admin/CTFd
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

init CTFd source
Some checks are pending
Linting / Linting (3.11) (push) Waiting to run
Details
Mirror core-theme / mirror (push) Waiting to run
Details

Browse Source
This commit is contained in:
gkr
2025-12-25 09:39:21 +08:00
commit 2e06f92c64
1047 changed files with 150349 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

950
tests/users/test_challenges.py Normal file
View File

@@ -0,0 +1,950 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from datetime import datetime, timedelta
from freezegun import freeze_time
from CTFd.models import Challenges, Fails, Ratelimiteds, Solves
from CTFd.utils import set_config, text_type
from tests.helpers import (
create_ctfd,
destroy_ctfd,
gen_challenge,
gen_fail,
gen_flag,
gen_hint,
login_as_user,
register_user,
)
def test_user_get_challenges():
"""
Can a registered user load /challenges
"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
r = client.get("/challenges")
assert r.status_code == 200
destroy_ctfd(app)
def test_user_get_chals():
"""
Can a registered user load /chals
"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
r = client.get("/api/v1/challenges")
assert r.status_code == 200
destroy_ctfd(app)
def test_viewing_challenges():
"""
Test that users can see added challenges
"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
gen_challenge(app.db)
r = client.get("/api/v1/challenges")
chals = r.get_json()["data"]
assert len(chals) == 1
destroy_ctfd(app)
def test_viewing_challenge():
"""Test that users can see individual challenges"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
gen_challenge(app.db)
r = client.get("/api/v1/challenges/1")
assert r.get_json()
destroy_ctfd(app)
# def test_chals_solves():
# """Test that the /chals/solves endpoint works properly"""
# app = create_ctfd()
# with app.app_context():
# # Generate 5 users
# for c in range(1, 6):
# name = "user{}".format(c)
# email = "user{}@examplectf.com".format(c)
# register_user(app, name=name, email=email, password="password")
#
# # Generate 5 challenges
# for c in range(6):
# chal1 = gen_challenge(app.db, value=100)
#
# user_ids = list(range(2, 7))
# chal_ids = list(range(1, 6))
# for u in user_ids:
# for c in chal_ids:
# gen_solve(app.db, teamid=u, chalid=c)
# chal_ids.pop()
#
# client = login_as_user(app, name="user1")
#
# with client.session_transaction() as sess:
# r = client.get('/chals/solves')
# output = r.get_data(as_text=True)
# saved = json.loads('''{
# "1": 5,
# "2": 4,
# "3": 3,
# "4": 2,
# "5": 1,
# "6": 0
# }
# ''')
# received = json.loads(output)
# assert saved == received
# set_config('hide_scores', True)
# with client.session_transaction():
# r = client.get('/chals/solves')
# output = r.get_data(as_text=True)
# saved = json.loads('''{
# "1": -1,
# "2": -1,
# "3": -1,
# "4": -1,
# "5": -1,
# "6": -1
# }
# ''')
# received = json.loads(output)
# assert saved == received
# destroy_ctfd(app)
def test_submitting_correct_flag():
"""Test that correct flags are correct"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db)
gen_flag(app.db, challenge_id=chal.id, content="flag")
data = {"submission": "flag", "challenge_id": chal.id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
resp = r.get_json()["data"]
assert resp.get("status") == "correct"
assert resp.get("message") == "Correct"
destroy_ctfd(app)
def test_submitting_correct_static_case_insensitive_flag():
"""Test that correct static flags are correct if the static flag is marked case_insensitive"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db)
gen_flag(app.db, challenge_id=chal.id, content="flag", data="case_insensitive")
data = {"submission": "FLAG", "challenge_id": chal.id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
resp = r.get_json()["data"]
assert resp.get("status") == "correct"
assert resp.get("message") == "Correct"
destroy_ctfd(app)
def test_submitting_correct_regex_case_insensitive_flag():
"""Test that correct regex flags are correct if the regex flag is marked case_insensitive"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db)
gen_flag(
app.db,
challenge_id=chal.id,
type="regex",
content="flag",
data="case_insensitive",
)
data = {"submission": "FLAG", "challenge_id": chal.id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
resp = r.get_json()["data"]
assert resp.get("status") == "correct"
assert resp.get("message") == "Correct"
destroy_ctfd(app)
def test_submitting_invalid_regex_flag():
"""Test that invalid regex flags are errored out to the user"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db)
gen_flag(
app.db,
challenge_id=chal.id,
type="regex",
