예제 #1
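 def setAttribute(self,attr,value,sessionData=None):
     """Set ``attr`` on this object, protecting a plaintext ``password`` first.

     A ``password`` value that does not already start with ``"ENC "`` is
     passed through ``auth.getENCFromPassword`` (presumably the encrypted
     form; confirm against ``auth``) and stored with the ``"ENC "`` prefix.
     Every other attribute, and any password that already carries the
     prefix, is delegated to the parent class setter.

     Returns:
         True when the protected password was stored, False when
         ``db.fieldACLAccess`` refused write access to the field, otherwise
         whatever the parent ``setAttribute`` returns.
     """
     if attr == "password" and not value.startswith("ENC "):
         if db.fieldACLAccess(sessionData,self.acl,attr,accessType="write"):
             # The format string needs the "{0}" placeholder: without it the
             # result of getENCFromPassword() was discarded and a constant
             # string was stored in place of the credential. The "ENC " prefix
             # is also what the guard above tests for on later writes.
             self.password = "ENC {0}".format(auth.getENCFromPassword(value))
             return True
         return False
     # NOTE(review): values already prefixed with "ENC " are stored as given by
     # the parent setter, so that path relies on the parent's own access check.
     return super(_testFire, self).setAttribute(attr,value,sessionData=sessionData)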
예제 #2
 def setAttribute(self, attr, value, sessionData=None):
     """Set ``attr``, escaping ``customSearch`` values before they are stored.

     The value is run through ``helpers.unicodeEscapeDict`` when the attribute
     is ``customSearch`` and either no session was supplied or the session has
     field-level write access. The actual write is always delegated to the
     parent class setter, whose result is returned.
     """
     # A missing/empty sessionData is treated as permitted here.
     # NOTE(review): when the field ACL check fails the value still reaches the
     # parent setter, only unescaped; presumably the parent enforces the ACL
     # again - confirm.
     escapeAllowed = not sessionData or db.fieldACLAccess(
         sessionData, self.acl, attr, accessType="write")
     if escapeAllowed and attr == "customSearch":
         value = helpers.unicodeEscapeDict(value)
     parentSetter = super(_ingaGetScanUp, self).setAttribute
     return parentSetter(attr, value, sessionData=sessionData)
예제 #3
def deleteFlowLink(conductID, fromFlowID, toFlowID):
    """Remove the link ``fromFlowID -> toFlowID`` from a conduct's flow list.

    Returns a ``(body, status)`` tuple:
        ``({}, 200)`` when the link was removed and the conduct saved,
        ``({}, 403)`` when the session lacks write access to the conduct or
        field-level delete access to ``flow``,
        ``({}, 404)`` when the conduct, the source flow or the link is missing.
    """
    matches = conduct._conduct().getAsClass(api.g["sessionData"],
                                            id=conductID)
    if len(matches) != 1:
        return {}, 404
    conductObj = matches[0]

    # Object-level check first: the session must hold "write" on the conduct.
    access, accessIDs, adminBypass = db.ACLAccess(api.g["sessionData"],
                                                  conductObj.acl, "write")
    if not access:
        return {}, 403

    sourceFlows = [x for x in conductObj.flow if x["flowID"] == fromFlowID]
    if len(sourceFlows) > 0:
        sourceFlow = sourceFlows[0]
        for link in sourceFlow["next"]:
            if link["flowID"] != toFlowID:
                continue
            # Field-level check: removing a link needs "delete" on "flow".
            if not db.fieldACLAccess(api.g["sessionData"], conductObj.acl,
                                     "flow", "delete"):
                return {}, 403
            position = conductObj.flow.index(sourceFlow)
            conductObj.flow[position]["next"].remove(link)
            conductObj.update(["flow"])
            return {}, 200
    # Either the source flow does not exist or it has no link to toFlowID.
    return {}, 404
예제 #4
 def setAttribute(self, attr, value, sessionData=None):
     """Set ``attr``, storing a plaintext ``url`` in its ``"ENC "`` form.

     A ``url`` that does not already start with ``"ENC "`` is passed through
     ``auth.getENCFromPassword`` and saved with that prefix, provided the
     session has field-level write access. Anything else goes to the parent
     class setter.

     Returns:
         True when the url was stored, False when write access to the field
         was refused, otherwise the parent setter's result.
     """
     needsProtecting = attr == "url" and not value.startswith("ENC ")
     if not needsProtecting:
         # NOTE(review): an already-prefixed value is stored as given, so this
         # path depends on the parent setter's own access check.
         parentSetter = super(_microsoftteamswebhooksPostMessage,
                              self).setAttribute
         return parentSetter(attr, value, sessionData=sessionData)
     if not db.fieldACLAccess(sessionData, self.acl, attr,
                              accessType="write"):
         return False
     protected = auth.getENCFromPassword(value)
     self.url = "ENC {0}".format(protected)
     return True
예제 #5
 def setAttribute(self, attr, value, sessionData=None):
     """Set ``attr``, storing a plaintext ``apiToken`` in its ``"ENC "`` form.

     Returns True when the token was stored, False when field-level write
     access was refused, and the parent setter's result for every other
     attribute or for a token that already starts with ``"ENC "``.
     """
     # Not the token, or a token that already carries the prefix: the parent
     # class handles the write (and, presumably, its access check).
     if attr != "apiToken" or value.startswith("ENC "):
         return super(_shodanGetHostByIP,
                      self).setAttribute(attr, value, sessionData=sessionData)

     mayWrite = db.fieldACLAccess(sessionData,
                                  self.acl,
                                  attr,
                                  accessType="write")
     if mayWrite:
         # Only the output of getENCFromPassword is kept on the object.
         self.apiToken = "ENC {0}".format(auth.getENCFromPassword(value))
         return True
     return False
예제 #6
 def setAttribute(self, attr, value, sessionData=None):
     """Set ``attr``; a plaintext ``apiToken`` is converted before storage.

     The token is passed through ``auth.getENCFromPassword`` and saved with an
     ``"ENC "`` prefix when the session holds field-level write access.

     Returns:
         True on a stored token, False on an ACL refusal, otherwise the value
         returned by the parent class setter.
     """
     isPlainToken = attr == "apiToken" and not value.startswith("ENC ")
     if isPlainToken:
         allowed = db.fieldACLAccess(sessionData,
                                     self.acl,
                                     attr,
                                     accessType="write")
         if not allowed:
             return False
         encoded = auth.getENCFromPassword(value)
         self.apiToken = "ENC {0}".format(encoded)
         return True
     # Other attributes and pre-prefixed tokens are written by the parent.
     return super(_whoisxmlapiDomainAvailabilityCheck,
                  self).setAttribute(attr, value, sessionData=sessionData)
예제 #7
 def setAttribute(self, attr, value, sessionData=None):
     """Set ``attr``, keeping ``client_secret`` out of storage in plain form.

     A ``client_secret`` without the ``"ENC "`` prefix is passed through
     ``auth.getENCFromPassword`` and stored with the prefix, subject to a
     field-level write check. All other writes are delegated to the parent.

     Returns:
         True when the secret was stored, False when the ACL check failed,
         otherwise the parent setter's return value.
     """
     if attr != "client_secret" or value.startswith("ENC "):
         # NOTE(review): a value that already starts with "ENC " is accepted
         # as-is; the parent setter is the only check on that path.
         delegate = super(_azurebotserviceUpdateActivity, self).setAttribute
         return delegate(attr, value, sessionData=sessionData)

     if not db.fieldACLAccess(sessionData,
                              self.acl,
                              attr,
                              accessType="write"):
         return False

     self.client_secret = "ENC {0}".format(auth.getENCFromPassword(value))
     return True
예제 #8
 def setAttribute(self, attr, value, sessionData=None):
     """Set ``attr`` with special handling for the query and the API token.

     * ``searchQuery``: stores the new query and clears ``humioJob`` (set to
       an empty string), so the two are always written together.
     * ``humioAPIToken`` without an ``"ENC "`` prefix: stored as ``"ENC "``
       plus the result of ``auth.getENCFromPassword``.

     Both paths require field-level write access and return True on success or
     False on refusal. Every other write is delegated to the parent setter.
     """
     if attr == "searchQuery":
         if not db.fieldACLAccess(sessionData,
                                  self.acl,
                                  attr,
                                  accessType="write"):
             return False
         self.humioJob = ""
         self.searchQuery = value
         return True

     tokenNeedsProtecting = (attr == "humioAPIToken"
                             and not value.startswith("ENC "))
     if tokenNeedsProtecting:
         if not db.fieldACLAccess(sessionData,
                                  self.acl,
                                  attr,
                                  accessType="write"):
             return False
         protectedToken = auth.getENCFromPassword(value)
         self.humioAPIToken = "ENC {0}".format(protectedToken)
         return True

     parentSetter = super(_humioSearch, self).setAttribute
     return parentSetter(attr, value, sessionData=sessionData)
예제 #9
        def updateModelObject(modelName, objectID):
            """Apply a JSON ``update`` request to one object of ``modelName``.

            The request body must be JSON with ``"action": "update"`` and a
            ``"data"`` mapping of attribute name to new value. Each value is
            converted to the type of the attribute currently held by the
            object before ``setAttribute`` is called with the session.

            Returns a ``(body, status)`` tuple:
                ``({}, 200)`` once the permitted fields have been processed,
                ``({}, 403)`` when the session lacks write access,
                ``({}, 404)`` for an unknown model, another action, or an
                object lookup that does not yield exactly one result.
            """
            class_ = loadModel(modelName)
            if not class_:
                return {}, 404
            data = json.loads(api.request.data)
            if data["action"] != "update":
                return {}, 404

            updateItemsList = []
            changeLog = {}
            data = data["data"]
            found = class_.classObject()().getAsClass(api.g["sessionData"],
                                                      id=objectID)
            if len(found) != 1:
                return {}, 404
            _class = found[0]

            # Object-level ACL: the session needs "write" on the object.
            access, accessIDs, adminBypass = db.ACLAccess(
                api.g["sessionData"], _class.acl, "write")
            if not access:
                return {}, 403

            def applyValue(fieldName, newValue):
                # Write through setAttribute (which receives the session) and
                # record the field only when the setter reports success.
                if _class.setAttribute(fieldName,
                                       newValue,
                                       sessionData=api.g["sessionData"]):
                    updateItemsList.append(fieldName)
                    changeLog[fieldName]["newValue"] = getattr(
                        _class, fieldName)

            for dataKey, dataValue in data.items():
                # Field-level ACL applies only when the object has an ACL and
                # the session is not an admin bypass.
                if _class.acl and not adminBypass:
                    if not db.fieldACLAccess(api.g["sessionData"], _class.acl,
                                             dataKey, "write"):
                        continue
                # _id is a protected mongodb object and cant be updated
                # NOTE(review): "_id" is the only name excluded here; any other
                # existing attribute named in the request is a candidate for
                # update - confirm that is intended.
                if dataKey == "_id" or not hasattr(_class, dataKey):
                    continue

                currentValue = getattr(_class, dataKey)
                changeLog[dataKey] = {}
                changeLog[dataKey]["currentValue"] = currentValue
                currentType = type(currentValue)

                if currentType is str:
                    # Empty/falsy values never overwrite a string field.
                    if dataValue:
                        applyValue(dataKey, str(dataValue))
                elif currentType is int:
                    try:
                        applyValue(dataKey, int(dataValue))
                    except ValueError:
                        # Unparseable numbers fall back to 0.
                        applyValue(dataKey, 0)
                elif currentType is float:
                    try:
                        applyValue(dataKey, float(dataValue))
                    except ValueError:
                        applyValue(dataKey, 0)
                elif currentType is bool:
                    # Convert string object to bool
                    if type(dataValue) is str:
                        dataValue = dataValue.lower() == "true"
                    applyValue(dataKey, dataValue)
                elif currentType is dict or currentType is list:
                    # Containers arrive as JSON text inside the JSON body.
                    if dataValue:
                        applyValue(dataKey, json.loads(dataValue))

            # Commit back to database
            if updateItemsList:
                _class.update(updateItemsList)
                # Adding audit record; the acting user's _id is included when
                # the session carries one. The record holds the old and new
                # value of every changed field.
                addAuditRecord = audit._audit().add
                auditEntry = {}
                if "_id" in api.g["sessionData"]:
                    auditEntry["_id"] = api.g["sessionData"]["_id"]
                auditEntry["objects"] = helpers.unicodeEscapeDict(changeLog)
                addAuditRecord("model", "update", auditEntry)
            return {}, 200
예제 #10
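def setConductFlow(conductID, flowID):
    """Create or update the trigger/action object behind one conduct flow.

    The JSON request body carries ``newClassID`` plus the attribute values to
    apply. If the flow already points at an object of that class it is
    updated in place; otherwise a new object of ``newClassID`` is created,
    given an ACL for the session's primary group and linked into the flow.

    Returns a ``(body, status)`` tuple:
        ``({"type": "trigger" | "action"}, 200)`` once the object has been
        processed, ``({}, 403)`` when the session lacks write access to it,
        ``({}, 404)`` when the conduct, flow, class or object is not found.
    """
    # List of attributes that are prevented from updating - this needs to be made more dynamic and part of class design
    unsafeUpdateList = [
        "_id", "classID", "lastCheck", "lastRun", "lastResult", "workerID",
        "startCheck"
    ]

    conductResults = conduct._conduct().query(api.g["sessionData"],
                                              id=conductID)["results"]
    # An empty result used to raise IndexError on [0]; answer 404 like every
    # other failed lookup in this handler.
    if not conductResults:
        return {}, 404
    conductObj = conduct._conduct().getAsClass(api.g["sessionData"],
                                               id=conductResults[0]["_id"])
    if len(conductObj) == 1:
        conductObj = conductObj[0]
    else:
        return {}, 404
    flow = [x for x in conductObj.flow if x["flowID"] == flowID]
    if len(flow) != 1:
        return {}, 404
    flow = flow[0]
    data = json.loads(api.request.data)
    modelFlowObject = None
    # Check if the modelType and object are unchanged
    if "type" in flow:
        if flow["type"] == "trigger":
            modelFlowObject = trigger._trigger().getAsClass(
                api.g["sessionData"],
                id=flow["{0}{1}".format(flow["type"], "ID")])
            if len(modelFlowObject) == 1:
                modelFlowObject = modelFlowObject[0]
            modelFlowObjectType = "trigger"
        if flow["type"] == "action":
            modelFlowObject = action._action().getAsClass(
                api.g["sessionData"],
                id=flow["{0}{1}".format(flow["type"], "ID")])
            if len(modelFlowObject) == 1:
                modelFlowObject = modelFlowObject[0]
            modelFlowObjectType = "action"

        # Was it possible to load an existing object
        if modelFlowObject:
            # Check that the object model is still the same
            if modelFlowObject.classID == data["newClassID"]:
                # Get flow object correct class
                _class = model._model().getAsClass(
                    api.g["sessionData"], id=modelFlowObject.classID)
                if len(_class) == 1:
                    _class = _class[0]
                    _class = _class.classObject()
                else:
                    return {}, 404
                modelFlowObject = _class().getAsClass(
                    api.g["sessionData"], id=modelFlowObject._id)
                if len(modelFlowObject) == 1:
                    modelFlowObject = modelFlowObject[0]
                else:
                    return {}, 404
            else:
                modelFlowObject = None

    # New object required
    # NOTE(review): no db.ACLAccess check on conductObj is visible before a new
    # object is created and linked into the conduct below. conductObj.update is
    # passed sessionData and may enforce access itself - confirm.
    if not modelFlowObject:
        _class = model._model().getAsClass(api.g["sessionData"],
                                           id=data["newClassID"])
        if _class:
            _class = _class[0].classObject()
            # Bug exists as name value is not requried by db class but is for core models - this could result in an error if new model is added that does not accept name within new function override
            newFlowObjectID = _class().new(flow["flowID"]).inserted_id

            # Working out by bruteforce which type this is ( try and load it by parent class and check for error) - get on trigger if it does not exist will return None
            modelFlowObjectType = "action"
            if len(trigger._trigger().getAsClass(api.g["sessionData"],
                                                 id=newFlowObjectID)) > 0:
                modelFlowObjectType = "trigger"
            modelFlowObject = _class().getAsClass(api.g["sessionData"],
                                                  id=newFlowObjectID)
            if len(modelFlowObject) == 1:
                modelFlowObject = modelFlowObject[0]
            else:
                return {}, 404
            # The creator's primary group receives full access to the new
            # object.
            modelFlowObject.acl = {
                "ids": [{
                    "accessID": api.g["sessionData"]["primaryGroup"],
                    "read": True,
                    "write": True,
                    "delete": True
                }]
            }
            modelFlowObject.update(["acl"])

            # Set conduct flow to correct type and objectID
            flow["type"] = modelFlowObjectType
            flow["{0}{1}".format(modelFlowObjectType,
                                 "ID")] = str(newFlowObjectID)
            conductObj.update(["flow"], sessionData=api.g["sessionData"])

    # Updating new or existing modeFlowObject
    if modelFlowObject:
        updateItemsList = []
        changeLog = {}
        # Getting schema information so types can be set correctly
        class_ = model._model().getAsClass(api.g["sessionData"],
                                           id=modelFlowObject.classID)
        if class_:
            _class = modelFlowObject
            # Builds list of permitted ACL
            access, accessIDs, adminBypass = db.ACLAccess(
                api.g["sessionData"], _class.acl, "write")
            if not access:
                return {}, 403

            def applyValue(fieldName, newValue):
                # Write through setAttribute (which receives the session) and
                # record the field only when the setter reports success.
                if _class.setAttribute(fieldName,
                                       newValue,
                                       sessionData=api.g["sessionData"]):
                    updateItemsList.append(fieldName)
                    changeLog[fieldName]["newValue"] = getattr(
                        _class, fieldName)

            for dataKey, dataValue in data.items():
                # Checking if sessionData is permitted field level access
                if _class.acl and not adminBypass:
                    if not db.fieldACLAccess(api.g["sessionData"],
                                             _class.acl, dataKey, "write"):
                        continue
                # Bookkeeping attributes are never writable from a request.
                if dataKey in unsafeUpdateList:
                    continue
                if not hasattr(_class, dataKey):
                    continue

                currentValue = getattr(_class, dataKey)
                changeLog[dataKey] = {}
                changeLog[dataKey]["currentValue"] = currentValue
                currentType = type(currentValue)

                if currentType is str:
                    # Empty/falsy values never overwrite a string field.
                    if dataValue:
                        applyValue(dataKey, str(dataValue))
                elif currentType is int:
                    try:
                        applyValue(dataKey, int(dataValue))
                    except ValueError:
                        # Unparseable numbers fall back to 0.
                        applyValue(dataKey, 0)
                elif currentType is float:
                    try:
                        applyValue(dataKey, float(dataValue))
                    except ValueError:
                        applyValue(dataKey, 0)
                elif currentType is bool:
                    # bool("false") is True, so a flag submitted as the text
                    # "false" would have been switched on; treat that text as
                    # False and keep plain truthiness for everything else.
                    if (isinstance(dataValue, str)
                            and dataValue.lower() == "false"):
                        applyValue(dataKey, False)
                    else:
                        applyValue(dataKey, bool(dataValue))
                elif currentType is dict or currentType is list:
                    # Containers arrive as JSON text inside the JSON body.
                    if dataValue:
                        applyValue(dataKey, json.loads(dataValue))

            # Commit back to database
            if updateItemsList:
                _class.update(updateItemsList,
                              sessionData=api.g["sessionData"])
                # Adding audit record; the acting user's _id is included when
                # the session carries one. The record holds the old and new
                # value of every changed field.
                auditEntry = {}
                if "_id" in api.g["sessionData"]:
                    auditEntry["_id"] = api.g["sessionData"]["_id"]
                auditEntry["objects"] = helpers.unicodeEscapeDict(changeLog)
                audit._audit().add("model", "update", auditEntry)
            return {"type": modelFlowObjectType}, 200
    return {}, 404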