예제 #1
0
 def setAttribute(self, attr, value, sessionData=None):
     if not sessionData or db.fieldACLAccess(
             sessionData, self.acl, attr, accessType="write"):
         if attr == "customSearch":
             value = helpers.unicodeEscapeDict(value)
     return super(_ingaGetScanUp,
                  self).setAttribute(attr, value, sessionData=sessionData)
예제 #2
0
    def run(self, data, persistentData, actionResult):
        if not hasattr(self, "plain_apiToken"):
            self.plain_apiToken = auth.getPasswordFromENC(self.apiToken)

        queryString = helpers.evalString(self.queryString, {"data": data})
        facetsString = helpers.evalString(self.facetsString, {"data": data})
        sapi = shodan._shodanapi(self.plain_apiToken)
        response = sapi.hostSearch(queryString, facetsString)
        responseData = response.text
        if response.status_code == 200:
            responseData = json.loads(responseData)
            for x, responseDataItem in enumerate(responseData["matches"]):
                responseData["matches"][x] = helpers.unicodeEscapeDict(
                    responseDataItem)
                try:
                    responseData["matches"][x]["ssl"]["cert"]["serial"] = str(
                        responseDataItem["ssl"]["cert"]["serial"])
                except:
                    pass
        actionResult["result"] = True
        actionResult["rc"] = response.status_code
        actionResult["data"] = responseData
        return actionResult
예제 #3
0
        def updateModelObject(modelName, objectID):
            class_ = loadModel(modelName)
            if class_:
                data = json.loads(api.request.data)
                if data["action"] == "update":
                    updateItemsList = []
                    changeLog = {}
                    data = data["data"]
                    _class = class_.classObject()().getAsClass(
                        api.g["sessionData"], id=objectID)
                    if len(_class) == 1:
                        _class = _class[0]
                        # Builds list of permitted ACL
                        access, accessIDs, adminBypass = db.ACLAccess(
                            api.g["sessionData"], _class.acl, "write")
                        if access:
                            for dataKey, dataValue in data.items():
                                fieldAccessPermitted = True
                                # Checking if sessionData is permitted field level access
                                if _class.acl and not adminBypass:
                                    fieldAccessPermitted = db.fieldACLAccess(
                                        api.g["sessionData"], _class.acl,
                                        dataKey, "write")

                                if fieldAccessPermitted:
                                    # _id is a protected mongodb object and cant be updated
                                    if dataKey != "_id":
                                        if hasattr(_class, dataKey):
                                            changeLog[dataKey] = {}
                                            changeLog[dataKey][
                                                "currentValue"] = getattr(
                                                    _class, dataKey)
                                            if type(getattr(_class,
                                                            dataKey)) is str:
                                                if dataValue:
                                                    if _class.setAttribute(
                                                            dataKey,
                                                            str(dataValue),
                                                            sessionData=api.
                                                            g["sessionData"]):
                                                        updateItemsList.append(
                                                            dataKey)
                                                        changeLog[dataKey][
                                                            "newValue"] = getattr(
                                                                _class,
                                                                dataKey)
                                            elif type(getattr(_class,
                                                              dataKey)) is int:
                                                try:
                                                    if _class.setAttribute(
                                                            dataKey,
                                                            int(dataValue),
                                                            sessionData=api.
                                                            g["sessionData"]):
                                                        updateItemsList.append(
                                                            dataKey)
                                                        changeLog[dataKey][
                                                            "newValue"] = getattr(
                                                                _class,
                                                                dataKey)
                                                except ValueError:
                                                    if _class.setAttribute(
                                                            dataKey,
                                                            0,
                                                            sessionData=api.
                                                            g["sessionData"]):
                                                        updateItemsList.append(
                                                            dataKey)
                                                        changeLog[dataKey][
                                                            "newValue"] = getattr(
                                                                _class,
                                                                dataKey)
                                            elif type(getattr(
                                                    _class, dataKey)) is float:
                                                try:
                                                    if _class.setAttribute(
                                                            dataKey,
                                                            float(dataValue),
                                                            sessionData=api.
                                                            g["sessionData"]):
                                                        updateItemsList.append(
                                                            dataKey)
                                                        changeLog[dataKey][
                                                            "newValue"] = getattr(
                                                                _class,
                                                                dataKey)
                                                except ValueError:
                                                    if _class.setAttribute(
                                                            dataKey,
                                                            0,
                                                            sessionData=api.
                                                            g["sessionData"]):
                                                        updateItemsList.append(
                                                            dataKey)
                                                        changeLog[dataKey][
                                                            "newValue"] = getattr(
                                                                _class,
                                                                dataKey)
                                            elif type(getattr(
                                                    _class, dataKey)) is bool:
                                                # Convert string object to bool
                                                if type(dataValue) is str:
                                                    if dataValue.lower(
                                                    ) == "true":
                                                        dataValue = True
                                                    else:
                                                        dataValue = False
                                                if _class.setAttribute(
                                                        dataKey,
                                                        dataValue,
                                                        sessionData=api.
                                                        g["sessionData"]):
                                                    updateItemsList.append(
                                                        dataKey)
                                                    changeLog[dataKey][
                                                        "newValue"] = getattr(
                                                            _class, dataKey)
                                            elif type(getattr(
                                                    _class,
                                                    dataKey)) is dict or type(
                                                        getattr(
                                                            _class,
                                                            dataKey)) is list:
                                                if dataValue:
                                                    if _class.setAttribute(
                                                            dataKey,
                                                            json.loads(
                                                                dataValue),
                                                            sessionData=api.
                                                            g["sessionData"]):
                                                        updateItemsList.append(
                                                            dataKey)
                                                        changeLog[dataKey][
                                                            "newValue"] = getattr(
                                                                _class,
                                                                dataKey)
                            # Commit back to database
                            if updateItemsList:
                                _class.update(updateItemsList)
                                # Adding audit record
                                if "_id" in api.g["sessionData"]:
                                    audit._audit().add(
                                        "model", "update", {
                                            "_id":
                                            api.g["sessionData"]["_id"],
                                            "objects":
                                            helpers.unicodeEscapeDict(
                                                changeLog)
                                        })
                                else:
                                    audit._audit().add(
                                        "model", "update", {
                                            "objects":
                                            helpers.unicodeEscapeDict(
                                                changeLog)
                                        })
                            return {}, 200
                        else:
                            return {}, 403
            return {}, 404
예제 #4
0
def setConductFlow(conductID, flowID):
    # List of attributes that are prevented from updating - this needs to be made more dynamic and part of class design
    unsafeUpdateList = [
        "_id", "classID", "lastCheck", "lastRun", "lastResult", "workerID",
        "startCheck"
    ]

