def add_new_screenshot(request):
"""
Add a new screenshot.
:param request: The Django request.
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
user = request.user
description = request.POST.get('description', None)
reference = request.POST.get('source_reference', None)
method = request.POST.get('source_method', None)
tlp = request.POST.get('source_tlp', None)
tags = request.POST.get('tags', None)
source = request.POST.get('source_name', None)
oid = request.POST.get('oid', None)
otype = request.POST.get('otype', None)
screenshot_ids = request.POST.get('screenshot_ids', None)
screenshot = request.FILES.get('screenshot', None)
acl = get_acl_object(otype)
if user.has_access_to(acl.SCREENSHOTS_ADD):
result = add_screenshot(description, tags, source, method, reference, tlp,
user.username, screenshot, screenshot_ids, oid, otype)
else:
result = {"success":False,
"message":"User does not have permission to add screenshots."}
return HttpResponse(json.dumps(result),
content_type="application/json")
def remove_location(request, type_, id_):
"""
Remove an attributed location from a top-level object. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:param type_: CRITs type for the top-level object.
:type type_: str
:param id_: The ObjectId of the top-level object.
:type id_: str
:returns: :class:`django.http.HttpResponse`
"""
if request.method == "POST" and request.is_ajax():
data = request.POST
location_name = data.get('key').split('|')[0]
location_type = data.get('key').split('|')[1]
date = data.get('key').split('|')[2]
user = request.user
acl = get_acl_object(type_)
if user.has_access_to(acl.LOCATIONS_DELETE):
result = location_remove(id_,
type_,
location_name=location_name,
location_type=location_type,
date=date,
user=request.user.username)
return HttpResponse(json.dumps(result), content_type="application/json")
else:
result = {"success":False,
"message":"User does not have permission to remove location."}
return HttpResponse(json.dumps(result), content_type="application/json")
else:
return render(request, "error.html", {"error": 'Expected AJAX POST.'})
def remove_comment(request, obj_type, obj_id):
"""
Remove a comment from a top-level object. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:param obj_type: The TLO Type.
:type obj_type: str
:param obj_id: The ObjectId of the top-level object.
:type obj_id: str
:returns: :class:`django.http.HttpResponse`
"""
if request.method == "POST" and request.is_ajax():
user = request.user
date = datetime.datetime.strptime(request.POST['key'],
settings.PY_DATETIME_FORMAT)
acl = get_acl_object(obj_type)
if user.has_access_to(acl.COMMENTS_DELETE):
result = comment_remove(obj_id, user.username, date)
else:
result = {"success":False,
"message":"User does not have permission to remove comments."}
return HttpResponse(json.dumps(result), content_type="application/json")
return render_to_response("error.html", {'error':'Expected AJAX/POST'})
def bulk_add_object(request):
"""
Bulk add objects.
:param request: The Django request.
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
formdict = form_to_dict(AddObjectForm(request.user))
if request.method == "POST" and request.is_ajax():
acl = get_acl_object(request.POST['otype'])
user = request.user
if user.has_access_to(acl.OBJECTS_ADD):
response = parse_bulk_upload(request,
parse_row_to_bound_object_form,
add_new_handler_object_via_bulk,
formdict)
else:
response = {
'success': False,
'message': 'User does not have permission to add objects'
}
return HttpResponse(json.dumps(response, default=json_handler),
content_type="application/json")
else:
return render_to_response(
'bulk_add_default.html', {
'formdict': formdict,
'title': "Bulk Add Objects",
'table_name': 'object'
}, RequestContext(request))
def service_run(request, name, crits_type, identifier):
"""
Run a service.
"""
request.user._setup()
if request.method == 'POST':
custom_config = request.POST
elif request.method == "GET":
# Run with no config...
custom_config = {}
user = request.user
acl = get_acl_object(crits_type)
if user.has_access_to(acl.SERVICES_EXECUTE):
result = run_service(name,
crits_type,
identifier,
user,
execute=settings.SERVICE_MODEL,
custom_config=custom_config,
is_triage_run=False)
else:
result = {"success":False,
"message":"User does not have permission to run services."}
if result['success'] == True:
return refresh_services(request, crits_type, identifier)
else:
return HttpResponse(json.dumps(result), content_type="application/json")
def remove_campaign(request, ctype, objectid):
"""
Remove an attributed Campaign from a top-level object. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:param ctype: CRITs type for the top-level object.
:type ctype: str
:param objectid: The ObjectId of the top-level object.
:type objectid: str
:returns: :class:`django.http.HttpResponse`
"""
user = request.user
if request.method == "POST" and request.is_ajax():
data = request.POST
acl = get_acl_object(ctype)
if user.has_access_to(acl.CAMPAIGNS_DELETE):
result = campaign_remove(ctype,
objectid,
campaign=data.get('key'),
analyst=request.user.username)
else:
result = {'success':False,
'message':'User does not have permission to delete campaign from TLO.'}
return HttpResponse(json.dumps(result), content_type="application/json")
else:
return render_to_response("error.html",
{"error": 'Expected AJAX POST.'},
RequestContext(request))
def remove_campaign(request, ctype, objectid):
"""
Remove an attributed Campaign from a top-level object. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:param ctype: CRITs type for the top-level object.
:type ctype: str
:param objectid: The ObjectId of the top-level object.
:type objectid: str
:returns: :class:`django.http.HttpResponse`
"""
user = request.user
if request.method == "POST" and request.is_ajax():
data = request.POST
acl = get_acl_object(ctype)
if user.has_access_to(acl.CAMPAIGNS_DELETE):
result = campaign_remove(ctype,
objectid,
campaign=data.get('key'),
analyst=request.user.username)
else:
result = {
'success':
False,
'message':
'User does not have permission to delete campaign from TLO.'
}
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
return render(request, "error.html", {"error": 'Expected AJAX POST.'})
def service_run(request, name, crits_type, identifier):
"""
Run a service.
"""
request.user._setup()
if request.method == 'POST':
custom_config = request.POST
elif request.method == "GET":
# Run with no config...
custom_config = {}
user = request.user
acl = get_acl_object(crits_type)
if user.has_access_to(acl.SERVICES_EXECUTE):
result = run_service(name,
crits_type,
identifier,
user,
execute=settings.SERVICE_MODEL,
custom_config=custom_config,
is_triage_run=False)
else:
result = {
"success": False,
"message": "User does not have permission to run services."
}
if result['success'] == True:
return refresh_services(request, crits_type, identifier)
else:
return HttpResponse(json.dumps(result),
content_type="application/json")
def bulk_add_object(request):
"""
Bulk add objects.
:param request: The Django request.
