def route_requirement_delete(component_id, requirement_id):
# get firmware component
rq = db.session.query(Requirement).filter(
Requirement.requirement_id == requirement_id).first()
if not rq:
flash('No requirement matched!', 'danger')
return redirect(
url_for('components.route_show', component_id=component_id))
# get the firmware for the requirement
md = rq.md
if md.component_id != component_id:
return _error_internal('Wrong component ID for requirement!')
if not md:
return _error_internal('No metadata matched!')
# security check
if not md.check_acl('@modify-requirements'):
flash('Permission denied: Unable to modify other vendor firmware',
'danger')
return redirect(
url_for('components.route_show', component_id=component_id))
# remove chid
db.session.delete(rq)
md.fw.mark_dirty()
db.session.commit()
# log
flash('Removed requirement %s' % rq.value, 'info')
return redirect(
url_for('components.route_show',
component_id=md.component_id,
page='requires'))
def route_shard_search(kind, value):
"""
Show firmware with shards that match the value
"""
if kind == 'guid':
fws = db.session.query(Firmware).\
join(Component).\
join(ComponentShard).\
filter(ComponentShard.guid == value).\
order_by(Firmware.firmware_id.desc()).all()
elif kind == 'checksum':
fws = db.session.query(Firmware).\
join(Component).\
join(ComponentShard).\
join(ComponentShardChecksum).\
filter(ComponentShardChecksum.value == value).\
order_by(Firmware.firmware_id.desc()).all()
else:
return _error_internal('Invalid kind!')
if not fws:
return _error_internal('No shards matched!')
# filter by ACL
fws_safe = []
for fw in fws:
if fw.check_acl('@view'):
fws_safe.append(fw)
return render_template('firmware-search.html',
category='firmware',
state='search',
remote=None,
fws=fws_safe)
def route_login_oauth_authorized(plugin_id):
# find the plugin that can authenticate us
p = ploader.get_by_id(plugin_id)
if not p:
_error_internal('no plugin {}'.format(plugin_id))
if not hasattr(p, 'oauth_get_data'):
return _error_internal(
'no oauth support in plugin {}'.format(plugin_id))
try:
data = p.oauth_get_data()
if 'userPrincipalName' not in data:
return _error_internal('No userPrincipalName in profile')
except PluginError as e:
return _error_internal(str(e))
# auth check
created_account = False
user = db.session.query(User).filter(
User.username == data['userPrincipalName']).first()
if not user:
user = _create_user_for_oauth_username(data['userPrincipalName'])
if user:
db.session.add(user)
db.session.commit()
_event_log('Auto created user of type %s for vendor %s' %
(user.auth_type, user.vendor.group_id))
created_account = True
if not user:
flash('Failed to log in: no user for %s' % data['userPrincipalName'],
'danger')
return redirect(url_for('main.route_index'))
if not user.auth_type:
flash('Failed to log in: User account %s is disabled' % user.username,
'danger')
return redirect(url_for('main.route_index'))
if user.auth_type != 'oauth':
flash('Failed to log in: Only some accounts can log in using OAuth',
'danger')
return redirect(url_for('main.route_index'))
# sync the display name
if 'displayName' in data:
if user.display_name != data['displayName']:
user.display_name = data['displayName']
db.session.commit()
# success
login_user(user, remember=False)
g.user = user
if created_account:
flash('Logged in, and created account', 'info')
else:
flash('Logged in', 'info')
# set the access time
user.atime = datetime.datetime.utcnow()
db.session.commit()
return redirect(url_for('main.route_dashboard'))
def route_requirement_create(component_id):
""" Adds a requirement to a component """
# check we have data
for key in ['kind', 'value']:
if key not in request.form or not request.form[key]:
return _error_internal('No %s specified!' % key)
if request.form['kind'] not in ['hardware', 'firmware', 'id']:
return _error_internal('No valid kind specified!')