    conductObj = conduct._conduct().query(api.g["sessionData"],
                                          id=conductID)["results"]
    conductObj = conductObj[0]
    conductObj = conduct._conduct().getAsClass(api.g["sessionData"],
                                               id=conductObj["_id"])
    if len(conductObj) == 1:
        conductObj = conductObj[0]
    else:
        return {}, 404
    flow = [x for x in conductObj.flow if x["flowID"] == flowID]
    if len(flow) == 1:
        flow = flow[0]
        data = json.loads(api.request.data)
        modelFlowObject = None
        # Check if the modelType and object are unchanged
        if "type" in flow:
            if flow["type"] == "trigger":
                modelFlowObject = trigger._trigger().getAsClass(
                    api.g["sessionData"],
                    id=flow["{0}{1}".format(flow["type"], "ID")])
                if len(modelFlowObject) == 1:
                    modelFlowObject = modelFlowObject[0]
                modelFlowObjectType = "trigger"
            if flow["type"] == "action":
                modelFlowObject = action._action().getAsClass(
                    api.g["sessionData"],
                    id=flow["{0}{1}".format(flow["type"], "ID")])
                if len(modelFlowObject) == 1:
                    modelFlowObject = modelFlowObject[0]
                modelFlowObjectType = "action"

            # Was it possible to load an existing object
            if modelFlowObject:
                # Check that the object model is still the same
                if modelFlowObject.classID == data["newClassID"]:
                    # Get flow object correct class
                    _class = model._model().getAsClass(
                        api.g["sessionData"], id=modelFlowObject.classID)
                    if len(_class) == 1:
                        _class = _class[0]
                        _class = _class.classObject()
                    else:
                        return {}, 404
                    modelFlowObject = _class().getAsClass(
                        api.g["sessionData"], id=modelFlowObject._id)
                    if len(modelFlowObject) == 1:
                        modelFlowObject = modelFlowObject[0]
                    else:
                        return {}, 404
                else:
                    modelFlowObject = None

        # New object required
        if not modelFlowObject:
            _class = model._model().getAsClass(api.g["sessionData"],
                                               id=data["newClassID"])
            if _class:
                _class = _class[0].classObject()
                # Bug exists as name value is not requried by db class but is for core models - this could result in an error if new model is added that does not accept name within new function override
                newFlowObjectID = _class().new(flow["flowID"]).inserted_id

