf()
with app.app_context():
set_config("start", "1507089600"
) # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config(
"end",
"1507262400") # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
register_user(app)
chal = gen_challenge(app.db)
chal_id = chal.id
gen_flag(app.db, challenge_id=chal.id, content=u"flag")
with freeze_time("2017-10-7"):
client = login_as_user(app)
r = client.get("/challenges")
assert r.status_code == 403
with client.session_transaction() as sess:
data = {
"submission": "flag",
"challenge_id": chal_id,
"nonce": sess.get("nonce"),
}
r = client.post("/api/v1/challenges/attempt", data=data)
assert r.status_code == 403
solve_count = app.db.session.query(app.db.func.count(
Solves.id)).first()[0]
assert solve_count == 0
destroy_kmactf(app)
def integrations():
if is_admin() or is_setup() is False:
name = request.values.get("name")
state = request.values.get("state")
try:
state = unserialize(state, max_age=3600)
except (BadSignature, BadTimeSignature):
state = False
except Exception:
state = False
if state:
if name == "mlc":
mlc_client_id = request.values.get("mlc_client_id")
mlc_client_secret = request.values.get("mlc_client_secret")
set_config("oauth_client_id", mlc_client_id)
set_config("oauth_client_secret", mlc_client_secret)
return render_template("admin/integrations.html")
else:
abort(404)
else:
abort(403)
else:
abort(403)
def test_api_team_place_hidden_if_scores_hidden():
"""/api/v1/teams/me should not reveal team place if scores aren't visible"""
app = create_kmactf(user_mode="teams")
with app.app_context():
gen_team(app.db)
app.db.session.commit()
gen_award(app.db, user_id=2, team_id=1)
u = Users.query.filter_by(id=2).first()
with login_as_user(app, name=u.name) as client:
r = client.get("/api/v1/teams/me", json="")
resp = r.get_json()
assert resp["data"]["place"] == "1st"
set_config("score_visibility", "hidden")
with login_as_user(app, name=u.name) as client:
r = client.get("/api/v1/teams/me", json="")
resp = r.get_json()
assert resp["data"]["place"] is None
set_config("score_visibility", "admins")
with login_as_user(app, name=u.name) as client:
r = client.get("/api/v1/teams/me", json="")
resp = r.get_json()
assert resp["data"]["place"] is None
with login_as_user(app, name="admin") as client:
r = client.get("/api/v1/teams/1", json="")
resp = r.get_json()
print(resp)
assert resp["data"]["place"] == "1st"
destroy_kmactf(app)
def test_unlocking_hints_with_cost_during_ended_ctf():
"""Test that hints with a cost are not unlocked if the CTF has ended"""
app = create_kmactf()
with app.app_context():
register_user(app)
chal = gen_challenge(app.db)
chal_id = chal.id
gen_hint(app.db, chal_id, cost=10)
gen_award(app.db, user_id=2)
set_config(
"start", "1507089600"
) # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config(
"end", "1507262400"
) # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
with freeze_time("2017-11-4"):
client = login_as_user(app)
r = client.get("/api/v1/hints/1")
assert r.get_json().get("data") is None
assert r.status_code == 403
r = client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"})
assert r.status_code == 403
assert r.get_json()
r = client.get("/api/v1/hints/1")
assert r.status_code == 403
user = Users.query.filter_by(id=2).first()
assert user.score == 100
assert Unlocks.query.count() == 0
destroy_kmactf(app)
def test_api_user_change_name():
"""Can a user change their name via the API"""
app = create_kmactf()
with app.app_context():
register_user(app)
with login_as_user(app) as client:
r = client.patch("/api/v1/users/me", json={"name": "user2"})
assert r.status_code == 200
resp = r.get_json()
assert resp["data"]["name"] == "user2"
assert resp["success"] is True
r = client.patch("/api/v1/users/me", json={"name": None})
resp = r.get_json()
print(resp)
assert r.status_code == 400
assert resp["errors"]["name"] == ["Field may not be null."]
assert resp["success"] is False
set_config("name_changes", False)
r = client.patch("/api/v1/users/me", json={"name": "new_name"})
assert r.status_code == 400
resp = r.get_json()
assert "name" in resp["errors"]
assert resp["success"] is False
set_config("name_changes", True)
r = client.patch("/api/v1/users/me", json={"name": "new_name"})
assert r.status_code == 200
resp = r.get_json()
assert resp["data"]["name"] == "new_name"
assert resp["success"] is True
destroy_kmactf(app)
def test_unlocking_hints_with_cost_during_frozen_ctf():
"""Test that hints with a cost are unlocked if the CTF is frozen."""
