Adding support for open and closed registrations.

- Controlled by a deploy.py argument, which feeds into the CF template, and the env var of the Register lambda.
- This handles how new registration requests are handled, but that's about it.

Author: Riebart

Register.py

@@ -18,6 +18,10 @@
 HMAC_SECRET = os.environ["HMAC_SECRET"].encode("utf-8")
 API_URL = os.environ["API_URL"]
 
+# This will be "open" or "closed", which determins how email address that don't exist in the
+# registrants table are handled.
+REGISTRATION_MODE = os.environ["REGISTRATION_MODE"].lower()
+
 
 def sign_payload(data):
     sig = hmac.new(HMAC_SECRET, data.encode("utf-8"),
@@ -56,6 +60,9 @@ def post(event, contest):
 
     try:
         username = event["username"]
+        # In closed registration, this may pre-assigned, but we still want to ask for a username
+        # so we can let them down and confuse the registrants. :)
+        display_name = username
     except:
         return {"result": "failure"}
 
@@ -79,25 +86,48 @@ def post(event, contest):
                             "S": email
                         }})
 
-    # If the DDB item doesn't exist, or if it does and it hasn't yet been assigned a team ID
-    # then there is no duplicate problem.
-    if "Item" in item and "teamId" in item["Item"]:
-        return {"result": "failed_duplicate"}
+    # Registrations are duplicates if the email exists in the DDB table, and the "confirmationTime" column
+    # doesn't yet have a timestamp.
+    #
+    # Obvious, if the item is missing, the get_item() call returns no Item key.
+    if "Item" in item:
+        # Regardless of registration mode, if there is a confirmed registration for this email,
+        # don't permit another.
+        if "confirmationTime" in item["Item"]:
+            return {"result": "failed_duplicate"}
+        else:
+            # This is the case where the email exists, in which case the registration mode matters.
+
+            # The default behaviour is open registration.
+            # For closed registration, they needn't have a team ID, but they might, so if they do
+            # have one from the table already, use that.
+            if REGISTRATION_MODE == "closed":
+                team_id = int(item["Item"].get("team_id", {"N": team_id})["N"])
+                display_name = item["Item"].get("display_name", username)["S"]
+            else:  # REGISTRATION_MODE == "open", or any other value.
+                pass
+    else:
+        # In the case of closed registration, every email that tries to register must be part of
+        # the table already. If it isn't, it gets an "unauthorized" error response, but to prevent
+        # people trying to credential-stuff, we'll just say "unknown". 😺
+        if REGISTRATION_MODE == "closed":
+            return {"result": "failed_unknown"}
 
     confirmation_payload = {
         "email": email,
         "username": username,
         "teamId": team_id,
-        "registrationTime": time.time()
+        "registrationTime": time.time(),
+        "display_name": display_name
     }
 
     confirmation_token = sign_payload(json.dumps(confirmation_payload))
 
     ses.send_email(Destination={"ToAddresses": [email]},
-                   Source="The Big Kahuna CTF <ctf@example.com>",
+                   Source="CTF Registration <%s>" % os.environ["SES_EMAIL_SOURCE"],
                    Message={
                        "Subject": {
-                           "Data": "The Big Kahuna CTF - Confirm your email"
+                           "Data": "CTF Registration - Confirm your email"
                        },
                        "Body": {
                            "Html": {
@@ -130,9 +160,9 @@ def post(event, contest):
     <body class="vscode-light">
         <h1 id="ctf-registration">CTF Registration - Confirm your email</h1>
 <p>You've taken the first step towards registering in the CTF. We just need you to confirm your email, and we'll be on our way.</p>
-<p>Click the  <a href="%s">here</a> to confirm your registration.</p>
+<p>Click <a href="%s">here</a> to confirm your registration.</p>
 <p>See you soon!</p>
-<p>The Big Kahuna CTF Team</p>
+<p>The CTF Team</p>
     </body>
     </html>
                                """ %
@@ -159,6 +189,7 @@ def get_confirm(event, context):
     email = registration_payload["email"]
     team_id = registration_payload["teamId"]
     username = registration_payload["username"]
+    display_name = registration_payload["display_name"]
     registration_time = registration_payload["registrationTime"]
 
     ddb.put_item(TableName=event["RegistrantsTable"],
@@ -169,6 +200,9 @@ def get_confirm(event, context):
                      "username": {
                          "S": username
                      },
+                     "display_name": {
+                         "S": display_name
+                     },
                      "teamId": {
                          "N": str(team_id)
                      },
@@ -181,53 +215,61 @@ def get_confirm(event, context):
                  })
 
