def mutate(self, info, **kwargs): if _validate_jwt(info.context['request'].headers): if not all(k in kwargs for k in ("name", "url", "project")): raise Exception("Mandatory fields of `name`, `url` and `project` not in mutation") else: try: ref_proj = str(kwargs['project']).strip() ref_project = Proj.objects.get(name=ref_proj) except DoesNotExist: return "No Project specified" ref_target = str(kwargs['name']).strip() try: Target.objects.get(name=ref_target) new_target = Target.objects(name=ref_target).update_one(name=ref_target, url=kwargs['url'], project=ref_project) updated = True except DoesNotExist: new_target = Target(name=ref_target, url=kwargs['url'], project=ref_project).save() created = True return CreateOrUpdateTarget(target=new_target) else: raise Exception("Unauthorized to perform action")
def mutate(self, info, **kwargs): if _validate_jwt(info.context['request'].headers): vuln_attributes = kwargs.get('vuln', {}) if not vuln_attributes: raise Exception("You need to specify a vuln key") else: if not all(k in vuln_attributes for k in ("name", "tool", "description", "project", "scan")): raise Exception("Mandatory fields not in Vulnerability Definition") else: try: ref_project = Proj.objects.get(name=vuln_attributes.get('project')) ref_scan = Scan.objects.get(name=vuln_attributes.get('scan')) new_vuln = Vulnerability(name=vuln_attributes['name'], tool=vuln_attributes['tool'], description=vuln_attributes['description'], cwe=vuln_attributes.get('cwe', 0), observation=vuln_attributes.get('observation', ''), severity=vuln_attributes.get('severity', 1), project=ref_project, remediation=vuln_attributes.get('remediation', '') ).save() ref_scan.update(add_to_set__vulnerabilities=new_vuln.id) except DoesNotExist: return "Project OR Target or Scan not found" except Exception as e: return e.args return CreateVulnerability(vulnerability=new_vuln) else: raise Exception("Unauthorized to perform action")
def resolve_vuls_by_cwe(self, info, **kwargs): if _validate_jwt(info.context['request'].headers): if 'cwe' in kwargs: if isinstance(kwargs['cwe'], int): return list(Vulnerability.objects(cwe=kwargs['cwe'])) else: raise Exception("Unauthorized to perform action")
def mutate(self, info, short_name, description, project, user_story): if _validate_jwt(info.context['request'].headers): try: ref_proj = Proj.objects.get(name=project) except DoesNotExist as de: return de.args try: ref_user_story = UseCase.objects.get(short_name=user_story) except DoesNotExist as ude: return ude.args try: AbuseCase.objects.get(short_name=short_name) AbuseCase.objects(short_name=short_name).update_one(short_name=short_name, description=description, project=ref_proj, upsert=True) new_abuse_case = AbuseCase.objects.get(short_name=short_name) ref_user_story.update(add_to_set__abuses=[new_abuse_case.id]) updated = True created = False except DoesNotExist: new_abuse_case = AbuseCase(short_name=short_name, description=description, project=ref_proj).save() ref_user_story.update(add_to_set__abuses=[new_abuse_case.id]) updated = False created = True return CreateOrUpdateAbuserStory(abuser_story=new_abuse_case) else: raise Exception("Unauthorized to perform action")
def resolve_tgt_by_project(self, info, **kwargs): if _validate_jwt(info.context['request'].headers): if 'project' in kwargs: ref_project = Proj.objects.get(name=kwargs.get('project')) return Target.objects(project=ref_project.id) else: raise Exception("Unauthorized to perform action")
def resolve_vuls_by_scan(self, info, **kwargs): if _validate_jwt(info.context['request'].headers): if 'scan_name' in kwargs: ref_scan = Scan.objects.get(name=kwargs.get('scan_name')) return ref_scan else: raise Exception("Unauthorized to perform action")
def mutate(self, info, **kwargs): if _validate_jwt(info.context['request'].headers): try: if 'userstory' in kwargs: attrs = kwargs['userstory'] my_proj = Proj.objects.get(name=attrs['project']) try: ref_user_story = UseCase.objects.get(short_name=attrs['short_name']) UseCase.objects(short_name=attrs['short_name']).update_one(short_name=attrs['short_name'], description=attrs['description'], project=my_proj, upsert=True) if 'part_of' in attrs: ref_user_story.update(part_of=attrs['part_of']) new_user_story = ref_user_story except DoesNotExist: new_user_story = UseCase() new_user_story.short_name = attrs['short_name'] new_user_story.description = attrs['description'] new_user_story.project = my_proj if 'part_of' in attrs: new_user_story.part_of = attrs['part_of'] new_user_story.save() return CreateOrUpdateUserStory(user_story=new_user_story) except DoesNotExist as de: return de.args except Exception as e: return e.args except Exception as me: return me.args else: raise Exception("Unauthorized to Perform Action")
