Skip to content

Add dojo Command-Line Application #964

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 21 commits into
base: master
Choose a base branch
from
Draft

Add dojo Command-Line Application #964

wants to merge 21 commits into from

Conversation

@TheodorKitzenmaier
Copy link
Contributor

@TheodorKitzenmaier TheodorKitzenmaier commented Oct 22, 2025
edited
Loading

Overview

Adds a command line application, dojo, which allows for limited interaction with a custom set of integration APIs. The application authenticates using the DOJO_AUTH_TOKEN environment variable, which has been changed to be a set of signed values tying the token to the user and their current challenge.

In order to allow for communication between the application and the dojo, challenge containers have been given network access to the nginx container. In theory the iptables configuration in dojo/dojo-init should ensure that this is the only other container that the challenge containers can access, but someone more familiar with iptables should sanity check this.

Integrations

Added a new namespace to the pwn.college api, integrations. Endpoints within the integrations namespace expect requests to use the auth_token AuthToken header to provide the current container's authentication token.

Command

whoami

A simple command which prints out information about the current user. Prints the user's name and id.

Invoked by calling dojo whoami in a terminal.

@TheodorKitzenmaier
Updated Container Auth Token
7c5b33b 
Container auth token is now a signed token instead of a random byte string.
- The server signs the account id, challenge id, and an additional string.
- The challenge ID is included to ensure that the token matches the active challenge.

This allows for verification of the owner of the token and efficient authentication of challenge containers.
@TheodorKitzenmaier
Container Token Validation Returns UserID and ChallengeID
b3286f6 
Changed return from just the user id to both the user and challenge ids.
- Required for challenge matching.
@TheodorKitzenmaier
Added Container Token Authenticated API Endpoint
5c386bf 
Added the API endpoint for use by internal container integration.

Key features:
- Gets an authentication token from request headers (auth_token).
- Performs authentication that the token is correctly signed and matches the active challenge container.
- API calls create a session for the duration of the request.
    - The session is destroyed upon completion of the request.
@TheodorKitzenmaier
Opened CTFD to challenge containers.
a0c70f3 
CTFD is open with IP 10.0.0.117.
- iptables configured to accept connections from 10.0.0.0/8 (challenge containers?) to 10.0.0.117 (ctfd).
@TheodorKitzenmaier
Added note about Flask
f340e42 
If we were to use the before/teardown_request decorators, it would have to be applied to the entire application.
- The overhead of this seems excessive, and I see no advantage in running the session teardown check on every endpoing.
- Why Flask does not offer the ability to specify before/after/teardown at the namespace level, I do not know.
@TheodorKitzenmaier
Switched Container Communication to Nginx
ba17663 
Challenge containers now communicate with the nginx container instead of the ctfd container.
@TheodorKitzenmaier
Convert tabs to spaces.
ce673ec
@TheodorKitzenmaier
Added Dojo Application to Nix
ed9ae02 
Added a python application, starting with a whoami command.
@TheodorKitzenmaier
Added Dojo CLI Test
707c87c 
Added a testcase for the dojo cli application.
- WHOAMI command is tested to ensure it returns the name of the random user.
@TheodorKitzenmaier
Container Tokens Timeout After 6 Hours
1a5d92c 
Switched from URLSafeSerializer to URLSafeTimedSerializer to ensure that container tokens are only valid for the maximum lifespan of a container.
@TheodorKitzenmaier
Fix Dojo-CLI path.
a9c631f 
dojo-cli.nix is at ./core, not ./code...
@TheodorKitzenmaier
Updated dojo-cli to use Urllib
e4f0445 
Switched from `Requests` to `Urllib`.
@TheodorKitzenmaier
WIP fix for CLI
ed69d79 
Custom auth token header isn't showing up for some reason.
@TheodorKitzenmaier
Fix Integration WHOAMI Endpoint.
bf34e66 
Switched from using auth_token as header to AuthToken.
- Headers with underscores are dropped?

Fixed incorrect signing of container token.
- Docker was incorrectly using `challenge.challenge_id` instead of `challenge.id`.
@codecov
Copy link

codecov bot commented Oct 28, 2025

Codecov Report

❌ Patch coverage is 85.93750% with 9 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
dojo_plugin/api/v1/integration.py 80.85% 9 Missing ⚠️

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TheodorKitzenmaier