def create_invites():
recipient = request.json['recipient']
sender = request.json['sender']
recipient_user = users.find_one({'email': recipient})
recipient_invite = invites.find_one({'recipient': recipient})
sender_user = users.find_one({'email': sender})
# issue #120
# To ensure no duplicate invitation is allowed, and to ensure
# we don't corrupt user record in user table, any POST invitation
# must check
# (1) if user is not created in users collection - FALSE
# (2) if user is created, BUT status is not 'invited' - FALSE
# (3) recipient email is found in existing invitation record - FALSE
if not recipient_user:
return jsonify(success=False,
reason='recipient-not-found-in-user-record')
elif recipient_user.get('status') != 'invited':
return jsonify(success=False,
reason='recipient-already-joined')
if recipient_invite:
return jsonify(success=False,
reason='duplicate-invitation-not-allowed')
if not sender_user:
return jsonify(success=False,
reason='sender-not-found-in-user-record')
invite_id = str(uuid.uuid4())
# some users may not have name filled out?
invite = {'id': invite_id,
'recipient': recipient,
'recipient_name': recipient_user['name'] or recipient,
'sender': sender,
'sender_name': sender_user['name'] or sender,
'sent_on': None,
'accepted_on': None,
'status': 'pending',
'expire_on': None,
'max_time_allowed': request.json.get('max_time_allowed') \
or backend_config.get('invitation').get('max_time_allowed')}
backend_utils.send_invite(
invite['recipient'],
invite['recipient_name'],
invite['sender'],
invite['sender_name'],
request.json['base_url'],
invite_id)
invite['sent_on'] = datetime.datetime.utcnow()
invite['expire_on'] = invite['sent_on'] + \
datetime.timedelta(seconds=invite['max_time_allowed'])
invites.insert(invite)
return jsonify(success=True, invite=sanitize_invite(invite))
def update_user(user_email):
new_user = request.json
# Verify the incoming user: user must exist, groups must exist, role must exist
old_user = users.find_one({'email': user_email})
if old_user is None:
return jsonify(success=False, reason='unknown-user')
old_user['groups'] = _find_groups_for_user(user_email)
old_user['sites'] = _find_sites_for_user(user_email)
if 'groups' in new_user:
for group_name in new_user.get('groups', []):
if not _check_group_exists(group_name):
return jsonify(success=False, reason='unknown-group')
if 'role' in new_user:
if new_user["role"] not in ("user", "administrator"):
return jsonify(success=False, reason="invalid-role")
if 'status' in new_user:
if new_user['status'] not in ('active', 'banned'):
return jsonify(success=False, reason='unknown-status-option')
# Update the group memberships
if 'groups' in new_user:
# Add new groups
for group_name in new_user.get('groups', []):
if group_name not in old_user['groups']:
groups.update({'name': group_name},
{'$addToSet': {
'users': user_email
}})
# Remove old groups
for group_name in old_user['groups']:
if group_name not in new_user.get('groups', []):
groups.update({'name': group_name},
{'$pull': {
'users': user_email
}})
# Modify the user
changes = {}
if 'name' in new_user:
changes['name'] = new_user['name']
if 'role' in new_user:
changes['role'] = new_user['role']
if 'groups' in new_user:
changes['groups'] = new_user['groups']
if 'status' in new_user:
changes['status'] = new_user['status']
users.update({'email': user_email}, {'$set': changes})
# Return the updated user
user = users.find_one({'email': user_email})
if not user:
return jsonify(success=False, reason='unknown-user')
user['groups'] = _find_groups_for_user(user_email)
return jsonify(success=True, user=sanitize_user(user))
def login_user():
email = request.json['email']
user = users.find_one({'email': email})
if user:
if user['status'] == 'active':
timestamp = datetime.datetime.utcnow()
users.update({'email': email}, {'$set': {'last_login': timestamp}})
user = users.find_one({'email': email})
return jsonify(success=True, user=sanitize_user(user))
else:
return jsonify(success=False, reason=user['status'])
else:
return jsonify(success=False, reason='user-does-not-exist')
def login_user():
email = request.json['email']
user = users.find_one({'email': email})
if user:
if user['status'] == 'active':
timestamp = datetime.datetime.utcnow()
users.update({'email': email}, {'$set': {'last_login': timestamp}})
