Merge pull request #17 from nsec/initialize-repository-16

Implemented the CTF folder initialize command.

Author: MOBergeron

.deploy/track.yaml

@@ -71,8 +71,6 @@ def find_ctf_root_directory() -> str:
     while path != (path := os.path.dirname(p=path)):
         dir = os.listdir(path=path)
 
-        if ".git" not in dir:
-            continue
         if ".deploy" not in dir:
             continue
         if "challenges" not in dir:
@@ -82,7 +80,7 @@ def find_ctf_root_directory() -> str:
     if path == "/":
         if "CTF_ROOT_DIR" not in os.environ:
             LOG.critical(
-                msg='Could not automatically find the root directory nor the "CTF_ROOT_DIR" environment variable.'
+                msg='Could not automatically find the root directory nor the "CTF_ROOT_DIR" environment variable. To initialize a new root directory, use `ctf init [path]`'
             )
             exit(1)
         return os.environ.get("CTF_ROOT_DIR", default=".")
@@ -91,4 +89,7 @@ def find_ctf_root_directory() -> str:
     return path
 
 
-CTF_ROOT_DIRECTORY = find_ctf_root_directory()
+if len(sys.argv) > 1 and sys.argv[1] == "init":
+    CTF_ROOT_DIRECTORY = os.path.join(os.getcwd(), ".")
+else:
+    CTF_ROOT_DIRECTORY = find_ctf_root_directory()

ctf/__init__.py

@@ -92,6 +92,31 @@ def terraform_binary() -> str:
     return path
 
 
+def init(args: argparse.Namespace) -> None:
+    if os.path.isdir(os.path.join(args.path, "challenges")) or os.path.isdir(
+        os.path.join(args.path, ".deploy")
+    ):
+        LOG.error(f"Directory {args.path} is already initialized.")
+        exit(code=1)
+
+    challenge_dir = os.path.join(args.path, "challenges")
+    deploy_dir = os.path.join(args.path, ".deploy")
+
+    try:
+        os.mkdir(challenge_dir)
+        LOG.info(f"Created {challenge_dir}")
+        shutil.copytree(os.path.join(TEMPLATES_ROOT_DIRECTORY, ".deploy"), deploy_dir)
+        LOG.info(f"Created {deploy_dir}")
+    except Exception:
+        import traceback
+
+        if os.path.isdir(challenge_dir):
+            os.rmdir(challenge_dir)
+        if os.path.isdir(deploy_dir):
+            shutil.rmtree(deploy_dir)
+        LOG.critical(traceback.format_exc())
+
+
 def new(args: argparse.Namespace) -> None:
     LOG.info(msg=f"Creating a new track: {args.name}")
     if not re.match(pattern=r"^[a-z][a-z0-9\-]{0,61}[a-z0-9]$", string=args.name):
@@ -1310,6 +1335,18 @@ def main():
         help="Script version.",
     )
 
+    parser_init = subparsers.add_parser(
+        "init",
+        help="Initialize a folder with the default CTF structure.",
+    )
+    parser_init.set_defaults(func=init)
+    parser_init.add_argument(
+        "path",
+        nargs="?",
+        default=CTF_ROOT_DIRECTORY,
+        help="Initialize the folder at the given path.",
+    )
+
     parser_flags = subparsers.add_parser(
         "flags",
         help="Get flags from tracks",
@@ -1556,10 +1593,11 @@ def main():
         ENV["INCUS_REMOTE"] = args.remote
 
     if not os.path.isdir(s=(p := os.path.join(CTF_ROOT_DIRECTORY, "challenges"))):
-        LOG.error(
-            msg=f"Directory `{p}` not found. Make sure this script is ran from the root directory OR set the CTF_ROOT_DIR environment variable to the root directory."
-        )
-        exit(code=1)
+        if args.func.__name__ != "init":
+            LOG.error(
+                msg=f"Directory `{p}` not found. Make sure this script is ran from the root directory OR set the CTF_ROOT_DIR environment variable to the root directory."
+            )
+            exit(code=1)
 
     args.func(args=args)
 

