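def verify_and_call(*args, **kwargs):
    """Authorise access to one event, then delegate to the wrapped resolver.

    ``args[1]`` is the GraphQL ``info`` object; its ``context`` carries the
    request JWT.  The event is selected by ``identifier`` when that keyword is
    present, otherwise by ``event_id``.

    Raises:
        GraphQLError: when the event id is missing or not purely numeric, when
            the event cannot be matched to a project, when the caller is not
            allowed to see that project, or when the JWT lacks an attribute the
            enforcer needs.
    """
    context = args[1].context
    identifier = kwargs.get('identifier')
    event_id = kwargs.get('event_id') if identifier is None else identifier

    user_data = util.get_jwt_content(context)
    # Both active and suspended subscriptions take part in the policy check.
    user_email = user_data['user_email']
    user_data['subscribed_projects'] = user_domain.get_projects(user_email)
    user_data['subscribed_projects'] += \
        user_domain.get_projects(user_email, active=False)
    user_data['role'] = get_user_role(user_data)

    # Validate the id *before* it reaches the data layer.  The original looked
    # the event up first and checked the format afterwards, so an arbitrary
    # string was handed to event_domain.get_event unchecked; a missing id is
    # rejected here as well (re.match on None raises TypeError).
    if not event_id or not re.match(r'^[0-9]+$', event_id):
        rollbar.report_message('Error: Invalid event id format', 'error',
                               context)
        raise GraphQLError('Invalid event id format')

    event_project = event_domain.get_event(event_id).get('project_name')
    try:
        # An event without a project name is denied instead of crashing on
        # .lower() (fail closed).
        if not event_project or \
           not ENFORCER_BASIC.enforce(user_data, event_project.lower()):
            util.cloudwatch_log(
                context,
                'Security:     Attempted to retrieve event-related info without permission')
            raise GraphQLError('Access denied')
    except AttributeDoesNotExist:
        # Raised, not returned: the other denial branches raise as well.
        raise GraphQLError('Access denied: Missing attributes')
    return func(*args, **kwargs)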
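    def verify_and_call(*args, **kwargs):
        """Authorise access to one project, then delegate to the wrapped resolver.

        ``args[1]`` is the GraphQL ``info`` object; its ``context`` carries the
        request JWT.  The project is taken from the ``project_name`` keyword.

        Raises:
            GraphQLError: when ``project_name`` is empty, when the caller is not
                allowed to see the project, or when the JWT lacks an attribute
                the enforcer needs.
        """
        context = args[1].context
        project_name = kwargs.get('project_name')
        user_data = util.get_jwt_content(context)
        # Both active and suspended subscriptions take part in the policy check.
        user_email = user_data['user_email']
        user_data['subscribed_projects'] = user_domain.get_projects(user_email)
        user_data['subscribed_projects'] += \
            user_domain.get_projects(user_email, active=False)
        user_data['role'] = get_user_role(user_data)

        if not project_name:
            rollbar.report_message('Error: Empty fields in project', 'error',
                                   context)
            raise GraphQLError('Access denied')

        try:
            if not ENFORCER_BASIC.enforce(user_data, project_name.lower()):
                util.cloudwatch_log(
                    context,
                    'Security: Attempted to retrieve {project} project info without permission'.format(
                        project=project_name))
                raise GraphQLError('Access denied')
            util.cloudwatch_log(
                context, 'Security: Access to {project} project'.format(
                    project=project_name))
        except AttributeDoesNotExist:
            # Raised, not returned: the other denial branches raise as well.
            raise GraphQLError('Access denied')
        return func(*args, **kwargs)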
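    def __init__(self, project_name: str, user_email: str, role: str = None):
        """Load the profile of *user_email*, scoped to *project_name* when given.

        Args:
            project_name: project the profile is viewed in; empty for a global
                view, in which case every project the user belongs to is listed.
            user_email: e-mail of the user whose profile is built.
            role: role of the requesting user (optional, may be None); when
                given together with project_name, access to that project is
                verified.

        Raises:
            UserNotFound: when role and project_name are both given and the
                user has no stored e-mail or no access to the project.
        """
        self.email: str = user_email
        self.role: str = ''
        self.responsibility: str = ''
        self.phone_number: str = ''
        self.organization: str = ''
        self.first_login: str = '-'
        # [days, seconds] since the last login; [-1, -1] means never/unknown.
        self.last_login: _List[int] = [-1, -1]
        # "<project>: <description> - <state>" entries (the original annotated
        # this as _List[int] although it only ever holds strings).
        self.list_projects: _List[str] = []

        if not project_name:
            # Active projects first, then suspended ones.
            active_entries = [
                '{proj}: {description} - Active'.format(
                    proj=proj,
                    description=project_domain.get_description(proj))
                for proj in user_domain.get_projects(self.email)
            ]
            suspended_entries = [
                '{proj}: {description} - Suspended'.format(
                    proj=proj,
                    description=project_domain.get_description(proj))
                for proj in user_domain.get_projects(self.email, active=False)
            ]
            self.list_projects = active_entries + suspended_entries

        last_login = user_domain.get_data(user_email, 'last_login')
        # '1111-1-1 11:11:11' is the stored placeholder for "never logged in".
        if last_login == '1111-1-1 11:11:11' or not last_login:
            self.last_login = [-1, -1]
        else:
            since_login = datetime.now() - datetime.strptime(
                last_login, '%Y-%m-%d %H:%M:%S')
            self.last_login = [since_login.days, since_login.seconds]

        self.first_login = user_domain.get_data(user_email, 'date_joined')
        organization = user_domain.get_data(user_email, 'company')
        # A record without a company would otherwise crash on .title(); the
        # attribute's documented empty value is ''.
        self.organization = (organization or '').title()
        self.responsibility = (has_responsibility(project_name, user_email)
                               if project_name else '')
        self.phone_number = has_phone_number(user_email)
        user_role = user_domain.get_data(user_email, 'role')

        if project_name and is_customeradmin(project_name, user_email):
            self.role = 'customer_admin'
        elif user_role == 'customeradmin':
            # Stored 'customeradmin' only counts within the viewed project;
            # elsewhere the effective role is 'customer'.
            self.role = 'customer'
        else:
            self.role = user_role

        if project_name and role:
            # Admin requesters are checked against the effective role; every
            # other requester against the stored project access.
            if role == 'admin':
                has_access = has_access_to_project(user_email, project_name,
                                                   self.role)
            else:
                has_access = user_domain.get_project_access(
                    user_email, project_name)

            if not user_domain.get_data(user_email, 'email') or \
               not has_access:
                raise UserNotFound()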
def _get_list_projects(email, project_name):
    """Return ``{'list_projects': [...]}`` describing the user's projects.

    The list is filled only when no *project_name* is given (global view):
    active projects come first, then suspended ones, each rendered as
    ``"<project>: <description> - <state>"``.  With a project name the list
    is empty.
    """
    if project_name:
        return dict(list_projects=[])

    described = []
    for proj in user_domain.get_projects(email):
        described.append('{proj}: {description} - Active'.format(
            proj=proj,
            description=project_domain.get_description(proj)))
    for proj in user_domain.get_projects(email, active=False):
        described.append('{proj}: {description} - Suspended'.format(
            proj=proj,
            description=project_domain.get_description(proj)))
    return dict(list_projects=described)
    def resolve_projects(self, info):
        """Resolve the ``projects`` field as ``Project`` objects for the caller.

        The caller is identified by the JWT in ``info.context``.  Entries are
        appended to ``self.projects`` and that same list is returned.
        NOTE(review): every resolution appends to the existing list — confirm
        ``self.projects`` is fresh per query, otherwise entries accumulate.
        """
        user_email = util.get_jwt_content(info.context).get('user_email')
        self.projects.extend(
            Project(project_name=name,
                    description=project_domain.get_description(name))
            for name in user_domain.get_projects(user_email))
        return self.projects
def _get_projects(jwt_content):
    """Return ``{'projects': [...]}`` for the user named in *jwt_content*.

    Each entry is ``{'name': <project>, 'description': <description>}``.
    """
    user_email = jwt_content.get('user_email')
    project_entries = [
        {'name': name, 'description': project_domain.get_description(name)}
        for name in user_domain.get_projects(user_email)
    ]
    return {'projects': project_entries}
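def generate_complete_report(request):
    """Build the "complete" findings/vulnerabilities spreadsheet for the requester.

    Every project the JWT user belongs to contributes one row per
    vulnerability of each released finding.

    Args:
        request: the HTTP request; its JWT identifies the user and therefore
            the projects included.

    Returns:
        HttpResponse carrying the .xlsx document inline.
    """
    from io import BytesIO  # local import: the module's import block is not in view

    user_data = util.get_jwt_content(request)
    projects = user_domain.get_projects(user_data['user_email'])
    book = load_workbook('/usr/src/app/app/techdoc/templates/COMPLETE.xlsx')
    sheet = book.active

    # Column layout of the template; data rows start below the header row.
    project_col, finding_col = 1, 2
    vuln_where_col, vuln_specific_col = 3, 4
    treatment_col, treatment_mgr_col = 5, 6
    row_index = 2

    for project in projects:
        findings = project_domain.get_released_findings(
            project, 'finding_id, finding, treatment')
        for finding in findings:
            for vuln in finding_dal.get_vulnerabilities(finding['finding_id']):
                sheet.cell(row_index, project_col, project.upper())
                # NOTE(review): .encode('utf-8') is Python 2 era — under
                # Python 3 it renders as b'...'; confirm the runtime before
                # changing it.
                sheet.cell(row_index, finding_col, '{name!s} (#{id!s})'.format(
                           name=finding['finding'].encode('utf-8'),
                           id=finding['finding_id']))
                sheet.cell(row_index, vuln_where_col, vuln['where'])
                sheet.cell(row_index, vuln_specific_col, vuln['specific'])
                sheet.cell(row_index, treatment_col, finding['treatment'])
                sheet.cell(row_index, treatment_mgr_col,
                           vuln.get('treatment_manager', 'Unassigned'))
                row_index += 1

    # Serialise in memory rather than to /tmp.  The original wrote to a
    # predictable path built from the user's e-mail prefix in a world-shared
    # directory and never removed the file: overwrite/symlink exposure plus
    # report data left on disk.  openpyxl accepts any file-like object.
    buffer = BytesIO()
    book.save(buffer)

    filename = 'complete_report.xlsx'
    response = HttpResponse(buffer.getvalue())
    # The original literal carried a backslash-newline continuation that
    # embedded a run of spaces inside the MIME type, making it invalid.
    response['Content-Type'] = \
        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
    # Placeholder reconstructed from the otherwise-unused filename= argument.
    response['Content-Disposition'] = 'inline;filename={filename}'.format(
        filename=filename)
    return response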