Security: Fix checking of admin tokens in CWS

When the login endpoint of the CWS API was called with an admin token,
but no admin token was configured, login succeeded.

This allowed attackers to impersonate any CWS user in CMS instances with
no admin token configured.

Thanks to Samet Akıllı <ssametakilli@gmail.com> for reporting the issue.

Author: gollux

cms/server/contest/authentication.py

@@ -123,8 +123,11 @@ def log_failed_attempt(msg, *args):
         return None, None
 
     if admin_token != "":
-        if (config.contest_web_server.contest_admin_token is not None
-            and admin_token != config.contest_web_server.contest_admin_token):
+        if config.contest_admin_token is None:
+            log_failed_attempt("admin token not configured")
+            return None, None
+
+        if admin_token != config.contest_admin_token:
             log_failed_attempt("invalid admin token")
             return None, None
 

cmstestsuite/unit_tests/server/contest/authentication_test.py

@@ -451,6 +451,19 @@ def test_impersonation_overrides_ip_lock(self):
         self.assertImpersonationSuccess(ip_address="10.0.0.1")
         self.assertImpersonationSuccess(ip_address="10.0.1.1")
 
+    def test_impersonation_failure(self):
+        with patch.object(config, "contest_admin_token", "admin-token"):
+            _, cookie = validate_login(
+                self.session, self.contest, self.timestamp, "otheruser",
+                "", ipaddress.ip_address("10.0.0.2"), "wrong-token")
+            self.assertIsNone(cookie)
+
+    def test_impersonation_no_config(self):
+        _, cookie = validate_login(
+            self.session, self.contest, self.timestamp, "otheruser",
+            "", ipaddress.ip_address("10.0.0.2"), "wrong-token")
+        self.assertIsNone(cookie)
+
 
 if __name__ == "__main__":
     unittest.main()