def add_translation(finding_id: int): finding = FindingTemplate.query.filter_by(id=finding_id).one() form = FindingTemplateAddTranslationForm(request.form) current_langs = finding.langs # Skip langs already presents form.lang.choices = tuple(choice for choice in Language.choices() if choice[0] not in current_langs) context = dict(form=form, finding=finding) if len(form.lang.choices) == 0: flash('Finding {} already have all possible translations.'.format( finding.name), category='warning') return redirect_back('.index') if form.validate_on_submit(): if form.lang.data not in finding.langs: data = dict(form.data) data.pop('csrf_token', None) FindingTemplateTranslation(finding_template=finding, **data) else: flash('Language {} already created for this finding.'.format( form.lang.data), category='danger') return redirect_back('.index') return render_template('findings/edit_translation.html', **context)
def delete_solution(finding_id: int, solution_name: str): solution = Solution.query.filter_by( finding_template_id=finding_id, name=solution_name ).one() solution.delete() return redirect_back('.edit', finding_id=finding_id)
def edit(assessment_id): assessment: Assessment = Assessment.query.filter_by(id=assessment_id).one() if not current_user.owns(assessment) and not current_user.manages( assessment.client): abort(403) if request.form: form = AssessmentForm(request.form) else: form = AssessmentForm(**assessment.to_dict(), auditors=assessment.auditors) form.auditors.choices = User.get_choices( User.user_type.in_(valid_auditors)) context = dict(assessment=assessment, form=form) if form.validate_on_submit(): data = dict(form.data) data.pop('csrf_token', None) auditors = data.pop('auditors', []) assessment.set(**data) assessment.auditors.clear() assessment.auditors.extend(auditors) return redirect_back('.index') return render_template('assessments/edit.html', **context)
def download_reports(assessment_id): assessment = Assessment.query.filter_by(id=assessment_id).one() if not current_user.audits(assessment): abort(403) data = request.form.to_dict() data.pop('action', None) data.pop('csrf_token', None) templates = set(request.form.getlist('template_name')) templates = Template.query.filter( and_(Template.name.in_(templates), Template.client_id == assessment.client_id)).all() if not templates: flash('No report selected', 'danger') return redirect_back('.reports', assessment_id=assessment_id) report_path, report_file = generate_reports_bundle(assessment, templates) return send_from_directory(report_path, report_file, mimetype='application/octet-stream', as_attachment=True, attachment_filename=report_file, add_etags=False, cache_timeout=0)
def edit_translation(finding_id: int, language: str): language = Language[language] translation = FindingTemplateTranslation.query.filter_by( finding_template_id=finding_id, lang=language).one() form_data = request.form.to_dict() or translation.to_dict() form = FindingTemplateEditTranslationForm(**form_data) context = dict(form=form, finding=translation.finding_template) if config.BROKEN_REFS_TOKEN in translation.references: form.references.errors = ('Possible broken references detected', ) if form.validate_on_submit(): if language in translation.finding_template.langs: data = dict(form.data) data.pop('csrf_token', None) translation.set(**data) else: flash('Language {} not created for this finding.'.format(language), category='danger') return redirect_back('.edit', finding_id=finding_id) return render_template('findings/edit_translation.html', **context)
def add_solution(finding_id: int, solution_name=None): finding = FindingTemplate.query.filter_by(id=finding_id).one() solution = None if solution_name: solution = Solution.query.filter_by(finding_template_id=finding_id, name=solution_name).one() form_data = solution.to_dict() if solution else request.form.to_dict() form = FindingTemplateAddSolutionForm(**form_data) context = dict(form=form, finding=finding) if form.validate_on_submit(): data = dict(form.data) data.pop('csrf_token', None) lang = data.get('lang') name = data.get('name') try: Solution(finding_template=finding, **data) db.session.commit() return redirect_back('.index') except IntegrityError: db.session.rollback() error = 'Solution name {} already exist for this finding.'.format( name, lang) form.name.errors.append(error) return render_template('findings/edit_solution.html', **context)
def edit(template_id: int): template = Template.query.filter_by(id=template_id).one() form = TemplateEditForm() if not request.form: form = TemplateEditForm(**template.to_dict()) context = dict(template=template, form=form) if form.validate_on_submit(): data = dict(form.data) data.pop('csrf_token', None) file = data.pop('file') try: template.set(**data) template.last_modified = datetime.now() db.session.commit() if file is not None: file.save(os.path.join(template.template_path(), template.file)) return redirect_back('.index') except IntegrityError: form.name.errors.append('Name already used') db.session.rollback() return render_template('templates/edit.html', **context)
def index(): form = LoginForm(request.form) context = dict(form=form, need_otp=False) if form.validate_on_submit(): controller = AuthController() try: controller.authenticate(form.username.data, form.password.data, form.otp.data) session.permanent = True flash('Logged in successfully.', 'success') return redirect_back('index.index') except AuthException: context['need_otp'] = True if form.otp.data: flash('Invalid credentials', 'danger') else: form.otp.errors.append('Google Authenticator OTP required.') return render_template('index.html', **context)
def delete(template_id: int): template = Template.query.filter_by(id=template_id).one() os.remove(os.path.join(template.template_path(), template.file)) template.delete() return redirect_back('.index')
def new(): form = TemplateCreateNewForm() context = dict(form=form) if form.validate_on_submit(): data = dict(form.data) data.pop('csrf_token') file = data.pop('file') filename = "{}.{}".format(uuid4(), file.filename.split('.')[-1]) data['file'] = filename upload_path = Template.template_path() if not os.path.exists(upload_path): os.makedirs(upload_path) try: db.session.add(Template(**data)) db.session.commit() file.save(os.path.join(upload_path, filename)) return redirect_back('.index') except IntegrityError: form.name.errors.append('Name already used') db.session.rollback() return render_template('templates/new.html', **context)
def add_template(client_id: int): client = Client.query.filter_by(id=client_id).one() if not current_user.manages(client): abort(403) form = TemplateCreateNewForm() context = dict(form=form, client=client) if form.validate_on_submit(): data = dict(form.data) data.pop('csrf_token', None) file = data.pop('file') filename = "{}.{}".format(uuid4(), file.filename.split('.')[-1]) data['file'] = filename upload_path = client.template_path() if not os.path.exists(upload_path): os.makedirs(upload_path) try: Template(client=client, **data) db.session.commit() file.save(os.path.join(upload_path, filename)) return redirect_back('.edit', client_id=client_id) except IntegrityError: form.name.errors.append('Name already used') db.session.rollback() return render_template('clients/add_template.html', **context)
def edit_finding(assessment_id, finding_id): assessment = Assessment.query.filter_by(id=assessment_id).one() if not current_user.audits(assessment): abort(403) finding = Finding.query.filter_by(id=finding_id).one() finding_dict = finding.to_dict() finding_dict['affected_resources'] = "\r\n".join( r.uri for r in finding.affected_resources) form_data = request.form.to_dict() or finding_dict form = FindingEditForm(**form_data) solutions = finding.template.solutions if finding.template else [] context = dict(assessment=assessment, form=form, finding=finding, solutions=solutions, solutions_dict={a.name: a.text for a in solutions}) if form.validate_on_submit(): data = dict(form.data) data.pop('csrf_token', None) affected_resources = data.pop('affected_resources', '').split('\n') try: finding.update_affected_resources( affected_resources) # TODO: Raise different exception finding.set(**data) return redirect_back('.findings', assessment_id=assessment_id) except ValueError as ex: form.affected_resources.errors.append(str(ex)) return render_template('assessments/panel/edit_finding.html', **context)
def del_user(username): user = User.query.filter_by(username=username).one() if user == current_user: flash('You can not delete yourself', 'danger') else: user.delete() return redirect_back('users.index')
def delete_findings(assessment_id, finding_id): finding = Finding.query.filter_by(id=finding_id).one() if not current_user.audits(finding.assessment): abort(403) finding.delete() flash("Findign deleted", "success") return redirect_back('.findings', assessment_id=assessment_id)
def delete_translation(finding_id: int, language: str): tranlsation = FindingTemplateTranslation.query.filter_by( finding_template_id=finding_id, lang=Language[language] ).one() tranlsation.delete() return redirect_back('.edit', finding_id=finding_id)
def delete(assessment_id): assessment = Assessment.query.filter_by(id=assessment_id).one() if not current_user.owns(assessment) and not current_user.manages( assessment.client): abort(403) assessment.delete() return redirect_back('.index')
def delete(client_id: int): client = Client.query.filter_by(id=client_id).one() if not current_user.owns(client): abort(403) client.delete() return redirect_back('.index')
def delete_template(client_id: int, template_name): client = Client.query.filter_by(id=client_id).one() if not current_user.manages(client): abort(403) template = Template.query.filter_by(name=template_name, client=client).one() os.remove(os.path.join(client.template_path(), template.file)) template.delete() return redirect_back('.edit', client_id=client_id)
def change_owner(client_id: int): client: Client = Client.query.filter_by(id=client_id).one() if not current_user.owns(client): abort(403) form = ClientChangeOwnerForm() form.owner.choices = User.get_choices(User.user_type.in_(valid_managers)) if form.validate_on_submit(): client.creator = form.owner.data return redirect_back('.index')
def edit(finding_id: int): finding = FindingTemplate.query.filter_by(id=finding_id).one() form_data = request.form.to_dict() or finding.to_dict() form = FindingTemplateEditForm(**form_data) context = dict(form=form, finding=finding) if form.validate_on_submit(): data = dict(form.data) data.pop('csrf_token', None) finding.set(**data) db.session.commit() return redirect_back('.index') return render_template('findings/details.html', **context)