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
formdict = form_to_dict(AddObjectForm(request.user))
if request.method == "POST" and request.is_ajax():
acl = get_acl_object(request.POST['otype'])
user = request.user
if user.has_access_to(acl.OBJECTS_ADD):
response = parse_bulk_upload(
request,
parse_row_to_bound_object_form,
add_new_handler_object_via_bulk,
formdict)
else:
response = {'success':False,
'message':'User does not have permission to add objects'}
return HttpResponse(json.dumps(response,
default=json_handler),
content_type="application/json")
else:
return render_to_response('bulk_add_default.html',
{'formdict': formdict,
'title': "Bulk Add Objects",
'table_name': 'object'},
RequestContext(request))
def add_new_screenshot(request):
"""
Add a new screenshot.
:param request: The Django request.
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
user = request.user
description = request.POST.get('description', None)
reference = request.POST.get('source_reference', None)
method = request.POST.get('source_method', None)
tlp = request.POST.get('source_tlp', None)
tags = request.POST.get('tags', None)
source = request.POST.get('source_name', None)
oid = request.POST.get('oid', None)
otype = request.POST.get('otype', None)
screenshot_ids = request.POST.get('screenshot_ids', None)
screenshot = request.FILES.get('screenshot', None)
acl = get_acl_object(otype)
if user.has_access_to(acl.SCREENSHOTS_ADD):
result = add_screenshot(description, tags, source, method, reference,
tlp, user.username, screenshot, screenshot_ids,
oid, otype)
else:
result = {
"success": False,
"message": "User does not have permission to add screenshots."
}
return HttpResponse(json.dumps(result), content_type="application/json")
def update_relationship_type(request):
"""
Update relationship type. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
if request.method == 'POST' and request.is_ajax():
user = request.user
acl = get_acl_object(request.POST['my_type'])
if user.has_access_to(acl.RELATIONSHIPS_EDIT):
results = update_relationship_types(left_type=request.POST['my_type'],
left_id=request.POST['my_value'],
right_type=request.POST['reverse_type'],
right_id=request.POST['dest_id'],
rel_type=request.POST['forward_relationship'],
rel_date=request.POST['relationship_date'],
new_type=request.POST['new_relationship'],
analyst=request.user.username)
else:
results = {'success':False,
'message':'User does not have permission to update relationship.'}
if results['success']:
message = "Successfully updated relationship: %s" % results['message']
result = {'success': True, 'message': message}
else:
message = "Error updating relationship: %s" % results['message']
result = {'success': False, 'message': message}
return HttpResponse(json.dumps(result), content_type="application/json")
else:
error = "Expected AJAX POST"
return render(request, "error.html",
{"error" : error })
def edit_campaign(request, ctype, objectid):
"""
Edit an attributed Campaign for a top-level object. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:param ctype: CRITs type for the top-level object.
:type ctype: str
:param objectid: The ObjectId of the top-level object.
:type objectid: str
:returns: :class:`django.http.HttpResponse`
"""
user = request.user
if request.method == "POST" and request.is_ajax():
form = CampaignForm(request.POST)
acl = get_acl_object(ctype)
if user.has_access_to(acl.CAMPAIGNS_EDIT):
if form.is_valid():
data = form.cleaned_data
campaign = data['name']
confidence = data['confidence']
description = data['description']
related = data['related']
analyst = request.user.username
try:
date = datetime.datetime.strptime(data['date'],
settings.PY_DATETIME_FORMAT)
except ValueError:
date = datetime.datetime.now()
result = campaign_edit(ctype,
objectid,
campaign,
confidence,
description,
date,
related,
analyst)
if result['success']:
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
result.update({'form': form.as_table()})
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
return HttpResponse(json.dumps({'success': False,
'form': form.as_table()}),
content_type="application/json")
else:
result ={'success': False,
'message':'User does not have permission to edit Campaign.'}
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
return HttpResponse(json.dumps({'success': False}),
content_type="application/json")
def add_new_relationship(request):
"""
Add a new relationship. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
if request.method == 'POST' and request.is_ajax():
form = ForgeRelationshipForm(request.POST)
user = request.user
choices = [(c,c) for c in RelationshipTypes.values(sort=True)]
form.fields['forward_relationship'].choices = choices
if form.is_valid():
cleaned_data = form.cleaned_data
# Get user permission to verify the user can forge relationships...
# Should we check permission on both the forward and reverse TLO for this?
acl = get_acl_object(cleaned_data.get('forward_type'))
if user.has_access_to(acl.RELATIONSHIPS_ADD):
results = forge_relationship(type_=cleaned_data.get('forward_type'),
id_=cleaned_data.get('forward_value'),
right_type=cleaned_data.get('reverse_type'),
right_id=cleaned_data.get('dest_id'),
rel_type=cleaned_data.get('forward_relationship'),
rel_date=cleaned_data.get('relationship_date'),
user=request.user.username,
rel_reason=cleaned_data.get('rel_reason'),
rel_confidence=cleaned_data.get('rel_confidence'),
get_rels=True)
else:
results = {"success":False,
"message":"User does not have permission to forge relationships"}
if results['success'] == True:
relationship = {'type': cleaned_data.get('forward_type'),
'value': cleaned_data.get('forward_value')}
message = render_to_string('relationships_listing_widget.html',
{'relationship': relationship,
'nohide': True,
'relationships': results['relationships']},
RequestContext(request))
result = {'success': True, 'message': message}
else:
message = "Error adding relationship: %s" % results['message']
result = {'success': False, 'message': message}
else:
message = "Invalid Form: %s" % form.errors
form = form.as_table()
result = {'success': False, 'form': form, 'message': message}
return HttpResponse(json.dumps(result), content_type="application/json")
else:
error = "Expected AJAX POST"
return render_to_response("error.html",
{"error" : error },
RequestContext(request))
def add_location(request, type_, id_):
"""
Attribute a location to a top-level object. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:param type_: CRITs type for the top-level object.
:type type_: str
:param id_: The ObjectId of the top-level object.
:type id_: str
:returns: :class:`django.http.HttpResponse`
"""
if request.method == "POST" and request.is_ajax():
form = AddLocationForm(request.POST)
result = {}
if form.is_valid():
data = form.cleaned_data
location_type = data['location_type']
location_name = data['country']
description = data['description']
latitude = data['latitude']
longitude = data['longitude']
user = request.user
acl = get_acl_object(type_)
if user.has_access_to(acl.LOCATIONS_ADD):
result = location_add(id_,
type_,
location_type,
location_name,
user,
description=description,
latitude=latitude,
longitude=longitude)
else:
result = {
"success": False,
"message":
"User does not have permission to add locations."
