forked from juice-shop/juice-shop
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Block new user registration if registering via MLC (juice-shop#840)
* Block new user registration if registering via MLC * Allow login with MLC while registration is disabled
- Loading branch information
Showing
4 changed files
with
182 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,104 @@ | ||
#!/usr/bin/env python | ||
# -*- coding: utf-8 -*- | ||
|
||
from tests.helpers import * | ||
from CTFd.utils import set_config | ||
|
||
|
||
def test_oauth_not_configured(): | ||
"""Test that OAuth redirection fails if OAuth settings aren't configured""" | ||
app = create_ctfd() | ||
with app.app_context(): | ||
with app.test_client() as client: | ||
r = client.get('/oauth', follow_redirects=False) | ||
assert r.location == 'http://localhost/login' | ||
r = client.get(r.location) | ||
resp = r.get_data(as_text=True) | ||
assert "OAuth Settings not configured" in resp | ||
destroy_ctfd(app) | ||
|
||
|
||
def test_oauth_configured_flow(): | ||
"""Test that MLC integration works properly but does not allow registration (account creation) if disabled""" | ||
app = create_ctfd(user_mode="teams") | ||
app.config.update({ | ||
'OAUTH_CLIENT_ID': 'ctfd_testing_client_id', | ||
'OAUTH_CLIENT_SECRET': 'ctfd_testing_client_secret', | ||
'OAUTH_AUTHORIZATION_ENDPOINT': 'http://auth.localhost/oauth/authorize', | ||
'OAUTH_TOKEN_ENDPOINT': 'http://auth.localhost/oauth/token', | ||
'OAUTH_API_ENDPOINT': 'http://api.localhost/user', | ||
}) | ||
with app.app_context(): | ||
set_config('registration_visibility', 'private') | ||
assert Users.query.count() == 1 | ||
assert Teams.query.count() == 0 | ||
|
||
client = login_with_mlc(app, raise_for_error=False) | ||
|
||
assert Users.query.count() == 1 | ||
|
||
# Users shouldn't be able to register because registration is disabled | ||
resp = client.get('http://localhost/login').get_data(as_text=True) | ||
assert 'Public registration is disabled' in resp | ||
|
||
set_config('registration_visibility', 'public') | ||
client = login_with_mlc(app) | ||
|
||
# Users should be able to register now | ||
assert Users.query.count() == 2 | ||
user = Users.query.filter_by(email='user@ctfd.io').first() | ||
assert user.oauth_id == 1337 | ||
assert user.team_id == 1 | ||
|
||
# Teams should be created | ||
assert Teams.query.count() == 1 | ||
team = Teams.query.filter_by(id=1).first() | ||
assert team.oauth_id == 1234 | ||
|
||
client.get('/logout') | ||
|
||
# Users should still be able to login if registration is disabled | ||
set_config('registration_visibility', 'private') | ||
client = login_with_mlc(app) | ||
with client.session_transaction() as sess: | ||
assert sess['id'] | ||
assert sess['name'] | ||
assert sess['type'] | ||
assert sess['email'] | ||
assert sess['nonce'] | ||
destroy_ctfd(app) | ||
|
||
|
||
def test_oauth_login_upgrade(): | ||
"""Test that users who use MLC after having registered will be associated with their MLC account""" | ||
app = create_ctfd(user_mode="teams") | ||
app.config.update({ | ||
'OAUTH_CLIENT_ID': 'ctfd_testing_client_id', | ||
'OAUTH_CLIENT_SECRET': 'ctfd_testing_client_secret', | ||
'OAUTH_AUTHORIZATION_ENDPOINT': 'http://auth.localhost/oauth/authorize', | ||
'OAUTH_TOKEN_ENDPOINT': 'http://auth.localhost/oauth/token', | ||
'OAUTH_API_ENDPOINT': 'http://api.localhost/user', | ||
}) | ||
with app.app_context(): | ||
register_user(app) | ||
assert Users.query.count() == 2 | ||
set_config('registration_visibility', 'private') | ||
|
||
# Users should still be able to login | ||
client = login_as_user(app) | ||
client.get('/logout') | ||
|
||
user = Users.query.filter_by(id=2).first() | ||
assert user.oauth_id is None | ||
assert user.team_id is None | ||
|
||
login_with_mlc(app) | ||
|
||
assert Users.query.count() == 2 | ||
|
||
# Logging in with MLC should insert an OAuth ID and team ID | ||
user = Users.query.filter_by(id=2).first() | ||
assert user.oauth_id | ||
assert user.verified | ||
assert user.team_id | ||
destroy_ctfd(app) |