Deployment qa

ansible/files/mui.service.conf

@@ -1,3 +1,5 @@
+pass quick from <administrators> label "administrators"
+
 # Allow moderator access to mui
 pass quick inet proto tcp from <moderators> to (egress:0) port { 80, 443 }
 pass in quick inet proto tcp to 127.0.0.1 port 8888 rdr-to 10.7.0.200

ansible/files/pf.conf

@@ -32,7 +32,6 @@ match on tun from <offense_activated> tag OFFENSE_REGISTERED
 block return quick to { 239.255.255.250, 224/8 }
 block return log
 block drop in log quick from <banned>
-pass quick from <administrators> label "administrators"
 pass quick from (self) label "selforigin"
 
 include "/etc/service.pf.conf"

ansible/files/pui.service.conf

@@ -1,12 +1,16 @@
 
 # Allow users to connect to port 80/443
+pass in quick on egress inet proto tcp from {<moderators>, <administrators>} to (egress:0) port 8888 rdr-to 127.0.0.1
+pass quick from <administrators> label "administrators"
+
 pass quick inet proto tcp from <moderators> to (egress:0) port { 80 , 443 } label "www-moderators"
 
 # FOR DT OPERATIONS
 pass in quick inet proto tcp from <maintenance> to port 80 rdr-to 127.0.0.1 port 8080 label "maintenance"
 pass in quick inet proto tcp from <maintenance> to port 443 rdr-to 127.0.0.1 port 8443 label "maintenance"
+block in quick on egress inet proto tcp from <maintenance> to (egress:0) port 8888
 
 pass in on egress inet proto tcp from <venue> to port { 80, 443 } label "www-normal"
 pass in on egress inet proto tcp to port { 80, 443 } label "www-normal"
+pass in quick on egress inet proto tcp to (egress:0) port 8888 rdr-to 127.0.0.1
 
-pass in quick inet proto tcp from (interconnect:network) to (interconnect:0) port 8888 rdr-to 127.0.0.1

ansible/files/vpn.service.conf

@@ -1,3 +1,5 @@
+pass quick from <administrators> label "administrators"
+
 # Allow moderators to access the service even when in maintenance
 pass quick on egress inet proto udp from <moderators> to (egress:0) port 1194 label "OpenVPN"
 

ansible/inventories/servers/group_vars/all.yml

@@ -1,8 +1,16 @@
 ## Replace the following with your fork of the repo
 GITHUB_REPO: git@github.com:echoCTF/echoCTF.RED.git
 GITHUB_OAUTH_TOKEN: YOUR-GITHUB-TOKEN-FOR-COMPOSER
-GITHUB_REPO_BRANCH: THE-DEFAULT-BRANCH
+GITHUB_REPO_BRANCH: main # change to your desired branch
 ## Domain with IN TXT space separated list `IN TXT "1.1.1.1 2.2.2.2"
 admins_domain: admin.example.com
 
-ansible_python_interpreter: "/usr/local/bin/python3.10"
+ansible_python_interpreter: "/usr/local/bin/python3"
+
+db_ip: "10.7.0.253"
+pui_ip: "10.7.0.200"
+mui_ip: "10.7.0.201"
+vpn_ip: "10.7.0.254"
+interconnect_interface: "vio1"
+pui_ext_ip: "1.2.3.4"
+mui_ext_ip: "1.2.3.4"

ansible/inventories/servers/group_vars/vpn.yml

@@ -1,17 +1,17 @@
 REPO: /root/sources
 vpngw: "vpngw.example.red"
-egress_if: "em0"
-targets_if: "em1"
-targets_if_ipv4: "10.0.160.254"
-targets_subnet: "10.0.160.0"
-targets_netmask: "255.255.255.0"
+egress_if: "vio0"
+targets_if: "vio1"
+targets_if_ipv4: "10.0.0.254"
+targets_subnet: "10.0.0.0"
+targets_netmask: "255.255.0.0"
 echoCTF_VPN_mgmt_passwd: "openvpn"
 offense_network: "10.10.0.0/16"
-db_host: "172.24.0.253"
+db_host: "10.7.0.253"
 db_name: "echoCTF"
 db_user: "vpnuser"
 db_pass: "vpnuserpass"
-interconnect_interface: em2
+interconnect_interface: vio2
 interconnect_interface_ip: 10.7.0.254
 ## Memcache port
 memc_port: 11211

