예제 #1
0
 def test_create_agent_valid_token(self, faraday_server_config, test_client,
                                   session):
     workspace = WorkspaceFactory.create()
     session.add(workspace)
     other_workspace = WorkspaceFactory.create()
     session.add(other_workspace)
     session.commit()
     secret = pyotp.random_base32()
     faraday_server_config.agent_registration_secret = secret
     faraday_server_config.agent_token_expiration = 60
     logout(test_client, [302])
     initial_agent_count = len(session.query(Agent).all())
     raw_data = get_raw_agent(name='new_agent',
                              token=pyotp.TOTP(secret, interval=60).now(),
                              workspaces=[workspace, other_workspace])
     res = test_client.post('/v3/agent_registration', data=raw_data)
     assert res.status_code == 201, (res.json, raw_data)
     assert len(session.query(Agent).all()) == initial_agent_count + 1
     assert workspace.name in res.json['workspaces']
     assert other_workspace.name in res.json['workspaces']
     assert len(res.json['workspaces']) == 2
     workspaces = Agent.query.get(res.json['id']).workspaces
     assert len(workspaces) == 2
     assert workspace in workspaces
     assert other_workspace in workspaces
예제 #2
0
    def test_run_fails(self, test_client, session,csrf_token):
        workspace = WorkspaceFactory.create()
        session.add(workspace)
        other_workspace = WorkspaceFactory.create()
        session.add(other_workspace)
        session.commit()
        agent = AgentFactory.create(
            workspaces=[workspace, other_workspace]
        )
        executor = ExecutorFactory.create(agent=agent)

        session.add(executor)
        session.commit()
        payload = {
            'csrf_token': csrf_token,
            'executorData': {
                "args": {
                    "param1": True
                },
                "executor": executor.name
            },
        }
        res = test_client.post(
            self.url(agent) + 'run/',
            json=payload
        )
        assert res.status_code == 404
예제 #3
0
 def test_create_agent_valid_token(self, faraday_server_config, test_client,
                                   session):
     workspace = WorkspaceFactory.create()
     session.add(workspace)
     other_workspace = WorkspaceFactory.create()
     session.add(other_workspace)
     session.commit()
     faraday_server_config.agent_token = 'sarasa'
     logout(test_client, [302])
     initial_agent_count = len(session.query(Agent).all())
     raw_data = get_raw_agent(
         name='new_agent',
         token='sarasa',
         workspaces=[workspace, other_workspace]
     )
     # /v2/agent_registration/
     res = test_client.post(self.check_url('/v2/agent_registration/'), data=raw_data)
     assert res.status_code == 201, (res.json, raw_data)
     assert len(session.query(Agent).all()) == initial_agent_count + 1
     assert workspace.name in res.json['workspaces']
     assert other_workspace.name in res.json['workspaces']
     assert len(res.json['workspaces']) == 2
     workspaces = Agent.query.get(res.json['id']).workspaces
     assert len(workspaces) == 2
     assert workspace in workspaces
     assert other_workspace in workspaces
예제 #4
0
    def test_bulk_delete_hosts_from_another_workspace(self, test_client, session):
        workspace_1 = WorkspaceFactory.create(name='workspace_1')
        host_of_ws_1 = HostFactory.create(workspace=workspace_1)
        workspace_2 = WorkspaceFactory.create(name='workspace_2')
        host_of_ws_2 = HostFactory.create(workspace=workspace_2)
        session.commit()

        # Try to delete workspace_2's host from workspace_1
        request_data = {'hosts_ids': [host_of_ws_2.id]}
        url = f'/v2/ws/{workspace_1.name}/hosts/bulk_delete/'
        delete_response = test_client.delete(url, data=request_data)

        assert delete_response.json['deleted_hosts'] == 0
예제 #5
0
def test_workspacestatusapi_success(api_rf):
    request = api_rf.get("/")

    project1 = ProjectFactory()
    workspace1 = WorkspaceFactory(project=project1, uses_new_release_flow=True)

    response = WorkspaceStatusAPI.as_view()(request, workspace_id=workspace1.name)
    assert response.status_code == 200
    assert response.data["uses_new_release_flow"]

    project2 = ProjectFactory()
    workspace2 = WorkspaceFactory(project=project2, uses_new_release_flow=False)
    response = WorkspaceStatusAPI.as_view()(request, workspace_id=workspace2.name)
    assert response.status_code == 200
    assert not response.data["uses_new_release_flow"]
예제 #6
0
    def test_load_itime(self, test_client, session):
        ws = WorkspaceFactory.create(name="abc")
        command = CommandFactory.create(workspace=ws)
        session.add(ws)
        session.add(command)
        session.commit()

