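    def do_logic(self, req, res, session):
        """Register or modify an account from the edit form, then list all accounts.

        ``req.params['method']`` selects ``'regist'`` (insert) or ``'modify'``
        (update in place).  The submitted fields are validated through
        ``Account.validate`` inside ``do_transaction``; on success
        ``self.result`` receives every ``Account`` ordered by ``user_id``.
        On a validation failure the edit form is rendered again with
        ``self.error_message``, ``self.ui`` and the privilege checkboxes set.
        """
        self.jinja_html_file = 'jvn_account.j2'
        self.method = req.params['method']

        # The submitted ``passwd`` field is compared with the value kept in
        # the session state for this request (presumably the stored hash put
        # there when the edit form was loaded).  An identical value means the
        # field was left untouched, so the existing hash is reused; anything
        # else is treated as a new clear-text password and hashed.  A missing
        # session entry (``jvn is None``) raises AttributeError here.
        jvn = session.get(get_session_key(req))
        if req.params['passwd'] == jvn.passwd:
            hash_code = jvn.passwd
        else:
            hash_code = make_passwd(req.params['passwd'])

        def do_execute(db):
            # Runs inside the transaction opened by ``do_transaction``.
            rec = Account(req.params, hash_code)
            ret, self.error_message = rec.validate(db, self.method)
            if not ret:
                # Validation failed: show the edit form again with the
                # submitted values and the matching privilege checkboxes.
                self.jinja_html_file = 'jvn_account_edit.j2'
                self.ui = rec
                setPrivs(self, rec.privs)
                return

            if self.method == 'regist':
                db.add(rec)
            elif self.method == 'modify':
                # Update the persisted row.  ``first()`` returns None for an
                # unknown ``user_id`` and the assignments below then raise
                # AttributeError; the row is expected to exist because the
                # edit form was loaded from it.
                rec = db.query(Account).filter_by(
                    user_id=req.params['user_id']).first()
                rec.passwd = hash_code
                rec.user_name = req.params['user_name']
                rec.email = req.params['email']
                rec.department = req.params['department']
                # Privileges are taken verbatim from the request; whether the
                # requester may grant them is not checked in this handler.
                rec.privs = req.params['privs']
            return db.query(Account).order_by(Account.user_id).all()

        self.result = do_transaction(do_execute, self)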
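    def do_logic(self, req, res, session):
        """Apply the submitted product review flags and build the result rows.

        The form carries numbered field groups ``vendorN``, ``productN``,
        ``cpeN`` and ``fs_manageN`` starting at N=1.  For each group the
        ``Product`` row matched by ``cpeN`` gets ``edit`` reset to 0 and
        ``fs_manage`` set from the form; ``self.result`` becomes the list of
        ``(fs_manage label, vendor, product, cpe)`` tuples in form order.
        """
        self.jinja_html_file = 'jvn_develop_complete.j2'

        def do_execute(db):
            # Runs inside the transaction opened by ``do_transaction``.
            records = []
            index = 1
            # Walk the numbered groups until the first missing ``cpeN`` key.
            while True:
                suffix = str(index)
                vendor = "vendor" + suffix
                product = "product" + suffix
                cpe = "cpe" + suffix
                fs_manage = "fs_manage" + suffix
                if cpe not in req.params:
                    break

                # ``first()`` yields None for a CPE that is not in the table,
                # which raises AttributeError on the following assignment.
                rec = db.query(Product).filter_by(cpe=req.params[cpe]).first()
                rec.edit = 0
                rec.fs_manage = req.params[fs_manage]

                records.append(
                    (fs_manage_code2ui(req.params[fs_manage]),
                     req.params[vendor], req.params[product], req.params[cpe]))
                index += 1
            return records

        self.result = do_transaction(do_execute, self)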
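    def check_login(self, req, session):
        """Authenticate the request and return True when a user is logged in.

        With ``LOGIN_USER_KEY`` in ``req.params`` the submitted user id and
        ``jvn_passwd`` are checked against the ``Account`` table (bcrypt
        hash); an id with no ``Account`` row is handed to ``auth_pop_user``
        instead.  On success ``self.login_user`` is set and stored in
        ``session``; on failure ``self.error_message`` is set.  Without the
        parameter, an existing ``LOGIN_USER_KEY`` entry in ``session`` counts
        as logged in.
        """
        import hmac

        def select_user(db):
            return db.query(Account).filter_by(
                user_id=req.params[LOGIN_USER_KEY]).first()

        login_ok = False
        if LOGIN_USER_KEY in req.params:
            # A form without the password field is a failed login, not a
            # KeyError.
            supplied = req.params.get('jvn_passwd', '')
            rec = do_transaction(select_user, self)
            if rec:
                # The first 29 characters of a bcrypt hash hold the version,
                # cost and salt; hashing the input with them reproduces the
                # stored hash only when the password matches.
                salt = rec.passwd[:29]
                digest = bcrypt.hashpw(supplied.encode('utf-8'),
                                       salt.encode('utf-8'))
                # Constant-time comparison so the position of the first
                # mismatching byte is not exposed through timing.
                if hmac.compare_digest(rec.passwd.encode('utf-8'), digest):
                    self.login_user = JvnUser((rec.user_id, rec.user_name,
                                               rec.email, rec.department,
                                               rec.privs))
                    session[LOGIN_USER_KEY] = self.login_user
                    login_ok = True
                else:
                    # Same message as the unknown-id branch below, so the
                    # response does not reveal which part was wrong.
                    self.error_message = 'アカウントIDもしくはパスワードが違います。'

            elif auth_pop_user(req.params[LOGIN_USER_KEY], supplied) is True:
                # Fallback for ids without an Account row.  The helper is
                # expected to return a bool; a truthy non-bool result is not
                # accepted as a login.
                self.login_user = session[LOGIN_USER_KEY] = JvnUser(
                    (req.params[LOGIN_USER_KEY],))
                login_ok = True

            else:
                self.error_message = 'アカウントIDもしくはパスワードが違います。'
        else:
            # No credentials submitted: an existing session entry counts as
            # an authenticated user.
            if LOGIN_USER_KEY in session:
                self.login_user = session.get(LOGIN_USER_KEY)
                login_ok = True

        return login_ok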
    def test_do_transaction(self):
        """Accounts sharing the test e-mail come back ordered by user_id."""
        testemail = "*****@*****.**"

        def select_by_email(db):
            query = db.query(Account).filter_by(email=testemail)
            return query.order_by(Account.user_id).all()

        result = do_transaction(select_by_email, JvnTest())
        expected_ids = ['admin', 'guest']
        for position, rec in enumerate(result):
            self.assertEqual(rec.user_id, expected_ids[position])
    def test_account_04(self):
        """An empty user_name is rejected as a missing required field."""
        row = {
            'user_id': "testtaro",
            'user_name': "",
            'email': "*****@*****.**",
            'department': 'user',
            'privs': 'admin',
        }
        account = Account(row, "******")

        def db_execute(db):
            ok, message = account.validate(db, 'regist')
            self.assertEqual(ok, False)
            self.assertEqual(message, "入力されていない項目があります。(全て必須項目です。)")

        do_transaction(db_execute, JvnTest())
    def test_account_16(self):
        """A malformed e-mail is rejected even when every length is at its limit."""
        row = {
            'user_id': "test_taro",
            'user_name': "a" * 255,
            'email': "testtaro",
            'department': "a" * 32,
            'privs': "a" * 8,
        }
        account = Account(row, "******")

        def db_execute(db):
            ok, message = account.validate(db, 'regist')
            self.assertEqual(ok, False)
            self.assertEqual(message, "メールアドレスの形式が正しくありません。")

        do_transaction(db_execute, JvnTest())
    def test_account_15(self):
        """Registering an existing user_id ('admin') is rejected as a duplicate."""
        row = {
            'user_id': "admin",
            'user_name': "a" * 255,
            'email': "*****@*****.**",
            'department': "a" * 32,
            'privs': "a" * 8,
        }
        account = Account(row, "******")

        def db_execute(db):
            ok, message = account.validate(db, 'regist')
            self.assertEqual(ok, False)
            self.assertEqual(message, "既にアカウントが存在してます。")

        do_transaction(db_execute, JvnTest())
    def test_account_13(self):
        """A 33-character department exceeds the maximum length and is rejected."""
        row = {
            'user_id': "testtaro",
            'user_name': "a" * 255,
            'email': "*****@*****.**",
            'department': "a" * 33,
            'privs': 'admin',
        }
        account = Account(row, "******")

        def db_execute(db):
            ok, message = account.validate(db, 'regist')
            self.assertEqual(ok, False)
            self.assertEqual(message, "最大桁数をこえている項目があります。")

        do_transaction(db_execute, JvnTest())
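    def do_logic(self, req, res, session):
        """Delete the account named by ``delete_user_id`` and list the rest.

        ``self.result`` receives every remaining ``Account`` ordered by
        ``user_id``.  An unknown ``delete_user_id`` is a no-op so the listing
        is still rendered.  Whether the requester may delete accounts is not
        checked in this handler.
        """
        self.jinja_html_file = 'jvn_account.j2'

        def do_execute(db):
            # Runs inside the transaction opened by ``do_transaction``.
            rec = db.query(Account).filter_by(
                user_id=req.params['delete_user_id']).first()
            # ``first()`` returns None for an unknown id; passing None to
            # ``db.delete`` would raise, so skip the delete in that case.
            if rec is not None:
                db.delete(rec)
            return db.query(Account).order_by(Account.user_id).all()

        self.result = do_transaction(do_execute, self)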
    def test_product_01(self):
        """Product pid 1 is the seeded Solaris 2.5 (SPARC) row."""
        def select_product(db):
            return db.query(Product).filter_by(pid=1).first()

        r = do_transaction(select_product, JvnTest())

        expected = (
            ('pid', 1),
            ('pname', 'Sun Solaris 2.5 (SPARC)'),
            ('cpe', 'cpe:/o:sun:solaris:2.5::sparc'),
            ('vid', 1),
            ('fs_manage', 'not_cover_item'),
            ('edit', 0),
        )
        for attr, value in expected:
            self.assertEqual(getattr(r, attr), value)
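    def do_logic(self, req, res, session):
        """Stamp the ticket's modification time and echo the submitted rows.

        ``self.result`` becomes a list of ``(vname, pname, cpe)`` tuples read
        from the numbered form fields ``vname1`` .. ``vnameN`` (and the
        matching ``pnameN``/``cpeN``), where N is ``total_count`` of the UI
        state kept in the session for this request.
        """
        self.jinja_html_file = 'jvn_ticket_complete.j2'
        self.identifier = req.params['identifier']
        ui = session.get(get_session_key(req))

        def do_execute(db):
            # Runs inside the transaction opened by ``do_transaction``.
            rec = db.query(Vulnerability).filter_by(
                identifier=self.identifier).first()
            # Naive local time (no tzinfo).  ``rec`` is None for an unknown
            # identifier, which raises AttributeError here.
            rec.ticket_modified_date = datetime.datetime.now()

        do_transaction(do_execute, self)

        # Rows are collected after the commit; ``ui`` must be present in the
        # session (None raises AttributeError on ``total_count``).
        self.result = [
            (req.params["vname" + str(n)],
             req.params["pname" + str(n)],
             req.params["cpe" + str(n)])
            for n in range(1, ui.total_count + 1)
        ]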
    def do_logic(self, req, res, session):
        """Load one account into the edit form and remember its password hash.

        The ``Account`` for ``req.params['user_id']`` becomes ``self.ui``; its
        stored ``passwd`` is kept in a ``JvnState`` under the request's session
        key (presumably so the later save can tell whether the password field
        was changed).  The user id is rendered read-only and the form's method
        is ``modify``.
        """
        self.jinja_html_file = 'jvn_account_edit.j2'

        def select_account(db):
            user_id = req.params['user_id']
            return db.query(Account).filter_by(user_id=user_id).first()

        self.ui = do_transaction(select_account, self)

        edit_state = JvnState()
        edit_state.passwd = self.ui.passwd
        session[get_session_key(req)] = edit_state

        self.readonly, self.method = 'readonly', 'modify'
        setPrivs(self, self.ui.privs)
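    def do_logic(self, req, res, session):
        """Flag the checked products as edited and echo the selected rows.

        For every ``checkN`` checkbox present in ``req.params`` (N from 1 to
        ``total_count`` of the UI state in the session) the ``Product`` row
        matched by the checkbox value (a CPE) gets ``edit`` set to 1;
        ``self.result`` becomes the list of ``(vname, pname, cpe)`` tuples for
        the checked rows, in form order.
        """
        self.jinja_html_file = 'jvn_operation_complete.j2'
        ui = session.get(get_session_key(req))

        def do_execute(db):
            # Runs inside the transaction opened by ``do_transaction``.
            records = []
            for n in range(1, ui.total_count + 1):
                checkbox = "check" + str(n)
                if checkbox not in req.params:
                    continue

                # ``first()`` yields None for a CPE that is not in the table,
                # which raises AttributeError on the next line.
                rec = db.query(Product).filter_by(
                    cpe=req.params[checkbox]).first()
                rec.edit = 1
                records.append((req.params["vname" + str(n)],
                                req.params["pname" + str(n)],
                                req.params[checkbox]))
            return records

        self.result = do_transaction(do_execute, self)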
    def test_jvn_vulnerability_01(self):
        """The seeded JVNDB-1998-000002 record loads with all its columns."""
        identifier = 'JVNDB-1998-000002'
        description = 'Sun Solaris の ndd コマンドには、不正な TCP/IP のカーネルパラメータを設定されてしまう脆弱性が存在します。'

        def select_vulnerability(db):
            return db.query(Vulnerability).filter_by(identifier=identifier).first()

        r = do_transaction(select_vulnerability, JvnTest())

        self.assertEqual(r.identifier, 'JVNDB-1998-000002')
        self.assertEqual(r.title, 'Sun Solaris の ndd コマンドにおけるサービス運用妨害 (DoS) の脆弱性')
        self.assertEqual(r.link, 'https://jvndb.jvn.jp/ja/contents/1998/JVNDB-1998-000002.html')
        self.assertEqual(r.description, description)

        # (attribute, year, month, day); each timestamp is expected at midnight.
        expected_dates = (
            ('issued_date', 2007, 4, 1),
            ('modified_date', 2007, 4, 1),
            ('public_date', 1998, 3, 11),
        )
        for attr, year, month, day in expected_dates:
            stamp = getattr(r, attr)
            self.assertEqual(stamp.year, year)
            self.assertEqual(stamp.month, month)
            self.assertEqual(stamp.day, day)
            self.assertEqual(stamp.hour, 0)
            self.assertEqual(stamp.minute, 0)
            self.assertEqual(stamp.second, 0)

        self.assertEqual(r.cweid, 'CWE-78')
        self.assertEqual(r.cwetitle, 'OSコマンドインジェクション')
 def do_logic(self, req, res, session):
     """List every account, ordered by user_id, for the account page."""
     self.jinja_html_file = 'jvn_account.j2'

     def select_all_accounts(db):
         return db.query(Account).order_by(Account.user_id).all()

     self.result = do_transaction(select_all_accounts, self)