def mutate(self, info, **kwargs):
if _validate_jwt(info.context['request'].headers):
if not all(k in kwargs for k in ("name", "url", "project")):
raise Exception("Mandatory fields of `name`, `url` and `project` not in mutation")
else:
try:
ref_proj = str(kwargs['project']).strip()
ref_project = Proj.objects.get(name=ref_proj)
except DoesNotExist:
return "No Project specified"
ref_target = str(kwargs['name']).strip()
try:
Target.objects.get(name=ref_target)
new_target = Target.objects(name=ref_target).update_one(name=ref_target,
url=kwargs['url'],
project=ref_project)
updated = True
except DoesNotExist:
new_target = Target(name=ref_target, url=kwargs['url'], project=ref_project).save()
created = True
return CreateOrUpdateTarget(target=new_target)
else:
raise Exception("Unauthorized to perform action")
def mutate(self, info, **kwargs):
if _validate_jwt(info.context['request'].headers):
vuln_attributes = kwargs.get('vuln', {})
if not vuln_attributes:
raise Exception("You need to specify a vuln key")
else:
if not all(k in vuln_attributes for k in ("name", "tool", "description", "project", "scan")):
raise Exception("Mandatory fields not in Vulnerability Definition")
else:
try:
ref_project = Proj.objects.get(name=vuln_attributes.get('project'))
ref_scan = Scan.objects.get(name=vuln_attributes.get('scan'))
new_vuln = Vulnerability(name=vuln_attributes['name'], tool=vuln_attributes['tool'],
description=vuln_attributes['description'],
cwe=vuln_attributes.get('cwe', 0),
observation=vuln_attributes.get('observation', ''),
severity=vuln_attributes.get('severity', 1), project=ref_project,
remediation=vuln_attributes.get('remediation', '')
).save()
ref_scan.update(add_to_set__vulnerabilities=new_vuln.id)
except DoesNotExist:
return "Project OR Target or Scan not found"
except Exception as e:
return e.args
return CreateVulnerability(vulnerability=new_vuln)
else:
raise Exception("Unauthorized to perform action")
def resolve_vuls_by_cwe(self, info, **kwargs):
if _validate_jwt(info.context['request'].headers):
if 'cwe' in kwargs:
if isinstance(kwargs['cwe'], int):
return list(Vulnerability.objects(cwe=kwargs['cwe']))
else:
raise Exception("Unauthorized to perform action")
def mutate(self, info, short_name, description, project, user_story):
if _validate_jwt(info.context['request'].headers):
try:
ref_proj = Proj.objects.get(name=project)
except DoesNotExist as de:
return de.args
try:
ref_user_story = UseCase.objects.get(short_name=user_story)
except DoesNotExist as ude:
return ude.args
try:
AbuseCase.objects.get(short_name=short_name)
AbuseCase.objects(short_name=short_name).update_one(short_name=short_name,
description=description,
project=ref_proj, upsert=True)
new_abuse_case = AbuseCase.objects.get(short_name=short_name)
ref_user_story.update(add_to_set__abuses=[new_abuse_case.id])
updated = True
created = False
except DoesNotExist:
new_abuse_case = AbuseCase(short_name=short_name, description=description, project=ref_proj).save()
ref_user_story.update(add_to_set__abuses=[new_abuse_case.id])
updated = False
created = True
return CreateOrUpdateAbuserStory(abuser_story=new_abuse_case)
else:
raise Exception("Unauthorized to perform action")
def resolve_tgt_by_project(self, info, **kwargs):
if _validate_jwt(info.context['request'].headers):
if 'project' in kwargs:
ref_project = Proj.objects.get(name=kwargs.get('project'))
return Target.objects(project=ref_project.id)
else:
raise Exception("Unauthorized to perform action")
def resolve_vuls_by_scan(self, info, **kwargs):
if _validate_jwt(info.context['request'].headers):
if 'scan_name' in kwargs:
ref_scan = Scan.objects.get(name=kwargs.get('scan_name'))
return ref_scan
else:
raise Exception("Unauthorized to perform action")
def mutate(self, info, **kwargs):
if _validate_jwt(info.context['request'].headers):
try:
if 'userstory' in kwargs:
attrs = kwargs['userstory']
my_proj = Proj.objects.get(name=attrs['project'])
try:
ref_user_story = UseCase.objects.get(short_name=attrs['short_name'])
UseCase.objects(short_name=attrs['short_name']).update_one(short_name=attrs['short_name'],
description=attrs['description'],
project=my_proj, upsert=True)
if 'part_of' in attrs:
ref_user_story.update(part_of=attrs['part_of'])
new_user_story = ref_user_story
except DoesNotExist:
new_user_story = UseCase()
new_user_story.short_name = attrs['short_name']
new_user_story.description = attrs['description']
new_user_story.project = my_proj
if 'part_of' in attrs:
new_user_story.part_of = attrs['part_of']
new_user_story.save()
return CreateOrUpdateUserStory(user_story=new_user_story)
except DoesNotExist as de:
return de.args
except Exception as e:
return e.args
except Exception as me:
return me.args
else:
raise Exception("Unauthorized to Perform Action")
def mutate(self, info, **kwargs):
if _validate_jwt(info.context['request'].headers):
attributes = kwargs.get('evidence', {})
if not attributes:
raise Exception("Vulnerability Evidence doesn't have mandatory fields")
else:
if not all(k in attributes for k in ("name", "url", "vuln_id")):
raise Exception("Mandatory fields `name`, `url` or `vuln_id` missing")
else:
ref_vuln = Vulnerability.objects.get(id=attributes.get('vuln_id'))
new_evidence = VulnerabilityEvidence()
new_evidence.name = attributes.get('name')
new_evidence.url = attributes.get('url')
