add some documentation for CTFd and make some pre-commit fixes

bendehaan · bendehaan · commit 30c8386b46d7 · 2022-11-09T17:50:53.000+01:00
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -46,11 +46,11 @@ jobs:
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        
+
         # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-        
+
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
@@ -59,7 +59,7 @@ jobs:
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
     #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
     # - run: |
diff --git a/.github/workflows/minikube-k8s-test.yml b/.github/workflows/minikube-k8s-test.yml
@@ -28,7 +28,7 @@ jobs:
           kubernetes-version: v1.23.12
       - name: test script
         run: |
-          eval $(minikube docker-env)  
+          eval $(minikube docker-env)
           ./build-an-deploy.sh
           while [[ $(kubectl get pods -l app=wrongsecrets-balancer -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for wrongsecrets-balancer" && sleep 2; done
           kubectl logs deployments/wrongsecrets-balancer -f >> pod.log &
diff --git a/.gitignore b/.gitignore
@@ -14,4 +14,4 @@ db.zip
 .DS_Store
 .letsencrypt
 
-*.auto.tfvars
+*.auto.tfvars
diff --git a/aws/README.md b/aws/README.md
@@ -8,14 +8,14 @@ Please make sure that the account in which you run this exercise has either Clou
 
 Have the following tools installed:
 
--   AWS CLI - [Installation](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)
--   EKS CTL - [Installation](https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html)
--   Tfenv (Optional) - [Installation](https://github.com/tfutils/tfenv)
--   Terraform CLI - [Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)
--   Wget - [Installation](https://www.jcchouinard.com/wget/)
--   Helm [Installation](https://helm.sh/docs/intro/install/)
--   Kubectl [Installation](https://kubernetes.io/docs/tasks/tools/)
--   jq [Installation](https://stedolan.github.io/jq/download/)
+- AWS CLI - [Installation](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)
+- EKS CTL - [Installation](https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html)
+- Tfenv (Optional) - [Installation](https://github.com/tfutils/tfenv)
+- Terraform CLI - [Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)
+- Wget - [Installation](https://www.jcchouinard.com/wget/)
+- Helm [Installation](https://helm.sh/docs/intro/install/)
+- Kubectl [Installation](https://kubernetes.io/docs/tasks/tools/)
+- jq [Installation](https://stedolan.github.io/jq/download/)
 
 Make sure you have an active account at AWS for which you have configured the credentials on the system where you will execute the steps below. In this example we stored the credentials under an aws profile as `awsuser`.
 
@@ -55,6 +55,7 @@ Your EKS cluster should be visible in [EU-West-1](https://eu-west-1.console.aws.
 Are you done playing? Please run `terraform destroy` twice to clean up.
 
 ### Test it
+
 When you have completed the installation steps, you can do `kubectl port-forward service/wrongsecrets-balancer 3000:3000` and then go to [http://localhost:3000](http://localhost:3000).
 
