def clone(self, request, short_name=''): from oda.apps.odaweb.views import make_copy oda_master = OdaMaster.get_by_short_name(short_name) if oda_master.owner == request.user: raise OdaRestException("Don't copy an oda_master you already own") the_copy = make_copy(oda_master, request.user) return Response(the_copy.short_name)
def load_examples(owner=None): EXAMPLES_DIR = os.path.join( os.path.dirname(oda.apps.odaweb.examples.__file__), 'examples') for example in Examples: short_name = example['short_name'] valid_file_storage_id = True if OdaMaster.objects.filter(short_name=short_name).exists(): print('Example %s already exists in the database' % short_name) oda_master = OdaMaster.objects.filter( short_name=short_name).first() else: oda_master = OdaMaster( short_name=short_name, project_name=example['project_name'], owner=owner, default_permission=OdaMasterPermissionLevel.read.value) print('Adding example %s to database' % short_name) if 'data' in example: example_data = ''.join(example['data'].split()) odb_file = OdbFile( BinaryString(example_data, example['options']['architecture'])) elif 'file_name' in example: odb_file = OdbFile( BinaryFile(os.path.join(EXAMPLES_DIR, example['file_name']), example['options']['target'], example['options']['architecture'])) odb_file.execute(LoadOperation()) odb_file.execute(PassiveScanOperation()) if 'comments' in example: for vma, msg in example['comments']: odb_file.execute(CreateCommentOperation(vma, msg)) print("Adding Comment %s To %s" % (msg, str(odb_file))) if 'labels' in example: for vma, label in example['labels']: odb_file.execute(CreateLabelOperation(vma, label)) print("Saving label %s To %s" % (label, str(odb_file))) oda_master.odb_file = odb_file oda_master.save()
def can_edit(self, request, **kwargs): oda_master = OdaMaster.get_by_short_name(kwargs['short_name']) if oda_master == None: return Response(status=status.HTTP_404_NOT_FOUND, data='This document cannot be found') own = (oda_master.get_user_permission_level( request.user) == OdaMasterPermissionLevel.edit) return Response(own)
def permissions(self, request, **kwargs): oda_master = OdaMaster.get_by_short_name(kwargs['short_name']) if not oda_master: raise OdaRestException('ODA Master ' + kwargs['short_name'] + ' not found.') permissions = oda_master.odamasterpermission_set.all() serializer = OdaMasterPermissionSerializer(permissions, many=True) headers = self.get_success_headers(serializer.data) return Response(serializer.data, status=status.HTTP_200_OK, headers=headers)
def test_list_permissions_on_oda_master(self): otheruser = OdaUser(username='******') otheruser.save() oda_master = OdaMaster.get_by_short_name('mkdir') perm = Permission.objects.get(codename='read_odamaster') OdaMasterPermission.objects.create(master=oda_master, user=otheruser, permission=perm) response = self.client.get('/odaweb/api/masters/mkdir/', format='json') self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual(response.data['permissions'][0]['username'], 'otheruser') self.assertEqual(response.data['permissions'][0]['permission'], 'read')
def permission(self, request, **kwargs): permission = self.request.data.get('permission') username = self.request.data.get('username') usergroup = self.request.data.get('usergroup') if permission is None or (username is None and usergroup is None): raise OdaRestException( 'Must specify permission and username or usergroup.') oda_master = OdaMaster.get_by_short_name(kwargs['short_name']) if not oda_master: raise OdaRestException('ODA Master ' + kwargs['short_name'] + ' not found.') not_found = None try: perm = Permission.objects.get(codename=permission + '_odamaster') user = OdaUser.objects.get_by_natural_key( username) if username else None group = self.request.user.groups.get( name=usergroup) if usergroup else None if not user and not group: raise OdaRestException('Must specify user or group.') args = {'master': oda_master, 'permission': perm} if user: args['user'] = user if group: args['group'] = group if request.method == 'POST': OdaMasterPermission.objects.create(**args) serializer = self.get_serializer(oda_master) headers = self.get_success_headers(serializer.data) return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers) if request.method == 'DELETE': OdaMasterPermission.objects.get(**args).delete() return Response(status=status.HTTP_204_NO_CONTENT) except OdaUser.DoesNotExist: not_found = 'User' except OdaMasterPermission.DoesNotExist: not_found = 'OdaMasterPermission' except Group.DoesNotExist: not_found = 'Group' except Permission.DoesNotExist: not_found = 'Permission' if not_found: raise OdaRestException(not_found + ' not found.') raise OdaRestException
