def update_plan(plan_name):
plan = Plan.get_plan(plan_name)
if not plan:
return jsonify(success=False, reason='no-such-plan')
new_plan = request.json
new_workflow = create_workflows_from_json(new_plan['workflow'])
if not new_workflow:
return jsonify(success=False, reason='invalid-plan')
plan.name = new_plan.get("name", plan.name)
plan.description = new_plan.get("description", plan.description)
old_flows = map(lambda x: x, plan.workflows)
for flow in old_flows:
plan.workflows.remove(flow)
for new_flow in new_workflow:
db.session.add(new_flow)
plan.workflows.append(new_flow)
db.session.commit()
return jsonify(success=True, plan=sanitize_plan(Plan.get_plan(plan.name)))
def create_plan():
plan = request.json
# Verify incoming plan
if Plan.get_plan(plan['name']) is not None:
return jsonify(success=False, reason='plan-already-exists')
workflows = create_workflows_from_json(plan['workflow'])
if not workflows:
return jsonify(success=False, reason='invalid-plan-exists')
# Create the plan
new_plan = Plan()
new_plan.name = plan['name']
new_plan.description = plan['description']
db.session.add(new_plan)
db.session.commit()
for workflow in workflows:
db.session.add(workflow)
new_plan.workflows.append(workflow)
db.session.commit()
plan = Plan.get_plan(new_plan.name)
# Return the new plan
if not plan:
return jsonify(success=False)
return jsonify(success=True, plan=sanitize_plan(plan))
def delete_plan(plan_name):
plan = Plan.get_plan(plan_name)
if not plan:
return jsonify(success=False, reason="Plan does not exist.")
# XX assess the impact of deleting a plan against existing scans?
db.session.delete(plan)
db.session.commit()
return jsonify(success=True)
def create_site():
site = request.json
# Verify incoming site: url must be valid, groups must exist, plans must exist
if not _check_site_url(site.get('url')):
return jsonify(success=False, reason='invalid-url')
if not site.get('url', None):
return jsonify(success=False, reason='missing-required-field')
for group in site.get('groups', []):
if not Group.get_group(group):
return jsonify(success=False, reason='unknown-group')
for plan_name in site.get('plans', []):
if not Plan.get_plan(plan_name):
return jsonify(success=False, reason='unknown-plan')
if Site.get_site_by_url(site['url']) is not None:
return jsonify(success=False, reason='site-already-exists')
# Create the site
new_site = Site(site['url'])
for plan in site.get('plans', []):
new_site.plans.append(Plan.get_plan(plan))
new_site.created = datetime.datetime.utcnow()
for group in site.get('groups', []):
new_site.groups.append(Group.get_group(group))
if site.get('verification',{}).get('enabled',False):
new_site.verification_enabled = True
new_site.verification_value = str(uuid.uuid4())
else:
new_site.verification_enabled = False
new_site.verification_value = None
db.session.add(new_site)
db.session.commit()
new_site = Site.get_site(new_site.site_uuid)
# Return the new site
return jsonify(success=True, site=new_site.dict())
def update_site(site_id):
new_site = request.json
# Verify incoming site. It must exist, groups must exist, plans must exist.
site = Site.get_site(site_id)
if not site:
return jsonify(success=False, reason='no-such-site')
for group in new_site.get('groups', []):
if not Group.get_group(group):
return jsonify(success=False, reason='unknown-group')
for plan_name in new_site.get('plans', []):
if not Plan.get_plan(plan_name):
return jsonify(success=False, reason='unknown-plan')
if 'groups' in new_site:
# purge groups
for group in site.groups:
site.groups.remove(group)
# insert desired groups
for group_name in new_site.get('groups', []):
site.groups.append(Group.get_group(group_name))
if 'plans' in new_site:
#purge plans
for plan in site.plans:
site.plans.remove(plan)
#add new plans
for plan_name in new_site['plans']:
site.plans.append(Plan.get_plan(plan_name))
db.session.commit()
# Return the updated site
site = Site.get_site(site_id)
if not site:
return jsonify(success=False, reason='no-such-site')
return jsonify(success=True, site=site.dict())
def get_plans():
name = request.args.get('name')
if name:
plan = Plan.get_plan(name)
if not plan:
return jsonify(success=False, reason="no-such-plan")
else:
return jsonify(success=True, plans=[plan.dict()])
else:
email = request.args.get('email')
if email:
plans = get_plans_by_email(email)
else:
plans = map(lambda x : x.dict(), Plan.query.all())
return jsonify(success=True, plans=plans)
def post_scan_create():
# try to decode the configuration
configuration = request.json
# See if the plan exists
plan = Plan.get_plan(configuration['plan'])
if not plan:
return jsonify(success=False)
# Merge the configuration
# Create a scan object
scan = Scan()
scan.meta = json.dumps({ "user": configuration['user'], "tags": [] } )
scan.configuration = json.dumps(configuration['configuration'])
scan.site = Site.get_site_by_url(configuration['configuration']['target'])
scan.plan = json.dumps( { "name": plan.name, "revision": 0 })
db.session.add(scan)
db.session.commit()
for step in plan.workflows:
session_configuration = {}
if step.configuration:
session_configuration = json.loads(step.configuration)
session_configuration.update(configuration['configuration'])
session = Session()
session.configuration = json.dumps(session_configuration)
session.description = step.description
session.plugin = json.dumps(Plugin.plugins[step.plugin_name]['descriptor'])
scan.sessions.append(session)
db.session.add(session)
db.session.commit()
db.session.commit()
return jsonify(success=True, scan=sanitize_scan(scan))
def setCredentials():
cred_data = request.json
site = Site.get_site_by_url(cred_data.get('site'))
if not site:
return jsonify(message="no-such-site", success=False)
plan = Plan.get_plan(cred_data.get('plan'))
if not plan:
return jsonify(message="no-such-site", success=False)
authData = cred_data.get('authData')
siteCreds = SiteCredential.get_credential(site.id, plan.id)
if not siteCreds:
siteCreds = SiteCredential(site.id, plan.id)
db.session.add(siteCreds)
#update all fields, preserving values for which none was provided
siteCreds.site_id = site.id
siteCreds.plan_id = plan.id
siteCreds.username = authData.get('username', siteCreds.username)
siteCreds.emailaddress = authData.get('email', siteCreds.emailaddress)
siteCreds.script = authData.get('script', siteCreds.script)
siteCreds.url = authData.get('url', siteCreds.url)
siteCreds.username_path = authData.get('meusername_field_xpathhod', siteCreds.username_path)
siteCreds.password_path = authData.get('password_field_xpath', siteCreds.password_path)
siteCreds.method = authData.get('method', siteCreds.method)
siteCreds.cookies = authData.get('expected_cookies', siteCreds.cookies)
siteCreds.before_login_path = authData.get('before_login_element_xpath', siteCreds.before_login_path)
siteCreds.after_login_path = authData.get('after_login_element_xpath', siteCreds.after_login_path)
siteCreds.button_path = authData.get('before_login_element_xpath', siteCreds.button_path)
db.session.commit()
return jsonify(credential = siteCreds.dict(), success=True)
def get_plan_by_plan_name(plan_name):
return Plan.get_plan(plan_name)