def perform_pgp_validation_checks(self, store):
expired_or_expiring = []
for user in store.find(models.User):
if user.pgp_key_public and user.pgp_key_expiration != datetime_null():
if user.pgp_key_expiration < datetime_now():
expired_or_expiring.append(user_serialize_user(user, GLSettings.memory_copy.default_language))
if GLSettings.memory_copy.allow_unencrypted:
# The PGP key status should be downgraded only if the node
# accept non PGP mails/files to be sent/stored.
# If the node wont accept this the pgp key status
# will remain enabled and mail won't be sent by regular flow.
user.pgp_key_status = u'disabled'
user.pgp_key_info = None
user.pgp_key_public = None
user.pgp_key_fingerprint = None
user.pgp_key_expiration = None
elif user.pgp_key_expiration < datetime_now() - timedelta(days=15):
expired_or_expiring.append(user_serialize_user(user, GLSettings.memory_copy.default_language))
if expired_or_expiring:
if not GLSettings.memory_copy.disable_admin_notification_emails:
self.prepare_admin_pgp_alerts(store, expired_or_expiring)
for user_desc in expired_or_expiring:
self.prepare_user_pgp_alerts(store, user_desc)
def perform_pgp_validation_checks(self, store):
expired_or_expiring = []
for user in store.find(models.User):
if user.pgp_key_public and user.pgp_key_expiration != datetime_null(
):
if user.pgp_key_expiration < datetime_now():
expired_or_expiring.append(
user_serialize_user(
user, GLSettings.memory_copy.default_language))
user.pgp_key_status = u'disabled'
user.pgp_key_info = None
user.pgp_key_public = None
user.pgp_key_fingerprint = None
user.pgp_key_expiration = None
elif user.pgp_key_expiration < datetime_now() - timedelta(
days=15):
expired_or_expiring.append(
user_serialize_user(
user, GLSettings.memory_copy.default_language))
if expired_or_expiring:
if not GLSettings.memory_copy.disable_admin_notification_emails:
self.prepare_admin_pgp_alerts(store, expired_or_expiring)
for user_desc in expired_or_expiring:
self.prepare_user_pgp_alerts(store, user_desc)
def generate_password_reset_token(session, state, tid, username_or_email):
from globaleaks.handlers.admin.notification import db_get_notification
from globaleaks.handlers.admin.node import db_admin_serialize_node
from globaleaks.handlers.user import user_serialize_user
users = session.query(models.User).filter(
or_(models.User.username == username_or_email,
models.User.mail_address == username_or_email),
models.User.tid == tid).distinct()
for user in users:
user.reset_password_token = generateRandomKey(32)
user.reset_password_date = datetime_now()
user_desc = user_serialize_user(session, user, user.language)
template_vars = {
'type': 'password_reset_validation',
'user': user_desc,
'reset_token': user.reset_password_token,
'node': db_admin_serialize_node(session, tid, user.language),
'notification': db_get_notification(session, tid, user.language)
}
state.format_and_send_mail(session, tid, user_desc, template_vars)
return {'redirect': '/login/passwordreset/requested'}
def serialize_obj(self, session, key, obj, tid, language):
obj_id = obj.id
cache_key = gen_cache_key(key, tid, obj_id, language)
cache_obj = None
if cache_key not in self.cache:
if key == 'user':
cache_obj = user_serialize_user(session, obj, language)
elif key == 'context':
cache_obj = admin_serialize_context(session, obj, language)
elif key == 'tip':
itip = session.query(models.InternalTip).filter(
models.InternalTip.id == obj.internaltip_id).one()
cache_obj = serialize_rtip(session, obj, itip, language)
elif key == 'message':
cache_obj = serialize_message(session, obj)
elif key == 'comment':
cache_obj = serialize_comment(session, obj)
elif key == 'file':
cache_obj = models.serializers.serialize_ifile(session, obj)
self.cache[cache_key] = cache_obj
return self.cache[cache_key]
def db_create_identityaccessrequest_notifications(session, tid, itip, rtip, iar):
users = session.query(models.User).filter(models.User.role == u'custodian', models.User.notification == True)
for user in users:
node = db_admin_serialize_node(session, tid, user.language)
context = session.query(models.Context).filter(models.Context.id == itip.context_id, models.Context.tid == tid).one()
data = {
'type': 'identity_access_request'
}
data['user'] = user_serialize_user(session, user, user.language)
data['tip'] = serialize_rtip(session, rtip, itip, user.language)
data['context'] = admin_serialize_context(session, context, user.language)
data['iar'] = serialize_identityaccessrequest(session, iar)
data['node'] = db_admin_serialize_node(session, tid, user.language)
if data['node']['mode'] != u'whistleblowing.it':