# get firmware component
md = db.session.query(Component).\
filter(Component.component_id == component_id).first()
if not md:
flash('No component matched!', 'danger')
return redirect(url_for('firmware.route_firmware'))
# security check
if not md.check_acl('@modify-requirements'):
flash('Permission denied: Unable to modify other vendor firmware',
'danger')
return redirect(
url_for('components.route_show', component_id=component_id))
# validate CHID is a valid GUID
if request.form['kind'] == 'hardware' and not _validate_guid(
request.form['value']):
flash(
'Cannot add requirement: %s is not a valid GUID' %
request.form['value'], 'warning')
return redirect(
url_for('components.route_show',
component_id=md.component_id,
page='requires'))
# support empty too
compare = request.form.get('compare', None)
if not compare:
compare = None
version = request.form.get('version', None)
if not version:
version = None
depth = request.form.get('depth', None)
if not depth:
depth = None
# add requirement
rq = Requirement(kind=request.form['kind'],
value=request.form['value'].strip(),
compare=compare,
version=version,
depth=depth)
md.requirements.append(rq)
md.fw.mark_dirty()
db.session.commit()
flash('Added requirement', 'info')
return redirect(
url_for('components.route_show',
component_id=md.component_id,
page='requires'))
def route_keyword_delete(component_id, keyword_id):
# get firmware component
kw = db.session.query(Keyword).filter(
Keyword.keyword_id == keyword_id).first()
if not kw:
flash('No keyword matched!', 'danger')
return redirect(
url_for('components.route_show', component_id=component_id))
# get the firmware for the keyword
md = kw.md
if md.component_id != component_id:
return _error_internal('Wrong component ID for keyword!')
if not md:
return _error_internal('No metadata matched!')
# security check
if not md.check_acl('@modify-keywords'):
flash('Permission denied: Unable to modify other vendor firmware',
'danger')
return redirect(
url_for('components.route_show', component_id=component_id))
# remove chid
db.session.delete(kw)
md.fw.mark_dirty()
db.session.commit()
# log
flash('Removed keyword %s' % kw.value, 'info')
return redirect(
url_for('components.route_show',
component_id=md.component_id,
page='keywords'))
def route_certificate_create():
# only accept form data
if request.method != 'POST':
return redirect(url_for('main.route_profile'), code=302)
# security check
if not g.user.check_acl('@view-profile'):
flash('Permission denied: Unable to add certificate as account locked',
'danger')
return redirect(url_for('main.route_dashboard'))
# check was sent
if not 'file' in request.files:
return _error_internal('No file')
fileitem = request.files['file']
if not fileitem:
return _error_internal('No file object')
try:
text = fileitem.read().decode('utf8')
except UnicodeDecodeError as e:
flash('Invalid data received: %s' % str(e), 'warning')
return redirect(url_for('main.route_profile'), code=302)
if not text:
flash('No data recieved', 'warning')
return redirect(url_for('main.route_profile'), code=302)
if text.find('BEGIN CERTIFICATE') == -1:
flash('Certificate invalid, expected BEGIN CERTIFICATE', 'warning')
return redirect(url_for('main.route_profile'), code=302)
# get serial for blob
try:
info = _pkcs7_certificate_info(text)
except IOError as e:
flash('Certificate invalid, cannot parse: %s' % str(e), 'warning')
return redirect(url_for('main.route_profile'), code=302)
if 'serial' not in info:
flash('Certificate invalid, cannot parse serial', 'warning')
return redirect(url_for('main.route_profile'), code=302)
# check cert exists
crt = db.session.query(Certificate).filter(
Certificate.serial == info['serial']).first()
if crt:
flash('Certificate already in use', 'warning')
return redirect(url_for('main.route_profile'), code=302)
# success
crt = Certificate(g.user.user_id, info['serial'], text)
db.session.add(crt)
db.session.commit()
flash('Added client certificate with serial %s' % info['serial'],
'success')
return redirect(url_for('main.route_profile'), code=302)
def route_priority(issue_id, op):
# find issue
issue = db.session.query(Issue).\
filter(Issue.issue_id == issue_id).first()
if not issue:
flash('No issue found', 'info')
return redirect(url_for('issues.route_list'))
# security check
if not issue.check_acl('@modify'):
flash('Permission denied: Unable to change issue priority', 'danger')
return redirect(url_for('issues.route_list'))
