def get_reports_history():
history = []
user_email = request.args.get('user')
scans = []
if user_email is not None:
user = User.get_user(user_email)
if user is None:
return jsonify(success=False, reason='no-such-user')
# Get Sites
for site in user.sites():
for scan in Site.get_site_by_url(site).scans:
scans.append(scan)
scans.sort(key=lambda x : x.created, reverse = True)
# Get Scans for Sites
else:
for site in Site.query.all():
for scan in site.scans:
scans.append(scan)
for s in scans[:100]:
history.append(summarize_scan(s))
return jsonify(success=True, report=history)
def get_reports_sites():
result = []
group_name = request.args.get('group_name')
user_email = request.args.get('user')
if user_email is not None:
# User specified, so return recent scans for each site/plan that the user can see
user = User.get_user(user_email)
if user is None:
return jsonify(success=False, reason='no-such-user')
if group_name:
group = Group.get_group(group_name)
if group is None:
return jsonify(success=False, reason='no-such-group')
site_list = map(lambda x: x.url, group.sites)
else:
site_list = user.sites()
for site_url in sorted(site_list):
site = Site.get_site_by_url(site_url)
if site is not None:
for plan in site.plans:
plan_name = plan.name
schedule = ScanSchedule.get_schedule(site.site_uuid, plan.plan_uuid)
crontab = None
scheduleEnabled = False
if schedule is not None:
crontab = schedule['crontab']
scheduleEnabled = schedule['enabled']
scans = []
for scan in site.scans:
if scan.plan is not None:
p = json.loads(scan.plan)
if p['name'] == plan_name:
scans.append(scan)
scan_for_site = []
for scan in scans:
config = json.loads(scan.configuration)
if config.get('target', None) == site_url:
scan_for_site.append(scan)
o = list(sorted(scan_for_site, cmp= lambda x, y: cmp(x.created, y, created)))
if len(o):
l = [o[0]]
else:
l = []
if len(l) == 1:
scan = summarize_scan(l[0])
s = {v: scan.get(v) for v in ('id', 'created', 'state', 'issues')}
result.append({'target': site_url, 'plan': plan_name, 'scan': scan, 'crontab': crontab, 'scheduleEnabled': scheduleEnabled})
else:
result.append({'target': site_url, 'plan': plan_name, 'scan': None, 'crontab': crontab, 'scheduleEnabled': scheduleEnabled})
return jsonify(success=True, report=result)
def create_group():
group = request.json
# perform validations on incoming data; issue#132
if not group.get('name'):
return jsonify(success=False, reason='name-field-is-required')
userz = group.get('users', [])
sitez = group.get('sites', [])
if userz:
for user in userz:
if not User.get_user(user):
return jsonify(success=False, reason='user %s does not exist'%user)
if sitez:
for site in sitez:
if not Site.get_site_by_url(site):
return jsonify(success=False, reason='site %s does not exist'%site)
if Group.get_group(group['name']) is not None:
return jsonify(success=False, reason='group-already-exists')
# post-validation
# XXX - this is a horrible hack, we should grab the default admin user / admin group instead, not just use the first user/group in the list!!!!
admin_user = User.query.all()[0]
admin_group = None
if len(Group.query.all()) > 0:
admin_group = Group.query.all()[0]
new_group = Group(group['name'], admin_user.email, admin_group)
new_group.created = datetime.datetime.utcnow()
new_group.description = group.get('description', "")
db.session.add(new_group)
for user in userz:
new_group.users.append(User.get_user(user))
for site in sitez:
new_group.sites.append(Site.get_site_by_url(site))
db.session.commit()
new_group = Group.get_group(group['name'])
return jsonify(success=True, group=sanitize_group(new_group))
def get_plans_by_email(email):
user = User.get_user(email)
plans_by_site = map(lambda x:Site.get_site_by_url(x).plans, user.sites())
plans = []
for planlist in plans_by_site:
for plan in planlist:
if not plan in plans:
plans.append(plan)
return map(lambda x : x.dict(), plans)
def get_sites():
query = {}
url = request.args.get('url')
sitez = None
if url:
sitez = [ Site.get_site_by_url(url)]
else:
sitez = Site.query.all()
return jsonify(success=True, sites=map(lambda x : x.dict(), sitez))
def patch_group(group_name):
patch = request.json
group = Group.get_group(group_name)
if not group:
return jsonify(success=False, reason='no-such-group')