ansible/inventories/servers/host_vars/mui.yml

@@ -1,9 +1,18 @@
 hostname: mui.mydomain
-moderator_domain: mui.mydomain
+domain_name: mui.mydomain
 backups:
   - { tgz: "/altroot/root.tgz", src: '/root' }
   - { tgz: "/altroot/etc.tgz", src: '/etc'  }
   - { tgz: "/altroot/varcron.tgz", src: '/var/cron'  }
   - { tgz: "/altroot/home.tgz", src: '/home'  }
 
-REPO: "/home/moderatorUI/{{moderator_domain}}"
+REPO: "/home/moderatorUI/{{domain_name}}"
+APP_USER: moderatorUI
+APP_SERVICES:
+  - php84_fpm
+  - moderator
+PRESERVE_PATHS:
+  - backend/web/identificationFiles/
+  - backend/config/db.php
+  - backend/config/cache.php
+  - backend/config/validationKey.php

ansible/inventories/servers/host_vars/pui.yml

@@ -1,10 +1,22 @@
 hostname: pui.mydomain
-offense_domain: pui.mydomain
+domain_name: pui.mydomain
 backups:
   - { tgz: "/altroot/root.tgz", src: '/root' }
   - { tgz: "/altroot/etc.tgz", src: '/etc'  }
   - { tgz: "/altroot/varcron.tgz", src: '/var/cron'  }
   - { tgz: "/altroot/var.tgz", src: '/var'  }
   - { tgz: "/altroot/home.tgz", src: '/home'  }
 
-REPO: "/home/participantUI/{{offense_domain}}"
+REPO: "/home/participantUI/{{domain_name}}"
+APP_USER: participantUI
+APP_SERVICES:
+  - php84_fpm
+  - participant
+PRESERVE_PATHS:
+  - frontend/web/images/avatars/
+  - frontend/web/images/targets/
+  - frontend/web/identificationFiles/
+  - frontend/config/db.php
+  - frontend/config/cache.php
+  - frontend/config/validationKey.php
+  - frontend/config/routes.php

ansible/runonce/db.yml

@@ -453,19 +453,6 @@
     - { cmd: "touch /etc/match-findings-pf.conf", creates: "/etc/match-findings-pf.conf" }
     - { cmd: "install -m 0500 /etc/examples/rc.local /etc/rc.local", creates: "/etc/rc.local" }
 
-  - name: Execute fw_update
-    command: fw_update -a
-
-  - name: Execute syspatch
-    command: syspatch
-    failed_when: result.rc not in [0,2]
-    register: result
-
-  - name: Re-Execute syspatch in case it updated it self on the previous run
-    command: syspatch
-    failed_when: result.rc not in [0,2]
-    register: result
-
   - name: Update crontab PATH variable
     cron:
       user: root
@@ -486,5 +473,18 @@
       - { name: "events checker", minute: "*/1",  job: "-ns /usr/local/sbin/mysql-events-checker" }
       - { name: "daily database backups", minute: "0",hour: "23",  job: "-ns /usr/local/sbin/database_backup" }
 