content="**",
data="case_insensitive",
)
data = {"submission": "FLAG", "challenge_id": chal.id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
resp = r.get_json()["data"]
assert resp.get("status") == "incorrect"
assert resp.get("message") == "Regex parse error occured"
destroy_ctfd(app)
def test_submitting_incorrect_flag():
"""Test that incorrect flags are incorrect"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db)
gen_flag(app.db, challenge_id=chal.id, content="flag")
data = {"submission": "notflag", "challenge_id": chal.id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
resp = r.get_json()["data"]
assert resp.get("status") == "incorrect"
assert resp.get("message") == "Incorrect"
destroy_ctfd(app)
def test_submitting_unicode_flag():
"""Test that users can submit a unicode flag"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db)
gen_flag(app.db, challenge_id=chal.id, content="你好")
with client.session_transaction():
data = {"submission": "你好", "challenge_id": chal.id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
resp = r.get_json()["data"]
assert resp.get("status") == "correct"
assert resp.get("message") == "Correct"
destroy_ctfd(app)
def test_challenges_with_max_attempts():
"""Test that users are locked out of a challenge after they reach max_attempts"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db)
chal = Challenges.query.filter_by(id=chal.id).first()
chal_id = chal.id
chal.max_attempts = 3
app.db.session.commit()
gen_flag(app.db, challenge_id=chal.id, content="flag")
for _ in range(3):
data = {"submission": "notflag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
wrong_keys = Fails.query.count()
assert wrong_keys == 3
data = {"submission": "flag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 403
resp = r.get_json()["data"]
assert resp.get("status") == "ratelimited"
assert resp.get("message") == "Not accepted. You have 0 tries remaining"
solves = Solves.query.count()
assert solves == 0
destroy_ctfd(app)
def test_challenges_with_max_attempts_timeout_behavior():
"""Test that users are temporarily locked out of a challenge after reaching max_attempts with timeout behavior"""
app = create_ctfd()
with app.app_context():
set_config("max_attempts_behavior", "timeout")
set_config("max_attempts_timeout", 300) # 300 seconds timeout for test
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db)
chal = Challenges.query.filter_by(id=chal.id).first()
chal_id = chal.id
chal.max_attempts = 2
app.db.session.commit()
gen_flag(app.db, challenge_id=chal.id, content="flag")
for _ in range(2):
data = {"submission": "notflag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
# Should be locked out now
with freeze_time(timedelta(seconds=0)):
data = {"submission": "flag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 429
resp = r.get_json()["data"]
assert resp.get("status") == "ratelimited"
assert "Not accepted. Try again in 300 seconds" in resp.get("message")
# Use freeze_time to advance time by 290 seconds
with freeze_time(timedelta(seconds=290)):
data = {"submission": "flag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 429
resp = r.get_json()["data"]
assert resp.get("status") == "ratelimited"
assert "Not accepted. Try again in 10 seconds" in resp.get("message")
# Use freeze_time to advance time by 301 seconds
with freeze_time(timedelta(seconds=301)):
data = {"submission": "flag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
resp = r.get_json()["data"]
# Should be correct now
assert resp.get("status") == "correct"
assert resp.get("message") == "Correct"
destroy_ctfd(app)
def test_challenges_with_max_attempts_timeout_ratelimit():
"""Test that max_attempts timeout ratelimit and global ratelimit work together correctly"""
app = create_ctfd()
with app.app_context():
set_config("max_attempts_behavior", "timeout")
set_config("max_attempts_timeout", 30) # 30 seconds timeout for test
register_user(app)
client = login_as_user(app)
# Challenge 1 with max_attempts = 5
chal1 = gen_challenge(app.db)
chal1_obj = Challenges.query.filter_by(id=chal1.id).first()
chal1_obj.max_attempts = 5
app.db.session.commit()
gen_flag(app.db, challenge_id=chal1.id, content="flag1")
# Challenge 2 with no max_attempts
chal2 = gen_challenge(app.db)
gen_flag(app.db, challenge_id=chal2.id, content="flag2")
base_time = datetime.utcnow()
# Submit 5 wrong attempts to challenge 1 (triggers max_attempts ratelimit)
with freeze_time(base_time):
for _ in range(5):
data = {"submission": "wrong", "challenge_id": chal1.id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
# 6th attempt should be blocked by max_attempts timeout
data = {"submission": "flag1", "challenge_id": chal1.id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 429