data['notification'] = db_get_notification(session, tid, user.language)
else:
data['notification'] = db_get_notification(session, 1, user.language)
subject, body = Templating().get_mail_subject_and_body(data)
session.add(models.Mail({
'address': data['user']['mail_address'],
'subject': subject,
'body': body,
'tid': tid
}))
def get_user_list(store, language):
"""
Returns:
(list) the list of users
"""
users = store.find(models.User)
return [user_serialize_user(user, language) for user in users]
def generate_password_reset_token(session, state, tid, username_or_email, allow_admin_reset=False):
from globaleaks.handlers.admin.notification import db_get_notification
from globaleaks.handlers.admin.node import db_admin_serialize_node
from globaleaks.handlers.user import user_serialize_user
users = session.query(models.User).filter(
or_(models.User.username == username_or_email,
models.User.mail_address == username_or_email),
models.UserTenant.user_id == models.User.id,
models.UserTenant.tenant_id == tid
).distinct()
for user in users:
if not allow_admin_reset and user.role == u'admin':
continue
user.reset_password_token = generateRandomKey(32)
user.reset_password_date = datetime_now()
user_desc = user_serialize_user(session, user, user.language)
template_vars = {
'type': 'password_reset_validation',
'user': user_desc,
'reset_token': user.reset_password_token,
'node': db_admin_serialize_node(session, 1, user.language),
'notification': db_get_notification(session, tid, user.language)
}
state.format_and_send_mail(session, tid, user_desc, template_vars)
def receiver_serialize_receiver(store, receiver, user, language):
user = store.find(models.User, id=receiver.id).one()
contexts = [
id
for id in store.find(models.ReceiverContext.context_id,
models.ReceiverContext.receiver_id == receiver.id)
]
ret_dict = user_serialize_user(store, user, language)
ret_dict.update({
'can_postpone_expiration':
GLSettings.memory_copy.can_postpone_expiration
or receiver.can_postpone_expiration,
'can_delete_submission':
GLSettings.memory_copy.can_delete_submission
or receiver.can_delete_submission,
'can_grant_permissions':
GLSettings.memory_copy.can_grant_permissions
or receiver.can_grant_permissions,
'tip_notification':
receiver.tip_notification,
'contexts':
contexts
})
return get_localized_values(ret_dict, receiver, receiver.localized_keys,
language)
def perform_pgp_validation_checks(self, session):
tenant_expiry_map = {1: []}
for user in db_get_expired_or_expiring_pgp_users(
session, self.state.tenant_cache.keys()):
user_desc = user_serialize_user(
session, user,
self.state.tenant_cache[user.tid].default_language)
tenant_expiry_map.setdefault(user.tid, []).append(user_desc)
log.info('Removing expired PGP key of: %s',
user.username,
tid=user.tid)
if user.pgp_key_expiration < datetime_now():
user.pgp_key_public = ''
user.pgp_key_fingerprint = ''
user.pgp_key_expiration = datetime_null()
for tid, expired_or_expiring in tenant_expiry_map.items():
if self.state.tenant_cache[
tid].notification.disable_admin_notification_emails:
continue
if expired_or_expiring:
self.prepare_admin_pgp_alerts(session, tid,
expired_or_expiring)
for user_desc in expired_or_expiring:
self.prepare_user_pgp_alerts(session, tid, user_desc)
def admin_serialize_receiver(store, receiver, language):
"""
Serialize the specified receiver
:param language: the language in which to localize data
:return: a dictionary representing the serialization of the receiver
"""
contexts = [
rc.context_id
for rc in store.find(models.ReceiverContext,
models.ReceiverContext.receiver_id == receiver.id)
]
ret_dict = user_serialize_user(receiver.user, language)
ret_dict.update({
'can_delete_submission': receiver.can_delete_submission,
'can_postpone_expiration': receiver.can_postpone_expiration,
'can_grant_permissions': receiver.can_grant_permissions,
'mail_address': receiver.user.mail_address,
'configuration': receiver.configuration,
'contexts': contexts,
'tip_notification': receiver.tip_notification,
'presentation_order': receiver.presentation_order
})
return get_localized_values(ret_dict, receiver, receiver.localized_keys,
language)
def receiver_serialize_receiver(receiver, language):
ret_dict = user_serialize_user(receiver.user, language)
if receiver.user.role == 'custodian':
can_postpone_expiration = False
can_delete_submission = False
can_grant_permissions = False
tip_notification = False
contexts = []
else:
can_postpone_expiration = GLSettings.memory_copy.can_postpone_expiration or receiver.can_postpone_expiration
can_delete_submission = GLSettings.memory_copy.can_delete_submission or receiver.can_delete_submission