# change integer priority
if op == 'up':
issue.priority += 1
elif op == 'down':
issue.priority -= 1
else:
return _error_internal('Operation %s invalid!', op)
db.session.commit()
# show details
return redirect(url_for('issues.route_list'))
def route_list_analytics(page):
vendors = db.session.query(Vendor).\
order_by(Vendor.display_name).\
options(joinedload('fws')).all()
if page == 'publicfw':
labels, data_stable, data_testing = _get_vendorlist_stats(vendors, _count_vendor_fws_public)
return render_template('vendorlist-analytics.html', vendors=vendors,
category='vendors',
title='Total number of public firmware files',
page=page, labels=labels,
data_stable=data_stable,
data_testing=data_testing)
if page == 'downloads':
labels, data_stable, data_testing = _get_vendorlist_stats(vendors, _count_vendor_fws_downloads)
return render_template('vendorlist-analytics.html', vendors=vendors,
category='vendors',
title='Percentage of firmware downloads',
page=page, labels=labels,
data_stable=_abs_to_pc(data_stable, data_testing),
data_testing=_abs_to_pc(data_testing, data_stable))
if page == 'devices':
labels, data_stable, data_testing = _get_vendorlist_stats(vendors, _count_vendor_fws_devices)
return render_template('vendorlist-analytics.html', vendors=vendors,
category='vendors',
title='Total number of supported devices',
page=page, labels=labels,
data_stable=data_stable,
data_testing=data_testing)
return _error_internal('Vendorlist kind invalid')
def route_checksum_delete(component_id, checksum_id):
# get firmware component
csum = db.session.query(Checksum).filter(Checksum.checksum_id == checksum_id).first()
if not csum:
flash('No checksum matched!', 'danger')
return redirect(url_for('components.route_show', component_id=component_id))
# get the component for the checksum
md = csum.md
if md.component_id != component_id:
flash('Wrong component ID for checksum', 'danger')
return redirect(url_for('components.route_show', component_id=component_id))
if not md:
return _error_internal('No metadata matched!')
# security check
if not md.check_acl('@modify-checksums'):
flash('Permission denied: Unable to modify other vendor firmware', 'danger')
return redirect(url_for('components.route_show', component_id=component_id))
# remove chid
md.fw.mark_dirty()
db.session.delete(csum)
db.session.commit()
# log
flash('Removed device checksum', 'info')
return redirect(url_for('components.route_show',
component_id=md.component_id,
page='checksums'))
def route_limit_create():
# get details about the firmware
fw = db.session.query(Firmware).\
filter(Firmware.firmware_id == request.form['firmware_id']).first()
if not fw:
flash('No firmware matched!', 'danger')
return redirect(url_for('firmware.route_firmware'))
# security check
if not fw.check_acl('@modify-limit'):
flash('Permission denied: Unable to add restriction', 'danger')
return redirect(
url_for('firmware.route_show', firmware_id=fw.firmware_id))
# ensure has enough data
for key in ['value', 'firmware_id']:
if key not in request.form:
return _error_internal('No %s form data found!', key)
# add restriction
fl = FirmwareLimit(firmware_id=request.form['firmware_id'],
value=request.form['value'],
user_agent_glob=request.form['user_agent_glob'],
response=request.form['response'])
db.session.add(fl)
db.session.commit()
fl.fw.mark_dirty()
db.session.commit()
flash('Added limit', 'info')
return redirect(
url_for('firmware.route_limits', firmware_id=fl.firmware_id))
def route_namespace_create(vendor_id):
""" Allows changing a vendor [ADMIN ONLY] """
# check exists
vendor = db.session.query(Vendor).filter(
Vendor.vendor_id == vendor_id).first()
if not vendor:
flash('Failed to get vendor details: No a vendor with that group ID',
'warning')
return redirect(url_for('vendors.route_list_admin'), 302)
if 'value' in request.form:
ns = Namespace(value=request.form['value'], user=g.user)
elif 'value' in request.args:
ns = Namespace(value=request.args['value'], user=g.user)
else:
return _error_internal('No value')
if not ns.is_valid:
flash(
'Failed to add namespace: Invalid value, expecting something like com.dell',
'warning')
return redirect(
url_for('vendors.route_namespaces', vendor_id=vendor_id))
vendor.namespaces.append(ns)
db.session.commit()
flash('Added namespace', 'info')
return redirect(url_for('vendors.route_namespaces', vendor_id=vendor_id),
302)
def route_firmware(state=None):
"""
Show all firmware uploaded by this user or vendor.
