def create_user(data):
log("A new user created", "MEDIUM", "PASS")
my_secure_rng = random.SystemRandom()
val_num(data.get('privilege'))
pincode = my_secure_rng.randrange(10000000, 99999999)
username = pincode
email = data.get('email')
access = "False"
activated = "False"
privilege_id = 0
# New users can only edit:read:delete
if data.get('privilege') == 1:
log("User triggered error creating new user", "MEDIUM", "FAIL")
return {'message': 'User could not be created'}
else:
privilege_id = data.get('privilege')
password = ""
user = users(privilege_id, pincode, username, password, access, activated, email)
db.session.add(user)
db.session.commit()
result = users.query.filter(users.email == email).one()
# Add user to default groupmember issue #422
groupmember = groupmembers.query.order_by(desc(groupmembers.memberID)).first()
groupmemberUser = groupmembers(groupmember.memberID + 1, result.userID, groupmember.groupID, groupmember.ownerID, None)
db.session.add(groupmemberUser)
db.session.commit()
return result
def get_comment_items(data):
log("User requested specific comment item", "LOW", "PASS")
val_alpha_num(data.get('checklistID'))
val_num(data.get('sprintID'))
sprint_id = data.get('sprintID')
checklist_id = data.get('checklistID')
result = comments.query.filter(comments.sprintID == sprint_id).filter(comments.checklistID == checklist_id).order_by(desc(comments.date)).paginate(1, 50, False)
return result
def delete_project(project_id, user_id):
log("User deleted project", "MEDIUM", "PASS")
val_num(project_id)
val_num(user_id)
project = (projects.query.filter(projects.projectID == project_id).filter(
projects.userID == user_id).one())
db.session.delete(project)
db.session.commit()
return {'message': 'Project successfully deleted'}
def get(self, checklist_id, checklist_type):
"""
Returns a checklist item.
* Privileges required: **none**
"""
val_alpha_num_special(checklist_id)
val_num(checklist_type)
result = get_checklist_item(checklist_id, checklist_type)
return result, 200, security_headers()
def get(self, code_id, solution_id):
"""
Returns status if solution was correct for code item.
* Privileges required: **none**
"""
val_num(code_id)
val_num(solution_id)
result = get_labs_code_status(code_id, solution_id)
return result, 200, security_headers()
def test_val_num(self):
"""Test if the val_num method is working"""
self.assertTrue(val_num(1337))
try:
self.assertFalse(val_num("woopwoop"))
self.assertFalse(val_num("woop woop 1337"))
self.assertFalse(val_num("woop %$*@><'1337"))
except BadRequest:
return True
def delete(self, id):
"""
Delete a checklist type.
* Privileges required: **delete**
"""
val_num(id)
validate_privilege(self, 'delete')
result = delete_checklist_type(id)
return result, 200, security_headers()
def delete(self, id):
"""
Delete questions.
* Privileges required: **delete**
"""
val_num(id)
validate_privilege(self, 'delete')
result = delete_question(id)
return result, 200, security_headers()
def delete_sprint(sprint_id, user_id):
log("User deleted sprint", "MEDIUM", "PASS")
val_num(sprint_id)
val_num(user_id)
result = (project_sprints.query.filter(
project_sprints.sprintID == sprint_id).one())
db.session.delete(result)
db.session.commit()
return {'message': 'Sprint successfully deleted'}
def get(self, id):
"""
Returns sprints stats.
* Privileges required: **read**
"""
val_num(id)
validate_privilege(self, 'read')
result = stats_sprint(id)
return result, 200, security_headers()
def get(self, question_id):
"""
Returns a list of checklist items correlated to question sprint identifier
* Privileges required: **read**
"""
val_num(question_id)
validate_privilege(self, 'read')
result = get_checklist_item_question_sprint(question_id)
return result, 200, security_headers()
def get(self, id):
"""
Create new project item.