        # Timestamp of 14/12/2018
        itime = 1544745600.0
        data = {
            'command': command.command,
            'tool': command.tool,
            'itime': itime
        }

        res = test_client.put(
            '/v2/ws/{ws_name}/activities/{id}/'.format(ws_name=ws.name,
                                                       id=command.id),
            data=data,
        )

        # Changing res.json['itime'] to timestamp format of itime
        res_itime = res.json['itime'] / 1000
        assert res.status_code == 200
        assert res_itime == itime
예제 #7
0
def test_create_release_success():
    backend = BackendFactory()
    workspace = WorkspaceFactory()
    user = UserFactory()
    files = {"file1.txt": "hash"}
    release = releases.create_release(workspace, backend, user, files)
    assert release.requested_files == files
예제 #8
0
    def test_update_custom_field(self, api, session, test_client):
        workspace = WorkspaceFactory.create()
        custom_field = CustomFieldsSchemaFactory.create(
            table_name='vulnerability',
            field_name='cfield',
            field_type='str',
            field_order=1,
            field_display_name='CField',
        )
        vuln = VulnerabilityFactory.create(workspace=workspace, severity='low', confirmed=True)
        vuln.custom_fields = {'cfield': 'test'}
        session.add(workspace)
        session.add(custom_field)
        session.add(vuln)
        session.commit()

        assert vuln.confirmed is True

        searcher = Searcher(api(workspace, test_client, session))

        rules = [{
            'id': 'CHANGE_CUSTOM_FIELD',
            'model': 'Vulnerability',
            'object': "severity=low",
            'conditions': ['confirmed=True'],
            'actions': ["--UPDATE:cfield=CUSTOM_FIELD_UPDATED"]
        }]

        searcher.process(rules)

        vulns_count = session.query(Vulnerability).filter_by(workspace=workspace).count()
        assert vulns_count == 1
        vuln = session.query(Vulnerability).filter_by(workspace=workspace).first()
        assert vuln.custom_fields['cfield'] == 'CUSTOM_FIELD_UPDATED'
        check_command(vuln, session)
예제 #9
0
    def test_add_ref_to_duplicated_vuln(self, api, session, test_client):
        workspace = WorkspaceFactory.create()
        host = HostFactory.create(workspace=workspace)
        vuln = VulnerabilityFactory.create(workspace=workspace, severity='low',
                                           name='Duplicated Vuln',
                                           host=host, service=None)
        duplicated_vuln = VulnerabilityFactory.create(workspace=workspace, severity='low',
                                                      name='Duplicated Vuln 2',
                                                      host=host, service=None)
        session.add(workspace)
        session.add(vuln)
        session.add(duplicated_vuln)
        session.add(host)
        session.commit()

        first_vuln_id = vuln.id

        searcher = Searcher(api(workspace, test_client, session))
        rules = [{
            'id': 'ADD_REFS_DUPLICATED_VULNS',
            'model': 'Vulnerability',
            'fields': ['name'],
            'object': "severity=low --old",  # Without --old param Searcher deletes  all duplicated objects
            'conditions': ['severity=low'],
            'actions': ["--UPDATE:refs=REF_TEST"]
        }]

        vulns_count = session.query(Vulnerability).filter_by(workspace=workspace).count()
        assert vulns_count == 2

        searcher.process(rules)

        vuln1 = session.query(Vulnerability).get(first_vuln_id)
        assert len(vuln1.references) > 0
        assert list(vuln1.references)[0] == 'REF_TEST'
예제 #10
0
    def test_mail_notification(self, api, session, test_client):
        workspace = WorkspaceFactory.create()
        vuln = VulnerabilityFactory.create(workspace=workspace, severity='low')
        session.add(workspace)
        session.add(vuln)
        session.commit()