     ses.send_email(Destination={"ToAddresses": [email]},
-                   Source="The Big Kahuna CTF <ctf@example.com>",
+                   Source="CTF Registration <%s>" % os.environ["SES_EMAIL_SOURCE"],
                    Message={
                        "Subject": {
-                           "Data": "The Big Kahuna CTF Registration"
+                           "Data": "CTF Registration - Complete!"
                        },
                        "Body": {
                            "Html": {
                                "Charset":
                                "utf-8",
                                "Data":
-                               """
+                               f"""
 <!DOCTYPE html>
     <html>
-    <head>
-        <meta charset="UTF-8">
-        <title>CTF Registration</title>
-
-        <link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/Microsoft/vscode/extensions/markdown-language-features/media/markdown.css">
-        <link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/Microsoft/vscode/extensions/markdown-language-features/media/highlight.css">
 
-        <style>
-.task-list-item { list-style-type: none; } .task-list-item-checkbox { margin-left: -20px; vertical-align: middle; }
-</style>
-        <style>
-            body {
-                font-family: -apple-system, BlinkMacSystemFont, 'Segoe WPC', 'Segoe UI', 'Ubuntu', 'Droid Sans', sans-serif;
-                font-size: 14px;
-                line-height: 1.6;
-            }
-        </style>
-
-    </head>
-    <body class="vscode-light">
-        <h1 id="ctf-registration">CTF Registration</h1>
-<p>Congratulations %s! You've signed up for our CTF, The Big Kahuna CTF!</p>
-<ul>
-<li>When submitting your flags, your team ID is %d and you will show up as &quot;%s&quot; on the scores list</li>
-<li>To submit flags, head over to <a href="https://ctf.example.com/submit">https://ctf.example.com/submit</a></li>
-<li>To view the current standings, head over to <a href="https://ctf.example.com/scores">https://ctf.example.com/scores</a></li>
-</ul>
-<p>Enjoy and godspeed!</p>
-<p>Best wishes,
-The Big Kahuna CTF Team</p>
-
-    </body>
-    </html>
-""" % (username, team_id, username)
+<body>
+    <h1>Welcome to the 2019 CCDC event!</h1>
+    <p>To get you started, here's some important information and references. <ul>
+            <li>Your team name is "{display_name}"", and we have auto-generated a team ID for your team.</li>
+            <li>Your team ID is {team_id}</li>
+            <li>You'll need this team ID when submitting flags, <i>don't lose this</i>! To submit flags, you will need
+                to use the <a href="https://ccdc.zone/scores/submit">flag submission page</a>. </li>
+            <li>To see the scoreboard, go to the <a href="https://ccdc.zone/scores/dashboard">score dashboard</a></li>
+            <li>This team ID is unique to your team, so don't share it with members of other teams.</li>
+        </ul>
+    </p>
+    <p>Your team has been allocated an environment for today, complete with targets, as well as VMs for you to remote
+        into that will contain all of the tools you will need today. You can find your team's starting package <a
+            href="https://ccdc.zone/packages/{team_id}.zip">here</a>. <ul>
+            <li>This package contains passwords, private keys, hostnames, and other information to get you and your
+                teammates started.</li>
+            <li>Inside of the zip package, you'll see a few files that start with the word `jumpbox`. These files
+                contain the details for access your team's jumpboxes (<a target="_blank"
+                    href="https://en.wikipedia.org/wiki/Jump_server">Ref</a>). There are 5 jumpboxes for your team, so
+                you and your teammates can decide who gets which jumpbox (they are numbered for your convenience). </li>
+            <li><b>THE JUMP BOXES ARE NOT IN SCOPE OF THE EVENT.</b> They are provided as ready-made environments,
+                complete with all of the tools you will need during the event. If there are tools you want to use that
+                are not installed in the jumpboxes, you are welcome to install them (you have full Administrator
+                credentials to these jumpboxes), however <i>you do so at your own risk</i>. <b>IF YOU LOCK YOURSELF OUT
+                    OF YOUR JUMPBOX, WE WILL NOT PROVISION A NEW ONE AND YOU WILL NEED TO DEPEND ON YOUR TEAMMATES</b>.
+            </li>
+            <li>To access your chosen jumpbox, you will need to RDP into it using the hostname and credentials in the
+                corresponding file. Microsoft has documentation on how their applications (<a target="_blank"
+                    href="https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients">Ref</a>),
+                and for those on Linux we recommend using the <a target="_blank" href="https://remmina.org/">Remmina
+                    remote desktop client</a>.</li>
+        </ul>
+    </p>
+    <p> This should be enough to get you started, but you will need to read the <a href="https://ccdc.zone/documentation">official
+            complete documentation</a> for all of the information you will need to be successful today. </p>
+    <h2>Keep your email inbox open or notifications turned on, as we may be sending updates, hints, and notifications to
+        you by email throughout the day.</h2>
+
+</html>
+</body>
+"""
                            }
                        }
                    })
@@ -237,10 +279,11 @@ def get_confirm(event, context):
 