* Privileges required: **edit**
"""
val_num(id)
result = get_project_item(id)
validate_privilege(self, 'edit')
return result, 200, security_headers()
def test_val_num(self):
"""Test if the val_num method is working"""
self.assertTrue(val_num(1337))
try:
self.assertFalse(val_num("woopwoop"))
self.assertFalse(val_num("woop woop 1337"))
self.assertFalse(val_num("woop %$*@><'1337"))
except BadRequest:
return True
def delete(self, id):
"""
Deletes code item.
* Privileges required: **delete**
"""
val_num(id)
validate_privilege(self, 'delete')
result = delete_code_item(id)
return result, 200, security_headers()
def get_comment_items(data):
log("User requested specific comment item", "LOW", "PASS")
val_alpha_num(data.get('checklistID'))
val_num(data.get('sprintID'))
sprint_id = data.get('sprintID')
checklist_id = data.get('checklistID')
result = comments.query.filter(comments.sprintID == sprint_id).filter(
comments.checklistID == checklist_id).order_by(desc(
comments.date)).paginate(1, 50, False)
return result
def get(self, id, question_id):
"""
Update a checklist item correlated to question
* Privileges required: **edit**
"""
val_num(id)
val_num(question_id)
validate_privilege(self, 'edit')
result = update_checklist_question_correlation(id, question_id)
return result, 200, security_headers()
def get_checklist_items(id_checklist):
log("User requested list of checklist items", "LOW", "PASS")
val_num(id_checklist)
# 0 = ASVS
# 1 = MASVS
if (id_checklist == 0):
result = checklists_kb.query.filter(checklists_kb.kbID < 400).group_by(checklists_kb.checklistID).paginate(1, 1500, False)
else:
result = checklists_kb.query.filter((checklists_kb.kbID >= 400) & (checklists_kb.kbID < 800)).group_by(checklists_kb.checklistID).paginate(1, 1500, False)
return order_checklist_items(result, False, 0)
def delete(self, checklist_kb_id, code_id):
"""
Delete code example item from requirements
* Privileges required: **delete**
"""
val_num(checklist_kb_id)
val_num(code_id)
validate_privilege(self, 'delete')
result = delete_code_item_checklist_kb(checklist_kb_id, code_id)
return result, 200, security_headers()
def delete(self, checklist_id, checklist_type):
"""
Delete a checklist item.
* Privileges required: **delete**
"""
val_num(checklist_type)
val_alpha_num_special(checklist_id)
validate_privilege(self, 'delete')
result = delete_checklist_item(checklist_id, checklist_type)
return result, 200, security_headers()
def get_checklist_items_lvl(lvl):
log("User requested list of checklist items based on level", "LOW", "PASS")
val_num(lvl)
if lvl == 1:
result = checklists_kb.query.filter(checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1)).group_by(checklists_kb.checklistID).paginate(1, 1500, False)
elif lvl == 2:
result = checklists_kb.query.filter(checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1) | checklists_kb.checklist_items.has(level = 2)).group_by(checklists_kb.checklistID).paginate(1, 1500, False)
elif lvl == 3:
result = checklists_kb.query.filter(checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1) | checklists_kb.checklist_items.has(level = 2) | checklists_kb.checklist_items.has(level = 3)).group_by(checklists_kb.checklistID).paginate(1, 1500, False)
return result
def update_kb_item(kb_id, data):
log("User requested update a specific kb item", "LOW", "PASS")
val_num(kb_id)
val_alpha_num(data.get('title'))
result = kb_items.query.filter(kb_items.kbID == kb_id).one()
result.title = data.get('title')
result.content = data.get('content')
db.session.add(result)
db.session.commit()
return {'message': 'KB item successfully updated'}
def get_sprint_results_audit_export(sprint_id, user_id):
log("User requested specific sprint audit export", "MEDIUM", "PASS")
val_num(sprint_id)
val_num(user_id)
result = checklists_results.query.filter(
checklists_results.sprintID == sprint_id).filter(
checklists_results.status == 5).group_by(
checklists_results.checklistID).group_by(
checklists_results.checklistID).paginate(1, 500, False)
return {'message': export_failed_results(result)}
def get_sprint_results_audit(sprint_id, user_id):
log("User requested specific sprint audit items", "MEDIUM", "PASS")