        mail_notification = MailNotification(
            '*****@*****.**',
            'testpass',
            'smtp.gmail.com',
            587
        )
        _api = api(workspace, test_client, session)
        searcher = Searcher(_api, mail_notification=mail_notification)
        rules = [{
            'id': 'SEND_MAIL',
            'model': 'Vulnerability',
            'object': "severity=low",
            'actions': ["--ALERT:[email protected]"]
        }]

        searcher.process(rules)

        assert searcher.mail_notification == mail_notification
예제 #11
0
    def test_remove_duplicated_by_name(self, api, session, test_client):
        workspace = WorkspaceFactory.create()
        host = HostFactory.create(workspace=workspace)
        vuln = VulnerabilityFactory.create(workspace=workspace, severity='low',
                                           name='Duplicated Vuln',
                                           host=host, service=None)
        duplicated_vuln = VulnerabilityFactory.create(workspace=workspace, severity='low',
                                                      name='Duplicated Vuln 2',
                                                      host=host, service=None)
        session.add(workspace)
        session.add(vuln)
        session.add(duplicated_vuln)
        session.add(host)
        session.commit()

        searcher = Searcher(api(workspace, test_client, session))
        rules = [{
            'id': 'REMOVE_DUPLICATED_VULNS',
            'model': 'Vulnerability',
            'fields': ['name'],
            'object': "severity=low --old",  # Without --old param Searcher deletes  all duplicated objects
            'actions': ["--DELETE:"]
        }]

        vulns_count = session.query(Vulnerability).filter_by(workspace=workspace).count()
        assert vulns_count == 2

        searcher.process(rules)

        vulns_count = session.query(Vulnerability).filter_by(workspace=workspace).count()
        assert vulns_count == 1
예제 #12
0
def test_jobrequestapicreate_success(api_rf, pipeline_config):
    backend = BackendFactory()
    workspace = WorkspaceFactory()
    user = UserFactory()
    token = user.rotate_token()

    assert not JobRequest.objects.exists()

    data = {
        "workspace": workspace.name,
        "backend": backend.slug,
        "sha": "123",
        "project_definition": pipeline_config,
        "requested_actions": ["test"],
    }
    request = api_rf.post("/",
                          HTTP_AUTHORIZATION=f"{user.username}:{token}",
                          data=data)

    response = JobRequestAPICreate.as_view()(request)

    assert response.status_code == 201, response.data
    assert JobRequest.objects.count() == 1

    job_request = JobRequest.objects.first()
    assert job_request.workspace == workspace
예제 #13
0
def test_jobapiupdate_notifications_on_with_move_to_completed(api_rf, mocker):
    workspace = WorkspaceFactory()
    job_request = JobRequestFactory(workspace=workspace, will_notify=True)
    job = JobFactory(job_request=job_request, status="running")

    now = timezone.now()

    mocked_send = mocker.patch("jobserver.api.jobs.send_finished_notification",
                               autospec=True)

    data = [
        {
            "identifier": job.identifier,
            "job_request_id": job_request.identifier,
            "action": "test",
            "status": "succeeded",
            "status_code": "",
            "status_message": "",
            "created_at": minutes_ago(now, 2),
            "started_at": minutes_ago(now, 1),
            "updated_at": now,
            "completed_at": seconds_ago(now, 30),
        },
    ]
    request = api_rf.post(
        "/",
        HTTP_AUTHORIZATION=job_request.backend.auth_token,
        data=data,
        format="json",
    )

    response = JobAPIUpdate.as_view()(request)

    mocked_send.assert_called_once()
    assert response.status_code == 200
예제 #14
0
    def test_confirm_vuln(self, api, session, test_client):
        workspace = WorkspaceFactory.create()
        vuln = VulnerabilityFactory.create(workspace=workspace,
                                           severity='low',
                                           confirmed=False)
        session.add(workspace)
        session.add(vuln)
        session.commit()

        assert vuln.confirmed is False

        searcher = Searcher(api(workspace, test_client, session))
        rules = [{
            'id': 'CONFIRM_VULN',
            'model': 'Vulnerability',
            'object': "severity=low",
            'actions': ["--UPDATE:confirmed=True"]
        }]