ctf/__main__.py

@@ -0,0 +1,135 @@
+- name: Pre-deployment system cleanup
+  hosts: all
+  order: shuffle
+  gather_facts: false
+  any_errors_fatal: true
+
+  tasks:
+    - name: Make network configuration static
+      ansible.builtin.shell: |
+        [ ! -e /run/systemd/resolve/resolv.conf ] && exit 0
+        rm -f /etc/resolv.conf || true
+        cat /run/systemd/resolve/resolv.conf > /etc/resolv.conf
+      when: 'nsec_production | default(False)'
+      changed_when: true
+
+    - name: Mask most systemd units
+      ansible.builtin.shell: |
+        for i in \
+            apt-daily-upgrade.service \
+            apt-daily-upgrade.timer \
+            apt-daily.service \
+            apt-daily.timer \
+            console-getty.service \
+            console-setup.service \
+            dmesg.service \
+            dpkg-db-backup.service \
+            dpkg-db-backup.timer \
+            e2scrub_all.service \
+            e2scrub_all.timer \
+            e2scrub_reap.service \
+            emergency.service \
+            fstrim.service \
+            fstrim.timer \
+            getty-static.service \
+            [email protected] \
+            initrd-cleanup.service \
+            initrd-parse-etc.service \
+            initrd-switch-root.service \
+            initrd-udevadm-cleanup-db.service \
+            keyboard-setup.service \
+            kmod-static-nodes.service \
+            ldconfig.service \
+            logrotate.service \
+            logrotate.timer \
+            [email protected] \
+            modprobe@dm_mod.service \
+            [email protected] \
+            [email protected] \
+            [email protected] \
+            motd-news.service \
+            motd-news.timer \
+            netplan-ovs-cleanup.service \
+            rescue.service \
+            rsyslog.service \
+            setvtrgb.service \
+            syslog.socket \
+            systemd-ask-password-console.service \
+            systemd-ask-password-wall.service \
+            systemd-battery-check.service \
+            systemd-bsod.service \
+            systemd-confext.service \
+            systemd-fsck-root.service \
+            systemd-fsckd.service \
+            systemd-fsckd.socket \
+            systemd-hibernate-resume.service \
+            systemd-initctl.service \
+            systemd-initctl.socket \
+            systemd-journal-catalog-update.service \
+            systemd-journal-flush.service \
+            systemd-journald-dev-log.socket \
+            systemd-journald.service \
+            systemd-journald.socket \
+            systemd-pcrextend.socket \
+            systemd-pcrlock-file-system.service \
+            systemd-pcrlock-firmware-code.service \
+            systemd-pcrlock-firmware-config.service \
+            systemd-pcrlock-machine-id.service \
+            systemd-pcrlock-make-policy.service \
+            systemd-pcrlock-secureboot-authority.service \
+            systemd-pcrlock-secureboot-policy.service \
+            systemd-pcrmachine.service \
+            systemd-pcrphase-initrd.service \
+            systemd-pcrphase-sysinit.service \
+            systemd-pcrphase.service \
+            systemd-random-seed.service \
+            systemd-repart.service \
+            systemd-soft-reboot.service \
+            systemd-sysctl.service \
+            systemd-sysext.service \
+            systemd-sysext.socket \
+            systemd-sysupdate-reboot.service \
+            systemd-sysupdate-reboot.timer \
+            systemd-sysupdate.service \
+            systemd-sysupdate.timer \
+            systemd-sysusers.service \
+            systemd-timesyncd.service \
+            systemd-tpm2-setup-early.service \
+            systemd-tpm2-setup.service \
+            systemd-update-done.service \
+            systemd-update-utmp-runlevel.service \
+            systemd-update-utmp.service \
+            ua-reboot-cmds.service \
+            ua-timer.service \
+            ua-timer.timer \
+            ubuntu-advantage.service; do
+          ln -s /dev/null /etc/systemd/system/${i} || true
+        done
+      changed_when: true
+
+    - name: Mask network systemd units
+      ansible.builtin.shell: |
+        for i in \
+            networkd-dispatcher.service \
+            systemd-network-generator.service \
+            systemd-networkd-wait-online.service \
+            systemd-networkd.service \
+            systemd-networkd.socket \
+            systemd-resolved.service \
+            systemd-udev-settle.service \
+            systemd-udev-trigger.service \
+            systemd-udevd-control.socket \
+            systemd-udevd-kernel.socket \
+            systemd-udevd.service; do
+          ln -s /dev/null /etc/systemd/system/${i} || true
+        done
+      when: 'nsec_production | default(False)'
+      changed_when: true
+
+    - name: Remove all cron jobs
+      ansible.builtin.shell: |
+        rm -f /etc/cron.*/* || true
+      changed_when: true
+
+    - name: Reboot the instance
+      ansible.builtin.reboot:

ctf/templates/.deploy/cleanup.yaml

@@ -0,0 +1,14 @@
+- name: Pre-deployment Common
+  hosts: all
+  order: shuffle
+  gather_facts: false
+  any_errors_fatal: true
+
+  tasks:
+    - name: Distro update and Python3 install
+      ansible.builtin.raw: |
+        apt update && apt upgrade -y && apt install -y python3
+      changed_when: true
+
+- name: Importing cleanup.yaml Playbook
+  ansible.builtin.import_playbook: cleanup.yaml

ctf/templates/.deploy/common.yaml

@@ -0,0 +1,6 @@
+resource "incus_network_zone" "this" {
+  remote = var.incus_remote
+
+  name        = "ctf"
+  description = "DNS zone for the internal .ctf TLD"
+}

ctf/templates/.deploy/common/dns.tf

@@ -0,0 +1,13 @@
+variable "incus_remote" {
+  default = "local"
+  type    = string
+}
+
+variable "deploy" {
+  default = "dev"
+  type    = string
+}
+
+locals {
+  track = yamldecode(file("${path.module}/../track.yaml"))
+}

ctf/templates/.deploy/common/variables.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">=1.5.7"
+  required_providers {
+    incus = {
+      source  = "lxc/incus"
+      version = ">=0.1.3"
+    }
+  }
+}

ctf/templates/.deploy/common/versions.tf

@@ -18,7 +18,7 @@ dependencies = [
     "black",
     "tabulate==0.9.0",
 ]
-version = "1.1.3"
+version = "1.1.4"
 classifiers = [
     "Programming Language :: Python :: 3",
     "Operating System :: OS Independent",