resp = r.get_json()["data"]
assert resp.get("status") == "ratelimited"
assert "Try again in 30 seconds" in resp.get("message")
# Now submit 5 more wrong attempts to challenge 2 (total 10 fails, triggers global ratelimit)
for i in range(6):
data = {"submission": "wrong", "challenge_id": chal2.id}
r = client.post("/api/v1/challenges/attempt", json=data)
if i < 5:
assert r.status_code == 200
else:
# 11th attempt should be blocked by global ratelimit (60 seconds)
assert r.status_code == 429
resp = r.get_json()["data"]
assert resp.get("status") == "ratelimited"
assert "You're submitting flags too fast" in resp.get("message")
# Check counts
wrong_keys = Fails.query.count()
ratelimiteds = Ratelimiteds.query.count()
assert wrong_keys == 10
assert (
ratelimiteds == 2
) # One max_attempts ratelimit + one global ratelimit
# After 30 seconds, max_attempts timeout should release but global ratelimit (60s) still active
with freeze_time(base_time + timedelta(seconds=31)):
# Try challenge 1 - should still be blocked by global ratelimit
data = {"submission": "flag1", "challenge_id": chal1.id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 429
resp = r.get_json()["data"]
assert resp.get("status") == "ratelimited"
assert "Try again in 30 seconds" in resp.get("message")
ratelimiteds = Ratelimiteds.query.count()
assert ratelimiteds == 3 # Another ratelimit entry
# After 60 seconds, both ratelimits should be released
with freeze_time(base_time + timedelta(seconds=61)):
# Should be able to solve challenge 1 now
data = {"submission": "flag1", "challenge_id": chal1.id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
resp = r.get_json()["data"]
assert resp.get("status") == "correct"
assert resp.get("message") == "Correct"
# Verify solve was recorded
solves = Solves.query.count()
assert solves == 1
destroy_ctfd(app)
def test_challenges_max_attempts_timeout_config_change():
"""Test that changing max_attempts_timeout resets attempt count because cache key changes"""
app = create_ctfd()
with app.app_context():
set_config("max_attempts_behavior", "timeout")
set_config("max_attempts_timeout", 300) # Start with 300 seconds
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db)
chal = Challenges.query.filter_by(id=chal.id).first()
chal_id = chal.id
chal.max_attempts = 3
app.db.session.commit()
gen_flag(app.db, challenge_id=chal.id, content="flag")
# Make 3 wrong attempts (hit the limit)
for _ in range(3):
data = {"submission": "notflag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
# Verify we're locked out
data = {"submission": "flag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 429
resp = r.get_json()["data"]
assert resp.get("status") == "ratelimited"
assert "300 seconds" in resp.get("message")
# Change the max_attempts_timeout config (this changes the cache key)
set_config("max_attempts_timeout", 30) # Change to 30 seconds
# Jump forward in time to ensure we're past the new 30 second rate limit
with freeze_time(timedelta(seconds=35)):
# Now we should be able to submit again because the cache key changed
# Old submissions have also fallen off the 30 second window
data = {"submission": "flag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
resp = r.get_json()["data"]
assert resp.get("status") == "correct"
assert resp.get("message") == "Correct"
# Verify solve was recorded
solves = Solves.query.count()
assert solves == 1
# Verify the fail count is still accurate (3 fails from before)
fails = Fails.query.count()
assert fails == 3
ratelimiteds = Ratelimiteds.query.count()
assert ratelimiteds == 1
destroy_ctfd(app)
def test_challenge_kpm_limit_no_freeze():
"""Test that users are properly ratelimited when submitting flags"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db)
chal_id = chal.id
gen_flag(app.db, challenge_id=chal.id, content="flag")
for _ in range(11):
with client.session_transaction():
data = {"submission": "notflag", "challenge_id": chal_id}
client.post("/api/v1/challenges/attempt", json=data)
wrong_keys = Fails.query.count()
ratelimiteds = Ratelimiteds.query.count()
assert wrong_keys == 10
assert ratelimiteds == 1
# We just want a consistent flag response countdown
with freeze_time(timedelta(seconds=0)):
data = {"submission": "flag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 429
wrong_keys = Fails.query.count()
ratelimiteds = Ratelimiteds.query.count()
assert wrong_keys == 10
assert ratelimiteds == 2
resp = r.get_json()["data"]
assert resp.get("status") == "ratelimited"
assert (
resp.get("message")
== "You're submitting flags too fast. Try again in 60 seconds."
