Exemplo n.º 1
0
def get_reports_history():
    history = []
    user_email = request.args.get('user')
    scans = []
    if user_email is not None:
        user = User.get_user(user_email)
        if user is None:
            return jsonify(success=False, reason='no-such-user')

        
        # Get Sites
        for site in user.sites():
            for scan in Site.get_site_by_url(site).scans:
                scans.append(scan)

        scans.sort(key=lambda x : x.created, reverse = True)
        # Get Scans for Sites
    else:
        for site in Site.query.all():
            for scan in site.scans:
                scans.append(scan)

    for s in scans[:100]:
            history.append(summarize_scan(s))
    return jsonify(success=True, report=history)
Exemplo n.º 2
0
def get_reports_sites():
    result = []
    group_name = request.args.get('group_name')
    user_email = request.args.get('user')

    if user_email is not None:
        # User specified, so return recent scans for each site/plan that the user can see
        user = User.get_user(user_email)
        if user is None:
            return jsonify(success=False, reason='no-such-user')
        if group_name:
            group = Group.get_group(group_name)
            if group is None:
                return jsonify(success=False, reason='no-such-group')

            site_list = map(lambda x: x.url, group.sites)
        else:
            site_list = user.sites()
        for site_url in sorted(site_list):
            site = Site.get_site_by_url(site_url)
            if site is not None:
                for plan in site.plans:
                    plan_name = plan.name
                    schedule = ScanSchedule.get_schedule(site.site_uuid, plan.plan_uuid)

                    crontab = None
                    scheduleEnabled = False
                    if schedule is not None:
                        crontab = schedule['crontab']
                        scheduleEnabled = schedule['enabled']

                    scans = []
                    for scan in site.scans:
                        if scan.plan is not None:
                            p = json.loads(scan.plan)
                            if p['name'] == plan_name:
                                scans.append(scan)                    

                    scan_for_site = []
                    for scan in scans:
                        config = json.loads(scan.configuration)
                        
                        if config.get('target', None) == site_url:
                            scan_for_site.append(scan)


                    o = list(sorted(scan_for_site, cmp= lambda x, y: cmp(x.created, y, created)))
                    if len(o):
                     l = [o[0]]
                    else:
                     l = []         
                    
                    if len(l) == 1:
                        scan = summarize_scan(l[0])
                        s = {v: scan.get(v) for v in ('id', 'created', 'state', 'issues')}
                        result.append({'target': site_url, 'plan': plan_name, 'scan': scan, 'crontab': crontab, 'scheduleEnabled': scheduleEnabled})
                    else:
                        result.append({'target': site_url, 'plan': plan_name, 'scan': None, 'crontab': crontab, 'scheduleEnabled': scheduleEnabled})
    return jsonify(success=True, report=result)
Exemplo n.º 3
0
def create_group():
    group = request.json


    # perform validations on incoming data; issue#132
    if not group.get('name'):
        return jsonify(success=False, reason='name-field-is-required')

    userz = group.get('users', [])
    sitez = group.get('sites', [])

    if userz:
        for user in userz:
            if not User.get_user(user):
                return jsonify(success=False, reason='user %s does not exist'%user)
    if sitez:
        for site in sitez:
            if not Site.get_site_by_url(site):
                return jsonify(success=False, reason='site %s does not exist'%site)

    if Group.get_group(group['name']) is not None:
        return jsonify(success=False, reason='group-already-exists')

    # post-validation
    # XXX - this is a horrible hack, we should grab the default admin user / admin group instead, not just use the first user/group in the list!!!!
    admin_user = User.query.all()[0]
    admin_group = None
    if len(Group.query.all()) > 0:
        admin_group = Group.query.all()[0]
    new_group = Group(group['name'], admin_user.email, admin_group)
    new_group.created = datetime.datetime.utcnow()
    new_group.description = group.get('description', "")

    db.session.add(new_group)
    
    for user in userz:
        new_group.users.append(User.get_user(user))
        

    for site in sitez:
        new_group.sites.append(Site.get_site_by_url(site))

    db.session.commit()

    new_group = Group.get_group(group['name'])
    return jsonify(success=True, group=sanitize_group(new_group))
Exemplo n.º 4
0
def get_plans_by_email(email):
    user = User.get_user(email)
    plans_by_site = map(lambda x:Site.get_site_by_url(x).plans, user.sites())
    plans = []
    for planlist in plans_by_site:
        for plan in planlist:
            if not plan in plans:
                plans.append(plan)
    return map(lambda x : x.dict(), plans)
Exemplo n.º 5
0
def get_sites():
    query = {}
    url = request.args.get('url')
    sitez = None
    if url:
        sitez = [ Site.get_site_by_url(url)]
    else:
        sitez = Site.query.all()

    return jsonify(success=True, sites=map(lambda x : x.dict(), sitez))
Exemplo n.º 6
0
def patch_group(group_name):

    patch = request.json

    group = Group.get_group(group_name)
    
    if not group:
        return jsonify(success=False, reason='no-such-group')

