Merge pull request #16 from hsasctf/wip/ipauth

IP Authentication

Author: c-goes

ctfdbapi/app/__init__.py

@@ -39,16 +39,13 @@ def not_found(error):
     return render_template('404.html'), 404
 
 
-# admin
-
 
 from db.models import TeamScore, AttendingTeam, Event, Team, Submission, Flag, Challenge, Member, User, Catering, Food, \
     Tick, TeamServiceState, TeamScriptsRunStatus, Script, ScriptPayload, ScriptRun
 
 import flask_admin as admin
 from flask_admin.contrib import sqla
 
-# ADMIN
 from flask import request, Response
 from werkzeug.exceptions import HTTPException
 

ctfdbapi/app/web/__init__.py

@@ -1,3 +1,5 @@
+from functools import wraps
+
 from sqlalchemy import func
 
 from flask_httpauth import HTTPBasicAuth
@@ -9,11 +11,12 @@
 from db.database import db_session
 from db.models import TeamScore, AttendingTeam, Event, Team, Submission, Flag, Challenge, Member, User, Catering, Food, \
     Tick, TeamServiceState, TeamScriptsRunStatus, Script, ScriptPayload, ScriptRun
+from app.api import verify_flag
 
 from hashlib import sha512
 
 import redis
-import requests
+import ipaddress
 
 web = Blueprint('web', __name__,
                 template_folder='templates')
@@ -22,95 +25,60 @@
 redis_client = redis.StrictRedis(host='localhost', port=6379, db=0)
 
 
-def get_attacking_team():
-    team = Team.query.filter(func.lower(Team.team_name) == func.lower(get_real_username(auth.username()))).first()
-    event = Event.query.order_by(Event.id.desc()).first()
-    attacking_team = AttendingTeam.query.filter_by(team=team, event=event).first()
-    return attacking_team
-
-
-@auth.get_password
-def get_password(username):
-    event = Event.query.order_by(Event.id.desc()).first()
-
-    try_split = username.rsplit("-", 1)
-    if len(try_split) == 2:
-        if try_split[1] == "admin":
-            real_username = try_split[0]
-            team = Team.query.filter(func.lower(Team.team_name) == func.lower(real_username)).first()
-
-            if AttendingTeam.query.filter_by(team=team, event=event).first():
-                db_session.remove()
-                return current_app.config["ADMIN_CREDENTIALS"][1]
-            else:
-                db_session.remove()
-                return None
-    team = Team.query.filter(func.lower(Team.team_name) == func.lower(username)).first()
-
-    # only attending teams can login
-    if not AttendingTeam.query.filter_by(team=team, event=event).first():
-        return None
-
-    db_session.remove()
-    return team.password
+def get_team_num(ip):
+    request.environ.get('HTTP_X_REAL_IP', request.remote_addr)
 
+def find_team(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        ip = request.environ.get('HTTP_X_REAL_IP', request.remote_addr)
+        try:
+            a, b, c, d = [int(x) for x in ip.split(".")]
+            assert a == 10
+            assert b in [40, 41, 42, 43]
+            event = Event.query.order_by(Event.id.desc()).first()
+            ateam = AttendingTeam.query.filter_by(subnet=c, event=event).one_or_none()
+            team = ateam.team if ateam is not None else None
+            if not team:
+                return redirect(url_for('web.error'))
+            kwargs['team'] = team
+            kwargs['ateam'] = ateam
+        except Exception as e:
+            return redirect(url_for('error'))
+        return f(*args, **kwargs)
+    return decorated_function
 
-@auth.hash_password
-def hash_password(username, password):
-    event = Event.query.order_by(Event.id.desc()).first()
 
-    try_split = username.rsplit("-", 1)
-    if len(try_split) == 2:
-        if try_split[1] == "admin":
-            real_username = try_split[0]
-            team = Team.query.filter(func.lower(Team.team_name) == func.lower(real_username)).first()
+@web.route("/error")
+def error():
+    return "ERROR, are you connected to VPN or are in the correct subnet?"
 
-            if AttendingTeam.query.filter_by(team=team, event=event).first():
-                db_session.remove()
-                return current_app.config["ADMIN_CREDENTIALS"][1]
-            else:
-                db_session.remove()
-                return None
-
-    team = Team.query.filter(func.lower(Team.team_name) == func.lower(username)).first()
-    if not AttendingTeam.query.filter_by(team=team, event=event).first():
-        return None
-
-    db_session.remove()
-    pw_salt = "{}{}".format(password, team.password_salt)
-    return sha512(pw_salt.encode("utf8")).hexdigest()
-
-
-def get_real_username(username):
-    """allows admins to login as TEAMNAME-admin instead of TEAMNAME but with admin password"""
-    try_split = username.rsplit("-", 1)
-    if len(try_split) == 2:
-        if try_split[1] == "admin":
-            real_username = try_split[0]
-            return real_username
-
-    return username
 
 
 @web.route("/")
-@auth.login_required
-def index():
+@find_team
+def index(team=None, ateam=None):
     return render_template('index.html')
 