# Process the edits. These can probably be done in one operation.
for url in patch.get('addSites', []):
site = Site.get_site_by_url(url)
if not site:
return jsonoify(success = false, reason='no-such-site')
if not site in group.sites:
group.sites.append(site)
for url in patch.get('removeSites', []):
site = Site.get_site_by_url(url)
if not site:
return jsonoify(success = false, reason='no-such-site')
if site in group.sites:
group.sites.remove(site)
for email in patch.get('addUsers', []):
user = User.get_user(email)
if not user:
return jsonoify(success = false, reason='no-such-user')
if not user in group.users:
group.users.append(user)
for user in patch.get('removeUsers', []):
user = User.get_user(email)
if not user:
return jsonoify(success = false, reason='no-such-user')
if user in group.users:
group.users.remove(user)
db.session.commit()
group = Group.get_group(group_name)
return jsonify(success=True, group=sanitize_group(group))
def update_site(site_id):
new_site = request.json
# Verify incoming site. It must exist, groups must exist, plans must exist.
site = Site.get_site(site_id)
if not site:
return jsonify(success=False, reason='no-such-site')
for group in new_site.get('groups', []):
if not Group.get_group(group):
return jsonify(success=False, reason='unknown-group')
for plan_name in new_site.get('plans', []):
if not Plan.get_plan(plan_name):
return jsonify(success=False, reason='unknown-plan')
if 'groups' in new_site:
# purge groups
for group in site.groups:
site.groups.remove(group)
# insert desired groups
for group_name in new_site.get('groups', []):
site.groups.append(Group.get_group(group_name))
if 'plans' in new_site:
#purge plans
for plan in site.plans:
site.plans.remove(plan)
#add new plans
for plan_name in new_site['plans']:
site.plans.append(Plan.get_plan(plan_name))
db.session.commit()
# Return the updated site
site = Site.get_site(site_id)
if not site:
return jsonify(success=False, reason='no-such-site')
return jsonify(success=True, site=site.dict())
def create_site():
site = request.json
# Verify incoming site: url must be valid, groups must exist, plans must exist
if not _check_site_url(site.get('url')):
return jsonify(success=False, reason='invalid-url')
if not site.get('url', None):
return jsonify(success=False, reason='missing-required-field')
for group in site.get('groups', []):
if not Group.get_group(group):
return jsonify(success=False, reason='unknown-group')
for plan_name in site.get('plans', []):
if not Plan.get_plan(plan_name):
return jsonify(success=False, reason='unknown-plan')
if Site.get_site_by_url(site['url']) is not None:
return jsonify(success=False, reason='site-already-exists')
# Create the site
new_site = Site(site['url'])
for plan in site.get('plans', []):
new_site.plans.append(Plan.get_plan(plan))
new_site.created = datetime.datetime.utcnow()
for group in site.get('groups', []):
new_site.groups.append(Group.get_group(group))
if site.get('verification',{}).get('enabled',False):
new_site.verification_enabled = True
new_site.verification_value = str(uuid.uuid4())
else:
new_site.verification_enabled = False
new_site.verification_value = None
db.session.add(new_site)
db.session.commit()
new_site = Site.get_site(new_site.site_uuid)
# Return the new site
return jsonify(success=True, site=new_site.dict())
def get_reports_issues():
result = []
group_name = request.args.get('group_name')
user_email = request.args.get('user')
if user_email is not None:
# User specified, so return recent scans for each site/plan that the user can see
user = User.get_user(user_email)
if user is None:
return jsonify(success=False, reason='no-such-user')
site_list = []
if group_name:
# get list of sites for group
site_list = _find_sites_for_user_by_group_name(user_email, group_name)
g = Group.get_group(group_name)
if g:
for site in g.sites:
site_list.append(site.url)
else:
