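def setAttribute(self, attr, value, sessionData=None):
    """Set *attr*, storing a plaintext ``password`` in ``"ENC ..."`` form.

    A ``password`` value that does not already start with ``"ENC "`` is run
    through ``auth.getENCFromPassword`` and stored as ``"ENC <result>"``, but
    only when ``db.fieldACLAccess`` grants write access to the field. Every
    other attribute, and a password that already carries the prefix, is
    delegated to the parent class.

    Returns:
        ``True`` when the password was stored, ``False`` when the field-level
        ACL check refused the write, otherwise whatever the parent returns.
    """
    if attr == "password" and not value.startswith("ENC "):
        if db.fieldACLAccess(sessionData, self.acl, attr, accessType="write"):
            # The format string needs the "{0}" placeholder: without it the
            # output of getENCFromPassword is thrown away and a constant that
            # lacks the "ENC " marker is stored in place of the credential.
            self.password = "ENC {0}".format(auth.getENCFromPassword(value))
            return True
        return False
    # NOTE(review): the "ENC " prefix is the only test separating plaintext
    # from an already-processed value, so any string that starts with it
    # reaches the parent unchanged - confirm the parent validates it.
    return super(_testFire, self).setAttribute(attr, value, sessionData=sessionData)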
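def setAttribute(self, attr, value, sessionData=None):
    """Set *attr*, escaping ``customSearch`` before it is stored.

    When *sessionData* is supplied, ``db.fieldACLAccess`` must grant write
    access to the field. A call without session data skips that check
    entirely, so internal callers that omit it bypass the field-level ACL.

    Returns:
        ``False`` when the ACL check refuses the write, otherwise the result
        of the parent ``setAttribute``.
    """
    # Refuse here with an explicit False so a write that this check has
    # denied is never handed on and callers do not depend on an implicit
    # None to detect the refusal.
    if sessionData and not db.fieldACLAccess(
            sessionData, self.acl, attr, accessType="write"):
        return False
    if attr == "customSearch":
        value = helpers.unicodeEscapeDict(value)
    return super(_ingaGetScanUp, self).setAttribute(attr, value, sessionData=sessionData)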
def deleteFlowLink(conductID, fromFlowID, toFlowID):
    """Remove the link from flow *fromFlowID* to flow *toFlowID* in a conduct.

    Two checks gate the change: object-level "write" access on the conduct
    (``db.ACLAccess``) and field-level "delete" access on its ``flow`` field
    (``db.fieldACLAccess``).

    Returns:
        ``({}, 200)`` once the link is removed and the conduct saved,
        ``({}, 403)`` when either access check fails, and ``({}, 404)`` when
        the conduct, the source flow or the link cannot be found.
    """
    sessionData = api.g["sessionData"]

    matches = conduct._conduct().getAsClass(sessionData, id=conductID)
    if len(matches) != 1:
        return {}, 404
    conductObj = matches[0]

    access, accessIDs, adminBypass = db.ACLAccess(sessionData, conductObj.acl, "write")
    if not access:
        return {}, 403

    sourceFlows = [x for x in conductObj.flow if x["flowID"] == fromFlowID]
    if sourceFlows:
        fromFlow = sourceFlows[0]
        for nextflow in fromFlow["next"]:
            if nextflow["flowID"] != toFlowID:
                continue
            # The field-level check is only reached once the link exists, so
            # a caller without delete rights sees 403 for a real link and
            # 404 for a missing one.
            if not db.fieldACLAccess(sessionData, conductObj.acl, "flow", "delete"):
                return {}, 403
            conductObj.flow[conductObj.flow.index(fromFlow)]["next"].remove(nextflow)
            conductObj.update(["flow"])
            return {}, 200
    return {}, 404
def setAttribute(self, attr, value, sessionData=None):
    """Set *attr*, storing a plaintext ``url`` in ``"ENC ..."`` form.

    The webhook URL is treated as a secret: a value without the ``"ENC "``
    prefix is passed through ``auth.getENCFromPassword`` before it is kept,
    and only if ``db.fieldACLAccess`` allows a write to the field. Anything
    else is delegated to the parent class.

    Returns:
        ``True`` when the URL was stored, ``False`` when the ACL check
        refused it, otherwise the parent's result.
    """
    isPlainUrl = attr == "url" and not value.startswith("ENC ")
    if not isPlainUrl:
        # Other attributes, and a URL that already carries the prefix, take
        # the parent's path unchanged.
        return super(_microsoftteamswebhooksPostMessage, self).setAttribute(
            attr, value, sessionData=sessionData)
    if not db.fieldACLAccess(sessionData, self.acl, attr, accessType="write"):
        return False
    self.url = "ENC {0}".format(auth.getENCFromPassword(value))
    return True
def setAttribute(self, attr, value, sessionData=None):
    """Set *attr*, storing a plaintext ``apiToken`` in ``"ENC ..."`` form.

    A token without the ``"ENC "`` prefix is passed through
    ``auth.getENCFromPassword`` and kept as ``"ENC <result>"``, provided
    ``db.fieldACLAccess`` grants write access to the field. *sessionData* is
    handed to that check as given, including the default ``None``.

    Returns:
        ``True`` when the token was stored, ``False`` when the ACL check
        refused it, otherwise the parent's result.
    """
    needsEncoding = attr == "apiToken" and not value.startswith("ENC ")
    if needsEncoding:
        permitted = db.fieldACLAccess(sessionData, self.acl, attr, accessType="write")
        if not permitted:
            return False
        encoded = auth.getENCFromPassword(value)
        self.apiToken = "ENC {0}".format(encoded)
        return True
    # Everything else, including a token that already has the prefix, is
    # left to the parent implementation.
    return super(_shodanGetHostByIP, self).setAttribute(attr, value, sessionData=sessionData)
def setAttribute(self, attr, value, sessionData=None):
    """Set *attr*, storing a plaintext ``apiToken`` in ``"ENC ..."`` form.

    Only a token that lacks the ``"ENC "`` prefix is handled here: it needs
    field-level write access from ``db.fieldACLAccess`` and is then stored as
    ``"ENC "`` plus the output of ``auth.getENCFromPassword``. All other
    writes go to the parent class.

    Returns:
        ``True`` when the token was stored, ``False`` when the ACL check
        refused it, otherwise the parent's result.
    """
    handledHere = attr == "apiToken" and not value.startswith("ENC ")
    if not handledHere:
        return super(_whoisxmlapiDomainAvailabilityCheck, self).setAttribute(
            attr, value, sessionData=sessionData)
    if not db.fieldACLAccess(sessionData, self.acl, attr, accessType="write"):
        # Denied: the token is neither transformed nor stored.
        return False
    self.apiToken = "ENC {0}".format(auth.getENCFromPassword(value))
    return True
def setAttribute(self, attr, value, sessionData=None):
    """Set *attr*, storing a plaintext ``client_secret`` in ``"ENC ..."`` form.

    A secret without the ``"ENC "`` prefix is passed through
    ``auth.getENCFromPassword`` and kept as ``"ENC <result>"`` when
    ``db.fieldACLAccess`` grants write access to the field. A secret that
    already starts with ``"ENC "`` and every other attribute are delegated
    to the parent class unchanged.

    Returns:
        ``True`` when the secret was stored, ``False`` when the ACL check
        refused it, otherwise the parent's result.
    """
    if attr != "client_secret" or value.startswith("ENC "):
        return super(_azurebotserviceUpdateActivity, self).setAttribute(
            attr, value, sessionData=sessionData)
    mayWrite = db.fieldACLAccess(sessionData, self.acl, attr, accessType="write")
    if mayWrite:
        self.client_secret = "ENC {0}".format(auth.getENCFromPassword(value))
    # The ACL decision doubles as the result: True after storing, False
    # when the write was refused.
    return True if mayWrite else False
def setAttribute(self, attr, value, sessionData=None):
    """Set *attr* with special handling for the query and the API token.

    * ``searchQuery`` - stores the new query and clears ``humioJob``.
    * ``humioAPIToken`` without the ``"ENC "`` prefix - stored as ``"ENC "``
      plus the output of ``auth.getENCFromPassword``.

    Both paths require field-level write access from ``db.fieldACLAccess``.
    Anything else is delegated to the parent class.

    Returns:
        ``True`` when the value was stored here, ``False`` when the ACL
        check refused it, otherwise the parent's result.
    """
    if attr == "searchQuery":
        if not db.fieldACLAccess(sessionData, self.acl, attr, accessType="write"):
            return False
        # Clearing humioJob accompanies every accepted query change.
        self.humioJob = ""
        self.searchQuery = value
        return True

    if attr == "humioAPIToken" and not value.startswith("ENC "):
        if not db.fieldACLAccess(sessionData, self.acl, attr, accessType="write"):
            return False
        self.humioAPIToken = "ENC {0}".format(auth.getENCFromPassword(value))
        return True

    return super(_humioSearch, self).setAttribute(attr, value, sessionData=sessionData)
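def updateModelObject(modelName, objectID):
    """Apply a JSON "update" request to one model object, field by field.

    The request body is expected to be
    ``{"action": "update", "data": {field: value, ...}}``. Each submitted
    value is converted to the type of the attribute it replaces and handed
    to the object's ``setAttribute``; accepted fields are saved and an audit
    record is written.

    Access control happens in two steps: ``db.ACLAccess`` must grant "write"
    on the object, and, when the object has an ACL and the caller has no
    admin bypass, ``db.fieldACLAccess`` must grant "write" on each field.
    Fields that fail the second check are skipped silently.

    Returns:
        ``({}, 200)`` when the caller has write access (even if nothing
        changed), ``({}, 403)`` when object-level write access is denied,
        ``({}, 400)`` when the body is not JSON of the expected shape, and
        ``({}, 404)`` when the model is unknown, the action is not
        "update", or the object is not found exactly once.
    """
    class_ = loadModel(modelName)
    if not class_:
        return {}, 404

    # The body comes straight from the client: reject anything that is not
    # the expected shape instead of failing later with an unhandled error.
    try:
        data = json.loads(api.request.data)
    except ValueError:
        return {}, 400
    if not isinstance(data, dict):
        return {}, 400
    if data.get("action") != "update":
        return {}, 404
    data = data.get("data")
    if not isinstance(data, dict):
        return {}, 400

    sessionData = api.g["sessionData"]
    matches = class_.classObject()().getAsClass(sessionData, id=objectID)
    if len(matches) != 1:
        return {}, 404
    _class = matches[0]

    # Object-level check first; adminBypass later decides whether the
    # per-field check is consulted at all.
    access, accessIDs, adminBypass = db.ACLAccess(sessionData, _class.acl, "write")
    if not access:
        return {}, 403

    updateItemsList = []
    changeLog = {}

    def applyValue(dataKey, newValue):
        # setAttribute has the final say (the overrides run their own
        # checks); only accepted fields are saved and logged as changed.
        if _class.setAttribute(dataKey, newValue, sessionData=sessionData):
            updateItemsList.append(dataKey)
            changeLog[dataKey]["newValue"] = getattr(_class, dataKey)

    for dataKey, dataValue in data.items():
        # Field-level ACL applies only when the object has an ACL and the
        # caller is not using an admin bypass.
        if _class.acl and not adminBypass:
            if not db.fieldACLAccess(sessionData, _class.acl, dataKey, "write"):
                continue
        # _id is a protected mongodb field and cannot be updated.
        # NOTE(review): "_id" is the only name refused here, so any other
        # existing attribute can be overwritten by a client that passes the
        # ACL checks - confirm that is intended for fields such as classID.
        if dataKey == "_id" or not hasattr(_class, dataKey):
            continue

        currentValue = getattr(_class, dataKey)
        changeLog[dataKey] = {"currentValue": currentValue}
        currentType = type(currentValue)

        if currentType is str:
            # Falsy input is skipped, so a string field cannot be blanked
            # through this endpoint.
            if dataValue:
                applyValue(dataKey, str(dataValue))
        elif currentType is int:
            # null or a nested JSON value raises TypeError rather than
            # ValueError; both fall back to 0 like unparsable text does.
            try:
                coerced = int(dataValue)
            except (ValueError, TypeError):
                coerced = 0
            applyValue(dataKey, coerced)
        elif currentType is float:
            try:
                coerced = float(dataValue)
            except (ValueError, TypeError):
                coerced = 0
            applyValue(dataKey, coerced)
        elif currentType is bool:
            # Text is compared explicitly: only "true" (any case) is True.
            if type(dataValue) is str:
                dataValue = dataValue.lower() == "true"
            applyValue(dataKey, dataValue)
        elif currentType is dict or currentType is list:
            # NOTE(review): the decoded value is not checked against the
            # attribute's current type, and invalid JSON text raises here.
            if dataValue:
                applyValue(dataKey, json.loads(dataValue))

    # Commit back to database
    if updateItemsList:
        _class.update(updateItemsList)
        # Adding audit record
        # NOTE(review): changeLog holds the previous and new value of every
        # field that was looked at, including fields whose write was then
        # rejected; for credential attributes the stored secret would end
        # up in the audit trail - confirm, or redact such fields.
        if "_id" in sessionData:
            auditRecord = {
                "_id": sessionData["_id"],
                "objects": helpers.unicodeEscapeDict(changeLog)
            }
        else:
            auditRecord = {"objects": helpers.unicodeEscapeDict(changeLog)}
        audit._audit().add("model", "update", auditRecord)
    return {}, 200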
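def setConductFlow(conductID, flowID):
    """Attach or update the trigger/action object behind one flow of a conduct.

    The JSON body must contain ``newClassID``. If the flow already points at
    an object of that class, the object is reloaded through its concrete
    class; otherwise a new object of the requested class is inserted, given
    an ACL for the caller's primary group, and written into the conduct's
    flow. The remaining body fields are then applied to the object, each
    converted to the type of the attribute it replaces.

    Returns:
        ``({"type": <"trigger"|"action">}, 200)`` on success, ``({}, 403)``
        when ``db.ACLAccess`` denies "write" on the flow object,
        ``({}, 400)`` when the body is not a JSON object with
        ``newClassID``, and ``({}, 404)`` when the conduct, flow, model
        class or object cannot be resolved.
    """
    # List of attributes that are prevented from updating - this needs to be
    # made more dynamic and part of class design
    unsafeUpdateList = [
        "_id", "classID", "lastCheck", "lastRun", "lastResult", "workerID",
        "startCheck"
    ]
    sessionData = api.g["sessionData"]

    conductResults = conduct._conduct().query(sessionData, id=conductID)["results"]
    # A query without results is answered with 404 instead of failing on
    # the [0] lookup below.
    if not conductResults:
        return {}, 404
    conductObj = conduct._conduct().getAsClass(sessionData, id=conductResults[0]["_id"])
    if len(conductObj) == 1:
        conductObj = conductObj[0]
    else:
        return {}, 404

    flow = [x for x in conductObj.flow if x["flowID"] == flowID]
    if len(flow) != 1:
        return {}, 404
    flow = flow[0]

    # The body comes straight from the client: reject anything that is not
    # a JSON object carrying newClassID instead of raising further down.
    try:
        data = json.loads(api.request.data)
    except ValueError:
        return {}, 400
    if not isinstance(data, dict) or "newClassID" not in data:
        return {}, 400

    modelFlowObject = None
    # Check if the modelType and object are unchanged
    if "type" in flow:
        if flow["type"] == "trigger":
            modelFlowObject = trigger._trigger().getAsClass(
                sessionData, id=flow["{0}{1}".format(flow["type"], "ID")])
            if len(modelFlowObject) == 1:
                modelFlowObject = modelFlowObject[0]
            modelFlowObjectType = "trigger"
        if flow["type"] == "action":
            modelFlowObject = action._action().getAsClass(
                sessionData, id=flow["{0}{1}".format(flow["type"], "ID")])
            if len(modelFlowObject) == 1:
                modelFlowObject = modelFlowObject[0]
            modelFlowObjectType = "action"
        # Was it possible to load an existing object
        if modelFlowObject:
            # Check that the object model is still the same
            if modelFlowObject.classID == data["newClassID"]:
                # Get flow object correct class
                _class = model._model().getAsClass(sessionData, id=modelFlowObject.classID)
                if len(_class) == 1:
                    _class = _class[0]
                    _class = _class.classObject()
                else:
                    return {}, 404
                modelFlowObject = _class().getAsClass(sessionData, id=modelFlowObject._id)
                if len(modelFlowObject) == 1:
                    modelFlowObject = modelFlowObject[0]
                else:
                    return {}, 404
            else:
                modelFlowObject = None

    # New object required
    if not modelFlowObject:
        # NOTE(review): no write check on the conduct is visible before the
        # insert below; the only gate in this branch is whatever
        # conductObj.update enforces from sessionData - confirm, or check
        # db.ACLAccess on conductObj.acl before creating anything.
        _class = model._model().getAsClass(sessionData, id=data["newClassID"])
        if _class:
            _class = _class[0].classObject()
            # Bug exists as name value is not required by db class but is
            # for core models - this could result in an error if new model
            # is added that does not accept name within new function override
            newFlowObjectID = _class().new(flow["flowID"]).inserted_id
            # Working out by brute force which type this is (try to load it
            # by parent class and check for error) - get on trigger if it
            # does not exist will return None
            modelFlowObjectType = "action"
            if len(trigger._trigger().getAsClass(sessionData, id=newFlowObjectID)) > 0:
                modelFlowObjectType = "trigger"
            modelFlowObject = _class().getAsClass(sessionData, id=newFlowObjectID)
            if len(modelFlowObject) == 1:
                modelFlowObject = modelFlowObject[0]
            else:
                return {}, 404
            # The new object is owned by the caller's primary group, so the
            # write check further down runs against an ACL set right here.
            modelFlowObject.acl = {
                "ids": [{
                    "accessID": sessionData["primaryGroup"],
                    "read": True,
                    "write": True,
                    "delete": True
                }]
            }
            modelFlowObject.update(["acl"])
            # Set conduct flow to correct type and objectID
            flow["type"] = modelFlowObjectType
            flow["{0}{1}".format(modelFlowObjectType, "ID")] = str(newFlowObjectID)
            conductObj.update(["flow"], sessionData=sessionData)

    # Updating new or existing modelFlowObject
    if not modelFlowObject:
        return {}, 404
    # The model record is looked up only to confirm the class still exists.
    class_ = model._model().getAsClass(sessionData, id=modelFlowObject.classID)
    if not class_:
        return {}, 404
    _class = modelFlowObject

    # Object-level check first; adminBypass later decides whether the
    # per-field check is consulted at all.
    access, accessIDs, adminBypass = db.ACLAccess(sessionData, _class.acl, "write")
    if not access:
        return {}, 403

    updateItemsList = []
    changeLog = {}

    def applyValue(dataKey, newValue):
        # setAttribute has the final say; only accepted fields are saved
        # and logged as changed.
        if _class.setAttribute(dataKey, newValue, sessionData=sessionData):
            updateItemsList.append(dataKey)
            changeLog[dataKey]["newValue"] = getattr(_class, dataKey)

    for dataKey, dataValue in data.items():
        # Field-level ACL applies only when the object has an ACL and the
        # caller is not using an admin bypass.
        if _class.acl and not adminBypass:
            if not db.fieldACLAccess(sessionData, _class.acl, dataKey, "write"):
                continue
        # Protected bookkeeping fields are never taken from the request.
        if dataKey in unsafeUpdateList or not hasattr(_class, dataKey):
            continue

        currentValue = getattr(_class, dataKey)
        changeLog[dataKey] = {"currentValue": currentValue}
        currentType = type(currentValue)

        if currentType is str:
            # Falsy input is skipped, so a string field cannot be blanked
            # through this endpoint.
            if dataValue:
                applyValue(dataKey, str(dataValue))
        elif currentType is int:
            # null or a nested JSON value raises TypeError rather than
            # ValueError; both fall back to 0 like unparsable text does.
            try:
                coerced = int(dataValue)
            except (ValueError, TypeError):
                coerced = 0
            applyValue(dataKey, coerced)
        elif currentType is float:
            try:
                coerced = float(dataValue)
            except (ValueError, TypeError):
                coerced = 0
            applyValue(dataKey, coerced)
        elif currentType is bool:
            # bool("false") is True, so text is compared explicitly: only
            # "true" (any case) enables the flag.
            if type(dataValue) is str:
                dataValue = dataValue.lower() == "true"
            applyValue(dataKey, bool(dataValue))
        elif currentType is dict or currentType is list:
            # NOTE(review): the decoded value is not checked against the
            # attribute's current type, and invalid JSON text raises here.
            if dataValue:
                applyValue(dataKey, json.loads(dataValue))

    # Commit back to database
    if updateItemsList:
        _class.update(updateItemsList, sessionData=sessionData)
        # Adding audit record
        # NOTE(review): changeLog holds the previous and new value of every
        # field that was looked at; for credential attributes the stored
        # secret would end up in the audit trail - confirm, or redact.
        if "_id" in sessionData:
            auditRecord = {
                "_id": sessionData["_id"],
                "objects": helpers.unicodeEscapeDict(changeLog)
            }
        else:
            auditRecord = {"objects": helpers.unicodeEscapeDict(changeLog)}
        audit._audit().add("model", "update", auditRecord)
    return {"type": modelFlowObjectType}, 200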