Submission server/infrastructure for the SRS challenge at FIC https://fic.srs.epita.fr/
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 
Go to file
Renovate Bot 389c771916
continuous-integration/drone/push Build is failing Details
chore(deps): lock file maintenance
3 days ago
admin Can lock theme 1 week ago
backend Can lock theme 1 week ago
configs configs: Enable gzip_static module 4 months ago
dashboard qa-svelte: initial commit 5 months ago
evdist evdist: Fix some segv 10 months ago
fickit-pkg fickit: Add kexec 10 months ago
frontend chore(deps): lock file maintenance 3 days ago
libfic ui: Mark locked theme as « Confidential » 1 week ago
nixos nixos: backend server 5 months ago
password_paper password_paper: Update 10 months ago
qa chore(deps): lock file maintenance 3 days ago
remote remote-challenge-sync-airbus: WIP 10 months ago
repochecker repochecker/videos: Use subtitle track language as grammar check lang 2 months ago
settings settings: Convert JSON strings to the given type 5 months ago
udev udev: ready to FIC2019 4 years ago
.dockerignore Add some files to .dockerignore 5 months ago
.drone-manifest-fic-admin.yml CI: create Docker manifest image 2 years ago
.drone-manifest-fic-backend.yml CD: Fix deployment of fic-backend image 2 years ago
.drone-manifest-fic-dashboard.yml CI: create Docker manifest image 2 years ago
.drone-manifest-fic-evdist.yml evdist: New project to handle settings programming 10 months ago
.drone-manifest-fic-frontend.yml CI: create Docker manifest image 2 years ago
.drone-manifest-fic-nginx.yml Introduce fic-nginx 2 years ago
.drone-manifest-fic-qa.yml CI: create Docker manifest image 2 years ago
.drone-manifest-fic-repochecker.yml CI: add Dockerfile for repochecker (used for student's CI) 2 years ago
.drone.yml Ignore failure on binaries deployment 2 weeks ago
.gitignore nixos: backend server 5 months ago
Dockerfile-admin chore(deps): update alpine docker tag to v3.17 4 months ago
Dockerfile-backend chore(deps): update alpine docker tag to v3.17 4 months ago
Dockerfile-dashboard chore(deps): update alpine docker tag to v3.17 4 months ago
Dockerfile-evdist chore(deps): update alpine docker tag to v3.17 4 months ago
Dockerfile-frontend chore(deps): update alpine docker tag to v3.17 4 months ago
Dockerfile-frontend-ui chore(deps): update node docker tag to v19 5 months ago
Dockerfile-nginx chore(deps): update node docker tag to v19 5 months ago
Dockerfile-qa chore(deps): update alpine docker tag to v3.17 4 months ago
Dockerfile-remote-challenge-sync-airbus chore(deps): update alpine docker tag to v3.17 4 months ago
Dockerfile-remote-scores-sync-zqds chore(deps): update alpine docker tag to v3.17 4 months ago
Dockerfile-repochecker Revert "repochecker: grammalecte.net is down" 2 months ago
LICENSE Add LICENSE: chose MIT 5 years ago
README.md Update README.md 2 years ago
backup_fic2016.sql svelte-migrate: updated files 5 months ago
db-202206081630.sql.gz svelte-migrate: updated files 5 months ago
default.nix Add Nix flakes 10 months ago
docker-compose.yml configs: Update scripts and config for new ui 2 years ago
entrypoint-frontend.sh Follow SvelteKit 5 months ago
fic2022-teams.sql svelte-migrate: updated files 5 months ago
fickit-backend.yml fickit used at FIC 5 months ago
fickit-boot.yml fickit: Update boot image 10 months ago
fickit-frontend.yml fickit used at FIC 5 months ago
fickit-prepare.yml fickit: Use DHCP during preparation and update 10 months ago
fickit-update.yml fickit: Use DHCP during preparation and update 10 months ago
flake.lock Add Nix flakes 10 months ago
flake.nix nixos: backend server 5 months ago
go.mod chore(deps): update module github.com/go-git/go-git/v5 to v5.6.1 2 weeks ago
go.sum chore(deps): update module github.com/go-git/go-git/v5 to v5.6.1 2 weeks ago
htdocs-admin admin: Embed static assets into binary 2 years ago
htdocs-dashboard dashboard: came back online 4 years ago
qa-fill-todo.sh QA: Add new script to migrate QA content from a DB to another 2 years ago
qa-fill-view.sh QA: Add new script to migrate QA content from a DB to another 2 years ago
qa-merge-db.sh QA: Add new script to migrate QA content from a DB to another 2 years ago
renovate.json renovate: Enable lock-file maintenance 2 months ago
repochecker-epita-rules.so svelte-migrate: updated files 5 months ago
shell.nix Add Nix flakes 10 months ago
update-deps.sh deps: Update vendorSha256 with script. 7 months ago

README.md

FIC Forensic CTF Platform

This is a CTF server for distributing and validating challenges. It is design to be robust, so it uses some uncommon technics like client certificate for authentication, lots of state of the art cryptographic methods and aims to be deployed in a DMZ network architecture.

