def api_get_scan_results():
scan_id = request.args.get('scan')
if not scan_id:
return {'error': 'scan-not-found'}
# Check for invalid scan_id numbers
try:
scan_id = int(scan_id)
# <3 :atoll
if scan_id < 1 or scan_id > 2147483646: # the first rule of autoincrement club
raise ValueError
except ValueError:
return {'error': 'invalid-scan-id'}
# Get all the test results for the given scan id
tests = dict(database.select_test_results(scan_id))
# For each test, get the test score description and add that in
for test in tests:
tests[test]['score_description'] = get_score_description(
tests[test]['result'])
return tests
def api_get_scan_results():
scan_id = request.args.get('scan')
if not scan_id:
return {'error': 'scan-not-found'}
# Get all the test results for the given scan id
tests = dict(database.select_test_results(scan_id))
# For each test, get the test score description and add that in
for test in tests:
tests[test]['score_description'] = get_score_description(tests[test]['result'])
return tests
def api_get_scan_results():
scan_id = request.args.get('scan')
if not scan_id:
return {'error': 'scan-not-found'}
# Get all the test results for the given scan id
tests = dict(database.select_test_results(scan_id))
# For each test, get the test score description and add that in
for test in tests:
tests[test]['score_description'] = get_score_description(
tests[test]['result'])
return tests
def api_get_scan_results():
scan_id = request.args.get('scan')
if not scan_id:
return {'error': 'scan-not-found'}
# Check for invalid scan_id numbers
try:
scan_id = int(scan_id)
# <3 :atoll
if scan_id < 1 or scan_id > 2147483646: # the first rule of autoincrement club
raise ValueError
except ValueError:
return {'error': 'invalid-scan-id'}
# Get all the test results for the given scan id
tests = dict(database.select_test_results(scan_id))
# For each test, get the test score description and add that in
for test in tests:
tests[test]['score_description'] = get_score_description(tests[test]['result'])
return tests
def scan(hostname, **kwargs):
"""Performs an Observatory scan, but doesn't require any database/redis
backing. Given the lowered security concerns due to not being a public
API, you can use this to scan arbitrary ports and paths.
Args:
hostname (str): domain name for host to be scanned
Kwargs:
http_port (int): port to scan for HTTP, instead of 80
https_port (int): port to be scanned for HTTPS, instead of 443
path (str): path to scan, instead of "/"
verify (bool): whether to enable or disable certificate verification,
enabled by default. This can allow tested sites to pass the HSTS
and HPKP tests, even with self-signed certificates.
cookies (dict): Cookies sent to the system being scanned. Matches the
requests cookie dict.
headers (dict): HTTP headers sent to the system being scanned. Format
matches the requests headers dict.
Returns:
A dict representing the analyze (scan) and getScanResults (test) API call. Example:
{
'scan': {
'grade': 'A'
...
},
'test': {
'content-security-policy': {
'pass': True
...
}
}
}
"""
# Always allow localhost scans when run in this way
httpobs.conf.SCANNER_ALLOW_LOCALHOST = True
# Attempt to retrieve all the resources, not capturing exceptions
reqs = retrieve_all(hostname, **kwargs)
# If we can't connect at all, let's abort the test
if reqs['responses']['auto'] is None:
return {'error': 'site down'}
# Get all the results
results = [test(reqs) for test in tests]
for result in results:
result['score_description'] = get_score_description(result['result'])
# Get the score, grade, etc.
grades = get_grade_and_likelihood_for_score(100 + sum([result.get('score_modifier', 0) for result in results]))
tests_passed = sum([1 if result.get('pass') else 0 for result in results])
# Return the results
return({
'scan': {
'grade': grades[1],
'likelihood_indicator': grades[2],
'response_headers': dict(reqs['responses']['auto'].headers),
'score': grades[0],
'tests_failed': NUM_TESTS - tests_passed,
'tests_passed': tests_passed,
'tests_quantity': NUM_TESTS,
},
'tests': {result.pop('name'): result for result in results}
})
def scan(hostname, **kwargs):
"""Performs an Observatory scan, but doesn't require any database/redis
backing. Given the lowered security concerns due to not being a public
API, you can use this to scan arbitrary ports and paths.
Args:
hostname (str): domain name for host to be scanned. Must not include
protocol (http://, https://) or port number (:80).