site_list = User.get_user(user_email).sites()
for site_url in sorted(site_list):
r = {'target': site_url, 'issues': []}
site = Site.get_site_by_url(site_url)
if site is not None:
scan_list = []
for scan in site.scans:
scan_list.append(scan)
if len(scan_list) > 0:
scan_list.sort(key=lambda x : x.created, reverse=True)
s = scan_list[0]
for session in s.sessions:
for issue in session.issues:
r['issues'].append({'severity': issue.severity,
'summary': issue.summary,
'scan': { 'id': s.scan_uuid},
'id': issue.issue_uuid})
result.append(r)
return jsonify(success=True, report=result)
def get_scans():
limit = request.args.get('limit', 3)
if limit: limit = int(limit)
site_id = request.args.get('site_id')
site = Site.get_site(site_id)
if not site:
return jsonify(success=False, reason='no-such-site')
scanlist = list(site.scans)
scanlist.sort(key=lambda x : x.created, reverse = True)
scanlist = scanlist[:limit]
results = map(lambda x : summarize_scan(x), scanlist)
return jsonify(success=True, scans=results)
def post_scan_create():
# try to decode the configuration
configuration = request.json
# See if the plan exists
plan = Plan.get_plan(configuration['plan'])
if not plan:
return jsonify(success=False)
# Merge the configuration
# Create a scan object
scan = Scan()
scan.meta = json.dumps({ "user": configuration['user'], "tags": [] } )
scan.configuration = json.dumps(configuration['configuration'])
scan.site = Site.get_site_by_url(configuration['configuration']['target'])
scan.plan = json.dumps( { "name": plan.name, "revision": 0 })
db.session.add(scan)
db.session.commit()
for step in plan.workflows:
session_configuration = {}
if step.configuration:
session_configuration = json.loads(step.configuration)
session_configuration.update(configuration['configuration'])
session = Session()
session.configuration = json.dumps(session_configuration)
session.description = step.description
session.plugin = json.dumps(Plugin.plugins[step.plugin_name]['descriptor'])
scan.sessions.append(session)
db.session.add(session)
db.session.commit()
db.session.commit()
return jsonify(success=True, scan=sanitize_scan(scan))
def setCredentials():
cred_data = request.json
site = Site.get_site_by_url(cred_data.get('site'))
if not site:
return jsonify(message="no-such-site", success=False)
plan = Plan.get_plan(cred_data.get('plan'))
if not plan:
return jsonify(message="no-such-site", success=False)
authData = cred_data.get('authData')
siteCreds = SiteCredential.get_credential(site.id, plan.id)
if not siteCreds:
siteCreds = SiteCredential(site.id, plan.id)
db.session.add(siteCreds)
#update all fields, preserving values for which none was provided
siteCreds.site_id = site.id
siteCreds.plan_id = plan.id
siteCreds.username = authData.get('username', siteCreds.username)
siteCreds.emailaddress = authData.get('email', siteCreds.emailaddress)
siteCreds.script = authData.get('script', siteCreds.script)
siteCreds.url = authData.get('url', siteCreds.url)
siteCreds.username_path = authData.get('meusername_field_xpathhod', siteCreds.username_path)
siteCreds.password_path = authData.get('password_field_xpath', siteCreds.password_path)
siteCreds.method = authData.get('method', siteCreds.method)
siteCreds.cookies = authData.get('expected_cookies', siteCreds.cookies)
siteCreds.before_login_path = authData.get('before_login_element_xpath', siteCreds.before_login_path)
siteCreds.after_login_path = authData.get('after_login_element_xpath', siteCreds.after_login_path)
siteCreds.button_path = authData.get('before_login_element_xpath', siteCreds.button_path)
db.session.commit()
return jsonify(credential = siteCreds.dict(), success=True)
def get_site(site_id):
site = Site.get_site(site_id)
if not site:
return jsonify(success=False, reason='no-such-site')
return jsonify(success=True, site=site.dict())
def _find_groups_for_site(site):
return Site.get_site(site).groups