This is a monorepo, containing several micro-services :

  • admin is the web interface and API used to control the challenge and doing synchronization.
  • backend is an inotify reacting service that handles submissions checking and team's files generation.
  • dashboard is a public interface to explain and follow the conquest, aims to animate the challenge for visitors.
  • frontend is only responsible for receiving submissions. It is the only dynamic part accessibe to players, so it's codebase is reduce to the minimum. It does not parse or try to understand players submissions, it just write it down to a file in the file system. Parsing and treatment is made by the backend.
  • qa is an interface dedicated to challenge development, it stores reports to be treated by challenges creators.
  • remote/scores-sync-zqds is an inotify reacting service that allows us to synchronize scores with the ZQDS scoring platform.
  • repochecker is a side project to check offline for synchronization issues.

In the production setup, each micro-service runs in a dedicated container, isolated from each other. Moreover, two physical machines should be used:

  • deimos communicates with players: displaying the web interface, authenticate teams and players, storing contest files and handling submissions retrieval without understanding them. It can't access phobos so its job stop after writing requests on the filesystem.
  • phobos is hidden from players, isolated from the network. It can only access deimos via a restricted ssh connection, to retrieve requests from deimos filesystem and pushing to it newly generated static files.

So, the general filesystem is organized this way:

  • DASHBOARD contains files structuring the content of the dashboard screen(s).
  • FILES stores the contest file to be downloaded by players. To be accessible without authentication and to avoid bruteforce, each file is placed into a directory with a hashed name (the original file name is preserved). It's rsynced as is to deimos.
  • PKI takes care of the PKI used for the client certiciate authorization process, and more generaly, all authentication related files (htpasswd, dexidp config, ...). Only the shared subdirectory is shared with deimos, private key and teams P12 don't go out.
  • SETTINGS stores the challenge config as wanted by admins. It's not always the config in use: it uses can be delayed waiting for a trigger.
  • SETTINGSDIST is the challenge configuration in use. It is the one shared with players.
  • startingblock keep the started state of the challenge. This helps nginx to know when it can start distributing exercices related files.
  • TEAMS stores the static files generated by the backend, there is one subdirectory by team (id of the team), plus some files at the root, which are common to all teams. There is also symlink pointing to team directory, each symlink represent an authentication association (certificate ID, OpenID username, htpasswd user, ...).
  • submissions is the directory where the frontend writes requests. It creates subdirectories at the name of the authentication association, as seen in TEAMS, backend then resolve the association regarding TEAMS directory. There is also a special directory to handle team registration.

Local developer setup

Using Docker

Use docker-compose build, then docker-compose up to launch the infrastructure.

After booting, you'll be able to reach the main interface at: http://localhost:8042/ and the admin one at: http://localhost:8081/.

Import folder

Local import folder

The following changes is only required if your are trying to change the local import folder ~/fic location.

Make the following changes inside this file docker-compose.yml:

23    volumes:
24 -     - ~/fic:/mnt/fic:ro
24 +     - <custom-path-to-import-folder>/fic:/mnt/fic:ro
Owncloud import folder

If your are trying to use the folder available with the Owncloud service, make the following changes inside this file docker-compose.yml:

29 -    command: --baseurl /admin/ -localimport /mnt/fic -localimportsymlink
29 +    command: --baseurl /admin/ -clouddav=https://owncloud.srs.epita.fr/remote.php/webdav/FIC%202019/ -clouduser <login_x> -cloudpass '<passwd>'

Manual builds

Running this project requires a web server (configuration is given for nginx), a database (currently supporting only MySQL/MariaDB), a Go compiler for the revision 1.16 at least and a inotify-aware system.

  1. First, you'll need to retrieve the dependencies:

     go mod vendor
    
  2. Then, build the three Go projects:

     go build -o fic-admin ./admin
     go build -o fic-backend ./backend
     go build -o fic-dashboard ./dashboard
     go build -o fic-frontend ./frontend
     go build -o fic-qa ./qa
     go build -o fic-repochecker ./repochecker
     ...
    
  3. Before launching anything, you need to create a database:

     mysql -u root -p <<EOF
     CREATE DATABASE fic;
     CREATE USER fic@localhost IDENTIFIED BY 'fic';
     GRANT ALL ON fic.* TO fic@localhost;
     EOF
    

    By default, expected credentials for development purpose is fic, for both username, password and database name. If you want to use other credentials, define the corresponding environment variable: MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD and MYSQL_DATABASE. Those variables are the one used by the mysql docker image, so just link them together if you use containers.

  4. Launch it!

     ./fic-admin &
    

    After initializing the database, the server will listen on http://localhost:8081/: this is the administration part.

     ./fic-backend &
    

    This daemon generates static and team related files and then waits for new submissions (expected in submissions directory). It only watchs modifications on the file system, it has no web interface.

     ./fic-frontend &
    

    This one exposes an API that gives time synchronization to clients and handle submission reception (but without treating them).

     ./fic-dashboard &
    

    This last server runs the public dashboard. It serves all file, without the need of a webserver. It listens on port 8082 by default.

For the moment, a web server is mandatory to serve static files, look at the samples given in the configs/nginx directory. You need to pick one base configation flavor in the configs/nginx/base directory, and associated with an authentication mechanism in configs/nginx/auth (named the file fic-auth.conf in /etc/nginx), and also pick the corresponding configs/nginx/get-team file, you named fic-get-team.conf.