def export_campaign_by_cid(cid):
g.setdefault('cid', cid)
download = request.args.get('download', default=False, type=str)
if download is not False:
# STart download process.
filename = ExpoManager.get_encrypted_file(current_user.user_email, cid,
download)
if filename is False:
return "False"
else:
return send_file("../Storage/ExportedCampaigns/" + filename,
as_attachment=True,
attachment_filename="filename")
else:
export_result = ExpoManager.export_campaign_database(
current_user.user_email, cid)
if export_result is not False:
return jsonify({
"filename": export_result[0],
"password": export_result[1]
})
return url_for("BaseImplantPage", cid=cid)
def show_tags():
g.setdefault(
'image',
cfg['awesome_image']) # Flask.g: a way to pass var to a template
#embed()
# Note tags=Tag.all() ... another way to pass var to a Jinja2 template
return render_template('index.html', tags=Tag.all())
def after_execute(conn, elt, multiparams, params, result):
duration = 1000 * (time.time() - conn.info['query_start_time'].pop(-1))
action = elt.__class__.__name__
if action == 'Select':
t = elt.froms[0]
while isinstance(t, _ORMJoin):
t = t.left
name = t.name
elif action in ['Update', 'Insert', 'Delete']:
name = elt.table.name
else:
# create/drop tables, sqlalchemy internal schema queries, etc
return
action = action.lower()
statsd_client.timing('db.{}.{}'.format(name, action), duration)
metrics_logger.debug("table=%s query=%s duration=%.2f", name, action,
duration)
if has_request_context():
g.setdefault('queries_count', 0)
g.setdefault('queries_duration', 0)
g.queries_count += 1
g.queries_duration += duration
return result
def fetch_admin_well_known(realm: str = "master"):
"""
Fetch and return the openid-configuration json object from
the Keycloak admin realm. Can also specify a different realm.
Requires an application context.
"""
# we can cache it in app context to reuse in other functions
cache_key = f"_{realm}_well_known"
cached = g.get(cache_key)
if cached is not None:
return cached
url = keycloak_host + f"/auth/realms/{realm}/.well-known/openid-configuration"
response = requests.get(url)
print(f"Well-known endpoint fetched at {url}")
if response.ok:
# https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
endpoints = dict(response.json())
set_g(cache_key, default=(endpoints))
return endpoints
app.logger.error(
f"Well-known endpoint fetch failed: {response.status_code} - {response.text}"
)
g.setdefault(cache_key, default=(None))
return None
def CampaignGraph(cid):
g.setdefault('cid', cid)
# -- If we receive a POST request then we will populate the page, this will be called AFTER the page has loaded.
if request.method=="POST":
blah = {'a':"1",'b':"v"}
return jsonify(blah)
return render_template("CampaignGraph.html")
def CampaignLogs(cid):
g.setdefault('cid',cid)
if request.method == "POST":
# -- Replace with pre-organised campaign logs - simplifies JS component.
# Get_CampaignLogs
return jsonify(ImpMgmt.Get_CampaignLogs(current_user.user_email, cid))
return render_template("CampaignLogs.html")
def after_execute(conn, elt, multiparams, params, result):
duration = 1000 * (time.time() - conn.info["query_start_time"].pop(-1))
action = elt.__class__.__name__
if action == "Select":
name = "unknown"
try:
name = _table_name_from_select_element(elt)
except Exception:
logging.exception("Failed finding table name.")
elif action in ["Update", "Insert", "Delete"]:
name = elt.table.name
else:
# create/drop tables, sqlalchemy internal schema queries, etc
return
action = action.lower()
metrics_logger.debug("table=%s query=%s duration=%.2f", name, action,
duration)
if has_request_context():
g.setdefault("queries_count", 0)
g.setdefault("queries_duration", 0)
g.queries_count += 1
g.queries_duration += duration
return result
def after_execute(conn, elt, multiparams, params, result):
duration = 1000 * (time.time() - conn.info['query_start_time'].pop(-1))
action = elt.__class__.__name__
if action == 'Select':
name = 'unknown'
try:
name = _table_name_from_select_element(elt)
except Exception:
logging.exception('Failed finding table name.')