app = create_kmactf()
with app.app_context():
set_config(
"freeze", "1507262400"
) # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
with freeze_time("2017-10-4"):
register_user(app)
chal = gen_challenge(app.db)
chal_id = chal.id
gen_hint(app.db, chal_id, cost=10)
gen_award(app.db, user_id=2)
with freeze_time("2017-10-8"):
client = login_as_user(app)
client.get("/api/v1/hints/1")
client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"})
r = client.get("/api/v1/hints/1")
resp = r.get_json()["data"]
assert resp.get("content") == "This is a hint"
user = Users.query.filter_by(id=2).first()
assert user.score == 100
destroy_kmactf(app)
def test_api_user_change_email_under_whitelist():
"""Test that users can only change emails to ones in the whitelist"""
app = create_kmactf()
with app.app_context():
register_user(app)
set_config("domain_whitelist",
"whitelisted.com, whitelisted.org, whitelisted.net")
with login_as_user(app) as client:
r = client.patch(
"/api/v1/users/me",
json={
"email": "*****@*****.**",
"confirm": "password"
},
)
assert r.status_code == 400
resp = r.get_json()
assert resp["errors"]["email"]
assert resp["success"] is False
r = client.patch(
"/api/v1/users/me",
json={
"email": "*****@*****.**",
"confirm": "password"
},
)
assert r.status_code == 200
resp = r.get_json()
assert resp["data"]["email"] == "*****@*****.**"
assert resp["success"] is True
destroy_kmactf(app)
def test_sendmail_with_smtp_from_db_config(mock_smtp):
"""Does sendmail work properly with simple SMTP mail servers using database configuration"""
app = create_kmactf()
with app.app_context():
set_config("mail_server", "localhost")
set_config("mail_port", 25)
set_config("mail_useauth", True)
set_config("mail_username", "username")
set_config("mail_password", "password")
ctf_name = get_config("ctf_name")
from_addr = get_config("mailfrom_addr") or app.config.get(
"MAILFROM_ADDR")
from_addr = "{} <{}>".format(ctf_name, from_addr)
to_addr = "*****@*****.**"
msg = "this is a test"
sendmail(to_addr, msg)
ctf_name = get_config("ctf_name")
email_msg = MIMEText(msg)
email_msg["Subject"] = "Message from {0}".format(ctf_name)
email_msg["From"] = from_addr
email_msg["To"] = to_addr
mock_smtp.return_value.sendmail.assert_called_once_with(
from_addr, [to_addr], email_msg.as_string())
destroy_kmactf(app)
def test_team_size_limit():
"""Only team_size amount of members can join a team even via MLC"""
app = create_kmactf(user_mode="teams")
app.config.update({
"OAUTH_CLIENT_ID": "kmactf_testing_client_id",
"OAUTH_CLIENT_SECRET": "kmactf_testing_client_secret",
"OAUTH_AUTHORIZATION_ENDPOINT":
"http://auth.localhost/oauth/authorize",
"OAUTH_TOKEN_ENDPOINT": "http://auth.localhost/oauth/token",
"OAUTH_API_ENDPOINT": "http://api.localhost/user",
})
with app.app_context():
set_config("team_size", 1)
team = gen_team(app.db, member_count=1, oauth_id=1234)
team_id = team.id
login_with_mlc(app,
team_name="team_name",
team_oauth_id=1234,
raise_for_error=False)
assert len(Teams.query.filter_by(id=team_id).first().members) == 1
set_config("team_size", 2)
login_with_mlc(app, team_name="team_name", team_oauth_id=1234)
assert len(Teams.query.filter_by(id=team_id).first().members) == 2
destroy_kmactf(app)
def test_ctftime_prevents_accessing_challenges_before_ctf():
"""Test that the ctftime function prevents users from accessing challenges before the ctf"""
app = create_kmactf()
with app.app_context():
set_config("start", "1507089600"
) # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config(
"end",
"1507262400") # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
register_user(app)
chal = gen_challenge(app.db)
chal_id = chal.id
gen_flag(app.db, challenge_id=chal.id, content=u"flag")
with freeze_time("2017-10-3"): # CTF has not started yet.