 def get(event, contest):
     items = ddb.scan(TableName=event["RegistrantsTable"])
+    pairs = set([(item["teamId"]["N"], item["display_name"]["S"]) for item in items.get("Items", [])])
     return [{
-        "team_id": item["teamId"]["N"],
-        "team_name": item["username"]["S"]
-    } for item in items.get("Items", [])]
+        "team_id": t[0],
+        "team_name": t[1]
+    } for t in pairs]
 
 
 def lambda_handler(event, context):

cloudformation.yaml

@@ -70,6 +70,14 @@ Parameters:
   HMACSecret:
     Description: String that is used as the secret key for the HMAC to validate emails during registration.
     Type: String
+  RegistrationMode:
+    Description: Determines whether to permit registration from emails that aren't already in the DB.
+      This does not exempt registrants from confirming their email address, as we still need to know that
+      we can contact them at that address.
+    Type: String
+    AllowedValues:
+      - Open
+      - Closed
 
 Conditions:
   TallyCodePlaceholder:
@@ -438,8 +446,10 @@ Resources:
         Variables:
           XraySampleRate: !Ref XraySampleRate
           SCORECARD_LOG_EVENTS: "TRUE"
+          SES_EMAIL_SOURCE: !Ref SESEmailSource
           SES_REGION: !Ref SESRegion
           HMAC_SECRET: !Ref HMACSecret
+          REGISTRATION_MODE: !Ref RegistrationMode
           API_URL: !Sub https://${API}.execute-api.${AWS::Region}.amazonaws.com/Main
       Runtime: python3.6
       Handler: Register.lambda_handler

deploy.py

@@ -92,6 +92,16 @@ def main():
         help=
         """A list of tags as a dict to use as tag keys and values for the CloudFormation stack."""
     )
+    parser.add_argument(
+        "--registration-mode",
+        required=False,
+        default="Open",
+        type=lambda v: {k:k for k in ["Open", "Closed"]}[v],
+        help="""
+        Determines whether to permit registration from emails that aren't already in the DB.
+        This does not exempt registrants from confirming their email address, as we still need to
+        know that we can contact them at that address."""
+    )
     pargs = parser.parse_args()
 
     if pargs.registration_email_source is not None and pargs.hmac_secret is None:
@@ -110,17 +120,17 @@ def main():
                 exit(2)
 
     print("Building code zip files for deployment...")
-    tally_code = (str(uuid.uuid1()),
+    tally_code = (str(uuid.uuid4()),
                   zip_files([
                       "ScoreCardTally.py", "S3KeyValueStore.py",
                       "XrayChain.py", "util.py"
                   ]))
-    submit_code = (str(uuid.uuid1()),
+    submit_code = (str(uuid.uuid4()),
                    zip_files([
                        "ScoreCardSubmit.py", "S3KeyValueStore.py",
                        "XrayChain.py", "util.py"
                    ]))
-    register_code = (str(uuid.uuid1()),
+    register_code = (str(uuid.uuid4()),
                      zip_files(["Register.py", "XrayChain.py", "util.py"]))
 
     print("Uploading code zip files to S3 bucket (%s)..." % pargs.code_bucket)
@@ -151,6 +161,12 @@ def main():
             "ParameterValue": pargs.registration_email_source
         })
 
+    if pargs.registration_mode is not None:
+        stack_params.append({
+            "ParameterKey": "RegistrationMode",
+            "ParameterValue": pargs.registration_mode
+        })
+
     if pargs.hmac_secret is not None:
         stack_params.append({
             "ParameterKey": "HMACSecret",

webassets/register.html

@@ -75,6 +75,9 @@
             <div ng-show="submission_status == 'failed_duplicate'">
                 <label style="float:center;color:darkorange">Username already exists.</label>
             </div>
+            <div ng-show="submission_status == 'failed_unknown'">
+                <label style="float:center;color:darkmagenta">Unknown error encountered.</label>
+            </div>
         </div>
     </div>
 </body>