def verify_and_call(*args, **kwargs):
context = args[1].context
event_id = kwargs.get('event_id') \
if kwargs.get('identifier') is None else kwargs.get('identifier')
user_data = util.get_jwt_content(context)
user_data['subscribed_projects'] = \
user_domain.get_projects(user_data['user_email'])
user_data['subscribed_projects'] += \
user_domain.get_projects(user_data['user_email'], active=False)
user_data['role'] = get_user_role(user_data)
event_project = event_domain.get_event(event_id).get('project_name')
if not re.match('^[0-9]*$', event_id):
rollbar.report_message('Error: Invalid event id format', 'error',
context)
raise GraphQLError('Invalid event id format')
try:
if not ENFORCER_BASIC.enforce(user_data, event_project.lower()):
util.cloudwatch_log(
context, 'Security: \
Attempted to retrieve event-related info without permission')
raise GraphQLError('Access denied')
except AttributeDoesNotExist:
return GraphQLError('Access denied: Missing attributes')
return func(*args, **kwargs)
def verify_and_call(*args, **kwargs):
context = args[1].context
project_name = kwargs.get('project_name')
user_data = util.get_jwt_content(context)
user_data['subscribed_projects'] = \
user_domain.get_projects(user_data['user_email'])
user_data['subscribed_projects'] += \
user_domain.get_projects(user_data['user_email'], active=False)
user_data['role'] = get_user_role(user_data)
if not project_name:
rollbar.report_message('Error: Empty fields in project', 'error',
context)
raise GraphQLError('Access denied')
try:
if not ENFORCER_BASIC.enforce(user_data, project_name.lower()):
util.cloudwatch_log(
context, 'Security: \
Attempted to retrieve {project} project info without permission'.format(
project=kwargs.get('project_name')))
raise GraphQLError('Access denied')
util.cloudwatch_log(
context, 'Security: Access to {project} project'.format(
project=kwargs.get('project_name')))
except AttributeDoesNotExist:
return GraphQLError('Access denied')
return func(*args, **kwargs)
def resolve_comments(self, info):
user_data = util.get_jwt_content(info.context)
curr_user_role = get_user_role(user_data)
self.comments = [
Comment(**comment) for comment in project_domain.list_comments(
self.name, curr_user_role)]
return self.comments
def _get_role(jwt_content, project_name=None):
"""Get role."""
role = get_user_role(jwt_content)
if project_name and role == 'customer':
email = jwt_content.get('user_email')
role = 'customeradmin' if is_customeradmin(
project_name, email) else 'customer'
return dict(role=role)
def resolve_observations(self, info):
""" Resolve observations attribute """
user_data = util.get_jwt_content(info.context)
curr_user_role = get_user_role(user_data)
self.observations = [
Comment(**obs)
for obs in comment_domain.get_observations(self.id, curr_user_role)
]
return self.observations
def resolve_comments(self, info):
""" Resolve comments attribute """
user_data = util.get_jwt_content(info.context)
curr_user_role = get_user_role(user_data)
self.comments = [
Comment(**comment)
for comment in comment_domain.get_comments(self.id, curr_user_role)
]
return self.comments
def resolve_role(self, info, project_name=None):
jwt_content = util.get_jwt_content(info.context)
role = get_user_role(jwt_content)
if project_name and role == 'customer':
email = jwt_content.get('user_email')
role = 'customeradmin' if is_customeradmin(project_name,
email) else 'customer'
self.role = role
return self.role
def mutate(self, info, **kwargs):
user_data = util.get_jwt_content(info.context)
user_role = get_user_role(user_data)
success = project_domain.create_project(
user_data['user_email'], user_role, **kwargs)
if success:
project = kwargs.get('project_name').lower()
util.invalidate_cache(user_data['user_email'])
util.cloudwatch_log(
info.context,
f'Security: Created project {project} succesfully')
return CreateProject(success=success)
def mutate(self, info, **query_args):
project_name = query_args.get('project_name')
success = False
user_data = util.get_jwt_content(info.context)
role = get_user_role(user_data)
modified_user_data = {
'email': query_args.get('email'),
'organization': query_args.get('organization'),
'responsibility': query_args.get('responsibility'),
'role': query_args.get('role'),
'phone_number': query_args.get('phone_number')
}
if (role == 'admin'
and modified_user_data['role'] in ['admin', 'analyst',
'customer', 'customeradmin']) \
or (is_customeradmin(project_name, user_data['user_email'])
and modified_user_data['role'] in ['customer', 'customeradmin']):
if user_domain.assign_role(modified_user_data['email'],
modified_user_data['role']):