"""
# pre-filter by user ID or vendor
if g.user.check_acl('@analyst') or g.user.check_acl('@qa'):
stmt = db.session.query(Firmware).\
filter((Firmware.vendor_id == g.user.vendor.vendor_id) | \
(Firmware.vendor_odm_id == g.user.vendor.vendor_id))
else:
stmt = db.session.query(Firmware).\
filter(Firmware.user_id == g.user.user_id)
if not state:
remote = None
elif state == 'embargo':
remote = g.user.vendor.remote
stmt = stmt.filter(Firmware.remote_id == remote.remote_id)
elif state in ['private', 'testing', 'stable', 'deleted']:
remote = db.session.query(Remote).filter(Remote.name == state).one()
stmt = stmt.filter(Firmware.remote_id == remote.remote_id)
else:
return _error_internal('no state of %s' % state)
stmt = stmt.options(joinedload('tests'))
fws = stmt.order_by(Firmware.timestamp.desc()).all()
return render_template('firmware-search.html',
category='firmware',
state=state,
remote=remote,
fws=fws)
def route_modify(firmware_id):
""" Modifies the firmware properties """
# find firmware
fw = db.session.query(Firmware).filter(
Firmware.firmware_id == firmware_id).first()
if not fw:
return _error_internal("No firmware %s" % firmware_id)
# security check
if not fw.check_acl('@modify'):
flash('Permission denied: Insufficient permissions to modify firmware',
'danger')
return redirect(url_for('firmware.route_show',
firmware_id=firmware_id))
# set new metadata values
if 'failure_minimum' in request.form:
fw.failure_minimum = request.form['failure_minimum']
if 'failure_percentage' in request.form:
fw.failure_percentage = request.form['failure_percentage']
# modify
db.session.commit()
flash('Firmware updated', 'info')
return redirect(url_for('firmware.route_limits', firmware_id=firmware_id))
def route_keyword_create(component_id):
""" Adds one or more keywords to the existing component """
# check we have data
for key in ['value']:
if key not in request.form or not request.form[key]:
return _error_internal('No %s specified!' % key)
# get firmware component
md = db.session.query(Component).\
filter(Component.component_id == component_id).first()
if not md:
flash('No component matched!', 'danger')
return redirect(url_for('firmware.route_firmware'))
# security check
if not md.check_acl('@modify-keywords'):
flash('Permission denied: Unable to modify other vendor firmware',
'danger')
return redirect(
url_for('components.route_show', component_id=component_id))
# add keyword
md.add_keywords_from_string(request.form['value'])
md.fw.mark_dirty()
db.session.commit()
flash('Added keywords', 'info')
return redirect(
url_for('components.route_show',
component_id=md.component_id,
page='keywords'))
def route_upload(vendor_id):
# check exists
vendor = db.session.query(Vendor).filter(
Vendor.vendor_id == vendor_id).first()
if not vendor:
flash('Failed to modify vendor: No a vendor with that group ID',
'warning')
return redirect(url_for('vendors.route_list_admin'), 302)
# not correct parameters
if not 'file' in request.files:
return _error_internal('No file')
# write the pixmap
buf = request.files['file'].read()
hmac_dig = _vendor_hash(vendor)
fn = os.path.join(app.config['UPLOAD_DIR'],
'vendor-{}.png'.format(hmac_dig))
with open(fn, 'wb') as f:
f.write(buf)
vendor.icon = os.path.basename(fn)
db.session.commit()
flash('Modified vendor', 'info')
return redirect(url_for('vendors.route_show', vendor_id=vendor_id), 302)
def route_login_oauth(plugin_id):
# find the plugin that can authenticate us
p = ploader.get_by_id(plugin_id)
if not p:
return _error_internal('no plugin {}'.format(plugin_id))
if not p.oauth_authorize:
return _error_internal(
'no oauth support in plugin {}'.format(plugin_id))
try:
return p.oauth_authorize(
url_for('main.route_login_oauth_authorized',
plugin_id=plugin_id,
_external=True))
except PluginError as e:
return _error_internal(str(e))
def route_create():
""" Add a vendor [ADMIN ONLY] """
# only accept form data
if request.method != 'POST':
return redirect(url_for('vendors.route_list_admin'))
if not 'group_id' in request.form:
return _error_internal('Unable to add vendor as no data')
if db.session.query(Vendor).filter(Vendor.group_id == request.form['group_id']).first():
flash('Failed to add vendor: Group ID already exists', 'warning')
return redirect(url_for('vendors.route_list_admin'), 302)
if len(request.form['group_id']) > 80:
flash('Failed to add vendor: Group ID is too long', 'warning')
return redirect(url_for('vendors.route_list_admin'), 302)
r = Remote(name='embargo-%s' % request.form['group_id'])
db.session.add(r)
db.session.commit()
v = Vendor(group_id=request.form['group_id'], remote_id=r.remote_id)
db.session.add(v)
db.session.commit()
flash('Added vendor %s' % request.form['group_id'], 'info')
# asynchronously rebuilt
_async_regenerate_remote.apply_async(args=(r.remote_id,), queue='metadata')
return redirect(url_for('vendors.route_show', vendor_id=v.vendor_id), 302)
def route_undelete(firmware_id):
""" Undelete a firmware entry and also restore the file from disk """
# check firmware exists in database
fw = db.session.query(Firmware).filter(Firmware.firmware_id == firmware_id).first()
if not fw:
flash('No firmware {} exists'.format(firmware_id), 'danger')
return redirect(url_for('firmware.route_firmware'))
# security check
if not fw.check_acl('@undelete'):
flash('Permission denied: Insufficient permissions to undelete firmware', 'danger')
return redirect(url_for('firmware.route_show', firmware_id=firmware_id))
# find private remote
remote = db.session.query(Remote).filter(Remote.name == 'private').first()
if not remote:
return _error_internal('No private remote')
# move file back to the right place
path = os.path.join(app.config['RESTORE_DIR'], fw.filename)
if os.path.exists(path):
path_new = os.path.join(app.config['DOWNLOAD_DIR'], fw.filename)
shutil.move(path, path_new)
# put back to the private state
fw.remote_id = remote.remote_id
fw.events.append(FirmwareEvent(remote_id=fw.remote_id, user_id=g.user.user_id))
db.session.commit()
flash('Firmware undeleted', 'info')
return redirect(url_for('firmware.route_show', firmware_id=firmware_id))
def route_condition_create(issue_id):
# ensure has enough data
for key in ['key', 'value', 'compare']:
if key not in request.form:
return _error_internal('No %s form data found!' % key)
# security check
issue = db.session.query(Issue).\
filter(Issue.issue_id == issue_id).first()
if not issue:
flash('No issue found', 'info')
return redirect(url_for('issues.route_conditions', issue_id=issue_id))
if not issue.check_acl('@modify'):
flash('Permission denied: Unable to add condition to issue', 'danger')
return redirect(url_for('issues.route_list'))
# already exists
if db.session.query(Condition).\
filter(Condition.key == request.form['key']).\
filter(Condition.issue_id == issue_id).first():
flash('Failed to add condition to issue: Key %s already exists' % request.form['key'], 'info')
return redirect(url_for('issues.route_conditions', issue_id=issue_id))
# add condition
db.session.add(Condition(issue_id=issue_id,
key=request.form['key'],
value=request.form['value'],
compare=request.form['compare']))
db.session.commit()
flash('Added condition', 'info')
return redirect(url_for('issues.route_conditions', issue_id=issue_id))
def route_export_create(vendor_id):
# check exists
vendor = db.session.query(Vendor).filter(Vendor.vendor_id == vendor_id).first()
if not vendor:
flash('Failed to add affiliate: No a vendor with that ID', 'warning')
return redirect(url_for('vendors.route_exports', vendor_id=vendor_id), 302)
if not 'export_id' in request.form:
return _error_internal('No value')
# security check
if not vendor.check_acl('@modify-exports'):
flash('Permission denied: Unable to add vendor country', 'danger')
return redirect(url_for('vendors.route_show', vendor_id=vendor_id))
# check if it already exists
export_id = request.form['export_id']
export_ids = _convert_export_ids(vendor)
if export_id in export_ids:
flash('Failed to add country: Already blocked %s' % export_id, 'warning')
return redirect(url_for('vendors.route_exports', vendor_id=vendor_id), 302)
# add a new ODM -> OEM country
export_ids.append(export_id)
vendor.banned_country_codes = ','.join(export_ids)
db.session.commit()
flash('Added blocked country %s' % export_id, 'info')
return redirect(url_for('vendors.route_exports', vendor_id=vendor_id), 302)
def route_checksum_create(component_id):
""" Adds a checksum to a component """
# check we have data
for key in ['value']:
if key not in request.form or not request.form[key]:
return _error_internal('No %s specified!' % key)
# get firmware component
md = db.session.query(Component).\