if 'param' in attributes:
new_evidence.param = attributes.get('param')
if 'log' in attributes:
new_evidence.log = attributes.get('log')
if 'attack' in attributes:
new_evidence.attack = attributes.get('attack')
if 'other_info' in attributes:
new_evidence.other_info = attributes.get('other_info')
if 'evidence' in attributes:
new_evidence.evidence = attributes.get('evidence')
new_evidence.save()
ref_vuln.update(add_to_set__evidences=new_evidence)
return CreateVulnerabilityEvidence(new_evidence)
else:
raise Exception("Unauthorized to perform action")
def mutate(self, info, name):
if _validate_jwt(info.context['request'].headers):
try:
new_project = Proj(name=name).save()
ok = True
return CreateProject(project=new_project)
except Exception as e:
raise Exception(str(e))
else:
raise Exception("Unauthorized to perform action")
def mutate(self, info, target):
if _validate_jwt(info.context['request'].headers):
try:
ref_target = Target.objects.get(name=target)
new_scan = Scan().save()
ref_target.update(add_to_set__scans=new_scan.id)
except DoesNotExist:
raise Exception("Target matching query does not exist")
return CreateScan(scan=new_scan)
else:
raise Exception("Unauthorized to perform action")
def mutate(self, info, scan_name):
if _validate_jwt(info.context['request'].headers):
try:
ref_scan = Scan.objects.get(name=scan_name)
if not ref_scan.synced:
ref_scan.update(synced=True)
return MarkScanSynced(scan=ref_scan)
except DoesNotExist:
raise Exception("Scan does not exist")
else:
raise Exception("Unauthorized to perform action")
def mutate(self, info, short_name):
if _validate_jwt(info.context['request'].headers):
try:
name = str(short_name).strip()
ref_case = AbuseCase.objects.get(short_name=name)
ref_case.delete()
return DeleteAbuserStory(ok=True)
except DoesNotExist:
raise Exception("Abuser Story does not exist")
else:
raise Exception("Not authorized to perform action")
def mutate(self, info, name):
if _validate_jwt(info.context['request'].headers):
try:
name = str(name).strip()
ref_case = Test.objects.get(name=name)
ref_case.delete()
return DeleteTestCase(ok=True)
except DoesNotExist:
raise Exception("Test Case does not exist")
else:
raise Exception("Not authorized to perform action")
def mutate(self, info, **kwargs):
if _validate_jwt(info.context['request'].headers):
case_attrs = kwargs.get('single_case')
if not case_attrs:
raise Exception("No Case Attributes")
else:
if not all(k in case_attrs
for k in ("name", "test_case", "threat_model")):
raise Exception(
"mandatory fields not in test case specification")
else:
tool_list = case_attrs.get('tools', [])
tag_list = case_attrs.get('tags', [])
executed = case_attrs.get('executed', False)
test_type = case_attrs.get('test_type', 'discovery')
test_name = str(case_attrs['name']).strip()
try:
ref_case = Test.objects.get(name=test_name)
if ref_case:
Test.objects(name=ref_case).update_one(
name=ref_case,
test_case=case_attrs['test_case'],
executed=executed,
test_type=test_type,
upsert=True)
new_test_case = Test.objects.get(name=ref_case)
except DoesNotExist:
new_test_case = Test(name=ref_case,
test_case=case_attrs['test_case'],
tags=tag_list,
tools=tool_list,
executed=executed,
test_type=test_type).save()
try:
ref_model = ThreatModel.objects.get(
name=case_attrs['threat_model'])
ref_model.update(add_to_set__tests=new_test_case)
print(ref_model)
except DoesNotExist:
pass
return CreateOrUpdateTestCase(case=new_test_case)
else:
raise Exception("Unauthorized to perform action")
def mutate(self, info, **kwargs):
if _validate_jwt(info.context['request'].headers):
try:
attrs = kwargs['new_interaction']
ref_user_story = UseCase.objects.get(short_name=attrs['user_story_name'])
new_interaction = Interaction(nature=attrs['nature'],
data_flow=attrs['data_flow'], endpoint=attrs['endpoint'],
project=ref_user_story.project).save()
if attrs['nature'] == 'I':
ref_user_story.update(add_to_set__relations=new_interaction)
elif attrs['nature'] == 'E':
ref_user_story.update(add_to_set__relations=new_interaction)
else:
raise Exception("Invalid type of Interaction")
except DoesNotExist:
raise Exception("The User Story doesn't seem to exist")
else:
raise Exception("Unauthorized to perform task")
def get_story_by_cwe(req, resp, *, cwe):
if req.method == 'post':
if _validate_jwt(req.headers):
cwe = int(cwe)
pipeline = [{"$match": {"cwe": cwe}}, {
"$lookup": {"from": "abuse_case", "localField": "_id", "foreignField": "models",
"as": "abuses_model"}}, {"$lookup": {"from": "use_case", "localField": "_id",
"foreignField": "scenarios", "as": "usecases_model"}},
{"$lookup": {"from": "project", "localField": "project",
"foreignField": "_id", "as": "project_model"}},
]
cwe_list = json.loads(dumps(list(ThreatModel.objects.aggregate(*pipeline))))
resp.media = cwe_list
return resp
else:
resp.status_code = api.status_codes.HTTP_403
resp.media = {'error': "Unauthorized to perform action"}
return resp
def resolve_search_threat_scenario(self, info, **kwargs):
if _validate_jwt(info.context['request'].headers):
if kwargs.get('project_name'):
try:
ref_project = Proj.objects.get(name=kwargs.get('project_name'))
return ThreatModel.objects(project=ref_project.id)
except DoesNotExist as de:
return de
else:
for single in kwargs.keys():
if '__' in single:
val = kwargs[single]
kwargs.pop(single)
other_val = single.replace('__', '.')