modify_user_information(info.context, modified_user_data,
project_name)
success = True
else:
rollbar.report_message('Error: Couldn\'t update user role',
'error', info.context)
else:
rollbar.report_message(
'Error: Invalid role provided: ' + modified_user_data['role'],
'error', info.context)
if success:
util.invalidate_cache(project_name)
util.invalidate_cache(query_args.get('email'))
util.cloudwatch_log(
info.context, 'Security: Modified user data:{user} \
in {project} project succesfully'.format(
user=query_args.get('email'), project=project_name))
else:
util.cloudwatch_log(
info.context, 'Security: Attempted to modify user \
data:{user} in {project} project'.format(
user=query_args.get('email'), project=project_name))
ret = \
EditUser(success=success,
modified_user=User(project_name,
modified_user_data['email']))
return ret
def mutate(self, info, **parameters):
if parameters.get('type') in ['comment', 'observation']:
user_data = util.get_jwt_content(info.context)
role = get_user_role(user_data)
if parameters.get('type') == 'observation' and \
role not in ['analyst', 'admin']:
util.cloudwatch_log(
info.context, 'Security: \
Unauthorized role attempted to add observation')
raise GraphQLError('Access denied')
user_email = user_data['user_email']
comment_id = int(round(time() * 1000))
comment_data = {
'user_id':
comment_id,
'comment_type':
parameters.get('type'),
'content':
parameters.get('content'),
'fullname':
str.join(' ',
[user_data['first_name'], user_data['last_name']]),
'parent':
int(parameters.get('parent')),
}
success = finding_domain.add_comment(
user_email=user_email,
comment_data=comment_data,
finding_id=parameters.get('finding_id'),
is_remediation_comment=False)
else:
raise GraphQLError('Invalid comment type')
if success:
util.invalidate_cache(parameters.get('finding_id'))
util.cloudwatch_log(
info.context, 'Security: Added comment in\
finding {id} succesfully'.format(
id=parameters.get('finding_id')))
else:
util.cloudwatch_log(
info.context, 'Security: Attempted to add \
comment in finding {id}'.format(
id=parameters.get('finding_id')))
ret = AddFindingComment(success=success, comment_id=comment_id)
return ret
def mutate(self, info, **query_args):
project_name = query_args.get('project_name')
success = False
user_data = util.get_jwt_content(info.context)
role = get_user_role(user_data)
new_user_data = {
'email': query_args.get('email'),
'organization': query_args.get('organization'),
'responsibility': query_args.get('responsibility', '-'),
'role': query_args.get('role'),
'phone_number': query_args.get('phone_number', '')
}
if (role == 'admin'
and new_user_data['role'] in ['admin', 'analyst', 'customer', 'customeradmin']) \
or (is_customeradmin(project_name, user_data['user_email'])
and new_user_data['role'] in ['customer', 'customeradmin']):
if create_new_user(info.context, new_user_data, project_name):
success = True
else:
rollbar.report_message(
'Error: Couldn\'t grant access to project', 'error',
info.context)
else:
rollbar.report_message(
'Error: Invalid role provided: ' + new_user_data['role'],
'error', info.context)
if success:
util.invalidate_cache(project_name)
util.invalidate_cache(query_args.get('email'))
util.cloudwatch_log(
info.context, 'Security: Given grant access to {user} \
in {project} project'.format(user=query_args.get('email'),
project=project_name))
else:
util.cloudwatch_log(
info.context, 'Security: Attempted to give grant \
access to {user} in {project} project'.format(
user=query_args.get('email'), project=project_name))
ret = \
GrantUserAccess(success=success,
granted_user=User(project_name,
new_user_data['email']))
return ret
def verify_and_call(*args, **kwargs):
context = args[1].context
user_data = util.get_jwt_content(context)
user_data['role'] = get_user_role(user_data)
project_name = resolve_project_name(args, kwargs)
project_data = resolve_project_data(project_name)
action = '{}.{}'.format(func.__module__, func.__qualname__)
action = action.replace('.', '_')
try:
if not ENFORCER_ACTION.enforce(user_data, project_data, action):
util.cloudwatch_log(
context, 'Security: \
Unauthorized role attempted to perform operation')
raise GraphQLError('Access denied')
except AttributeDoesNotExist:
util.cloudwatch_log(
context, 'Security: \
Unauthorized role attempted to perform operation')
raise GraphQLError('Access denied')
return func(*args, **kwargs)
def resolve_user(self, info, project_name, user_email):
""" Resolve for user data """
role = services.get_user_role(util.get_jwt_content(info.context))
return User(project_name, user_email, role=role)
