def get_evidence(request, project, evidence_type, findingid, fileid):
username = request.session['username']
role = request.session['role']
if (evidence_type in ['drafts', 'findings']
and has_access_to_finding(username, findingid, role)) \
or (evidence_type == 'events'
and has_access_to_event(username, findingid, role)):
if fileid is None:
rollbar.report_message('Error: Missing evidence image ID',
'error', request)
return HttpResponse("Error - Unsent image ID",
content_type="text/html")
key_list = key_existing_list(f'{project.lower()}/{findingid}/{fileid}')
if key_list:
for k in key_list:
start = k.find(findingid) + len(findingid)
localfile = "/tmp" + k[start:]
ext = {'.png': '.tmp', '.gif': '.tmp'}
localtmp = util.replace_all(localfile, ext)
CLIENT_S3.download_file(BUCKET_S3, k, localtmp)
return retrieve_image(request, localtmp)
else:
return util.response([], 'Access denied or evidence not found', True)
else:
util.cloudwatch_log(
request,
'Security: Attempted to retrieve evidence without permission')
return util.response([], 'Access denied or evidence not found', True)
def validation_project_to_pdf(request, lang, doctype):
if lang not in ["es", "en"]:
rollbar.report_message('Error: Unsupported language', 'error', request)
return util.response([], 'Unsupported language', True)
if doctype not in ["tech", "executive"]:
rollbar.report_message('Error: Unsupported doctype', 'error', request)
return util.response([], 'Unsupported doctype', True)
return None
def test_response(self):
data = 'this is data'
message = 'this is a test'
error = '500'
test_data = response(data, message, error)
expected_output = {
'data': 'this is data',
'message': 'this is a test',
'error': '500'
}
assert json.loads(test_data.content.decode('utf-8')) == expected_output
def project_to_xls(request, lang, project):
"Create the technical report"
username = request.session['username'].split("@")[0]
if project.strip() == "":
rollbar.report_message(
'Error: Empty fields in project', 'error', request)
return util.response([], 'Empty fields', True)
if not has_access_to_project(request.session['username'],
project, request.session['role']):
util.cloudwatch_log(
request,
'Security: Attempted to export project xls without permission')
return util.response([], 'Access denied', True)
if lang not in ["es", "en"]:
rollbar.report_message('Error: Unsupported language', 'error', request)
return util.response([], 'Unsupported language', True)
findings = finding_domain.get_findings(
project_domain.list_findings(project.lower()))
if findings:
findings = [cast_new_vulnerabilities(
get_open_vuln_by_type(finding['findingId'], request), finding)
for finding in findings]
else:
rollbar.report_message(
'Project {} does not have findings in dynamo'.format(project),
'warning',
request)
return util.response([], 'Empty fields', True)
data = util.ord_asc_by_criticidad(findings)
it_report = ITReport(project, data, username)
filepath = it_report.result_filename
reports.set_xlsx_password(filepath, time.strftime('%d%m%Y') + username)
with open(filepath, 'rb') as document:
response = HttpResponse(document.read())
response['Content-Type'] = ('application/vnd.openxmlformats'
'-officedocument.spreadsheetml.sheet')
response['Content-Disposition'] = 'inline;filename={}.xlsx'.format(
project)
return response
def authorize_and_call(*args, **kwargs):
request = args[0]
# Verify role if the user is logged in
if 'username' in request.session and request.session['registered']:
if request.session['role'] not in roles:
return util.response([], 'Access denied', True)
else:
# The user is not even authenticated. Redirect to login
return HttpResponse('<script> \
var getUrl=window.location.hash.substr(1); \
localStorage.setItem("url_inicio",getUrl); \
location = "/integrates/index" ; </script>')
return func(*args, **kwargs)
def download_vulnerabilities(request, findingid):
"""Download a file with all the vulnerabilities."""
if not has_access_to_finding(request.session['username'], findingid,
request.session['role']):
util.cloudwatch_log(request,
'Security: \
Attempted to retrieve vulnerabilities without permission')
return util.response([], 'Access denied', True)
else:
finding = get_vulnerabilities_by_type(findingid)
data_yml = {}
vuln_types = {'ports': dict, 'lines': dict, 'inputs': dict}
if finding:
for vuln_key, cast_fuction in list(vuln_types.items()):
if finding.get(vuln_key):
data_yml[vuln_key] = list(map(cast_fuction, list(finding.get(vuln_key))))
else:
# This finding does not have this type of vulnerabilities
pass
else:
# This finding does not have new vulnerabilities
pass
project = finding_domain.get_finding(findingid)['projectName']
file_name = '/tmp/{project}-{finding_id}.yaml'.format(
finding_id=findingid, project=project)
stream = open(file_name, 'w')
yaml.safe_dump(data_yml, stream, default_flow_style=False)
try:
with open(file_name, 'rb') as file_obj:
response = HttpResponse(file_obj.read(), content_type='text/x-yaml')
response['Content-Disposition'] = \
'attachment; filename="{project}-{finding_id}.yaml"'.format(
finding_id=findingid, project=project)
return response
except IOError:
rollbar.report_message('Error: Invalid vulnerabilities file format', 'error', request)
return util.response([], 'Invalid vulnerabilities file format', True)
def project_to_pdf(request, lang, project, doctype):
"Export a project to a PDF"
assert project.strip()
if not has_access_to_project(request.session['username'],
project, request.session['role']):
util.cloudwatch_log(request, 'Security: Attempted to export project'
' pdf without permission')
return util.response([], 'Access denied', True)
else:
user = request.session['username'].split('@')[0]
validator = validation_project_to_pdf(request, lang, doctype)
if validator is not None:
return validator
findings = finding_domain.get_findings(
project_domain.list_findings(project.lower()))
findings = [cast_new_vulnerabilities(
get_open_vuln_by_type(finding['findingId'], request), finding)
for finding in findings]
description = project_domain.get_description(project.lower())
pdf_maker = CreatorPDF(lang, doctype)
secure_pdf = SecurePDF()
findings_ord = util.ord_asc_by_criticidad(findings)
findings = pdf_evidences(findings_ord)
report_filename = ''
if doctype == 'tech':
pdf_maker.tech(findings, project, description)
report_filename = secure_pdf.create_full(user,
pdf_maker.out_name,
project)
else:
return HttpResponse(
'Disabled report generation', content_type='text/html')
if not os.path.isfile(report_filename):
rollbar.report_message(
'Couldn\'t generate pdf report', 'error', request)
return HttpResponse(
'Couldn\'t generate pdf report', content_type='text/html')
with open(report_filename, 'rb') as document:
response = HttpResponse(document.read(),
content_type='application/pdf')
response['Content-Disposition'] = \
'inline;filename={}_IT.pdf'.format(project)
return response
def login(request) -> JsonResponse:
""" Authentication service defintion. """
username = request.session['username']
return util.response([], 'Bienvenido ' + username, False)