can_grant_permissions = GLSettings.memory_copy.can_grant_permissions or receiver.can_grant_permissions
tip_notification = receiver.tip_notification
contexts = [c.id for c in receiver.contexts]
ret_dict.update({
'can_postpone_expiration': can_postpone_expiration,
'can_delete_submission': can_delete_submission,
'can_grant_permissions': can_grant_permissions,
'tip_notification': tip_notification,
'contexts': contexts
})
return get_localized_values(ret_dict, receiver, receiver.localized_keys, language)
def get_user_list(session, tid, language):
"""
Returns:
(list) the list of users
"""
users = session.query(models.User).filter(models.User.tid == tid)
return [user_serialize_user(session, user, language) for user in users]
def db_generate_password_reset_token(session, user):
"""
Transaction for issuing password reset tokens
:param session: An ORM session
:param user: The user for which issuing a password reset token
"""
user.reset_password_token = generateRandomKey()
user.reset_password_date = datetime_now()
if user.last_login > datetime_null():
template = 'password_reset_validation'
else:
template = 'account_activation'
user_desc = user_serialize_user(session, user, user.language)
template_vars = {
'type': template,
'user': user_desc,
'reset_token': user.reset_password_token,
'node': db_admin_serialize_node(session, user.tid, user.language),
'notification': db_get_notification(session, user.tid, user.language)
}
State.format_and_send_mail(session, user.tid, user_desc, template_vars)
def db_create_identityaccessrequest_notifications(session, tid, itip, rtip,
iar):
users = session.query(models.User).filter(models.User.role == u'custodian',
models.User.notification == True)
for user in users:
node = db_admin_serialize_node(session, tid, user.language)
context = session.query(models.Context).filter(
models.Context.id == itip.context_id,
models.Context.tid == tid).one()
data = {'type': 'identity_access_request'}
data['user'] = user_serialize_user(session, user, user.language)
data['tip'] = serialize_rtip(session, rtip, itip, user.language)
data['context'] = admin_serialize_context(session, context,
user.language)
data['iar'] = serialize_identityaccessrequest(session, iar)
data['node'] = db_admin_serialize_node(session, tid, user.language)
if data['node']['mode'] == u'default':
data['notification'] = db_get_notification(session, tid,
user.language)
else:
data['notification'] = db_get_notification(session, 1,
user.language)
subject, body = Templating().get_mail_subject_and_body(data)
session.add(
models.Mail({
'address': data['user']['mail_address'],
'subject': subject,
'body': body,
'tid': tid
}))
def db_generate_password_reset_token(session,
state,
tid,
username_or_email,
allow_admin_reset=False):
from globaleaks.handlers.admin.notification import db_get_notification
from globaleaks.handlers.admin.node import db_admin_serialize_node
from globaleaks.handlers.user import user_serialize_user
users = session.query(models.User).filter(
or_(models.User.username == username_or_email,
models.User.mail_address == username_or_email),
models.UserTenant.user_id == models.User.id,
models.UserTenant.tenant_id == tid).distinct()
for user in users:
if not allow_admin_reset and user.role == u'admin':
continue
user.reset_password_token = generateRandomKey(32)
user.reset_password_date = datetime_now()
user_desc = user_serialize_user(session, user, user.language)
template_vars = {
'type': 'password_reset_validation',
'user': user_desc,
'reset_token': user.reset_password_token,
'node': db_admin_serialize_node(session, 1, user.language),
'notification': db_get_notification(session, tid, user.language)
}
state.format_and_send_mail(session, tid, user_desc, template_vars)
def serialize_obj(self, store, key, obj, language):
obj_id = obj.id
cache_key = key + '-' + obj_id + '-' + language
cache_obj = None
if cache_key not in self.cache:
if key == 'user':
cache_obj = user_serialize_user(store, obj, language)
elif key == 'context':
cache_obj = admin_serialize_context(store, obj, language)
elif key == 'tip':
itip = store.find(models.InternalTip,
id=obj.internaltip_id).one()
cache_obj = serialize_rtip(store, obj, itip, language)
elif key == 'message':
cache_obj = serialize_message(store, obj)
elif key == 'comment':
cache_obj = serialize_comment(store, obj)
elif key == 'file':
cache_obj = models.serializers.serialize_ifile(store, obj)
self.cache[cache_key] = cache_obj
return self.cache[cache_key]
def create_custodian(store, request, language):
"""
Currently this function simply serialize the custodian user.
