def require_auth(): if request.method == "OPTIONS": return auth = request.headers.get("Authorization") g.auth_user = None if auth and auth.startswith("Bearer "): token = auth.split(" ", 1)[1] g.auth_user = User.verify_session_token(token) # Not a session token? Maybe APIKey token if g.auth_user is None: g.auth_user = APIKey.verify_token(token) # Still nothing? Maybe legacy API key if g.auth_user is None: g.auth_user = User.verify_legacy_token(token) if g.auth_user is not None: getLogger().warning( "'%s' used legacy auth token for authentication", g.auth_user.login) if g.auth_user: if (app_config.mwdb.enable_maintenance and g.auth_user.login != app_config.mwdb.admin_login): raise Forbidden("Maintenance underway. Please come back later.") if g.auth_user.disabled: raise Forbidden("User has been disabled.")
def require_auth(): if request.method == "OPTIONS": return auth = request.headers.get("Authorization") g.auth_user = None if auth and auth.startswith("Bearer "): token = auth.split(" ", 1)[1] g.auth_user = User.verify_session_token(token) # Not a session token? Maybe APIKey token if g.auth_user is None: g.auth_user = APIKey.verify_token(token) # Still nothing? Maybe legacy API key if g.auth_user is None: g.auth_user = User.verify_legacy_token(token) if g.auth_user is not None: getLogger().warning( "'%s' used legacy auth token for authentication", g.auth_user.login ) if g.auth_user: if ( app_config.mwdb.enable_maintenance and g.auth_user.login != app_config.mwdb.admin_login ): raise Forbidden("Maintenance underway. Please come back later.") if g.auth_user.disabled: raise Forbidden("User has been disabled.") if app_config.mwdb.enable_rate_limit and not g.auth_user.has_rights( Capabilities.unlimited_requests ): """ Single sample view in malwarefront generates 7 requests (6 GET, 1 POST) """ if request.method == "GET": """ DownloadResource is token-based and shouldn't be limited """ if request.endpoint != api.endpoint_for(DownloadResource): # 1000 per 10 seconds rate_limit("get-request", 10, 1000) # 2000 per 1 minute rate_limit("get-request", 60, 2000) # 6000 per 5 minutes rate_limit("get-request", 5 * 60, 6000) # 10000 per 15 minutes rate_limit("get-request", 15 * 60, 10000) else: # 10 per 10 seconds rate_limit("set-request", 10, 10) # 30 per 1 minute rate_limit("set-request", 60, 30) # 100 per 5 minutes rate_limit("set-request", 5 * 60, 100) # 200 per 15 minutes rate_limit("set-request", 15 * 60, 200)
def log_request(response): response_time = datetime.utcnow() - g.request_start_time response_size = response.calculate_content_length() getLogger().info('request', extra={'path': request.path, 'arguments': request.args, 'method': request.method, 'status': response.status_code, 'response_time': response_time, 'response_size': response_size}) return response
def log_request(response): response_time = datetime.utcnow() - g.request_start_time response_size = response.calculate_content_length() getLogger().info( "request", extra={ "path": request.path, "arguments": request.args, "method": request.method, "status": response.status_code, "response_time": response_time, "response_size": response_size, }, ) return response
import contextlib import functools import importlib import pkgutil import sys from mwdb.core.app import api, app from mwdb.core.config import app_config from mwdb.core.log import getLogger from mwdb.core.util import is_subdir from mwdb.model import Config, File, Object, TextBlob logger = getLogger() _plugin_handlers = [] loaded_plugins = {} class PluginAppContext(object): def register_hook_handler(self, hook_handler_cls): global _plugin_handlers _plugin_handlers.append(hook_handler_cls()) def register_resource(self, resource, *urls, **kwargs): api.add_resource(resource, *urls, **kwargs) def register_converter(self, converter_name, converter): app.url_map.converters[converter_name] = converter def register_schema_spec(self, schema_name, schema): api.spec.components.schema(schema_name, schema=schema)
from functools import wraps from json import JSONDecodeError from flask import g, request from marshmallow import EXCLUDE, ValidationError from werkzeug.exceptions import BadRequest, Forbidden, Unauthorized from mwdb.core import log from mwdb.model import Config, File, Object, TextBlob logger = log.getLogger() def requires_capabilities(*required_caps): """ Decorator for endpoints which require specific permission. Available capabilities are declared in capabilities.Capabilities """ def decorator(f): @wraps(f) def endpoint(*args, **kwargs): for required_cap in required_caps: if not g.auth_user.has_rights(required_cap): raise Forbidden(f"You don't have required capability " f"({required_cap}) to perform this action") return f(*args, **kwargs) return endpoint return decorator