    def wrapper(self, *args, **kwargs):
        """Gate the wrapped ``func`` behind an admin-rights check.

        Admin callers fall straight through to ``func``. Everyone else is
        logged (user id, audit name, request path) and refused with HTTP 403
        before ``func`` is ever invoked.
        """
        if has_admin_rights(self):
            return func(self, *args, **kwargs)

        caller = _identify_user(self)
        LOGGER.warning('User %s (%s) tried to access admin REST service %s',
                       caller, get_audit_name_from_request(self), self.request.path)
        raise tornado.web.HTTPError(403, 'Access denied')
    def wrapper(self, *args, **kwargs):
        """Admin-only guard around ``func``.

        Refuses non-admin callers with HTTP 403 after writing a warning that
        records who (user id and audit name) asked for which path; admins
        get the result of ``func`` unchanged.
        """
        allowed = has_admin_rights(self)
        if not allowed:
            who = _identify_user(self)
            where = self.request.path
            LOGGER.warning('User %s (%s) tried to access admin REST service %s',
                           who, get_audit_name_from_request(self), where)
            raise tornado.web.HTTPError(403, 'Access denied')

        return func(self, *args, **kwargs)
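    def open(self, execution_id):
        """Bind this websocket to the running script ``execution_id``.

        Unauthenticated callers get the socket closed. Otherwise the
        executor's output is piped to the client and, once the script
        finishes, any downloadable result files are announced before the
        socket is closed from the IO loop.

        Args:
            execution_id: id of an active execution known to
                ``execution_service``.

        Raises:
            Exception: when no active executor exists for ``execution_id``
                (an exception from ``open`` makes Tornado abort the socket).
        """
        auth = self.application.auth
        if not auth.is_authenticated(self):
            # Returning without closing left the already-upgraded socket
            # idle with no executor bound: nothing would ever be written and
            # the client would hang. Close it explicitly instead.
            self.close()
            return None

        # NOTE(review): only authentication is checked here. Nothing visible
        # ties execution_id to the requesting user, so any authenticated user
        # who knows an id can attach to that execution's output — confirm
        # get_active_executor or an upstream check enforces ownership.
        executor = self.application.execution_service.get_active_executor(
            execution_id)  # type: ScriptExecutor

        if not executor:
            raise Exception("Couldn't find corresponding process")

        self.executor = executor
        self.ioloop = tornado.ioloop.IOLoop.current()

        self.write_message(wrap_to_server_event("input", "your input >>"))

        self.write_message(wrap_script_output(" ---  OUTPUT  --- \n"))

        audit_name = get_audit_name_from_request(self)

        # "unsecure" is the executor's own naming; presumably this stream is
        # the unmasked output (no secret-parameter redaction) — confirm that
        # is intended for what the connected user gets to see.
        output_stream = executor.get_unsecure_output_stream()
        bash_formatting = executor.config.is_bash_formatting()
        pipe_output_to_http(output_stream, bash_formatting, self.safe_write)

        web_socket = self

        file_download_feature = self.application.file_download_feature

        class FinishListener(object):
            """Runs when the script ends: publishes result files, then closes."""

            def finished(self):
                output_stream.wait_close()
                script_output = ''.join(output_stream.get_old_data())

                try:
                    downloadable_files = file_download_feature.prepare_downloadable_files(
                        executor.config, script_output,
                        executor.parameter_values, audit_name)

                    for file in downloadable_files:
                        filename = os.path.basename(file)
                        # The client receives the path relative to TEMP_FOLDER
                        # with forward slashes so it can be used as a URL.
                        relative_path = file_utils.relative_path(
                            file, TEMP_FOLDER)

                        web_socket.safe_write(
                            wrap_to_server_event(
                                'file', {
                                    'url': relative_path.replace(
                                        os.path.sep, '/'),
                                    'filename': filename
                                }))
                except Exception:
                    # Was a bare `except:`, which also swallowed SystemExit and
                    # KeyboardInterrupt. Publishing files is best-effort: log
                    # it and still close the socket below.
                    LOGGER.exception("Couldn't prepare downloadable files")

                # add_callback marshals the close onto the IO loop; the
                # listener is presumably invoked from the executor's thread.
                web_socket.ioloop.add_callback(web_socket.close)

        executor.add_finish_listener(FinishListener())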
    def prepare(self):
        """Reject non-POST requests, then set up streaming upload handling.

        A fresh upload folder is created for the caller's audit name, the
        connection's body-size limit is raised to the configured maximum and
        the multipart reader that later body chunks feed is installed.
        """
        if self.request.method != 'POST':
            respond_error(self, 405, 'Method not allowed')
            return

        # NOTE(review): audit_name derives from the request; presumably
        # prepare_new_folder sanitises it before using it as a path
        # component — confirm.
        audit_name = get_audit_name_from_request(self)
        upload_folder = self.application.file_upload_feature.prepare_new_folder(audit_name)

        max_body_bytes = self.application.max_request_size_mb * BYTES_IN_MB
        self.request.connection.set_max_body_size(max_body_bytes)
        self.form_reader = StreamingFormReader(self.request.headers, upload_folder)
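    def validate_absolute_path(self, root, absolute_path):
        """Authorise a download of ``absolute_path`` before serving it.

        The path (relative to ``root``) is checked against the download
        feature's per-user rules; a refusal is logged and answered with
        HTTP 403. Only then does Tornado's own validation run.

        Args:
            root: the static root directory.
            absolute_path: the resolved file path Tornado intends to serve.

        Returns:
            Whatever the parent class returns for an allowed path.

        Raises:
            tornado.web.HTTPError: 403 when the user may not download the file.
        """
        audit_name = get_audit_name_from_request(self)
        user_id = _identify_user(self)

        file_download_feature = self.application.file_download_feature

        file_path = file_utils.relative_path(absolute_path, os.path.abspath(root))
        if not file_download_feature.allowed_to_download(file_path, user_id):
            # Lazy %-formatting: the former '+' concatenation raised TypeError
            # whenever user_id or audit_name was None, turning the intended
            # 403 into an unhandled error.
            LOGGER.warning('Access attempt from %s(%s) to %s',
                           user_id, audit_name, absolute_path)
            raise tornado.web.HTTPError(403)

        return super(AuthorizedStaticFileHandler, self).validate_absolute_path(root, absolute_path)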
    def prepare(self):
        """Prepare a streaming multipart upload; only POST is accepted.

        Non-POST requests are answered with 405 and nothing else is set up.
        For POST, an upload folder keyed by the caller's audit name is
        created, the body-size limit is raised to the configured maximum and
        ``self.form_reader`` is installed for the incoming body.
        """
        method = self.request.method
        if method != 'POST':
            respond_error(self, 405, 'Method not allowed')
            return

        # NOTE(review): the audit name comes from the request; presumably
        # prepare_new_folder sanitises it before it becomes a directory
        # name — confirm.
        uploads = self.application.file_upload_feature
        upload_folder = uploads.prepare_new_folder(get_audit_name_from_request(self))

        limit = self.application.max_request_size_mb * BYTES_IN_MB
        self.request.connection.set_max_body_size(limit)
        self.form_reader = StreamingFormReader(self.request.headers, upload_folder)
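    def validate_absolute_path(self, root, absolute_path):
        """Authorise a download of ``absolute_path`` before serving it.

        The path (relative to ``root``) is checked against the download
        feature's per-user rules; a refusal is logged and answered with
        HTTP 403. Only then does Tornado's own validation run.

        Args:
            root: the static root directory.
            absolute_path: the resolved file path Tornado intends to serve.

        Returns:
            Whatever the parent class returns for an allowed path.

        Raises:
            tornado.web.HTTPError: 403 when the user may not download the file.
        """
        audit_name = get_audit_name_from_request(self)
        user_id = identify_user(self)

        file_download_feature = self.application.file_download_feature

        file_path = file_utils.relative_path(absolute_path, os.path.abspath(root))
        if not file_download_feature.allowed_to_download(file_path, user_id):
            # Lazy %-formatting: the former '+' concatenation raised TypeError
            # whenever user_id or audit_name was None, turning the intended
            # 403 into an unhandled error.
            LOGGER.warning('Access attempt from %s(%s) to %s',
                           user_id, audit_name, absolute_path)
            raise tornado.web.HTTPError(403)

        return super(AuthorizedStaticFileHandler, self).validate_absolute_path(root, absolute_path)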
    def validate_absolute_path(self, root, absolute_path):
        """Apply the static-file access rules before Tornado serves a file.

        * With authentication disabled the login page is hidden (404).
        * Admin-only files are served only to users with admin rights; any
          other attempt is logged and refused (403).
        Everything else is handed to the parent class' validation.
        """
        login_hidden = not self.application.auth.is_enabled()
        if login_hidden and absolute_path.endswith("/login.html"):
            raise tornado.web.HTTPError(404)

        relative_path = file_utils.relative_path(absolute_path, root)
        if self.is_admin_file(relative_path) and not has_admin_rights(self):
            LOGGER.warning('User %s (%s) tried to access admin static file %s',
                           identify_user(self), get_audit_name_from_request(self), relative_path)
            raise tornado.web.HTTPError(403)

        return super(AuthorizedStaticFileHandler, self).validate_absolute_path(root, absolute_path)
def has_admin_rights(request_handler):
    """Tell whether the caller behind ``request_handler`` is an administrator.

    The identity handed to the authorizer is the authenticated username when
    the audit names carry that key; otherwise it falls back to the client IP.
    With no resolvable identity the answer is a logged ``False``.

    Security note: when the username key is present but empty this returns
    False rather than falling through to the IP. Keep it that way — an
    empty login must not be promoted by an IP-based admin rule.
    """
    names = get_all_audit_names(request_handler)

    authenticated = AUTH_USERNAME in names
    username = names[audit_utils.AUTH_USERNAME] if authenticated else names.get(audit_utils.IP)

    if username:
        return request_handler.application.authorizer.is_admin(username)

    LOGGER.warning('has_admin_rights: could not resolve username for %s',
                   get_audit_name_from_request(request_handler))
    return False
    def validate_absolute_path(self, root, absolute_path):
        """Enforce static-file access rules, then defer to Tornado's check.

        The login page is hidden (404) while authentication is switched off.
        Files flagged by ``is_admin_file`` require admin rights; a non-admin
        attempt is logged with user id and audit name and refused (403).
        """
        auth_enabled = self.application.auth.is_enabled()
        if not auth_enabled and absolute_path.endswith("/login.html"):
            raise tornado.web.HTTPError(404)

        relative_path = file_utils.relative_path(absolute_path, root)
        admin_only = self.is_admin_file(relative_path)
        if admin_only and not has_admin_rights(self):
            who = _identify_user(self)
            LOGGER.warning('User %s (%s) tried to access admin static file %s',
                           who, get_audit_name_from_request(self), relative_path)
            raise tornado.web.HTTPError(403)

        return super(AuthorizedStaticFileHandler, self).validate_absolute_path(root, absolute_path)
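    def post(self):
        """Start a script execution from a form submission.

        Flow: parse the form, load the script config, enforce script-level
        access, store uploaded files as parameter values, normalise and
        validate the parameters, then hand off to the execution service and
        reply with the new execution id. Any other failure is logged, sent
        to the alerts service and answered with HTTP 500.
        """
        script_name = None

        audit_name = get_audit_name_from_request(self)

        try:
            arguments = tornado_utils.get_form_arguments(self)
            execution_info = external_model.to_execution_info(arguments)

            script_name = execution_info.script

            config = self.application.config_service.load_config(script_name)

            if not config:
                # script_name is request-controlled and is reflected here;
                # presumably respond_error emits plain text, not HTML — confirm.
                message = 'Script with name "' + str(script_name) + '" not found'
                LOGGER.error(message)
                respond_error(self, 400, message)
                return

            if not can_access_script(config, self):
                LOGGER.warning('Access to the script "%s" is denied for %s',
                               script_name, audit_name)
                respond_error(self, 403, 'Access to the script is denied')
                return

            # Each uploaded file becomes a parameter value holding its stored
            # path. The client-supplied filename goes straight to save_file;
            # presumably it is sanitised there before any path is built — confirm.
            file_upload_feature = self.application.file_upload_feature
            if self.request.files:
                for key, value in self.request.files.items():
                    file_info = value[0]
                    file_path = file_upload_feature.save_file(file_info.filename, file_info.body, audit_name)
                    execution_info.param_values[key] = file_path

            model_helper.prepare_multiselect_values(execution_info.param_values, config.parameters)

            valid_parameters = model_helper.validate_parameters(execution_info.param_values, config)
            if not valid_parameters:
                message = 'Received invalid parameters'
                LOGGER.error(message)
                respond_error(self, 400, message)
                return

            user_id = _identify_user(self)
            all_audit_names = get_all_audit_names(self)
            LOGGER.info('Calling script %s. User %s', script_name, all_audit_names)

            execution_id = self.application.execution_service.start_script(
                config,
                execution_info.param_values,
                user_id,
                all_audit_names)

            self.write(str(execution_id))

        except Exception as e:
            LOGGER.exception("Error while calling the script")

            # Only an exception's strerror text (OSError and friends) reaches
            # the client; anything else is replaced by a generic message so
            # internals are not disclosed.
            if hasattr(e, "strerror") and e.strerror:
                error_output = e.strerror
            else:
                error_output = "Unknown error occurred, contact the administrator"

            result = " ---  ERRORS  --- \n"
            result += error_output

            script = str(script_name) if script_name else "Some script"

            self.application.alerts_service.send_alert(
                script + ' NOT STARTED',
                "Couldn't start the script " + script + ' by ' + audit_name + '.\n\n'
                + result)

            respond_error(self, 500, result)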
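    def on_close(self):
        """Tear down after the websocket client disconnects.

        Kills the attached script when its config asks for it, then logs
        the disconnect under the caller's audit name.
        """
        # open() can bail out (unauthenticated, or no executor for the id)
        # before self.executor is bound, and on_close still runs in that
        # case; reading the attribute unguarded raised AttributeError.
        executor = getattr(self, 'executor', None)
        if executor is not None and executor.config.kill_on_disconnect:
            executor.kill()

        audit_name = get_audit_name_from_request(self)
        LOGGER.info('%s disconnected', audit_name)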
def get_audit_name(request_handler):
    """Return the request's audit name with its hostname part normalised."""
    return normalize_hostname(audit_utils.get_audit_name_from_request(request_handler))
 def on_close(self):
     """Log the disconnect of this websocket client under its audit name."""
     who = get_audit_name_from_request(self)
     LOGGER.info(who + ' disconnected')
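    def post(self, user):
        """Start a script execution on behalf of ``user``.

        Flow: parse the form, build the config model for ``user`` (which is
        where script-level access is enforced, surfacing as
        ``ConfigNotAllowedException``), store uploaded files as parameter
        values, let the model normalise and validate them, then hand off to
        the execution service and reply with the new execution id.

        Args:
            user: the caller as resolved by the routing layer; note that
                ``_identify_user(self)`` is consulted separately for the
                id handed to the execution service.
        """
        script_name = None

        audit_name = get_audit_name_from_request(self)

        try:
            arguments = tornado_utils.get_form_arguments(self)
            execution_info = external_model.to_execution_info(arguments)

            script_name = execution_info.script

            config_model = self.application.config_service.create_config_model(
                script_name, user)

            if not config_model:
                # script_name is request-controlled and is reflected here;
                # presumably respond_error emits plain text, not HTML — confirm.
                message = 'Script with name "' + str(
                    script_name) + '" not found'
                LOGGER.error(message)
                respond_error(self, 400, message)
                return

            parameter_values = execution_info.param_values

            # Each uploaded file becomes a parameter value holding its stored
            # path. The client-supplied filename goes straight to save_file;
            # presumably it is sanitised there before any path is built — confirm.
            if self.request.files:
                file_upload_feature = self.application.file_upload_feature
                for key, value in self.request.files.items():
                    file_info = value[0]
                    file_path = file_upload_feature.save_file(
                        file_info.filename, file_info.body, audit_name)
                    parameter_values[key] = file_path

            try:
                config_model.set_all_param_values(parameter_values)
                normalized_values = dict(config_model.parameter_values)
            except InvalidValueException as e:
                message = 'Invalid parameter %s value: %s' % (e.param_name,
                                                              str(e))
                LOGGER.error(message)
                respond_error(self, 400, message)
                return

            user_id = _identify_user(self)
            all_audit_names = get_all_audit_names(self)
            LOGGER.info('Calling script %s. User %s', script_name, all_audit_names)

            execution_id = self.application.execution_service.start_script(
                config_model, normalized_values, user_id, all_audit_names)

            self.write(str(execution_id))

        except ConfigNotAllowedException:
            LOGGER.warning('Access to the script "%s" is denied for %s',
                           script_name, audit_name)
            respond_error(self, 403, 'Access to the script is denied')
            return

        except Exception as e:
            LOGGER.exception("Error while calling the script")

            # Only an exception's strerror text (OSError and friends) reaches
            # the client; anything else is replaced by a generic message so
            # internals are not disclosed.
            if hasattr(e, "strerror") and e.strerror:
                error_output = e.strerror
            else:
                error_output = "Unknown error occurred, contact the administrator"

            result = " ---  ERRORS  --- \n"
            result += error_output

            script = str(script_name) if script_name else "Some script"

            self.application.alerts_service.send_alert(
                script + ' NOT STARTED', "Couldn't start the script " +
                script + ' by ' + audit_name + '.\n\n' + result)

            respond_error(self, 500, result)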
 def on_close(self):
     """Record, under the caller's audit name, that the websocket closed."""
     LOGGER.info(get_audit_name_from_request(self) + ' disconnected')
def get_audit_name(request_handler):
    """Audit name for ``request_handler``, hostname-normalised."""
    raw_name = audit_utils.get_audit_name_from_request(request_handler)
    normalized = normalize_hostname(raw_name)
    return normalized