def test_reset():
    """Reset the instance as admin and check which tables are wiped.

    Seeds ten challenges (each with a flag) and ten users that each own an
    award, a solve, a fail and a tracking row, then posts the reset form
    as the admin. The form carries the session nonce, which is what the
    reset endpoint is expected to check before acting. Afterwards the
    accounts, solves, fails and tracking rows are gone while the
    challenges survive.
    """
    app = create_kmactf()
    with app.app_context():
        name_prefix = "******"

        # Ten challenges, every one accepting the flag "flag".
        for idx in range(10):
            challenge = gen_challenge(app.db, name="chal_name{}".format(idx))
            gen_flag(app.db, challenge_id=challenge.id, content="flag")

        # Ten users; solve/fail targets are random challenge ids in 1..10.
        for idx in range(10):
            username = name_prefix + str(idx)
            account = gen_user(app.db, name=username, email=username + "@kmactf.io")
            gen_award(app.db, user_id=account.id)
            gen_solve(app.db, user_id=account.id, challenge_id=random.randint(1, 10))
            gen_fail(app.db, user_id=account.id, challenge_id=random.randint(1, 10))
            gen_tracking(app.db, user_id=account.id)

        # The setup admin is the eleventh account.
        assert Users.query.count() == 11
        assert Challenges.query.count() == 10

        register_user(app)
        client = login_as_user(app, name="admin", password="******")
        with client.session_transaction() as sess:
            nonce = sess.get("nonce")
        client.post("/admin/reset", data={"nonce": nonce})

        assert Users.query.count() == 0
        assert Challenges.query.count() == 10
        assert Solves.query.count() == 0
        assert Fails.query.count() == 0
        assert Tracking.query.count() == 0
    destroy_kmactf(app)
def test_api_challenge_attempt_post_private():
    """Can a private user post /api/v1/challenges/attempt

    The same scenario runs in users mode and in teams mode: a wrong
    submission is reported as "incorrect", the right one as "correct", a
    repeat as "already_solved", and once ten fails are already recorded
    against the account the endpoint answers 429 / "ratelimited" even for
    the right flag.
    """
    attempt_url = "/api/v1/challenges/attempt"

    def submit(client, challenge_id, submission):
        # One attempt against the API; the response is returned for inspection.
        return client.post(
            attempt_url, json={"challenge_id": challenge_id, "submission": submission}
        )

    def check_attempt_sequence(client, challenge_id):
        # wrong -> correct -> repeat, each accepted with HTTP 200.
        expectations = (
            ("wrong_flag", "incorrect"),
            ("flag", "correct"),
            ("flag", "already_solved"),
        )
        for submission, expected_status in expectations:
            r = submit(client, challenge_id, submission)
            assert r.status_code == 200
            assert r.get_json()["data"]["status"] == expected_status

    def check_rate_limited(client, challenge_id):
        # With ten fails already on record the right flag is refused with 429.
        r = submit(client, challenge_id, "flag")
        assert r.status_code == 429
        assert r.get_json()["data"]["status"] == "ratelimited"

    # --- users mode ---
    app = create_ctfd()
    with app.app_context():
        challenge_id = gen_challenge(app.db).id
        gen_flag(app.db, challenge_id)
        register_user(app)
        with login_as_user(app) as client:
            check_attempt_sequence(client, challenge_id)

        challenge_id = gen_challenge(app.db).id
        gen_flag(app.db, challenge_id)
        with login_as_user(app) as client:
            for _ in range(10):
                gen_fail(app.db, user_id=2, challenge_id=challenge_id)
            check_rate_limited(client, challenge_id)
    destroy_ctfd(app)

    # --- teams mode ---
    app = create_ctfd(user_mode="teams")
    with app.app_context():
        challenge_id = gen_challenge(app.db).id
        gen_flag(app.db, challenge_id)
        register_user(app)
        team_id = gen_team(app.db).id
        # Attach the registered user (id 2) to the fresh team.
        member = Users.query.filter_by(id=2).first()
        member.team_id = team_id
        app.db.session.commit()
        with login_as_user(app) as client:
            check_attempt_sequence(client, challenge_id)

        challenge_id = gen_challenge(app.db).id
        gen_flag(app.db, challenge_id)
        with login_as_user(app) as client:
            for _ in range(10):
                gen_fail(app.db, user_id=2, team_id=team_id, challenge_id=challenge_id)
            check_rate_limited(client, challenge_id)
    destroy_ctfd(app)
def test_reset_team_mode():
    """Reset the instance in teams mode and check which tables are wiped.

    Seeds ten challenges plus ten users, each captaining its own team and
    owning an award, a solve, a fail and a tracking row. The admin then
    posts the reset form with the session nonce; teams, accounts, solves,
    fails and tracking rows are expected to disappear while the challenges
    stay.
    """
    app = create_ctfd(user_mode="teams")
    with app.app_context():
        name_prefix = "******"
        team_prefix = "team"

        # Ten challenges, every one accepting the flag "flag".
        for idx in range(10):
            challenge = gen_challenge(app.db, name="chal_name{}".format(idx))
            gen_flag(app.db, challenge_id=challenge.id, content="flag")

        # Ten users, each placed in (and made captain of) its own team.
        for idx in range(10):
            username = name_prefix + str(idx)
            account = gen_user(app.db, name=username, email=username + "@ctfd.io")
            team_label = team_prefix + str(idx)
            team = gen_team(app.db, name=team_label, email=team_label + "@ctfd.io")
            team.members.append(account)
            team.captain_id = account.id
            app.db.session.commit()
            gen_award(app.db, user_id=account.id)
            gen_solve(app.db, user_id=account.id, challenge_id=random.randint(1, 10))
            gen_fail(app.db, user_id=account.id, challenge_id=random.randint(1, 10))
            gen_tracking(app.db, user_id=account.id)

        assert Teams.query.count() == 10
        # 10 seeded users + 40 members created by gen_team (10 teams * 4)
        # + the setup admin.
        assert Users.query.count() == 51
        assert Challenges.query.count() == 10

        register_user(app)
        client = login_as_user(app, name="admin", password="******")
        with client.session_transaction() as sess:
            nonce = sess.get("nonce")
        client.post("/admin/reset", data={"nonce": nonce})

        assert Teams.query.count() == 0
        assert Users.query.count() == 0
        assert Challenges.query.count() == 10
        assert Solves.query.count() == 0
        assert Fails.query.count() == 0
        assert Tracking.query.count() == 0
    destroy_ctfd(app)
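def test_api_user_get_fails_after_freze_time():
    """Can a user get /api/v1/users/<user_id>/fails after freeze time

    One fail is recorded before the freeze timestamp and one after it.
    The owner's own view and the admin view return both, while another
    non-admin user only sees the pre-freeze fail.
    """
    app = create_ctfd(user_mode="users")
    with app.app_context():
        # user1 is user id 2 in this test (the setup admin holds id 1);
        # the assertions below address that account as "2".
        register_user(app, name="user1", email="*****@*****.**")
        register_user(app, name="user2", email="*****@*****.**")

        # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
        set_config("freeze", "1507262400")

        with freeze_time("2017-10-4"):
            chal_id = gen_challenge(app.db).id
            chal2_id = gen_challenge(app.db).id
            # Recorded before the freeze: visible to everyone.
            gen_fail(app.db, user_id=2, challenge_id=chal_id)
        with freeze_time("2017-10-8"):
            # Recorded after the freeze: should be hidden from other
            # non-admin users. (The original rebound `chal2` to this
            # result, shadowing the challenge object; the value is unused.)
            gen_fail(app.db, user_id=2, challenge_id=chal2_id)

        # Two fails now belong to the same user.
        assert Fails.query.count() == 2

        # Own view: both fails.
        client = login_as_user(app, name="user1")
        r = client.get("/api/v1/users/me/fails")
        assert r.get_json()["meta"]["count"] == 2

        # Another user's view: only the pre-freeze fail.
        client = login_as_user(app, name="user2")
        r = client.get("/api/v1/users/2/fails")
        assert r.get_json()["meta"]["count"] == 1

        # Admin view: every fail for the user.
        admin = login_as_user(app, name="admin")
        r = admin.get("/api/v1/users/2/fails")
        assert r.get_json()["meta"]["count"] == 2
    destroy_ctfd(app)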
def test_api_team_get_fails_after_freze_time():
    """Can a user get /api/v1/teams/<team_id>/fails after freeze time

    A team with one member gets one fail before the freeze timestamp and
    one after it. A user outside the team sees only the pre-freeze fail;
    the team member (via /teams/me) and the admin see both.
    """
    app = create_ctfd(user_mode="teams")
    with app.app_context():
        register_user(app)
        team = gen_team(app.db, name="team1", email="*****@*****.**", member_count=1)
        member_name = team.members[0].name

        set_config("freeze", "1507262400")

        with freeze_time("2017-10-4"):
            first_chal_id = gen_challenge(app.db).id
            second_chal_id = gen_challenge(app.db).id
            # Before the freeze: visible to everyone.
            gen_fail(app.db, user_id=3, team_id=1, challenge_id=first_chal_id)
        with freeze_time("2017-10-8"):
            # After the freeze: hidden from users outside the team.
            gen_fail(app.db, user_id=3, team_id=1, challenge_id=second_chal_id)

        assert Fails.query.count() == 2

        # Outsider (the registered user): only the pre-freeze fail.
        with login_as_user(app) as outsider:
            r = outsider.get("/api/v1/teams/1/fails")
            assert r.get_json()["meta"]["count"] == 1

        # Team member looking at their own team: both fails.
        with login_as_user(app, name=member_name) as insider:
            r = insider.get("/api/v1/teams/me/fails")
            assert r.get_json()["meta"]["count"] == 2

        # Admin: both fails.
        with login_as_user(app, name="admin") as admin:
            r = admin.get("/api/v1/teams/1/fails")
            assert r.get_json()["meta"]["count"] == 2
    destroy_ctfd(app)
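def test_reset():
    """Reset individual sections via /admin/reset and check what each wipes.

    Seeds challenges (with flags, hints and files), users (with awards,
    solves, fails and tracking rows) and page files, then resets one
    section at a time as the admin: pages, notifications, challenges,
    submissions and finally accounts. Every reset form carries the session
    nonce. All but the last redirect to /admin/statistics; resetting
    accounts redirects to /setup.
    """

    def reset(client, section):
        """Post the reset form for one section, carrying the session nonce."""
        with client.session_transaction() as sess:
            nonce = sess.get("nonce")
        return client.post("/admin/reset", data={"nonce": nonce, section: "on"})

    app = create_ctfd()
    with app.app_context():
        base_user = "******"

        # Ten challenges, each with a flag, a hint and one file.
        for x in range(10):
            chal = gen_challenge(app.db, name="chal_name{}".format(x))
            gen_flag(app.db, challenge_id=chal.id, content="flag")
            gen_hint(app.db, challenge_id=chal.id)
            gen_file(
                app.db,
                location="{name}/{name}.file".format(name=chal.name),
                challenge_id=chal.id,
            )

        # Ten users; solve/fail targets are random challenge ids in 1..10.
        for x in range(10):
            user = base_user + str(x)
            user_email = user + "@ctfd.io"
            user_obj = gen_user(app.db, name=user, email=user_email)
            gen_award(app.db, user_id=user_obj.id)
            gen_solve(app.db, user_id=user_obj.id, challenge_id=random.randint(1, 10))
            gen_fail(app.db, user_id=user_obj.id, challenge_id=random.randint(1, 10))
            gen_tracking(app.db, user_id=user_obj.id)

        # Five PageFiles attached to page 1.
        for x in range(5):
            gen_file(
                app.db,
                location="page_file{name}/page_file{name}.file".format(name=x),
                page_id=1,
            )

        assert Users.query.count() == 11  # 11 because of the first admin user
        assert Challenges.query.count() == 10
        # 15 = 10 challenge files + 5 page files.
        assert Files.query.count() == 15
        assert Flags.query.count() == 10
        assert Hints.query.count() == 10
        assert Submissions.query.count() == 20
        assert Pages.query.count() == 1
        assert Tracking.query.count() == 10

        client = login_as_user(app, name="admin", password="******")

        # Pages: page files go, challenge files stay. The admin login added
        # one tracking row, hence 11 from here on.
        r = reset(client, "pages")
        assert r.location.endswith("/admin/statistics")
        assert Pages.query.count() == 0
        assert Users.query.count() == 11
        assert Challenges.query.count() == 10
        assert Tracking.query.count() == 11
        assert Files.query.count() == 10

        # Notifications: nothing else is touched.
        r = reset(client, "notifications")
        assert r.location.endswith("/admin/statistics")
        assert Notifications.query.count() == 0
        assert Users.query.count() == 11
        assert Challenges.query.count() == 10
        assert Tracking.query.count() == 11

        # Challenges: flags, hints, files and tags go with them.
        r = reset(client, "challenges")
        assert r.location.endswith("/admin/statistics")
        assert Challenges.query.count() == 0
        assert Flags.query.count() == 0
        assert Hints.query.count() == 0
        assert Files.query.count() == 0
        assert Tags.query.count() == 0
        assert Users.query.count() == 11
        assert Tracking.query.count() == 11

        # Submissions: solves, fails, awards, unlocks and tracking rows go.
        r = reset(client, "submissions")
        assert r.location.endswith("/admin/statistics")
        assert Submissions.query.count() == 0
        assert Solves.query.count() == 0
        assert Fails.query.count() == 0
        assert Awards.query.count() == 0
        assert Unlocks.query.count() == 0
        assert Users.query.count() == 11
        assert Challenges.query.count() == 0
        assert Flags.query.count() == 0
        assert Tracking.query.count() == 0

        # Accounts: removes every user (admin included), so the instance
        # sends the client back to setup.
        r = reset(client, "accounts")
        assert r.location.endswith("/setup")
        assert Users.query.count() == 0
        assert Solves.query.count() == 0
        assert Fails.query.count() == 0
        assert Tracking.query.count() == 0
    destroy_ctfd(app)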