Merge branch 'master' into kdctf-2023

.github/workflows/ci.yml

@@ -0,0 +1,102 @@
+name: CI
+
+on:
+  - push
+  - pull_request
+
+jobs:
+  # Test with Tox, a recent Python version and libraries from PyPI
+  test_tox:
+    name: Test with Tox
+    runs-on: ubuntu-latest
+    container: python:3.10-bullseye
+    permissions:
+      # Required for "EnricoMi/publish-unit-test-result-action"
+      checks: write
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup dependencies
+        run: |
+          pip install tox
+          # Make sure we have our dependencies, which are not required for Tox but for `make build`
+          pip install -e .
+      - run: make build
+      - run: tox -e py310 -- --junitxml=.tox/py310/log/results.xml
+      - run: find .
+      - name: Publish unit test results
+        uses: EnricoMi/publish-unit-test-result-action@v1
+        if: always()
+        with:
+          files: .tox/py*/log/results.xml
+          comment_mode: "off"
+      - name: Archive unit test results
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: tox-test-results
+          path: .tox/py*/log/results.xml
+          if-no-files-found: error
+      - name: Archive code coverage results
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: tox-code-coverage-report
+          path: .tox/py*/log/htmlcov
+          if-no-files-found: error
+
+  build_deb_package:
+    name: Build Debian package
+    runs-on: ubuntu-latest
+    container: debian:bullseye
+    steps:
+      - uses: actions/checkout@v2
+      - run: echo 'deb http://deb.debian.org/debian/ bullseye-backports main' >> /etc/apt/sources.list
+      - run: apt-get --yes update
+      - run: apt-get --yes install --no-install-recommends devscripts dpkg-dev equivs
+      # It's a bit ugly to do this explicitly, but we really need Django from backports
+      - run: apt-get --yes install -t bullseye-backports python3-django
+      # Add `--yes` to mk-build-deps' default options for apt-get
+      - run: mk-build-deps --install --tool 'apt-get --yes -o Debug::pkgProblemResolver=yes --no-install-recommends' debian/control
+      - run: dpkg-buildpackage --unsigned-changes --unsigned-buildinfo
+      - run: mv ../ctf-gameserver_*.deb .
+      - name: Store Debian package
+        uses: actions/upload-artifact@v2
+        with:
+          name: deb-package
+          path: ctf-gameserver_*.deb
+          if-no-files-found: error
+
+  # Test with Python and libraries from Debian Stable sources
+  test_debian:
+    name: Test with Debian
+    runs-on: ubuntu-latest
+    container: debian:bullseye
+    needs: build_deb_package
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
+        with:
+          name: deb-package
+      - run: echo 'deb http://deb.debian.org/debian/ bullseye-backports main' >> /etc/apt/sources.list
+      - run: apt-get --yes update
+      # It's a bit ugly to do this explicitly, but we really need Django from backports
+      - run: apt-get --yes install -t bullseye-backports python3-django
+      # Install our package in order to install its dependencies
+      - run: apt-get --yes install --no-install-recommends ./ctf-gameserver_*.deb
+      - run: apt-get --yes install make curl unzip python3-pytest python3-pytest-cov
+      - run: make build
+      - run: pytest-3 --junitxml=results.xml --cov=src --cov-report=term --cov-report=html tests
+      - name: Archive unit test results
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: debian-test-results
+          path: results.xml
+          if-no-files-found: error
+      - name: Archive code coverage results
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: debian-code-coverage-report
+          path: htmlcov
+          if-no-files-found: error

conf/checker/checkermaster.env

@@ -1,7 +1,5 @@
 CTF_DBNAME="DUMMY"
 CTF_DBUSER="DUMMY"
-CTF_STATEDBNAME="DUMMY"
-CTF_STATEDBUSER="DUMMY"
 
 CTF_SUDOUSER="ctf-checkerrunner"
 CTF_IPPATTERN="0.0.%s.2"

conf/web/prod_settings.py

@@ -8,9 +8,6 @@
 from ctf_gameserver.web.base_settings import *
 
 
-# The human-readable title of your CTF
-COMPETITION_NAME = ''
-
 # Content Security Policy header in the format `directive: [values]`, see e.g
 # http://www.html5rocks.com/en/tutorials/security/content-security-policy/ for an explanation
 # The initially selected directives should cover most sensitive cases, but still allow YouTube embeds,
@@ -32,7 +29,7 @@
 # See https://docs.djangoproject.com/en/1.8/ref/settings/#databases
 DATABASES = {
     'default': {
-        'ENGINE': 'django.db.backends.postgresql_psycopg2',
+        'ENGINE': 'django.db.backends.postgresql',
         'HOST': '',
         'PORT': '',
         'NAME': '',

debian/install

@@ -3,10 +3,7 @@ conf/checker/[email protected] lib/systemd/system
 examples/checker/sudoers.d/ctf-checker etc/sudoers.d
 
 conf/controller/controller.env etc/ctf-gameserver
-conf/controller/flagid.env etc/ctf-gameserver
 conf/controller/ctf-controller.service lib/systemd/system
-conf/controller/ctf-flagid.service lib/systemd/system
-conf/controller/ctf-flagid.timer lib/systemd/system
 
 conf/submission/submission.env etc/ctf-gameserver
 conf/submission/[email protected] lib/systemd/system

doc/source/general.rst

@@ -10,7 +10,7 @@ can be (somewhat) restricted.
 Checkermaster
 ^^^^^^^^^^^^^
 
- - full access on ``checkerstate``
+ - full access on ``scoring_checkerstate``
  - read on ``scoring_gamecontrol``
  - write on ``scoring_statuscheck``
  - write on ``scoring_statuscheck_id_seq``

doc/source/setup.rst

@@ -12,7 +12,6 @@ machine on that network. ctf-gameserver has been checked out and built
 
    createuser -P faustctf
    createdb -O faustctf faustctf
-   createdb -O faustctf checkerstate
 