+  - name: Execute fw_update
+    command: fw_update -a
+
+  - name: Execute syspatch
+    command: syspatch
+    failed_when: result.rc not in [0,2]
+    register: result
+
+  - name: Re-Execute syspatch in case it updated it self on the previous run
+    command: syspatch
+    failed_when: result.rc not in [0,2]
+    register: result
+
   - name: display post install message
     debug: msg="Make sure you've added your IP to the administrators.conf and reboot the system for the changes to take effect"

ansible/runonce/mui.yml

@@ -3,7 +3,7 @@
 - hosts: all
   gather_facts: false
   vars_prompt:
-    - name: "myname"
+    - name: "hostname"
       prompt: "1/7. System hostname?"
       default: "mui.example.local"
       private: no
@@ -41,7 +41,7 @@
       PHP_MINOR: "6"
       AUTOCONF: "2.69"
       AUTOMAKE: "1.16"
-      ICU_MAJOR: 76
+      ICU_MAJOR: 77
       ICU_MINOR: 1
     sysctl:
       kern.bufcachepercent: 30
@@ -97,9 +97,9 @@
       - "php-intl%{{versions.PHP}}"
       - "php-pdo_mysql%{{versions.PHP}}"
       - "php-zip%{{versions.PHP}}"
-      - "php-bcmath%{{versions.PHP}}"
+      #- "php-bcmath%{{versions.PHP}}"
       - "php-gmp%{{versions.PHP}}"
-      - "php-mcrypt%{{versions.PHP}}"
+      #- "php-mcrypt%{{versions.PHP}}"
       - "php-tidy%{{versions.PHP}}"
       - py3-pip
       - py3-requests
@@ -120,16 +120,16 @@
 
   - name: Set hostname
     hostname:
-      name: "{{myname}}"
+      name: "{{hostname}}"
 
   - name: Make hostname permanent (/etc/myname)
     copy:
-      content: "{{ myname }}\n"
+      content: "{{ hostname }}\n"
       dest: /etc/myname
 
   - name: Create fresh /etc/hosts
     copy:
-      content: "127.0.0.1 localhost\n{{db_ip}} db\n{{mui_ext_ip}} {{  myname.split('.')[0] | lower }} {{ myname }}\n"
+      content: "127.0.0.1 localhost\n{{db_ip}} db\n{{mui_ext_ip}} {{  hostname.split('.')[0] | lower }} {{ hostname }}\n"
       dest: /etc/hosts
 
   - name: Configure interconnect interface
@@ -271,8 +271,8 @@
       src: "{{item.src}}"
       dest: "{{item.dest}}"
     with_items:
-      - { src: '{{playbook_dir}}/../templates/httpd.conf.j2', dest: '/etc/httpd.conf', domain: '{{myname}}' }
-      - { src: '{{playbook_dir}}/../templates/acme-client.conf.j2', dest: '/etc/acme-client.conf', domain: '{{myname}}', challenge_dir: "/home/moderatortUI/acme/.well-known/acme-challenge/" }
+      - { src: '{{playbook_dir}}/../templates/httpd.conf.j2', dest: '/etc/httpd.conf', domain: '{{hostname}}' }
+      - { src: '{{playbook_dir}}/../templates/acme-client.conf.j2', dest: '/etc/acme-client.conf', domain: '{{hostname}}', challenge_dir: "/home/moderatortUI/acme/.well-known/acme-challenge/" }
 
   - name: Generate pf tables files
     command: "{{item.cmd}}"

ansible/runonce/pui.yml

@@ -4,7 +4,7 @@
   hosts: all
   gather_facts: false
   vars_prompt:
-    - name: "myname"
+    - name: "hostname"
       prompt: "1/7. System hostname?"
       default: "pui.example.local"
       private: no
@@ -54,7 +54,7 @@
       PHP_MINOR: "6"
       AUTOCONF: "2.69"
       AUTOMAKE: "1.16"
-      ICU_MAJOR: 76
+      ICU_MAJOR: 77
       ICU_MINOR: 1
     sysctl:
       kern.bufcachepercent: 30
@@ -102,9 +102,9 @@
       - "php-intl%{{versions.PHP}}"
       - "php-pdo_mysql%{{versions.PHP}}"
       - "php-zip%{{versions.PHP}}"
-      - "php-bcmath%{{versions.PHP}}"
+      #- "php-bcmath%{{versions.PHP}}"
       - "php-gmp%{{versions.PHP}}"
-      - "php-mcrypt%{{versions.PHP}}"
+      #- "php-mcrypt%{{versions.PHP}}"
       - certbot
       - py3-pip
       - py3-requests
@@ -125,16 +125,16 @@
 
