def test_s3_sync(): conn = boto3.resource('s3', region_name='us-east-1') conn.create_bucket(Bucket='bucket') app = create_ctfd() with app.app_context(): app.config['UPLOAD_PROVIDER'] = 's3' app.config['AWS_ACCESS_KEY_ID'] = 'AKIAIOSFODNN7EXAMPLE' app.config[ 'AWS_SECRET_ACCESS_KEY'] = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY' app.config['AWS_S3_BUCKET'] = 'bucket' uploader = S3Uploader() uploader.sync() fake_file = BytesIO('fakedfile'.encode()) path = uploader.upload(fake_file, 'fake_file.txt') full_path = os.path.join(app.config['UPLOAD_FOLDER'], path) try: uploader.sync() with open(full_path) as f: assert f.read() == 'fakedfile' finally: rmdir(os.path.dirname(full_path)) destroy_ctfd(app)
def test_s3_sync(): conn = boto3.resource("s3", region_name="us-east-1") conn.create_bucket(Bucket="bucket") app = create_ctfd() with app.app_context(): app.config["UPLOAD_PROVIDER"] = "s3" app.config["AWS_ACCESS_KEY_ID"] = "AKIAIOSFODNN7EXAMPLE" app.config[ "AWS_SECRET_ACCESS_KEY"] = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" app.config["AWS_S3_BUCKET"] = "bucket" uploader = S3Uploader() uploader.sync() fake_file = BytesIO("fakedfile".encode()) path = uploader.upload(fake_file, "fake_file.txt") full_path = os.path.join(app.config["UPLOAD_FOLDER"], path) try: uploader.sync() with open(full_path) as f: assert f.read() == "fakedfile" finally: rmdir(os.path.dirname(full_path)) destroy_ctfd(app)
def test_user_can_access_files(): app = create_ctfd() with app.app_context(): from CTFd.utils.uploads import rmdir chal = gen_challenge(app.db) chal_id = chal.id path = app.config.get('UPLOAD_FOLDER') location = os.path.join(path, 'test_file_path', 'test.txt') directory = os.path.dirname(location) model_path = os.path.join('test_file_path', 'test.txt') try: os.makedirs(directory) with open(location, 'wb') as obj: obj.write('testing file load'.encode()) f = gen_file(app.db, location=model_path, challenge_id=chal_id) url = url_for('views.files', path=model_path) # Unauthed user should return 403 with app.test_client() as client: r = client.get(url) assert r.status_code == 403 assert r.get_data(as_text=True) != 'testing file load' # Authed user should be able to see the files register_user(app) client = login_as_user(app) r = client.get(url) assert r.status_code == 200 assert r.get_data(as_text=True) == 'testing file load' with freeze_time("2017-10-7"): set_config('end', '1507262400') # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST # Authed users shouldn't be able to see files if the CTF hasn't started client = login_as_user(app) r = client.get(url) assert r.status_code == 403 assert r.get_data(as_text=True) != 'testing file load' # Admins should be able to see files if the CTF hasn't started admin = login_as_user(app, "admin") r = admin.get(url) assert r.status_code == 200 assert r.get_data(as_text=True) == 'testing file load' finally: rmdir(directory) destroy_ctfd(app)
def test_user_can_access_files_if_view_after_ctf(): app = create_ctfd() with app.app_context(): from CTFd.utils.uploads import rmdir chal = gen_challenge(app.db) chal_id = chal.id path = app.config.get("UPLOAD_FOLDER") md5hash = hexencode(os.urandom(16)) location = os.path.join(path, md5hash, "test.txt") directory = os.path.dirname(location) model_path = os.path.join(md5hash, "test.txt") try: os.makedirs(directory) with open(location, "wb") as obj: obj.write("testing file load".encode()) gen_file(app.db, location=model_path, challenge_id=chal_id) register_user(app) with login_as_user(app) as client: req = client.get("/api/v1/challenges/1") data = req.get_json() file_url = data["data"]["files"][0] # After ctf end with freeze_time("2017-10-7"): # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST set_config("end", "1507262400") r = client.get(file_url) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" set_config("view_after_ctf", True) r = client.get(file_url) assert r.status_code == 200 assert r.get_data(as_text=True) == "testing file load" # Unauthed users should be able to download if view_after_ctf client = app.test_client() r = client.get(file_url) assert r.status_code == 200 assert r.get_data(as_text=True) == "testing file load" finally: rmdir(directory) destroy_ctfd(app)
def test_user_can_access_files_with_auth_token(): app = create_ctfd() with app.app_context(): from CTFd.utils.uploads import rmdir chal = gen_challenge(app.db) chal_id = chal.id path = app.config.get("UPLOAD_FOLDER") md5hash = hexencode(os.urandom(16)).decode("utf-8") location = os.path.join(path, md5hash, "test.txt") directory = os.path.dirname(location) model_path = os.path.join(md5hash, "test.txt") try: os.makedirs(directory) with open(location, "wb") as obj: obj.write("testing file load".encode()) gen_file(app.db, location=model_path, challenge_id=chal_id) url = url_for("views.files", path=model_path) register_user(app) with login_as_user(app) as client: req = client.get("/api/v1/challenges/1") data = req.get_json() file_url = data["data"]["files"][0] with app.test_client() as client: r = client.get(url) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" r = client.get( url_for( "views.files", path=model_path, token="random_token_that_shouldnt_work", ) ) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" r = client.get(file_url) assert r.status_code == 200 assert r.get_data(as_text=True) == "testing file load" # Unauthed users shouldn't be able to see files if the CTF is admins only set_config("challenge_visibility", "admins") r = client.get(file_url) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" set_config("challenge_visibility", "private") with freeze_time("2017-10-5"): # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST set_config("start", "1507262400") # Unauthed users shouldn't be able to see files if the CTF hasn't started r = client.get(file_url) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" with freeze_time("2017-10-5"): # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST set_config("start", "1507262400") for v in ("public", "private"): set_config("challenge_visibility", v) # Unauthed users shouldn't be able to see files if the CTF hasn't started client = app.test_client() r = client.get(file_url) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" # Authed users shouldn't be able to see files if the CTF hasn't started client = login_as_user(app) r = client.get(file_url) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" # Admins should be able to see files if the CTF hasn't started admin = login_as_user(app, "admin") r = admin.get(file_url) assert r.status_code == 200 assert r.get_data(as_text=True) == "testing file load" with freeze_time("2017-10-7"): # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST set_config("end", "1507262400") for v in ("public", "private"): set_config("challenge_visibility", v) # Unauthed users shouldn't be able to see files if the CTF has ended client = app.test_client() r = client.get(file_url) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" # Authed users shouldn't be able to see files if the CTF has ended client = login_as_user(app) r = client.get(file_url) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" # Admins should be able to see files if the CTF has ended admin = login_as_user(app, "admin") r = admin.get(file_url) assert r.status_code == 200 assert r.get_data(as_text=True) == "testing file load" finally: rmdir(directory) destroy_ctfd(app)
def test_user_can_access_files(): app = create_ctfd() with app.app_context(): from CTFd.utils.uploads import rmdir chal = gen_challenge(app.db) chal_id = chal.id path = app.config.get("UPLOAD_FOLDER") location = os.path.join(path, "test_file_path", "test.txt") directory = os.path.dirname(location) model_path = os.path.join("test_file_path", "test.txt") try: os.makedirs(directory) with open(location, "wb") as obj: obj.write("testing file load".encode()) gen_file(app.db, location=model_path, challenge_id=chal_id) url = url_for("views.files", path=model_path) # Unauthed user should be able to see challenges if challenges are public set_config("challenge_visibility", "public") with app.test_client() as client: r = client.get(url) assert r.status_code == 200 assert r.get_data(as_text=True) == "testing file load" # Unauthed user should not be able to see challenges if challenges are private set_config("challenge_visibility", "private") with app.test_client() as client: r = client.get(url) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" # Authed user should be able to see files if challenges are private register_user(app) client = login_as_user(app) r = client.get(url) assert r.status_code == 200 assert r.get_data(as_text=True) == "testing file load" with freeze_time("2017-10-5"): # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST set_config("start", "1507262400") for v in ("public", "private"): set_config("challenge_visibility", v) # Unauthed users shouldn't be able to see files if the CTF hasn't started client = app.test_client() r = client.get(url) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" # Authed users shouldn't be able to see files if the CTF hasn't started client = login_as_user(app) r = client.get(url) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" # Admins should be able to see files if the CTF hasn't started admin = login_as_user(app, "admin") r = admin.get(url) assert r.status_code == 200 assert r.get_data(as_text=True) == "testing file load" with freeze_time("2017-10-7"): # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST set_config("end", "1507262400") for v in ("public", "private"): set_config("challenge_visibility", v) # Unauthed users shouldn't be able to see files if the CTF has ended client = app.test_client() r = client.get(url) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" # Authed users shouldn't be able to see files if the CTF has ended client = login_as_user(app) r = client.get(url) assert r.status_code == 403 assert r.get_data(as_text=True) != "testing file load" # Admins should be able to see files if the CTF has ended admin = login_as_user(app, "admin") r = admin.get(url) assert r.status_code == 200 assert r.get_data(as_text=True) == "testing file load" finally: rmdir(directory) destroy_ctfd(app)
def test_user_can_access_files_with_auth_token(): app = create_ctfd() with app.app_context(): from CTFd.utils.uploads import rmdir chal = gen_challenge(app.db) chal_id = chal.id path = app.config.get('UPLOAD_FOLDER') md5hash = hexencode(os.urandom(16)).decode('utf-8') location = os.path.join(path, md5hash, 'test.txt') directory = os.path.dirname(location) model_path = os.path.join(md5hash, 'test.txt') try: os.makedirs(directory) with open(location, 'wb') as obj: obj.write('testing file load'.encode()) gen_file(app.db, location=model_path, challenge_id=chal_id) url = url_for('views.files', path=model_path) register_user(app) with login_as_user(app) as client: req = client.get('/api/v1/challenges/1') data = req.get_json() file_url = data['data']['files'][0] with app.test_client() as client: r = client.get(url) assert r.status_code == 403 assert r.get_data(as_text=True) != 'testing file load' r = client.get( url_for('views.files', path=model_path, token="random_token_that_shouldnt_work")) assert r.status_code == 403 assert r.get_data(as_text=True) != 'testing file load' r = client.get(file_url) assert r.status_code == 200 assert r.get_data(as_text=True) == 'testing file load' # Unauthed users shouldn't be able to see files if the CTF is admins only set_config('challenge_visibility', 'admins') r = client.get(file_url) assert r.status_code == 403 assert r.get_data(as_text=True) != 'testing file load' set_config('challenge_visibility', 'private') with freeze_time("2017-10-7"): set_config( 'end', '1507262400' ) # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST # Unauthed users shouldn't be able to see files if the CTF hasn't started r = client.get(file_url) assert r.status_code == 403 assert r.get_data(as_text=True) != 'testing file load' finally: rmdir(directory) destroy_ctfd(app)