 
 @web.route('/config')
-@auth.login_required
-def get_config():
-    return jsonify({'ctf_name': current_app.config["CTF_NAME"], 'team_name': get_real_username(auth.username())})
+@find_team
+def get_config(team=None, ateam=None):
+    team_name = "UNKNOWN"
+    try:
+        team_name = team.team_name
+    except AttributeError:
+        pass
+    finally:
+        return jsonify({'ctf_name': current_app.config["CTF_NAME"], 'team_name': team_name})
 
 
-from app.api import verify_flag
 
 
 @web.route('/flag', methods=['POST'])
-@auth.login_required
-def submit_flag():
-    attacking_team = get_attacking_team()
+@find_team
+def submit_flag(team=None, ateam=None):
+    attacking_team = ateam
 
     return verify_flag(int(attacking_team.id), request.get_json()['flag'])
 
@@ -121,27 +89,26 @@ def get_scores():
 
 
 @web.route('/services')
-@auth.login_required
-def get_services():
+@find_team
+def get_services(team=None, ateam=None):
     return redis_client.get('ctf_services')
 
 
 @web.route('/jeopardies')
-@auth.login_required
-def get_jeopardies():
+@find_team
+def get_jeopardies(team=None, ateam=None):
     return redis_client.get('ctf_jeopardy_list')
 
 
 @web.route('/services_status')
-@auth.login_required
-def get_services_status():
+@find_team
+def get_services_status(team=None, ateam=None):
     status = json.loads(redis_client.get('ctf_services_status'))
     result = {}
 
-    team = get_attacking_team()
 
     for state in status:
-        if state['team_id'] == team.id:
+        if state['team_id'] == ateam.id:
             for entry in state['services']:
                 result[entry['service_id']] = entry['state']
 
@@ -152,8 +119,3 @@ def get_services_status():
 @web.route('/tick_change_time')
 def get_tick_duration():
     return redis_client.get('ctf_tick_change_time')
-
-
-@web.route('/logout')
-def logout():
-    return ('Logout', 401, {'WWW-Authenticate': 'Basic realm="Login required"'})

ctfdbapi/app/web/templates/index.html

@@ -58,13 +58,6 @@ <h3>
                             </h3>
                         </a>
                     </li>
-                    <li class='btn'>
-                        <a href='/logout'>
-                            <h2>
-                                Logout
-                            </h2>
-                        </a>
-                    </li>
 
 
                 </div>

ctfdbapi/dashboard_worker.py

@@ -86,7 +86,7 @@ def ctf_services(self):
                             'team_id': attending_team_id,
                             'flag_id': flag_ids[attending_team_id][str(service_id)],
                         } for attending_team_id in
-                        dict(list(filter(lambda kv: str(service_id) in kv[1], flag_ids.items())))  # TODO TEST THIS!!
+                        dict(list(filter(lambda kv: str(service_id) in kv[1], flag_ids.items())))
                     ]
                 }
 

ctfdbapi/db/models.py

@@ -13,6 +13,7 @@
 from sqlalchemy import UniqueConstraint, create_engine
 from sqlalchemy.dialects.mysql import TINYINT
 from sqlalchemy.ext.declarative import declarative_base
+from sqlalchemy.ext.hybrid import hybrid_property
 from sqlalchemy.orm import backref, relationship
 from sqlalchemy.sql.ddl import CreateTable
 
@@ -206,7 +207,7 @@ class Submission(ModelBase):
     flag = relationship('Flag',
                         backref=backref('submissions', cascade="all, delete-orphan", lazy='dynamic'))
 
-    # should be None/NULL when no matching flag could be found
+    # TODO should be None/NULL when no matching flag could be found
     submitted_string = Column(String(128), nullable=False)
 
     def __str__(self):

ctfdbapi/demo1.py

@@ -28,6 +28,9 @@
 
 def delete_prev_demos():
     Event.query.filter_by(is_demo=1).delete()
+    Team.query.filter_by(team_name="test1").delete()
+    Team.query.filter_by(team_name="test2").delete()
+    Team.query.filter_by(team_name="test3").delete()
     db_session.commit()
 
 
@@ -170,7 +173,6 @@ def stop_tmux_sessions():
         from urllib.parse import quote
 
         logger.info("-----")
-        logger.warning("Firefox recommended")
         logger.info(
             "or login as Admin using this URL: http://{}@10.38.1.1:4999/admin/".format(':'.join(ADMIN_CREDENTIALS)))
         logger.info("-----")

ctfdbapi/requirements.txt

@@ -55,3 +55,4 @@ urllib3==1.21.1
 waitress==1.3.0
 Werkzeug==0.12.2
 WTForms==2.1
+pytest

docs/development.md

@@ -105,7 +105,7 @@ EOF
 
 
 1. connect (from host) to openvpn using `openvpn --config roles/vpn/files/client_configs/client-teamXXX.ovpn`
-1. http://10.38.1.1:5000/ (Login for CTF teams with flag input, scores, jeopardies). Login as team without knowing the (hashed) password: Username: TEAMNAME-admin (example: mtga-admin) Password: *defined in ctfdbapi/config.py*
+1. http://10.38.1.1:5000/ (Webapp for CTF teams with flag input, scores).
 1. The containers have the timezone UTC, so Attack&Defense Start timestamp must be specified in UTC in the database
 1. Admin interface http://10.38.1.1:4999/admin (use password from ctfdbapi/config.py)