def test_create_agent_valid_token(self, faraday_server_config, test_client,
session):
workspace = WorkspaceFactory.create()
session.add(workspace)
other_workspace = WorkspaceFactory.create()
session.add(other_workspace)
session.commit()
secret = pyotp.random_base32()
faraday_server_config.agent_registration_secret = secret
faraday_server_config.agent_token_expiration = 60
logout(test_client, [302])
initial_agent_count = len(session.query(Agent).all())
raw_data = get_raw_agent(name='new_agent',
token=pyotp.TOTP(secret, interval=60).now(),
workspaces=[workspace, other_workspace])
res = test_client.post('/v3/agent_registration', data=raw_data)
assert res.status_code == 201, (res.json, raw_data)
assert len(session.query(Agent).all()) == initial_agent_count + 1
assert workspace.name in res.json['workspaces']
assert other_workspace.name in res.json['workspaces']
assert len(res.json['workspaces']) == 2
workspaces = Agent.query.get(res.json['id']).workspaces
assert len(workspaces) == 2
assert workspace in workspaces
assert other_workspace in workspaces
def test_run_fails(self, test_client, session,csrf_token):
workspace = WorkspaceFactory.create()
session.add(workspace)
other_workspace = WorkspaceFactory.create()
session.add(other_workspace)
session.commit()
agent = AgentFactory.create(
workspaces=[workspace, other_workspace]
)
executor = ExecutorFactory.create(agent=agent)
session.add(executor)
session.commit()
payload = {
'csrf_token': csrf_token,
'executorData': {
"args": {
"param1": True
},
"executor": executor.name
},
}
res = test_client.post(
self.url(agent) + 'run/',
json=payload
)
assert res.status_code == 404
def test_create_agent_valid_token(self, faraday_server_config, test_client,
session):
workspace = WorkspaceFactory.create()
session.add(workspace)
other_workspace = WorkspaceFactory.create()
session.add(other_workspace)
session.commit()
faraday_server_config.agent_token = 'sarasa'
logout(test_client, [302])
initial_agent_count = len(session.query(Agent).all())
raw_data = get_raw_agent(
name='new_agent',
token='sarasa',
workspaces=[workspace, other_workspace]
)
# /v2/agent_registration/
res = test_client.post(self.check_url('/v2/agent_registration/'), data=raw_data)
assert res.status_code == 201, (res.json, raw_data)
assert len(session.query(Agent).all()) == initial_agent_count + 1
assert workspace.name in res.json['workspaces']
assert other_workspace.name in res.json['workspaces']
assert len(res.json['workspaces']) == 2
workspaces = Agent.query.get(res.json['id']).workspaces
assert len(workspaces) == 2
assert workspace in workspaces
assert other_workspace in workspaces
def test_bulk_delete_hosts_from_another_workspace(self, test_client, session):
workspace_1 = WorkspaceFactory.create(name='workspace_1')
host_of_ws_1 = HostFactory.create(workspace=workspace_1)
workspace_2 = WorkspaceFactory.create(name='workspace_2')
host_of_ws_2 = HostFactory.create(workspace=workspace_2)
session.commit()
# Try to delete workspace_2's host from workspace_1
request_data = {'hosts_ids': [host_of_ws_2.id]}
url = f'/v2/ws/{workspace_1.name}/hosts/bulk_delete/'
delete_response = test_client.delete(url, data=request_data)
assert delete_response.json['deleted_hosts'] == 0
def test_workspacestatusapi_success(api_rf):
request = api_rf.get("/")
project1 = ProjectFactory()
workspace1 = WorkspaceFactory(project=project1, uses_new_release_flow=True)
response = WorkspaceStatusAPI.as_view()(request, workspace_id=workspace1.name)
assert response.status_code == 200
assert response.data["uses_new_release_flow"]
project2 = ProjectFactory()
workspace2 = WorkspaceFactory(project=project2, uses_new_release_flow=False)
response = WorkspaceStatusAPI.as_view()(request, workspace_id=workspace2.name)
assert response.status_code == 200
assert not response.data["uses_new_release_flow"]
def test_load_itime(self, test_client, session):
ws = WorkspaceFactory.create(name="abc")
command = CommandFactory.create(workspace=ws)
session.add(ws)
session.add(command)
session.commit()
# Timestamp of 14/12/2018
itime = 1544745600.0
data = {
'command': command.command,
'tool': command.tool,