In the future this will serialize the admin model with its peculiatieis.
"""
return user_serialize_user(db_create_custodian(store, request, language),
language)
def get_user_list(store, language):
"""
Returns:
(list) the list of users
"""
users = store.find(models.User)
return [user_serialize_user(user, language) for user in users]
def admin_serialize_receiver(receiver, language):
"""
Serialize the specified receiver
:param language: the language in which to localize data
:return: a dictionary representing the serialization of the receiver
"""
ret_dict = user_serialize_user(receiver.user, language)
ret_dict.update({
'can_delete_submission':
receiver.can_delete_submission,
'can_postpone_expiration':
receiver.can_postpone_expiration,
'mail_address':
receiver.user.mail_address,
'ping_mail_address':
receiver.ping_mail_address,
'configuration':
receiver.configuration,
'contexts': [c.id for c in receiver.contexts],
'tip_notification':
receiver.tip_notification,
'ping_notification':
receiver.ping_notification,
'presentation_order':
receiver.presentation_order,
'tip_expiration_threshold':
receiver.tip_expiration_threshold,
})
return get_localized_values(ret_dict, receiver, receiver.localized_keys,
language)
def receiver_serialize_receiver(session, tid, receiver, user, language):
user = session.query(models.User).filter(
models.User.id == receiver.id, models.User.tid == tid).one_or_none()
contexts = [x[0] for x in session.query(models.ReceiverContext.context_id) \
.filter(models.ReceiverContext.receiver_id == receiver.id, \
models.User.id == receiver.id,
models.User.tid == tid)]
ret_dict = user_serialize_user(session, user, language)
ret_dict.update({
'can_postpone_expiration':
State.tenant_cache[tid].can_postpone_expiration
or receiver.can_postpone_expiration,
'can_delete_submission':
State.tenant_cache[tid].can_delete_submission
or receiver.can_delete_submission,
'can_grant_permissions':
State.tenant_cache[tid].can_grant_permissions
or receiver.can_grant_permissions,
'tip_notification':
receiver.tip_notification,
'contexts':
contexts
})
return get_localized_values(ret_dict, receiver, receiver.localized_keys,
language)
def receiver_serialize_receiver(session, tid, user, language):
# take only contexts for the current tenant
contexts = [x[0] for x in session.query(models.ReceiverContext.context_id) \
.filter(models.ReceiverContext.receiver_id == user.id,
models.UserTenant.user_id == user.id,
models.UserTenant.tenant_id == tid)]
ret_dict = user_serialize_user(session, user, language)
ret_dict.update({
'can_postpone_expiration':
State.tenant_cache[tid].can_postpone_expiration
or user.can_postpone_expiration,
'can_delete_submission':
State.tenant_cache[tid].can_delete_submission
or user.can_delete_submission,
'can_grant_permissions':
State.tenant_cache[tid].can_grant_permissions
or user.can_grant_permissions,
'notification':
user.notification,
'contexts':
contexts
})
return ret_dict
def db_get_admin_users(session, tid):
return [
user_serialize_user(session, user,
State.tenant_cache[tid].default_language)
for user in session.query(models.User).filter(
models.User.tid == tid, models.User.role == u'admin')
]
def get_tip_export(session, tid, user_id, rtip_id, language):
rtip, itip = db_access_rtip(session, tid, user_id, rtip_id)
user, context = session.query(models.User, models.Context) \
.filter(models.User.id == rtip.receiver_id,
models.Context.id == models.InternalTip.context_id,
models.InternalTip.id == rtip.internaltip_id,
models.User.tid == tid).one()
rtip_dict = serialize_rtip(session, rtip, itip, language)
export_dict = {
'type':
'export_template',
'node':
db_admin_serialize_node(session, tid, language),
'notification':
db_get_notification(session, tid, language),
'tip':
rtip_dict,
'crypto_tip_prv_key':
rtip.crypto_tip_prv_key,
'user':
user_serialize_user(session, user, language),
'context':
admin_serialize_context(session, context, language),
'comments':
rtip_dict['comments'],
'messages':
rtip_dict['messages'],
'files': [],
'submission_statuses':
db_retrieve_all_submission_statuses(session, tid, language)
}
for rfile in session.query(models.ReceiverFile).filter(
models.ReceiverFile.receivertip_id == rtip_id):
rfile.last_access = datetime_now()
rfile.downloads += 1
file_dict = models.serializers.serialize_rfile(session, tid, rfile)
file_dict['name'] = 'files/' + file_dict['name']