elif action in ['Update', 'Insert', 'Delete']:
name = elt.table.name
else:
# create/drop tables, sqlalchemy internal schema queries, etc
return
action = action.lower()
statsd_client.timing('db.{}.{}'.format(name, action), duration)
metrics_logger.debug("table=%s query=%s duration=%.2f", name, action,
duration)
if has_request_context():
g.setdefault('queries_count', 0)
g.setdefault('queries_duration', 0)
g.queries_count += 1
g.queries_duration += duration
return result
def get_all_rules(auth):
key = FLASK_RULES_KEY
if key not in g:
all_rules = gs_util.get_all_security_acl_rules(auth)
g.setdefault(key, all_rules)
return g.get(key)
def after_execute(conn, elt, multiparams, params, result):
duration = 1000 * (time.time() - conn.info['query_start_time'].pop(-1))
action = elt.__class__.__name__
if action == 'Select':
name = 'unknown'
try:
name = _table_name_from_select_element(elt)
except Exception:
logging.exception('Failed finding table name.')
elif action in ['Update', 'Insert', 'Delete']:
name = elt.table.name
else:
# create/drop tables, sqlalchemy internal schema queries, etc
return
action = action.lower()
statsd_client.timing('db.{}.{}'.format(name, action), duration)
metrics_logger.debug("table=%s query=%s duration=%.2f", name, action,
duration)
if has_request_context():
g.setdefault('queries_count', 0)
g.setdefault('queries_duration', 0)
g.queries_count += 1
g.queries_duration += duration
return result
def generate_image_gallery():
# get the database if it does not exist
if not (app.config['DB_PARAM'] in g):
g.setdefault(app.config['DB_PARAM'],
default=get_database(app.config['DB_NAME']))
db = g.get(app.config['DB_PARAM'])
db_cursor = db.cursor()
# try to authenticate the user
check_session_token(db, db_cursor)
current_user = g.get(app.config['USER_PARAM'])
# check for unread messages
check_unread_messages(db_cursor, current_user)
display_images = []
db_cursor.execute('SELECT userid, imgfile FROM images')
# get data on each image
for (userid, imgfile) in db_cursor:
image = ImageInfo()
image.userid = userid
image.path = url_for('send_user_image', img_name=imgfile)
display_images.append(image)
return render_template('images.html',
images=display_images,
cur_user=current_user)
def generate_user_list():
# get the database if it does not exist
if not (app.config['DB_PARAM'] in g):
g.setdefault(app.config['DB_PARAM'],
default=get_database(app.config['DB_NAME']))
db = g.get(app.config['DB_PARAM'])
db_cursor = db.cursor()
# try to authenticate the user
check_session_token(db, db_cursor)
current_user = g.get(app.config['USER_PARAM'])
# check for unread messages
check_unread_messages(db_cursor, current_user)
user_list = []
db_cursor.execute('SELECT userid, username FROM users')
for (userid, username) in db_cursor:
user = UserInfo()
user.id = userid
user.name = username
user_list.append(user)
return render_template('userlist.html',
users=user_list,
cur_user=current_user)
def pre_handler(search_params=None, **kw):
query = search_params.pop('search', None)
#print(query, file=sys.stderr)
if query is not None:
hits, total = cls.search(query, 1, 64)
g.setdefault('search_ids', hits)
if ('order_by' in search_params):
g.setdefault('has_order', True)
def BaseImplantPage(cid):
g.setdefault('cid', cid)
# -- This needs to return the implant_input.html template if any implants exist, if not reuturn ImplantMain
# -- also need to work out the CID across the pages...
Implants = db.Get_AllCampaignImplants(cid)
if len(Implants) >0:
return render_template("implant_input.html", Implants=Implants)
return render_template("ImplantMain.html",cid=cid, Msg="No implants have called back in association with this campaign - create an implant base and use the stager page.")
def get_all_active_implants(cid):
g.setdefault('cid', cid)
implant_list = UsrMgmt.campaign_get_all_implant_base_from_cid(current_user.user_email, cid)
if implant_list is not False:
if len(implant_list) > 0:
return render_template("implant_input.html", Implants=implant_list)
msg = "No implants have called back in association with this campaign - create an implant base and use the stager page."