                # Working out by bruteforce which type this is ( try and load it by parent class and check for error) - get on trigger if it does not exist will return None
                modelFlowObjectType = "action"
                if len(trigger._trigger().getAsClass(api.g["sessionData"],
                                                     id=newFlowObjectID)) > 0:
                    modelFlowObjectType = "trigger"
                modelFlowObject = _class().getAsClass(api.g["sessionData"],
                                                      id=newFlowObjectID)
                if len(modelFlowObject) == 1:
                    modelFlowObject = modelFlowObject[0]
                else:
                    return {}, 404
                modelFlowObject.acl = {
                    "ids": [{
                        "accessID": api.g["sessionData"]["primaryGroup"],
                        "read": True,
                        "write": True,
                        "delete": True
                    }]
                }
                modelFlowObject.update(["acl"])

                # Set conduct flow to correct type and objectID
                flow["type"] = modelFlowObjectType
                flow["{0}{1}".format(modelFlowObjectType,
                                     "ID")] = str(newFlowObjectID)
                conductObj.update(["flow"], sessionData=api.g["sessionData"])

        # Updating new or existing modeFlowObject
        if modelFlowObject:
            updateItemsList = []
            changeLog = {}
            # Getting schema information so types can be set correctly
            class_ = model._model().getAsClass(api.g["sessionData"],
                                               id=modelFlowObject.classID)
            if class_:
                _class = modelFlowObject
                # Builds list of permitted ACL
                access, accessIDs, adminBypass = db.ACLAccess(
                    api.g["sessionData"], _class.acl, "write")
                if access:
                    for dataKey, dataValue in data.items():
                        fieldAccessPermitted = True
                        # Checking if sessionData is permitted field level access
                        if _class.acl and not adminBypass:
                            fieldAccessPermitted = db.fieldACLAccess(
                                api.g["sessionData"], _class.acl, dataKey,
                                "write")
                        if fieldAccessPermitted:
                            # Change update database entry _id
                            if dataKey not in unsafeUpdateList:
                                if hasattr(_class, dataKey):
                                    changeLog[dataKey] = {}
                                    changeLog[dataKey][
                                        "currentValue"] = getattr(
                                            _class, dataKey)
                                    if type(getattr(_class, dataKey)) is str:
                                        if dataValue:
                                            if _class.setAttribute(
                                                    dataKey,
                                                    str(dataValue),
                                                    sessionData=api.
                                                    g["sessionData"]):
                                                updateItemsList.append(dataKey)
                                                changeLog[dataKey][
                                                    "newValue"] = getattr(
                                                        _class, dataKey)
                                    elif type(getattr(_class, dataKey)) is int:
                                        try:
                                            if _class.setAttribute(
                                                    dataKey,
                                                    int(dataValue),
                                                    sessionData=api.
                                                    g["sessionData"]):
                                                updateItemsList.append(dataKey)
                                                changeLog[dataKey][
                                                    "newValue"] = getattr(
                                                        _class, dataKey)
                                        except ValueError:
                                            if _class.setAttribute(
                                                    dataKey,
                                                    0,
                                                    sessionData=api.
                                                    g["sessionData"]):
                                                updateItemsList.append(dataKey)
                                                changeLog[dataKey][
                                                    "newValue"] = getattr(
                                                        _class, dataKey)
                                    elif type(getattr(_class,
                                                      dataKey)) is float:
                                        try:
                                            if _class.setAttribute(
                                                    dataKey,
                                                    float(dataValue),
                                                    sessionData=api.
                                                    g["sessionData"]):
                                                updateItemsList.append(dataKey)
                                                changeLog[dataKey][
                                                    "newValue"] = getattr(
                                                        _class, dataKey)
                                        except ValueError:
                                            if _class.setAttribute(
                                                    dataKey,
                                                    0,
                                                    sessionData=api.
                                                    g["sessionData"]):
                                                updateItemsList.append(dataKey)
                                                changeLog[dataKey][
                                                    "newValue"] = getattr(
                                                        _class, dataKey)
                                    elif type(getattr(_class,
                                                      dataKey)) is bool:
                                        if _class.setAttribute(
                                                dataKey,
                                                bool(dataValue),
                                                sessionData=api.
                                                g["sessionData"]):
                                            updateItemsList.append(dataKey)
                                            changeLog[dataKey][
                                                "newValue"] = getattr(
                                                    _class, dataKey)
                                    elif type(getattr(
                                            _class, dataKey)) is dict or type(
                                                getattr(_class,
                                                        dataKey)) is list:
                                        if dataValue:
                                            if _class.setAttribute(
                                                    dataKey,
                                                    json.loads(dataValue),
                                                    sessionData=api.
                                                    g["sessionData"]):
                                                updateItemsList.append(dataKey)
                                                changeLog[dataKey][
                                                    "newValue"] = getattr(
                                                        _class, dataKey)
                    # Commit back to database
                    if updateItemsList:
                        _class.update(updateItemsList,
                                      sessionData=api.g["sessionData"])
                        # Adding audit record
                        if "_id" in api.g["sessionData"]:
                            audit._audit().add(
                                "model", "update", {
                                    "_id": api.g["sessionData"]["_id"],
                                    "objects":
                                    helpers.unicodeEscapeDict(changeLog)
                                })
                        else:
                            audit._audit().add("model", "update", {
                                "objects":
                                helpers.unicodeEscapeDict(changeLog)
                            })
                    return {"type": modelFlowObjectType}, 200
                else:
                    return {}, 403
    return {}, 404
예제 #5
0
    def run(self, data, persistentData, actionResult):
        # Is this a clear event passed by the occurrence clear notifier?
        if "clearOccurrence" in data:
            actionResult["result"] = True
            actionResult["rc"] = 205
            return actionResult
        elif "000000000001010000000000" in str(self._id):
            actionResult["result"] = True
            actionResult["rc"] = 201
            actionResult[
                "msg"] = "Occurrence ran within codify, always results in 201 created"
            return actionResult

