def get(self): """Handles GET requests.""" log_type = self.request.get('log_type') base_handler.VerifyPermissions( permissions.MASTER, base.GetCurrentUser(), log_type) start = self.request.get('start_next', None) log_model = models_util.TypeNameToLogModel(log_type) logs_query = log_model.all() logs_query.order('-paginate_mtime') if start: logs_query.filter('paginate_mtime <', start) logs = logs_query.fetch(PER_PAGE + 1) more = len(logs) == PER_PAGE + 1 start_next = None if more: start_next = logs[-1].paginate_mtime logs = [db.to_dict(log) for log in logs[:PER_PAGE]] for log in logs: log['user'] = str(log['user']) log['mtime'] = str(log['mtime']) params = { 'logs': logs, 'log_type': log_type, 'more': more, 'start': start, 'start_next': start_next, } self.response.out.write(util.ToSafeJson(params))
def get(self): params = collections.defaultdict(dict) search_perms = handlers.VerifyAllPermissionTypes(permissions.SEARCH) if search_perms[permissions.TYPE_BITLOCKER]: params['bitlocker'][ 'fields'] = models.BitLockerVolume.SEARCH_FIELDS if search_perms[permissions.TYPE_FILEVAULT]: params['filevault'][ 'fields'] = models.FileVaultVolume.SEARCH_FIELDS if search_perms[permissions.TYPE_LUKS]: params['luks']['fields'] = models.LuksVolume.SEARCH_FIELDS if search_perms[permissions.TYPE_PROVISIONING]: provisioning_fields = models.ProvisioningVolume.SEARCH_FIELDS params['provisioning']['fields'] = provisioning_fields can_retrieve_own = False retrieve_own_perms = handlers.VerifyAllPermissionTypes( permissions.RETRIEVE_OWN) for volume_type in retrieve_own_perms: if retrieve_own_perms[volume_type]: params[volume_type][permissions.RETRIEVE_OWN] = True can_retrieve_own = True if can_retrieve_own: params['user'] = base.GetCurrentUser().user.nickname() self.response.out.write(util.ToSafeJson(params))
def get(self): params = collections.defaultdict(dict) search_perms = base_handler.VerifyAllPermissionTypes( permissions.SEARCH) for model_type in search_perms: if not search_perms[model_type]: continue model = model_util.TypeNameToModel(model_type) if not hasattr(model, 'SEARCH_FIELDS'): continue params[model_type]['fields'] = model.SEARCH_FIELDS can_retrieve_own = False retrieve_own_perms = base_handler.VerifyAllPermissionTypes( permissions.RETRIEVE_OWN) for volume_type in retrieve_own_perms: if retrieve_own_perms[volume_type]: params[volume_type][permissions.RETRIEVE_OWN] = True can_retrieve_own = True if can_retrieve_own: params['user'] = base.GetCurrentUser().user.nickname() self.response.out.write(util.ToSafeJson(params))
def get(self, serials): base_handler.VerifyPermissions(permissions.RETRIEVE, base.GetCurrentUser(), permissions.TYPE_APPLE_FIRMWARE) inventory_service = service_factory.GetInventoryService() res = { 'active': [], 'retired': [], } for serial in serials.split(','): if not inventory_service.IsRetiredMac(serial): res['active'].append(serial) continue entity = firmware.AppleFirmwarePassword.GetLatestForTarget(serial) if entity: firmware.AppleFirmwarePasswordAccessLog.Log( message='GET', entity=entity, request=self.request) res['retired'].append({ 'serial': serial, 'password': entity.password }) else: res['retired'].append({'serial': serial, 'password': '******'}) self.response.write(util.ToSafeJson(res))
def RetrieveSecret(self, volume_uuid): """Handles a GET request to retrieve a secret.""" self.VerifyXsrfToken(base_settings.GET_PASSPHRASE_ACTION) if self.request.get('id'): try: entity = self.SECRET_MODEL.get(db.Key(self.request.get('id'))) except datastore_errors.BadKeyError: raise models.AccessError('volume id is malformed') else: entity = self.SECRET_MODEL.GetLatestByUuid(volume_uuid, tag=self.request.get( 'tag', 'default')) if not entity: raise models.AccessError('Volume not found: %s' % volume_uuid) user = models.GetCurrentUser() self.CheckRetrieveAuthorization(entity=entity, user=user) self.AUDIT_LOG_MODEL.Log(message='GET', entity=entity, request=self.request) # Send retrieval email if user is not retrieving their own secret. if entity.owner not in (user.user.email(), user.user.nickname()): SendRetrievalEmail(self.PERMISSION_TYPE, entity, user) escrow_secret = str(entity.secret).strip() if isinstance(entity, models.ProvisioningVolume): # We don't want to display barcodes for users retrieving provisioning # passwords as seeing the barcodes frightens and confuses them. escrow_barcode_svg = None qr_img_url = None else: escrow_barcode_svg = None if len(escrow_secret) <= 100: qr_img_url = ( 'https://chart.googleapis.com/chart?chs=245x245&cht=qr&chl=' + cgi.escape(escrow_secret)) else: qr_img_url = None if entity.ESCROW_TYPE_NAME == models.ProvisioningVolume.ESCROW_TYPE_NAME: recovery_str = 'Temporary password' else: recovery_str = '%s key' % entity.ESCROW_TYPE_NAME params = { 'volume_type': self.SECRET_MODEL.ESCROW_TYPE_NAME, 'volume_uuid': entity.volume_uuid, 'qr_img_url': qr_img_url, 'escrow_secret': escrow_secret, 'checksum': entity.checksum, 'recovery_str': recovery_str, } params[self.JSON_SECRET_NAME] = escrow_secret self.response.out.write(util.ToSafeJson(params))
def RetrieveSecret(self, target_id): """Handles a GET request to retrieve a secret. Args: target_id: str, Target ID to fetch the secret for. Raises: base.AccessError: given target_id is malformed. base.NotFoundError: no secret was found for the given target_id. """ self.VerifyXsrfToken(base_settings.GET_PASSPHRASE_ACTION) if self.request.get('id'): try: entity = self.SECRET_MODEL.get(db.Key(self.request.get('id'))) except datastore_errors.BadKeyError: raise base.AccessError('target_id is malformed') else: entity = self.SECRET_MODEL.GetLatestForTarget(target_id, tag=self.request.get( 'tag', 'default')) if not entity: raise base.NotFoundError('Passphrase not found: target_id %s' % target_id) self.CheckRetrieveAuthorizationAndNotifyOwner(entity=entity) self.AUDIT_LOG_MODEL.Log(message='GET', entity=entity, request=self.request) escrow_secret = str(entity.secret).strip() escrow_barcode_svg = None qr_img_url = None if self.QRCODE_DURING_PASSPHRASE_RETRIEVAL: if len(escrow_secret) <= 100: qr_img_url = ( 'https://chart.googleapis.com/chart?chs=245x245&cht=qr&chl=' + cgi.escape(escrow_secret)) recovery_str = self._PassphraseTypeName(entity) params = { 'volume_type': self.SECRET_MODEL.ESCROW_TYPE_NAME, 'volume_uuid': entity.target_id, 'qr_img_url': qr_img_url, 'escrow_secret': escrow_secret, 'checksum': entity.checksum, 'recovery_str': recovery_str, } params[self.JSON_SECRET_NAME] = escrow_secret if entity.active: entity.UpdateMutableProperty('force_rekeying', True) self.response.out.write(util.ToSafeJson(params))
def get(self, type_name, target_id): """Handles GET requests.""" user = base.GetCurrentUser() tag = self.request.get('tag', 'default') entity = models_util.TypeNameToModel(type_name).GetLatestForTarget( target_id, tag) if not entity: # TODO(b/35954370) notify users about missing passphrases. self.response.write(util.ToSafeJson(False)) return if entity.owner != user.email: logging.warning('owner mismatch %s %s', entity.owner, user.email) # Passphrase retrieval is necessary for rekeying so we abort. self.response.write(util.ToSafeJson(False)) return self.response.write(util.ToSafeJson(bool(entity.force_rekeying)))
def get(self): # pylint: disable=g-bad-name """Handles GET requests.""" self.VerifyPermissions(permissions.RETRIEVE_CREATED_BY, permission_type=permissions.TYPE_PROVISIONING) volumes = ProvisioningVolumesForUser(users.get_current_user(), PROVISIONING_FILTER_SECONDS) volumes = [volume.ToDict() for volume in volumes] self.response.out.write(util.ToSafeJson(volumes))
def get(self): """Handles GET requests.""" base_handler.VerifyPermissions(permissions.RETRIEVE_CREATED_BY, base.GetCurrentUser(), permissions.TYPE_PROVISIONING) volumes = ProvisioningVolumesForUser(users.get_current_user(), PROVISIONING_FILTER_SECONDS) volumes = [volume.ToDict() for volume in volumes] self.response.out.write(util.ToSafeJson(volumes))
