Merge pull request #89 from commjoen/helm-chart

Helm cleanup

Author: commjoen

.github/workflows/codeql-analysis.yml

@@ -30,7 +30,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'go', 'javascript' ]
+        language: [ 'javascript' ]
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 

.github/workflows/publish.yml

@@ -30,7 +30,6 @@ jobs:
     strategy:
       matrix:
         component:
-          - unusued-progress-watchdog
           - cleaner
           - wrongsecrets-balancer
     steps:

.github/workflows/test.yml

@@ -1,4 +1,6 @@
 on: [push, pull_request]
+permissions:
+  contents: read
 name: "Run Tests"
 jobs:
   cleaner:
@@ -46,14 +48,3 @@ jobs:
         run: |
           cd wrongsecrets-balancer
           npm test -- --ci --color --verbose
-  #disabled as for now: we cannot use it yet
-  # progressWatchdog:
-  #   name: ProgressWatchdog
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - uses: actions/checkout@v3
-  #     - name: "Test ProgressWatchdog"
-  #       run: |
-  #         cd progress-watchdog
-  #         go vet
-  #         go test -cover

build-an-deploy.sh

@@ -7,13 +7,21 @@ echo "For example docker-desktop with its included k8s cluster"
 echo "Usage: ./build-an-deploy.sh"
 
 source ./scripts/check-available-commands.sh
-checkCommandsAvailable helm docker kubectl
+checkCommandsAvailable helm docker kubectl yq
 
 version="$(uuidgen)"
-
+WRONGSECRETS_IMAGE=$(cat helm/wrongsecrets-ctf-party/values.yaml| yq '.wrongsecrets.image')
+WRONGSECRETS_TAG=$(cat helm/wrongsecrets-ctf-party/values.yaml| yq '.wrongsecrets.tag')
+WEBTOP_IMAGE=$(cat helm/wrongsecrets-ctf-party/values.yaml| yq '.virtualdesktop.image')
+WEBTOP_TAG=$(cat helm/wrongsecrets-ctf-party/values.yaml| yq '.virtualdesktop.tag')
+echo "Pulling in required images to actually run $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG & $WEBTOP_IMAGE:$WEBTOP_TAG." 
+echo "If you see an authentication failure: pull them manually by the following 2 commands"
+echo "'docker pull $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG'" 
+echo "'docker pull jeroenwillemsen/jeroenwillemsen/$WEBTOP_IMAGE:$WEBTOP_TAG'" &
+docker pull $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG &
+docker pull jeroenwillemsen/jeroenwillemsen/$WEBTOP_IMAGE:$WEBTOP_TAG &
 docker build -t local/wrongsecrets-balancer:$version ./wrongsecrets-balancer &
 docker build -t local/cleaner:$version ./cleaner &
-
 wait
 
 helm upgrade --install mj ./helm/wrongsecrets-ctf-party --set="imagePullPolicy=Never" --set="balancer.repository=local/wrongsecrets-balancer" --set="balancer.tag=$version" --set="wrongsecretsCleanup.repository=local/cleaner" --set="wrongsecretsCleanup.tag=$version"

cleaner/src/main.js

@@ -1,14 +1,11 @@
-const { KubeConfig, AppsV1Api, CoreV1Api } = require('@kubernetes/client-node');
+const { KubeConfig, AppsV1Api } = require('@kubernetes/client-node');
 
 const { parseTimeDurationString, msToHumanReadable } = require('./time');
 
-const Namespace = process.env['NAMESPACE'];
-
 const kc = new KubeConfig();
 kc.loadFromCluster();
 
 const k8sAppsApi = kc.makeApiClient(AppsV1Api);
-const k8sCoreApi = kc.makeApiClient(CoreV1Api);
 
 const MaxInactiveDuration = process.env['MAX_INACTIVE_DURATION'];
 const MaxInactiveDurationInMs = parseTimeDurationString(MaxInactiveDuration);
@@ -36,7 +33,7 @@ async function main() {
   };
 
   console.log(
-    `Looking for WrongSecerets Instances which have been inactive for more than ${MaxInactiveDuration}.`
+    `Looking for Instances & namespaces which have been inactive for more than ${MaxInactiveDuration}.`
   );
   const instances = await k8sAppsApi.listDeploymentForAllNamespaces(
     true,
@@ -51,7 +48,7 @@ async function main() {
   for (const instance of instances.body.items) {
     const instanceName = instance.metadata.name;
     const lastConnectTimestamps = parseInt(
-      instance.metadata.annotations['wrongsecrets.owasp.dev/lastRequest'],
+      instance.metadata.annotations['wrongsecrets-ctf-party/lastRequest'],
       10
     );
 
