def wrapper(self, *args, **kwargs):
    """Gate the wrapped ``func`` behind the admin-rights check.

    When ``has_admin_rights`` rejects the handler, the attempt is logged with
    the user id, audit name and request path and answered with HTTP 403;
    otherwise ``func`` is called unchanged with the same arguments.
    """
    if has_admin_rights(self):
        return func(self, *args, **kwargs)

    # Record who tried (user id + audit name) and which admin path, then deny.
    LOGGER.warning('User %s (%s) tried to access admin REST service %s',
                   _identify_user(self),
                   get_audit_name_from_request(self),
                   self.request.path)
    raise tornado.web.HTTPError(403, 'Access denied')
def wrapper(self, *args, **kwargs):
    """Gate the wrapped ``func`` behind the admin-rights check.

    When ``has_admin_rights`` rejects the handler, the attempt is logged with
    the user id, audit name and request path and answered with HTTP 403;
    otherwise ``func`` is called unchanged with the same arguments.
    """
    if has_admin_rights(self):
        return func(self, *args, **kwargs)

    # Record who tried (user id + audit name) and which admin path, then deny.
    LOGGER.warning('User %s (%s) tried to access admin REST service %s',
                   _identify_user(self),
                   get_audit_name_from_request(self),
                   self.request.path)
    raise tornado.web.HTTPError(403, 'Access denied')
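def open(self, execution_id):
    """Attach this websocket to the running script ``execution_id``.

    Refuses (and closes) the connection when the request is not
    authenticated, streams the executor's output to the client, and once the
    script finishes announces any downloadable files before closing the
    socket.

    Raises:
        Exception: when no active executor exists for ``execution_id``.
    """
    auth = self.application.auth
    if not auth.is_authenticated(self):
        # The websocket handshake has already completed at this point, so a
        # bare ``return`` would leave an unauthenticated socket open. Close it
        # explicitly (1008 = policy violation) before returning.
        self.close(code=1008, reason='Not authenticated')
        return None

    executor = self.application.execution_service.get_active_executor(
        execution_id)  # type: ScriptExecutor

    if not executor:
        raise Exception("Couldn't find corresponding process")

    self.executor = executor
    self.ioloop = tornado.ioloop.IOLoop.current()

    self.write_message(wrap_to_server_event("input", "your input >>"))
    self.write_message(wrap_script_output(" --- OUTPUT --- \n"))

    audit_name = get_audit_name_from_request(self)

    # NOTE(review): the name suggests this stream is not filtered/masked
    # before it reaches the (authenticated) client — confirm that is intended.
    output_stream = executor.get_unsecure_output_stream()
    bash_formatting = executor.config.is_bash_formatting()
    pipe_output_to_http(output_stream, bash_formatting, self.safe_write)

    web_socket = self
    file_download_feature = self.application.file_download_feature

    class FinishListener(object):
        """Announces downloadable files after the script ends, then closes the socket."""

        def finished(self):
            output_stream.wait_close()
            script_output = ''.join(output_stream.get_old_data())

            try:
                downloadable_files = file_download_feature.prepare_downloadable_files(
                    executor.config, script_output, executor.parameter_values, audit_name)

                for file in downloadable_files:
                    filename = os.path.basename(file)
                    # The client receives a path relative to TEMP_FOLDER with
                    # forward slashes, never the absolute server path.
                    relative_path = file_utils.relative_path(file, TEMP_FOLDER)

                    web_socket.safe_write(wrap_to_server_event(
                        'file',
                        {'url': relative_path.replace(os.path.sep, '/'),
                         'filename': filename}))
            except Exception:
                # Best effort: a failure here must not prevent the socket from
                # being closed below. Narrowed from a bare ``except`` so
                # interpreter-level exits are no longer swallowed.
                LOGGER.exception("Couldn't prepare downloadable files")

            web_socket.ioloop.add_callback(web_socket.close)

    executor.add_finish_listener(FinishListener())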
def prepare(self):
    """Set up streaming upload parsing before the request body arrives.

    Only POST is accepted; any other method is answered with 405 and the
    handler stops here. Otherwise a new per-request upload folder is created,
    the connection's body-size limit is set from the configured maximum, and a
    streaming form reader is attached to receive the multipart body.

    NOTE(review): no authentication check is visible in this method; if none
    is applied by a decorator or the application, an anonymous client can
    create upload folders — confirm.
    """
    if self.request.method != 'POST':
        respond_error(self, 405, 'Method not allowed')
        return

    audit_name = get_audit_name_from_request(self)
    upload_folder = self.application.file_upload_feature.prepare_new_folder(audit_name)

    # Body limit is set per connection from the configured MB ceiling.
    max_body_bytes = self.application.max_request_size_mb * BYTES_IN_MB
    self.request.connection.set_max_body_size(max_body_bytes)

    self.form_reader = StreamingFormReader(self.request.headers, upload_folder)
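def validate_absolute_path(self, root, absolute_path):
    """Authorize a download before the static handler serves the file.

    Resolves ``absolute_path`` relative to ``root`` and asks the download
    feature whether the current user may fetch it. Denied attempts are logged
    (user id, audit name, absolute path) and answered with HTTP 403; allowed
    paths fall through to the superclass validation.

    Raises:
        tornado.web.HTTPError: 403 when the user may not download the file.
    """
    audit_name = get_audit_name_from_request(self)
    user_id = _identify_user(self)
    file_download_feature = self.application.file_download_feature

    file_path = file_utils.relative_path(absolute_path, os.path.abspath(root))

    if not file_download_feature.allowed_to_download(file_path, user_id):
        # %-style args (as elsewhere in this file) so a None user id or audit
        # name cannot turn the denial into a TypeError before the 403 is raised.
        LOGGER.warning('Access attempt from %s(%s) to %s', user_id, audit_name, absolute_path)
        raise tornado.web.HTTPError(403)

    return super(AuthorizedStaticFileHandler, self).validate_absolute_path(root, absolute_path)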
def prepare(self):
    """Set up streaming upload parsing before the request body arrives.

    Only POST is accepted; any other method is answered with 405 and the
    handler stops here. Otherwise a new per-request upload folder is created,
    the connection's body-size limit is set from the configured maximum, and a
    streaming form reader is attached to receive the multipart body.

    NOTE(review): no authentication check is visible in this method; if none
    is applied by a decorator or the application, an anonymous client can
    create upload folders — confirm.
    """
    if self.request.method != 'POST':
        respond_error(self, 405, 'Method not allowed')
        return

    audit_name = get_audit_name_from_request(self)
    upload_folder = self.application.file_upload_feature.prepare_new_folder(audit_name)

    # Body limit is set per connection from the configured MB ceiling.
    max_body_bytes = self.application.max_request_size_mb * BYTES_IN_MB
    self.request.connection.set_max_body_size(max_body_bytes)

    self.form_reader = StreamingFormReader(self.request.headers, upload_folder)
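def validate_absolute_path(self, root, absolute_path):
    """Authorize a download before the static handler serves the file.

    Resolves ``absolute_path`` relative to ``root`` and asks the download
    feature whether the current user may fetch it. Denied attempts are logged
    (user id, audit name, absolute path) and answered with HTTP 403; allowed
    paths fall through to the superclass validation.

    Raises:
        tornado.web.HTTPError: 403 when the user may not download the file.
    """
    audit_name = get_audit_name_from_request(self)
    user_id = identify_user(self)
    file_download_feature = self.application.file_download_feature

    file_path = file_utils.relative_path(absolute_path, os.path.abspath(root))

    if not file_download_feature.allowed_to_download(file_path, user_id):
        # %-style args (as elsewhere in this file) so a None user id or audit
        # name cannot turn the denial into a TypeError before the 403 is raised.
        LOGGER.warning('Access attempt from %s(%s) to %s', user_id, audit_name, absolute_path)
        raise tornado.web.HTTPError(403)

    return super(AuthorizedStaticFileHandler, self).validate_absolute_path(root, absolute_path)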
def validate_absolute_path(self, root, absolute_path):
    """Hide login.html while auth is off and gate admin-only static files.

    Raises 404 for ``login.html`` when authentication is disabled, and 403
    (with a warning naming the user, audit name and file) when a non-admin
    requests a file that ``is_admin_file`` classifies as admin-only. Anything
    else is handed to the superclass validation.
    """
    auth_disabled = not self.application.auth.is_enabled()
    if auth_disabled and absolute_path.endswith("/login.html"):
        raise tornado.web.HTTPError(404)

    relative_path = file_utils.relative_path(absolute_path, root)

    if self.is_admin_file(relative_path) and not has_admin_rights(self):
        LOGGER.warning('User %s (%s) tried to access admin static file %s',
                       identify_user(self),
                       get_audit_name_from_request(self),
                       relative_path)
        raise tornado.web.HTTPError(403)

    return super(AuthorizedStaticFileHandler, self).validate_absolute_path(root, absolute_path)
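def has_admin_rights(request_handler):
    """Return True when the calling user is an admin per the authorizer.

    The username is taken from the request's audit names: the authenticated
    username when present, otherwise the client IP. Returns False (with a
    warning) when neither can be resolved.
    """
    names = get_all_audit_names(request_handler)

    # Reference the constant through audit_utils for both the membership test
    # and the lookup so the two cannot drift apart.
    if audit_utils.AUTH_USERNAME in names:
        username = names[audit_utils.AUTH_USERNAME]
    else:
        # NOTE(review): without an authenticated username the admin decision
        # keys on the client IP. That is only sound when auth is disabled on a
        # trusted network and the IP cannot be spoofed (e.g. proxy headers are
        # not trusted) — confirm.
        username = names.get(audit_utils.IP)

    if not username:
        LOGGER.warning('has_admin_rights: could not resolve username for %s',
                       get_audit_name_from_request(request_handler))
        return False

    return request_handler.application.authorizer.is_admin(username)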
def validate_absolute_path(self, root, absolute_path):
    """Hide login.html while auth is off and gate admin-only static files.

    Raises 404 for ``login.html`` when authentication is disabled, and 403
    (with a warning naming the user, audit name and file) when a non-admin
    requests a file that ``is_admin_file`` classifies as admin-only. Anything
    else is handed to the superclass validation.
    """
    auth_disabled = not self.application.auth.is_enabled()
    if auth_disabled and absolute_path.endswith("/login.html"):
        raise tornado.web.HTTPError(404)

    relative_path = file_utils.relative_path(absolute_path, root)

    if self.is_admin_file(relative_path) and not has_admin_rights(self):
        LOGGER.warning('User %s (%s) tried to access admin static file %s',
                       _identify_user(self),
                       get_audit_name_from_request(self),
                       relative_path)
        raise tornado.web.HTTPError(403)

    return super(AuthorizedStaticFileHandler, self).validate_absolute_path(root, absolute_path)
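def post(self):
    """Start a script execution from a submitted form.

    Reads the script name and parameter values from the form, loads the
    script config, enforces the access check before anything is written to
    disk, stores uploaded files and substitutes their paths as parameter
    values, validates the parameters and starts the script, writing the
    execution id back to the client.

    Responses: 400 (unknown script / invalid parameters), 403 (access
    denied), 500 (any other failure, which is also logged and alerted).
    """
    script_name = None
    audit_name = get_audit_name_from_request(self)

    try:
        arguments = tornado_utils.get_form_arguments(self)
        execution_info = external_model.to_execution_info(arguments)

        script_name = execution_info.script

        config = self.application.config_service.load_config(script_name)

        if not config:
            message = 'Script with name "' + str(script_name) + '" not found'
            LOGGER.error(message)
            respond_error(self, 400, message)
            return

        # Authorization runs before uploads are persisted, so a denied caller
        # leaves nothing on disk.
        if not can_access_script(config, self):
            LOGGER.warning('Access to the script "%s" is denied for %s', script_name, audit_name)
            respond_error(self, 403, 'Access to the script is denied')
            return

        file_upload_feature = self.application.file_upload_feature
        if self.request.files:
            for key, value in self.request.files.items():
                file_info = value[0]
                # NOTE(review): file_info.filename is client-controlled; any
                # sanitisation is assumed to live in save_file — confirm.
                file_path = file_upload_feature.save_file(file_info.filename, file_info.body, audit_name)
                execution_info.param_values[key] = file_path

        model_helper.prepare_multiselect_values(execution_info.param_values, config.parameters)

        valid_parameters = model_helper.validate_parameters(execution_info.param_values, config)
        if not valid_parameters:
            message = 'Received invalid parameters'
            LOGGER.error(message)
            respond_error(self, 400, message)
            return

        user_id = _identify_user(self)
        all_audit_names = get_all_audit_names(self)
        # %-style args: script_name may be None and must not break the log call.
        LOGGER.info('Calling script %s. User %s', script_name, all_audit_names)

        execution_id = self.application.execution_service.start_script(
            config, execution_info.param_values, user_id, all_audit_names)

        self.write(str(execution_id))

    except Exception as e:
        LOGGER.exception("Error while calling the script")

        # Only an OS-level strerror (if present) is echoed to the client; the
        # traceback stays in the log so internals are not exposed.
        if hasattr(e, "strerror") and e.strerror:
            error_output = e.strerror
        else:
            error_output = "Unknown error occurred, contact the administrator"

        result = " --- ERRORS --- \n" + error_output

        script = str(script_name) if script_name else "Some script"

        self.application.alerts_service.send_alert(
            script + ' NOT STARTED',
            "Couldn't start the script " + script + ' by ' + audit_name + '.\n\n' + result)

        respond_error(self, 500, result)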
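def on_close(self):
    """Tear down after the client disconnects.

    Kills the attached script when its config asks for it and logs the
    disconnecting audit name. ``self.executor`` is only assigned once ``open``
    has passed its checks, so the attribute can be absent on a socket that was
    refused; such sockets are just logged instead of raising AttributeError.
    """
    executor = getattr(self, 'executor', None)
    if executor is not None and executor.config.kill_on_disconnect:
        executor.kill()

    audit_name = get_audit_name_from_request(self)
    LOGGER.info('%s disconnected', audit_name)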
def get_audit_name(request_handler):
    """Return the request's audit name with its hostname part normalized.

    Thin wrapper: delegates to ``audit_utils.get_audit_name_from_request`` and
    passes the result through ``normalize_hostname``.
    """
    return normalize_hostname(audit_utils.get_audit_name_from_request(request_handler))
def on_close(self):
    """Log the disconnecting client's audit name; nothing else to release."""
    LOGGER.info(get_audit_name_from_request(self) + ' disconnected')
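def post(self, user):
    """Start a script execution for ``user`` from a submitted form.

    Builds the script's config model for the user (a ConfigNotAllowedException
    from that step is answered with 403), stores any uploaded files and
    substitutes their paths as parameter values, normalizes and validates the
    values through the model, then starts the script and writes the execution
    id back to the client.

    Responses: 400 (unknown script / invalid parameter value), 403 (access
    denied), 500 (any other failure, which is also logged and alerted).
    """
    script_name = None
    audit_name = get_audit_name_from_request(self)

    try:
        arguments = tornado_utils.get_form_arguments(self)
        execution_info = external_model.to_execution_info(arguments)

        script_name = execution_info.script

        config_model = self.application.config_service.create_config_model(script_name, user)

        if not config_model:
            message = 'Script with name "' + str(script_name) + '" not found'
            LOGGER.error(message)
            respond_error(self, 400, message)
            return

        parameter_values = execution_info.param_values

        if self.request.files:
            file_upload_feature = self.application.file_upload_feature
            for key, value in self.request.files.items():
                file_info = value[0]
                # NOTE(review): file_info.filename is client-controlled; any
                # sanitisation is assumed to live in save_file — confirm.
                file_path = file_upload_feature.save_file(file_info.filename, file_info.body, audit_name)
                parameter_values[key] = file_path

        try:
            config_model.set_all_param_values(parameter_values)
            normalized_values = dict(config_model.parameter_values)
        except InvalidValueException as e:
            # Files uploaded above remain on disk after this 400 — presumably
            # cleaned up elsewhere; verify.
            message = 'Invalid parameter %s value: %s' % (e.param_name, str(e))
            LOGGER.error(message)
            respond_error(self, 400, message)
            return

        user_id = _identify_user(self)
        all_audit_names = get_all_audit_names(self)
        # %-style args: script_name may be None and must not break the log call.
        LOGGER.info('Calling script %s. User %s', script_name, all_audit_names)

        execution_id = self.application.execution_service.start_script(
            config_model, normalized_values, user_id, all_audit_names)

        self.write(str(execution_id))

    except ConfigNotAllowedException:
        LOGGER.warning('Access to the script "%s" is denied for %s', script_name, audit_name)
        respond_error(self, 403, 'Access to the script is denied')
        return

    except Exception as e:
        LOGGER.exception("Error while calling the script")

        # Only an OS-level strerror (if present) is echoed to the client; the
        # traceback stays in the log so internals are not exposed.
        if hasattr(e, "strerror") and e.strerror:
            error_output = e.strerror
        else:
            error_output = "Unknown error occurred, contact the administrator"

        result = " --- ERRORS --- \n" + error_output

        script = str(script_name) if script_name else "Some script"

        self.application.alerts_service.send_alert(
            script + ' NOT STARTED',
            "Couldn't start the script " + script + ' by ' + audit_name + '.\n\n' + result)

        respond_error(self, 500, result)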
def on_close(self):
    """Log the disconnecting client's audit name; nothing else to release."""
    LOGGER.info(get_audit_name_from_request(self) + ' disconnected')
def get_audit_name(request_handler):
    """Return the request's audit name with its hostname part normalized.

    Thin wrapper: delegates to ``audit_utils.get_audit_name_from_request`` and
    passes the result through ``normalize_hostname``.
    """
    return normalize_hostname(audit_utils.get_audit_name_from_request(request_handler))