return render_template("ImplantMain.html", cid=cid, Msg=msg)
def decorated_function(*args, **kwargs):
workspace = request.view_args['workspace']
mapname = request.view_args['mapname']
info = get_complete_map_info(workspace, mapname)
assert FLASK_INFO_KEY not in g, g.get(FLASK_INFO_KEY)
# current_app.logger.info(f"Setting INFO of map {workspace}:{mapname}")
g.setdefault(FLASK_INFO_KEY, info)
result = function(*args, **kwargs)
return result
def BaseImplantSettings(cid):
# Allows updating the permissions of users in a campaign, and the visualisation of allowed users.
g.setdefault('cid', cid)
if request.method == "POST":
UsrMgmt.AddUserToCampaign(current_user.user_email, request.form, cid)
return redirect(url_for('BaseImplantSettings', cid=cid))
else:
users = UsrMgmt.get_current_campaign_users_settings_list(current_user.user_email, cid)
return render_template("settings/CampaignSettings.html", users=users)
def display_active_implant(cid, uik=None):
g.setdefault('cid', cid)
implants = ImpMgmt.get_active_campaign_implants(current_user.user_email, cid)
if uik is not None:
if type(implants) == list:
for implant in implants:
if int(implant['unique_implant_id']) == int(uik):
return render_template("implant/ActiveImplants.html", imp=implants, render=implant)
return render_template("implant/ActiveImplants.html", imp=implants)
def NewImplant(cid):
# -- set SID and user DB to convert --#
g.setdefault('cid',cid)
if request.method =="POST":
result, result_text= ImpMgmt.CreateNewImplant(cid, request.form, current_user.user_email)
if result==True:
return render_template('CreateImplant.html', success=result_text)
else:
return render_template('CreateImplant.html', error=result_text)
return render_template('CreateImplant.html')
def get_sftp(self):
ssh_client = g.get('ssh_%s' % self.name, None)
if ssh_client is None:
ssh_client = paramiko.SSHClient()
ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh_client.connect(**self.ssh_options)
g.setdefault('ssh_%s' % self.name, ssh_client)
sftp = g.get('sftp_%s' % self.name, None)
if sftp is None or sftp.sock.closed:
g.setdefault('sftp_%s' % self.name, ssh_client.open_sftp())
def set_g(name: str, default: Any = None):
"""
Helper function. Overwrite the given key name in g with default.
Requires an application context.
"""
# Flask's g object is like a dict in every way except this
if name in g:
g.pop(name)
g.setdefault(name, default=default)
def decorator(*args, **kwargs):
token = _token_extractor()
user = _user_decode(token)
g.setdefault('user', user)
auth_func = auth_kwargs.pop('auth_func', None)
auth_cls = auth_kwargs.pop('auth_cls', None)
callback = _get_authorization_callback(auth_func, auth_cls, args)
# jwt_authorize params take preference to Flask route params in case of name collision.
kwargs.update(auth_kwargs)
_check_authorization(user, callback, **kwargs)
return fn(*args, **kwargs)
def BaseImplantSettings(cid):
# -- Gather Data for settings:
# -- Users + read/write/none
# -- Implant List
g.setdefault('cid', cid)
Users = db.Get_SettingsUsers(cid, current_user.user_email)
if request.method == "POST":
print(request.form)
UsrMgmt.AddUserToCampaign(current_user.user_email, request.form, cid)
return redirect(url_for('BaseImplantSettings', cid=cid))
else:
print(Users)
return render_template("settings/CampaignSettings.html", users=Users)
def display_active_implant(cid, uik=None):
g.setdefault('cid', cid)
implants = ImpMgmt.get_active_campaign_implants(current_user.user_email, cid)
print("::",uik)
if uik is not None:
print("aa")
if type(implants) == list:
for x in implants:
print("! {}::{}",uik,x['unique_implant_id'])
if int(x['unique_implant_id']) == int(uik):
print("aaaaa")
return render_template("implant/ActiveImplants.html", imp=implants, render=x)
return render_template("implant/ActiveImplants.html", imp=implants)
def ImplantStager(cid):
g.setdefault('cid', cid)
# -- get request: return list of implants --
# -- Will update to a dropdown when exporting Word docs etc is possible -- #
if request.method == "POST":
if 'id' in request.args:
try:
if int(request.args['id']):
print("this is int")
except:
print("error")