   - name: Set hostname
     hostname:
-      name: "{{myname}}"
+      name: "{{hostname}}"
 
   - name: Make hostname permanent (/etc/myname)
     copy:
-      content: "{{ myname }}\n"
+      content: "{{ hostname }}\n"
       dest: /etc/myname
 
   - name: Create fresh /etc/hosts
     copy:
-      content: "127.0.0.1 localhost\n{{db_ip}} db\n{{pui_ext_ip}} {{  myname.split('.')[0] | lower }} {{ myname }}\n"
+      content: "127.0.0.1 localhost\n{{db_ip}} db\n{{pui_ext_ip}} {{  hostname.split('.')[0] | lower }} {{ hostname }}\n"
       dest: /etc/hosts
 
   - name: Configure interconnect interface
@@ -488,10 +488,12 @@
     command: "{{item}}"
     with_items:
       - mkdir -p /home/participantUI/{{domain_name}}/frontend/web/assets
+      - mkdir -p /home/participantUI/{{domain_name}}/frontend/web/identificationFiles
       - mkdir -p /home/participantUI/{{domain_name}}/frontend/web/images/avatars/team
       - mkdir -p /var/log/cron
       - chown -R participantUI /home/participantUI/{{domain_name}}/frontend/web/assets
       - chown -R participantUI /home/participantUI/{{domain_name}}/frontend/web/images/avatars/
+      - chown -R participantUI /home/participantUI/{{domain_name}}/frontend/web/identificationFiles
       - ln -sf /home/participantUI/{{domain_name}}/frontend/yii /usr/local/bin/frontend
 
   - name: configure participant rc.d
@@ -612,7 +614,7 @@
 
   - name: Grab wsserver
     get_url:
-      url: "https://github.com/echoCTF/ws-server/releases/download/v1.0.0/wsserver-openbsd-amd64.zip"
+      url: "https://github.com/echoCTF/ws-server/releases/latest/download/wsserver-openbsd-amd64.zip"
       dest: /tmp/wsserver.zip
 
   - name: Extract wsserver
@@ -627,7 +629,7 @@
       content: |
         [program:wsserver]
         user = participantUI
-        command = /usr/local/bin/wsserver -addr "127.0.0.1:8888" -db mysql -dsn "participantUI:participantUI@{{db_ip}}/echoCTF" -max-queued 20
+        command = /usr/local/bin/wsserver-openbsd-amd64 -addr "127.0.0.1:8888" -db mysql -dsn "participantUI:participantUI@tcp({{db_ip}})/echoCTF" -max-queued 20
         stdout_logfile=/var/log/wsserver.log
         stdout_logfile_maxbytes=0
         redirect_stderr=true

ansible/runonce/vpngw.yml

@@ -568,7 +568,7 @@
       creates: "{{item.creates|default(omit)}}"
       chdir: "{{item.chdir|default(omit)}}"
     with_items:
-    - { cmd: "ln -s {{APP_DIR}}/backend/yii /usr/local/bin/backend"}
+    - { cmd: "ln -sf {{APP_DIR}}/backend/yii /usr/local/bin/backend"}
     - { cmd: "openssl dhparam -out /etc/openvpn/dh.pem 2048", creates: "/etc/openvpn/dh.pem" }
     - { cmd: "openvpn --genkey secret /etc/openvpn/private/vpn-ta.key", creates: "/etc/openvpn/private/vpn-ta.key" }
     - { cmd: "{{APP_DIR}}/backend/yii migrate --interactive=0" }