        searcher.process(rules)
        vulns_count = session.query(Vulnerability).filter_by(
            workspace=workspace).count()
        assert vulns_count == 1
        vuln = session.query(Vulnerability).filter_by(
            workspace=workspace).first()
        assert vuln.confirmed is True
예제 #15
0
 def test_get_workspaced_other_fails(self, test_client, session):
     other_workspace = WorkspaceFactory.create()
     session.add(other_workspace)
     agent = AgentFactory.create(workspaces=[other_workspace], active=True)
     session.commit()
     res = test_client.get(self.url(agent))
     assert res.status_code == 404
예제 #16
0
 def test_update_agent_add_a_inexistent_workspace(self, test_client,
                                                  session):
     workspace = WorkspaceFactory.create()
     session.add(workspace)
     other_workspace = WorkspaceFactory.create()
     session.add(other_workspace)
     agent = AgentFactory.create(workspaces=[workspace], active=True)
     session.commit()
     raw_agent = self.create_raw_agent(
         workspaces=[workspace, other_workspace])
     raw_agent["workspaces"] = ["donotexist"]
     res = test_client.put(self.url(agent.id), data=raw_agent)
     assert res.status_code == 404
     workspaces = Agent.query.get(agent.id).workspaces
     assert len(workspaces) == 1
     assert workspace in workspaces
예제 #17
0
    def test_severity_info_med_2(self, api, session, test_client):
        workspace = WorkspaceFactory.create()
        vuln = VulnerabilityWebFactory.create(workspace=workspace,
                                              severity='informational')
        session.add(workspace)
        session.add(vuln)
        session.commit()

        assert vuln.severity == 'informational'

        searcher = Searcher(api(workspace, test_client, session))
        rules = [{
            'id': 'CONFIRM_VULN',
            'model': 'Vulnerability',
            'object': "severity=info",
            'actions': ["--UPDATE:severity=med"]
        }]

        searcher.process(rules)
        vulns_count = session.query(VulnerabilityWeb).filter_by(
            workspace=workspace).count()
        assert vulns_count == 1
        vuln = session.query(VulnerabilityWeb).filter_by(
            workspace=workspace).first()
        assert vuln.severity == 'medium'
예제 #18
0
    def test_bulk_delete_hosts_without_hosts_ids(self, test_client):
        ws = WorkspaceFactory.create(name="abc")
        request_data = {'hosts_ids': []}

        delete_response = test_client.delete(f'/v2/ws/{ws.name}/hosts/bulk_delete/', data=request_data)

        assert delete_response.status_code == 400
예제 #19
0
    def test_delete_vulns_with_dynamic_values(self, api, session, test_client):
        workspace = WorkspaceFactory.create()
        vuln1 = VulnerabilityFactory.create(workspace=workspace, name="TEST1")
        vuln2 = VulnerabilityFactory.create(workspace=workspace, name="TEST2")
        session.add(workspace)
        session.add(vuln1)
        session.add(vuln2)
        session.commit()

        searcher = Searcher(api(workspace, test_client, session))
        rules = [{
            'id': 'DELETE_VULN_{{name}}',
            'model': 'Vulnerability',
            'object': "regex=^{{name}}",
            'actions': ["--DELETE:"],
            'values': [{
                'name': 'TEST1'
            }, {
                'name': 'TEST2'
            }]
        }]

        vulns_count = session.query(Vulnerability).filter_by(
            workspace=workspace).count()
        assert vulns_count == 2

        searcher.process(rules)

        vulns_count = session.query(Vulnerability).filter_by(
            workspace=workspace).count()
        assert vulns_count == 0
예제 #20
0
    def test_update_host_with_all_fields(self, api, session, test_client):
        workspace = WorkspaceFactory.create()
        host = HostFactory.create(workspace=workspace,
                                  os='Unix',
                                  ip="10.25.86.39",
                                  owned=False,
                                  description='HDesc',
                                  mac='MAC')
        session.add(workspace)
        session.add(host)
        session.commit()

        assert host.owned is False
        assert host.os == 'Unix'
        assert host.ip == "10.25.86.39"
        assert host.description == 'HDesc'
        assert host.mac == 'MAC'