client = login_as_user(app)
r = client.get("/challenges")
assert r.status_code == 403
with client.session_transaction() as sess:
data = {"key": "flag", "nonce": sess.get("nonce")}
r = client.get("/api/v1/challenges/{}".format(chal_id), data=data)
data = r.get_data(as_text=True)
assert r.status_code == 403
solve_count = app.db.session.query(app.db.func.count(
Solves.id)).first()[0]
assert solve_count == 0
destroy_kmactf(app)
def test_ctf_started():
"""
Tests that the ctf_started function returns the correct value
:return:
"""
app = create_kmactf()
with app.app_context():
assert ctf_started() is True
set_config("start", "1507089600"
) # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config(
"end",
"1507262400") # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
with freeze_time("2017-10-3"):
ctf_started()
assert ctf_started() is False
with freeze_time("2017-10-5"):
assert ctf_started() is True
with freeze_time("2017-10-7"):
assert ctf_started() is True
destroy_kmactf(app)
def test_api_challenge_get_solves_ctf_frozen():
"""Test users can only see challenge solves that happened before freeze time"""
app = create_kmactf()
with app.app_context():
register_user(app, name="user1", email="*****@*****.**")
register_user(app, name="user2", email="*****@*****.**")
# Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
set_config("freeze", "1507262400")
with freeze_time("2017-10-4"):
chal = gen_challenge(app.db)
chal_id = chal.id
gen_solve(app.db, user_id=2, challenge_id=chal_id)
chal2 = gen_challenge(app.db)
chal2_id = chal2.id
with freeze_time("2017-10-8"):
# User ID 2 solves Challenge ID 2
gen_solve(app.db, user_id=2, challenge_id=chal2_id)
# User ID 3 solves Challenge ID 1
gen_solve(app.db, user_id=3, challenge_id=chal_id)
# Challenge 1 has 2 solves
# Challenge 2 has 1 solve
# There should now be two solves assigned to the same user.
assert Solves.query.count() == 3
client = login_as_user(app, name="user2")
# Challenge 1 should have one solve (after freeze)
r = client.get("/api/v1/challenges/1")
data = r.get_json()["data"]
assert data["solves"] == 1
# Challenge 1 should have one solve (after freeze)
r = client.get("/api/v1/challenges/1/solves")
data = r.get_json()["data"]
assert len(data) == 1
# Challenge 2 should have a solve shouldn't be shown to the user
r = client.get("/api/v1/challenges/2/solves")
data = r.get_json()["data"]
assert len(data) == 0
# Admins should see data as an admin with no modifications
admin = login_as_user(app, name="admin")
r = admin.get("/api/v1/challenges/2/solves")
data = r.get_json()["data"]
assert len(data) == 1
# But should see as a user if the preview param is passed
r = admin.get("/api/v1/challenges/2/solves?preview=true")
data = r.get_json()["data"]
assert len(data) == 0
destroy_kmactf(app)
def patch(self):
req = request.get_json()
for key, value in req.items():
set_config(key=key, value=value)
clear_config()
clear_standings()
return {"success": True}
def test_api_challenges_get_visibility_public():
"""Can a public user get /api/v1/challenges if challenge_visibility is private/public"""
app = create_kmactf()
with app.app_context():
set_config("challenge_visibility", "public")
with app.test_client() as client:
r = client.get("/api/v1/challenges")
assert r.status_code == 200
set_config("challenge_visibility", "private")
r = client.get("/api/v1/challenges", json="")
assert r.status_code == 403
destroy_kmactf(app)
def test_api_challenges_get_visibility_private():
"""Can a private user get /api/v1/challenges if challenge_visibility is private/public"""
app = create_kmactf()
with app.app_context():
register_user(app)
client = login_as_user(app)
r = client.get("/api/v1/challenges")
assert r.status_code == 200
set_config("challenge_visibility", "public")
r = client.get("/api/v1/challenges")
assert r.status_code == 200
destroy_kmactf(app)
def test_api_challenge_list_user_ctftime():
"""Can the user load /api/v1/challenges if ctftime is over"""
app = create_kmactf()
with app.app_context(), freeze_time("2017-10-7"):
set_config("start", "1507089600"
) # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config(
"end",
"1507262400") # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
register_user(app)
client = login_as_user(app)
r = client.get("/api/v1/challenges")
assert r.status_code == 403
destroy_kmactf(app)
def test_api_challenge_get_non_existing():
"""Will a bad <challenge_id> at /api/v1/challenges/<challenge_id> 404"""
app = create_kmactf()
with app.app_context(), freeze_time("2017-10-5"):
set_config("start", "1507089600"
) # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config(
"end",
"1507262400") # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
register_user(app)
client = login_as_user(app)
r = client.get("/api/v1/challenges/1")
assert r.status_code == 404
destroy_kmactf(app)
def update_check(force=False):
"""
Makes a request to kmactf to check if there is a new version of KMActf available. The service is provided in return
for users opting in to anonymous usage data collection. Users can opt-out of update checks by specifying
UPDATE_CHECK = False in config.py
:param force:
:return:
"""