 Want to know how well your cluster is holding up? Check with
@@ -64,14 +65,30 @@ Want to know how well your cluster is holding up? Check with
     kubectl top pods
 ```
 
+### Configuring CTFd
+
+You can use the [Juiceshop CTF CLI](https://github.com/juice-shop/juice-shop-ctf) to generate CTFd configuration files.
+
+Follow the following steps:
+
+```shell
+    npm install -g juice-shop-ctf-cli@9.1.2
+    juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com as domain. No trailing slash! The key is 'test', by default feel free to enable hints. We do not support snippets or links/urls to code or hints.
+```
+
+Now visit the CTFd instance and setup your CTF. If you haven't set up a load balancer/ingress, the you can use `kubectl port-forward -n ctfd $(kubectl get pods --namespace ctfd -l "app.kubernetes.io/name=ctfd,app.kubernetes.io/instance=ctfd" -o jsonpath="{.items[0].metadata.name}") 8000:8000` and go to `localhost:8000` to visit CTFd.
+
+Then use the administrative backup function to import the zipfile you created with the juice-shop-ctf command.
+Want to setup your own? You can! Watch out for people finding your key though, so secure it properly: make sure the running container with the actual ctf-key is not exposed to the audience, similar to our heroku container.
+
 ### Clean it up
 
 When you're done:
 
 1. Kill the port forward.
 2. Run the cleanup script: `cleanup-aws-autoscaling-and-helm.sh`
 3. Run `terraform destroy` to clean up the infrastructure.
-    1. If you've deployed the `shared-state` s3 bucket, also `cd shared-state` and `terraform destroy` there.
+   1. If you've deployed the `shared-state` s3 bucket, also `cd shared-state` and `terraform destroy` there.
 4. Run `unset KUBECONFIG` to unset the KUBECONFIG env var.
 5. Run `rm ~/.kube/wrongsecrets` to remove the kubeconfig file.
 6. Run `rm terraform.tfstate*` to remove local state files.
@@ -96,6 +113,7 @@ Do the following:
 Note that you might have to do some manual cleanups after that.
 
 ## Terraform documentation
+
 The documentation below is auto-generated to give insight on what's created via Terraform.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -120,8 +138,8 @@ The documentation below is auto-generated to give insight on what's created via
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | 18.29.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.14.4 |
+| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | 18.30.2 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.18.1 |
 
 ## Resources
 
@@ -130,7 +148,9 @@ The documentation below is auto-generated to give insight on what's created via
 | [aws_iam_policy.secret_deny](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.secret_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.irsa_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.user_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.user_secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.irsa_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.user_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_secretsmanager_secret.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
@@ -143,18 +163,21 @@ The documentation below is auto-generated to give insight on what's created via
 | [random_password.password2](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.assume_role_for_secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.assume_role_with_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.secret_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.user_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.user_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.user_secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [http_http.ip](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
-| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.22"` | no |
+| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.23"` | no |
+| <a name="input_extra_allowed_ip_ranges"></a> [extra\_allowed\_ip\_ranges](#input\_extra\_allowed\_ip\_ranges) | Allowed IP ranges in addition to creator IP | `list(string)` | `[]` | no |
 | <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
 
 ## Outputs
diff --git a/aws/build-an-deploy-aws.sh b/aws/build-an-deploy-aws.sh
@@ -121,7 +121,7 @@ helm upgrade --install mj ../helm/wrongsecrets-ctf-party \
   --set="balancer.repository=jeroenwillemsen/wrongsecrets-balancer" \
   --set="balancer.replicas=4" \
   --set="wrongsecretsCleanup.repository=jeroenwillemsen/wrongsecrets-ctf-cleaner" \
-  --set="wrongsecrets.ctfKey=test"
+  --set="wrongsecrets.ctfKey=test" # this key isn't actually necessary in a setup with CTFd
 
 # Install CTFd
 
@@ -132,4 +132,4 @@ helm -n ctfd install ctfd oci://ghcr.io/bman46/ctfd/ctfd \
   --set="mariadb.auth.rootPassword=${$(openssl rand -base64 24)}" \
   --set="mariadb.auth.password=${$(openssl rand -base64 24)}" \
   --set="mariadb.auth.replicationPassword=${$(openssl rand -base64 24)}" \
-  --set="env.open.SECRET_KEY=test"
+  --set="env.open.SECRET_KEY=test" # this key isn't actually necessary in a setup with CTFd
diff --git a/aws/cluster-autoscaler-policy.json b/aws/cluster-autoscaler-policy.json
@@ -28,4 +28,4 @@
             "Resource": "*"
         }
     ]
-}
+}
diff --git a/aws/shared-state/README.md b/aws/shared-state/README.md
@@ -13,7 +13,7 @@ The documentation below is auto-generated to give insight on what's created via
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.38.0 |
 
 ## Modules
 
diff --git a/build-an-deploy.sh b/build-an-deploy.sh
@@ -14,9 +14,9 @@ WRONGSECRETS_IMAGE=$(cat helm/wrongsecrets-ctf-party/values.yaml| yq '.wrongsecr
 WRONGSECRETS_TAG=$(cat helm/wrongsecrets-ctf-party/values.yaml| yq '.wrongsecrets.tag')
 WEBTOP_IMAGE=$(cat helm/wrongsecrets-ctf-party/values.yaml| yq '.virtualdesktop.image')
 WEBTOP_TAG=$(cat helm/wrongsecrets-ctf-party/values.yaml| yq '.virtualdesktop.tag')
-echo "Pulling in required images to actually run $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG & $WEBTOP_IMAGE:$WEBTOP_TAG." 
+echo "Pulling in required images to actually run $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG & $WEBTOP_IMAGE:$WEBTOP_TAG."
 echo "If you see an authentication failure: pull them manually by the following 2 commands"
-echo "'docker pull $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG'" 
+echo "'docker pull $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG'"
 echo "'docker pull jeroenwillemsen/jeroenwillemsen/$WEBTOP_IMAGE:$WEBTOP_TAG'" &
 docker pull $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG &
 docker pull jeroenwillemsen/jeroenwillemsen/$WEBTOP_IMAGE:$WEBTOP_TAG &
diff --git a/guides/production-notes/production-notes.md b/guides/production-notes/production-notes.md
@@ -32,4 +32,3 @@ juiceShop:
   maxInstances: 42
   ctfKey: "DONT_LET_ME_FIND_YOU_USING_THIS_EXACT_VALUE"
 ```
-
diff --git a/helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/role.yaml b/helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/role.yaml
@@ -38,10 +38,9 @@ rules:
   - apiGroups: ['secrets-store.csi.x-k8s.io']
     resources: ['secretproviderclasses']
     verbs: ['create', 'get', 'list', 'delete']
-  - apiGroups: ['networking.k8s.io'] 
+  - apiGroups: ['networking.k8s.io']
     resources: ['networkpolicies']
     verbs: ['create', 'get', 'list', 'delete']
   - apiGroups: ['']
     resources: ['endpoints']
     verbs: [ 'get', 'list']
-    
diff --git a/readme.md b/readme.md
@@ -1,4 +1,5 @@
 # WrongSecrets CTF Party
+
 _Powered by MultiJuicer_
 [![CodeQL](https://github.com/OWASP/wrongsecrets-ctf-party/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/OWASP/wrongsecrets-ctf-party/actions/workflows/codeql-analysis.yml)
 [![Pre-commit check](https://github.com/OWASP/wrongsecrets-ctf-party/actions/workflows/pre-commit.yml/badge.svg)](https://github.com/OWASP/wrongsecrets-ctf-party/actions/workflows/pre-commit.yml)
@@ -8,13 +9,15 @@ _Powered by MultiJuicer_
 Want to play OWASP WrongSecrets in a large group in CTF mode, but not go over all the hassle of setting up local copies of OWASP WrongSecrets? Here is OWASP WrongSecrets CTF Party! This is a fork of OWASP MultiJuicer, which is adapted to become a dynamic multi-tenant setup for doing a CTF together!
 
