Merge branch 'master' into refactor/stricter-typechecking

Author: ethanwu10

.github/workflows/ci.yml

@@ -115,10 +115,5 @@ jobs:
         password: ${{ secrets.DOCKERHUB_PASS }}
         repository: redpwn/rctf
         # TODO: handle tagging releases correctly
-        tags: ${{ github.sha }}
+        tags: master,${{ github.sha }}
         # TODO: add cache_froms once we have full releases
-    - name: Deploy installer
-      uses: netlify/actions/build@master
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        NETLIFY_SITE_ID: ${{ secrets.NETLIFY_INSTALL_SITE_ID }}

.gitignore

@@ -10,7 +10,6 @@ yarn-error.log*
 /conf.d/*
 !/conf.d/.keep
 /docs/site
-/install/build
 
 # Upload provider dir
 /uploads

docker-compose.yml

@@ -1,7 +1,7 @@
 version: '2.2'
 services:
   rctf:
-    image: redpwn/rctf:${RCTF_GIT_COMMIT}
+    image: redpwn/rctf:${RCTF_GIT_REF}
     restart: always
     ports:
       - '127.0.0.1:8080:80'
@@ -11,11 +11,6 @@ services:
       - .env
     environment:
       - PORT=80
-      - RCTF_DATABASE_HOST=postgres
-      - RCTF_DATABASE_DATABASE=rctf
-      - RCTF_DATABASE_USERNAME=rctf
-      - RCTF_REDIS_HOST=redis
-      - RCTF_DATABASE_MIGRATE=before
     volumes:
       - ./conf.d:/app/conf.d
     depends_on:

install/_redirects

@@ -67,14 +67,14 @@ do_install() {
 
   info "Configuring rCTF..."
 
-  RCTF_GIT_COMMIT="${RCTF_GIT_COMMIT:-"{{git_commit}}"}"
+  RCTF_GIT_REF="${RCTF_GIT_REF:-"master"}"
 
   mkdir -p conf.d data/rctf-postgres data/rctf-redis
 
   printf "%s\n" \
   "RCTF_DATABASE_PASSWORD=$(get_key)" \
   "RCTF_REDIS_PASSWORD=$(get_key)" \
-  "RCTF_GIT_COMMIT=$RCTF_GIT_COMMIT" \
+  "RCTF_GIT_REF=$RCTF_GIT_REF" \
   > .env
 
   printf "%s\n" \
@@ -94,9 +94,20 @@ do_install() {
   "endTime: $(date -d +1week +%s)000" \
   > conf.d/02-ctf.yaml
 
+  printf "%s\n" \
+  "database:" \
+  "  sql:" \
+  "    host: postgres" \
+  "    user: rctf" \
+  "    database: rctf" \
+  "  redis:" \
+  "    host: redis" \
+  "  migrate: before" \
+  > conf.d/03-db.yaml
+
   info "Downloading rCTF..."
 
-  curl -fsSO "https://raw.githubusercontent.com/redpwn/rctf/$RCTF_GIT_COMMIT/docker-compose.yml"
+  curl -fsSO "https://raw.githubusercontent.com/redpwn/rctf/$RCTF_GIT_REF/docker-compose.yml"
   docker-compose pull
 
   info "Finished installation to ${RCTF_INSTALL_PATH}."

install/build.sh

@@ -14,21 +14,43 @@ export enum tokenKinds {
   ctftimeAuth = 4
 }
 
-export enum VerifyTokenKinds {
-  update = 'update',
-  register = 'register'
-}
+export type VerifyTokenKinds = 'update' | 'register' | 'recover'
 
 export type AuthTokenData = string
+
 export type TeamTokenData = string
-export interface VerifyTokenData {
+
+interface BaseVerifyTokenData {
   verifyId: string
   kind: VerifyTokenKinds
+}
+
+export interface RegisterVerifyTokenData extends BaseVerifyTokenData {
+  kind: 'register'
+  email: User['email']
+  name: User['name']
+  division: User['division']
+}
+
+export interface UpdateVerifyTokenData extends BaseVerifyTokenData {
+  kind: 'update'
   userId: User['id']
   email: User['email']
   division: User['division']
 }
-export type CtftimeAuthTokenData = string
+
+export interface RecoverTokenData extends BaseVerifyTokenData {
+  kind: 'recover'
+  userId: User['id']
+  email: User['email']
+}
+
+export type VerifyTokenData = RegisterVerifyTokenData | UpdateVerifyTokenData | RecoverTokenData
+
+export interface CtftimeAuthTokenData {
+  name: User['name']
+  ctftimeId: User['ctftimeId']
+}
 
 // Internal map of type definitions for typing purposes only -
 // this type does not describe a real data-structure

install/install.sh

@@ -7,9 +7,9 @@ import { ExtractQueryType } from './util'
 export interface User {
   id: string;
   name: string;
-  email: string;
+  email?: string;
   division: keyof ServerConfig['divisions'];
-  ctftimeId: string;
+  ctftimeId?: string;
   perms: number;
 }
 

server/auth/token.ts

@@ -1,6 +1,6 @@
 import config, { ServerConfig } from '../config/server'
 
-type ACLCheck = (email: string) => boolean
+type ACLCheck = (email: string | undefined) => boolean
 
 export interface ACL {
   match: string;
@@ -16,11 +16,11 @@ interface CompiledACL {
 let acls: CompiledACL[]
 
 const restrictionChecks: { [checkType: string]: (value: string) => ACLCheck } = {
-  domain: value => email => email.endsWith('@' + value),
+  domain: value => email => email?.endsWith('@' + value) ?? false,
   email: value => email => email === value,
   regex: value => {
     const re = new RegExp(value)
-    return email => re.test(email)
+    return email => email === undefined ? false : re.test(email)
   },
   any: value => email => true // eslint-disable-line @typescript-eslint/no-unused-vars
 }
@@ -45,7 +45,7 @@ export const compileACLs = (): void => {
 
 compileACLs()
 
-export const allowedDivisions = (email: string): string[] => {
+export const allowedDivisions = (email: string | undefined): string[] => {
   for (const acl of acls) {
     if (acl.check(email)) {
       return acl.divisions
@@ -54,6 +54,6 @@ export const allowedDivisions = (email: string): string[] => {
   return []
 }
 
-export const divisionAllowed = (email: string, division: string): boolean => {
+export const divisionAllowed = (email: string | undefined, division: string): boolean => {
   return allowedDivisions(email).includes(division)
 }

server/database/users.ts

@@ -85,3 +85,28 @@ test.serial('throws error on invalid matcher', t => {
   error = t.throws(restrict.compileACLs)
   t.is(error.message, 'Unrecognized ACL matcher "__proto__"')
 })
+
+test.serial('denies no email with all matchers except any', t => {
+  config.divisionACLs = [{
+    match: 'domain',
+    value: 'good-domain.com',
+    divisions: ['domain']
+  }, {
+    match: 'email',
+    value: '[email protected]',
+    divisions: ['email']
+  }, {
+    match: 'regex',
+    value: '^regex-email(-[a-z]+)[email protected]$',
+    divisions: ['regex']
+  }, {
+    match: 'any',
+    value: '',
+    divisions: ['any']
+  }]
+  restrict.compileACLs()
+  t.false(restrict.divisionAllowed(undefined, 'domain'))
+  t.false(restrict.divisionAllowed(undefined, 'email'))
+  t.false(restrict.divisionAllowed(undefined, 'regex'))
+  t.true(restrict.divisionAllowed(undefined, 'any'))
+})