@@ -60,33 +57,26 @@ async function main() {
     const currentTime = new Date().getTime();
 
     const timeDifference = currentTime - lastConnectTimestamps;
-
+    var teamname = instance.metadata.labels.team;
     if (timeDifference > MaxInactiveDurationInMs) {
       console.log(
-        `Deleting Instance: '${instanceName}'. Instance hasn't been used in ${msToHumanReadable(
+        `Instance: '${instanceName}'. Instance hasn't been used in ${msToHumanReadable(
           timeDifference
         )}.`
       );
+      console.log(`Instance belongs to namespace ${teamname}`);
       try {
-        await k8sAppsApi.deleteNamespacedDeployment(instanceName, Namespace);
+        console.log(`not yet implemented, but would be deleting namespace ${teamname} now`);
+        // await k8sAppsApi.deleteNamespacedDeployment(instanceName, teamname);
         counts.successful.deployments++;
       } catch (error) {
         counts.failed.deployments++;
-        console.error(
-          `Failed to delete deployment: '${instanceName}' from namespace '${Namespace}'`
-        );
+        console.error(`Failed to delete namespace '${teamname}'`);
         console.error(error);
       }
-      try {
-        await k8sCoreApi.deleteNamespacedService(instanceName, Namespace);
-        counts.successful.services++;
-      } catch (error) {
-        counts.failed.services++;
-        console.error(`Failed to delete service: '${instanceName}' from namespace '${Namespace}'`);
-      }
     } else {
       console.log(
-        `Not deleting Instance: '${instanceName}'. Been last active ${msToHumanReadable(
+        `Not deleting Instance: '${instanceName}' from '${teamname}'. Been last active ${msToHumanReadable(
           timeDifference
         )} ago.`
       );

guides/k8s/k8s.md

@@ -1,6 +1,8 @@
 # Example Setup with kubernetes(k8s)
 
 **WARNING:** It takes into account that you already have k8s cluster setup.
+**WARNING-2:** this document is not yet up to date, it will be fixed in [https://github.com/commjoen/wrongsecrets-ctf-party/issues/79](https://github.com/commjoen/wrongsecrets-ctf-party/issues/79).
+
 
 ## Prerequisites
 

guides/production-notes/production-notes.md

@@ -4,10 +4,12 @@ To ensure MultiJuicer runs as smoothly during your CTF's / trainings / workshops
 
 1. Set `.balancer.cookie.cookieParserSecret` to a random alpha-numeric value (recommended length 24 chars), this value is used to sign cookies. If you don't set this, each `helm upgrade` you run will generate a new one, which invalidates all user sessions, forcing users to rejoin their team.
 2. As you are running this with https (right?), you should set `balancer.cookie.secure` to `true`. This marks the cookie used to associate a browser with a team to transmitted via https only.
-3. Make sure the value you have configured for `juiceShop.maxInstances` fits your CTF / training / whatever you are running. The default is set to only allow 10 instances. Set to -1 to remove any restrictions.
+3. Make sure the value you have configured for `wrongsecrets.maxInstances` & `virtualdesktop.maxInstances` fits your CTF / training / whatever you are running. The default is set to only allow 10 instances. Set to -1 to remove any restrictions.
 4. Set `balancer.replicas` to at least 2, so that you have at least one fall back JuiceBalancer when one crashes or the node it lives on goes down.
 5. When running a CTF with JuiceShop challenge flags, make sure to change `juiceShop.ctfKey` from the default. Otherwise users will be able to generate their own flags relatively easily. See
 6. When using prometheus metrics, e.g. when you have followed the [Monitoring SetUp Guide](https://github.com/iteratec/multi-juicer/blob/main/guides/monitoring-setup/monitoring.md) you'll want to change `balancer.metrics.basicAuth.password` to a non default values. Otherwise users can use the default value to access the technical metrics of the JuiceBalancer pods.
+7. If you host this CTF in a public domain, change the `balancer.env.REACT_APP_ACCESS_PASSWORD` to a password you communicate to your users at the start of teh CTF.
+8. Make sure to rotate the `balancer.env.REACT_APP_CREATE_TEAM_HMAC_KEY` HMAC key for anti-infra-creation-fuzzing as well into something else than 'hardcodedkey' when you see players generating 100s of instances in minutes.
 
