make hmac key configurable in deployment

commjoen · commjoen · commit dd0f4dd52461 · 2022-10-03T05:25:47.000+02:00
diff --git a/helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml b/helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml
@@ -60,6 +60,8 @@ spec:
               value: {{ .Values.wrongsecrets.tag}}
             - name: WRONGSECRETS_DESKTOP_TAG
               value: 1.5.7RC1
+            - name: REACT_APP_CREATE_TEAM_HMAC_KEY
+              value: hardcodedkey
             - name: SECRETS_MANAGER_SECRET_ID_1
               value: {{ .Values.balancer.env.SECRETS_MANAGER_SECRET_ID_1 }}
             - name: SECRETS_MANAGER_SECRET_ID_2
diff --git a/wrongsecrets-balancer/src/app.js b/wrongsecrets-balancer/src/app.js
@@ -66,6 +66,7 @@ app.get('/balancer/dynamics', (req, res) => {
     heroku_wrongsecret_ctf_url: process.env['REACT_APP_HEROKU_WRONGSECRETS_URL'],
     ctfd_url: process.env['REACT_APP_CTFD_URL'],
     s3_bucket_url: process.env['REACT_APP_S3_BUCKET_URL'],
+    hmac_key: process.env['REACT_APP_CREATE_TEAM_HMAC_KEY'],
     enable_password: usePassword,
   });
 });
diff --git a/wrongsecrets-balancer/src/teams/teams.js b/wrongsecrets-balancer/src/teams/teams.js
@@ -10,7 +10,7 @@ const accessPassword = process.env.REACT_APP_ACCESS_PASSWORD;
 
 const validator = expressJoiValidation.createValidator();
 const k8sEnv = process.env.K8S_ENV || 'k8s';
-
+const hmac_key = process.env.REACT_APP_CREATE_TEAM_HMAC_KEY;
 const router = express.Router();
 
 const {
@@ -96,7 +96,7 @@ async function validateHMAC(req, res, next) {
     const { team } = req.params;
     const { hmacvalue } = req.body;
     const validationValue = crypto
-      .createHmac('sha256', 'hardcodedkey')
+      .createHmac('sha256', hmac_key)
       .update(`${team}`, 'utf-8')
       .digest('hex');
     if (validationValue === hmacvalue) {
diff --git a/wrongsecrets-balancer/ui/src/pages/JoinPage.js b/wrongsecrets-balancer/ui/src/pages/JoinPage.js
@@ -58,7 +58,7 @@ export const JoinPage = injectIntl(({ intl }) => {
       }
       if (dynamics.enable_password) {
         const hmacvalue = cryptoJS
-          .HmacSHA256(`${teamname}`, 'hardcodedkey')
+          .HmacSHA256(`${teamname}`, dynamics.hmac_key)
           .toString(cryptoJS.enc.Hex);
         const { data } = await axios.post(`/balancer/teams/${teamname}/join`, {
           passcode,
@@ -68,7 +68,7 @@ export const JoinPage = injectIntl(({ intl }) => {
         navigate(`/teams/${teamname}/joined/`, { state: { passcode: data.passcode } });
       } else {
         const hmacvalue = cryptoJS
-          .HmacSHA256(`${teamname}`, 'hardcodedkey')
+          .HmacSHA256(`${teamname}`, dynamics.hmac_key)
           .toString(cryptoJS.enc.Hex);
         const { data } = await axios.post(`/balancer/teams/${teamname}/join`, {
           passcode,
@@ -99,6 +99,7 @@ export const JoinPage = injectIntl(({ intl }) => {
     heroku_wrongsecret_ctf_url: process.env['REACT_APP_HEROKU_WRONGSECRETS_URL'],
     ctfd_url: process.env['REACT_APP_CTFD_URL'],
     s3_bucket_url: process.env['REACT_APP_S3_BUCKET_URL'],
+    hmac_key: process.env['REACT_APP_CREATE_TEAM_HMAC_KEY'],
     enable_password: false,
   };
 