)
solves = Solves.query.count()
assert solves == 0
destroy_ctfd(app)
def test_challenge_kpm_limit_freeze_time():
"""Test that users are properly ratelimited when submitting flags"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db)
chal_id = chal.id
gen_flag(app.db, challenge_id=chal.id, content="flag")
base_time = datetime.utcnow()
# First section: Use API to generate 10 fails + 1 ratelimit
with freeze_time(base_time):
for _ in range(11):
with client.session_transaction():
data = {"submission": "notflag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
wrong_keys = Fails.query.count()
ratelimiteds = Ratelimiteds.query.count()
assert wrong_keys == 10
assert ratelimiteds == 1
# Within the 1 min time frame we should still be ratelimited
with freeze_time(base_time + timedelta(seconds=11)):
data = {"submission": "flag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 429
wrong_keys = Fails.query.count()
ratelimiteds = Ratelimiteds.query.count()
assert wrong_keys == 10
assert ratelimiteds == 2
resp = r.get_json()["data"]
assert resp.get("status") == "ratelimited"
assert (
resp.get("message")
== "You're submitting flags too fast. Try again in 50 seconds."
)
# Generate 10 more fails at +60 seconds using gen_fail because freezegun cannot patch to sqlalchemy's default
for _ in range(10):
fail = gen_fail(app.db, user_id=2, challenge_id=chal_id, provided="notflag")
fail.date = base_time + timedelta(seconds=60)
app.db.session.commit()
# The 11th attempt via API should trigger another ratelimit
with freeze_time(base_time + timedelta(seconds=60)):
data = {"submission": "notflag", "challenge_id": chal_id}
client.post("/api/v1/challenges/attempt", json=data)
wrong_keys = Fails.query.count()
ratelimiteds = Ratelimiteds.query.count()
assert wrong_keys == 20
assert ratelimiteds == 3
destroy_ctfd(app)
def test_that_view_challenges_unregistered_works():
"""Test that view_challenges_unregistered works"""
app = create_ctfd()
with app.app_context():
chal = gen_challenge(app.db, name=text_type("🐺"))
chal_id = chal.id
gen_hint(app.db, chal_id)
client = app.test_client()
r = client.get("/api/v1/challenges", json="")
assert r.status_code == 403
r = client.get("/api/v1/challenges")
assert r.status_code == 302
set_config("challenge_visibility", "public")
client = app.test_client()
r = client.get("/api/v1/challenges")
assert r.get_json()["data"]
r = client.get("/api/v1/challenges/1/solves")
assert r.get_json().get("data") is not None
data = {"submission": "not_flag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 403
assert r.get_json().get("data").get("status") == "authentication_required"
assert r.get_json().get("data").get("message") is None
destroy_ctfd(app)
def test_hidden_challenge_is_unreachable():
"""Test that hidden challenges return 404 and do not insert a solve or wrong key"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db, state="hidden")
gen_flag(app.db, challenge_id=chal.id, content="flag")
chal_id = chal.id
assert Challenges.query.count() == 1
r = client.get("/api/v1/challenges", json="")
data = r.get_json().get("data")
assert data == []
r = client.get("/api/v1/challenges/1", json="")
assert r.status_code == 404
data = r.get_json().get("data")
assert data is None
data = {"submission": "flag", "challenge_id": chal_id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 404
r = client.post("/api/v1/challenges/attempt?preview=true", json=data)
assert r.status_code == 404
assert r.get_json().get("data") is None
solves = Solves.query.count()
assert solves == 0
wrong_keys = Fails.query.count()
assert wrong_keys == 0
destroy_ctfd(app)
def test_hidden_challenge_is_unsolveable():
"""Test that hidden challenges return 404 and do not insert a solve or wrong key"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db, state="hidden")
gen_flag(app.db, challenge_id=chal.id, content="flag")
data = {"submission": "flag", "challenge_id": chal.id}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 404
solves = Solves.query.count()
assert solves == 0
wrong_keys = Fails.query.count()