file_dict['path'] = os.path.join(Settings.attachments_path,
file_dict['filename'])
file_dict['forged'] = False
export_dict['files'].append(file_dict)
for wf in session.query(models.WhistleblowerFile).filter(
models.WhistleblowerFile.receivertip_id == models.ReceiverTip.id,
models.ReceiverTip.internaltip_id == rtip.internaltip_id,
models.InternalTip.id == rtip.internaltip_id):
file_dict = models.serializers.serialize_wbfile(session, tid, wf)
file_dict['name'] = 'files_from_recipients/' + file_dict['name']
file_dict['path'] = os.path.join(Settings.attachments_path,
file_dict['filename'])
file_dict[
'forged'] = True # To be removed as soon it will be encrypted
export_dict['files'].append(file_dict)
return export_dict
def get_tip_export(session, tid, user_id, rtip_id, language):
rtip, itip = db_access_rtip(session, tid, user_id, rtip_id)
user, context = session.query(models.User, models.Context) \
.filter(models.User.id == rtip.receiver_id,
models.Context.id == models.InternalTip.context_id,
models.InternalTip.id == rtip.internaltip_id,
models.UserTenant.user_id == models.User.id,
models.UserTenant.tenant_id == tid).one()
rtip_dict = serialize_rtip(session, rtip, itip, language)
export_dict = {
'type': u'export_template',
'node': db_admin_serialize_node(session, tid, language),
'notification': db_get_notification(session, tid, language),
'tip': rtip_dict,
'user': user_serialize_user(session, user, language),
'context': admin_serialize_context(session, context, language),
'comments': rtip_dict['comments'],
'messages': rtip_dict['messages'],
'files': []
}
export_template = Templating().format_template(
export_dict['notification']['export_template'],
export_dict).encode('utf-8')
export_template = msdos_encode(text_type(export_template,
'utf-8')).encode('utf-8')
export_dict['files'].append({
'fo': BytesIO(export_template),
'name': "data.txt"
})
for rfile in session.query(models.ReceiverFile).filter(
models.ReceiverFile.receivertip_id == rtip_id):
rfile.last_access = datetime_now()
rfile.downloads += 1
file_dict = models.serializers.serialize_rfile(session, tid, rfile)
file_dict['name'] = 'files/' + file_dict['name']
file_dict['path'] = os.path.join(Settings.attachments_path,
file_dict['filename'])
export_dict['files'].append(file_dict)
for wf in session.query(models.WhistleblowerFile).filter(
models.WhistleblowerFile.receivertip_id == models.ReceiverTip.id,
models.ReceiverTip.internaltip_id == rtip.internaltip_id,
models.InternalTip.id == rtip.internaltip_id):
file_dict = models.serializers.serialize_wbfile(session, tid, wf)
file_dict['name'] = 'files_from_recipients/' + file_dict['name']
file_dict['path'] = os.path.join(Settings.attachments_path,
file_dict['filename'])
export_dict['files'].append(file_dict)
return export_dict
def db_admin_update_user(session, tid, user_session, user_id, request,
language):
"""
Transaction for updating an existing user
:param session: An ORM session
:param tid: A tenant ID
:param user_session: The current user session
:param user_id: The ID of the user to update
:param request: The request data
:param language: The language of the request
:return: The serialized descriptor of the updated object
"""
fill_localized_keys(request, models.User.localized_keys, language)
user = db_get_user(session, tid, user_id)
if user.username != request['username']:
check = session.query(models.User).filter(
models.User.username == request['username'],
models.User.tid == tid).one_or_none()
if check is not None:
raise errors.InputValidationError('Username already in use')
user.update(request)
password = request['password']
if password and (not user.crypto_pub_key or user_session.ek):
if user.crypto_pub_key and user_session.ek:
enc_key = GCE.derive_key(password.encode(), user.salt)
crypto_escrow_prv_key = GCE.asymmetric_decrypt(
user_session.cc, Base64Encoder.decode(user_session.ek))
if tid == 1:
user_cc = GCE.asymmetric_decrypt(
crypto_escrow_prv_key,
Base64Encoder.decode(user.crypto_escrow_bkp1_key))
else:
user_cc = GCE.asymmetric_decrypt(
crypto_escrow_prv_key,
Base64Encoder.decode(user.crypto_escrow_bkp2_key))
user.crypto_prv_key = Base64Encoder.encode(
GCE.symmetric_encrypt(enc_key, user_cc))
if user.hash_alg != 'ARGON2':
user.hash_alg = 'ARGON2'
user.salt = GCE.generate_salt()
user.password = GCE.hash_password(password, user.salt)
user.password_change_date = datetime_now()