'itime': itime
}
res = test_client.put(
'/v2/ws/{ws_name}/activities/{id}/'.format(ws_name=ws.name,
id=command.id),
data=data,
)
# Changing res.json['itime'] to timestamp format of itime
res_itime = res.json['itime'] / 1000
assert res.status_code == 200
assert res_itime == itime
def test_create_release_success():
backend = BackendFactory()
workspace = WorkspaceFactory()
user = UserFactory()
files = {"file1.txt": "hash"}
release = releases.create_release(workspace, backend, user, files)
assert release.requested_files == files
def test_update_custom_field(self, api, session, test_client):
workspace = WorkspaceFactory.create()
custom_field = CustomFieldsSchemaFactory.create(
table_name='vulnerability',
field_name='cfield',
field_type='str',
field_order=1,
field_display_name='CField',
)
vuln = VulnerabilityFactory.create(workspace=workspace, severity='low', confirmed=True)
vuln.custom_fields = {'cfield': 'test'}
session.add(workspace)
session.add(custom_field)
session.add(vuln)
session.commit()
assert vuln.confirmed is True
searcher = Searcher(api(workspace, test_client, session))
rules = [{
'id': 'CHANGE_CUSTOM_FIELD',
'model': 'Vulnerability',
'object': "severity=low",
'conditions': ['confirmed=True'],
'actions': ["--UPDATE:cfield=CUSTOM_FIELD_UPDATED"]
}]
searcher.process(rules)
vulns_count = session.query(Vulnerability).filter_by(workspace=workspace).count()
assert vulns_count == 1
vuln = session.query(Vulnerability).filter_by(workspace=workspace).first()
assert vuln.custom_fields['cfield'] == 'CUSTOM_FIELD_UPDATED'
check_command(vuln, session)
def test_add_ref_to_duplicated_vuln(self, api, session, test_client):
workspace = WorkspaceFactory.create()
host = HostFactory.create(workspace=workspace)
vuln = VulnerabilityFactory.create(workspace=workspace, severity='low',
name='Duplicated Vuln',
host=host, service=None)
duplicated_vuln = VulnerabilityFactory.create(workspace=workspace, severity='low',
name='Duplicated Vuln 2',
host=host, service=None)
session.add(workspace)
session.add(vuln)
session.add(duplicated_vuln)
session.add(host)
session.commit()
first_vuln_id = vuln.id
searcher = Searcher(api(workspace, test_client, session))
rules = [{
'id': 'ADD_REFS_DUPLICATED_VULNS',
'model': 'Vulnerability',
'fields': ['name'],
'object': "severity=low --old", # Without --old param Searcher deletes all duplicated objects
'conditions': ['severity=low'],
'actions': ["--UPDATE:refs=REF_TEST"]
}]
vulns_count = session.query(Vulnerability).filter_by(workspace=workspace).count()
assert vulns_count == 2
searcher.process(rules)
vuln1 = session.query(Vulnerability).get(first_vuln_id)
assert len(vuln1.references) > 0
assert list(vuln1.references)[0] == 'REF_TEST'
def test_mail_notification(self, api, session, test_client):
workspace = WorkspaceFactory.create()
vuln = VulnerabilityFactory.create(workspace=workspace, severity='low')
session.add(workspace)
session.add(vuln)
session.commit()
mail_notification = MailNotification(
'*****@*****.**',
'testpass',
'smtp.gmail.com',
587
)
_api = api(workspace, test_client, session)
searcher = Searcher(_api, mail_notification=mail_notification)
rules = [{
'id': 'SEND_MAIL',
'model': 'Vulnerability',
'object': "severity=low",
'actions': ["--ALERT:[email protected]"]
}]
searcher.process(rules)
assert searcher.mail_notification == mail_notification
def test_remove_duplicated_by_name(self, api, session, test_client):
workspace = WorkspaceFactory.create()
host = HostFactory.create(workspace=workspace)
vuln = VulnerabilityFactory.create(workspace=workspace, severity='low',
name='Duplicated Vuln',
host=host, service=None)
duplicated_vuln = VulnerabilityFactory.create(workspace=workspace, severity='low',
name='Duplicated Vuln 2',
host=host, service=None)
session.add(workspace)
session.add(vuln)
session.add(duplicated_vuln)
session.add(host)
session.commit()
searcher = Searcher(api(workspace, test_client, session))
rules = [{
'id': 'REMOVE_DUPLICATED_VULNS',
'model': 'Vulnerability',
'fields': ['name'],
'object': "severity=low --old", # Without --old param Searcher deletes all duplicated objects
'actions': ["--DELETE:"]
}]