        searcher = Searcher(api(workspace, test_client, session))
        rules = [{
            'id':
            'UPDATE_HOST',
            'model':
            'Host',
            'object':
            "ip=10.25.86.39 owned=False os=Unix",
            'actions': ["--UPDATE:description=HDescUp", "--UPDATE:mac=MAC2"]
        }]

        searcher.process(rules)

        host = session.query(Host).filter_by(workspace=workspace).first()
        assert host.description == 'HDescUp'
        assert host.mac == 'MAC2'
예제 #21
0
    def test_update_severity_by_creator(self, api, session, test_client):
        workspace = WorkspaceFactory.create()
        host = HostFactory.create(workspace=workspace)
        user = UserFactory.create()
        vuln = VulnerabilityFactory.create(workspace=workspace,
                                           tool='Nessus',
                                           severity='low',
                                           host=host,
                                           creator=user,
                                           service=None)
        session.add(workspace)
        session.add(vuln)

        session.add(host)
        session.commit()

        vuln_id = vuln.id
        assert vuln.severity == 'low'
        searcher = Searcher(api(workspace, test_client, session))
        rules = [{
            'id': 'CHANGE_SEVERITY_INSIDE_HOST',
            'model': 'Vulnerability',
            'object':
            f'creator={user.username}',  # Without --old param Searcher deletes  all duplicated objects
            'conditions': ['tool=Nessus'],
            'actions': ["--UPDATE:severity=info"]
        }]

        searcher.process(rules)
        vuln = session.query(Vulnerability).get(vuln_id)
        assert vuln.severity == 'informational'
예제 #22
0
    def test_update_severity_by_values_with_space_2(self, api, session,
                                                    test_client):
        workspace = WorkspaceFactory.create()
        vuln = VulnerabilityFactory.create(workspace=workspace,
                                           name='Cross-domain Referer leakage',
                                           severity='low',
                                           service=None)

        session.add(workspace)
        session.add(vuln)
        session.commit()

        vuln_id = vuln.id
        assert vuln.severity == 'low'
        searcher = Searcher(api(workspace, test_client, session))
        rules = [{
            'id': 'CHANGE_SEVERITY',
            'model': 'Vulnerability',
            'object':
            "name=Cross-domain%Referer%leakage",  # Without --old param Searcher deletes  all duplicated objects
            'conditions': ['name=Cross-domain%Referer%leakage'],
            'actions': ["--UPDATE:severity=info"]
        }]

        searcher.process(rules)
        vuln = session.query(Vulnerability).get(vuln_id)
        assert vuln.severity == 'informational'
예제 #23
0
    def test_searcher_update_rules(self, api, session, test_client):
        workspace = WorkspaceFactory.create()
        vuln = VulnerabilityFactory.create(workspace=workspace, severity='low')
        session.add(workspace)
        session.add(vuln)
        session.commit()
        assert vuln.severity == 'low'

        searcher = Searcher(api(workspace, test_client, session))

        rules = [{
            'id': 'CHANGE_SEVERITY',
            'model': 'Vulnerability',
            'object': "severity=low",
            'actions': ["--UPDATE:severity=med"]
        }]

        searcher.process(rules)
        vulns_count = session.query(Vulnerability).filter_by(
            workspace=workspace).count()
        assert vulns_count == 1
        vuln = session.query(Vulnerability).filter_by(
            workspace=workspace).first()
        assert vuln.severity == 'medium'
        check_command(vuln, session)
예제 #24
0
    def test_apply_template_by_id(self, api, session, test_client):
        workspace = WorkspaceFactory.create()
        template = VulnerabilityTemplateFactory.create()
        vuln = VulnerabilityFactory.create(workspace=workspace,
                                           severity='low',
                                           confirmed=False)
        session.add(workspace)
        session.add(vuln)
        session.add(template)
        session.commit()

        template_name = template.name
        template_id = template.id
        searcher = Searcher(api(workspace, test_client, session))
        rules = [{
            'id': 'APPLY_TEMPLATE',
            'model': 'Vulnerability',
            'object': "severity=low",
            'actions': [f"--UPDATE:template={template_id}"]
        }]

