refactor the scripts after LKS2023 try-run for general usability

chrisandoryan · Nov 7, 2023 · 84e148a · 84e148a
1 parent 0301554
commit 84e148a
Show file tree

Hide file tree

Showing 9 changed files with 25 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -14,18 +14,30 @@ The so-called stack consists of:
 - VPC, Subnet & Routing, and other networking configurations.
 
 ## How It Works
-Instead of directly update the value of the user/root flag inside the CTF instance on every ticks, **Gateflag** sets up two specific API endpoints that the players can call to get their user/root flag. These endpoints are protected with IAM and ACL policies, so the endpoint that emits **root flag** can only be called by the **root user**, and endpoint that emits **user flag** can only be called by the **normal user**.
+Instead of directly update the value of the user/root flag inside the CTF instance on every ticks, **Gateflag** sets up two specific API endpoints (with AWS API Gateway) that the players can call to get their user/root flag. These endpoints are protected with IAM and ACL policies, so the endpoint that emits **root flag** can only be called by the **root user**, and endpoint that emits **user flag** can only be called by the **normal user**.
 
 ![Takeflag Binary](./documentation/takeflag_binary.png "How to Get Flag in Gateflag")
 
 ### POV: CTF Administrator
-As the administrator, TBA.
+As the CTF Administrator, TBA.
+
+Then, after deploying the cloud infrastructure, you may want to adjust the Flag Server to receive and process the incoming requests relayed by the AWS API Gateway. Your Flag Server will receive a request similar to this:
+```
+TBA.
+```
 
 ### POV: CTF Participants
 As a participant, after *pwning* your way into the machine, you just have to execute `/usr/local/bin/takeflag` binary. You'll get the flag depending on what user you're currently on: if you're **root**, you'll get the **root flag**, and vice versa.
 
 ## How to Deploy
-Clone the repository:
+There are two ways to check this project out.
+
+#### Simple Deployment
+Follow this section to simply test the project and see what cloud resources it creates. The overall configuration is located at `dist/template.yaml`. 
+
+Please note that this configuration will only create 1 EC2 instance that acts as the CTF player's machine. If you need to create more machines (for more players), please refer to the **Provisioned Deployment** section.
+
+First, clone the repository:
 ```
 git clone https://github.com/chrisandoryan/Gateflag.git
 cd Gateflag/
@@ -36,6 +48,7 @@ aws cloudformation deploy --template-file ./aws/template.yaml --stack-name gatef
 ```
 Before you can use AWS CLI to deploy this project using CloudFormation, you need to install CLI on your machine and configure it using your credentials (access key/secret key). See [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
 
-## Future Improvements
-- Implement Access Key / Secret Key rotation with Systems Manager and Lambda function.
-- 
+#### Provisioned Deployment
+TBA.
+
+## Future Improvements
diff --git a/aws/take_flag.py → dist/take_flag.py b/aws/take_flag.py → dist/take_flag.py
diff --git a/aws/template.yaml → dist/template.yaml b/aws/template.yaml → dist/template.yaml
@@ -26,7 +26,7 @@ Parameters:
     Description: The KeyPair configuration to connect to EC2 instances.
   FlagTakerScript:
     Type: String
-    Default: https://raw.githubusercontent.com/chrisandoryan/Gateflag/main/aws/take_flag.py
+    Default: https://raw.githubusercontent.com/chrisandoryan/Gateflag/main/dist/take_flag.py
     Description: Script that automates the flag-taking process inside EC2 CTF instances.
   CTFBoxLowPrivilegeUser:
     Type: String
@@ -87,7 +87,7 @@ Resources:
           - StatusCode: 200
         RequestParameters:
           integration.request.header.x-source-ip: context.identity.sourceIp
-          integration.request.header.x-invoker-account-id: context.identity.accountId
+          integration.request.header.x-user-arn: context.identity.userArn
       MethodResponses:
         - StatusCode: "200"
           ResponseModels:

diff --git a/lks/.gitignore → scripts/.gitignore b/lks/.gitignore → scripts/.gitignore
diff --git a/lks/aws_config.py → scripts/aws_config.py b/lks/aws_config.py → scripts/aws_config.py
@@ -4,7 +4,7 @@
 AWS_SECRET_ACCESS_KEY = os.getenv('AWS_SECRET_ACCESS_KEY', '')
 AWS_REGION_NAME = 'ap-southeast-1'
 
-ENVIRONMENT_NAME = 'GateflagLKS'
+ENVIRONMENT_NAME = 'Gateflag'
 GLOBAL_TEMPLATE_FILE = 'global.yaml'
 TEAM_TEMPLATE_FILE = 'team.yaml'
 

diff --git a/lks/global.yaml → scripts/global.yaml b/lks/global.yaml → scripts/global.yaml
@@ -79,7 +79,7 @@ Resources:
         RequestParameters:
           integration.request.header.x-adce-secret: __GATEFLAG_SECRET__
           integration.request.header.x-source-ip: context.identity.sourceIp
-          integration.request.header.x-userarn: context.identity.userArn
+          integration.request.header.x-user-arn: context.identity.userArn
       MethodResponses:
         - StatusCode: "200"
           ResponseModels:

diff --git a/lks/provisioner.py → scripts/provision.py b/lks/provisioner.py → scripts/provision.py
diff --git a/lks/rollback.py → scripts/rollback.py b/lks/rollback.py → scripts/rollback.py
@@ -1,4 +1,4 @@
-from provisioner import get_stack_name, deploy, TEAM, delete_stack
+from dist.provision import get_stack_name, deploy, TEAM, delete_stack
 import aws_config
 import boto3
 import json

diff --git a/lks/team.yaml → scripts/team.yaml b/lks/team.yaml → scripts/team.yaml
@@ -20,7 +20,7 @@ Parameters:
     Description: The KeyPair configuration to connect to EC2 instances.
   FlagTakerScript:
     Type: String
-    Default: https://raw.githubusercontent.com/chrisandoryan/Gateflag/main/aws/take_flag.py
+    Default: https://raw.githubusercontent.com/chrisandoryan/Gateflag/main/dist/take_flag.py
     Description: Script that automates the flag-taking process inside EC2 CTF instances.
   CTFBoxLowPrivilegeUser:
     Type: String