Kwargs:
http_port (int): port to scan for HTTP, instead of 80
https_port (int): port to be scanned for HTTPS, instead of 443
path (str): path to scan, instead of "/"
verify (bool): whether to enable or disable certificate verification,
enabled by default. This can allow tested sites to pass the HSTS
and HPKP tests, even with self-signed certificates.
cookies (dict): Cookies sent to the system being scanned. Matches the
requests cookie dict.
headers (dict): HTTP headers sent to the system being scanned. Format
matches the requests headers dict.
Returns:
A dict representing the analyze (scan) and getScanResults (test) API call. Example:
{
'scan': {
'grade': 'A'
...
},
'test': {
'content-security-policy': {
'pass': True
...
}
}
}
"""
# Always allow localhost scans when run in this way
httpobs.conf.SCANNER_ALLOW_LOCALHOST = True
# Attempt to retrieve all the resources, not capturing exceptions
reqs = retrieve_all(hostname, **kwargs)
# If we can't connect at all, let's abort the test
if reqs['responses']['auto'] is None:
return {'error': 'site down'}
# Get all the results
results = [test(reqs) for test in tests]
for result in results:
result['score_description'] = get_score_description(result['result'])
# Get the score, grade, etc.
grades = get_grade_and_likelihood_for_score(
100 + sum([result.get('score_modifier', 0) for result in results]))
tests_passed = sum([1 if result.get('pass') else 0 for result in results])
# Return the results
return ({
'scan': {
'grade': grades[1],
'likelihood_indicator': grades[2],
'response_headers': dict(reqs['responses']['auto'].headers),
'score': grades[0],
'tests_failed': NUM_TESTS - tests_passed,
'tests_passed': tests_passed,
'tests_quantity': NUM_TESTS,
},
'tests': {result.pop('name'): result
for result in results}
})
def scan(hostname, **kwargs):
"""Performs an Observatory scan, but doesn't require any database/redis
backing. Given the lowered security concerns due to not being a public
API, you can use this to scan arbitrary ports and paths.
Args:
hostname (str): domain name for host to be scanned. Must not include
protocol (http://, https://) or port number (:80).
Kwargs:
http_port (int): port to scan for HTTP, instead of 80
https_port (int): port to be scanned for HTTPS, instead of 443
path (str): path to scan, instead of "/"
verify (bool): whether to enable or disable certificate verification,
enabled by default. This can allow tested sites to pass the HSTS
and HPKP tests, even with self-signed certificates.
cookies (dict): Cookies sent to the system being scanned. Matches the
requests cookie dict.
headers (dict): HTTP headers sent to the system being scanned. Format
matches the requests headers dict.
Returns:
A dict representing the analyze (scan) and getScanResults (test) API call. Example:
{
'scan': {
'grade': 'A'
...
},
'test': {
'content-security-policy': {
'pass': True
...
}
}
}
"""
# Always allow localhost scans when run in this way
httpobs.conf.SCANNER_ALLOW_LOCALHOST = True
# Attempt to retrieve all the resources, not capturing exceptions
reqs = retrieve_all(hostname, **kwargs)
# If we can't connect at all, let's abort the test
if reqs['responses']['auto'] is None:
return {'error': 'site down'}
# Code based on httpobs.database.insert_test_results
tests_failed = tests_passed = 0
score_with_extra_credit = uncurved_score = 100
results = {}
for test in tests:
# Get result for this test
result = test(reqs)
# Add the result with a score_description
result['score_description'] = get_score_description(result['result'])
results[result.pop('name')] = result
# Keep track of how many tests passed or failed
if result.get('pass'):
tests_passed += 1
else:
tests_failed += 1
# And keep track of the score
score_modifier = result.get('score_modifier')
score_with_extra_credit += score_modifier
if score_modifier < 0:
uncurved_score += score_modifier
# Only record the full score if the uncurved score already receives an A
score = score_with_extra_credit if uncurved_score >= MINIMUM_SCORE_FOR_EXTRA_CREDIT else uncurved_score
# Get the score, grade, etc.
score, grade, likelihood_indicator = get_grade_and_likelihood_for_score(
score)
# Return the results
return ({
'scan': {
'grade': grade,
'likelihood_indicator': likelihood_indicator,
'response_headers': dict(reqs['responses']['auto'].headers),
'score': score,
'tests_failed': tests_failed,
'tests_passed': tests_passed,
'tests_quantity': NUM_TESTS,
},
'tests': results
})
def test_get_score_description(self):
self.assertEquals('Preloaded via the HTTP Public Key Pinning (HPKP) preloading process',
get_score_description('hpkp-preloaded'))