}
if result['success']:
return HttpResponse(json.dumps(result),
content_type="application/json")
result['form'] = form.as_table()
result['success'] = False
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
return HttpResponse(json.dumps({
'success': False,
'message': "Expected AJAX request."
}),
content_type="application/json")
def campaign_add(request, ctype, objectid):
"""
Attribute a Campaign to a top-level object. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:param ctype: CRITs type for the top-level object.
:type ctype: str
:param objectid: The ObjectId of the top-level object.
:type objectid: str
:returns: :class:`django.http.HttpResponse`
"""
user = request.user
if request.method == "POST" and request.is_ajax():
form = CampaignForm(request.POST)
result = {}
acl = get_acl_object(ctype)
if user.has_access_to(acl.CAMPAIGNS_ADD):
if form.is_valid():
data = form.cleaned_data
campaign = data['name']
confidence = data['confidence']
description = data['description']
related = data['related']
analyst = request.user.username
result = campaign_addh(campaign,
confidence,
description,
related,
analyst,
ctype,
objectid,
update=False)
if result['success']:
return HttpResponse(json.dumps(result),
content_type="application/json")
result['form'] = form.as_table()
result['success'] = False
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
result['success'] = False
result[
'message'] = 'User does not have permission to add campaign to TLO.'
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
return HttpResponse(json.dumps({
'success': False,
'message': "Expected AJAX request."
}),
content_type="application/json")
def obj_get_list(self, bundle, **kwargs):
"""
Placeholder for overriding the default tastypie function in the future.
"""
user = bundle.request.user
acl = get_acl_object(bundle.obj._meta['crits_type'])
if not acl or (bundle.obj._meta['crits_type'] == 'Screenshot' or user.has_access_to(acl.READ)):
return super(CRITsAPIResource, self).obj_get_list(bundle=bundle, **kwargs)
else:
raise NotImplementedError('You do not have access to this object.')
def campaign_add(request, ctype, objectid):
"""
Attribute a Campaign to a top-level object. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:param ctype: CRITs type for the top-level object.
:type ctype: str
:param objectid: The ObjectId of the top-level object.
:type objectid: str
:returns: :class:`django.http.HttpResponse`
"""
user = request.user
if request.method == "POST" and request.is_ajax():
form = CampaignForm(request.POST)
result = {}
acl = get_acl_object(ctype)
if user.has_access_to(acl.CAMPAIGNS_ADD):
if form.is_valid():
data = form.cleaned_data
campaign = data['name']
confidence = data['confidence']
description = data['description']
related = data['related']
analyst= request.user.username
result = campaign_addh(campaign,
confidence,
description,
related,
analyst,
ctype,
objectid,
update=False)
if result['success']:
return HttpResponse(json.dumps(result),
content_type="application/json")
result['form'] = form.as_table()
result['success'] = False
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
result['success'] = False
result['message'] = 'User does not have permission to add campaign to TLO.'
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
return HttpResponse(json.dumps({'success': False,
'message': "Expected AJAX request."}),
content_type="application/json")
def obj_create(self, bundle, **kwargs):
"""
Handles creating Comments through the API.
:param bundle: Bundle containing the information to create the Comment.
:type bundle: Tastypie Bundle object.
:returns: HttpResponse.
"""
user = bundle.request.user
comment = bundle.data.get('comment', None)
obj_type = bundle.data.get('object_type', None)
obj_id = bundle.data.get('object_id', None)
content = {'return_code': 1, 'type': 'Comment', 'success': False}
if not obj_type:
content['message'] = 'Must provide an object type.'
self.crits_response(content)
if not obj_id:
content['message'] = 'Must provide an object id.'
self.crits_response(content)
if not comment:
content['message'] = 'Must provide a comment.'
self.crits_response(content)
data = {
'comment': comment,
'object_type': obj_type,
'object_id': obj_id,
'url_key': obj_id
}
acl = get_acl_object(obj_type)
if user.has_access_to(acl.COMMENTS_ADD):
retVal = comment_add(data, obj_type, obj_id, '', {}, user.username)
else:
message = 'You do not have permission to add comment to type %s.' % obj_type
retVal = False
content['message'] = message
content['success'] = False
content['status_code'] = 1
if retVal and "Comment added successfully!" in retVal.content:
content['success'] = True
content['return_code'] = 0
content['message'] = 'Comment added successfully!'
self.crits_response(content)
def add_location(request, type_, id_):
"""
Attribute a location to a top-level object. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:param type_: CRITs type for the top-level object.
:type type_: str
:param id_: The ObjectId of the top-level object.
:type id_: str
:returns: :class:`django.http.HttpResponse`
"""
if request.method == "POST" and request.is_ajax():
form = AddLocationForm(request.POST)
result = {}
if form.is_valid():
data = form.cleaned_data
location_type = data['location_type']
location_name = data['country']
description = data['description']
latitude = data['latitude']
longitude = data['longitude']
user = request.user
acl = get_acl_object(type_)
if user.has_access_to(acl.LOCATIONS_ADD):
result = location_add(id_,
type_,
location_type,
location_name,
user,
description=description,
latitude=latitude,
longitude=longitude)
else:
result = {"success":False,
"message":"User does not have permission to add locations."}
if result['success']:
return HttpResponse(json.dumps(result),
content_type="application/json")
result['form'] = form.as_table()
result['success'] = False
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
return HttpResponse(json.dumps({'success': False,
'message': "Expected AJAX request."}),
content_type="application/json")
def obj_create(self, bundle, **kwargs):
"""
Handles creating Comments through the API.
:param bundle: Bundle containing the information to create the Comment.
:type bundle: Tastypie Bundle object.
:returns: HttpResponse.
"""
user = bundle.request.user
comment = bundle.data.get('comment', None)
obj_type = bundle.data.get('object_type', None)
obj_id = bundle.data.get('object_id', None)
content = {'return_code': 1,
'type': 'Comment',
'success': False}
if not obj_type:
content['message'] = 'Must provide an object type.'
self.crits_response(content)
if not obj_id:
content['message'] = 'Must provide an object id.'
self.crits_response(content)
if not comment:
content['message'] = 'Must provide a comment.'
self.crits_response(content)
data = {'comment': comment,
'object_type': obj_type,
'object_id': obj_id,
'url_key': obj_id}
acl = get_acl_object(obj_type)
if user.has_access_to(acl.COMMENTS_ADD):
retVal = comment_add(data, obj_type, obj_id, '', {}, user.username)
else:
message = 'You do not have permission to add comment to type %s.' % obj_type
retVal = False
content['message'] = message
content['success'] = False
content['status_code'] = 1
if retVal and "Comment added successfully!" in retVal.content:
content['success'] = True
content['return_code'] = 0
content['message'] = 'Comment added successfully!'
self.crits_response(content)
def obj_get_list(self, bundle, **kwargs):
"""
Placeholder for overriding the default tastypie function in the future.