user = users.find_one({'email': email})
return jsonify(success=True, user=sanitize_user(user))
else:
return jsonify(success=False, reason=user['status'])
else:
return jsonify(success=False, reason='user-does-not-exist')
def create_user():
user = request.json
# Verify incoming user: email must not exist yet, groups must exist, role must exist
if users.find_one({'email': user['email']}) is not None:
return jsonify(success=False, reason='user-already-exists')
for group_name in user.get('groups', []):
if not _check_group_exists(group_name):
return jsonify(success=False, reason='unknown-group')
if user.get("role") not in ("user", "administrator"):
return jsonify(success=False, reason="invalid-role")
new_user = {
'id': str(uuid.uuid4()),
'status': 'invited' if user.get('invitation') else 'active',
'email': user['email'],
'name': user.get('name'),
'role': user['role'],
'created': datetime.datetime.utcnow(),
'last_login': None,
'api_key': str(uuid.uuid4())
}
users.insert(new_user)
# Add the user to the groups - group membership is stored in the group objet, not in the user
for group_name in user.get('groups', []):
groups.update({'name': group_name},
{'$addToSet': {
'users': user['email']
}})
new_user['groups'] = user.get('groups', [])
return jsonify(success=True, user=sanitize_user(new_user))
def create_group():
group = request.json
# perform validations on incoming data; issue#132
if not group.get("name"):
return jsonify(success=False, reason="name-field-is-required")
userz = group.get("users")
sitez = group.get("sites")
if userz:
for user in userz:
if not users.find_one({"email": user}):
return jsonify(success=False, reason="user %s does not exist" % user)
if sitez:
for site in sitez:
if not sites.find_one({"name": site}):
return jsonify(success=False, reason="site %s does not exist" % site)
if groups.find_one({"name": group["name"]}) is not None:
return jsonify(success=False, reason="group-already-exists")
# post-validation
new_group = {
"id": str(uuid.uuid4()),
"name": group["name"],
"description": group.get("description", ""),
"sites": group.get("sites", []),
"users": group.get("users", []),
"created": datetime.datetime.utcnow(),
}
groups.insert(new_group)
return jsonify(success=True, group=sanitize_group(new_group))
def get_reports_sites():
result = []
group_name = request.args.get('group_name')
user_email = request.args.get('user')
if user_email is not None:
# User specified, so return recent scans for each site/plan that the user can see
user = users.find_one({'email': user_email})
if user is None:
return jsonify(success=False, reason='no-such-user')
if group_name:
site_list = _find_sites_for_user_by_group_name(user_email, group_name)
else:
site_list = _find_sites_for_user(user_email)
for site_url in sorted(site_list):
site = sites.find_one({'url': site_url})
if site is not None:
for plan_name in site['plans']:
schedule = scanschedules.find_one({'site':site_url, 'plan':plan_name})
crontab = None
scheduleEnabled = False
if schedule is not None:
crontab = schedule['crontab']
scheduleEnabled = schedule['enabled']
l = list(scans.find({'configuration.target':site['url'], 'plan.name': plan_name}).sort("created", -1).limit(1))
if len(l) == 1:
scan = summarize_scan(sanitize_scan(l[0]))
s = {v: scan.get(v) for v in ('id', 'created', 'state', 'issues')}
result.append({'target': site_url, 'plan': plan_name, 'scan': scan, 'crontab': crontab, 'scheduleEnabled': scheduleEnabled})
else:
result.append({'target': site_url, 'plan': plan_name, 'scan': None, 'crontab': crontab, 'scheduleEnabled': scheduleEnabled})
return jsonify(success=True, report=result)
def get_reports_issues():
result = []
group_name = request.args.get('group_name')
user_email = request.args.get('user')
if user_email is not None:
# User specified, so return recent scans for each site/plan that the user can see
user = users.find_one({'email': user_email})
if user is None:
return jsonify(success=False, reason='no-such-user')
if group_name:
site_list = _find_sites_for_user_by_group_name(user_email, group_name)
else:
site_list = _find_sites_for_user(user_email)
for site_url in sorted(site_list):
r = {'target': site_url, 'issues': []}
site = sites.find_one({'url': site_url})
if site is not None:
for plan_name in site['plans']:
for s in scans.find({'configuration.target':site['url'], 'plan.name': plan_name}).sort("created", -1).limit(1):
for session in s['sessions']:
for issue in session['issues']:
r['issues'].append({'severity': issue['Severity'],
'summary': issue['Summary'],
'scan': { 'id': s['id'] },
'id': issue['Id']})
result.append(r)
return jsonify(success=True, report=result)
def create_group():
group = request.json
# perform validations on incoming data; issue#132
if not group.get('name'):
return jsonify(success=False, reason='name-field-is-required')
userz = group.get('users')
sitez = group.get('sites')
if userz:
for user in userz:
if not users.find_one({'email': user}):
return jsonify(success=False,
reason='user %s does not exist' % user)
if sitez:
for site in sitez:
if not sites.find_one({'url': site}):
return jsonify(success=False,
reason='site %s does not exist' % site)
if groups.find_one({'name': group['name']}) is not None:
return jsonify(success=False, reason='group-already-exists')
# post-validation
new_group = {
'id': str(uuid.uuid4()),
'name': group['name'],
'description': group.get('description', ""),
'sites': group.get('sites', []),
'users': group.get('users', []),
'created': datetime.datetime.utcnow()
}
groups.insert(new_group)
return jsonify(success=True, group=sanitize_group(new_group))
def create_user():
user = request.json
# Verify incoming user: email must not exist yet, groups must exist, role must exist
if users.find_one({'email': user['email']}) is not None:
return jsonify(success=False, reason='user-already-exists')
for group_name in user.get('groups', []):
if not _check_group_exists(group_name):
return jsonify(success=False, reason='unknown-group')
if user.get("role") not in ("user", "administrator"):
return jsonify(success=False, reason="invalid-role")
new_user = { 'id': str(uuid.uuid4()),
'status': 'invited' if user.get('invitation') else 'active',
'email': user['email'],
'name': user.get('name'),
'role': user['role'],
'created': datetime.datetime.utcnow(),
'last_login': None }
users.insert(new_user)
# Add the user to the groups - group membership is stored in the group objet, not in the user
for group_name in user.get('groups', []):
groups.update({'name':group_name},{'$addToSet': {'users': user['email']}})
new_user['groups'] = user.get('groups', [])
return jsonify(success=True, user=sanitize_user(new_user))
def create_group():
group = request.json
# perform validations on incoming data; issue#132
if not group.get('name'):
return jsonify(success=False, reason='name-field-is-required')
userz = group.get('users')
sitez = group.get('sites')
if userz:
for user in userz:
if not users.find_one({'email': user}):
return jsonify(success=False, reason='user %s does not exist'%user)
if sitez:
for site in sitez:
if not sites.find_one({'name': site}):
return jsonify(success=False, reason='site %s does not exist'%site)
if groups.find_one({'name': group['name']}) is not None:
return jsonify(success=False, reason='group-already-exists')
# post-validation
new_group = { 'id': str(uuid.uuid4()),
'name': group['name'],
'description': group.get('description', ""),
'sites': group.get('sites', []),
'users': group.get('users', []),
'created': datetime.datetime.utcnow() }
groups.insert(new_group)
return jsonify(success=True, group=sanitize_group(new_group))
def create_invites():
recipient = request.json['recipient']
sender = request.json['sender']
recipient_user = users.find_one({'email': recipient})
recipient_invite = invites.find_one({'recipient': recipient})
sender_user = users.find_one({'email': sender})
# issue #120
# To ensure no duplicate invitation is allowed, and to ensure
# we don't corrupt user record in user table, any POST invitation
# must check
# (1) if user is not created in users collection - FALSE
# (2) if user is created, BUT status is not 'invited' - FALSE
# (3) recipient email is found in existing invitation record - FALSE
if not recipient_user:
return jsonify(success=False,
reason='recipient-not-found-in-user-record')
elif recipient_user.get('status') != 'invited':
return jsonify(success=False, reason='recipient-already-joined')
if recipient_invite:
return jsonify(success=False,
reason='duplicate-invitation-not-allowed')
if not sender_user:
return jsonify(success=False, reason='sender-not-found-in-user-record')
invite_id = str(uuid.uuid4())
# some users may not have name filled out?
invite = {'id': invite_id,
'recipient': recipient,
'recipient_name': recipient_user['name'] or recipient,
'sender': sender,
'sender_name': sender_user['name'] or sender,
'sent_on': None,
'accepted_on': None,
'status': 'pending',
'expire_on': None,
'max_time_allowed': request.json.get('max_time_allowed') \
or backend_config.get('email').get('max_time_allowed'),
'notify_when': request.json.get('notify_when', [])}
send_email('invite',
invite,
extra_data={'base_url': request.json['base_url']})
invite['sent_on'] = datetime.datetime.utcnow()
invite['expire_on'] = invite['sent_on'] + \
datetime.timedelta(seconds=invite['max_time_allowed'])
invites.insert(invite)
return jsonify(success=True, invite=sanitize_invite(invite))
def update_invite(id):
timenow = datetime.datetime.utcnow()
action = request.json['action'].lower()
invitation = invites.find_one({'id': id})
if invitation:
max_time_allowed = invitation.get('max_time_allowed') \
or backend_config.get('invitation').get('max_time_allowed')
recipient = invitation['recipient']
recipient_name = invitation['recipient_name']
sender = invitation['sender']
sender_name = invitation['sender_name']
sent_on = invitation['sent_on']
accepted_on = invitation['accepted_on']
expire_on = invitation['expire_on']
user = users.find_one({'email': recipient})
if user is None:
return jsonify(success=False, reason="user-not-created")
if accepted_on is not None:
return jsonify(success=False, reason="invitation-has-been-used")
if not action in ('resend', 'accept', 'decline'):
return jsonify(success=False, reason='invalid-action')
if action == 'resend':
new_id = str(uuid.uuid4())
base_url = request.json['base_url']
backend_utils.send_invite(recipient, recipient_name, sender, sender_name, base_url, new_id)
# generate new record
sent_on = datetime.datetime.utcnow()
expire_on = sent_on + datetime.timedelta(seconds=max_time_allowed)
invitation['id'] = new_id
invitation['sent_on'] = sent_on
invitation['expire_on'] = expire_on
invites.update({'id': id}, {'$set':
{'sent_on': invitation['sent_on'],
'id': invitation['id']}})
return jsonify(success=True, invite=sanitize_invite(invitation))
elif action == 'accept':
# if time now is ahead of expire_on, the delta is negative
if (expire_on - timenow).seconds < 0:
invitation['status'] = 'expired'
invites.update({'id': id}, {'$set': {'status': 'expired'}})
return jsonify(success=False, reason='invitation-expired')
else:
invitation['status'] = 'used'
invitation['accepted_on'] = datetime.datetime.utcnow()
invites.update({'id': id},{'$set':
{'accepted_on': invitation['accepted_on'],
'status': 'used'}})
users.update({'email': recipient}, {'$set':
{'status': 'active'}})
return jsonify(success=True, invite=sanitize_invite(invitation))
elif action == 'decline':
invitation['status'] = 'declined'
invites.update({'id': id}, {'$set': {'status': 'decline'}})
return jsonify(success=True, invite=sanitize_invite(invitation))
else:
return jsonify(success=False, reason='invitation-does-not-exist')
def update_user(user_email):
new_user = request.json
# Verify the incoming user: user must exist, groups must exist, role must exist
old_user = users.find_one({'email': user_email})
if old_user is None:
return jsonify(success=False, reason='unknown-user')
old_user['groups'] = _find_groups_for_user(user_email)
old_user['sites'] = _find_sites_for_user(user_email)
if 'groups' in new_user:
for group_name in new_user.get('groups', []):
if not _check_group_exists(group_name):
return jsonify(success=False, reason='unknown-group')
if 'role' in new_user:
if new_user["role"] not in ("user", "administrator"):
return jsonify(success=False, reason="invalid-role")
if 'status' in new_user:
if new_user['status'] not in ('active', 'banned'):
return jsonify(success=False, reason='unknown-status-option')
# Update the group memberships
if 'groups' in new_user:
# Add new groups
for group_name in new_user.get('groups', []):
if group_name not in old_user['groups']:
groups.update({'name':group_name},{'$addToSet': {'users': user_email}})
# Remove old groups
for group_name in old_user['groups']:
if group_name not in new_user.get('groups', []):
groups.update({'name':group_name},{'$pull': {'users': user_email}})
# Modify the user
changes = {}
if 'name' in new_user:
changes['name'] = new_user['name']
if 'role' in new_user:
changes['role'] = new_user['role']
if 'groups' in new_user:
changes['groups'] = new_user['groups']
if 'status' in new_user:
changes['status'] = new_user['status']
users.update({'email': user_email}, {'$set': changes})
# Return the updated user
user = users.find_one({'email': user_email})
if not user:
return jsonify(success=False, reason='unknown-user')
user['groups'] = _find_groups_for_user(user_email)
return jsonify(success=True, user=sanitize_user(user))
def get_user(email):
email = email.lower()
user = users.find_one({'email': email})
if not user:
return jsonify(success=False, reason='no-such-user')
user['groups'] = _find_groups_for_user(user['email'])
user['sites'] = _find_sites_for_user(user['email'])
return jsonify(success=True, user=sanitize_user(user))
def get_user(email):
email = email.lower()
user = users.find_one({'email': email})
if not user:
return jsonify(success=False, reason='no-such-user')
user['groups'] = _find_groups_for_user(user['email'])
user['sites'] = _find_sites_for_user(user['email'])
return jsonify(success=True, user=sanitize_user(user))
def delete_user(user_email):
user = users.find_one({'email': user_email})
if not user:
return jsonify(success=False, reason='no-such-user')
# Remove the user
users.remove({'email': user_email})
# Remove user group membership
remove_group_association(user_email)
return jsonify(success=True)
def delete_user(user_email):
user = users.find_one({'email': user_email})
if not user:
return jsonify(success=False, reason='no-such-user')
# Remove the user
users.remove({'email': user_email})
# Remove user group membership
remove_group_association(user_email)
return jsonify(success=True)
def delete_user(user_email):
user = users.find_one({'email': user_email})
if not user:
return jsonify(success=False, reason='no-such-user')
# Remove the user
users.remove({'email': user_email})
# Remove user group membership
for group_name in _find_groups_for_user(user_email):
groups.update({'name':group_name},{'$pull': {'users': user_email}})
return jsonify(success=True)
def get_reports_sites():
result = []
group_name = request.args.get('group_name')
user_email = request.args.get('user')
if user_email is not None:
# User specified, so return recent scans for each site/plan that the user can see
user = users.find_one({'email': user_email})
if user is None:
return jsonify(success=False, reason='no-such-user')
if group_name:
site_list = _find_sites_for_user_by_group_name(
user_email, group_name)
else:
site_list = _find_sites_for_user(user_email)
for site_url in sorted(site_list):
site = sites.find_one({'url': site_url})
if site is not None:
for plan_name in site['plans']:
schedule = scanschedules.find_one({
'site': site_url,
'plan': plan_name
})
crontab = None
scheduleEnabled = False
if schedule is not None:
crontab = schedule['crontab']
scheduleEnabled = schedule['enabled']
l = list(
scans.find({
'configuration.target': site['url'],
'plan.name': plan_name
}).sort("created", -1).limit(1))
if len(l) == 1:
scan = summarize_scan(sanitize_scan(l[0]))
s = {
v: scan.get(v)
for v in ('id', 'created', 'state', 'issues')
}
result.append({
'target': site_url,
'plan': plan_name,
'scan': scan,
'crontab': crontab,
'scheduleEnabled': scheduleEnabled
})
else:
result.append({
'target': site_url,
'plan': plan_name,
'scan': None,
'crontab': crontab,
'scheduleEnabled': scheduleEnabled
})
return jsonify(success=True, report=result)
def has_permission(*args, **kwargs):
email = request.args.get('email')
if email:
user = users.find_one({'email': email})
if not user:
return jsonify(success=False, reason='User does not exist.')
if user['role'] == 'user':
plan_name = request.view_args['plan_name']
if not _check_plan_by_email(email, plan_name):
return jsonify(success=False, reason="Plan does not exist.")
return view(*args, **kwargs) # if groupz.count is not zero, or user is admin
def has_permission(*args, **kwargs):
email = request.args.get('email')
if email:
user = users.find_one({'email': email})
if not user:
return jsonify(success=False, reason='user-does-not-exist')
scan = scans.find_one({"id": kwargs['scan_id']})
if user['role'] == 'user':
groupz = groups.find({'users': email, 'sites': scan['configuration']['target']})
if not groupz.count():
return jsonify(success=False, reason='not-found')
return view(*args, **kwargs) # if groupz.count is not zero, or user is admin
def get_reports_history():
history = []
user_email = request.args.get('user')
if user_email is not None:
user = users.find_one({'email': user_email})
if user is None:
return jsonify(success=False, reason='no-such-user')
for s in scans.find({'configuration.target': {'$in': _find_sites_for_user(user_email)}}).sort("created", -1).limit(100):
history.append(summarize_scan(sanitize_scan(s)))
else:
for s in scans.find({}).sort("created", -1).limit(100):
history.append(summarize_scan(sanitize_scan(s)))
return jsonify(success=True, report=history)
def has_permission(*args, **kwargs):
email = request.args.get('email')
if email:
user = users.find_one({'email': email})
if not user:
return jsonify(success=False, reason='User does not exist.')
if user['role'] == 'user':
plan_name = request.view_args['plan_name']
if not _check_plan_by_email(email, plan_name):
return jsonify(success=False,
reason="Plan does not exist.")
return view(*args,
**kwargs) # if groupz.count is not zero, or user is admin
def delete_invite(id):
invitation = invites.find_one({'id': id})
if not invitation:
return jsonify(success=False, reason='no-such-invitation')
# do not delete users that are not invite pending (bug #123)
email = invitation['recipient']
user = users.find_one({'email': email})
if user and user.get('status') == "invited":
users.remove(user)
# bug #133 delete user associations
remove_group_association(email)
invites.remove({'id': id})
return jsonify(success=True)
def delete_invite(id):
invitation = invites.find_one({'id': id})
if not invitation:
return jsonify(success=False, reason='no-such-invitation')
# do not delete users that are not invite pending (bug #123)
email = invitation['recipient']
user = users.find_one({'email': email})
if user and user.get('status') == "invited":
users.remove(user)
# bug #133 delete user associations
remove_group_association(email)
invites.remove({'id': id})
return jsonify(success=True)
def delete_invite(id):
invitation = invites.find_one({'id': id})
if not invitation:
return jsonify(success=False, reason='no-such-invitation')
# do not delete users that are not invite pending (bug #123)
email = invitation['recipient']
user = users.find_one({'email': email})
if user and user.get('status') == "invited":
users.remove(user)
# bug #133 delete user associations
for group_name in _find_groups_for_user(email):
groups.update({'name':group_name}, {'$pull': {'users': email}})
for site in _find_sites_for_user(email):
sites.update({'url':site}, {'$pull': {'users': email}})
invites.remove({'id': id})
return jsonify(success=True)
def get_reports_history():
history = []
user_email = request.args.get('user')
if user_email is not None:
user = users.find_one({'email': user_email})
if user is None:
return jsonify(success=False, reason='no-such-user')
for s in scans.find({
'configuration.target': {
'$in': _find_sites_for_user(user_email)
}
}).sort("created", -1).limit(100):
history.append(summarize_scan(sanitize_scan(s)))
else:
for s in scans.find({}).sort("created", -1).limit(100):
history.append(summarize_scan(sanitize_scan(s)))
return jsonify(success=True, report=history)
def has_permission(*args, **kwargs):
email = request.args.get("email")
# If the task is scheduled by crontab, proceed with the task
if email == "cron":
return view(*args, **kwargs)
if email:
user = users.find_one({"email": email})
if not user:
return jsonify(success=False, reason="user-does-not-exist")
