def get_reports_history(): history = [] user_email = request.args.get('user') scans = [] if user_email is not None: user = User.get_user(user_email) if user is None: return jsonify(success=False, reason='no-such-user') # Get Sites for site in user.sites(): for scan in Site.get_site_by_url(site).scans: scans.append(scan) scans.sort(key=lambda x : x.created, reverse = True) # Get Scans for Sites else: for site in Site.query.all(): for scan in site.scans: scans.append(scan) for s in scans[:100]: history.append(summarize_scan(s)) return jsonify(success=True, report=history)
def get_reports_sites(): result = [] group_name = request.args.get('group_name') user_email = request.args.get('user') if user_email is not None: # User specified, so return recent scans for each site/plan that the user can see user = User.get_user(user_email) if user is None: return jsonify(success=False, reason='no-such-user') if group_name: group = Group.get_group(group_name) if group is None: return jsonify(success=False, reason='no-such-group') site_list = map(lambda x: x.url, group.sites) else: site_list = user.sites() for site_url in sorted(site_list): site = Site.get_site_by_url(site_url) if site is not None: for plan in site.plans: plan_name = plan.name schedule = ScanSchedule.get_schedule(site.site_uuid, plan.plan_uuid) crontab = None scheduleEnabled = False if schedule is not None: crontab = schedule['crontab'] scheduleEnabled = schedule['enabled'] scans = [] for scan in site.scans: if scan.plan is not None: p = json.loads(scan.plan) if p['name'] == plan_name: scans.append(scan) scan_for_site = [] for scan in scans: config = json.loads(scan.configuration) if config.get('target', None) == site_url: scan_for_site.append(scan) o = list(sorted(scan_for_site, cmp= lambda x, y: cmp(x.created, y, created))) if len(o): l = [o[0]] else: l = [] if len(l) == 1: scan = summarize_scan(l[0]) s = {v: scan.get(v) for v in ('id', 'created', 'state', 'issues')} result.append({'target': site_url, 'plan': plan_name, 'scan': scan, 'crontab': crontab, 'scheduleEnabled': scheduleEnabled}) else: result.append({'target': site_url, 'plan': plan_name, 'scan': None, 'crontab': crontab, 'scheduleEnabled': scheduleEnabled}) return jsonify(success=True, report=result)
def create_group(): group = request.json # perform validations on incoming data; issue#132 if not group.get('name'): return jsonify(success=False, reason='name-field-is-required') userz = group.get('users', []) sitez = group.get('sites', []) if userz: for user in userz: if not User.get_user(user): return jsonify(success=False, reason='user %s does not exist'%user) if sitez: for site in sitez: if not Site.get_site_by_url(site): return jsonify(success=False, reason='site %s does not exist'%site) if Group.get_group(group['name']) is not None: return jsonify(success=False, reason='group-already-exists') # post-validation # XXX - this is a horrible hack, we should grab the default admin user / admin group instead, not just use the first user/group in the list!!!! admin_user = User.query.all()[0] admin_group = None if len(Group.query.all()) > 0: admin_group = Group.query.all()[0] new_group = Group(group['name'], admin_user.email, admin_group) new_group.created = datetime.datetime.utcnow() new_group.description = group.get('description', "") db.session.add(new_group) for user in userz: new_group.users.append(User.get_user(user)) for site in sitez: new_group.sites.append(Site.get_site_by_url(site)) db.session.commit() new_group = Group.get_group(group['name']) return jsonify(success=True, group=sanitize_group(new_group))
def get_plans_by_email(email): user = User.get_user(email) plans_by_site = map(lambda x:Site.get_site_by_url(x).plans, user.sites()) plans = [] for planlist in plans_by_site: for plan in planlist: if not plan in plans: plans.append(plan) return map(lambda x : x.dict(), plans)
def get_sites(): query = {} url = request.args.get('url') sitez = None if url: sitez = [ Site.get_site_by_url(url)] else: sitez = Site.query.all() return jsonify(success=True, sites=map(lambda x : x.dict(), sitez))
def patch_group(group_name): patch = request.json group = Group.get_group(group_name) if not group: return jsonify(success=False, reason='no-such-group') # Process the edits. These can probably be done in one operation. for url in patch.get('addSites', []): site = Site.get_site_by_url(url) if not site: return jsonoify(success = false, reason='no-such-site') if not site in group.sites: group.sites.append(site) for url in patch.get('removeSites', []): site = Site.get_site_by_url(url) if not site: return jsonoify(success = false, reason='no-such-site') if site in group.sites: group.sites.remove(site) for email in patch.get('addUsers', []): user = User.get_user(email) if not user: return jsonoify(success = false, reason='no-such-user') if not user in group.users: group.users.append(user) for user in patch.get('removeUsers', []): user = User.get_user(email) if not user: return jsonoify(success = false, reason='no-such-user') if user in group.users: group.users.remove(user) db.session.commit() group = Group.get_group(group_name) return jsonify(success=True, group=sanitize_group(group))
