def add_translation(finding_id: int):
finding = FindingTemplate.query.filter_by(id=finding_id).one()
form = FindingTemplateAddTranslationForm(request.form)
current_langs = finding.langs
# Skip langs already presents
form.lang.choices = tuple(choice for choice in Language.choices()
if choice[0] not in current_langs)
context = dict(form=form, finding=finding)
if len(form.lang.choices) == 0:
flash('Finding {} already have all possible translations.'.format(
finding.name),
category='warning')
return redirect_back('.index')
if form.validate_on_submit():
if form.lang.data not in finding.langs:
data = dict(form.data)
data.pop('csrf_token', None)
FindingTemplateTranslation(finding_template=finding, **data)
else:
flash('Language {} already created for this finding.'.format(
form.lang.data),
category='danger')
return redirect_back('.index')
return render_template('findings/edit_translation.html', **context)
def delete_solution(finding_id: int, solution_name: str):
solution = Solution.query.filter_by(
finding_template_id=finding_id,
name=solution_name
).one()
solution.delete()
return redirect_back('.edit', finding_id=finding_id)
def edit(assessment_id):
assessment: Assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.owns(assessment) and not current_user.manages(
assessment.client):
abort(403)
if request.form:
form = AssessmentForm(request.form)
else:
form = AssessmentForm(**assessment.to_dict(),
auditors=assessment.auditors)
form.auditors.choices = User.get_choices(
User.user_type.in_(valid_auditors))
context = dict(assessment=assessment, form=form)
if form.validate_on_submit():
data = dict(form.data)
data.pop('csrf_token', None)
auditors = data.pop('auditors', [])
assessment.set(**data)
assessment.auditors.clear()
assessment.auditors.extend(auditors)
return redirect_back('.index')
return render_template('assessments/edit.html', **context)
def download_reports(assessment_id):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
data = request.form.to_dict()
data.pop('action', None)
data.pop('csrf_token', None)
templates = set(request.form.getlist('template_name'))
templates = Template.query.filter(
and_(Template.name.in_(templates),
Template.client_id == assessment.client_id)).all()
if not templates:
flash('No report selected', 'danger')
return redirect_back('.reports', assessment_id=assessment_id)
report_path, report_file = generate_reports_bundle(assessment, templates)
return send_from_directory(report_path,
report_file,
mimetype='application/octet-stream',
as_attachment=True,
attachment_filename=report_file,
add_etags=False,
cache_timeout=0)
def edit_translation(finding_id: int, language: str):
language = Language[language]
translation = FindingTemplateTranslation.query.filter_by(
finding_template_id=finding_id, lang=language).one()
form_data = request.form.to_dict() or translation.to_dict()
form = FindingTemplateEditTranslationForm(**form_data)
context = dict(form=form, finding=translation.finding_template)
if config.BROKEN_REFS_TOKEN in translation.references:
form.references.errors = ('Possible broken references detected', )
if form.validate_on_submit():
if language in translation.finding_template.langs:
data = dict(form.data)
data.pop('csrf_token', None)
translation.set(**data)
else:
flash('Language {} not created for this finding.'.format(language),
category='danger')
return redirect_back('.edit', finding_id=finding_id)
return render_template('findings/edit_translation.html', **context)
def add_solution(finding_id: int, solution_name=None):
finding = FindingTemplate.query.filter_by(id=finding_id).one()
solution = None
if solution_name:
solution = Solution.query.filter_by(finding_template_id=finding_id,
name=solution_name).one()
form_data = solution.to_dict() if solution else request.form.to_dict()
form = FindingTemplateAddSolutionForm(**form_data)
context = dict(form=form, finding=finding)
if form.validate_on_submit():
data = dict(form.data)
data.pop('csrf_token', None)
lang = data.get('lang')
name = data.get('name')
try:
Solution(finding_template=finding, **data)
db.session.commit()
return redirect_back('.index')
except IntegrityError:
db.session.rollback()
error = 'Solution name {} already exist for this finding.'.format(
name, lang)
form.name.errors.append(error)
return render_template('findings/edit_solution.html', **context)
def edit(template_id: int):
template = Template.query.filter_by(id=template_id).one()
form = TemplateEditForm()
if not request.form:
form = TemplateEditForm(**template.to_dict())
context = dict(template=template, form=form)
if form.validate_on_submit():
data = dict(form.data)
data.pop('csrf_token', None)
file = data.pop('file')
try:
template.set(**data)
template.last_modified = datetime.now()
db.session.commit()
if file is not None:
file.save(os.path.join(template.template_path(),
template.file))
return redirect_back('.index')
except IntegrityError:
form.name.errors.append('Name already used')
db.session.rollback()
return render_template('templates/edit.html', **context)
def index():
form = LoginForm(request.form)
context = dict(form=form, need_otp=False)
if form.validate_on_submit():
controller = AuthController()
try:
controller.authenticate(form.username.data, form.password.data,
form.otp.data)
session.permanent = True
flash('Logged in successfully.', 'success')
return redirect_back('index.index')
except AuthException:
context['need_otp'] = True
if form.otp.data:
flash('Invalid credentials', 'danger')
else:
form.otp.errors.append('Google Authenticator OTP required.')