"""
user = bundle.request.user
acl = get_acl_object(bundle.obj._meta['crits_type'])
if not acl or (bundle.obj._meta['crits_type'] == 'Screenshot'
or user.has_access_to(acl.READ)):
return super(CRITsAPIResource, self).obj_get_list(bundle=bundle,
**kwargs)
else:
raise NotImplementedError('You do not have access to this object.')
def break_relationship(request):
"""
Remove a relationship. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
if request.method == 'POST' and request.is_ajax():
acl = get_acl_object(request.POST['my_type'])
user = request.user
if user.has_access_to(acl.RELATIONSHIPS_DELETE):
results = delete_relationship(
left_type=request.POST['my_type'],
left_id=request.POST['my_value'],
right_type=request.POST['reverse_type'],
right_id=request.POST['dest_id'],
rel_type=request.POST['forward_relationship'],
rel_date=request.POST['relationship_date'],
analyst=request.user.username)
else:
results = {
"success": False,
"message":
"User does not have permission to delete relationship."
}
if results['success']:
relationship = {
'type': request.POST['my_type'],
'value': request.POST['my_value']
}
message = render_to_string(
'relationships_listing_widget.html', {
'relationship': relationship,
'nohide': True,
'relationships': results['relationships']
},
request=request)
result = {'success': True, 'message': message}
else:
message = "Error deleting relationship: %s" % results['message']
result = {'success': False, 'message': message}
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
error = "Expected AJAX POST"
return render(request, "error.html", {"error": error})
def update_relationship_confidence(request):
"""
Update relationship confidence. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
if request.method == 'POST' and request.is_ajax():
new_confidence = request.POST['new_confidence']
acls = get_acl_object(request.POST['my_type'])
user = request.user
if new_confidence not in ('unknown', 'low', 'medium', 'high'):
result = {'success': False, 'message': 'Unknown confidence level.'}
return HttpResponse(json.dumps(result),
content_type="application/json")
elif not user.has_access_to(acl.RELATIONSHIPS_EDIT):
result = {
'success': False,
'message':
'User does not have permission to edit relationship.'
}
else:
result = update_relationship_confidences(
left_type=request.POST['my_type'],
left_id=request.POST['my_value'],
right_type=request.POST['reverse_type'],
right_id=request.POST['dest_id'],
rel_type=request.POST['forward_relationship'],
rel_date=request.POST['relationship_date'],
analyst=request.user.username,
new_confidence=new_confidence)
if result['success']:
message = "Successfully updated relationship: %s" % result[
'message']
result = {'success': True, 'message': message}
else:
message = "Error updating relationship: %s" % result['message']
result = {'success': False, 'message': message}
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
error = "Expected AJAX POST"
return render(request, "error.html", {"error": error})
def delete_this_object(request):
"""
Delete an object. Should be an AJAX POST.
:param request: The Django request.
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
error = ""
if request.method == 'POST':
if request.is_ajax():
type_ = request.POST['coll']
oid = request.POST['oid']
user = request.user
result = ""
message = ""
object_type = request.POST.get('object_type')
value = request.POST['value']
acl = get_acl_object(type_)
if user.has_access_to(acl.OBJECTS_DELETE):
results = delete_object(type_,
oid,
object_type,
value,
user.username)
else:
results = {'success': False,
'message':'User does not have permission to delete objects.'}
if results['success']:
message = results['message']
result = {'success': True, 'message': message}
else:
message = "Error deleting object: %s" % results['message']
result = {'success': False, 'message': message}
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
error = "Expected AJAX"
else:
error = "Expected POST"
return render_to_response("error.html",
{"error" : error },
RequestContext(request))
def add_update_comment(request, method, obj_type, obj_id):
"""
Add/update a comment for a top-level object. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:param method: If this is a new comment or an update (set to "update").
:type method: str
:param obj_type: The type of the top-level object.
:type obj_type: str
:param obj_id: The ObjectId of the top-level object.
:type obj_id: str
:returns: :class:`django.http.HttpResponse`
"""
if request.method == "POST" and request.is_ajax():
form = AddCommentForm(request.POST)
if form.is_valid():
cleaned_data = form.cleaned_data
subscr = cleaned_data.get('subscribable', False)
user = request.user
acl = get_acl_object(obj_type)
if method == "update":
if user.has_access_to(acl.COMMENTS_EDIT):
return comment_update(cleaned_data, obj_type, obj_id,
subscr, user.username)
else:
result = {"success":False,
"message":"User does not have permission to edit comments."}
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
if user.has_access_to(acl.COMMENTS_ADD):
return comment_add(cleaned_data, obj_type, obj_id, method,
subscr, user.username)
else:
result = {"success":False,
"message":"User does not have permission to add comments."}
return HttpResponse(json.dumps(result),
content_type="application/json")
return HttpResponse(json.dumps({'success':False,
'form':form.as_table()}),
content_type="application/json")
return render_to_response("error.html", {'error':'Expected AJAX/POST'})
def delete_this_object(request):
"""
Delete an object. Should be an AJAX POST.
:param request: The Django request.
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
error = ""
if request.method == 'POST':
if request.is_ajax():
type_ = request.POST['coll']
oid = request.POST['oid']
user = request.user
result = ""
message = ""
object_type = request.POST.get('object_type')
value = request.POST['value']
acl = get_acl_object(type_)
if user.has_access_to(acl.OBJECTS_DELETE):
results = delete_object(type_,
oid,
object_type,
value,
user.username)
else:
results = {'success': False,
'message':'User does not have permission to delete objects.'}
if results['success']:
message = results['message']
result = {'success': True, 'message': message}
else:
message = "Error deleting object: %s" % results['message']
result = {'success': False, 'message': message}
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
error = "Expected AJAX"
else:
error = "Expected POST"
return render_to_response("error.html",
{"error" : error },
RequestContext(request))
def update_relationship_confidence(request):
"""
Update relationship confidence. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
if request.method == 'POST' and request.is_ajax():
new_confidence = request.POST['new_confidence']
acls = get_acl_object(request.POST['my_type'])
user = request.user
if new_confidence not in ('unknown', 'low', 'medium', 'high'):
result = {'success': False,
'message': 'Unknown confidence level.'}
return HttpResponse(json.dumps(result), content_type="application/json")
elif not user.has_access_to(acl.RELATIONSHIPS_EDIT):
result = {'success': False,
'message': 'User does not have permission to edit relationship.'}
else:
result = update_relationship_confidences(left_type=request.POST['my_type'],
left_id=request.POST['my_value'],
right_type=request.POST['reverse_type'],
right_id=request.POST['dest_id'],
rel_type=request.POST['forward_relationship'],
rel_date=request.POST['relationship_date'],
analyst=request.user.username,
new_confidence=new_confidence)
if result['success']:
message = "Successfully updated relationship: %s" % result['message']
result = {'success': True, 'message': message}
else:
message = "Error updating relationship: %s" % result['message']
result = {'success': False, 'message': message}
return HttpResponse(json.dumps(result), content_type="application/json")
else:
error = "Expected AJAX POST"
return render_to_response("error.html",
{"error" : error },
RequestContext(request))
def edit_location(request, type_, id_):
"""
Edit a location. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
if request.method == 'POST':
location_type = request.POST.get('location_type', None)
location_name = request.POST.get('location_name', None)
date = request.POST.get('date', None)
description = request.POST.get('description', None)
latitude = request.POST.get('latitude', None)
longitude = request.POST.get('longitude', None)
user = request.user
acl = get_acl_object(type_)
if user.has_access_to(acl.LOCATIONS_EDIT):
return HttpResponse(json.dumps(
location_edit(type_,
id_,
location_name,
location_type,
date,
user,
description=description,
latitude=latitude,
longitude=longitude)),
content_type="application/json")
else:
result = {
"success": False,
"message": "User does not have permission to edit location."
