def test_get_admin_as_user():
    """A regular (non-admin) user requesting /admin is bounced to the login page."""
    app = create_kmactf()
    with app.app_context():
        register_user(app)
        client = login_as_user(app)
        resp = client.get("/admin")
        # The admin panel must not be served to a normal user; the expected
        # denial is a redirect to the login page rather than the page itself.
        assert resp.status_code == 302
        assert resp.location.startswith("http://localhost/login")
    destroy_kmactf(app)
def test_teams_get_user_mode():
    """/teams is not served (404) when the instance runs in user mode."""
    app = create_kmactf(user_mode="users")
    with app.app_context():
        register_user(app)
        with login_as_user(app) as client:
            response = client.get("/teams")
            assert response.status_code == 404
    destroy_kmactf(app)
def test_user_get_public_fails():
    """A registered user can load /api/v1/users/2/fails.

    ID 2 is the user registered here (ID 1 is the admin) — consistent with
    the numbering used by the other tests in this file.
    """
    app = create_kmactf()
    with app.app_context():
        register_user(app)
        client = login_as_user(app)
        response = client.get("/api/v1/users/2/fails")
        assert response.status_code == 200
    destroy_kmactf(app)
def test_user_get_private_team_page():
    """A registered user can load their own private page at /user."""
    app = create_kmactf()
    with app.app_context():
        register_user(app)
        client = login_as_user(app)
        page = client.get("/user")
        assert page.status_code == 200
    destroy_kmactf(app)
def test_api_team_delete_non_admin():
    """DELETE /api/v1/teams/<team_id> is refused (403) for a non-admin caller."""
    app = create_kmactf(user_mode="teams")
    with app.app_context():
        gen_team(app.db)
        # An unauthenticated test client stands in for "not admin" here.
        with app.test_client() as client:
            response = client.delete("/api/v1/teams/1", json="")
            assert response.status_code == 403
    destroy_kmactf(app)
def test_get_config_and_set_config():
    """set_config stores a value that get_config then returns; "setup" is already True."""
    app = create_kmactf()
    with app.app_context():
        # Comparison kept as == (not `is`) to preserve the original semantics
        # in case get_config returns a truthy non-bool.
        assert get_config("setup") == True  # noqa: E712
        entry = set_config("TEST_CONFIG_ENTRY", "test_config_entry")
        assert entry.value == "test_config_entry"
        assert get_config("TEST_CONFIG_ENTRY") == "test_config_entry"
    destroy_kmactf(app)
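def test_api_user_delete_non_admin():
    """Can a user delete /api/v1/users/<user_id> if not admin"""
    app = create_kmactf()
    with app.app_context():
        register_user(app)
        with app.test_client() as client:
            # Exercise the users endpoint, as the docstring says. The request
            # previously went to /api/v1/teams/2, so deletion of a user by a
            # non-admin was never actually covered.
            r = client.delete("/api/v1/users/2", json="")
            assert r.status_code == 403
    destroy_kmactf(app)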
def test_api_challenge_get_flags_admin():
    """An admin can read /api/v1/challenges/<challenge_id>/flags."""
    app = create_kmactf()
    with app.app_context():
        gen_challenge(app.db)
        with login_as_user(app, "admin") as admin_client:
            response = admin_client.get("/api/v1/challenges/1/flags")
            assert response.status_code == 200
    destroy_kmactf(app)
def test_api_user_get_me_fails_logged_in():
    """A logged-in user can read their own fails at /api/v1/users/me/fails."""
    app = create_kmactf()
    with app.app_context():
        register_user(app)
        with login_as_user(app) as client:
            response = client.get("/api/v1/users/me/fails")
            assert response.status_code == 200
    destroy_kmactf(app)
def test_api_challenge_get_solves_404():
    """A non-existent <challenge_id> at /api/v1/challenges/<challenge_id>/solves yields 404."""
    app = create_kmactf()
    with app.app_context():
        register_user(app)
        client = login_as_user(app)
        # No challenge has been generated, so ID 1 does not exist.
        response = client.get("/api/v1/challenges/1/solves")
        assert response.status_code == 404
    destroy_kmactf(app)
def test_api_challenge_get_flags_non_admin():
    """A non-admin is refused (403) on /api/v1/challenges/<challenge_id>/flags.

    Flags are the secret the competition protects, so this endpoint must
    never be readable without admin rights.
    """
    app = create_kmactf()
    with app.app_context():
        gen_challenge(app.db)
        with app.test_client() as client:
            response = client.get("/api/v1/challenges/1/flags", json="")
            assert response.status_code == 403
    destroy_kmactf(app)
def test_api_challenge_attempt_post_public():
    """An unauthenticated client cannot POST /api/v1/challenges/attempt (403)."""
    app = create_kmactf()
    with app.app_context():
        gen_challenge(app.db)
        with app.test_client() as anonymous:
            response = anonymous.post("/api/v1/challenges/attempt", json="")
            assert response.status_code == 403
    destroy_kmactf(app)
def test_api_challenge_get_solves_ctf_frozen():
    """Users only see solves made before the freeze time.

    Admins see everything unless they pass preview=true, which shows them
    the same filtered view a user gets.
    """
    app = create_kmactf()
    with app.app_context():
        register_user(app, name="user1", email="*****@*****.**")
        register_user(app, name="user2", email="*****@*****.**")
        # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
        set_config("freeze", "1507262400")

        # Before the freeze: challenge 1 solved by user 2; challenge 2 created.
        with freeze_time("2017-10-4"):
            first = gen_challenge(app.db)
            first_id = first.id
            gen_solve(app.db, user_id=2, challenge_id=first_id)
            second = gen_challenge(app.db)
            second_id = second.id

        # After the freeze: user 2 solves challenge 2, user 3 solves challenge 1.
        with freeze_time("2017-10-8"):
            gen_solve(app.db, user_id=2, challenge_id=second_id)
            gen_solve(app.db, user_id=3, challenge_id=first_id)

            # Challenge 1 now has 2 solves, challenge 2 has 1; three in total,
            # two of which belong to user 2.
            assert Solves.query.count() == 3

            user_client = login_as_user(app, name="user2")

            # Challenge 1: only the pre-freeze solve is counted for a user.
            data = user_client.get("/api/v1/challenges/1").get_json()["data"]
            assert data["solves"] == 1

            # Same for the solves listing of challenge 1.
            data = user_client.get("/api/v1/challenges/1/solves").get_json()["data"]
            assert len(data) == 1

            # Challenge 2's only solve is after the freeze, so a user sees none.
            data = user_client.get("/api/v1/challenges/2/solves").get_json()["data"]
            assert len(data) == 0

            # Admins get the unfiltered data.
            admin_client = login_as_user(app, name="admin")
            data = admin_client.get("/api/v1/challenges/2/solves").get_json()["data"]
            assert len(data) == 1

            # ...but the user view when preview=true is passed.
            data = admin_client.get("/api/v1/challenges/2/solves?preview=true").get_json()["data"]
            assert len(data) == 0
    destroy_kmactf(app)
def test_api_user_get_awards():
    """A logged-in user can read /api/v1/users/<user_id>/awards."""
    app = create_kmactf()
    with app.app_context():
        register_user(app)
        with login_as_user(app) as client:
            response = client.get("/api/v1/users/2/awards")
            assert response.status_code == 200
    destroy_kmactf(app)
def test_api_challenge_delete_non_admin():
    """DELETE /api/v1/challenges/<challenge_id> is refused (403) for a non-admin."""
    app = create_kmactf()
    with app.app_context():
        gen_challenge(app.db)
        with app.test_client() as client:
            response = client.delete("/api/v1/challenges/1", json="")
            assert response.status_code == 403
    destroy_kmactf(app)
def test_api_page_get_admin():
    """An admin can read /api/v1/pages/<page_id>."""
    app = create_kmactf()
    with app.app_context():
        gen_page(app.db, title="title", route="/route", content="content")
        # The generated page is requested as ID 2; presumably ID 1 is a page
        # created during setup — confirm against create_kmactf.
        with login_as_user(app, "admin") as admin_client:
            response = admin_client.get("/api/v1/pages/2", json="")
            assert response.status_code == 200
    destroy_kmactf(app)
def test_user_get_public_team_page():
    """A registered user can load their own public profile at /profile."""
    app = create_kmactf()
    with app.app_context():
        register_user(app)
        client = login_as_user(app)
        page = client.get("/profile")
        assert page.status_code == 200
    destroy_kmactf(app)
def test_teams_join_get():
    """A logged-in user can load /teams/join in teams mode."""
    app = create_kmactf(user_mode="teams")
    with app.app_context():
        register_user(app)
        with login_as_user(app) as client:
            page = client.get("/teams/join")
            assert page.status_code == 200
    destroy_kmactf(app)
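def test_dynamic_challenge_value_isnt_affected_by_hidden_users():
    """Solves by hidden users must not decay a dynamic challenge's value.

    Creates a dynamic challenge through the API as admin, solves it once with
    the admin session, then solves it with 24 freshly generated hidden users
    and checks that the stored value still equals the initial value.
    """
    app = create_kmactf(enable_plugins=True)
    with app.app_context():
        register_user(app)
        admin = login_as_user(app, name="admin", password="******")
        challenge_data = {
            "name": "name",
            "category": "category",
            "description": "description",
            "value": 100,
            "decay": 20,
            "minimum": 1,
            "state": "visible",
            "type": "dynamic",
        }
        r = admin.post("/api/v1/challenges", json=challenge_data)
        assert r.get_json().get("data")["id"] == 1
        gen_flag(app.db, challenge_id=1, content="flag")

        # One solve with the logged-in admin session (the original comment
        # called this a "regular user", but the client here is the admin
        # login). This should not affect the value.
        data = {"submission": "flag", "challenge_id": 1}
        r = admin.post("/api/v1/challenges/attempt", json=data)
        assert r.get_json()["data"]["status"] == "correct"

        # Solves by hidden users must not affect the value either.
        for idx in range(2, 26):
            name = "user{}".format(idx)
            email = "user{}@kmactf.io".format(idx)
            # gen_user instead of register_user to bypass rate-limiting.
            user = gen_user(app.db, name=name, email=email)
            user.hidden = True
            app.db.session.commit()

            # A separate client per hidden user, so the admin client above is
            # not rebound inside the loop.
            with app.test_client() as hidden_client:
                # Forge the session instead of logging in, again to bypass
                # rate-limiting. Use the generated user's real ID: the loop
                # counter starts at 2, which appears to already be the ID of
                # the user registered above (admin is 1), so using the counter
                # would be off by one and solve once as a visible user.
                with hidden_client.session_transaction() as sess:
                    sess["id"] = user.id
                    sess["name"] = name
                    sess["type"] = "user"
                    sess["email"] = email
                    sess["nonce"] = "fake-nonce"
                r = hidden_client.post("/api/v1/challenges/attempt", json=data)
                assert r.get_json()["data"]["status"] == "correct"

        chal = DynamicChallenge.query.filter_by(id=1).first()
        assert chal.value == chal.initial
    destroy_kmactf(app)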
def test_api_challenge_delete_admin():
    """An admin can DELETE /api/v1/challenges/<challenge_id>; the reply carries no data."""
    app = create_kmactf()
    with app.app_context():
        gen_challenge(app.db)
        with login_as_user(app, "admin") as admin_client:
            response = admin_client.delete("/api/v1/challenges/1", json="")
            assert response.status_code == 200
            assert response.get_json().get("data") is None
    destroy_kmactf(app)
def test_api_flag_types_get_admin():
    """An admin can read /api/v1/flags/types and /api/v1/flags/types/<type_name>."""
    app = create_kmactf()
    with app.app_context():
        with login_as_user(app, "admin") as admin_client:
            for url in ("/api/v1/flags/types", "/api/v1/flags/types/static"):
                response = admin_client.get(url, json="")
                assert response.status_code == 200
    destroy_kmactf(app)
def test_viewing_challenge():
    """A logged-in user gets a JSON body for an individual challenge."""
    app = create_kmactf()
    with app.app_context():
        register_user(app)
        client = login_as_user(app)
        gen_challenge(app.db)
        response = client.get("/api/v1/challenges/1")
        # Only checks that a non-empty JSON document comes back.
        assert response.get_json()
    destroy_kmactf(app)
def test_api_flag_get_admin():
    """An admin can read /api/v1/flags/<flag_id>."""
    app = create_kmactf()
    with app.app_context():
        gen_challenge(app.db)
        gen_flag(app.db, 1)
        with login_as_user(app, "admin") as admin_client:
            response = admin_client.get("/api/v1/flags/1", json="")
            assert response.status_code == 200
    destroy_kmactf(app)
def test_api_submission_delete_admin():
    """An admin can DELETE /api/v1/submissions/<submission_id>; the reply carries no data."""
    app = create_kmactf()
    with app.app_context():
        gen_solve(app.db, user_id=1)
        with login_as_user(app, "admin") as admin_client:
            response = admin_client.delete("/api/v1/submissions/1", json="")
            assert response.status_code == 200
            assert response.get_json().get("data") is None
    destroy_kmactf(app)
def test_user_get_another_public_team_page():
    """A registered user can load another user's public profile (/users/<id>)."""
    app = create_kmactf()
    with app.app_context():
        register_user(app, name="user1", email="*****@*****.**")  # ID 2
        register_user(app, name="user2", email="*****@*****.**")  # ID 3
        viewer = login_as_user(app, name="user2")
        page = viewer.get("/users/2")
        assert page.status_code == 200
    destroy_kmactf(app)
def test_user_get_another_public_fails():
    """A registered user can load another user's public fails (/api/v1/users/<id>/fails)."""
    app = create_kmactf()
    with app.app_context():
        register_user(app, name="user1", email="*****@*****.**")  # ID 2
        register_user(app, name="user2", email="*****@*****.**")  # ID 3
        viewer = login_as_user(app, name="user2")
        response = viewer.get("/api/v1/users/2/fails")
        assert response.status_code == 200
    destroy_kmactf(app)
def test_api_submissions_get_admin():
    """An admin can list /api/v1/submissions, with or without a user_id filter."""
    app = create_kmactf()
    with app.app_context():
        with login_as_user(app, "admin") as admin_client:
            for url in ("/api/v1/submissions", "/api/v1/submissions?user_id=1"):
                response = admin_client.get(url, json="")
                assert response.status_code == 200
    destroy_kmactf(app)
def test_not_found():
    """Unknown routes answer 404 for both GET and POST."""
    app = create_kmactf()
    with app.app_context():
        with app.test_client() as client:
            assert client.get("/this-should-404").status_code == 404
            assert client.post("/this-should-404").status_code == 404
    destroy_kmactf(app)
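def test_admin_standings():
    """get_standings(admin=True) ranks team1 first with 100 points after setup_app.

    setup_app is a fixture helper defined elsewhere; it is assumed to seed the
    teams and solves these assertions rely on — confirm against its definition.
    """
    app = create_kmactf(user_mode="teams")
    with app.app_context():
        setup_app(app)
        standings = get_standings(admin=True)
        assert standings[0].name == "team1"
        assert standings[0].score == 100
    # Every other test in this file tears its instance down; this one did
    # not, which leaves this test's app/database state around for whatever
    # runs next.
    destroy_kmactf(app)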
def test_oauth_not_configured():
    """/oauth redirects to /login with an error message when OAuth is not configured."""
    app = create_kmactf()
    with app.app_context():
        with app.test_client() as client:
            redirect = client.get("/oauth", follow_redirects=False)
            assert redirect.location == "http://localhost/login"
            # Follow the redirect manually and check the rendered message.
            login_page = client.get(redirect.location)
            body = login_page.get_data(as_text=True)
            assert "OAuth Settings not configured" in body
    destroy_kmactf(app)