def mutate(self, info, **kwargs): if _validate_jwt(info.context['request'].headers): attributes = kwargs.get('evidence', {}) if not attributes: raise Exception("Vulnerability Evidence doesn't have mandatory fields") else: if not all(k in attributes for k in ("name", "url", "vuln_id")): raise Exception("Mandatory fields `name`, `url` or `vuln_id` missing") else: ref_vuln = Vulnerability.objects.get(id=attributes.get('vuln_id')) new_evidence = VulnerabilityEvidence() new_evidence.name = attributes.get('name') new_evidence.url = attributes.get('url') if 'param' in attributes: new_evidence.param = attributes.get('param') if 'log' in attributes: new_evidence.log = attributes.get('log') if 'attack' in attributes: new_evidence.attack = attributes.get('attack') if 'other_info' in attributes: new_evidence.other_info = attributes.get('other_info') if 'evidence' in attributes: new_evidence.evidence = attributes.get('evidence') new_evidence.save() ref_vuln.update(add_to_set__evidences=new_evidence) return CreateVulnerabilityEvidence(new_evidence) else: raise Exception("Unauthorized to perform action")
def mutate(self, info, name): if _validate_jwt(info.context['request'].headers): try: new_project = Proj(name=name).save() ok = True return CreateProject(project=new_project) except Exception as e: raise Exception(str(e)) else: raise Exception("Unauthorized to perform action")
def mutate(self, info, target): if _validate_jwt(info.context['request'].headers): try: ref_target = Target.objects.get(name=target) new_scan = Scan().save() ref_target.update(add_to_set__scans=new_scan.id) except DoesNotExist: raise Exception("Target matching query does not exist") return CreateScan(scan=new_scan) else: raise Exception("Unauthorized to perform action")
def mutate(self, info, scan_name): if _validate_jwt(info.context['request'].headers): try: ref_scan = Scan.objects.get(name=scan_name) if not ref_scan.synced: ref_scan.update(synced=True) return MarkScanSynced(scan=ref_scan) except DoesNotExist: raise Exception("Scan does not exist") else: raise Exception("Unauthorized to perform action")
def mutate(self, info, short_name): if _validate_jwt(info.context['request'].headers): try: name = str(short_name).strip() ref_case = AbuseCase.objects.get(short_name=name) ref_case.delete() return DeleteAbuserStory(ok=True) except DoesNotExist: raise Exception("Abuser Story does not exist") else: raise Exception("Not authorized to perform action")
def mutate(self, info, name): if _validate_jwt(info.context['request'].headers): try: name = str(name).strip() ref_case = Test.objects.get(name=name) ref_case.delete() return DeleteTestCase(ok=True) except DoesNotExist: raise Exception("Test Case does not exist") else: raise Exception("Not authorized to perform action")
def mutate(self, info, **kwargs): if _validate_jwt(info.context['request'].headers): case_attrs = kwargs.get('single_case') if not case_attrs: raise Exception("No Case Attributes") else: if not all(k in case_attrs for k in ("name", "test_case", "threat_model")): raise Exception( "mandatory fields not in test case specification") else: tool_list = case_attrs.get('tools', []) tag_list = case_attrs.get('tags', []) executed = case_attrs.get('executed', False) test_type = case_attrs.get('test_type', 'discovery') test_name = str(case_attrs['name']).strip() try: ref_case = Test.objects.get(name=test_name) if ref_case: Test.objects(name=ref_case).update_one( name=ref_case, test_case=case_attrs['test_case'], executed=executed, test_type=test_type, upsert=True) new_test_case = Test.objects.get(name=ref_case) except DoesNotExist: new_test_case = Test(name=ref_case, test_case=case_attrs['test_case'], tags=tag_list, tools=tool_list, executed=executed, test_type=test_type).save() try: ref_model = ThreatModel.objects.get( name=case_attrs['threat_model']) ref_model.update(add_to_set__tests=new_test_case) print(ref_model) except DoesNotExist: pass return CreateOrUpdateTestCase(case=new_test_case) else: raise Exception("Unauthorized to perform action")
def mutate(self, info, **kwargs): if _validate_jwt(info.context['request'].headers): try: attrs = kwargs['new_interaction'] ref_user_story = UseCase.objects.get(short_name=attrs['user_story_name']) new_interaction = Interaction(nature=attrs['nature'], data_flow=attrs['data_flow'], endpoint=attrs['endpoint'], project=ref_user_story.project).save() if attrs['nature'] == 'I': ref_user_story.update(add_to_set__relations=new_interaction) elif attrs['nature'] == 'E': ref_user_story.update(add_to_set__relations=new_interaction) else: raise Exception("Invalid type of Interaction") except DoesNotExist: raise Exception("The User Story doesn't seem to exist") else: raise Exception("Unauthorized to perform task")