filter(Component.component_id == component_id).first()
if not md:
flash('No component matched!', 'danger')
return redirect(url_for('firmware.route_firmware'))
# security check
if not md.check_acl('@modify-checksums'):
flash('Permission denied: Unable to modify other vendor firmware',
'danger')
return redirect(
url_for('components.route_show', component_id=component_id))
# validate is a valid hash
hash_value = request.form['value']
if _is_sha1(hash_value):
hash_kind = 'SHA1'
elif _is_sha256(hash_value):
hash_kind = 'SHA256'
else:
flash('%s is not a recognised SHA1 or SHA256 hash' % hash_value,
'warning')
return redirect(
url_for('components.route_show',
component_id=md.component_id,
page='checksums'))
# check it's not already been added
for csum in md.device_checksums:
if csum.value == hash_value:
flash('%s has already been added' % hash_value, 'warning')
return redirect(
url_for('components.route_show',
component_id=md.component_id,
page='checksums'))
# add checksum
csum = Checksum(kind=hash_kind, value=hash_value)
md.device_checksums.append(csum)
md.fw.mark_dirty()
md.fw.signed_timestamp = None
db.session.commit()
_async_sign_fw.apply_async(args=(md.fw.firmware_id, ), queue='firmware')
flash('Added device checksum', 'info')
return redirect(
url_for('components.route_show',
component_id=md.component_id,
page='checksums'))
def route_issue_create(component_id):
""" Adds one or more CVEs to the existing component """
# check we have data
for key in ['value']:
if key not in request.form or not request.form[key]:
return _error_internal('No %s specified!' % key)
# get firmware component
md = db.session.query(Component).\
filter(Component.component_id == component_id).first()
if not md:
flash('No component matched!', 'danger')
return redirect(url_for('firmware.route_firmware'))
# security check
if not md.check_acl('@modify-updateinfo'):
flash('Permission denied: Unable to modify firmware', 'danger')
return redirect(
url_for('components.route_show', component_id=component_id))
# add issue
for value in request.form['value'].split(','):
if value in md.issue_values:
flash('Already exists: {}'.format(value), 'info')
continue
if value.startswith('CVE-'):
issue = ComponentIssue(kind='cve', value=value)
elif value.startswith('DSA-'):
issue = ComponentIssue(kind='dell', value=value)
elif value.startswith('LEN-'):
issue = ComponentIssue(kind='lenovo', value=value)
elif value.startswith('INTEL-SA-'):
issue = ComponentIssue(kind='intel', value=value)
else:
flash('Issue invalid: {}'.format(value), 'danger')
return redirect(
url_for('components.route_show',
component_id=component_id,
page='issues'))
if issue.problem:
flash('Issue invalid: {}'.format(issue.problem.description),
'danger')
return redirect(
url_for('components.route_show',
component_id=component_id,
page='issues'))
flash('Added {}'.format(value), 'info')
md.issues.append(issue)
md.fw.mark_dirty()
md.fw.signed_timestamp = None
db.session.commit()
_async_sign_fw.apply_async(args=(md.fw.firmware_id, ), queue='firmware')
return redirect(
url_for('components.route_show',
component_id=md.component_id,
page='issues'))
def route_affiliation_change(firmware_id):
""" Changes the assigned vendor ID for the firmware """
# change the vendor
if 'vendor_id' not in request.form:
return _error_internal('No vendor ID specified')
# find firmware
fw = db.session.query(Firmware).filter(
Firmware.firmware_id == firmware_id).first()
if not fw:
flash('No firmware matched!', 'danger')
return redirect(url_for('firmware.route_firmware'))
# security check
if not fw.check_acl('@modify-affiliation'):
flash(
'Permission denied: Insufficient permissions to change affiliation',
'danger')
return redirect(url_for('firmware.route_show',
firmware_id=firmware_id))
vendor_id = int(request.form['vendor_id'])
if vendor_id == fw.vendor_id:
flash('No affiliation change required', 'info')
return redirect(
url_for('firmware.route_affiliation', firmware_id=fw.firmware_id))
if not g.user.check_acl('@admin') and \
not g.user.vendor.is_affiliate_for(vendor_id) and \
vendor_id != g.user.vendor_id:
flash(
'Insufficient permissions to change affiliation to {}'.format(
vendor_id), 'danger')
return redirect(url_for('firmware.route_show',
firmware_id=firmware_id))
old_vendor = fw.vendor
fw.vendor_id = vendor_id
db.session.commit()
