bouvet / nord-juice-shop
A collection of scripts to automate the deployment of MultiJuicer and CTFd in Kubernetes
License: Apache License 2.0
For HTTPS certificates to be acquired and used
Using the .env template's default ([email protected], which is an invalid domain), the certificate acquisition process fails due to the invalid domain:
E0410 09:32:12.711413 1 setup.go:271] cert-manager/controller/clusterissuers "msg"="skipping retrying account registration as a BadRequest response was returned from the ACME server" "error"="400 urn:ietf:params:acme:error:invalidContact: Error creating new account :: contact email \"[email protected]\" has invalid domain : Domain name does not end with a valid public suffix (TLD)"
July 6th at 16:00 - https://event.bouvet.no/events/view/29409fdf-392b-4124-96ed-47bf60f6c4c6
Deploy to test upon merging to main, in order to ensure that deployment succeeds.
In order to manage the CTFd deployment, we should incorporate it into our preexisting deployment script so that all resources are created/destroyed upon deployment/taking it down.
deploy_ctfd() (see here for an example)
destroy_ctfd() (see here for an example)
The following GitHub Actions are needed and need to be set up. While the exact MultiJuicer setup script is not yet ready, the setup of the actions can still be made.
manage-azure-deployment.sh
manage-multijuicer.sh (blocked by #5 and #14)
generate-challenges.sh
manage-ctfd.sh (blocked by #58) (awaits #60)
The actions should both be triggered manually and after a merge to the master branch.
The GitHub Actions also need to be allowed to deploy resources in Azure. Look into federated credentials for connecting GitHub Actions to Azure.
https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure
https://github.com/marketplace/actions/azure-cli-action#workflow-to-execute-an-az-cli-script-of-a-specific-cli-version-via-file-present-in-your-repository
See MultiJuicer docs
We have several ways to choose from when it comes to the deployment of the CTFd instance for our multi-juicer CTF setup. In short, the three alternatives are
We've previously landed on going for the Helm chart, as it aligns well with our current setup, is maintained, and significantly reduces the workload incl. manual labor we'd need for the other two options. Details can be seen in the comments of issue #8.
Use the bman46/CTFd-Helm helm chart
values.yml:
ctfd.yml containing the values to override
--set, such as --set redis.auth.password=$REDIS_PASS
We've taken a similar approach with our multi-juicer setup:
Based on the default values defined in the multi-juicer configuration values.yml, we first identified the values we wished to override.
Next, we created juicer.yml and proceeded to override the values from values.yml.
Finally, we identified the secret values we wished to override (such as passwords and other information we want to keep secret), and added them to the deployment using the --set flag.
The task here is to identify and make a list of the variables. They will be consumed in the deployment script which is part of #25 (see https://github.com/bouvet/nord-juice-shop/blob/feat/monitoring-setup-script/manage-multijuicer.sh#L119-L127 for an example with multi-juicer variables).
Requirements include:
Document the requirements
We should consider setting up release-please to assist in creating versioned releases with automatically generated changelogs.
Set up release-please to create releases with automatically generated changelogs.
JuiceShop uses a secret value, CTF_KEY, which is used as a seed for CTF flags. This should be passed to CTFd in order to ensure that flags submitted on CTFd are successfully validated.
See https://github.com/juice-shop/juice-shop-ctf#configuration-file for more information
We currently expect the user to have full access to the Azure subscription in question (i.e. Owner), as we have not outlined the required permission set for deployment.
We should identify and document all required permissions, in order to ensure that we use Azure IAM role grants with the permissions that are strictly required.
Favicon + logo
The MultiJuicer setup automatically creates an NSG for the cluster, ref the Medium post. After it is created we need to add rules that block all incoming traffic and then whitelist/allow the specific IP ranges we want. This process needs to be scripted. We also need to figure out how to specify 'Norwegian IPs' or otherwise identify the IPs we want.
Script has to do the following:
Create a workflow for execution of the manage-ctfd.sh script. Should be separated from deploy-ctf.yml (due to differing purpose and the need to wait for TLS cert propagation post-deployment).
Each time we set up a new instance of the CTFd service (typically every time we deploy), we have to manually intervene by completing the configuration steps in CTFd. This includes creating a new user, configuring the settings, and importing the custom pages defined in guides-and-tips/. Rather than doing this manually, we should consider generating the user JSON and config JSON to reduce the amount of manual work required.
Currently, we generate the challenges file for CTFd with the script generate-challenges.sh, which produces a ZIP file containing challenges.json, among other things. This is manually uploaded to CTFd after configuration has taken place.
By extending this script, we could potentially include all common configurations in the zip file and upload it directly, eliminating the need for manual steps.
generate-challenges.sh to juice-shop-ctf-cli
Install MultiJuicer using Helm and configure values specified in their production checklist. Clone the repo.
Read Medium post - MultiJuicer.
Settings:
Receiving an AuthorizationFailed error should cause the script to abort.
Creating Resource Group 'MultiJuicerTest' in 'norwayeast'
ERROR: (AuthorizationFailed) The client '<REDACTED>' with object id '<REDACTED>' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/<REDACTED>/resourcegroups/MultiJuicerTest' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Creating AKS cluster 'juicy-k8s'
ERROR: (AuthorizationFailed) The client '<REDACTED>' with object id '<REDACTED>' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/<REDACTED>/resourcegroups/MultiJuicerTest' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
[...]
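An added example (not a script from the nord-juice-shop repository) of the abort behaviour requested above: a POSIX shell wrapper that runs a deployment step, fails when the Azure CLI output carries the AuthorizationFailed code, and pulls out the missing RBAC action so it can be added to the documented permission set. The function names and the sample error text (modelled on the log above) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the nord-juice-shop scripts: stop a deployment as
# soon as the Azure CLI reports AuthorizationFailed instead of continuing.
set -eu

# missing_action: given az error output, print the RBAC action the caller
# lacked (e.g. Microsoft.Resources/subscriptions/resourcegroups/write).
missing_action() {
    printf '%s\n' "$1" \
        | sed -n "s/.*does not have authorization to perform action '\([^']*\)'.*/\1/p" \
        | head -n 1
}

# run_az_checked: run the given command, echo its output, and return 2 when
# the output contains an AuthorizationFailed code (even if the command itself
# exited 0, which az does not always guarantee). Other non-zero exit codes
# are passed through unchanged so set -e still aborts on them.
run_az_checked() {
    local output rc action
    rc=0
    output=$("$@" 2>&1) || rc=$?
    printf '%s\n' "$output"
    case "$output" in
        *AuthorizationFailed*)
            action=$(missing_action "$output")
            printf 'ERROR: aborting, caller lacks permission for action: %s\n' \
                "${action:-unknown}" >&2
            return 2
            ;;
    esac
    return "$rc"
}

# Constructed sample output, modelled on the AuthorizationFailed log above.
SAMPLE_ERROR="Creating Resource Group 'MultiJuicerTest' in 'norwayeast'
ERROR: (AuthorizationFailed) The client '<REDACTED>' with object id '<REDACTED>' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/<REDACTED>/resourcegroups/MultiJuicerTest' or the scope is invalid.
Code: AuthorizationFailed"

# In a deployment script every az step would go through the wrapper, e.g.:
#   run_az_checked az group create --name MultiJuicerTest --location norwayeast
# Here the sample error stands in for the az call so the example runs offline.
run_az_checked printf '%s\n' "$SAMPLE_ERROR" || echo "deployment aborted (exit $?)"
```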
manage-azure-deployment.sh as a user without permission to create resources (e.g. as the Service Principal)
Create presentation to present to participants during MultiJuicer workshops (before hacking begins).
Depending on skill level of participants, presentation should include a short tutorial on using the JuiceShop and also tips on how to start hacking (SQL injections, XSS, etc)
Must be ready for #6
Link to PowerPoint is found in OneDrive folder, bookmarked in the Slack channel
[...]
Waiting for juice-shop instance to be ready...
pod/t-ctfd-config-gen-juiceshop-67b75dd6f5-mtflv condition met
Opening temporary tunnel to a juice-shop pod
SUCCESS
Writing juice-shop-ctf config to file
SUCCESS
Importing challenges from JuiceShop
Generate OWASP Juice Shop challenge archive for setting up CTFd, FBCTF or RootTheBox score server
Failed to fetch snippet from API! AggregateError
ERROR: juice-shop-ctf-cli failed to generate the CTFd config file
Currently, the generate-challenges.sh script does one thing: it generates the CTFd challenges CSV by wrapping the various steps involved in running juice-shop-ctf-cli into a single command.
This requires that an active instance of juice-shop is created in the multi-juicer cluster (from which the challenges are retrieved), which must be done by creating a team in the multi-juicer balancer. This currently blocks a fully automated setup.
When deploying the services (with manage-multijuicer.sh), the CTFd instance is deployed in an unconfigured state. This means that manual configuration has to be done, including creating the admin account. Theoretically, this could be hijacked by some other party (although we could wipe it, having control of the infrastructure/Kubernetes cluster).
The admin must also manually import the generated challenges (as well as the guides).
Extend the generate-challenges.sh script to:
the /setup endpoint of CTFd, similarly to how interaction is done via the browser by an administrator configuring the instance
the /admin/import/csv endpoint, importing the generated challenges CSV
gen: generate challenges (producing a CSV)
import: import challenges (importing the specified CSV)
cfg: configure the CTFd instance
pages: import the custom pages, such as the guides/tips pages (./guides-and-tips)
run: All of the above
Present the CTF stuff on the tech-meeting
Need these things ready by the tech-meeting: