Merge branch 'master' into master

Author: KreativeThinker

src/pwncore/config.py

@@ -1,5 +1,8 @@
 import os
+import bcrypt
 from dataclasses import dataclass
+import warnings
+from passlib.hash import bcrypt_sha256
 
 """
 Sample messages:
@@ -42,6 +45,8 @@
     "users_not_found": 24,
 }
 
+admin_hash_value = os.environ.get("PWNCORE_ADMIN_HASH", bcrypt_sha256.hash('pwncore'))
+using_default_admin = os.environ.get("PWNCORE_ADMIN_HASH") is None
 
 @dataclass
 class Config:
@@ -58,15 +63,15 @@ class Config:
     staticfs_url: str
     staticfs_data_dir: str
     staticfs_jwt_secret: str
-
+    admin_hash: str  
 
 config = Config(
-    development=True,
+    development=False,
     # db_url="sqlite://:memory:",
     db_url=os.environ.get("DATABASE_URL", "sqlite://:memory:"),
-    docker_url=None,  # None for default system docker
+    # docker_url=None,  # None for default system docker
     # Or set it to an arbitrary URL for testing without Docker
-    # docker_url="http://google.com",
+    docker_url="http://google.com",
     flag="C0D",
     max_containers_per_team=3,
     jwt_secret="mysecret",
@@ -77,4 +82,9 @@ class Config:
     staticfs_url="http://localhost:8080",
     staticfs_data_dir=os.environ.get("STATIC_DATA_DIR", "/data"),
     staticfs_jwt_secret="PyMioVKFXHymQd+n7q5geOsT6fSYh3gDVw3GqilW+5U="
+    admin_hash=admin_hash_value,
 )
+
+# Warn in production if env not loaded
+if not config.development and using_default_admin:
+    warnings.warn("Default admin hash being used in production!", RuntimeWarning)

src/pwncore/routes/admin.py

@@ -2,7 +2,7 @@
 from datetime import date
 
 from fastapi import APIRouter, Request, Response
-from passlib.hash import bcrypt
+from passlib.hash import bcrypt, bcrypt_sha256
 from tortoise.transactions import atomic, in_transaction
 
 import pwncore.containerASD as containerASD
@@ -29,7 +29,6 @@
 if config.development:
     logging.basicConfig(level=logging.INFO)
 
-ADMIN_HASH = "$2b$12$USIGDWgl8WSgSoGauDTKE.ZAKyInaJn84fsZ.ARA6FmntIZeNCTUq"
 NAMES = [
     "Mimas",
     "Enceladus",
@@ -57,7 +56,7 @@ async def _del_cont(id: str):
 async def calculate_team_coins(
     response: Response, req: Request
 ):  # Inefficient, anyways will be used only once
-    if not bcrypt.verify((await req.body()).strip(), ADMIN_HASH):
+    if not bcrypt_sha256.verify((await req.body()).strip(), config.admin_hash):  # Use config.admin_hash
         response.status_code = 401
         return
     async with in_transaction():
@@ -88,7 +87,7 @@ async def calculate_team_coins(
 async def init_db(
     response: Response, req: Request
 ):  # Inefficient, anyways will be used only once
-    if not bcrypt.verify((await req.body()).strip(), ADMIN_HASH):
+    if not bcrypt_sha256.verify((await req.body()).strip(), config.admin_hash):  
         response.status_code = 401
         return
     await Problem.create(