    # Process the edits. These can probably be done in one operation.

    for url in patch.get('addSites', []):
        site = Site.get_site_by_url(url)
        if not site:
            return jsonoify(success = false, reason='no-such-site')
        if not site in group.sites:
            group.sites.append(site)

    for url in patch.get('removeSites', []):
        site = Site.get_site_by_url(url)
        if not site:
            return jsonoify(success = false, reason='no-such-site')
        if site in group.sites:
            group.sites.remove(site)
    
    for email in patch.get('addUsers', []):
        user = User.get_user(email)
        if not user:
            return jsonoify(success = false, reason='no-such-user')
        if not user in group.users:
            group.users.append(user)

    for user in patch.get('removeUsers', []):
        user = User.get_user(email)
        if not user:
            return jsonoify(success = false, reason='no-such-user')
        if user in group.users:
            group.users.remove(user)

    db.session.commit()
    group = Group.get_group(group_name)
    return jsonify(success=True, group=sanitize_group(group))
Exemplo n.º 7
0
def update_site(site_id):
    new_site = request.json
    # Verify incoming site. It must exist, groups must exist, plans must exist.
    site = Site.get_site(site_id)

    if not site:
        return jsonify(success=False, reason='no-such-site')
    
    for group in new_site.get('groups', []):
        if not Group.get_group(group):
            return jsonify(success=False, reason='unknown-group')
    for plan_name in new_site.get('plans', []):
        if not Plan.get_plan(plan_name):
            return jsonify(success=False, reason='unknown-plan')

    

    if 'groups' in new_site:
        # purge groups
        for group in site.groups:
            site.groups.remove(group)

        # insert desired groups
        for group_name in new_site.get('groups', []):
            site.groups.append(Group.get_group(group_name))

    if 'plans' in new_site:
        #purge plans
        for plan in site.plans:
            site.plans.remove(plan)
        #add new plans
        for plan_name in new_site['plans']:
            site.plans.append(Plan.get_plan(plan_name))

    db.session.commit()
    # Return the updated site
    site = Site.get_site(site_id)
    if not site:
        return jsonify(success=False, reason='no-such-site')
    return jsonify(success=True, site=site.dict())
Exemplo n.º 8
0
def create_site():
    site = request.json
    # Verify incoming site: url must be valid, groups must exist, plans must exist

    if not _check_site_url(site.get('url')):
        return jsonify(success=False, reason='invalid-url')
    if not site.get('url', None):
        return jsonify(success=False, reason='missing-required-field')
    for group in site.get('groups', []):
        if not Group.get_group(group):
            return jsonify(success=False, reason='unknown-group')
    for plan_name in site.get('plans', []):
        if not Plan.get_plan(plan_name):
            return jsonify(success=False, reason='unknown-plan')
    if Site.get_site_by_url(site['url']) is not None:
        return jsonify(success=False, reason='site-already-exists')




    # Create the site
    new_site = Site(site['url'])

    for plan in site.get('plans', []):
        new_site.plans.append(Plan.get_plan(plan))
    new_site.created = datetime.datetime.utcnow()

    for group in site.get('groups', []):
        new_site.groups.append(Group.get_group(group))

    if site.get('verification',{}).get('enabled',False):
        new_site.verification_enabled = True
        new_site.verification_value = str(uuid.uuid4())
    else:
        new_site.verification_enabled = False
        new_site.verification_value = None

    db.session.add(new_site)
    db.session.commit()
    new_site = Site.get_site(new_site.site_uuid)
    # Return the new site
    return jsonify(success=True, site=new_site.dict())
Exemplo n.º 9
0
def get_reports_issues():
    result = []
    group_name = request.args.get('group_name')
    user_email = request.args.get('user')
    if user_email is not None:
        # User specified, so return recent scans for each site/plan that the user can see
        user = User.get_user(user_email)
        if user is None:
            return jsonify(success=False, reason='no-such-user')
        site_list = []
        if group_name:
            # get list of sites for group

            site_list = _find_sites_for_user_by_group_name(user_email, group_name)
            
