Merge pull request #61 from commjoen/ease-configuration

make accounts configurable

Author: commjoen

aws/build-an-deploy-aws.sh

@@ -109,4 +109,4 @@ wait
 DEFAULT_PASSWORD=thankyou
 #TODO: REWRITE ABOVE, REWRITE THE HARDCODED DEPLOYMENT VALS INTO VALUES AND OVERRIDE THEM HERE!
 echo "default password is ${DEFAULT_PASSWORD}"
-helm upgrade --install mj ../helm/wrongsecrets-ctf-party --set="imagePullPolicy=Always" --set="balancer.env.K8S_ENV=aws" --set="balancer.env.REACT_APP_ACCESS_PASSWORD=${DEFAULT_PASSWORD}" --set="balancer.cookie.cookieParserSecret=thisisanewrandomvaluesowecanworkatit" --set="balancer.repository=jeroenwillemsen/wrongsecrets-balancer" --set="balancer.tag=0.87aws" --set="balancer.replicas=4" --set="wrongsecretsCleanup.repository=jeroenwillemsen/wrongsecrets-ctf-cleaner" --set="wrongsecretsCleanup.tag=0.2"
+helm upgrade --install mj ../helm/wrongsecrets-ctf-party --set="imagePullPolicy=Always" --set="balancer.env.K8S_ENV=aws" --set"balancer.env.IRSA_ROLE=arn:aws:iam::${ACCOUNT_ID}:role/wrongsecrets-secret-manager" --set="balancer.env.REACT_APP_ACCESS_PASSWORD=${DEFAULT_PASSWORD}" --set="balancer.cookie.cookieParserSecret=thisisanewrandomvaluesowecanworkatit" --set="balancer.repository=jeroenwillemsen/wrongsecrets-balancer" --set="balancer.tag=0.87aws" --set="balancer.replicas=4" --set="wrongsecretsCleanup.repository=jeroenwillemsen/wrongsecrets-ctf-cleaner" --set="wrongsecretsCleanup.tag=0.2"

aws/main.tf

@@ -87,7 +87,7 @@ module "eks" {
     disk_type       = "gp3"
     disk_throughput = 150
     disk_iops       = 3000
-    instance_types  = ["t3a.large"]
+    instance_types  = ["t3a.xlarge"]
 
     iam_role_additional_policies = [
       "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",

helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml

@@ -55,7 +55,13 @@ spec:
             - name: K8S_ENV
               value: {{ .Values.balancer.env.K8S_ENV }}
             - name: IRSA_ROLE
-              value: "arn:aws:iam::233483431651:role/wrongsecrets-secret-manager" #REPLACE WITH THE ACTUAL AWS ROLE IF IN AWS MODE
+              value: {{ .Values.balancer.env.IRSA_ROLE }} #REPLACE WITH THE ACTUAL AWS ROLE IF IN AWS MODE
+            - name: WRONGSECRETS_TAG
+              value: {{ .Values.wrongsecrets.tag}}
+            - name: SECRETS_MANAGER_SECRET_ID_1
+              value: {{ .Values.balancer.env.SECRETS_MANAGER_SECRET_ID_1 }}
+            - name: SECRETS_MANAGER_SECRET_ID_2
+              value: {{ .Values.balancer.env.SECRETS_MANAGER_SECRET_ID_2 }}
             - name: COOKIEPARSER_SECRET
               valueFrom:
                 secretKeyRef:

helm/wrongsecrets-ctf-party/values.yaml

@@ -69,6 +69,9 @@ balancer:
     REACT_APP_S3_BUCKET_URL : 's3://funstuff'
     K8S_ENV: 'k8s' #oraws
     REACT_APP_ACCESS_PASSWORD: '' #DEFAULT NO PASSWORD, PLAYING THIS IN PUBLIC? PUT A FANCY STRING HERE, BUT BE GENTLE: USERS NEED TO BE ABLE TO COPY THAT STUFF...
+    IRSA_ROLE: arn:aws:iam::233483431651:role/wrongsecrets-secret-manager
+    SECRETS_MANAGER_SECRET_ID_1: 'wrongsecret'
+    SECRETS_MANAGER_SECRET_ID_2: 'wrongsecret-2'
   metrics:
     # -- enables prometheus metrics for the balancer. If set to true you should change the prometheus-scraper password
     enabled: true
@@ -93,7 +96,7 @@ wrongsecrets:
   maxInstances: 500
   # -- Juice Shop Image to use
   image: jeroenwillemsens/wrongsecrets
-  tag: 1.5.3-no-vault
+  tag: 1.5.5-no-vault
   # -- Change the key when hosting a CTF event. This key gets used to generate the challenge flags. See: https://github.com/commjoen/wrongsecrets#ctf
   ctfKey: "[email protected]!9uR_K!NfkkTr"
   # -- Specify a custom Juice Shop config.yaml. See the JuiceShop Config Docs for more detail: https://pwning.owasp-juice.shop/part1/customization.html#yaml-configuration-file