vulns_count = session.query(Vulnerability).filter_by(workspace=workspace).count()
assert vulns_count == 2
searcher.process(rules)
vulns_count = session.query(Vulnerability).filter_by(workspace=workspace).count()
assert vulns_count == 1
def test_jobrequestapicreate_success(api_rf, pipeline_config):
backend = BackendFactory()
workspace = WorkspaceFactory()
user = UserFactory()
token = user.rotate_token()
assert not JobRequest.objects.exists()
data = {
"workspace": workspace.name,
"backend": backend.slug,
"sha": "123",
"project_definition": pipeline_config,
"requested_actions": ["test"],
}
request = api_rf.post("/",
HTTP_AUTHORIZATION=f"{user.username}:{token}",
data=data)
response = JobRequestAPICreate.as_view()(request)
assert response.status_code == 201, response.data
assert JobRequest.objects.count() == 1
job_request = JobRequest.objects.first()
assert job_request.workspace == workspace
def test_jobapiupdate_notifications_on_with_move_to_completed(api_rf, mocker):
workspace = WorkspaceFactory()
job_request = JobRequestFactory(workspace=workspace, will_notify=True)
job = JobFactory(job_request=job_request, status="running")
now = timezone.now()
mocked_send = mocker.patch("jobserver.api.jobs.send_finished_notification",
autospec=True)
data = [
{
"identifier": job.identifier,
"job_request_id": job_request.identifier,
"action": "test",
"status": "succeeded",
"status_code": "",
"status_message": "",
"created_at": minutes_ago(now, 2),
"started_at": minutes_ago(now, 1),
"updated_at": now,
"completed_at": seconds_ago(now, 30),
},
]
request = api_rf.post(
"/",
HTTP_AUTHORIZATION=job_request.backend.auth_token,
data=data,
format="json",
)
response = JobAPIUpdate.as_view()(request)
mocked_send.assert_called_once()
assert response.status_code == 200
def test_confirm_vuln(self, api, session, test_client):
workspace = WorkspaceFactory.create()
vuln = VulnerabilityFactory.create(workspace=workspace,
severity='low',
confirmed=False)
session.add(workspace)
session.add(vuln)
session.commit()
assert vuln.confirmed is False
searcher = Searcher(api(workspace, test_client, session))
rules = [{
'id': 'CONFIRM_VULN',
'model': 'Vulnerability',
'object': "severity=low",
'actions': ["--UPDATE:confirmed=True"]
}]
searcher.process(rules)
vulns_count = session.query(Vulnerability).filter_by(
workspace=workspace).count()
assert vulns_count == 1
vuln = session.query(Vulnerability).filter_by(
workspace=workspace).first()
assert vuln.confirmed is True
def test_get_workspaced_other_fails(self, test_client, session):
other_workspace = WorkspaceFactory.create()
session.add(other_workspace)
agent = AgentFactory.create(workspaces=[other_workspace], active=True)
session.commit()
res = test_client.get(self.url(agent))
assert res.status_code == 404
def test_update_agent_add_a_inexistent_workspace(self, test_client,
session):
workspace = WorkspaceFactory.create()
session.add(workspace)
other_workspace = WorkspaceFactory.create()
session.add(other_workspace)
agent = AgentFactory.create(workspaces=[workspace], active=True)
session.commit()
raw_agent = self.create_raw_agent(
workspaces=[workspace, other_workspace])
raw_agent["workspaces"] = ["donotexist"]
res = test_client.put(self.url(agent.id), data=raw_agent)
assert res.status_code == 404
workspaces = Agent.query.get(agent.id).workspaces
assert len(workspaces) == 1
assert workspace in workspaces
def test_severity_info_med_2(self, api, session, test_client):
workspace = WorkspaceFactory.create()
vuln = VulnerabilityWebFactory.create(workspace=workspace,
severity='informational')
session.add(workspace)
session.add(vuln)
session.commit()
assert vuln.severity == 'informational'
searcher = Searcher(api(workspace, test_client, session))
rules = [{
'id': 'CONFIRM_VULN',
'model': 'Vulnerability',
'object': "severity=info",
'actions': ["--UPDATE:severity=med"]
}]
searcher.process(rules)
vulns_count = session.query(VulnerabilityWeb).filter_by(
workspace=workspace).count()
assert vulns_count == 1
vuln = session.query(VulnerabilityWeb).filter_by(
workspace=workspace).first()
assert vuln.severity == 'medium'
def test_bulk_delete_hosts_without_hosts_ids(self, test_client):
