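def verify_and_call(*args, **kwargs):
    """Authorize the caller against the event's project, then call ``func``.

    The event id is taken from ``identifier`` when present, else from
    ``event_id``. Its format is validated before anything else, the owning
    project is looked up, and ``ENFORCER_BASIC`` is consulted with the
    caller's role and (active + inactive) project subscriptions. Only then
    is the wrapped resolver ``func`` (a closure variable from the enclosing
    decorator) invoked.

    Raises:
        GraphQLError: on a malformed id, an event with no project, a failed
            enforcement decision or missing user attributes.
    """
    context = args[1].context
    identifier = kwargs.get('identifier')
    event_id = kwargs.get('event_id') if identifier is None else identifier

    # Validate the id BEFORE it reaches the data layer. The previous order
    # did the lookup first, so a malformed id still hit storage. fullmatch
    # also rejects the empty string and a trailing newline, both of which
    # re.match('^[0-9]*$') let through.
    if not isinstance(event_id, str) or not re.fullmatch(r'[0-9]+', event_id):
        rollbar.report_message('Error: Invalid event id format', 'error', context)
        raise GraphQLError('Invalid event id format')

    user_data = util.get_jwt_content(context)
    user_data['subscribed_projects'] = \
        user_domain.get_projects(user_data['user_email'])
    user_data['subscribed_projects'] += \
        user_domain.get_projects(user_data['user_email'], active=False)
    user_data['role'] = get_user_role(user_data)

    event_project = event_domain.get_event(event_id).get('project_name')
    # An unknown event (no project) previously blew up on .lower() with an
    # AttributeError; deny access instead, with the same message as a normal
    # denial so existence of the id is not leaked.
    if not event_project:
        util.cloudwatch_log(
            context,
            'Security: Attempted to retrieve event-related info without permission')
        raise GraphQLError('Access denied')

    try:
        allowed = ENFORCER_BASIC.enforce(user_data, event_project.lower())
    except AttributeDoesNotExist:
        # Raise rather than return the error: a returned exception object
        # depends on GraphQL engine behaviour to be treated as a failure.
        raise GraphQLError('Access denied: Missing attributes')
    if not allowed:
        util.cloudwatch_log(
            context,
            'Security: Attempted to retrieve event-related info without permission')
        raise GraphQLError('Access denied')
    return func(*args, **kwargs)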
def get_unsolved_events(project: str) -> List[EventType]:
    """Return the events of ``project`` that ``is_a_unsolved_event`` accepts.

    Each id from ``project_domain.list_events`` is expanded into its full
    record with ``event_domain.get_event`` before filtering.
    """
    event_ids = project_domain.list_events(project)
    records = [event_domain.get_event(event_id) for event_id in event_ids]
    return [record for record in records if is_a_unsolved_event(record)]
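def resolve_update_event(_, info, event_id, **kwargs):
    """Resolve update_event mutation.

    Delegates to ``event_domain.update_event``. On success the cache entries
    for the event and its project are invalidated and a security log line is
    written. A failed update is now logged as well, mirroring
    ``resolve_solve_event``, so the attempt is visible in CloudWatch.

    Returns:
        dict: ``{'success': bool}``.
    """
    success = event_domain.update_event(event_id, **kwargs)
    if success:
        project_name = event_domain.get_event(event_id).get('project_name')
        util.invalidate_cache(event_id)
        util.invalidate_cache(project_name)
        util.cloudwatch_log(
            info.context, f'Security: Updated event {event_id} succesfully')
    else:
        util.cloudwatch_log(
            info.context, f'Security: Attempted to update event {event_id}')
    return dict(success=success)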
def has_access_to_event(user: str, event_id: str, role: str) -> bool:
    """Verify if the user has access to a event submission.

    Admins are allowed unconditionally (they have no assigned projects);
    any other role is checked against the event's project through
    ``has_access_to_project``. A missing project name is passed as ''.
    """
    if role == 'admin':
        return True
    event = event_domain.get_event(event_id)
    project_name = str(event.get('project_name', ''))
    return has_access_to_project(user, project_name, role)
def test_solve_event():
    """Solving an event once succeeds; solving it again is rejected."""
    solve_kwargs = dict(
        event_id='538745942',
        affectation=1,
        analyst_email='*****@*****.**',
        date=parse_datetime('2019-12-09T05:00:00.000Z'))
    # First call: must succeed and leave the newest historic state SOLVED
    assert event_domain.solve_event(**solve_kwargs)
    solved = event_domain.get_event('538745942')
    assert solved['historic_state'][-1]['state'] == 'SOLVED'
    # Second call with identical input: already closed
    with pytest.raises(EventAlreadyClosed):
        assert event_domain.solve_event(**solve_kwargs)
def resolve_solve_event(_, info, event_id, affectation, date):
    """Resolve solve_event mutation.

    The analyst recorded on the event comes from the request JWT, never
    from client input. On success the event and project cache entries are
    dropped; both outcomes are written to the security log.

    Returns:
        dict: ``{'success': bool}``.
    """
    analyst_email = util.get_jwt_content(info.context)['user_email']
    success = event_domain.solve_event(
        event_id, affectation, analyst_email, date)
    if not success:
        util.cloudwatch_log(
            info.context, f'Security: Attempted to solve event {event_id}')
        return dict(success=success)
    project_name = event_domain.get_event(event_id).get('project_name')
    for cache_key in (event_id, project_name):
        util.invalidate_cache(cache_key)
    util.cloudwatch_log(
        info.context, f'Security: Solved event {event_id} succesfully')
    return dict(success=success)
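def resolve_project_name(args, kwargs):
    """Get project name based on args passed.

    Lookup order: the parent object's ``name`` attribute, then the
    ``project_name`` kwarg, then the project owning ``finding_id``,
    ``draft_id`` or ``event_id``. Returns ``None`` when nothing matches.
    An empty ``args`` tuple no longer raises IndexError; it falls through
    to the kwargs checks.

    NOTE(review): when this feeds an authorization check, the project is
    derived from a client-supplied object id; the id-to-project mapping in
    ``finding_dal``/``event_domain`` is trusted.
    """
    parent = args[0] if args else None
    if parent and hasattr(parent, 'name'):
        return parent.name
    if 'project_name' in kwargs:
        return kwargs['project_name']
    if 'finding_id' in kwargs:
        return finding_dal.get_attributes(
            kwargs['finding_id'], ['project_name']).get('project_name')
    if 'draft_id' in kwargs:
        return finding_dal.get_attributes(
            kwargs['draft_id'], ['project_name']).get('project_name')
    if 'event_id' in kwargs:
        return event_domain.get_event(
            kwargs['event_id']).get('project_name')
    return None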
def resolve_event(_, info, identifier):
    """Resolve event query.

    Writes a security log line and returns the raw event record. No
    authorization happens in this function; presumably a decorator such as
    ``verify_and_call`` enforces it on the resolver (not visible here).
    """
    log_line = f'Security: Access to Event: {identifier} succesfully'
    util.cloudwatch_log(info.context, log_line)
    return event_domain.get_event(identifier)
def test_get_event():
    """The fixture event 418900971 belongs to the 'unittesting' project."""
    fetched = event_domain.get_event('418900971')
    assert fetched.get('project_name') == 'unittesting'