kwargs[other_val] = val
print(kwargs)
return ThreatModel.objects(__raw__=kwargs)
else:
raise Exception("Unauthorized to perform action")
def resolve_relations(self, info):
if _validate_jwt(info.context['request'].headers):
return list(Interaction.objects.all())
else:
raise Exception("Unauthorized to perform action")
def resolve_repo_by_name(self, info, **kwargs):
if _validate_jwt(info.context['request'].headers):
return Repo.objects.get(short_name=kwargs.get('short_name'))
else:
raise Exception("Unauthorized to perform action")
def mutate(self, info, **kwargs):
if _validate_jwt(info.context['request'].headers):
if 't_model' in kwargs:
model_attribs = kwargs['t_model']
print(model_attribs['project'])
if not all(k in model_attribs for k in ("name", "vul_name", "description", "project")):
raise Exception("Mandatory parameters are not in the mutation")
else:
try:
cwe_val = model_attribs.get('cwe', 0)
related_cwes = model_attribs.get('related_cwes', [])
mitigations = model_attribs.get('mitigations', [])
severity = int(model_attribs.get('severity', 1))
test_cases = model_attribs.get('tests', [])
project = model_attribs.get('project')
ref_proj = Proj.objects.get(name=project)
try:
ThreatModel.objects.get(name=model_attribs.get('name'))
new_threat_model = ThreatModel.objects(name=model_attribs.get('name')).update_one(
name=model_attribs.get('name'),
vul_name=model_attribs.get('vul_name'),
cwe=cwe_val, severity=severity,
related_cwes=related_cwes,
mitigations=mitigations,
description=model_attribs.get('description'),
project = ref_proj,
tests=test_cases, upsert=True
)
new_threat_model = ThreatModel.objects.get(name=model_attribs.get('name'))
except DoesNotExist:
new_threat_model = ThreatModel(name=model_attribs.get('name'),
vul_name=model_attribs.get('vul_name'),
cwe=cwe_val, severity=severity,
related_cwes=related_cwes,
mitigations=mitigations,
description=model_attribs.get('description'),
project = ref_proj,
tests=test_cases
).save()
except Exception as e:
return e.args
if 'abuser_stories' in model_attribs:
abuses = model_attribs.get('abuser_stories')
for single in abuses:
try:
ref_abuse = AbuseCase.objects.get(short_name=single)
linked_tm = ThreatModel.objects.get(name=model_attribs.get('name'))
ref_abuse.update(add_to_set__models=[linked_tm.id])
except DoesNotExist:
pass
if 'user_story' in model_attribs:
try:
features = model_attribs.get('user_story')
ref_use = UseCase.objects.get(short_name=features)
ref_use.update(add_to_set__scenarios=new_threat_model)
except DoesNotExist:
raise Exception("Feature/User Story mentioned does not exist")
return CreateOrUpdateThreatModel(threat_model=new_threat_model)
else:
raise Exception("Unauthorized to perform action")
def resolve_abuser_story_by_name(self, info, **kwargs):
if _validate_jwt(info.context['request'].headers):
if 'short_name' in kwargs:
return AbuseCase.objects.get(short_name=kwargs['short_name'])
else:
raise Exception("Unauthorized to perform action")
def resolve_abuser_stories(self, info):
if _validate_jwt(info.context['request'].headers):
return list(AbuseCase.objects.all())
else:
raise Exception("Unauthorized to perform action")
def resolve_scenarios(self, info):
if _validate_jwt(info.context['request'].headers):
return list(ThreatModel.objects.all())
else:
raise Exception("Unauthorized to perform action")