val_num(sprint_id)
val_num(user_id)
result = checklists_results.query.filter(
checklists_results.sprintID == sprint_id).filter(
checklists_results.status == 5).group_by(
checklists_results.checklistID).group_by(
checklists_results.checklistID).paginate(1, 500, False)
return result
def put(self, checklist_kb_id, code_id):
"""
Correlate code example item to requirements
* Privileges required: **edit**
"""
val_num(checklist_kb_id)
val_num(code_id)
validate_privilege(self, 'edit')
result = create_code_item_checklist_kb(checklist_kb_id, code_id)
return result, 200, security_headers()
def stats_sprint(project_id):
log("User requested specific project sprint stats", "MEDIUM", "PASS")
val_num(project_id)
sprint_info = (project_sprints.query.filter(
project_sprints.projectID == project_id).all())
sprint = []
for result in sprint_info:
sprint_id = result.sprintID
sprint_desc = result.sprintDesc
sprint_name = result.sprintName
sprint_open = (checklists_results.query.filter(
checklists_results.sprintID == sprint_id).filter(
checklists_results.kbID > 0).filter(
checklists_results.status == 1).group_by(
checklists_results.checklistID).group_by(
checklists_results.checklistID).count())
sprint_closed = (checklists_results.query.filter(
checklists_results.sprintID == sprint_id).filter(
checklists_results.kbID > 0).filter(
checklists_results.status == 2).group_by(
checklists_results.checklistID).group_by(
checklists_results.checklistID).count())
sprint_accepted = (checklists_results.query.filter(
checklists_results.sprintID == sprint_id).filter(
checklists_results.kbID > 0).filter(
checklists_results.status == 3).group_by(
checklists_results.checklistID).group_by(
checklists_results.checklistID).count())
sprint_sec_ack = (checklists_results.query.filter(
checklists_results.sprintID == sprint_id).filter(
checklists_results.kbID > 0).filter(
checklists_results.status == 4).group_by(
checklists_results.checklistID).group_by(
checklists_results.checklistID).count())
sprint_sec_fail = (projects.query.filter(
checklists_results.sprintID == sprint_id).filter(
checklists_results.kbID > 0).filter(
checklists_results.status == 5).group_by(
checklists_results.checklistID).group_by(
checklists_results.checklistID).count())
checklist_type = projects.query.filter(
projects.projectID == project_id).one()
total = sprint_open + sprint_closed + sprint_accepted + sprint_sec_ack + sprint_sec_fail
sprint.append({
'sprint_id': sprint_id,
'sprint_desc': sprint_desc,
'sprint_name': sprint_name,
'sprint_open': sprint_open,
'sprint_closed': sprint_closed,
'sprint_accepted': sprint_accepted,
'sprint_sec_ack': sprint_sec_ack,
'sprint_sec_fail': sprint_sec_fail,
'sprint_items_total': total
})
return sprint
def put(self, id):
"""
Manage an user.
* Privileges required: **none**
"""
data = request.json
val_alpha(data.get('active'))
val_num(id)
validate_privilege(self, 'manage')
result = manage_user(id, data)
return result, 200, security_headers()
def delete_kb_item(kb_id):
log("User deleted kb item", "MEDIUM", "PASS")
val_num(kb_id)
try:
kb_item = KBItem.query.filter(KBItem.kb_id == kb_id).first()
db.session.delete(kb_item)
db.session.commit()
except:
db.session.rollback()
raise
return {'message': 'KB item successfully deleted'}
def delete_code_item(code_id):
log("User deleted code item", "MEDIUM", "PASS")
val_num(code_id)
codeItem = (CodeItem.query.filter(CodeItem.id == code_id).one())
try:
db.session.delete(codeItem)
db.session.commit()
except:
db.session.rollback()
raise
return {'message': 'Code example item successfully deleted'}
def get_checklist_items(id_checklist):
log("User requested list of checklist items", "LOW", "PASS")
val_num(id_checklist)
# 0 = ASVS
# 1 = MASVS
if (id_checklist == 0):
result = checklists_kb.query.filter(checklists_kb.kbID < 400).group_by(checklists_kb.checklistID).paginate(1, 1500, False)
else:
result = checklists_kb.query.filter((checklists_kb.kbID >= 400) & (checklists_kb.kbID < 800)).group_by(checklists_kb.checklistID).paginate(1, 1500, False)
return order_checklist_items(result, False, 0)
def put(self, kb_id):
"""
Update a kb item.