# do we need to regenerate remotes?
if fw.remote.name.startswith('embargo'):
fw.vendor.remote.is_dirty = True
fw.user.vendor.remote.is_dirty = True
old_vendor.remote.is_dirty = True
fw.remote_id = fw.vendor.remote.remote_id
fw.events.append(
FirmwareEvent(remote_id=fw.remote_id, user_id=g.user.user_id))
fw.mark_dirty()
db.session.commit()
flash('Changed firmware vendor', 'info')
# asynchronously sign
_async_regenerate_remote.apply_async(args=(fw.remote.remote_id, ),
queue='metadata')
return redirect(url_for('firmware.route_show', firmware_id=fw.firmware_id))
def route_restriction_create(vendor_id):
""" Allows changing a vendor [ADMIN ONLY] """
# check exists
vendor = db.session.query(Vendor).filter(Vendor.vendor_id == vendor_id).first()
if not vendor:
flash('Failed to get vendor details: No a vendor with that group ID', 'warning')
return redirect(url_for('vendors.route_list_admin'), 302)
if not 'value' in request.form:
return _error_internal('No value')
vendor.restrictions.append(Restriction(value=request.form['value']))
db.session.commit()
flash('Added restriction', 'info')
return redirect(url_for('vendors.route_restrictions', vendor_id=vendor_id), 302)
def route_affiliation_create(vendor_id):
""" Allows changing a vendor [ADMIN ONLY] """
# check exists
vendor = db.session.query(Vendor).filter(
Vendor.vendor_id == vendor_id).first()
if not vendor:
flash('Failed to add affiliate: No a vendor with that group ID',
'warning')
return redirect(
url_for('vendors.route_affiliations', vendor_id=vendor_id), 302)
if not 'vendor_id_odm' in request.form:
return _error_internal('No value')
# security check
if not vendor.check_acl('@modify-affiliations'):
flash('Permission denied: Unable to add vendor affiliation', 'danger')
return redirect(url_for('vendors.route_show', vendor_id=vendor_id))
# check if it already exists
vendor_id_odm = int(request.form['vendor_id_odm'])
for rel in vendor.affiliations:
if rel.vendor_id_odm == vendor_id_odm:
flash(
'Failed to add affiliate: Already a affiliation with that ODM',
'warning')
return redirect(
url_for('vendors.route_affiliations', vendor_id=vendor_id),
302)
# add a new ODM -> OEM affiliation
aff = Affiliation(vendor_id=vendor_id, vendor_id_odm=vendor_id_odm)
for action in [
'@delete', '@modify', '@undelete', '@modify-updateinfo', '@view',
'@retry', '@waive'
]:
aff.actions.append(AffiliationAction(action=action, user=g.user))
vendor.affiliations.append(aff)
db.session.commit()
flash('Added affiliation {}'.format(aff.affiliation_id), 'info')
return redirect(url_for('vendors.route_affiliations', vendor_id=vendor_id),
302)
def route_create():
# ensure has enough data
if 'value' not in request.form:
return _error_internal('No form data found!')
value = request.form['value']
if not value or not value.startswith('X-') or value.find(' ') != -1:
flash('Failed to add category: Value needs to be a valid group name', 'warning')
return redirect(url_for('categories.route_list'))
# already exists
if db.session.query(Category).filter(Category.value == value).first():
flash('Failed to add category: The category already exists', 'info')
return redirect(url_for('categories.route_list'))
# add category
cat = Category(value=request.form['value'])
db.session.add(cat)
db.session.commit()
flash('Added category', 'info')
return redirect(url_for('categories.route_show', category_id=cat.category_id))
def route_create():
# ensure has enough data
if 'value' not in request.form:
return _error_internal('No form data found!')