def get_reports_issues(): result = [] group_name = request.args.get('group_name') user_email = request.args.get('user') if user_email is not None: # User specified, so return recent scans for each site/plan that the user can see user = User.get_user(user_email) if user is None: return jsonify(success=False, reason='no-such-user') site_list = [] if group_name: # get list of sites for group site_list = _find_sites_for_user_by_group_name(user_email, group_name) g = Group.get_group(group_name) if g: for site in g.sites: site_list.append(site.url) else: site_list = User.get_user(user_email).sites() for site_url in sorted(site_list): r = {'target': site_url, 'issues': []} site = Site.get_site_by_url(site_url) if site is not None: scan_list = [] for scan in site.scans: scan_list.append(scan) if len(scan_list) > 0: scan_list.sort(key=lambda x : x.created, reverse=True) s = scan_list[0] for session in s.sessions: for issue in session.issues: r['issues'].append({'severity': issue.severity, 'summary': issue.summary, 'scan': { 'id': s.scan_uuid}, 'id': issue.issue_uuid}) result.append(r) return jsonify(success=True, report=result)
def post_scan_create(): # try to decode the configuration configuration = request.json # See if the plan exists plan = Plan.get_plan(configuration['plan']) if not plan: return jsonify(success=False) # Merge the configuration # Create a scan object scan = Scan() scan.meta = json.dumps({ "user": configuration['user'], "tags": [] } ) scan.configuration = json.dumps(configuration['configuration']) scan.site = Site.get_site_by_url(configuration['configuration']['target']) scan.plan = json.dumps( { "name": plan.name, "revision": 0 }) db.session.add(scan) db.session.commit() for step in plan.workflows: session_configuration = {} if step.configuration: session_configuration = json.loads(step.configuration) session_configuration.update(configuration['configuration']) session = Session() session.configuration = json.dumps(session_configuration) session.description = step.description session.plugin = json.dumps(Plugin.plugins[step.plugin_name]['descriptor']) scan.sessions.append(session) db.session.add(session) db.session.commit() db.session.commit() return jsonify(success=True, scan=sanitize_scan(scan))
def create_site(): site = request.json # Verify incoming site: url must be valid, groups must exist, plans must exist if not _check_site_url(site.get('url')): return jsonify(success=False, reason='invalid-url') if not site.get('url', None): return jsonify(success=False, reason='missing-required-field') for group in site.get('groups', []): if not Group.get_group(group): return jsonify(success=False, reason='unknown-group') for plan_name in site.get('plans', []): if not Plan.get_plan(plan_name): return jsonify(success=False, reason='unknown-plan') if Site.get_site_by_url(site['url']) is not None: return jsonify(success=False, reason='site-already-exists') # Create the site new_site = Site(site['url']) for plan in site.get('plans', []): new_site.plans.append(Plan.get_plan(plan)) new_site.created = datetime.datetime.utcnow() for group in site.get('groups', []): new_site.groups.append(Group.get_group(group)) if site.get('verification',{}).get('enabled',False): new_site.verification_enabled = True new_site.verification_value = str(uuid.uuid4()) else: new_site.verification_enabled = False new_site.verification_value = None db.session.add(new_site) db.session.commit() new_site = Site.get_site(new_site.site_uuid) # Return the new site return jsonify(success=True, site=new_site.dict())
def setCredentials(): cred_data = request.json site = Site.get_site_by_url(cred_data.get('site')) if not site: return jsonify(message="no-such-site", success=False) plan = Plan.get_plan(cred_data.get('plan')) if not plan: return jsonify(message="no-such-site", success=False) authData = cred_data.get('authData') siteCreds = SiteCredential.get_credential(site.id, plan.id) if not siteCreds: siteCreds = SiteCredential(site.id, plan.id) db.session.add(siteCreds) #update all fields, preserving values for which none was provided siteCreds.site_id = site.id siteCreds.plan_id = plan.id siteCreds.username = authData.get('username', siteCreds.username) siteCreds.emailaddress = authData.get('email', siteCreds.emailaddress) siteCreds.script = authData.get('script', siteCreds.script) siteCreds.url = authData.get('url', siteCreds.url) siteCreds.username_path = authData.get('meusername_field_xpathhod', siteCreds.username_path) siteCreds.password_path = authData.get('password_field_xpath', siteCreds.password_path) siteCreds.method = authData.get('method', siteCreds.method) siteCreds.cookies = authData.get('expected_cookies', siteCreds.cookies) siteCreds.before_login_path = authData.get('before_login_element_xpath', siteCreds.before_login_path) siteCreds.after_login_path = authData.get('after_login_element_xpath', siteCreds.after_login_path) siteCreds.button_path = authData.get('before_login_element_xpath', siteCreds.button_path) db.session.commit() return jsonify(credential = siteCreds.dict(), success=True)