 Note that we:
+
 - have a [Webtop](https://docs.linuxserver.io/images/docker-webtop) integrated for each player
 - have a WrongSecrets instance integrated for each player
 - A working admin interface which can restart both or delete both (by deleting the full namespace)
 - Do not support any progress watchdog as you will have access to it, we therefore disabled it.
 - It can cleanup old & unused namespaces automatically.
 
 ## Special thanks
+
 Special thanks to [@madhuakula](https://github.com/madhuakula), [@bendehaan](https://github.com/bendehaan) , and [@mikewoudenberg](https://github.com/mikewoudenberg) for making this port a reality!
 
 ### Sponsorships
@@ -37,18 +40,20 @@ We would like to thank the following parties for helping us out:
 
 [1Password](https://github.com/1Password/1password-teams-open-source/pull/552) for granting us an open source license to 1Password for the secret detection testbed.
 
-
 ## What you need to know
+
 This environment uses a webtop and an instance of wrongsecrets per user. This means that you need per user:
+
 - 2.5 CPU (min = 0.5 , limit = 2.5)
 - 3.5 GB RAM (min 1 GB, limit = 3.5GB)
 - 8GB HD (min 3 GB, limit = 8GB)
 
-
 ### Running this on minikube
+
 A 3-6 contestant game can be played on a local minikube with updated cpu & memory settings (e.g. 6 virtual CPUs, 9 GB ram).
 
 ### Running this on AWS EKS with larger groups
+
 A 100 contestant game can be played on the AWS setup, which will require around 200 (100-250) CPUs, 300 (250-350) GB Ram, and 800 GB of storage available in the cluster. Note that we have configured everything based on autoscaling in AWS. This means that you can often start with a cluster about 20% of the size of the "limit" numbers and then see how things evolve. You will hardly hit those limits, unless all players are very actively fuzzing the WrongSecrets app, while runnign heavy appss on their Webtops. Instead, you will see that you are using just 25% of what is provided in numbers here. So, by using our terraform (including an autoscaling managed nodegroup), you can reduce the cost of your CTF by a lot!
 
 ## Status - Experimental release
@@ -62,26 +67,28 @@ The different setups are explained in [OWASP WrongSecrets CTF-instructions](http
 ### Approach 1: 3-domain setup
 
 You need 3 things:
+
 - This infrastructure
 - The actual place where correct answers are exchanged for CTFD-flags. This can be your fly.dev/heroku/etc. or local container of WrongSecrets running in CTF mode with the additional key setup for challenge 8.
 - A CTFD/Facebook-CTF host which is populated with the challenges based on your secondary hosted WrongSecrets application.
 
