93 lines
4.1 KiB
Python
93 lines
4.1 KiB
Python
#!/usr/bin/env python
|
|
# -*- coding: utf-8 -*-
|
|
|
|
from CTFd.models import Teams, Users, db
|
|
from CTFd.utils.crypto import verify_password
|
|
from tests.helpers import (
|
|
create_ctfd,
|
|
destroy_ctfd,
|
|
gen_team,
|
|
login_as_user,
|
|
register_user,
|
|
)
|
|
|
|
|
|
def test_api_can_query_by_team_emails():
|
|
"""Can an admin user query /api/v1/teams using a teams's email address"""
|
|
app = create_ctfd(user_mode="teams")
|
|
with app.app_context():
|
|
gen_team(app.db, email="team@findme.com")
|
|
register_user(app, name="testuser", email="user@findme.com")
|
|
with login_as_user(app, "testuser") as client:
|
|
r = client.get("/api/v1/teams?field=email&q=findme", json=True)
|
|
assert r.status_code == 400
|
|
assert r.get_json()["errors"].get("field")
|
|
with login_as_user(app, "admin") as client:
|
|
r = client.get("/api/v1/teams?field=email&q=findme", json=True)
|
|
assert r.status_code == 200
|
|
assert r.get_json()["data"][0]["id"] == 1
|
|
assert r.get_json()["data"][0]["name"] == "team_name"
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_api_team_can_update_password_if_none_not_if_set():
|
|
app = create_ctfd(user_mode="teams")
|
|
with app.app_context():
|
|
# Create a user with a null password. Use raw SQL to bypass SQLAlchemy validates
|
|
gen_team(app.db, name="testteam", email="team@examplectf.com")
|
|
db.session.execute("UPDATE teams SET password=NULL WHERE name='testteam'")
|
|
team = Teams.query.filter_by(id=1).first()
|
|
db.session.commit()
|
|
assert team.password is None
|
|
|
|
# Login and test that we are authed
|
|
captain = Users.query.filter_by(id=2).first()
|
|
normal_user = Users.query.filter_by(id=3).first()
|
|
with login_as_user(app, captain.name) as client:
|
|
r = client.get("/api/v1/teams/me", json=True)
|
|
assert r.get_json()["data"]["id"] == team.id
|
|
assert r.status_code == 200
|
|
|
|
# Patch the team's password from NULL
|
|
team = Teams.query.filter_by(name="testteam").first()
|
|
assert team.password is None
|
|
data = {"password": "12345", "confirm": "password"}
|
|
r = client.patch("/api/v1/teams/me", json=data)
|
|
assert r.status_code == 200
|
|
|
|
# Verify password is now set
|
|
team = Teams.query.filter_by(name="testteam").first()
|
|
assert verify_password(plaintext="12345", ciphertext=team.password)
|
|
|
|
# Verify that password cannot be changed without valid password
|
|
data = {"password": "noset", "confirm": "noset"}
|
|
r = client.patch("/api/v1/teams/me", json=data)
|
|
resp = r.get_json()
|
|
assert resp["errors"]["confirm"] == ["Your previous password is incorrect"]
|
|
assert r.status_code == 400
|
|
|
|
# Verify that a normal user cannot change the team password
|
|
with login_as_user(app, normal_user.name) as client:
|
|
# Try changing the password for the team
|
|
data = {"password": "newpassword", "confirm": "12345"}
|
|
r = client.patch("/api/v1/teams/me", json=data)
|
|
assert r.status_code == 403
|
|
|
|
# Verify that team password has not changed
|
|
team = Teams.query.filter_by(name="testteam").first()
|
|
assert verify_password(plaintext="12345", ciphertext=team.password)
|
|
|
|
# Create a new team
|
|
new_team = gen_team(app.db, name="newteam", email="newteam@examplectf.com")
|
|
new_captain = Users.query.filter_by(id=new_team.captain_id).first()
|
|
|
|
# Verify that the captain from the new team cannot change the password of the original team
|
|
with login_as_user(app, new_captain.name) as client:
|
|
data = {"password": "newpassword", "confirm": "12345"}
|
|
r = client.patch("/api/v1/teams/1", json=data)
|
|
assert r.status_code == 403
|
|
|
|
# Verify that old test team password has not changed
|
|
team = Teams.query.filter_by(name="testteam").first()
|
|
assert verify_password(plaintext="12345", ciphertext=team.password)
|