ws = WorkspaceFactory.create(name="abc")
request_data = {'hosts_ids': []}
delete_response = test_client.delete(f'/v2/ws/{ws.name}/hosts/bulk_delete/', data=request_data)
assert delete_response.status_code == 400
def test_delete_vulns_with_dynamic_values(self, api, session, test_client):
workspace = WorkspaceFactory.create()
vuln1 = VulnerabilityFactory.create(workspace=workspace, name="TEST1")
vuln2 = VulnerabilityFactory.create(workspace=workspace, name="TEST2")
session.add(workspace)
session.add(vuln1)
session.add(vuln2)
session.commit()
searcher = Searcher(api(workspace, test_client, session))
rules = [{
'id': 'DELETE_VULN_{{name}}',
'model': 'Vulnerability',
'object': "regex=^{{name}}",
'actions': ["--DELETE:"],
'values': [{
'name': 'TEST1'
}, {
'name': 'TEST2'
}]
}]
vulns_count = session.query(Vulnerability).filter_by(
workspace=workspace).count()
assert vulns_count == 2
searcher.process(rules)
vulns_count = session.query(Vulnerability).filter_by(
workspace=workspace).count()
assert vulns_count == 0
def test_update_host_with_all_fields(self, api, session, test_client):
workspace = WorkspaceFactory.create()
host = HostFactory.create(workspace=workspace,
os='Unix',
ip="10.25.86.39",
owned=False,
description='HDesc',
mac='MAC')
session.add(workspace)
session.add(host)
session.commit()
assert host.owned is False
assert host.os == 'Unix'
assert host.ip == "10.25.86.39"
assert host.description == 'HDesc'
assert host.mac == 'MAC'
searcher = Searcher(api(workspace, test_client, session))
rules = [{
'id':
'UPDATE_HOST',
'model':
'Host',
'object':
"ip=10.25.86.39 owned=False os=Unix",
'actions': ["--UPDATE:description=HDescUp", "--UPDATE:mac=MAC2"]
}]
searcher.process(rules)
host = session.query(Host).filter_by(workspace=workspace).first()
assert host.description == 'HDescUp'
assert host.mac == 'MAC2'
def test_update_severity_by_creator(self, api, session, test_client):
workspace = WorkspaceFactory.create()
host = HostFactory.create(workspace=workspace)
user = UserFactory.create()
vuln = VulnerabilityFactory.create(workspace=workspace,
tool='Nessus',
severity='low',
host=host,
creator=user,
service=None)
session.add(workspace)
session.add(vuln)
session.add(host)
session.commit()
vuln_id = vuln.id
assert vuln.severity == 'low'
searcher = Searcher(api(workspace, test_client, session))
rules = [{
'id': 'CHANGE_SEVERITY_INSIDE_HOST',
'model': 'Vulnerability',
'object':
f'creator={user.username}', # Without --old param Searcher deletes all duplicated objects
'conditions': ['tool=Nessus'],
'actions': ["--UPDATE:severity=info"]
}]
searcher.process(rules)
vuln = session.query(Vulnerability).get(vuln_id)
assert vuln.severity == 'informational'
def test_update_severity_by_values_with_space_2(self, api, session,
test_client):
workspace = WorkspaceFactory.create()
vuln = VulnerabilityFactory.create(workspace=workspace,
name='Cross-domain Referer leakage',
severity='low',
service=None)
session.add(workspace)
session.add(vuln)
session.commit()
vuln_id = vuln.id
assert vuln.severity == 'low'
searcher = Searcher(api(workspace, test_client, session))
rules = [{
'id': 'CHANGE_SEVERITY',
'model': 'Vulnerability',
'object':
"name=Cross-domain%Referer%leakage", # Without --old param Searcher deletes all duplicated objects
'conditions': ['name=Cross-domain%Referer%leakage'],
'actions': ["--UPDATE:severity=info"]
}]
searcher.process(rules)
vuln = session.query(Vulnerability).get(vuln_id)
assert vuln.severity == 'informational'
def test_searcher_update_rules(self, api, session, test_client):
workspace = WorkspaceFactory.create()
vuln = VulnerabilityFactory.create(workspace=workspace, severity='low')
session.add(workspace)
session.add(vuln)
session.commit()
assert vuln.severity == 'low'
searcher = Searcher(api(workspace, test_client, session))
rules = [{
'id': 'CHANGE_SEVERITY',
'model': 'Vulnerability',
'object': "severity=low",
'actions': ["--UPDATE:severity=med"]
}]
searcher.process(rules)
vulns_count = session.query(Vulnerability).filter_by(
workspace=workspace).count()
assert vulns_count == 1
vuln = session.query(Vulnerability).filter_by(