}
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
error = "Expected POST"
return render_to_response("error.html", {"error": error},
RequestContext(request))
def break_relationship(request):
"""
Remove a relationship. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
if request.method == 'POST' and request.is_ajax():
acl = get_acl_object(request.POST['my_type'])
user = request.user
if user.has_access_to(acl.RELATIONSHIPS_DELETE):
results = delete_relationship(left_type=request.POST['my_type'],
left_id=request.POST['my_value'],
right_type=request.POST['reverse_type'],
right_id=request.POST['dest_id'],
rel_type=request.POST['forward_relationship'],
rel_date=request.POST['relationship_date'],
analyst=request.user.username)
else:
results = {"success":False,
"message":"User does not have permission to delete relationship."}
if results['success']:
relationship = {'type': request.POST['my_type'],
'value': request.POST['my_value']}
message = render_to_string('relationships_listing_widget.html',
{'relationship': relationship,
'nohide': True,
'relationships': results['relationships']},
RequestContext(request))
result = {'success': True, 'message': message}
else:
message = "Error deleting relationship: %s" % results['message']
result = {'success': False, 'message': message}
return HttpResponse(json.dumps(result), content_type="application/json")
else:
error = "Expected AJAX POST"
return render_to_response("error.html",
{"error" : error },
RequestContext(request))
def update_objects_value(request):
"""
Update an object's value. Should be an AJAX POST.
:param request: The Django request.
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
if request.method == 'POST' and request.is_ajax():
type_ = request.POST['coll']
oid = request.POST['oid']
object_type = request.POST.get('type')
value = request.POST['value']
new_value = request.POST['new_value']
user = request.user
acl = get_acl_object(type_)
if user.has_access_to(acl.OBJECTS_EDIT):
results = update_object_value(type_,
oid,
object_type,
value,
new_value,
user)
else:
results = {'success':False,
'message':'User does not have permission to modify object.'}
if results['success']:
message = "Successfully updated object value: %s" % results['message']
result = {'success': True, 'message': message}
else:
message = "Error updating object value: %s" % results['message']
result = {'success': False, 'message': message}
return HttpResponse(json.dumps(result), content_type="application/json")
else:
error = "Expected AJAX POST"
return render_to_response("error.html",
{"error" : error },
RequestContext(request))
def update_objects_value(request):
"""
Update an object's value. Should be an AJAX POST.
:param request: The Django request.
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
if request.method == 'POST' and request.is_ajax():
type_ = request.POST['coll']
oid = request.POST['oid']
object_type = request.POST.get('type')
value = request.POST['value']
new_value = request.POST['new_value']
user = request.user
acl = get_acl_object(type_)
if user.has_access_to(acl.OBJECTS_EDIT):
results = update_object_value(type_,
oid,
object_type,
value,
new_value,
user)
else:
results = {'success':False,
'message':'User does not have permission to modify object.'}
if results['success']:
message = "Successfully updated object value: %s" % results['message']
result = {'success': True, 'message': message}
else:
message = "Error updating object value: %s" % results['message']
result = {'success': False, 'message': message}
return HttpResponse(json.dumps(result), content_type="application/json")
else:
error = "Expected AJAX POST"
return render_to_response("error.html",
{"error" : error },
RequestContext(request))
def edit_location(request, type_, id_):
"""
Edit a location. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
if request.method == 'POST':
location_type = request.POST.get('location_type', None)
location_name = request.POST.get('location_name', None)
date = request.POST.get('date', None)
description = request.POST.get('description', None)
latitude = request.POST.get('latitude', None)
longitude = request.POST.get('longitude', None)
user = request.user
acl = get_acl_object(type_)
if user.has_access_to(acl.LOCATIONS_EDIT):
return HttpResponse(json.dumps(location_edit(type_,
id_,
location_name,
location_type,
date,
user,
description=description,
latitude=latitude,
longitude=longitude)),
content_type="application/json")
else:
result = {"success":False,
"message":"User does not have permission to edit location."}
return HttpResponse(json.dumps(result), content_type="application/json")
else:
error = "Expected POST"
return render_to_response("error.html",
{"error": error},
RequestContext(request))
def remove_location(request, type_, id_):
"""
Remove an attributed location from a top-level object. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:param type_: CRITs type for the top-level object.
:type type_: str
:param id_: The ObjectId of the top-level object.
:type id_: str
:returns: :class:`django.http.HttpResponse`
"""
if request.method == "POST" and request.is_ajax():
data = request.POST
location_name = data.get('key').split('|')[0]
location_type = data.get('key').split('|')[1]
date = data.get('key').split('|')[2]
user = request.user
acl = get_acl_object(type_)
if user.has_access_to(acl.LOCATIONS_DELETE):
result = location_remove(id_,
type_,
location_name=location_name,
location_type=location_type,
date=date,
user=request.user.username)
return HttpResponse(json.dumps(result), content_type="application/json")
else:
result = {"success":False,
"message":"User does not have permission to remove location."}
return HttpResponse(json.dumps(result), content_type="application/json")
else:
return render_to_response("error.html",
{"error": 'Expected AJAX POST.'},
RequestContext(request))
def update_relationship_type(request):
"""
Update relationship type. Should be an AJAX POST.