# TODO: Replace with content from webpage request.
return send_file(StagerGen.GenerateSingleStagerFile(cid, current_user.user_email,"docx"), attachment_filename='file.docx')
return render_template("ImplantStagerPage.html", implantList=StagerGen.GenerateStaticStagers(cid, current_user.user_email))
def send(cls, notification, skipQueue=False):
if isinstance(notification, dict):
# Wrap a raw dictionary in a notification class
from indico.legacy.webinterface.mail import GenericNotification
notification = GenericNotification(notification)
# enqueue emails if we have a rh and do not skip queuing, otherwise send immediately
rh = g.get('rh')
mailData = cls._prepare(notification)
if mailData:
if skipQueue or not rh:
cls._send(mailData)
else:
g.setdefault('email_queue', []).append(mailData)
def process_like():
# get the database if it does not exist
if not (app.config['DB_PARAM'] in g):
g.setdefault(app.config['DB_PARAM'],
default=get_database(app.config['DB_NAME']))
db = g.get(app.config['DB_PARAM'])
db_cursor = db.cursor()
# try to authenticate the user
check_session_token(db, db_cursor)
current_user = g.get(app.config['USER_PARAM'])
# if not authenticated reject
if not current_user:
return 'Not Authenticated!', 403
imageid = request.form['imgid']
# make sure the image exists
db_cursor.execute('SELECT userid FROM images WHERE imageid=%s',
(imageid, ))
if (len(db_cursor.fetchall())) != 1:
return 'Image does not exist!', 400
# check if user already liked post
db_cursor.execute(
'SELECT userid FROM likes WHERE userid=%s AND likesthisimageid=%s',
(current_user.id, imageid))
post_like = db_cursor.fetchall()
if len(post_like) != 0:
return 'Already Liked Image!', 400
# add current user to list of users that liked post
db_cursor.execute(
'INSERT INTO likes (userid, likesthisimageid) VALUES (%s, %s)',
(current_user.id, imageid))
# now increment the like count
db_cursor.execute('UPDATE images SET likes=likes+1 WHERE imageid=%s',
(imageid, ))
db.commit()
# now send the new like to all connected clients
send_data = {}
send_data['imageid'] = imageid
new_app.emit('new-like', send_data, room='general-notifications')
return 'Successfully submitted like!'
def process_comment():
# get the database if it does not exist
if not (app.config['DB_PARAM'] in g):
g.setdefault(app.config['DB_PARAM'],
default=get_database(app.config['DB_NAME']))
db = g.get(app.config['DB_PARAM'])
db_cursor = db.cursor()
# try to authenticate the user
check_session_token(db, db_cursor)
current_user = g.get(app.config['USER_PARAM'])
# if not authenticated reject
if not current_user:
return 'Not Authenticated!', 403
imageid = request.form['imgid']
comtext = request.form['comment'].strip()
if len(comtext) == 0:
return 'Cannot send blank comment!', 400
if len(comtext) > app.config['MAX_COMMENT_LENGTH']:
return 'Comment too long!', 400
# make sure the image exists
db_cursor.execute('SELECT userid FROM images WHERE imageid=%s',
(imageid, ))
if (len(db_cursor.fetchall())) != 1:
return 'Image does not exist!', 400
# now add the comment to the database
db_cursor.execute(
'INSERT INTO comments (imageid, userid, comtext) VALUES (%s, %s, %s)',
(imageid, current_user.id, comtext))
db.commit()
# now send the new comment to all connected clients
send_data = {}
com_info = MessageInfo()
com_info.userid = current_user.id
com_info.username = current_user.name
com_info.message = comtext
send_data['imageid'] = imageid
send_data['html'] = render_template('one-comment.html', comment=com_info)
new_app.emit('new-comment-full', send_data, room='general-notifications')
return 'Successfully submitted comment!'
def validate_auth(user, password):
user_collection = app.db.users
user = user_collection.find_one({'username': user})
if user is None:
return False
else:
# check if the hash we generate based on auth matches stored hash
encodedPassword = password.encode('utf-8')
if bcrypt.hashpw(encodedPassword,
user['password']) == user['password']:
g.setdefault('user', user)
return True
else:
return False
def check_session_token(db, cursor):
# try to get token from cookies
token = request.cookies.get(app.config['SESSION_COOKIE_NAME'])
if not token:
g.setdefault(app.config['USER_PARAM'], default=None)
return
try:
token_hash = hashlib.scrypt(b''.fromhex(token),
salt=app.config['TOKEN_SALT'],
n=app.config['SC_N'],
r=app.config['SC_R'],
p=app.config['SC_P'])
except Exception:
g.setdefault(app.config['USER_PARAM'], default=None)
return
cursor.execute(
'SELECT userid, username, sessionexpiration, csrftoken FROM users WHERE sessioncookiehash=%s',
(token_hash.hex(), ))
data = cursor.fetchall()
if not (len(data) == 1):
g.setdefault(app.config['USER_PARAM'], default=None)
return
# get information about user
user = UserInfo()
for (userid, username, sessionexpiration, csrftoken) in data:
user.id = userid
user.name = username
user.session_expiration = sessionexpiration
user.csrf_token = csrftoken
# make sure the token has not expired, update db if so
if user.session_expiration <= datetime.date.today():
cursor.execute(
'UPDATE users SET sessioncookiehash=NULL, csrftoken=NULL WHERE userid=%s',
(user.id, ))
db.commit()
g.setdefault(app.config['USER_PARAM'], default=None)
return
# now set the actual user
g.setdefault(app.config['USER_PARAM'], default=user)
def preload_relationships(cls, query, *relationships, **kwargs):
"""Preload relationships for all objects from a query.