def get_story_by_cwe(req, resp, *, cwe): if req.method == 'post': if _validate_jwt(req.headers): cwe = int(cwe) pipeline = [{"$match": {"cwe": cwe}}, { "$lookup": {"from": "abuse_case", "localField": "_id", "foreignField": "models", "as": "abuses_model"}}, {"$lookup": {"from": "use_case", "localField": "_id", "foreignField": "scenarios", "as": "usecases_model"}}, {"$lookup": {"from": "project", "localField": "project", "foreignField": "_id", "as": "project_model"}}, ] cwe_list = json.loads(dumps(list(ThreatModel.objects.aggregate(*pipeline)))) resp.media = cwe_list return resp else: resp.status_code = api.status_codes.HTTP_403 resp.media = {'error': "Unauthorized to perform action"} return resp
def resolve_search_threat_scenario(self, info, **kwargs): if _validate_jwt(info.context['request'].headers): if kwargs.get('project_name'): try: ref_project = Proj.objects.get(name=kwargs.get('project_name')) return ThreatModel.objects(project=ref_project.id) except DoesNotExist as de: return de else: for single in kwargs.keys(): if '__' in single: val = kwargs[single] kwargs.pop(single) other_val = single.replace('__', '.') kwargs[other_val] = val print(kwargs) return ThreatModel.objects(__raw__=kwargs) else: raise Exception("Unauthorized to perform action")
def resolve_relations(self, info): if _validate_jwt(info.context['request'].headers): return list(Interaction.objects.all()) else: raise Exception("Unauthorized to perform action")
def resolve_repo_by_name(self, info, **kwargs): if _validate_jwt(info.context['request'].headers): return Repo.objects.get(short_name=kwargs.get('short_name')) else: raise Exception("Unauthorized to perform action")
def mutate(self, info, **kwargs): if _validate_jwt(info.context['request'].headers): if 't_model' in kwargs: model_attribs = kwargs['t_model'] print(model_attribs['project']) if not all(k in model_attribs for k in ("name", "vul_name", "description", "project")): raise Exception("Mandatory parameters are not in the mutation") else: try: cwe_val = model_attribs.get('cwe', 0) related_cwes = model_attribs.get('related_cwes', []) mitigations = model_attribs.get('mitigations', []) severity = int(model_attribs.get('severity', 1)) test_cases = model_attribs.get('tests', []) project = model_attribs.get('project') ref_proj = Proj.objects.get(name=project) try: ThreatModel.objects.get(name=model_attribs.get('name')) new_threat_model = ThreatModel.objects(name=model_attribs.get('name')).update_one( name=model_attribs.get('name'), vul_name=model_attribs.get('vul_name'), cwe=cwe_val, severity=severity, related_cwes=related_cwes, mitigations=mitigations, description=model_attribs.get('description'), project = ref_proj, tests=test_cases, upsert=True ) new_threat_model = ThreatModel.objects.get(name=model_attribs.get('name')) except DoesNotExist: new_threat_model = ThreatModel(name=model_attribs.get('name'), vul_name=model_attribs.get('vul_name'), cwe=cwe_val, severity=severity, related_cwes=related_cwes, mitigations=mitigations, description=model_attribs.get('description'), project = ref_proj, tests=test_cases ).save() except Exception as e: return e.args if 'abuser_stories' in model_attribs: abuses = model_attribs.get('abuser_stories') for single in abuses: try: ref_abuse = AbuseCase.objects.get(short_name=single) linked_tm = ThreatModel.objects.get(name=model_attribs.get('name')) ref_abuse.update(add_to_set__models=[linked_tm.id]) except DoesNotExist: pass if 'user_story' in model_attribs: try: features = model_attribs.get('user_story') ref_use = UseCase.objects.get(short_name=features) ref_use.update(add_to_set__scenarios=new_threat_model) except DoesNotExist: raise Exception("Feature/User Story mentioned does not exist") return CreateOrUpdateThreatModel(threat_model=new_threat_model) else: raise Exception("Unauthorized to perform action")
def resolve_abuser_story_by_name(self, info, **kwargs): if _validate_jwt(info.context['request'].headers): if 'short_name' in kwargs: return AbuseCase.objects.get(short_name=kwargs['short_name']) else: raise Exception("Unauthorized to perform action")
def resolve_abuser_stories(self, info): if _validate_jwt(info.context['request'].headers): return list(AbuseCase.objects.all()) else: raise Exception("Unauthorized to perform action")
def resolve_scenarios(self, info): if _validate_jwt(info.context['request'].headers): return list(ThreatModel.objects.all()) else: raise Exception("Unauthorized to perform action")