 Website
 -------
@@ -56,19 +55,6 @@ submission service and even use iptables to do some loadbalancing. The
 submission server is using an event-based architecture and is
 single-threaded.
 
-The database for the checkerstate needs to be set up manually and
-should contain exactly one table:
-
-.. code-block:: sql
-
-   CREATE TABLE checkerstate (
-     team_net_no INTEGER,
-     service_id INTEGER,
-     identifier CHARACTER VARYING (128),
-     data TEXT,
-     PRIMARY KEY (team_net_no, service_id, identifier)
-   );
-
 Checker
 -------
 

docs/checkers/go-library.md

@@ -23,7 +23,8 @@ API
 To create a Checker Script, implement the `checkerlib.Checker` interface with the following methods:
 
 * `PlaceFlag(ip string, team int, tick int) (checkerlib.Result, error)`: Called once per Script execution to
-  place a flag for the current tick. Use `checkerlib.GetFlag(tick, nil)` to get the flag.
+  place a flag for the current tick. Use `checkerlib.GetFlag(tick, nil)` to get the flag and (optionally)
+  `SetFlagID(data string)` to store the flag ID.
 * `CheckService(ip string, team int) (Result, error)`: Called once per Script execution to determine general
   service health.
 * `CheckFlag(ip string, team int, tick int) (checkerlib.Result, error)`: Determine if the flag for the given

docs/checkers/index.md

@@ -76,10 +76,22 @@ source code line.
 Persistent State
 ----------------
 Through special load and store commands to the Master, Checker Scripts can keep persistent state cross
-ticks. State is identified by a string key and may consist of arbitrary binary data. State is kept
-separately per team (and service), but not separated by tick. The Master makes sure that state stored in
+ticks. State is identified by a string key and must consist of valid UTF-8 data. However, [Checker Script
+libraries](#checker-script-libraries) may allow to store arbitrary data and handle serialization. State is
+kept separately per team (and service), but not separated by tick. The Master makes sure that state stored in
 one tick can be loaded in subsequent ones, regardless of the Master instances involved.
 
+Flag IDs
+--------
+In some cases, you want to provide teams with an identifier which helps retrieving an individual Flag. For
+example, consider a case where an exploit allows read access to a key/value store. To get Flag data, teams
+still have to know the keys under which valid Flags are stored. This can also help to reduce load on your
+service, because keys don't have to be brute-forced and a listing is not necessary.
+
+For this purpose, we provide the concept of **Flag IDs**. One ID can be stored per Flag by the Checker
+Script. It is provided to teams as JSON by the CTF Gameserver web component. Flag IDs must be UTF-8 strings
+with a maximum length of 100 characters. They are purely optional, not every service needs to provide them.
+
 IPC Protocol
 ------------
 All communication with the Master is initiated by the Checker Script. The Master will handle the Script's

docs/checkers/python-library.md

@@ -46,6 +46,7 @@ care of calling your methods, merging the results and submitting them to the Che
 
 ### Functions
 * `get_flag(tick: int) -> str`: Get the flag for the given tick (for the checked team).
+* `set_flagid(data: str) -> None`: Store the Flag ID for the current tick.
 * `store_state(key: str, data: Any) -> None`: Store arbitrary Python data persistently across runs.
 * `load_state(key: str) -> Any`: Retrieve data stored through `store_state()`.
 * `run_check(checker_cls: Type[BaseChecker]) -> None`: Start the check.

examples/checker/example_checker.env

@@ -1,5 +1,4 @@
 CTF_SERVICE="example_slug"
 CTF_CHECKERSCRIPT="/path/to/example_checker.py"
-CTF_MAXCHECKDURATION="90"
 CTF_CHECKERCOUNT="1"
 CTF_INTERVAL="10"

go/checkerlib/lib.go

@@ -141,7 +141,17 @@ func genFlag(team, service, timestamp int, payload, secret []byte) string {
 	mac := d.Sum(nil)
 
 	b.Write(mac[:9])
-	return "FAUST_" + base64.StdEncoding.EncodeToString(b.Bytes())
+	return "FLAG_" + base64.StdEncoding.EncodeToString(b.Bytes())
+}
+
+// SetFlagID stores the Flag ID for the current team and tick.
+func SetFlagID(data string) {
+	if ipc.in != nil {
+		ipc.SendRecv("FLAGID", data)
+		// Wait for acknowledgement, result is ignored
+	} else {
+		log.Printf("Storing Flag ID: %q", data)
+	}
 }
 
 // StoreState allows a Checker Script to store data (serialized via