# If UPDATE_CHECK is disabled don't check for updates at all.
if app.config.get("UPDATE_CHECK") is False:
return
# Don't do an update check if not setup
if is_setup() is False:
return
# Get when we should check for updates next.
next_update_check = get_config("next_update_check") or 0
# If we have passed our saved time or we are forcing we should check.
update = (next_update_check < time.time()) or force
if update:
try:
name = str(get_config("ctf_name")) or ""
params = {
"ctf_id": sha256(name),
"current": app.VERSION,
"python_version_raw": sys.hexversion,
"python_version": python_version(),
"db_driver": db.session.bind.dialect.name,
"challenge_count": Challenges.query.count(),
"user_mode": get_config("user_mode"),
"user_count": Users.query.count(),
"team_count": Teams.query.count(),
"theme": get_config("ctf_theme"),
"upload_provider": get_app_config("UPLOAD_PROVIDER"),
}
check = requests.post("https://actvn.edu.vn/",
json=params,
timeout=0.1).json()
except requests.exceptions.RequestException:
pass
except ValueError:
pass
else:
try:
latest = check["resource"]["tag"]
html_url = check["resource"]["html_url"]
if StrictVersion(latest) > StrictVersion(app.VERSION):
set_config("version_latest", html_url)
elif StrictVersion(latest) <= StrictVersion(app.VERSION):
set_config("version_latest", None)
next_update_check_time = check["resource"].get(
"next", int(time.time() + 43200))
set_config("next_update_check", next_update_check_time)
except KeyError:
set_config("version_latest", None)
def test_update_check_notifies_user():
"""If an update is available, admin users are notified in the panel"""
app = create_kmactf()
with app.app_context():
app.config["UPDATE_CHECK"] = True
set_config("version_latest",
"https://github.com/KMActf/KMActf/releases/tag/9.9.9")
client = login_as_user(app, name="admin", password="******")
r = client.get("/admin/config")
assert r.status_code == 200
response = r.get_data(as_text=True)
assert "https://github.com/KMActf/KMActf/releases/tag/9.9.9" in response
destroy_kmactf(app)
def test_sendmail_with_mailgun_from_db_config(fake_post_request):
"""Does sendmail work properly with Mailgun using database configuration"""
app = create_kmactf()
with app.app_context():
app.config["MAILGUN_API_KEY"] = "key-1234567890-file-config"
app.config[
"MAILGUN_BASE_URL"] = "https://api.mailgun.net/v3/file.faked.com"
# db values should take precedence over file values
set_config("mailgun_api_key", "key-1234567890-db-config")
set_config("mailgun_base_url",
"https://api.mailgun.net/v3/db.faked.com")
from_addr = get_config("mailfrom_addr") or app.config.get(
"MAILFROM_ADDR")
to_addr = "*****@*****.**"
msg = "this is a test"
sendmail(to_addr, msg)
ctf_name = get_config("ctf_name")
email_msg = MIMEText(msg)
email_msg["Subject"] = "Message from {0}".format(ctf_name)
email_msg["From"] = from_addr
email_msg["To"] = to_addr
fake_response = Mock()
fake_post_request.return_value = fake_response
fake_response.status_code = 200
status, message = sendmail(to_addr, msg)
args, kwargs = fake_post_request.call_args
assert args[0] == "https://api.mailgun.net/v3/db.faked.com/messages"
assert kwargs["auth"] == ("api", u"key-1234567890-db-config")
assert kwargs["timeout"] == 1.0
assert kwargs["data"] == {
"to": ["*****@*****.**"],
"text": "this is a test",
"from": "KMActf <*****@*****.**>",
"subject": "Message from KMActf",
}
assert fake_response.status_code == 200
assert status is True
assert message == "Email sent"
destroy_kmactf(app)
def test_invalid_confirmation_links():
"""Test that invalid confirmation links are reported to the user"""
app = create_kmactf()
with app.app_context():
set_config("verify_emails", True)
register_user(app, email="*****@*****.**")