            g = Group.get_group(group_name)
            if g:
                for site in g.sites:
                    site_list.append(site.url)


        else:
            site_list = User.get_user(user_email).sites()


        for site_url in sorted(site_list):
            r = {'target': site_url, 'issues': []}
            site = Site.get_site_by_url(site_url)
            if site is not None:
                scan_list = []
                for scan in site.scans:
                    scan_list.append(scan)

                if len(scan_list) > 0:
                    scan_list.sort(key=lambda x : x.created, reverse=True)
                    s = scan_list[0]
                    for session in s.sessions:
                            for issue in session.issues:
                                r['issues'].append({'severity': issue.severity,
                                                    'summary': issue.summary,
                                                    'scan': { 'id': s.scan_uuid},
                                                    'id': issue.issue_uuid})    

                
            result.append(r)
    return jsonify(success=True, report=result)
Exemplo n.º 10
0
def get_scans():
    limit = request.args.get('limit', 3)
    if limit: limit = int(limit)
    site_id = request.args.get('site_id')
    
    site = Site.get_site(site_id)

    if not site:
        return jsonify(success=False, reason='no-such-site')


    scanlist = list(site.scans)
    scanlist.sort(key=lambda x : x.created, reverse = True)

    scanlist = scanlist[:limit]

    results = map(lambda x : summarize_scan(x), scanlist)

    return jsonify(success=True, scans=results)
Exemplo n.º 11
0
def post_scan_create():
    # try to decode the configuration
    configuration = request.json
    
    # See if the plan exists
    plan = Plan.get_plan(configuration['plan'])
    if not plan:
        return jsonify(success=False)
    # Merge the configuration
    # Create a scan object

    scan = Scan()

    scan.meta = json.dumps({ "user": configuration['user'], "tags": [] } )

    scan.configuration = json.dumps(configuration['configuration'])
    scan.site = Site.get_site_by_url(configuration['configuration']['target'])

    scan.plan = json.dumps( { "name": plan.name, "revision": 0 })

    db.session.add(scan)
    db.session.commit()
    for step in plan.workflows:

        session_configuration = {}
        if step.configuration:
         session_configuration = json.loads(step.configuration)
        session_configuration.update(configuration['configuration'])


        session = Session()
        session.configuration = json.dumps(session_configuration)
        session.description = step.description

        session.plugin = json.dumps(Plugin.plugins[step.plugin_name]['descriptor'])

        scan.sessions.append(session)
        db.session.add(session)
        db.session.commit()

    db.session.commit()

    return jsonify(success=True, scan=sanitize_scan(scan))
Exemplo n.º 12
0
def setCredentials():
    cred_data = request.json
    site = Site.get_site_by_url(cred_data.get('site'))
    if not site:
        return jsonify(message="no-such-site", success=False)
    plan = Plan.get_plan(cred_data.get('plan'))
    if not plan:
        return jsonify(message="no-such-site", success=False)

    authData = cred_data.get('authData')


    siteCreds = SiteCredential.get_credential(site.id, plan.id)

    if not siteCreds:
        siteCreds = SiteCredential(site.id, plan.id)
        db.session.add(siteCreds)

    #update all fields, preserving values for which none was provided
    siteCreds.site_id = site.id
    siteCreds.plan_id = plan.id
    siteCreds.username = authData.get('username', siteCreds.username)
    siteCreds.emailaddress = authData.get('email', siteCreds.emailaddress)
    siteCreds.script = authData.get('script', siteCreds.script)
    siteCreds.url = authData.get('url', siteCreds.url)
    siteCreds.username_path = authData.get('meusername_field_xpathhod', siteCreds.username_path)
    siteCreds.password_path = authData.get('password_field_xpath', siteCreds.password_path)
    siteCreds.method = authData.get('method', siteCreds.method)
    siteCreds.cookies = authData.get('expected_cookies', siteCreds.cookies)
    siteCreds.before_login_path = authData.get('before_login_element_xpath', siteCreds.before_login_path)
    siteCreds.after_login_path = authData.get('after_login_element_xpath', siteCreds.after_login_path)
    siteCreds.button_path = authData.get('before_login_element_xpath', siteCreds.button_path)


    db.session.commit()
    return jsonify(credential = siteCreds.dict(), success=True)
Exemplo n.º 13
0
def get_site(site_id):
    site = Site.get_site(site_id)
    if not site:
        return jsonify(success=False, reason='no-such-site')
    return jsonify(success=True, site=site.dict())
Exemplo n.º 14
0
def _find_groups_for_site(site):
    return Site.get_site(site).groups