user.password_change_needed = True
# The various options related in manage PGP keys are used here.
parse_pgp_options(user, request)
return user_serialize_user(session, user, language)
def get_receiver_list(session, tid, language):
"""
Returns:
(list) the list of recipients
"""
users = session.query(models.User).filter(models.User.role == u'receiver',
models.User.tid == tid)
return [user_serialize_user(session, user, language) for user in users]
def get_user_list(session, tid, language):
"""
Returns:
(list) the list of users
"""
users = session.query(models.User).filter(models.UserTenant.user_id == models.User.id,
models.UserTenant.tenant_id == tid)
return [user_serialize_user(session, user, language) for user in users]
def perform_pgp_validation_checks(self, store):
expired_or_expiring = []
for user in store.find(models.User):
if user.pgp_key_public and user.pgp_key_expiration != datetime_null():
if user.pgp_key_expiration < datetime_now():
expired_or_expiring.append(user_serialize_user(user, GLSettings.memory_copy.default_language))
user.pgp_key_public = None
user.pgp_key_fingerprint = None
user.pgp_key_expiration = None
elif user.pgp_key_expiration < datetime_now() - timedelta(days=15):
expired_or_expiring.append(user_serialize_user(user, GLSettings.memory_copy.default_language))
if expired_or_expiring:
if not GLSettings.memory_copy.notif.disable_admin_notification_emails:
self.prepare_admin_pgp_alerts(store, expired_or_expiring)
for user_desc in expired_or_expiring:
self.prepare_user_pgp_alerts(store, user_desc)
def create_user(session, tid, request, language):
"""
Transaction for creating a new user
:param session: An ORM session
:param tid: A tenant ID
:param request: The request data
:param language: The language of the request
:return: The serialized descriptor of the created object
"""
return user_serialize_user(session, db_create_user(session, tid, request, language), language)
def receiver_serialize_receiver(receiver, language):
ret_dict = user_serialize_user(receiver.user, language)
ret_dict.update({
'can_postpone_expiration': GLSettings.memory_copy.can_postpone_expiration or receiver.can_postpone_expiration,
'can_delete_submission': GLSettings.memory_copy.can_delete_submission or receiver.can_delete_submission,
'can_grant_permissions': GLSettings.memory_copy.can_grant_permissions or receiver.can_grant_permissions,
'tip_notification': receiver.tip_notification,
'contexts': [c.id for c in receiver.contexts]
})
return get_localized_values(ret_dict, receiver, receiver.localized_keys, language)
def receiver_serialize_receiver(receiver, language):
ret_dict = user_serialize_user(receiver.user, language)
ret_dict.update({
'can_postpone_expiration': GLSettings.memory_copy.can_postpone_expiration or receiver.can_postpone_expiration,
'can_delete_submission': GLSettings.memory_copy.can_delete_submission or receiver.can_delete_submission,
'can_grant_permissions': GLSettings.memory_copy.can_grant_permissions or receiver.can_grant_permissions,
'tip_notification': receiver.tip_notification,
'contexts': [c.id for c in receiver.contexts]
})
return get_localized_values(ret_dict, receiver, receiver.localized_keys, language)
def db_check_for_expiring_submissions(self, session):
for tid in self.state.tenant_state:
threshold = datetime_now() + timedelta(
hours=self.state.tenant_cache[tid].notification.
tip_expiration_threshold)
for user in session.query(models.User).filter(
models.User.role == u'receiver',
models.UserTenant.user_id == models.User.id,
models.UserTenant.tenant_id == tid):
itip_ids = [
id[0]
for id in session.query(models.InternalTip.id).filter(
models.InternalTip.tid == tid, models.ReceiverTip.