client = login_as_user(app, name="user", password="******")
# [email protected] "2012-01-14 03:21:34"
confirm_link = "http://localhost/confirm/a8375iyu<script>alert(1)<script>hn3048wueorighkgnsfg"
r = client.get(confirm_link)
assert "Your confirmation token is invalid" in r.get_data(as_text=True)
user = Users.query.filter_by(email="*****@*****.**").first()
assert user.verified is not True
destroy_kmactf(app)
def test_api_challenge_get_solves_ctftime_private():
"""Can a private user get /api/v1/challenges/<challenge_id>/solves if ctftime is over"""
app = create_kmactf()
with app.app_context(), freeze_time("2017-10-7"):
gen_challenge(app.db)
register_user(app)
client = login_as_user(app)
r = client.get("/api/v1/challenges/1/solves")
assert r.status_code == 200
set_config("start", "1507089600"
) # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config(
"end",
"1507262400") # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
r = client.get("/api/v1/challenges/1/solves")
assert r.status_code == 403
destroy_kmactf(app)
def test_expired_confirmation_links():
"""Test that expired confirmation links are reported to the user"""
app = create_kmactf()
with app.app_context(), freeze_time("2019-02-24 03:21:34"):
set_config("verify_emails", True)
register_user(app, email="*****@*****.**")
client = login_as_user(app, name="user", password="******")
# [email protected] "2012-01-14 03:21:34"
confirm_link = "http://localhost/confirm/InVzZXJAdXNlci5jb20i.TxD0vg.cAGwAy8cK1T0saEEbrDEBVF2plI"
r = client.get(confirm_link)
assert "Your confirmation link has expired" in r.get_data(as_text=True)
user = Users.query.filter_by(email="*****@*****.**").first()
assert user.verified is not True
destroy_kmactf(app)
def reset():
if request.method == "POST":
# Truncate Users, Teams, Submissions, Solves, Notifications, Awards, Unlocks, Tracking
Tracking.query.delete()
Solves.query.delete()
Submissions.query.delete()
Awards.query.delete()
Unlocks.query.delete()
Users.query.delete()
Teams.query.delete()
set_config("setup", False)
db.session.commit()
cache.clear()
logout_user()
db.session.close()
return redirect(url_for("views.setup"))
return render_template("admin/reset.html")
def test_get_config_and_set_config():
"""Does get_config and set_config work properly"""
app = create_kmactf()
with app.app_context():
assert get_config("setup") == True
config = set_config("TEST_CONFIG_ENTRY", "test_config_entry")
assert config.value == "test_config_entry"
assert get_config("TEST_CONFIG_ENTRY") == "test_config_entry"
destroy_kmactf(app)
def test_user_can_access_files_if_view_after_ctf():
app = create_kmactf()
with app.app_context():
from KMActf.utils.uploads import rmdir
chal = gen_challenge(app.db)
chal_id = chal.id
path = app.config.get("UPLOAD_FOLDER")
md5hash = hexencode(os.urandom(16))
location = os.path.join(path, md5hash, "test.txt")
directory = os.path.dirname(location)
model_path = os.path.join(md5hash, "test.txt")
try:
os.makedirs(directory)
with open(location, "wb") as obj:
obj.write("testing file load".encode())
gen_file(app.db, location=model_path, challenge_id=chal_id)
register_user(app)
with login_as_user(app) as client:
req = client.get("/api/v1/challenges/1")
data = req.get_json()
file_url = data["data"]["files"][0]
# After ctf end
with freeze_time("2017-10-7"):
# Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
set_config("end", "1507262400")
r = client.get(file_url)
assert r.status_code == 403
assert r.get_data(as_text=True) != "testing file load"
set_config("view_after_ctf", True)
r = client.get(file_url)
assert r.status_code == 200
assert r.get_data(as_text=True) == "testing file load"
finally:
rmdir(directory)
destroy_kmactf(app)