def disable_otp(): form = OtpConfirmForm(request.form) if form.validate_on_submit(): try: if current_user.disable_otp(form.otp.data, form.password.data): flash('OTP disabled successfully', 'success') else: raise ValueError('invalid otp or password') except ValueError: flash('Invalid credentials, please try again.', 'danger') return redirect_back('users.index')
def new(): form = FindingTemplateCreateNewForm(request.form) context = dict( form=form ) if form.validate_on_submit(): data = dict(form.data) data_finding = {k: v for k, v in data.items() if k in FindingTemplate.__dict__} data_translation = {k: v for k, v in data.items() if k in FindingTemplateTranslation.__dict__} finding = FindingTemplate(creator=current_user, **data_finding) FindingTemplateTranslation(finding_template=finding, **data_translation) return redirect_back('.index') return render_template('findings/new.html', **context)
def add_user(): form = AddUserForm(request.form) if form.validate_on_submit(): username = form.username.data if form.password.data == form.passwordrep.data: try: user = User(username=username) user.set_database_passwd(form.password.data) except IntegrityError: flash('User {} already exist'.format(username), 'danger') db.session.rollback() else: flash('Password repeat invalid', 'danger') return redirect_back('users.index')
def delete_evidence(assessment_id, evidence_name): assessment = Assessment.query.filter_by(id=assessment_id).one() if not current_user.audits(assessment): abort(403) image = Image.query.filter_by(assessment=assessment, name=evidence_name).one() image_name = image.name image.delete() os.remove(os.path.join(assessment.evidence_path(), image_name)) flash("Evidence deleted", "success") return redirect_back(".evidences", assessment_id=assessment_id)
def edit(client_id: int): client: Client = Client.query.filter_by(id=client_id).one() if not current_user.manages(client): abort(403) if request.form: form = ClientForm(request.form) else: form = ClientForm(**client.to_dict(), managers=client.managers, auditors=client.auditors, templates=client.templates) form.managers.choices = User.get_choices( User.user_type.in_(valid_managers)) form.auditors.choices = User.get_choices( User.user_type.in_(valid_auditors)) form.templates.choices = Template.get_choices() change_owner_form = ClientChangeOwnerForm(owner=client.creator) change_owner_form.owner.choices = User.get_choices( User.user_type.in_(valid_managers)) context = dict(form=form, change_owner_form=change_owner_form, client=client) if form.validate_on_submit(): data = dict(form.data) data.pop('csrf_token', None) managers = data.pop('managers', []) auditors = data.pop('auditors', []) templates = data.pop('templates', []) client.set(**data) client.managers.clear() client.managers.extend(managers) client.auditors.clear() client.auditors.extend(auditors) client.templates.clear() client.templates.extend(templates) return redirect_back('.index') return render_template('clients/details.html', **context)
def new(): form = ClientForm(request.form) form.managers.choices = User.get_choices( User.user_type.in_(valid_managers)) form.auditors.choices = User.get_choices( User.user_type.in_(valid_auditors)) context = dict(form=form) if form.validate_on_submit(): data = form.data data.pop('csrf_token') Client(creator=current_user, **data) return redirect_back('.index') return render_template('clients/new.html', **context)
def edit_solution(finding_id: int, solution_name: str): solution = Solution.query.filter_by(finding_template_id=finding_id, name=solution_name).one() form_data = request.form.to_dict() or solution.to_dict() form = FindingTemplateEditSolutionForm(**form_data) context = dict(form=form, finding=solution.finding_template) if form.validate_on_submit(): data = dict(form.data) data.pop('csrf_token', None) solution.set(**data) return redirect_back('.edit', finding_id=finding_id) return render_template('findings/edit_solution.html', **context)
def add_assessment(client_id: int): client = Client.query.filter_by(id=client_id).one() if not current_user.audits(client): abort(403) form = AssessmentForm(request.form) form.auditors.choices = User.get_choices( User.user_type.in_(valid_auditors)) context = dict(form=form, client=client) if form.validate_on_submit(): data = dict(form.data) data.pop('csrf_token', None) Assessment(client=client, creator=current_user, **data) return redirect_back('.edit', client_id=client_id) return render_template('clients/add_assessment.html', **context)
def edit_user(username): user = User.query.filter_by(username=username).one() form_data = request.form.to_dict() or user.to_dict() form = EditUserForm(**form_data) context = dict( form=form ) if user != current_user: pass else: flash('You can not edit yourself', 'danger') return redirect_back('users.index') return render_template()
def change_passwd(): form = ChangePasswordForm() if form.validate_on_submit(): try: if form.newpassword.data == form.newpasswordrep.data: current_user.change_password( form.oldpassword.data, form.newpassword.data, form.otp.data ) flash('Password changed successfully', 'success') else: flash('Password repeat invalid', 'danger') except AuthException: flash('Invalid credentials', 'danger') return redirect_back('users.index')