* Privileges required: **edit**
"""
data = request.json
val_num(kb_id)
val_alpha_num_special(data.get('title'))
validate_privilege(self, 'edit')
result = update_kb_item(kb_id, data)
return result, 200, security_headers()
def get_checklist_item(checklist_id, id_checklist):
log("User requested specific checklist item", "LOW", "PASS")
val_float(checklist_id)
val_num(id_checklist)
# 0 = ASVS
# 1 = MASVS
if (id_checklist == 0):
result = checklists_kb.query.filter((checklists_kb.checklistID == checklist_id) & (checklists_kb.kbID < 400)).one()
else:
result = checklists_kb.query.filter((checklists_kb.checklistID == checklist_id) & (checklists_kb.kbID >= 400) & (checklists_kb.kbID < 800)).one()
return result
def delete_project(project_id, user_id):
log("User deleted project", "MEDIUM", "PASS")
val_num(project_id)
try:
project = (Project.query.filter(Project.id == project_id).one())
db.session.delete(project)
db.session.commit()
except Exception as e:
db.session.rollback()
raise
return {'message': 'Project successfully deleted'}
def put(self, id):
"""
Update a checklist type.
* Privileges required: **edit**
"""
data = request.json
val_num(id)
val_alpha_num_special(data.get('name'))
val_alpha_num_special(data.get('description'))
validate_privilege(self, 'edit')
result = update_checklist_category(id, data)
return result, 200, security_headers()
def put(self, category_id):
"""
Create a new checklist type.
* Privileges required: **edit**
"""
validate_privilege(self, 'edit')
data = request.json
val_num(category_id)
val_alpha_num_special(data.get('name'))
val_alpha_num_special(data.get('description'))
result = create_checklist_type(data, category_id)
return result, 200, security_headers()
def delete_checklist_type(checklist_type_id):
log("User deleted checklist type", "MEDIUM", "PASS")
val_num(checklist_type_id)
checklist_types = ChecklistType.query.get(checklist_type_id)
try:
db.session.delete(checklist_types)
db.session.commit()
except:
db.session.rollback()
raise
return {'message': 'Checklist type successfully deleted'}
def manage_user(user_id, data):
log("Manage user triggered", "HIGH", "PASS")
val_num(user_id)
val_alpha(data.get('active'))
status_activated = data.get('active')
result = users.query.filter(users.userID == user_id).one()
if users.query.filter(users.userID == user_id).one():
result.access = status_activated
db.session.add(result)
db.session.commit()
return {'message': 'User successfully managed'}
else:
log("User triggered error managing failed", "HIGH", "FAIL")
return {'message': 'User could not be managed'}
def get_checklist_items_lvl(lvl):
log("User requested list of checklist items based on level", "LOW", "PASS")
val_num(lvl)
# ASVS kbID's below 400
# MASVS kbID's between 400 and 799
if lvl == 1: # ASVS Level 1
result = checklists_kb.query.filter((checklists_kb.kbID >= 0) & (checklists_kb.kbID < 400) & (checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1))).group_by(checklists_kb.checklistID).paginate(1, 1500, False)
elif lvl == 2: # ASVS Level 2
result = checklists_kb.query.filter((checklists_kb.kbID >= 0) & (checklists_kb.kbID < 400) & (checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1) | checklists_kb.checklist_items.has(level = 2))).group_by(checklists_kb.checklistID).paginate(1, 1500, False)
elif lvl == 3: # ASVS Level 3
result = checklists_kb.query.filter((checklists_kb.kbID >= 0) & (checklists_kb.kbID < 400) & (checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1) | checklists_kb.checklist_items.has(level = 2) | checklists_kb.checklist_items.has(level = 3))).group_by(checklists_kb.checklistID).paginate(1, 1500, False)
elif lvl == 4: # MASVS Level 1
result = checklists_kb.query.filter((checklists_kb.kbID >= 400) & (checklists_kb.kbID < 1000) & (checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1))).group_by(checklists_kb.checklistID).paginate(1, 1500, False)