value = request.form['value']
if not value or value.find(' ') != -1:
flash('Failed to add version format: Value needs to be valid',
'warning')
return redirect(url_for('verfmts.route_list'))
# already exists
if db.session.query(Verfmt).filter(Verfmt.value == value).first():
flash('Failed to add version format: Already exists', 'info')
return redirect(url_for('verfmts.route_list'))
# add verfmt
verfmt = Verfmt(value=request.form['value'])
db.session.add(verfmt)
db.session.commit()
flash('Added version format', 'info')
return redirect(url_for('verfmts.route_show', verfmt_id=verfmt.verfmt_id))
def route_create():
# ensure has enough data
if 'kind' not in request.form:
return _error_internal('No form data found!')
kind = request.form['kind']
if not kind or not kind.islower() or kind.find(' ') != -1:
flash('Failed to add claim: Value needs to be a lower case word',
'warning')
return redirect(url_for('claims.route_list'))
# already exists
if db.session.query(Claim).filter(Claim.kind == kind).first():
flash('Failed to add claim: The claim already exists', 'info')
return redirect(url_for('claims.route_list'))
# add claim
claim = Claim(kind=kind, summary=request.form.get('summary'))
db.session.add(claim)
db.session.commit()
flash('Added claim', 'info')
return redirect(url_for('claims.route_show', claim_id=claim.claim_id))
def route_issue_create(component_id):
""" Adds one or more CVEs to the existing component """
# check we have data
for key in ['value']:
if key not in request.form or not request.form[key]:
return _error_internal('No %s specified!' % key)
# get firmware component
md = db.session.query(Component).\
filter(Component.component_id == component_id).first()
if not md:
flash('No component matched!', 'danger')
return redirect(url_for('firmware.route_firmware'))
# security check
if not md.check_acl('@modify-updateinfo'):
flash('Permission denied: Unable to modify firmware', 'danger')
return redirect(url_for('components.route_show', component_id=component_id))
# add CVE
for value in request.form['value'].split(','):
if value in md.issue_values:
flash('Already exists: {}'.format(value), 'info')
continue
issue = ComponentIssue(kind="cve", value=value)
if issue.problem:
flash('CVE invalid: {}'.format(issue.problem.description), 'danger')
return redirect(url_for('components.route_show',
component_id=component_id,
page='issues'))
flash('Added {}'.format(value), 'info')
md.issues.append(issue)
md.fw.mark_dirty()
db.session.commit()
return redirect(url_for('components.route_show',
component_id=md.component_id,
page='issues'))
def route_create():
""" Add a vendor [ADMIN ONLY] """
# only accept form data
if request.method != 'POST':
return redirect(url_for('vendors.route_list_admin'))
if not 'group_id' in request.form:
return _error_internal('Unable to add vendor as no data')
if db.session.query(Vendor).filter(
Vendor.group_id == request.form['group_id']).first():
flash('Failed to add vendor: Group ID already exists', 'warning')
return redirect(url_for('vendors.route_list_admin'), 302)
if len(request.form['group_id']) > 80:
flash('Failed to add vendor: Group ID is too long', 'warning')
return redirect(url_for('vendors.route_list_admin'), 302)
# use a random access token, unless running in debug mode
if app.config.get('DEBUG', None):
access_token = request.form['group_id'].replace('-', '_')
else:
access_token = secrets.token_hex(nbytes=32)
r = Remote(name='embargo-%s' % request.form['group_id'],
access_token=access_token,
is_dirty=True)
db.session.add(r)
db.session.commit()
v = Vendor(group_id=request.form['group_id'], remote_id=r.remote_id)
db.session.add(v)
db.session.commit()
flash('Added vendor %s' % request.form['group_id'], 'info')
# asynchronously rebuilt
_async_regenerate_remote.apply_async(args=(r.remote_id, ),
queue='metadata')
return redirect(url_for('vendors.route_show', vendor_id=v.vendor_id), 302)
