def modify_user_information(context: Dict[str, Any],
modified_user_data: Dict[str,
Any], project_name: str):
role = modified_user_data['role']
email = modified_user_data['email']
responsibility = modified_user_data['responsibility']
phone = modified_user_data['phone_number']
organization = modified_user_data['organization']
user_domain.update(email, organization.lower(), 'company')
if responsibility and len(responsibility) <= 50:
project_domain.add_access(email, project_name, 'responsibility',
responsibility)
else:
util.cloudwatch_log(
context,
'Security: {email} Attempted to add responsibility to project \
{project} bypassing validation'.format(email=email,
project=project_name))
if phone and phone[1:].isdigit():
user_domain.add_phone_to_user(email, phone)
else:
util.cloudwatch_log(
context,
'Security: {email} Attempted to edit user phone bypassing \
validation'.format(email=email))
if role == 'customeradmin':
project_domain.add_user(project_name.lower(), email.lower(), role)
elif is_customeradmin(project_name, email):
project_domain.remove_user_access(project_name, email, 'customeradmin')
def __init__(self, project_name: str, user_email: str, role: str = None):
self.email: str = user_email
self.role: str = ''
self.responsibility: str = ''
self.phone_number: str = ''
self.organization: str = ''
self.first_login: str = '-'
self.last_login: _List[int] = [-1, -1]
self.list_projects: _List[int] = []
if not project_name:
projs_active = \
['{proj}: {description} - Active'.format(
proj=proj,
description=project_domain.get_description(proj))
for proj in user_domain.get_projects(self.email)]
projs_suspended = \
['{proj}: {description} - Suspended'.format(
proj=proj,
description=project_domain.get_description(proj))
for proj in user_domain.get_projects(
self.email, active=False)]
self.list_projects = projs_active + projs_suspended
last_login = user_domain.get_data(user_email, 'last_login')
if last_login == '1111-1-1 11:11:11' or not last_login:
self.last_login = [-1, -1]
else:
dates_difference = \
datetime.now() - datetime.strptime(last_login, '%Y-%m-%d %H:%M:%S')
diff_last_login = [dates_difference.days, dates_difference.seconds]
self.last_login = diff_last_login
self.first_login = user_domain.get_data(user_email, 'date_joined')
organization = user_domain.get_data(user_email, 'company')
self.organization = organization.title()
self.responsibility = has_responsibility(
project_name, user_email) if project_name else ''
self.phone_number = has_phone_number(user_email)
user_role = user_domain.get_data(user_email, 'role')
if project_name and is_customeradmin(project_name, user_email):
self.role = 'customer_admin'
elif user_role == 'customeradmin':
self.role = 'customer'
else:
self.role = user_role
if project_name and role:
if role == 'admin':
has_access = has_access_to_project(user_email, project_name,
self.role)
else:
has_access = user_domain.get_project_access(
user_email, project_name)
if not user_domain.get_data(user_email, 'email') or \
not has_access:
raise UserNotFound()
def _get_role(jwt_content, project_name=None):
"""Get role."""
role = get_user_role(jwt_content)
if project_name and role == 'customer':
email = jwt_content.get('user_email')
role = 'customeradmin' if is_customeradmin(
project_name, email) else 'customer'
return dict(role=role)
def resolve_role(self, info, project_name=None):
jwt_content = util.get_jwt_content(info.context)
role = get_user_role(jwt_content)
if project_name and role == 'customer':
email = jwt_content.get('user_email')
role = 'customeradmin' if is_customeradmin(project_name,
email) else 'customer'
self.role = role
return self.role
def _get_role(email, project_name):
"""Get role."""
user_role = user_domain.get_data(email, 'role')
if project_name and is_customeradmin(project_name, email):
role = 'customer_admin'
elif user_role == 'customeradmin':
role = 'customer'
else:
role = user_role
return dict(role=role)
def mutate(self, info, **query_args):
project_name = query_args.get('project_name')
success = False
user_data = util.get_jwt_content(info.context)
role = get_user_role(user_data)
modified_user_data = {
'email': query_args.get('email'),
'organization': query_args.get('organization'),
'responsibility': query_args.get('responsibility'),
'role': query_args.get('role'),
'phone_number': query_args.get('phone_number')
}
if (role == 'admin'
and modified_user_data['role'] in ['admin', 'analyst',
'customer', 'customeradmin']) \
or (is_customeradmin(project_name, user_data['user_email'])
and modified_user_data['role'] in ['customer', 'customeradmin']):
if user_domain.assign_role(modified_user_data['email'],
modified_user_data['role']):
modify_user_information(info.context, modified_user_data,
project_name)
success = True
else:
rollbar.report_message('Error: Couldn\'t update user role',
'error', info.context)
else:
rollbar.report_message(
'Error: Invalid role provided: ' + modified_user_data['role'],
'error', info.context)
if success:
util.invalidate_cache(project_name)
util.invalidate_cache(query_args.get('email'))
util.cloudwatch_log(
info.context, 'Security: Modified user data:{user} \
in {project} project succesfully'.format(
user=query_args.get('email'), project=project_name))
else:
util.cloudwatch_log(
info.context, 'Security: Attempted to modify user \
data:{user} in {project} project'.format(
user=query_args.get('email'), project=project_name))
ret = \
EditUser(success=success,
modified_user=User(project_name,
modified_user_data['email']))
return ret
def mutate(self, info, **query_args):
project_name = query_args.get('project_name')
success = False
user_data = util.get_jwt_content(info.context)
role = get_user_role(user_data)
new_user_data = {
'email': query_args.get('email'),
'organization': query_args.get('organization'),
'responsibility': query_args.get('responsibility', '-'),
'role': query_args.get('role'),
'phone_number': query_args.get('phone_number', '')
}
if (role == 'admin'
and new_user_data['role'] in ['admin', 'analyst', 'customer', 'customeradmin']) \
or (is_customeradmin(project_name, user_data['user_email'])
and new_user_data['role'] in ['customer', 'customeradmin']):
if create_new_user(info.context, new_user_data, project_name):
success = True
else:
rollbar.report_message(
'Error: Couldn\'t grant access to project', 'error',
info.context)
else:
rollbar.report_message(
'Error: Invalid role provided: ' + new_user_data['role'],
'error', info.context)
if success:
util.invalidate_cache(project_name)
util.invalidate_cache(query_args.get('email'))
util.cloudwatch_log(
info.context, 'Security: Given grant access to {user} \
in {project} project'.format(user=query_args.get('email'),
project=project_name))
else:
util.cloudwatch_log(
info.context, 'Security: Attempted to give grant \
access to {user} in {project} project'.format(
user=query_args.get('email'), project=project_name))
ret = \
GrantUserAccess(success=success,
granted_user=User(project_name,
new_user_data['email']))
return ret
def mutate(self, info, **parameters):
"""update vulnerabilities in database."""
min_value = 0
max_value = 1000000000
vulnerabilities = parameters.get('vulnerabilities')
finding_id = parameters.get('finding_id')
if parameters.get('severity') and parameters.get('severity') != -1:
if min_value > parameters.get('severity') or \
parameters.get('severity') > max_value:
raise InvalidSeverity([min_value, max_value])
user_data = util.get_jwt_content(info.context)
project_name = finding_domain.get_finding(finding_id)['projectName']
is_customer_admin = is_customeradmin(project_name,
user_data['user_email'])
result_update_vuln = update_treatments(vulnerabilities, finding_id,
parameters, info,
is_customer_admin)
if result_update_vuln:
util.invalidate_cache(finding_id)
result = UpdateTreatmentVuln(success=result_update_vuln)
return result