scan = scans.find_one({"id": kwargs["scan_id"]})
if user["role"] == "user":
groupz = groups.find({"users": email, "sites": scan["configuration"]["target"]})
if not groupz.count():
return jsonify(success=False, reason="not-found")
return view(*args, **kwargs) # if groupz.count is not zero, or user is admin
def get_reports_sites():
result = []
user_email = request.args.get('user')
if user_email is not None:
# User specified, so return recent scans for each site/plan that the user can see
user = users.find_one({'email': user_email})
if user is None:
return jsonify(success=False, reason='no-such-user')
for site_url in sorted(_find_sites_for_user(user_email)):
site = sites.find_one({'url': site_url})
if site is not None:
for plan_name in site['plans']:
l = list(scans.find({'configuration.target':site['url'], 'plan.name': plan_name}).sort("created", -1).limit(1))
if len(l) == 1:
scan = summarize_scan(sanitize_scan(l[0]))
s = {v: scan.get(v) for v in ('id', 'created', 'state', 'issues')}
result.append({'target': site_url, 'plan': plan_name, 'scan': scan})
else:
result.append({'target': site_url, 'plan': plan_name, 'scan': None})
return jsonify(success=True, report=result)
def has_permission(*args, **kwargs):
email = request.args.get('email')
# If the task is scheduled by crontab, proceed with the task
if email == 'cron':
return view(*args, **kwargs)
if email:
user = users.find_one({'email': email})
if not user:
return jsonify(success=False, reason='user-does-not-exist')
scan = scans.find_one({"id": kwargs['scan_id']})
if user['role'] == 'user':
groupz = groups.find({
'users': email,
'sites': scan['configuration']['target']
})
if not groupz.count():
return jsonify(success=False, reason='not-found')
return view(*args,
**kwargs) # if groupz.count is not zero, or user is admin
def get_reports_issues():
result = []
group_name = request.args.get('group_name')
user_email = request.args.get('user')
if user_email is not None:
# User specified, so return recent scans for each site/plan that the user can see
user = users.find_one({'email': user_email})
if user is None:
return jsonify(success=False, reason='no-such-user')
if group_name:
site_list = _find_sites_for_user_by_group_name(
user_email, group_name)
else:
site_list = _find_sites_for_user(user_email)
for site_url in sorted(site_list):
r = {'target': site_url, 'issues': []}
site = sites.find_one({'url': site_url})
if site is not None:
for plan_name in site['plans']:
for s in scans.find({
'configuration.target': site['url'],
'plan.name': plan_name
}).sort("created", -1).limit(1):
for session in s['sessions']:
for issue in session['issues']:
r['issues'].append({
'severity':
issue['Severity'],
'summary':
issue['Summary'],
'scan': {
'id': s['id']
},
'id':
issue['Id']
})
result.append(r)
return jsonify(success=True, report=result)
def update_invite(id):
timenow = datetime.datetime.utcnow()
action = request.json['action'].lower()
invitation = invites.find_one({'id': id})
if invitation:
max_time_allowed = invitation.get('max_time_allowed') \
or backend_config.get('invitation').get('max_time_allowed')
recipient = invitation['recipient']
recipient_name = invitation['recipient_name']
sender = invitation['sender']
sender_name = invitation['sender_name']
sent_on = invitation['sent_on']
accepted_on = invitation['accepted_on']
expire_on = invitation['expire_on']
user = users.find_one({'email': recipient})
if user is None:
return jsonify(success=False, reason="user-not-created")
if accepted_on is not None:
return jsonify(success=False, reason="invitation-has-been-used")
if not action in ('resend', 'accept', 'decline'):
return jsonify(success=False, reason='invalid-action')
if action == 'resend':
new_id = str(uuid.uuid4())
base_url = request.json['base_url']
send_email('invite', invitation, extra_data={'base_url': base_url})
# generate new record
sent_on = datetime.datetime.utcnow()
expire_on = sent_on + datetime.timedelta(seconds=max_time_allowed)
invitation['id'] = new_id
invitation['sent_on'] = sent_on
invitation['expire_on'] = expire_on
invites.update({'id': id}, {
'$set': {
'sent_on': invitation['sent_on'],
'id': invitation['id']
}
})
return jsonify(success=True, invite=sanitize_invite(invitation))
elif action == 'accept':
# if time now is ahead of expire_on, the delta is negative
if (expire_on - timenow).seconds < 0:
invitation['status'] = 'expired'
invites.update({'id': id}, {'$set': {'status': 'expired'}})
return jsonify(success=False, reason='invitation-expired')
else:
invitation['status'] = 'used'
invitation['accepted_on'] = datetime.datetime.utcnow()
invites.update({'id': id}, {
'$set': {
'accepted_on': invitation['accepted_on'],
'status': 'used'
}
})
users.update({'email': recipient}, {'$set':
{'status': 'active', \
'email': request.json['login']}})
if invitation['recipient'] != request.json['login']:
update_group_association(invitation['recipient'],
request.json['login'])
# if user's persona email is different
invitation['recipient'] = request.json['login']
# notify inviter if he chooses to receive such notification
if "accept" in invitation['notify_when']:
send_email('accept', invitation)
return jsonify(success=True,
invite=sanitize_invite(invitation))
elif action == 'decline':
invitation['status'] = 'declined'
invites.update({'id': id}, {'$set': {'status': 'declined'}})
users.remove(user)
remove_group_association(invitation['recipient'])
# notify inviter if he chooses to
if "decline" in invitation['notify_when']:
send_email('decline', invitation)
return jsonify(success=True, invite=sanitize_invite(invitation))
else:
return jsonify(success=False, reason='invitation-does-not-exist')
def update_invite(id):
timenow = datetime.datetime.utcnow()
action = request.json['action'].lower()
invitation = invites.find_one({'id': id})
if invitation:
max_time_allowed = invitation.get('max_time_allowed') \
or backend_config.get('invitation').get('max_time_allowed')
recipient = invitation['recipient']
recipient_name = invitation['recipient_name']
sender = invitation['sender']
sender_name = invitation['sender_name']
sent_on = invitation['sent_on']
accepted_on = invitation['accepted_on']
expire_on = invitation['expire_on']
user = users.find_one({'email': recipient})
if user is None:
return jsonify(success=False, reason="user-not-created")
if accepted_on is not None:
return jsonify(success=False, reason="invitation-has-been-used")
if not action in ('resend', 'accept', 'decline'):
return jsonify(success=False, reason='invalid-action')
if action == 'resend':
new_id = str(uuid.uuid4())
base_url = request.json['base_url']
send_email('invite', invitation, extra_data={'base_url': base_url})
# generate new record
sent_on = datetime.datetime.utcnow()
expire_on = sent_on + datetime.timedelta(seconds=max_time_allowed)
invitation['id'] = new_id
invitation['sent_on'] = sent_on
invitation['expire_on'] = expire_on
invites.update({'id': id}, {'$set':
{'sent_on': invitation['sent_on'],
'id': invitation['id']}})
return jsonify(success=True, invite=sanitize_invite(invitation))
elif action == 'accept':
# if time now is ahead of expire_on, the delta is negative
if (expire_on - timenow).seconds < 0:
invitation['status'] = 'expired'
invites.update({'id': id}, {'$set': {'status': 'expired'}})
return jsonify(success=False, reason='invitation-expired')
else:
invitation['status'] = 'used'
invitation['accepted_on'] = datetime.datetime.utcnow()
invites.update({'id': id},{'$set':
{'accepted_on': invitation['accepted_on'],
'status': 'used'}})
users.update({'email': recipient}, {'$set':
{'status': 'active', \
'email': request.json['login']}})
if invitation['recipient'] != request.json['login']:
update_group_association(invitation['recipient'], request.json['login'])
# if user's persona email is different
invitation['recipient'] = request.json['login']
# notify inviter if he chooses to receive such notification
if "accept" in invitation['notify_when']:
send_email('accept', invitation)
return jsonify(success=True, invite=sanitize_invite(invitation))
elif action == 'decline':
invitation['status'] = 'declined'
invites.update({'id': id}, {'$set': {'status': 'declined'}})
users.remove(user)
remove_group_association(invitation['recipient'])
# notify inviter if he chooses to
if "decline" in invitation['notify_when']:
send_email('decline', invitation)
return jsonify(success=True, invite=sanitize_invite(invitation))
else:
return jsonify(success=False, reason='invitation-does-not-exist')