:param request: Django request object (Required)
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
if request.method == 'POST' and request.is_ajax():
user = request.user
acl = get_acl_object(request.POST['my_type'])
if user.has_access_to(acl.RELATIONSHIPS_EDIT):
results = update_relationship_types(left_type=request.POST['my_type'],
left_id=request.POST['my_value'],
right_type=request.POST['reverse_type'],
right_id=request.POST['dest_id'],
rel_type=request.POST['forward_relationship'],
rel_date=request.POST['relationship_date'],
new_type=request.POST['new_relationship'],
analyst=request.user.username)
else:
results = {'success':False,
'message':'User does not have permission to update relationship.'}
if results['success']:
message = "Successfully updated relationship: %s" % results['message']
result = {'success': True, 'message': message}
else:
message = "Error updating relationship: %s" % results['message']
result = {'success': False, 'message': message}
return HttpResponse(json.dumps(result), content_type="application/json")
else:
error = "Expected AJAX POST"
return render_to_response("error.html",
{"error" : error },
RequestContext(request))
def get_table_data(request=None,
obj=None,
user=None,
searchTerm="",
search_type=None,
includes=[],
excludes=[],
maxRows=25,
sort={},
pageNumber=1):
"""
gets the records needed for the table, can be called via ajax on the
saved_search.html or the above ConstructTable function
"""
from crits.core.handlers import get_query, data_query
response = {"Result": "ERROR"}
obj_type = get_obj_type_from_string(obj)
acl = get_acl_object(obj)
if not user:
user = request.user
# Build the query
term = ""
#if its being called from saved_search.html
if not user.has_access_to(acl.READ):
resp = {}
resp['Result'] = "ERROR"
resp['msg'] = "User does not have permission to view object."
resp['Records'] = ""
elif request and request.is_ajax():
resp = get_query(obj_type, request)
#if its calling to get data for the dashbaord
elif user and search_type:
resp = get_query_without_request(obj_type, user, searchTerm,
search_type)
else:
return HttpResponse(json.dumps(response, default=json_handler),
content_type="application/json")
if resp['Result'] in ["ERROR", "IGNORE"]:
return resp
query = resp['query']
term = resp['term']
sortBy = []
if 'direction' in sort:
if sort['direction'] == 'asc':
sortBy.append(sort['field'])
elif sort['direction'] == 'desc':
sortBy.append("-" + sort['field'])
skip = (int(pageNumber) - 1) * 25
if request:
response = data_query(obj_type,
user=request.user,
query=query,
projection=includes,
limit=int(maxRows),
sort=sortBy,
skip=skip)
else:
response = data_query(obj_type,
user=user,
query=query,
projection=includes,
limit=maxRows,
sort=sortBy,
skip=skip)
if response['result'] == "ERROR":
return {'Result': "ERROR", 'Message': response['msg']}
response['crits_type'] = obj_type
# Escape term for rendering in the UI.
response['term'] = cgi.escape(term)
response['data'] = response['data'].to_dict(excludes, includes)
response['Records'] = parseDocObjectsToStrings(response.pop('data'), obj)
response['TotalRecordCount'] = response.pop('count')
response['Result'] = response.pop('result')
if request:
return HttpResponse(json.dumps(response, default=json_handler),
content_type="application/json")
else:
return response
def obj_create(self, bundle, **kwargs):
"""
Handles creating Screenshots through the API.
:param bundle: Bundle containing the information to create the
Screenshot.
:type bundle: Tastypie Bundle object.
:returns: HttpResponse.
"""
user = bundle.request.user
type_ = bundle.data.get('upload_type', None)
content = {'return_code': 1, 'type': 'Screenshot'}
if not type_:
content['message'] = 'Must provide an upload type.'
self.crits_response(content)
if type_ not in ('ids', 'screenshot'):
content['message'] = 'Not a valid upload type.'
self.crits_response(content)
if type_ == 'ids':
screenshot_ids = bundle.data.get('screenshot_ids', None)
screenshot = None
elif type_ == 'screenshot':
screenshot = bundle.data.get('filedata', None)
screenshot_ids = None
if not screenshot:
content[
'message'] = "Upload type of 'screenshot' but no file uploaded."
self.crits_response(content)
description = bundle.data.get('description', None)
tags = bundle.data.get('tags', None)
source = bundle.data.get('source', None)
method = bundle.data.get('method', None)
reference = bundle.data.get('reference', None)
tlp = bundle.data.get('tlp', 'amber')
oid = bundle.data.get('oid', None)
otype = bundle.data.get('otype', None)
if not oid or not otype or not source or not (screenshot
or screenshot_ids):
content['message'] = "You must provide a valid set of information."
self.crits_response(content)
acl = get_acl_object(otype)
if not user.has_access_to(acl.SCREENSHOTS_ADD):
content[
'message'] = 'User does not have permission to create Object.'
self.crits_response(content)
result = add_screenshot(description, tags, source, method, reference,
tlp, user.username, screenshot, screenshot_ids,
oid, otype)
if result.get('message'):
content['message'] = result.get('message')
if result.get('id'):
url = reverse('api_dispatch_detail',
kwargs={
'resource_name': 'screenshots',
'api_name': 'v1',
'pk': result.get('id')
})
content['url'] = url
content['id'] = result.get('id')
if result['success']:
content['return_code'] = 0
self.crits_response(content)
def add_new_object(request):
"""
Add a new object.
:param request: The Django request.
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
if request.method == 'POST':
analyst = "%s" % request.user
user = request.user
result = ""
message = ""
my_type = request.POST['otype']
acl = get_acl_object(my_type)
if user.has_access_to(acl.OBJECTS_ADD):
form = AddObjectForm(user,
request.POST,
request.FILES)
if not form.is_valid() and 'value' not in request.FILES:
message = "Invalid Form: %s" % form.errors
form = form.as_table()
response = json.dumps({'message': message,
'form': form,
'success': False})
if request.is_ajax():
return HttpResponse(response, content_type="application/json")
else:
return render_to_response("file_upload_response.html",
{'response':response},
RequestContext(request))
source = request.POST['source_name']
oid = request.POST['oid']
object_type = request.POST['object_type']
method = request.POST['source_method']
reference = request.POST['source_reference']
tlp = request.POST['source_tlp']
add_indicator = request.POST.get('add_indicator', None)
data = None
# if it was a file upload, handle the file appropriately
if 'value' in request.FILES:
data = request.FILES['value']
value = request.POST.get('value', None)
if isinstance(value, basestring):
value = value.strip()
results = add_object(my_type,
oid,
object_type,
source,
method,
reference,
tlp,
user.username,
value=value,
file_=data,
add_indicator=add_indicator,
is_sort_relationships=True)
else:
results = {'success':False,
'message':'User does not have permission to add object'}
if results['success']:
subscription = {
'type': my_type,
'id': oid
}
if results.get('relationships', None):
relationship = {'type': my_type,
'value': oid}
relationships = results['relationships']
html = render_to_string('objects_listing_widget.html',
{'objects': results['objects'],
'relationships': relationships,
'subscription': subscription},
RequestContext(request))
result = {'success': True,
'html': html,
'message': results['message']}
rel_msg = render_to_string('relationships_listing_widget.html',
{'relationship': relationship,
'nohide': True,
'relationships': relationships},
RequestContext(request))
result['rel_made'] = True
result['rel_msg'] = rel_msg
else:
html = render_to_string('objects_listing_widget.html',
{'objects': results['objects'],
'subscription': subscription},
RequestContext(request))
result = {'success': True,
'html': html,
'message': results['message']}
else:
message = "Error adding object: %s" % results['message']
result = {'success': False, 'message': message}
if request.is_ajax():
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
return render_to_response("file_upload_response.html",
{'response': json.dumps(result)},
RequestContext(request))
else:
error = "Expected POST"
return render_to_response("error.html",
{"error" : error },
RequestContext(request))
def bulk_add_object_inline(request):
"""
Bulk add objects inline.