elif lvl == 5: # MASVS Level 2
result = checklists_kb.query.filter((checklists_kb.kbID >= 400) & (checklists_kb.kbID < 1000) & (checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1) | checklists_kb.checklist_items.has(level = 2))).group_by(checklists_kb.checklistID).paginate(1, 1500, False)
elif lvl == 6: # MASVS Level R
result = checklists_kb.query.filter((checklists_kb.kbID >= 400) & (checklists_kb.kbID < 1000) & (checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1) | checklists_kb.checklist_items.has(level = 2) | checklists_kb.checklist_items.has(level = 'R'))).group_by(checklists_kb.checklistID).paginate(1, 1500, False)
return order_checklist_items(result, True, lvl)
def store_post_questions(user_id, data):
log("User stored new post question list", "MEDIUM", "PASS")
val_num(user_id)
for result in data.get('questions'):
val_alpha_num(result['checklistID'])
val_num(result['status'])
val_num(result['projectID'])
val_num(result['sprintID'])
val_num(result['kbID'])
post_checklist_id = result['checklistID']
post_result = result['status']
post_project_id = result['projectID']
post_sprint_id = result['sprintID']
post_kb_id = result['kbID']
post = checklists_post(post_checklist_id, post_project_id, post_sprint_id, post_result, post_kb_id)
db.session.add(post)
db.session.commit()
return {'message': 'Post questions successfully stored'}
def create_user(data):
log("A new user created", "MEDIUM", "PASS")
my_secure_rng = secrets.SystemRandom()
val_num(data.get('privilege'))
pincode = my_secure_rng.randrange(10000000, 99999999)
username = pincode
email = data.get('email')
access = "False"
activated = "False"
privilege_id = 0
# New users can only edit:read:delete
if data.get('privilege') == 1:
log("User triggered error creating new user", "MEDIUM", "FAIL")
return {'message': 'User could not be created'}
else:
privilege_id = data.get('privilege')
password = ""
user = users(privilege_id, pincode, username, password, access, activated, email)
db.session.add(user)
db.session.commit()
result = users.query.filter(users.email == email).one()
return result
def activate_user(user_id, data):
log("User is activated", "HIGH", "PASS")
val_num(user_id)
val_num(data.get('accessToken'))
val_alpha_num(data.get('username'))
username = data.get('username')
username = username.replace(" ", "")
result = users.query.filter(users.userID == user_id).one()
if result.activated == "False":
if result.email == data.get('email'):
if data.get('password') == data.get('repassword'):
if data.get('accessToken') == result.accessToken:
pw_hash = generate_password_hash(data.get('password')).decode('utf-8')
result.password = pw_hash
result.access = "True"
result.activated = "True"
result.userName = username
db.session.add(result)
db.session.commit()
return {'message': 'User successfully activated'}
else:
log("User triggered error activation failed", "HIGH", "FAIL")
return {'message': 'User could not be activated'}
def store_pre_questions(user_id, data):
log("User stored new pre question list", "MEDIUM", "PASS")
val_num(user_id)
question = data.get('questions')
val_num(question[0]['projectID'])
project_id = question[0]['projectID']
project_results = project_sprints.query.filter(project_sprints.projectID == project_id).one()
sprint_id = project_results.sprintID
projects_result = projects.query.filter(projects.projectID == project_id).one()
project_lvl = projects_result.level
status = 1
pre_item = "True"
for result in data.get('questions'):
val_num(result['question_pre_ID'])
val_alpha(result['result'])
val_num(result['projectID'])
question_pre_ID = result['question_pre_ID']
question_result = result['result']