def test_permission_delete_group(self): group = Group.objects.create(name='mygroup') self.user.groups.add(group) oda_master = OdaMaster.get_by_short_name('mkdir') perm = Permission.objects.get(codename='read_odamaster') OdaMasterPermission.objects.create(master=oda_master, group=group, permission=perm) response = self.client.delete('/odaweb/api/masters/mkdir/permission/', { 'usergroup': 'mygroup', 'permission': 'read', }, format='json') self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
def test_permission_delete_user(self): otheruser = OdaUser(username='******') otheruser.save() oda_master = OdaMaster.get_by_short_name('mkdir') perm = Permission.objects.get(codename='read_odamaster') OdaMasterPermission.objects.create(master=oda_master, user=otheruser, permission=perm) response = self.client.delete('/odaweb/api/masters/mkdir/permission/', { 'username': '******', 'permission': 'read', }, format='json') self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
def has_permission(self, request, view): if isinstance(view, OdaMasterViewSet): # Permission enforcement for OdaMaster listing is done using queryset if view.action == 'list': return True short_name = view.kwargs.get('short_name') or request.query_params.get( 'short_name') or request.data.get('short_name') if short_name is not None: oda_master = OdaMaster.get_by_short_name(short_name) if oda_master is not None: permission_level = oda_master.get_user_permission_level( request.user) if permission_level == OdaMasterPermissionLevel.edit: return True if permission_level == OdaMasterPermissionLevel.read and request.method == 'GET': return True return False raise OdaRestException('Bad or missing short_name')
def set_default_permission_level(self, request, **kwargs): oda_master = OdaMaster.get_by_short_name(kwargs['short_name']) new_permission_level = OdaMasterPermissionLevel[ request.data['permission_level']] oda_master.set_default_permission_level(new_permission_level) return Response({'permission_level': new_permission_level.value})
def branches(self, request, **kwargs): oda_master = OdaMaster.get_by_short_name(kwargs['short_name']) odb_file = oda_master.odb_file branches = odb_file.get_structure_list(Branch) return Response( {'branches': [BranchSerializer(x).data for x in branches]})
def upload(request): form = UploadFileForm(request.POST, request.FILES) status = 200 filename = 'unknown' if 'filedata' in request.FILES: filename = request.FILES['filedata'].name if form.is_valid(): project_name = form.cleaned_data['project_name'] default_sharing_level = OdaMasterPermissionLevel[ form.cleaned_data['default_sharing_level']] filedata = form.cleaned_data['filedata'] idbImport = IdbImport(filedata) if idbImport.is_idb(): binary_file = BinaryFile.create_from_idb(filedata) binary_file.save() arch, target = idbImport.guess_arch() description = idbImport.describe() else: binary_file = BinaryFile.create(filedata) binary_file.save() description = binary_file.desc() arch, target = Disassembler.guess_bfd_arch( binary_file.file_handle().name) oda_master = OdaMaster(short_name=id_generator(), project_name=project_name, default_permission=default_sharing_level.value, ipAddress=request.META.get('REMOTE_ADDR')) if request.user.is_authenticated(): oda_master.owner = request.user oda_master.save() request.session["disassembly_id"] = oda_master.short_name request.session["disassembly_token"] = { 'id': oda_master.short_name, 'version': 0 } binary_file.binary_options.architecture = arch binary_file.binary_options.target = target binary_file.binary_options.save() odb_file = OdbFile(BinaryFileModel(binary_file.id)) # todo this should not be saved until after user has committed options oda_master.odb_file = odb_file oda_master.save() data = { 'short_name': oda_master.short_name, 'revision': oda_master.revision, 'arch': arch, 'target': target, 'file_format': description, } else: status = 413 data = { 'error': 'Invalid File "%s", maximum size is %d kb' % (filename, UploadFileForm.MAX_UPLOAD_SIZE_KB) } return HttpResponse(json.dumps(data), content_type='application/json', status=status)