internaltip_id == models.InternalTip.id,
models.InternalTip.expiration_date < threshold,
models.ReceiverTip.receiver_id == user.id)
]
if not len(itip_ids):
continue
earliest_expiration_date = session.query(func.min(models.InternalTip.expiration_date)) \
.filter(models.InternalTip.id.in_(itip_ids)).one()[0]
user_desc = user_serialize_user(session, user, user.language)
data = {
'type':
u'tip_expiration_summary',
'node':
db_admin_serialize_node(session, tid, user.language),
'notification':
db_get_notification(session, tid, user.language),
'user':
user_desc,
'expiring_submission_count':
len(itip_ids),
'earliest_expiration_date':
datetime_to_ISO8601(earliest_expiration_date)
}
subject, body = Templating().get_mail_subject_and_body(data)
session.add(
models.Mail({
'tid': tid,
'address': user_desc['mail_address'],
'subject': subject,
'body': body
}))
def get_tip_export(store, user_id, rtip_id, language):
rtip, itip = db_access_rtip(store, user_id, rtip_id)
user, context = store.find(
(models.User, models.Context), models.User.id == rtip.receiver_id,
models.Context.id == models.InternalTip.context_id,
models.InternalTip.id == rtip.internaltip_id).one()
rtip_dict = serialize_rtip(store, rtip, itip, language)
export_dict = {
'type': u'export_template',
'node': db_admin_serialize_node(store, language),
'notification': db_get_notification(store, language),
'tip': serialize_rtip(store, rtip, itip, language),
'user': user_serialize_user(store, user, language),
'context': admin_serialize_context(store, context, language),
'comments': rtip_dict['comments'],
'messages': rtip_dict['messages'],
'files': []
}
export_template = Templating().format_template(
export_dict['notification']['export_template'],
export_dict).encode('utf-8')
export_template = msdos_encode(export_template)
export_dict['files'].append({'buf': export_template, 'name': "data.txt"})
for rfile in store.find(models.ReceiverFile,
models.ReceiverFile.receivertip_id == rtip_id):
rfile.downloads += 1
file_dict = models.serializers.serialize_rfile(store, rfile)
file_dict['name'] = 'files/' + file_dict['name']
export_dict['files'].append(file_dict)
for wf in store.find(
models.WhistleblowerFile,
models.WhistleblowerFile.receivertip_id == models.ReceiverTip.id,
models.ReceiverTip.internaltip_id == rtip.internaltip_id):
file_dict = models.serializers.serialize_wbfile(store, wf)
file_dict['name'] = 'files_from_recipients/' + file_dict['name']
export_dict['files'].append(file_dict)
return export_dict
def perform_pgp_validation_checks(self, store):
expired_or_expiring = []
for user in db_get_expired_or_expiring_pgp_users(store):
expired_or_expiring.append(user_serialize_user(store, user, State.tenant_cache[1].default_language))
if user.pgp_key_expiration < datetime_now():
user.pgp_key_public = ''
user.pgp_key_fingerprint = ''
user.pgp_key_expiration = datetime_null()
if expired_or_expiring:
if not State.tenant_cache[1].notif.disable_admin_notification_emails:
self.prepare_admin_pgp_alerts(store, expired_or_expiring)
for user_desc in expired_or_expiring:
self.prepare_user_pgp_alerts(store, user_desc)
def perform_pgp_validation_checks(self, store):
expired_or_expiring = []
for user in db_get_expired_or_expiring_pgp_users(store):
expired_or_expiring.append(user_serialize_user(user, GLSettings.memory_copy.default_language))
if user.pgp_key_expiration < datetime_now():
user.pgp_key_public = ''
user.pgp_key_fingerprint = ''
user.pgp_key_expiration = datetime_null()
if len(expired_or_expiring):
if not GLSettings.memory_copy.notif.disable_admin_notification_emails:
self.prepare_admin_pgp_alerts(store, expired_or_expiring)
for user_desc in expired_or_expiring:
self.prepare_user_pgp_alerts(store, user_desc)
def db_check_for_expiring_submissions(self, session, tid):
threshold = datetime_now() + timedelta(
hours=self.state.tenant_cache[tid].notification.