assert wrong_keys == 0
destroy_ctfd(app)
def test_invalid_requirements_are_rejected():
"""Test that invalid requirements JSON blobs are rejected by the API"""
app = create_ctfd()
with app.app_context():
gen_challenge(app.db)
gen_challenge(app.db)
with login_as_user(app, "admin") as client:
# Test None/null values
r = client.patch(
"/api/v1/challenges/1", json={"requirements": {"prerequisites": [None]}}
)
assert r.status_code == 400
assert r.get_json() == {
"success": False,
"errors": {
"requirements": [
"Challenge requirements cannot have a null prerequisite"
]
},
}
# Test empty strings
r = client.patch(
"/api/v1/challenges/1", json={"requirements": {"prerequisites": [""]}}
)
assert r.status_code == 400
assert r.get_json() == {
"success": False,
"errors": {
"requirements": [
"Challenge requirements cannot have a null prerequisite"
]
},
}
# Test a valid integer
r = client.patch(
"/api/v1/challenges/1", json={"requirements": {"prerequisites": [2]}}
)
assert r.status_code == 200
destroy_ctfd(app)
def test_challenge_with_requirements_is_unsolveable():
"""Test that a challenge with a requirement is unsolveable without first solving the requirement"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal1 = gen_challenge(app.db)
gen_flag(app.db, challenge_id=chal1.id, content="flag")
requirements = {"prerequisites": [1]}
chal2 = gen_challenge(app.db, requirements=requirements)
app.db.session.commit()
gen_flag(app.db, challenge_id=chal2.id, content="flag")
r = client.get("/api/v1/challenges")
challenges = r.get_json()["data"]
assert len(challenges) == 1
assert challenges[0]["id"] == 1
r = client.get("/api/v1/challenges/2")
assert r.status_code == 403
assert r.get_json().get("data") is None
# Attempt to solve hidden Challenge 2
data = {"submission": "flag", "challenge_id": 2}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 403
assert r.get_json().get("data") is None
# Solve Challenge 1
data = {"submission": "flag", "challenge_id": 1}
r = client.post("/api/v1/challenges/attempt", json=data)
resp = r.get_json()["data"]
assert resp["status"] == "correct"
# Challenge 2 should now be visible
r = client.get("/api/v1/challenges")
challenges = r.get_json()["data"]
assert len(challenges) == 2
r = client.get("/api/v1/challenges/2")
assert r.status_code == 200
assert r.get_json().get("data")["id"] == 2
# Attempt to solve the now-visible Challenge 2
data = {"submission": "flag", "challenge_id": 2}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
assert resp["status"] == "correct"
destroy_ctfd(app)
def test_challenges_cannot_be_solved_while_paused():
"""Test that challenges cannot be solved when the CTF is paused"""
app = create_ctfd()
with app.app_context():
set_config("paused", True)
register_user(app)
client = login_as_user(app)
r = client.get("/challenges")
assert r.status_code == 200
# Assert that there is a paused message
data = r.get_data(as_text=True)
assert "paused" in data
chal = gen_challenge(app.db)
gen_flag(app.db, challenge_id=chal.id, content="flag")
data = {"submission": "flag", "challenge_id": chal.id}
r = client.post("/api/v1/challenges/attempt", json=data)
# Assert that the JSON message is correct
resp = r.get_json()["data"]
assert r.status_code == 403
assert resp["status"] == "paused"
assert resp["message"] == "CTFd is paused"
# There are no solves saved
solves = Solves.query.count()
assert solves == 0
# There are no wrong keys saved
wrong_keys = Fails.query.count()
assert wrong_keys == 0
destroy_ctfd(app)
def test_challenge_board_under_view_after_ctf():
"""Test that the challenge board does not show an error under view_after_ctf"""
app = create_ctfd()
with app.app_context():
set_config("view_after_ctf", True)
set_config(
"start", "1507089600"
) # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config(
"end", "1507262400"
) # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
register_user(app)
client = login_as_user(app)
gen_challenge(app.db)
gen_flag(app.db, challenge_id=1, content="flag")
gen_challenge(app.db)
gen_flag(app.db, challenge_id=2, content="flag")