 ### Approach 2: 2-domain setup
 
 You need 2 things:
-- This infrastructure
-- A CTFD/Facebook-CTF host which is populated with the challenges based on your secondary hosted WrongSecrets application.
 
+- This infrastructure
+- A CTFD/Facebook-CTF host which is populated with the challenges based on your secondary hosted WrongSecrets application (this can be the helm chart included in the EKS installation script)
 
 ### General Helm usage
 
 This setup works best if you have Calico installed as your CNI, if you want to use the helm directly, without the AWS Challenges, do:
 
 ```shell
 
-helm upgrade --install mj ./helm/wrongsecrets-ctf-party 
+helm upgrade --install mj ./helm/wrongsecrets-ctf-party
 
 ```
+
 from this repo. We will host the helm chart soon for you.
 
 ### Play with Minikube:
@@ -96,6 +103,7 @@ eval $(minikube docker-env)
 kubectl port-forward service/wrongsecrets-balancer 3000:3000
 
 ```
+
 Want to know whether your system is holding up? use
 
 ```shell
@@ -108,11 +116,10 @@ kubectl top pods
 
 ** NOTE: SEE SECTIONS ABOVE ABOUT WHAT YOU NEED AND THE COST OF THINGS: This project is not responsible, and will not pay for any part of your AWS bill. **
 
-For AWS EKS follow the instrucrtions in the `/aws` folder.
+For AWS EKS follow the instructions in the `/aws` folder. This setup also includes a helm installation of CTFd.
 
 Then open a browser and go to [localhost:3000](http:localhost:3000) and have fun :D .
 
-
 ### Some production notes
 
 See [production notes](./guides/production-notes/production-notes.md) for a checklist of values you'll likely need to configure before using Wrongsecrets-ctf-party in proper events.
@@ -122,6 +129,8 @@ See [production notes](./guides/production-notes/production-notes.md) for a chec
 You got some options on how to setup the stack, with some option to customize the WrongSecrets and Virtual desktop instances to your own liking.
 You can find the default config values under: [helm/wrongsecrets-ctf-party/values.yaml](helm/wrongsecrets-ctf-party/values.yaml)
 
+The default ctfd config values are here: [aws/k8s/ctfd-values.yaml](aws/k8s/ctfd-values.yaml). Note that these values are not used, and instead only se in the file [aws/build-an-deploy-aws.sh](aws/build-an-deploy-aws.sh).
+
 Download & Save the file and tell helm to use your config file over the default by running:
 
 ```sh
@@ -134,6 +143,12 @@ helm install -f values.yaml wrongsecrets-ctf-party ./wrongsecrets-ctf-party/helm
 helm delete wrongsecrets-ctf-party
 ```
 
+And if you are running AWS (including CTFd):
+
+```sh
+helm delete ctfd -n ctfd
+```
+
 ## FAQ
 
 ### Why a custom LoadBalancer?
@@ -165,7 +180,6 @@ kubectl get -l app=wrongsecrets -o custom-columns-file=wrongsecrets.txt deployme
 
 There are a few more ways how you can check whether all is going well: have a look in the [/scripts](/scripts/) folder for various tools that can help you to see if there are too many namespaces created for instance. This does require you to export the teams and players from ctfd.
 
-
 ### Did somebody actually ask any of these questions?
 
 No 😉
diff --git a/scripts/delete-unused-ns.sh b/scripts/delete-unused-ns.sh
@@ -31,6 +31,6 @@ else
         kubectl delete ns $NAMESPACE
         echo "deleted $NAMESPACE"
     fi
-    
+
 fi
-done
+done
diff --git a/scripts/list-unused-ns.sh b/scripts/list-unused-ns.sh
@@ -26,6 +26,6 @@ else
         echo "did NOT find $NO_TDASH_NAMESPACE in users and teams"
         echo $NAMESPACE >> unusedteams.txt
     fi
-    
+
 fi
-done
+done
diff --git a/scripts/patch-nsp-for-kubectl.sh b/scripts/patch-nsp-for-kubectl.sh
diff --git a/wrongsecrets-balancer/ui/src/Components.js b/wrongsecrets-balancer/ui/src/Components.js

Original file line number	Diff line number	Diff line change
`@@ -28,4 +28,4 @@`
`28`	`28`	`"Resource": "*"`
`29`	`29`	`}`
`30`	`30`	`]`
`31`		`-}`
	`31`	`+}`