        searcher.process(rules)
        vulns_count = session.query(Vulnerability).filter_by(
            workspace=workspace).count()
        assert vulns_count == 1
        vuln = session.query(Vulnerability).filter_by(
            workspace=workspace).first()
        assert vuln.name == template_name
예제 #25
0
 def test_verify_created_vulns_with_host_and_service_verification(
         self, session, test_client):
     workspace = WorkspaceFactory.create()
     command = EmptyCommandFactory.create(workspace=workspace)
     host = HostFactory.create(workspace=workspace)
     service = ServiceFactory.create(workspace=workspace)
     vuln = VulnerabilityFactory.create(severity='critical',
                                        workspace=workspace,
                                        host=host,
                                        service=None)
     vuln_med = VulnerabilityFactory.create(severity='medium',
                                            workspace=workspace,
                                            service=service,
                                            host=None)
     session.flush()
     CommandObjectFactory.create(command=command,
                                 object_type='host',
                                 object_id=host.id,
                                 workspace=workspace)
     CommandObjectFactory.create(command=command,
                                 object_type='vulnerability',
                                 object_id=vuln.id,
                                 workspace=workspace)
     CommandObjectFactory.create(command=command,
                                 object_type='service',
                                 object_id=service.id,
                                 workspace=workspace)
     CommandObjectFactory.create(command=command,
                                 object_type='vulnerability',
                                 object_id=vuln_med.id,
                                 workspace=workspace)
     session.commit()
     res = test_client.get(
         self.url(workspace=command.workspace) + 'activity_feed/')
     assert res.status_code == 200
     assert res.json == [{
         u'_id':
         command.id,
         u'command':
         command.command,
         u'import_source':
         u'shell',
         u'tool':
         command.tool,
         u'user':
         command.user,
         u'date':
         time.mktime(command.start_date.timetuple()) * 1000,
         u'params':
         command.params,
         u'hosts_count':
         1,
         u'services_count':
         1,
         u'vulnerabilities_count':
         2,
         u'criticalIssue':
         1
     }]
예제 #26
0
 def test_get_workspaced(self, test_client, session):
     workspace = WorkspaceFactory.create()
     session.add(workspace)
     agent = AgentFactory.create(workspaces=[self.workspace], active=True)
     session.commit()
     res = test_client.get(self.url(agent))
     assert res.status_code == 200
     assert 'workspaces' not in res.json
예제 #27
0
 def test_update_agent_delete_a_workspace(self, test_client, session):
     workspace = WorkspaceFactory.create()
     session.add(workspace)
     other_workspace = WorkspaceFactory.create()
     session.add(other_workspace)
     agent = AgentFactory.create(workspaces=[workspace, other_workspace],
                                 active=True)
     session.commit()
     raw_agent = self.create_raw_agent(workspaces=[workspace])
     res = test_client.put(self.url(agent.id), data=raw_agent)
     assert res.status_code == 200
     assert len(res.json['workspaces']) == 1
     assert other_workspace.name not in res.json['workspaces']
     assert workspace.name in res.json['workspaces']
     workspaces = Agent.query.get(agent.id).workspaces
     assert len(workspaces) == 1
     assert workspaces[0] == workspace
예제 #28
0
def test_releaseworkspaceapi_post_without_backend_token(api_rf):
    workspace = WorkspaceFactory()

    request = api_rf.post("/")

    response = ReleaseWorkspaceAPI.as_view()(request, workspace_name=workspace.name)

    assert response.status_code == 403
예제 #29
0
    def test_no_file_in_request(self, test_client, session):
        ws = WorkspaceFactory.create(name="abc")
        session.add(ws)
        session.commit()

        res = test_client.post(f'/v3/ws/{ws.name}/upload_report')

        assert res.status_code == 400
예제 #30
0
    def test_bulk_delete_hosts_invalid_characters_in_request(
            self, test_client):
        ws = WorkspaceFactory.create(name="abc")
        request_data = {'hosts_ids': [-1, 'test']}
        delete_response = test_client.delete(
            '/v2/ws/{0}/hosts/bulk_delete/'.format(ws.name), data=request_data)

        assert delete_response.json['deleted_hosts'] == 0