 ## TLDR
 
@@ -22,8 +24,12 @@ balancer:
   metrics:
     basicAuth:
       password: "ROTATE_THIS_YOU_LAZY_ASS"
+  env:
+    REACT_APP_ACCESS_PASSWORD: 'CHANGE_THIS_ASS_WELL'
+    REACT_APP_CREATE_TEAM_HMAC_KEY: 'PLEASE_CHANGE_ME'
 
 juiceShop:
   maxInstances: 42
   ctfKey: "DONT_LET_ME_FIND_YOU_USING_THIS_EXACT_VALUE"
 ```
+

helm/wrongsecrets-ctf-party/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: wrongsecrets-ctf-party
 description: Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets
-icon: https://raw.githubusercontent.com/iteratec/multi-juicer/main/images/multijuicer-icon-only.png
+icon: https://github.com/commjoen/wrongsecrets/blob/master/icon.png?raw=true
 
 home: https://github.com/
 sources:
@@ -28,10 +28,10 @@ type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 5.0.0-beta.0
+version: 0.1.0-alpha
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 5.0.0-beta.0
+appVersion: 1.5.8
 
 dependencies: []

helm/wrongsecrets-ctf-party/README.md.gotmpl

@@ -1,17 +1,21 @@
-![MultiJuicer, Multi User Juice Shop Platform](https://raw.githubusercontent.com/iteratec/multi-juicer/main/images/multijuicer-cover.svg)
+![WrongSecrets CTF Party, to use WrongSecrets for CTF or online Education](https://raw.githubusercontent.com/commjoen/wrongsecrets/master/icon.png)
+_Powered by MultiJuicer_
 
-Running CTFs and Security Trainings with [OWASP Juice Shop](https://github.com/bkimminich/juice-shop) is usually quite tricky, Juice Shop just isn't intended to be used by multiple users at a time.
-Instructing everybody how to start Juice Shop on their own machine works ok, but takes away too much valuable time.
+Running CTFs and Security Trainings with [OWASP WrongSecrets](https://github.com/commjoen/wrongsecrets) is usually quite tricky, WrongSecrets can be used by multiple users at one time, but this can cause issues when people start fuzzing.
+Instructing everybody how to start WrongSecrets on their own machine works ok, but takes away too much valuable time.
+Next, installing the additional tools required to learn basics of reverse-engineering might take to much time as well.
 
-MultiJuicer gives you the ability to run separate Juice Shop instances for every participant on a central kubernetes cluster, to run events without the need for local Juice Shop instances.
+WrongSecrets CTF Party gives you the ability to run separate WrongSecrets instances for every participant on a central kubernetes cluster, to run events without the need for local WrongSecrets instances.
 
 **What it does:**
 
-- dynamically create new Juice Shop instances when needed
-- runs on a single domain, comes with a LoadBalancer sending the traffic to the participants Juice Shop instance
+- dynamically create new WrongSecrets instance when needed
+- dynamically create new WrongSecret virtual desktop instances with all the addiontal tooling required to do the CTF/training when needed
+- runs on a single domain, comes with a LoadBalancer sending the traffic to the participants WrongSecrets instance
 - backup and auto apply challenge progress in case of Juice Shop container restarts
 - cleanup old & unused instances automatically
 
+It follows the same architecture as MultiJuicer below:
 ![MultiJuicer, High Level Architecture Diagram](https://raw.githubusercontent.com/iteratec/multi-juicer/main/high-level-architecture.svg)
 
 ## Configuration

helm/wrongsecrets-ctf-party/archived-templates/unusued-progress-watchdog/deployment.yaml

@@ -15,5 +15,5 @@ rules:
     verbs: ['get', 'delete']
   - apiGroups: [''] # "" indicates the core API group
     resources: ['namespaces']
-    verbs: ['get', 'delete']
+    verbs: ['get', 'delete', 'list']
 {{- end }}

helm/wrongsecrets-ctf-party/archived-templates/unusued-progress-watchdog/role.yaml

@@ -24,7 +24,7 @@ data:
         "enabled": true
       },
   {{- end }}
-      "juiceShop": {
+      "wrongsecrets": {
         "image": {{ .Values.wrongsecrets.image | quote }},
         "tag": {{ .Values.wrongsecrets.tag | quote }},
         "imagePullPolicy": {{ .Values.imagePullPolicy | quote }},

helm/wrongsecrets-ctf-party/archived-templates/unusued-progress-watchdog/rolebinding.yaml

@@ -61,7 +61,7 @@ spec:
             - name: WRONGSECRETS_TAG
               value: {{ .Values.wrongsecrets.tag}}
             - name: WRONGSECRETS_DESKTOP_TAG
-              value: 1.5.7
+              value: 1.5.8
             - name: REACT_APP_CREATE_TEAM_HMAC_KEY
               value: hardcodedkey
             - name: SECRETS_MANAGER_SECRET_ID_1