workspace=workspace).first()
assert vuln.severity == 'medium'
check_command(vuln, session)
def test_apply_template_by_id(self, api, session, test_client):
workspace = WorkspaceFactory.create()
template = VulnerabilityTemplateFactory.create()
vuln = VulnerabilityFactory.create(workspace=workspace,
severity='low',
confirmed=False)
session.add(workspace)
session.add(vuln)
session.add(template)
session.commit()
template_name = template.name
template_id = template.id
searcher = Searcher(api(workspace, test_client, session))
rules = [{
'id': 'APPLY_TEMPLATE',
'model': 'Vulnerability',
'object': "severity=low",
'actions': [f"--UPDATE:template={template_id}"]
}]
searcher.process(rules)
vulns_count = session.query(Vulnerability).filter_by(
workspace=workspace).count()
assert vulns_count == 1
vuln = session.query(Vulnerability).filter_by(
workspace=workspace).first()
assert vuln.name == template_name
def test_verify_created_vulns_with_host_and_service_verification(
self, session, test_client):
workspace = WorkspaceFactory.create()
command = EmptyCommandFactory.create(workspace=workspace)
host = HostFactory.create(workspace=workspace)
service = ServiceFactory.create(workspace=workspace)
vuln = VulnerabilityFactory.create(severity='critical',
workspace=workspace,
host=host,
service=None)
vuln_med = VulnerabilityFactory.create(severity='medium',
workspace=workspace,
service=service,
host=None)
session.flush()
CommandObjectFactory.create(command=command,
object_type='host',
object_id=host.id,
workspace=workspace)
CommandObjectFactory.create(command=command,
object_type='vulnerability',
object_id=vuln.id,
workspace=workspace)
CommandObjectFactory.create(command=command,
object_type='service',
object_id=service.id,
workspace=workspace)
CommandObjectFactory.create(command=command,
object_type='vulnerability',
object_id=vuln_med.id,
workspace=workspace)
session.commit()
res = test_client.get(
self.url(workspace=command.workspace) + 'activity_feed/')
assert res.status_code == 200
assert res.json == [{
u'_id':
command.id,
u'command':
command.command,
u'import_source':
u'shell',
u'tool':
command.tool,
u'user':
command.user,
u'date':
time.mktime(command.start_date.timetuple()) * 1000,
u'params':
command.params,
u'hosts_count':
1,
u'services_count':
1,
u'vulnerabilities_count':
2,
u'criticalIssue':
1
}]
def test_get_workspaced(self, test_client, session):
workspace = WorkspaceFactory.create()
session.add(workspace)
agent = AgentFactory.create(workspaces=[self.workspace], active=True)
session.commit()
res = test_client.get(self.url(agent))
assert res.status_code == 200
assert 'workspaces' not in res.json
def test_update_agent_delete_a_workspace(self, test_client, session):
workspace = WorkspaceFactory.create()
session.add(workspace)
other_workspace = WorkspaceFactory.create()
session.add(other_workspace)
agent = AgentFactory.create(workspaces=[workspace, other_workspace],
active=True)
session.commit()
raw_agent = self.create_raw_agent(workspaces=[workspace])
res = test_client.put(self.url(agent.id), data=raw_agent)
assert res.status_code == 200
assert len(res.json['workspaces']) == 1
assert other_workspace.name not in res.json['workspaces']
assert workspace.name in res.json['workspaces']
workspaces = Agent.query.get(agent.id).workspaces
assert len(workspaces) == 1
assert workspaces[0] == workspace
def test_releaseworkspaceapi_post_without_backend_token(api_rf):
workspace = WorkspaceFactory()
request = api_rf.post("/")
response = ReleaseWorkspaceAPI.as_view()(request, workspace_name=workspace.name)
assert response.status_code == 403
def test_no_file_in_request(self, test_client, session):
ws = WorkspaceFactory.create(name="abc")
session.add(ws)
session.commit()
res = test_client.post(f'/v3/ws/{ws.name}/upload_report')
assert res.status_code == 400
def test_bulk_delete_hosts_invalid_characters_in_request(
self, test_client):
ws = WorkspaceFactory.create(name="abc")
request_data = {'hosts_ids': [-1, 'test']}
delete_response = test_client.delete(
'/v2/ws/{0}/hosts/bulk_delete/'.format(ws.name), data=request_data)
assert delete_response.json['deleted_hosts'] == 0