def get(self, type_name, target_id): """Handles GET requests.""" user = base.GetCurrentUser() tag = self.request.get('tag', 'default') entity = models_util.TypeNameToModel( type_name).GetLatestForTarget(target_id, tag) if not entity: if memcache.Client().get(target_id, namespace='experimental_rekey'): logging.info('experimental_rekey %s', target_id) self.response.write(util.ToSafeJson('experimental')) return self.response.write(util.ToSafeJson(False)) return if entity.owner != user.email: logging.warning( 'owner mismatch %s %s', entity.owner, user.email) # Passphrase retrieval is necessary for rekeying so we abort. self.response.write(util.ToSafeJson(False)) return self.response.write(util.ToSafeJson(bool(entity.force_rekeying)))
def RetrieveSecret(self, target_id): """Handles a GET request to retrieve a secret.""" self.VerifyXsrfToken(base_settings.GET_PASSPHRASE_ACTION) if self.request.get('id'): try: entity = self.SECRET_MODEL.get(db.Key(self.request.get('id'))) except datastore_errors.BadKeyError: raise base.AccessError('target_id is malformed') else: entity = self.SECRET_MODEL.GetLatestForTarget( target_id, tag=self.request.get('tag', 'default')) if not entity: raise base.AccessError('Passphrase not found: target_id %s' % target_id) user = base.GetCurrentUser() self.CheckRetrieveAuthorization(entity=entity, user=user) self.AUDIT_LOG_MODEL.Log(message='GET', entity=entity, request=self.request) # Send retrieval email if user is not retrieving their own secret. if entity.owner not in (user.user.email(), user.user.nickname()): SendRetrievalEmail(self.PERMISSION_TYPE, entity, user) escrow_secret = str(entity.secret).strip() escrow_barcode_svg = None qr_img_url = None if self.QRCODE_DURING_PASSPHRASE_RETRIEVAL: if len(escrow_secret) <= 100: qr_img_url = ( 'https://chart.googleapis.com/chart?chs=245x245&cht=qr&chl=' + cgi.escape(escrow_secret)) recovery_str = self._PassphraseTypeName(entity) params = { 'volume_type': self.SECRET_MODEL.ESCROW_TYPE_NAME, 'volume_uuid': entity.target_id, 'qr_img_url': qr_img_url, 'escrow_secret': escrow_secret, 'checksum': entity.checksum, 'recovery_str': recovery_str, } params[self.JSON_SECRET_NAME] = escrow_secret self.response.out.write(util.ToSafeJson(params))
def get(self): # pylint: disable=g-bad-name """Handles GET requests.""" log_type = self.request.get('log_type') self.VerifyPermissions(permissions.MASTER, permission_type=log_type) start = self.request.get('start_next', None) if log_type == 'bitlocker': log_model = models.BitLockerAccessLog elif log_type == 'duplicity': log_model = models.DuplicityAccessLog elif log_type == 'filevault': log_model = models.FileVaultAccessLog elif log_type == 'luks': log_model = models.LuksAccessLog elif log_type == 'provisioning': log_model = models.ProvisioningAccessLog else: raise ValueError('Unknown log_type') logs_query = log_model.all() logs_query.order('-paginate_mtime') if start: logs_query.filter('paginate_mtime <', start) logs = logs_query.fetch(PER_PAGE + 1) more = len(logs) == PER_PAGE + 1 start_next = None if more: start_next = logs[-1].paginate_mtime logs = [db.to_dict(log) for log in logs[:PER_PAGE]] for log in logs: log['user'] = str(log['user']) log['mtime'] = str(log['mtime']) params = { 'logs': logs, 'log_type': log_type, 'more': more, 'start': start, 'start_next': start_next, } self.response.out.write(util.ToSafeJson(params))
def get(self): """Handles GET requests.""" if self.request.get('json', '0') != '1': search_type = self.request.get('search_type') field1 = urllib.quote(self.request.get('field1')) value1 = urllib.quote(self.request.get('value1').strip()) prefix_search = urllib.quote(self.request.get( 'prefix_search', '0')) if search_type and field1 and value1: self.redirect('/ui/#/search/%s/%s/%s/%s' % (search_type, field1, value1, prefix_search)) else: self.redirect('/ui/', permanent=True) return tag = self.request.get('tag', 'default') search_type = self.request.get('search_type') field1 = self.request.get('field1') value1 = self.request.get('value1').strip() prefix_search = self.request.get('prefix_search', '0') == '1' try: model = models_util.TypeNameToModel(search_type) except ValueError: raise passphrase_handler.InvalidArgumentError( 'Invalid search_type %s' % search_type) if not (field1 and value1): raise base_handler.InvalidArgumentError('Missing field1 or value1') # Get the user's search and retrieve permissions for all permission types. search_perms = base_handler.VerifyAllPermissionTypes( permissions.SEARCH) retrieve_perms = base_handler.VerifyAllPermissionTypes( permissions.RETRIEVE_OWN) retrieve_created = base_handler.VerifyAllPermissionTypes( permissions.RETRIEVE_CREATED_BY) # user is performing a search, ensure they have permissions. if (not search_perms.get(search_type) and not retrieve_perms.get(search_type) and not retrieve_created.get(search_type)): raise base.AccessDeniedError('User lacks %s permission' % search_type) try: passphrases = _PassphrasesForQuery(model, field1, value1, prefix_search) except ValueError: self.error(httplib.NOT_FOUND) return skipped = False if not search_perms.get(search_type): results_len = len(passphrases) email = base.GetCurrentUser().user.email() passphrases = [x for x in passphrases if x.owner == email] skipped = len(passphrases) != results_len too_many_results = len(passphrases) >= MAX_PASSPHRASES_PER_QUERY passphrases = [ v.ToDict(skip_secret=True) for v in passphrases if v.tag == tag ] if model.ALLOW_OWNER_CHANGE: for passphrase in passphrases: if not passphrase['active']: continue link = '/api/internal/change-owner/%s/%s/' % (search_type, passphrase['id']) passphrase['change_owner_link'] = link self.response.out.write( util.ToSafeJson({ 'passphrases': passphrases, 'too_many_results': too_many_results, 'results_access_warning': skipped, }))
def get(self): # pylint: disable=g-bad-name """Handles GET requests.""" # TODO(user): Users with retrieve_own should not need to search to # retrieve their escrowed secrets. if self.request.get('json', '0') != '1': search_type = self.request.get('search_type') field1 = urllib.quote(self.request.get('field1')) value1 = urllib.quote(self.request.get('value1').strip()) prefix_search = urllib.quote(self.request.get( 'prefix_search', '0')) if search_type and field1 and value1: self.redirect('/ui/#/search/%s/%s/%s/%s' % (search_type, field1, value1, prefix_search)) else: self.redirect('/ui/', permanent=True) return tag = self.request.get('tag', 'default') search_type = self.request.get('search_type') field1 = self.request.get('field1') value1 = self.request.get('value1').strip() prefix_search = self.request.get('prefix_search', '0') == '1' try: model = volumes.TypeNameToModel(search_type) except ValueError: raise handlers.InvalidArgumentError('Invalid search_type %s' % search_type) if not (field1 and value1): raise handlers.InvalidArgumentError('Missing field1 or value1') # Get the user's search and retrieve permissions for all permission types. search_perms = handlers.VerifyAllPermissionTypes(permissions.SEARCH) retrieve_perms = handlers.VerifyAllPermissionTypes( permissions.RETRIEVE_OWN) retrieve_created = handlers.VerifyAllPermissionTypes( permissions.RETRIEVE_CREATED_BY) # user is performing a search, ensure they have permissions. if (not search_perms.get(search_type) and not retrieve_perms.get(search_type) and not retrieve_created.get(search_type)): raise base.AccessDeniedError('User lacks %s permission' % search_type) # TODO(user): implement multi-field search by building query here # or better yet using JavaScript. q = '%s:%s' % (field1, value1) try: passphrases = _PassphrasesForQuery(model, q, prefix_search) except ValueError: self.error(httplib.NOT_FOUND) return if not search_perms.get(search_type): username = base.GetCurrentUser().user.nickname() passphrases = [x for x in passphrases if x.owner == username] passphrases = [ v.ToDict(skip_secret=True) for v in passphrases if v.tag == tag ] if model.ALLOW_OWNER_CHANGE: for passphrase in passphrases: if not passphrase['active']: continue link = '/api/internal/change-owner/%s/%s/' % (search_type, passphrase['id']) passphrase['change_owner_link'] = link self.response.out.write(util.ToSafeJson(passphrases))