question_project_id = result['projectID']
questions = question_pre_results(question_project_id, question_pre_ID, question_result)
db.session.add(questions)
db.session.commit()
questions_results = question_pre_results.query.filter(question_pre_results.projectID == question_project_id).filter(question_pre_results.result == "False").all()
for results in questions_results:
project_id = results.projectID
questionpreID = results.question_pre_ID
if project_lvl == 1:
checklists = checklists_kb.query.filter(checklists_kb.question_pre_ID == questionpreID).filter(checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1)).group_by(checklists_kb.checklistID).order_by(checklists_kb.checklistID).all()
elif project_lvl == 2:
checklists = checklists_kb.query.filter(checklists_kb.question_pre_ID == questionpreID).filter(checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1) | checklists_kb.checklist_items.has(level = 2)).group_by(checklists_kb.checklistID).order_by(checklists_kb.checklistID).all()
elif project_lvl == 3:
checklists = checklists_kb.query.filter(checklists_kb.question_pre_ID == questionpreID).filter(checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1) | checklists_kb.checklist_items.has(level = 2) | checklists_kb.checklist_items.has(level = 3)).group_by(checklists_kb.checklistID).order_by(checklists_kb.checklistID).all()
for row in checklists:
checklists_query = checklists_results(row.checklistID, project_id, sprint_id, status, pre_item, row.kbID)
db.session.add(checklists_query)
db.session.commit()
if project_lvl == 1:
checklists_first = checklists_kb.query.filter(checklists_kb.include_first == "True").filter(checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1)).group_by(checklists_kb.checklistID).order_by(checklists_kb.checklistID).all()
elif project_lvl == 2:
checklists_first = checklists_kb.query.filter(checklists_kb.include_first == "True").filter(checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1) | checklists_kb.checklist_items.has(level = 2)).group_by(checklists_kb.checklistID).order_by(checklists_kb.checklistID).all()
elif project_lvl == 3:
checklists_first = checklists_kb.query.filter(checklists_kb.include_first == "True").filter(checklists_kb.checklist_items.has(level = 0) | checklists_kb.checklist_items.has(level = 1) | checklists_kb.checklist_items.has(level = 2) | checklists_kb.checklist_items.has(level = 3)).group_by(checklists_kb.checklistID).order_by(checklists_kb.checklistID).all()
for row in checklists_first:
checklists_query_first = checklists_results(row.checklistID, question_project_id, sprint_id, status, pre_item, row.kbID)
db.session.add(checklists_query_first)
db.session.commit()
return {'message': 'Pre questions successfully created'}
def new_comment_item(user_id, data):
log("User requested update a specific comment item", "LOW", "PASS")
val_num(user_id)
val_alpha_num(data.get('checklistID'))
val_num(data.get('sprintID'))
val_num(data.get('status'))
val_alpha_num_special(data.get('comment'))
sprint_id = data.get('sprintID')
checklist_id = data.get('checklistID')
status = data.get('status')
comment = data.get('comment')
now = datetime.datetime.now()
dateLog = now.strftime("%Y-%m-%d %H:%M:%S")
result = comments(sprint_id, checklist_id, user_id, status, comment, dateLog)
db.session.add(result)
db.session.commit()
result = checklists_results.query.filter(checklists_results.sprintID == sprint_id).filter(checklists_results.checklistID == checklist_id).all()
for row in result:
row.status = status
db.session.add(row)
db.session.commit()
return {'message': 'Comment item successfully created'}
def get_code_item(code_id):
log("User requested code item", "LOW", "PASS")
val_num(code_id)
result = code_items.query.filter(code_items.codeID == code_id).one()
return result