return render_template('index.html', **context)
def delete(template_id: int):
template = Template.query.filter_by(id=template_id).one()
os.remove(os.path.join(template.template_path(), template.file))
template.delete()
return redirect_back('.index')
def new():
form = TemplateCreateNewForm()
context = dict(form=form)
if form.validate_on_submit():
data = dict(form.data)
data.pop('csrf_token')
file = data.pop('file')
filename = "{}.{}".format(uuid4(), file.filename.split('.')[-1])
data['file'] = filename
upload_path = Template.template_path()
if not os.path.exists(upload_path):
os.makedirs(upload_path)
try:
db.session.add(Template(**data))
db.session.commit()
file.save(os.path.join(upload_path, filename))
return redirect_back('.index')
except IntegrityError:
form.name.errors.append('Name already used')
db.session.rollback()
return render_template('templates/new.html', **context)
def add_template(client_id: int):
client = Client.query.filter_by(id=client_id).one()
if not current_user.manages(client):
abort(403)
form = TemplateCreateNewForm()
context = dict(form=form, client=client)
if form.validate_on_submit():
data = dict(form.data)
data.pop('csrf_token', None)
file = data.pop('file')
filename = "{}.{}".format(uuid4(), file.filename.split('.')[-1])
data['file'] = filename
upload_path = client.template_path()
if not os.path.exists(upload_path):
os.makedirs(upload_path)
try:
Template(client=client, **data)
db.session.commit()
file.save(os.path.join(upload_path, filename))
return redirect_back('.edit', client_id=client_id)
except IntegrityError:
form.name.errors.append('Name already used')
db.session.rollback()
return render_template('clients/add_template.html', **context)
def edit_finding(assessment_id, finding_id):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
finding = Finding.query.filter_by(id=finding_id).one()
finding_dict = finding.to_dict()
finding_dict['affected_resources'] = "\r\n".join(
r.uri for r in finding.affected_resources)
form_data = request.form.to_dict() or finding_dict
form = FindingEditForm(**form_data)
solutions = finding.template.solutions if finding.template else []
context = dict(assessment=assessment,
form=form,
finding=finding,
solutions=solutions,
solutions_dict={a.name: a.text
for a in solutions})
if form.validate_on_submit():
data = dict(form.data)
data.pop('csrf_token', None)
affected_resources = data.pop('affected_resources', '').split('\n')
try:
finding.update_affected_resources(
affected_resources) # TODO: Raise different exception
finding.set(**data)
return redirect_back('.findings', assessment_id=assessment_id)
except ValueError as ex:
form.affected_resources.errors.append(str(ex))
return render_template('assessments/panel/edit_finding.html', **context)
def del_user(username):
user = User.query.filter_by(username=username).one()
if user == current_user:
flash('You can not delete yourself', 'danger')
else:
user.delete()
return redirect_back('users.index')
def delete_findings(assessment_id, finding_id):
finding = Finding.query.filter_by(id=finding_id).one()
if not current_user.audits(finding.assessment):
abort(403)
finding.delete()
flash("Findign deleted", "success")
return redirect_back('.findings', assessment_id=assessment_id)
def delete_translation(finding_id: int, language: str):
tranlsation = FindingTemplateTranslation.query.filter_by(
finding_template_id=finding_id,
lang=Language[language]
).one()
tranlsation.delete()
return redirect_back('.edit', finding_id=finding_id)
def delete(assessment_id):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.owns(assessment) and not current_user.manages(
assessment.client):
abort(403)
assessment.delete()
return redirect_back('.index')
def delete(client_id: int):
client = Client.query.filter_by(id=client_id).one()
if not current_user.owns(client):
abort(403)
client.delete()
return redirect_back('.index')
def delete_template(client_id: int, template_name):
client = Client.query.filter_by(id=client_id).one()
if not current_user.manages(client):
abort(403)
template = Template.query.filter_by(name=template_name,
client=client).one()
os.remove(os.path.join(client.template_path(), template.file))
template.delete()
return redirect_back('.edit', client_id=client_id)
def change_owner(client_id: int):
client: Client = Client.query.filter_by(id=client_id).one()
if not current_user.owns(client):
abort(403)
form = ClientChangeOwnerForm()
form.owner.choices = User.get_choices(User.user_type.in_(valid_managers))
if form.validate_on_submit():
client.creator = form.owner.data
return redirect_back('.index')
def edit(finding_id: int):
finding = FindingTemplate.query.filter_by(id=finding_id).one()
form_data = request.form.to_dict() or finding.to_dict()
form = FindingTemplateEditForm(**form_data)
context = dict(form=form, finding=finding)
if form.validate_on_submit():
data = dict(form.data)
data.pop('csrf_token', None)
finding.set(**data)
db.session.commit()
return redirect_back('.index')
return render_template('findings/details.html', **context)
def disable_otp():
form = OtpConfirmForm(request.form)
if form.validate_on_submit():
try:
if current_user.disable_otp(form.otp.data, form.password.data):
flash('OTP disabled successfully', 'success')
else:
raise ValueError('invalid otp or password')
except ValueError:
flash('Invalid credentials, please try again.', 'danger')
return redirect_back('users.index')
def new():
form = FindingTemplateCreateNewForm(request.form)
context = dict(
form=form
)
if form.validate_on_submit():
data = dict(form.data)
data_finding = {k: v for k, v in data.items() if k in FindingTemplate.__dict__}
data_translation = {k: v for k, v in data.items() if k in FindingTemplateTranslation.__dict__}
finding = FindingTemplate(creator=current_user, **data_finding)
FindingTemplateTranslation(finding_template=finding, **data_translation)
return redirect_back('.index')
return render_template('findings/new.html', **context)
def add_user():
form = AddUserForm(request.form)
if form.validate_on_submit():
username = form.username.data
if form.password.data == form.passwordrep.data:
try:
user = User(username=username)
user.set_database_passwd(form.password.data)
except IntegrityError:
flash('User {} already exist'.format(username), 'danger')
db.session.rollback()
else:
flash('Password repeat invalid', 'danger')
return redirect_back('users.index')
def delete_evidence(assessment_id, evidence_name):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
image = Image.query.filter_by(assessment=assessment,
name=evidence_name).one()
image_name = image.name
image.delete()
os.remove(os.path.join(assessment.evidence_path(), image_name))
flash("Evidence deleted", "success")
return redirect_back(".evidences", assessment_id=assessment_id)
def edit(client_id: int):
client: Client = Client.query.filter_by(id=client_id).one()
if not current_user.manages(client):
abort(403)
if request.form:
form = ClientForm(request.form)
else:
form = ClientForm(**client.to_dict(),
managers=client.managers,
auditors=client.auditors,
templates=client.templates)
form.managers.choices = User.get_choices(
User.user_type.in_(valid_managers))
form.auditors.choices = User.get_choices(
User.user_type.in_(valid_auditors))
form.templates.choices = Template.get_choices()
change_owner_form = ClientChangeOwnerForm(owner=client.creator)
change_owner_form.owner.choices = User.get_choices(
User.user_type.in_(valid_managers))
context = dict(form=form,
change_owner_form=change_owner_form,
client=client)
if form.validate_on_submit():
data = dict(form.data)
data.pop('csrf_token', None)
managers = data.pop('managers', [])
auditors = data.pop('auditors', [])
templates = data.pop('templates', [])
client.set(**data)
client.managers.clear()
client.managers.extend(managers)
client.auditors.clear()
client.auditors.extend(auditors)
client.templates.clear()
client.templates.extend(templates)
return redirect_back('.index')
return render_template('clients/details.html', **context)
def new():
form = ClientForm(request.form)
form.managers.choices = User.get_choices(
User.user_type.in_(valid_managers))
form.auditors.choices = User.get_choices(
User.user_type.in_(valid_auditors))
context = dict(form=form)
if form.validate_on_submit():
data = form.data
data.pop('csrf_token')
Client(creator=current_user, **data)
return redirect_back('.index')
return render_template('clients/new.html', **context)
def edit_solution(finding_id: int, solution_name: str):
solution = Solution.query.filter_by(finding_template_id=finding_id,
name=solution_name).one()
form_data = request.form.to_dict() or solution.to_dict()
form = FindingTemplateEditSolutionForm(**form_data)
context = dict(form=form, finding=solution.finding_template)
if form.validate_on_submit():
data = dict(form.data)
data.pop('csrf_token', None)
solution.set(**data)
return redirect_back('.edit', finding_id=finding_id)
return render_template('findings/edit_solution.html', **context)
def add_assessment(client_id: int):
client = Client.query.filter_by(id=client_id).one()
if not current_user.audits(client):
abort(403)
form = AssessmentForm(request.form)
form.auditors.choices = User.get_choices(
User.user_type.in_(valid_auditors))
context = dict(form=form, client=client)
if form.validate_on_submit():
data = dict(form.data)
data.pop('csrf_token', None)
Assessment(client=client, creator=current_user, **data)
return redirect_back('.edit', client_id=client_id)
return render_template('clients/add_assessment.html', **context)
def edit_user(username):
user = User.query.filter_by(username=username).one()
form_data = request.form.to_dict() or user.to_dict()
form = EditUserForm(**form_data)
context = dict(
form=form
)
if user != current_user:
pass
else:
flash('You can not edit yourself', 'danger')
return redirect_back('users.index')
return render_template()
def change_passwd():
form = ChangePasswordForm()
if form.validate_on_submit():
try:
if form.newpassword.data == form.newpasswordrep.data:
current_user.change_password(
form.oldpassword.data,
form.newpassword.data,
form.otp.data
)
flash('Password changed successfully', 'success')
else:
flash('Password repeat invalid', 'danger')
except AuthException:
flash('Invalid credentials', 'danger')
return redirect_back('users.index')