:param request: The Django request.
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
formdict = form_to_dict(AddObjectForm(request.user))
if request.method == "POST" and request.is_ajax():
user = request.user
acl = get_acl_object(request.POST['otype'])
if user.has_access_to(acl.OBJECTS_ADD):
response = parse_bulk_upload(
request,
parse_row_to_bound_object_form,
add_new_handler_object_via_bulk,
formdict)
secondary_data_array = response.get('secondary')
if secondary_data_array:
latest_secondary_data = secondary_data_array[-1]
class_type = class_from_id(
latest_secondary_data['type'],
latest_secondary_data['id'])
subscription = {'type': latest_secondary_data['type'],
'id': latest_secondary_data['id'],
'value': latest_secondary_data['id']}
object_listing_html = render_to_string('objects_listing_widget.html',
{'objects': class_type.sort_objects(),
'subscription': subscription},
RequestContext(request))
response['html'] = object_listing_html
is_relationship_made = False
for secondary_data in secondary_data_array:
if secondary_data.get('relationships'):
is_relationship_made = True
break
if is_relationship_made == True:
rel_html = render_to_string('relationships_listing_widget.html',
{'relationship': subscription,
'relationships': class_type.sort_relationships(request.user, meta=True)},
RequestContext(request))
response['rel_msg'] = rel_html
response['rel_made'] = True
return HttpResponse(json.dumps(response,
default=json_handler),
content_type="application/json")
else:
is_prevent_initial_table = request.GET.get('isPreventInitialTable', False)
is_use_item_source = request.GET.get('useItemSource', False)
if is_use_item_source == True or is_use_item_source == "true":
otype = request.GET.get('otype')
oid = request.GET.get('oid')
# Get the item with the type and ID from the database
obj = class_from_id(otype, oid)
if obj:
source_field_name = get_source_field_for_class(otype)
if source_field_name:
# If the item has a source, then use the source value
# to set as the default source
if hasattr(obj, "source"):
source_field = get_field_from_label("source", formdict)
earliest_source = None
earliest_date = None
# Get the earliest source, compared by date
for source in obj.source:
for source_instance in source.instances:
if earliest_source == None or source_instance.date < earliest_date:
earliest_date = source_instance.date
earliest_source = source
if earliest_source:
source_field['initial'] = earliest_source.name
return render_to_response('bulk_add_object_inline.html',
{'formdict': formdict,
'title': "Bulk Add Objects",
'is_prevent_initial_table': is_prevent_initial_table,
'table_name': 'object_inline'},
RequestContext(request))
def get_table_data(request=None,obj=None,user=None,searchTerm="",
search_type=None, includes=[], excludes=[], maxRows=25,
sort={}, pageNumber=1):
"""
gets the records needed for the table, can be called via ajax on the
saved_search.html or the above ConstructTable function
"""
from crits.core.handlers import get_query, data_query
response = {"Result": "ERROR"}
obj_type = get_obj_type_from_string(obj)
acl = get_acl_object(obj)
if not user:
user = request.user
# Build the query
term = ""
#if its being called from saved_search.html
if not user.has_access_to(acl.READ):
resp = {}
resp['Result'] = "ERROR"
resp['msg'] = "User does not have permission to view object."
resp['Records'] = ""
elif request and request.is_ajax():
resp = get_query(obj_type, request)
#if its calling to get data for the dashbaord
elif user and search_type:
resp = get_query_without_request(obj_type, user, searchTerm, search_type)
else:
return HttpResponse(json.dumps(response, default=json_handler),
content_type="application/json")
if resp['Result'] in ["ERROR", "IGNORE"]:
return resp
query = resp['query']
term = resp['term']
sortBy = []
if 'direction' in sort:
if sort['direction'] == 'asc':
sortBy.append(sort['field'])
elif sort['direction'] == 'desc':
sortBy.append("-"+sort['field'])
skip = (int(pageNumber)-1)*25
if request:
response = data_query(obj_type, user=request.user, query=query,
projection=includes, limit=int(maxRows), sort=sortBy, skip=skip)
else:
response = data_query(obj_type, user=user, query=query,
projection=includes, limit=maxRows, sort=sortBy,skip=skip)
if response['result'] == "ERROR":
return {'Result': "ERROR", 'Message': response['msg']}
response['crits_type'] = obj_type
# Escape term for rendering in the UI.
response['term'] = cgi.escape(term)
response['data'] = response['data'].to_dict(excludes, includes)
response['Records'] = parseDocObjectsToStrings(response.pop('data'), obj)
response['TotalRecordCount'] = response.pop('count')
response['Result'] = response.pop('result')
if request:
return HttpResponse(json.dumps(response, default=json_handler),
content_type="application/json")
else:
return response
def obj_create(self, bundle, **kwargs):
"""
Handles creating Screenshots through the API.
:param bundle: Bundle containing the information to create the
Screenshot.
:type bundle: Tastypie Bundle object.
:returns: HttpResponse.