:param query: A SQLAlchemy query object.
:param relationships: The names of relationships to preload.
:param strategy: The loading strategy to use for the
relationships. Defaults to `joinedload` and
can be any callable that takes a relationship
name and returns a query option.
"""
assert cls.allow_relationship_preloading
strategy = kwargs.pop('strategy', joinedload)
assert not kwargs # no other kwargs allowed
cache = g.setdefault('relationship_cache',
{}).setdefault(cls, {
'data': {},
'relationships': set()
})
missing_relationships = set(relationships) - cache['relationships']
if not missing_relationships:
return
query = query.options(*map(strategy, missing_relationships))
data_cache = cache['data']
for obj in query:
obj_cache = data_cache.setdefault(obj, {})
for rel in missing_relationships:
obj_cache[rel] = getattr(obj, rel)
cache['relationships'] |= missing_relationships
def NewImplant(cid):
# -- set SID and user DB to convert --#
g.setdefault('cid', cid)
profiles = ImpMgmt.get_network_profile_options()
if request.method == "POST":
result, result_text = ImpMgmt.create_new_implant(
cid, request.form, current_user.user_email)
if result is True:
return render_template('CreateImplant.html',
profiles=profiles,
success=result_text), 200
else:
return render_template('CreateImplant.html',
profiles=profiles,
error=result_text), 409
return render_template('CreateImplant.html', profiles=profiles)
def allocate_friendly_ids(cls, event, n):
"""Allocate n Contribution friendly_ids.
This is needed so that we can allocate all IDs in one go. Not doing
so could result in DB deadlocks. All operations that create more than
one contribution should use this method.
:param event: the :class:`Event` in question
:param n: the number of ids to pre-allocate
"""
from indico.modules.events import Event
fid = increment_and_get(Event._last_friendly_contribution_id, Event.id == event.id, n)
friendly_ids = g.setdefault('friendly_ids', {})
friendly_ids.setdefault(cls, {})[event.id] = range(fid - n + 1, fid + 1)
def preload_events(ids, lightweight=True, persons=False):
"""Preload events so they are in SA's identity cache
This is useful for legacy pages where we have to show large
numbers of events without being able to query them from the
db cleanly.
:param ids: An iterable of IDs or Conference objects
:param lightweight: Only load dates and title
:param persons: Also load the person links
"""
cache = g.setdefault('_event_cache', {})
ids = {int(getattr(id_, 'id', id_)) for id_ in ids} - cache.viewkeys()
query = Event.find(Event.id.in_(ids))
if lightweight:
query = query.options(load_only('id', 'title', 'start_dt', 'end_dt', 'timezone'))
if persons:
query = query.options(joinedload('person_links'))
cache.update((e.id, e) for e in query)
def preload_relationships(cls, query, *relationships, **kwargs):
"""Preload relationships for all objects from a query.
:param query: A SQLAlchemy query object.
:param relationships: The names of relationships to preload.
:param strategy: The loading strategy to use for the
relationships. Defaults to `joinedload` and
can be any callable that takes a relationship
name and returns a query option.
"""
assert cls.allow_relationship_preloading
strategy = kwargs.pop('strategy', joinedload)
assert not kwargs # no other kwargs allowed
cache = g.setdefault('relationship_cache', {}).setdefault(cls, {'data': {}, 'relationships': set()})
missing_relationships = set(relationships) - cache['relationships']
if not missing_relationships:
return
query = query.options(*map(strategy, missing_relationships))
data_cache = cache['data']
for obj in query:
obj_cache = data_cache.setdefault(obj, {})
for rel in missing_relationships:
obj_cache[rel] = getattr(obj, rel)
cache['relationships'] |= missing_relationships
def _event_moved(conf, old_parent, new_parent, **kwargs):
if new_parent.getCategoryPath()[0] != '0':
g.setdefault('detached_events_moved', set()).add(conf.as_event)
return
event = conf.as_event
event.category_id = int(new_parent.id)
def _init_livesync_g():
g.setdefault('livesync_changes', defaultdict(set))
def init_email_queue():
"""Enable email queueing for the current context."""
g.setdefault('email_queue', [])