# CTF hasn't started yet. There should be an error message.
with freeze_time("2017-10-3"):
r = client.get("/challenges")
assert r.status_code == 403
assert "has not started yet" in r.get_data(as_text=True)
data = {"submission": "flag", "challenge_id": 2}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 403
assert Solves.query.count() == 0
# CTF is ongoing. Normal operation.
with freeze_time("2017-10-5"):
r = client.get("/challenges")
assert r.status_code == 200
assert "has ended" not in r.get_data(as_text=True)
data = {"submission": "flag", "challenge_id": 1}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
assert r.get_json()["data"]["status"] == "correct"
assert Solves.query.count() == 1
# CTF is now over. There should be a message and challenges should show submission status but not store solves
with freeze_time("2017-10-7"):
r = client.get("/challenges")
assert r.status_code == 200
assert "has ended" in r.get_data(as_text=True)
data = {"submission": "flag", "challenge_id": 2}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
assert r.get_json()["data"]["status"] == "correct"
assert Solves.query.count() == 1
destroy_ctfd(app)
def test_challenges_under_view_after_ctf():
app = create_ctfd()
with app.app_context(), freeze_time("2017-10-7"):
set_config(
"start", "1507089600"
) # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config(
"end", "1507262400"
) # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
register_user(app)
client = login_as_user(app)
gen_challenge(app.db)
gen_flag(app.db, challenge_id=1, content="flag")
r = client.get("/challenges")
assert r.status_code == 403
r = client.get("/api/v1/challenges")
assert r.status_code == 403
assert r.get_json().get("data") is None
r = client.get("/api/v1/challenges/1")
assert r.status_code == 403
assert r.get_json().get("data") is None
data = {"submission": "flag", "challenge_id": 1}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 403
assert r.get_json().get("data") is None
assert Solves.query.count() == 0
data = {"submission": "notflag", "challenge_id": 1}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 403
assert r.get_json().get("data") is None
assert Fails.query.count() == 0
set_config("view_after_ctf", True)
r = client.get("/challenges")
assert r.status_code == 200
r = client.get("/api/v1/challenges")
assert r.status_code == 200
assert r.get_json()["data"][0]["id"] == 1
r = client.get("/api/v1/challenges/1")
assert r.status_code == 200
assert r.get_json()["data"]["id"] == 1
data = {"submission": "flag", "challenge_id": 1}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
assert r.get_json()["data"]["status"] == "correct"
assert Solves.query.count() == 0
data = {"submission": "notflag", "challenge_id": 1}
r = client.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
assert r.get_json()["data"]["status"] == "incorrect"
assert Fails.query.count() == 0
destroy_ctfd(app)
def test_challenges_admin_only_as_user():
app = create_ctfd()
with app.app_context():
set_config("challenge_visibility", "admins")
register_user(app)
admin = login_as_user(app, name="admin")
gen_challenge(app.db)
gen_flag(app.db, challenge_id=1, content="flag")
r = admin.get("/challenges")
assert r.status_code == 200
r = admin.get("/api/v1/challenges", json="")
assert r.status_code == 200
r = admin.get("/api/v1/challenges/1", json="")
assert r.status_code == 200
data = {"submission": "flag", "challenge_id": 1}
r = admin.post("/api/v1/challenges/attempt", json=data)
assert r.status_code == 200
destroy_ctfd(app)