def get_evidence(request, project, evidence_type, findingid, fileid):
    username = request.session['username']
    role = request.session['role']
    if (evidence_type in ['drafts', 'findings']
        and has_access_to_finding(username, findingid, role)) \
            or (evidence_type == 'events'
                and has_access_to_event(username, findingid, role)):
        if fileid is None:
            rollbar.report_message('Error: Missing evidence image ID',
                                   'error', request)
            return HttpResponse("Error - Unsent image ID",
                                content_type="text/html")
        key_list = key_existing_list(f'{project.lower()}/{findingid}/{fileid}')
        if key_list:
            for k in key_list:
                start = k.find(findingid) + len(findingid)
                localfile = "/tmp" + k[start:]
                ext = {'.png': '.tmp', '.gif': '.tmp'}
                localtmp = util.replace_all(localfile, ext)
                CLIENT_S3.download_file(BUCKET_S3, k, localtmp)
                return retrieve_image(request, localtmp)
        else:
            return util.response([], 'Access denied or evidence not found', True)
    else:
        util.cloudwatch_log(
            request,
            'Security: Attempted to retrieve evidence without permission')
        return util.response([], 'Access denied or evidence not found', True)
def validation_project_to_pdf(request, lang, doctype):
    if lang not in ["es", "en"]:
        rollbar.report_message('Error: Unsupported language', 'error', request)
        return util.response([], 'Unsupported language', True)
    if doctype not in ["tech", "executive"]:
        rollbar.report_message('Error: Unsupported doctype', 'error', request)
        return util.response([], 'Unsupported doctype', True)
    return None
 def test_response(self):
     data = 'this is data'
     message = 'this is a test'
     error = '500'
     test_data = response(data, message, error)
     expected_output = {
         'data': 'this is data',
         'message': 'this is a test',
         'error': '500'
     }
     assert json.loads(test_data.content.decode('utf-8')) == expected_output
def project_to_xls(request, lang, project):
    "Create the technical report"
    username = request.session['username'].split("@")[0]
    if project.strip() == "":
        rollbar.report_message(
            'Error: Empty fields in project', 'error', request)
        return util.response([], 'Empty fields', True)
    if not has_access_to_project(request.session['username'],
                                 project, request.session['role']):
        util.cloudwatch_log(
            request,
            'Security: Attempted to export project xls without permission')
        return util.response([], 'Access denied', True)
    if lang not in ["es", "en"]:
        rollbar.report_message('Error: Unsupported language', 'error', request)
        return util.response([], 'Unsupported language', True)
    findings = finding_domain.get_findings(
        project_domain.list_findings(project.lower()))
    if findings:
        findings = [cast_new_vulnerabilities(
            get_open_vuln_by_type(finding['findingId'], request), finding)
            for finding in findings]
    else:
        rollbar.report_message(
            'Project {} does not have findings in dynamo'.format(project),
            'warning',
            request)
        return util.response([], 'Empty fields', True)
    data = util.ord_asc_by_criticidad(findings)
    it_report = ITReport(project, data, username)
    filepath = it_report.result_filename
    reports.set_xlsx_password(filepath, time.strftime('%d%m%Y') + username)

    with open(filepath, 'rb') as document:
        response = HttpResponse(document.read())
        response['Content-Type'] = ('application/vnd.openxmlformats'
                                    '-officedocument.spreadsheetml.sheet')
        response['Content-Disposition'] = 'inline;filename={}.xlsx'.format(
            project)
    return response
        def authorize_and_call(*args, **kwargs):
            request = args[0]
            # Verify role if the user is logged in
            if 'username' in request.session and request.session['registered']:
                if request.session['role'] not in roles:
                    return util.response([], 'Access denied', True)
            else:
                # The user is not even authenticated. Redirect to login
                return HttpResponse('<script> \
                               var getUrl=window.location.hash.substr(1); \
                  localStorage.setItem("url_inicio",getUrl); \
                  location = "/integrates/index" ; </script>')

            return func(*args, **kwargs)
def download_vulnerabilities(request, findingid):
    """Download a file with all the vulnerabilities."""
    if not has_access_to_finding(request.session['username'], findingid,
                                 request.session['role']):
        util.cloudwatch_log(request,
                            'Security: \
Attempted to retrieve vulnerabilities without permission')
        return util.response([], 'Access denied', True)
    else:
        finding = get_vulnerabilities_by_type(findingid)
        data_yml = {}
        vuln_types = {'ports': dict, 'lines': dict, 'inputs': dict}
        if finding:
            for vuln_key, cast_fuction in list(vuln_types.items()):
                if finding.get(vuln_key):
                    data_yml[vuln_key] = list(map(cast_fuction, list(finding.get(vuln_key))))
                else:
                    # This finding does not have this type of vulnerabilities
                    pass
        else:
            # This finding does not have new vulnerabilities
            pass
        project = finding_domain.get_finding(findingid)['projectName']
        file_name = '/tmp/{project}-{finding_id}.yaml'.format(
            finding_id=findingid, project=project)
        stream = open(file_name, 'w')
        yaml.safe_dump(data_yml, stream, default_flow_style=False)
        try:
            with open(file_name, 'rb') as file_obj:
                response = HttpResponse(file_obj.read(), content_type='text/x-yaml')
                response['Content-Disposition'] = \
                    'attachment; filename="{project}-{finding_id}.yaml"'.format(
                        finding_id=findingid, project=project)
                return response
        except IOError:
            rollbar.report_message('Error: Invalid vulnerabilities file format', 'error', request)
            return util.response([], 'Invalid vulnerabilities file format', True)
def project_to_pdf(request, lang, project, doctype):
    "Export a project to a PDF"
    assert project.strip()
    if not has_access_to_project(request.session['username'],
                                 project, request.session['role']):
        util.cloudwatch_log(request, 'Security: Attempted to export project'
                                     ' pdf without permission')
        return util.response([], 'Access denied', True)
    else:
        user = request.session['username'].split('@')[0]
        validator = validation_project_to_pdf(request, lang, doctype)
        if validator is not None:
            return validator
        findings = finding_domain.get_findings(
            project_domain.list_findings(project.lower()))
        findings = [cast_new_vulnerabilities(
            get_open_vuln_by_type(finding['findingId'], request), finding)
            for finding in findings]
        description = project_domain.get_description(project.lower())

        pdf_maker = CreatorPDF(lang, doctype)
        secure_pdf = SecurePDF()
        findings_ord = util.ord_asc_by_criticidad(findings)
        findings = pdf_evidences(findings_ord)
        report_filename = ''
        if doctype == 'tech':
            pdf_maker.tech(findings, project, description)
            report_filename = secure_pdf.create_full(user,
                                                     pdf_maker.out_name,
                                                     project)
        else:
            return HttpResponse(
                'Disabled report generation', content_type='text/html')
        if not os.path.isfile(report_filename):
            rollbar.report_message(
                'Couldn\'t generate pdf report', 'error', request)
            return HttpResponse(
                'Couldn\'t generate pdf report', content_type='text/html')
        with open(report_filename, 'rb') as document:
            response = HttpResponse(document.read(),
                                    content_type='application/pdf')
            response['Content-Disposition'] = \
                'inline;filename={}_IT.pdf'.format(project)
        return response
def login(request) -> JsonResponse:
    """ Authentication service defintion. """
    username = request.session['username']
    return util.response([], 'Bienvenido ' + username, False)