backend/modules/settings/views/sysconfig/configure.php

@@ -48,6 +48,7 @@
       <div class="col-sm-3"><?= $form->field($model, 'player_monthly_rankings')->checkbox()->hint('Show monthly leaderboards by points?') ?></div>
       <div class="col-sm-3"><?= $form->field($model, 'country_rankings')->checkbox()->hint('Show country based leaderboards?') ?></div>
       <div class="col-sm-3"><?= $form->field($model, 'team_only_leaderboards')->checkbox()->hint('Show only team based leaderboards?') ?></div>
+      <div class="col-sm-3"><?= $form->field($model, 'writeup_rankings')->checkbox()->hint('Enable writeup rankings?') ?></div>
     </div>
     <hr />
 
@@ -69,7 +70,6 @@
         <div class="col-sm-2"><?= $form->field($model, 'target_hide_inactive')->checkbox()->hint('Hide inactive targets from listings?') ?></div>
         <div class="col-sm-2"><?= $form->field($model, 'target_guest_view_deny')->checkbox()->hint('Hide targets from guests?') ?></div>
         <div class="col-sm-2"><?= $form->field($model, 'network_view_guest')->checkbox()->hint('Allow guests to view networks?') ?></div>
-        <div class="col-sm-2"><?= $form->field($model, 'writeup_rankings')->checkbox()->hint('Enable writeup ratings?') ?></div>
         <div class="col-sm-2"><?= $form->field($model, 'stream_player_target_help')->checkbox()->hint('Log writeup activations on activity stream?') ?></div>
         <div class="col-sm-2"><?= $form->field($model, 'log_failed_claims')->checkbox()->hint('Log failed treasure claims?') ?></div>
         <div class="col-sm-2"><?= $form->field($model, 'force_findings_to_claim')->checkbox()->hint('Force findings before claim?') ?></div>

contrib/sample-migrations/m000000_000003_add_extra_docker_servers.php

@@ -10,11 +10,8 @@ class m000000_000003_add_extra_docker_servers extends Migration
   public $minsrv = 1;
   public $maxsrv = 4;
   public $server =  [
-    'name' => 'docker%d',
-    'ip' => '%d',
     'network' => 'AAnet',
     'service' => 'docker',
-    'connstr' => 'tcp://10.0.0.%d:2376',
     'provider_id' => 'vultr'
   ];
   /**
@@ -23,7 +20,7 @@ class m000000_000003_add_extra_docker_servers extends Migration
   public function safeUp()
   {
     for ($i = $this->minsrv; $i <= $this->maxsrv; $i++) {
-      $this->server['name'] = sprintf("docker%0d", $i);
+      $this->server['name'] = sprintf("docker%02d", $i);
       $this->server['ip'] = ip2long('10.0.0.' . $i);
       $this->server['connstr'] = sprintf("tcp://10.0.0.%d:2376", $i);
       $this->upsert('server', $this->server);
@@ -36,7 +33,7 @@ public function safeUp()
   public function safeDown()
   {
     for ($i = $this->minsrv; $i <= $this->maxsrv; $i++) {
-      $this->server['name'] = sprintf("docker%0d", $i);
+      $this->server['name'] = sprintf("docker%02d", $i);
       $this->server['ip'] = ip2long('10.0.0.' . $i);
       $this->server['connstr'] = sprintf("tcp://10.0.0.%d:2376", $i);
       $this->delete('server', $this->server);

frontend/components/PlayerEvents.php

@@ -20,11 +20,7 @@ public static function giveInitialHint($event)
 
   public static function sendInitialNotification($event)
   {
-    $n=new \app\models\Notification;
-    $n->player_id=$event->sender->id;
-    $n->archived=0;
-    $n->body=$n->title=\Yii::t('app',"Hi there, don't forget to read the Instructions");
-    $n->save();
+    $event->sender->notify('info',\Yii::t('app',"Hi there, don't forget to read the Instructions"),\Yii::t('app',"Hi there, don't forget to read the Instructions"));
   }
 
   public static function addStream($event)