def _GenerateRule(self, **kwargs):
"""Generate the rule for the blockable being voted on.
Args:
**kwargs: Arguments to be passed to the Bit9Rule constructor.
Returns:
An un-persisted Bit9Rule corresponding to the blockable being voted on.
"""
return bit9.Bit9Rule(parent=self.blockable.key,
rule_type=self.blockable.rule_type,
**kwargs)
def _SetInstallerPolicy(self, blockable_id, new_policy):
blockable = base_db.Blockable.get_by_id(blockable_id)
# pylint: disable=g-explicit-bool-comparison
installer_rule_query = bit9_db.Bit9Rule.query(
bit9_db.Bit9Rule.in_effect == True,
bit9_db.Bit9Rule.policy.IN(constants.RULE_POLICY.SET_INSTALLER),
ancestor=blockable.key)
# pylint: enable=g-explicit-bool-comparison
existing_rule = installer_rule_query.get()
if existing_rule:
if existing_rule.policy == new_policy:
return blockable.is_installer
else:
existing_rule.in_effect = False
existing_rule.put()
# Create the Bit9Rule associated with the installer state and a change set
# to commit it.
new_rule = bit9_db.Bit9Rule(
rule_type=blockable.rule_type,
in_effect=True,
policy=new_policy,
parent=blockable.key)
new_rule.put()
change = bit9_db.RuleChangeSet(
rule_keys=[new_rule.key],
change_type=new_rule.policy,
parent=blockable.key)
change.put()
message = 'User %s changed installer state to %s' % (
self.user.key.id(), new_policy)
tables.BINARY.InsertRow(
sha256=blockable.key.id(),
timestamp=datetime.datetime.utcnow(),
action=constants.BLOCK_ACTION.COMMENT,
state=blockable.state,
score=blockable.score,
platform=constants.PLATFORM.WINDOWS,
client=constants.CLIENT.BIT9,
first_seen_file_name=blockable.first_seen_name,
cert_fingerprint=blockable.cert_id,
comment=message)
change_set.DeferCommitBlockableChangeSet(blockable.key)
# Update the blockable's is_installer property.
blockable.is_installer = new_policy == constants.RULE_POLICY.FORCE_INSTALLER
blockable.put()
return blockable.is_installer
def _SetInstallerPolicy(self, blockable_id, new_policy):
blockable = base_db.Blockable.get_by_id(blockable_id)
# pylint: disable=g-explicit-bool-comparison
installer_rule_query = bit9_db.Bit9Rule.query(
bit9_db.Bit9Rule.in_effect == True,
bit9_db.Bit9Rule.policy.IN(constants.RULE_POLICY.SET_INSTALLER),
ancestor=blockable.key)
# pylint: enable=g-explicit-bool-comparison
existing_rule = installer_rule_query.get()
if existing_rule:
if existing_rule.policy == new_policy:
return blockable.is_installer
else:
existing_rule.in_effect = False
existing_rule.put()
# Create the Bit9Rule associated with the installer state and a change set
# to commit it.
new_rule = bit9_db.Bit9Rule(
rule_type=blockable.rule_type,
in_effect=True,
policy=new_policy,
parent=blockable.key)
new_rule.put()
change = bit9_db.RuleChangeSet(
rule_keys=[new_rule.key],
change_type=new_rule.policy,
parent=blockable.key)
change.put()
base_db.AuditLog.Create(
blockable,
'User %s changing installer state to %s' % (
self.user.key.id(), new_policy))
change_set.DeferCommitBlockableChangeSet(blockable.key)
# Update the blockable's is_installer property.
blockable.is_installer = new_policy == constants.RULE_POLICY.FORCE_INSTALLER
blockable.put()
return blockable.is_installer
def _CheckAndResolveInstallerState(blockable_key, bit9_policy):
"""Ensures Bit9's installer state is consistent with Upvote policy.
If there is no Upvote policy or the existing policy conflicts with Bit9's, the
function creates rules to reflect Bit9's policy.
Args:
blockable_key: The key of the blockable that was blocked.
bit9_policy: RULE_POLICY.SET_INSTALLER, The installer force policy reported
by Bit9.
Yields:
Whether the installer state was changed.
"""
logging.info(
'Detected forced installer policy in Bit9 for ID=%s: policy=%s',
blockable_key.id(), bit9_policy)
assert ndb.in_transaction(), 'Policy changes require a transaction'
# pylint: disable=g-explicit-bool-comparison
installer_query = bit9.Bit9Rule.query(
bit9.Bit9Rule.in_effect == True,
ndb.OR(
bit9.Bit9Rule.policy == constants.RULE_POLICY.FORCE_INSTALLER,
bit9.Bit9Rule.policy == constants.RULE_POLICY.FORCE_NOT_INSTALLER),
ancestor=blockable_key)
# pylint: enable=g-explicit-bool-comparison
installer_rule = yield installer_query.get_async()
logging.info('Forced installer policy in Upvote for ID=%s: policy=%s',
blockable_key.id(),
('NONE' if installer_rule is None else installer_rule.policy))
has_existing_rule = installer_rule is not None
has_conflicting_rule = (has_existing_rule and installer_rule.is_committed
and installer_rule.policy != bit9_policy)
if has_existing_rule and not has_conflicting_rule:
# The existing rule matches the forced Bit9 policy so no rules need to be
# created.
raise ndb.Return(False)
elif has_conflicting_rule:
# If there is a conflicting policy in Upvote, disable it so the new one can
# take effect.
logging.warning(
'Forced installer status in Bit9 conflicts with Upvote')
installer_rule.in_effect = False
yield installer_rule.put_async()
logging.info('Importing detected forced installer status from Bit9')
# Create a rule to reflect the policy in Bit9. It's marked committed and
# fulfilled because the data's already in Bit9, after all.
new_rule = bit9.Bit9Rule(rule_type=constants.RULE_TYPE.BINARY,
in_effect=True,
is_committed=True,
is_fulfilled=True,
policy=bit9_policy,
parent=blockable_key)
yield new_rule.put_async()
raise ndb.Return(True)