"""
user = bundle.request.user
type_ = bundle.data.get('upload_type', None)
content = {'return_code': 1,
'type': 'Screenshot'}
if not type_:
content['message'] = 'Must provide an upload type.'
self.crits_response(content)
if type_ not in ('ids', 'screenshot'):
content['message'] = 'Not a valid upload type.'
self.crits_response(content)
if type_ == 'ids':
screenshot_ids = bundle.data.get('screenshot_ids', None)
screenshot = None
elif type_ == 'screenshot':
screenshot = bundle.data.get('filedata', None)
screenshot_ids = None
if not screenshot:
content['message'] = "Upload type of 'screenshot' but no file uploaded."
self.crits_response(content)
description = bundle.data.get('description', None)
tags = bundle.data.get('tags', None)
source = bundle.data.get('source', None)
method = bundle.data.get('method', None)
reference = bundle.data.get('reference', None)
tlp = bundle.data.get('tlp', 'amber')
oid = bundle.data.get('oid', None)
otype = bundle.data.get('otype', None)
if not oid or not otype or not source or not (screenshot or screenshot_ids):
content['message'] = "You must provide a valid set of information."
self.crits_response(content)
acl = get_acl_object(otype)
if not user.has_access_to(acl.SCREENSHOTS_ADD):
content['message'] = 'User does not have permission to create Object.'
self.crits_response(content)
result = add_screenshot(description, tags, source, method, reference,
tlp, user.username, screenshot, screenshot_ids, oid, otype)
if result.get('message'):
content['message'] = result.get('message')
if result.get('id'):
url = reverse('api_dispatch_detail',
kwargs={'resource_name': 'screenshots',
'api_name': 'v1',
'pk': result.get('id')})
content['url'] = url
content['id'] = result.get('id')
if result['success']:
content['return_code'] = 0
self.crits_response(content)
def add_new_object(request):
"""
Add a new object.
:param request: The Django request.
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
if request.method == 'POST':
analyst = "%s" % request.user
user = request.user
result = ""
message = ""
my_type = request.POST['otype']
acl = get_acl_object(my_type)
if user.has_access_to(acl.OBJECTS_ADD):
form = AddObjectForm(user, request.POST, request.FILES)
if not form.is_valid() and 'value' not in request.FILES:
message = "Invalid Form: %s" % form.errors
form = form.as_table()
response = json.dumps({
'message': message,
'form': form,
'success': False
})
if request.is_ajax():
return HttpResponse(response,
content_type="application/json")
else:
return render_to_response("file_upload_response.html",
{'response': response},
RequestContext(request))
source = request.POST['source_name']
oid = request.POST['oid']
object_type = request.POST['object_type']
method = request.POST['source_method']
reference = request.POST['source_reference']
tlp = request.POST['source_tlp']
add_indicator = request.POST.get('add_indicator', None)
data = None
# if it was a file upload, handle the file appropriately
if 'value' in request.FILES:
data = request.FILES['value']
value = request.POST.get('value', None)
if isinstance(value, basestring):
value = value.strip()
results = add_object(my_type,
oid,
object_type,
source,
method,
reference,
tlp,
user.username,
value=value,
file_=data,
add_indicator=add_indicator,
is_sort_relationships=True)
else:
results = {
'success': False,
'message': 'User does not have permission to add object'
}
if results['success']:
subscription = {'type': my_type, 'id': oid}
if results.get('relationships', None):
relationship = {'type': my_type, 'value': oid}
relationships = results['relationships']
html = render_to_string(
'objects_listing_widget.html', {
'objects': results['objects'],
'relationships': relationships,
'subscription': subscription
}, RequestContext(request))
result = {
'success': True,
'html': html,
'message': results['message']
}
rel_msg = render_to_string(
'relationships_listing_widget.html', {
'relationship': relationship,
'nohide': True,
'relationships': relationships
}, RequestContext(request))
result['rel_made'] = True
result['rel_msg'] = rel_msg
else:
html = render_to_string('objects_listing_widget.html', {
'objects': results['objects'],
'subscription': subscription
}, RequestContext(request))
result = {
'success': True,
'html': html,
'message': results['message']
}
else:
message = "Error adding object: %s" % results['message']
result = {'success': False, 'message': message}
if request.is_ajax():
return HttpResponse(json.dumps(result),
content_type="application/json")
else:
return render_to_response("file_upload_response.html",
{'response': json.dumps(result)},
RequestContext(request))
else:
error = "Expected POST"
return render_to_response("error.html", {"error": error},
RequestContext(request))
def bulk_add_object_inline(request):
"""
Bulk add objects inline.
:param request: The Django request.
:type request: :class:`django.http.HttpRequest`
:returns: :class:`django.http.HttpResponse`
"""
formdict = form_to_dict(AddObjectForm(request.user))
if request.method == "POST" and request.is_ajax():
user = request.user
acl = get_acl_object(request.POST['otype'])
if user.has_access_to(acl.OBJECTS_ADD):
response = parse_bulk_upload(request,
parse_row_to_bound_object_form,
add_new_handler_object_via_bulk,
formdict)
secondary_data_array = response.get('secondary')
if secondary_data_array:
latest_secondary_data = secondary_data_array[-1]
class_type = class_from_id(latest_secondary_data['type'],
latest_secondary_data['id'])
subscription = {
'type': latest_secondary_data['type'],
'id': latest_secondary_data['id'],
'value': latest_secondary_data['id']
}
object_listing_html = render_to_string(
'objects_listing_widget.html', {
'objects': class_type.sort_objects(),
'subscription': subscription
}, RequestContext(request))
response['html'] = object_listing_html
is_relationship_made = False
for secondary_data in secondary_data_array:
if secondary_data.get('relationships'):
is_relationship_made = True
break
if is_relationship_made == True:
rel_html = render_to_string(
'relationships_listing_widget.html', {
'relationship':
subscription,
'relationships':
class_type.sort_relationships(request.user,
meta=True)
}, RequestContext(request))
response['rel_msg'] = rel_html
response['rel_made'] = True
return HttpResponse(json.dumps(response, default=json_handler),
content_type="application/json")
else:
is_prevent_initial_table = request.GET.get('isPreventInitialTable',
False)
is_use_item_source = request.GET.get('useItemSource', False)
if is_use_item_source == True or is_use_item_source == "true":
otype = request.GET.get('otype')
oid = request.GET.get('oid')
# Get the item with the type and ID from the database
obj = class_from_id(otype, oid)
if obj:
source_field_name = get_source_field_for_class(otype)
if source_field_name:
# If the item has a source, then use the source value
# to set as the default source
if hasattr(obj, "source"):
source_field = get_field_from_label("source", formdict)
earliest_source = None
earliest_date = None
# Get the earliest source, compared by date
for source in obj.source:
for source_instance in source.instances:
if earliest_source == None or source_instance.date < earliest_date:
earliest_date = source_instance.date
earliest_source = source
if earliest_source:
source_field['initial'] = earliest_source.name
return render_to_response(
'bulk_add_object_inline.html', {
'formdict': formdict,
'title': "Bulk Add Objects",
'is_prevent_initial_table': is_prevent_initial_table,
'table_name': 'object_inline'
}, RequestContext(request))