wrongsecrets-balancer/src/kubernetes.js

@@ -16,6 +16,9 @@ const k8sCustomAPI = kc.makeApiClient(CustomObjectsApi);
 const k8sRBACAPI = kc.makeApiClient(RbacAuthorizationV1Api);
 const k8sNetworkingApi = kc.makeApiClient(NetworkingV1Api);
 const awsAccountEnv = process.env.IRSA_ROLE || 'youdidnotprovideanirsarole,goodluck';
+const secretsmanagerSecretName1 = process.env.SECRETS_MANAGER_SECRET_ID_1 || 'wrongsecret';
+const secretsmanagerSecretName2 = process.env.SECRETS_MANAGER_SECRET_ID_2 || 'wrongsecret-2';
+const wrongSecretsContainterTag = process.env.WRONGSECRETS_TAG || '1.5.4-no-vault';
 const heroku_wrongsecret_ctf_url = process.env.REACT_APP_HEROKU_WRONGSECRETS_URL || 'not_ets';
 
 const { get } = require('./config');
@@ -136,8 +139,7 @@ const createK8sDeploymentForTeam = async ({ team, passcodeHash }) => {
           containers: [
             {
               name: 'wrongsecrets',
-              //TODO REPLACE HARDCODED BELOW WITH PROPPER GETS: image: `${get('wrongsecrets.image')}:${get('wrongsecrets.tag')}`,
-              image: 'jeroenwillemsen/wrongsecrets:1.5.5RC1-no-vault',
+              image: `jeroenwillemsen/wrongsecrets:${wrongSecretsContainterTag}`,
               imagePullPolicy: get('wrongsecrets.imagePullPolicy'),
               // resources: get('wrongsecrets.resources'),
               securityContext: {
@@ -285,8 +287,7 @@ const createAWSSecretsProviderForTeam = async (team) => {
     spec: {
       provider: 'aws',
       parameters: {
-        objects:
-          '- objectName: "wrongsecret"\n  objectType: "secretsmanager"\n- objectName: "wrongsecret-2"\n  objectType: "secretsmanager"\n',
+        objects: `- objectName: "${secretsmanagerSecretName1}"\n  objectType: "secretsmanager"\n- objectName: "${secretsmanagerSecretName2}"\n  objectType: "secretsmanager"\n`,
       },
     },
   };
@@ -393,8 +394,7 @@ const createAWSDeploymentForTeam = async ({ team, passcodeHash }) => {
           containers: [
             {
               name: 'wrongsecrets',
-              //TODO REPLACE HARDCODED BELOW WITH PROPPER GETS: image: `${get('wrongsecrets.image')}:${get('wrongsecrets.tag')}`,
-              image: 'jeroenwillemsen/wrongsecrets:1.5.4-no-vault',
+              image: `jeroenwillemsen/wrongsecrets:${wrongSecretsContainterTag}`,
               imagePullPolicy: get('wrongsecrets.imagePullPolicy'),
               // resources: get('wrongsecrets.resources'),
               securityContext: {

wrongsecrets-balancer/ui/src/pages/JoinPage.js

@@ -52,6 +52,10 @@ export const JoinPage = injectIntl(({ intl }) => {
 
   async function sendJoinRequest() {
     try {
+      if(!teamname || teamname.length === 0){
+        setFailed(true);
+        return;
+      }
       if (dynamics.enable_password) {
         const hmacvalue = cryptoJS
           .HmacSHA256(`${teamname}`, 'hardcodedkey')
@@ -207,7 +211,7 @@ export const JoinPage = injectIntl(({ intl }) => {
             <FormattedMessage id="password" defaultMessage="Password" />
           </Label>
           <Input
-            type="text"
+            type="password"
             id="password"
             data-test-id="password-input"
             name="password"