        match = "{0}-{1}".format(
            self._id,
            helpers.evalString(self.occurrenceMatchString, {"data": data}))
        # Check for existing occurrence matches
        foundOccurrence = cache.globalCache.get("occurrenceCacheMatch",
                                                match,
                                                getOccurrenceObject,
                                                customCacheTime=self.lullTime,
                                                nullUpdate=True)
        if foundOccurrence == None:
            # Raising new occurrence and assuming the database took the object as expected
            newOccurrence = occurrence._occurrence().bulkNew(
                self, match, helpers.unicodeEscapeDict(data), self.acl,
                self.bulkClass)
            cache.globalCache.insert("occurrenceCacheMatch", match,
                                     newOccurrence)
            logging.debug(
                "Occurrence Created async, actionID='{0}'".format(self._id), 7)
            actionResult["result"] = True
            actionResult["rc"] = 201
            try:
                persistentData["plugin"]["occurrence"].append(newOccurrence)
            except:
                persistentData["plugin"]["occurrence"] = [newOccurrence]
            arrayIndex = len(persistentData["plugin"]["occurrence"]) - 1
            actionResult["occurrenceIndex"] = arrayIndex
            return actionResult
        else:
            if foundOccurrence._id != "":
                # Checking if we should only update db when less than half lullTime is left ( reduced db load )
                if self.dbSlowUpdate and (int(time.time()) -
                                          foundOccurrence.lastOccurrenceTime
                                          ) < self.lullTime / 2:
                    actionResult["result"] = True
                    actionResult["rc"] = 302
                    return actionResult
                # Updating existing occurrences
                foundOccurrence.lastOccurrenceTime = int(time.time())
                foundOccurrence.lullTime = (
                    foundOccurrence.lastOccurrenceTime + self.lullTime)
                foundOccurrence.lullTimeExpired = self.lullTimeExpiredCount
                foundOccurrence.bulkUpdate(
                    ["lastOccurrenceTime", "lullTime", "lullTimeExpired"],
                    self.bulkClass)
                actionResult["data"]["occurrenceData"] = foundOccurrence.data
                logging.debug(
                    "Occurrence Updated, occurrenceID='{0}' actionID='{1}'".
                    format(foundOccurrence._id, self._id), 7)
                actionResult["result"] = True
                actionResult["rc"] = 302
                try:
                    persistentData["plugin"]["occurrence"].append(
                        foundOccurrence)
                except:
                    persistentData["plugin"]["occurrence"] = [foundOccurrence]
                arrayIndex = len(persistentData["plugin"]["occurrence"]) - 1
                actionResult["occurrenceIndex"] = arrayIndex
                return actionResult
            else:
                logging.debug(
                    "Occurrence Update Failed - NO ID, actionID='{0}'".format(
                        self._id), 7)
                actionResult["result"] = False
                actionResult["rc"] = 500
                return actionResult
예제 #6
0
 def getStatistics(self, xyStatisticsDict):
     query = {"_id": db.ObjectId(self._id)}
     doc = self._dbCollection.find_one(query)
     return helpers.unicodeEscapeDict(doc["statistics"])