tip_expiration_threshold)
result = session.query(models.User, func.count(models.InternalTip.id), func.min(models.InternalTip.expiration_date)) \
.filter(models.InternalTip.tid == tid,
models.ReceiverTip.internaltip_id == models.InternalTip.id,
models.InternalTip.expiration_date < threshold,
models.User.id == models.ReceiverTip.receiver_id) \
.group_by(models.User.id) \
.having(func.count(models.InternalTip.id) > 0) \
.all()
for x in result:
user = x[0]
expiring_submission_count = x[1]
earliest_expiration_date = x[2]
user_desc = user_serialize_user(session, user, user.language)
data = {
'type':
u'tip_expiration_summary',
'node':
db_admin_serialize_node(session, tid, user.language),
'notification':
db_get_notification(session, tid, user.language),
'user':
user_desc,
'expiring_submission_count':
expiring_submission_count,
'earliest_expiration_date':
datetime_to_ISO8601(earliest_expiration_date)
}
subject, body = Templating().get_mail_subject_and_body(data)
session.add(
models.Mail({
'tid': tid,
'address': user_desc['mail_address'],
'subject': subject,
'body': body
}))
def db_create_identity_access_reply_notifications(session, itip, rtip, iar):
"""
Transaction for the creation of notifications related to identity access replies
:param session: An ORM session
:param itip: A itip ID of the tip involved in the request
:param iar: A identity access request model
"""
from globaleaks.handlers.rtip import serialize_rtip
for user in session.query(models.User) \
.filter(models.User.id == rtip.receiver_id,
models.User.notification.is_(True)):
context = session.query(
models.Context).filter(models.Context.id == itip.context_id).one()
data = {
'type':
'identity_access_authorized'
if iar.reply == 'authorized' else 'identity_access_denied'
}
data['user'] = user_serialize_user(session, user, user.language)
data['tip'] = serialize_rtip(session, rtip, itip, user.language)
data['context'] = admin_serialize_context(session, context,
user.language)
data['iar'] = serialize_identityaccessrequest(session, iar)
data['node'] = db_admin_serialize_node(session, user.tid,
user.language)
if data['node']['mode'] == 'default':
data['notification'] = db_get_notification(session, user.tid,
user.language)
else:
data['notification'] = db_get_notification(session, 1,
user.language)
subject, body = Templating().get_mail_subject_and_body(data)
session.add(
models.Mail({
'address': data['user']['mail_address'],
'subject': subject,
'body': body,
'tid': user.tid
}))
def receiver_serialize_receiver(session, tid, user, language):
# take only contexts for the current tenant
contexts = [x[0] for x in session.query(models.ReceiverContext.context_id)
.filter(models.ReceiverContext.receiver_id == user.id,
models.UserTenant.user_id == user.id,
models.UserTenant.tenant_id == tid)]
ret_dict = user_serialize_user(session, user, language)
ret_dict.update({
'can_postpone_expiration': State.tenant_cache[tid].can_postpone_expiration or user.can_postpone_expiration,
'can_delete_submission': State.tenant_cache[tid].can_delete_submission or user.can_delete_submission,
'can_grant_permissions': State.tenant_cache[tid].can_grant_permissions or user.can_grant_permissions,
'notification': user.notification,
'contexts': contexts
})
return ret_dict
def admin_serialize_receiver(receiver, language):
"""
Serialize the specified receiver
:param language: the language in which to localize data
:return: a dictionary representing the serialization of the receiver
"""
ret_dict = user_serialize_user(receiver.user, language)
ret_dict.update({
'can_delete_submission': receiver.can_delete_submission,
'can_postpone_expiration': receiver.can_postpone_expiration,
'can_grant_permissions': receiver.can_grant_permissions,
'mail_address': receiver.user.mail_address,
'configuration': receiver.configuration,
'contexts': [c.id for c in receiver.contexts],
'tip_notification': receiver.tip_notification,
'presentation_order': receiver.presentation_order
})
return get_localized_values(ret_dict, receiver, receiver.localized_keys, language)
def perform_pgp_validation_checks(self, session):
tenant_expiry_map = {1: []}
for user in db_get_expired_or_expiring_pgp_users(session, self.state.tenant_cache.keys()):
user_desc = user_serialize_user(session, user, user.language)
tenant_expiry_map.setdefault(user.tid, []).append(user_desc)
log.info('Removing expired PGP key of: %s', user.username, tid=user.tid)
if user.pgp_key_expiration < datetime_now():
user.pgp_key_public = ''
user.pgp_key_fingerprint = ''
user.pgp_key_expiration = datetime_null()
for tid, expired_or_expiring in tenant_expiry_map.items():
for user_desc in expired_or_expiring:
self.prepare_user_pgp_alerts(session, tid, user_desc)
if self.state.tenant_cache[tid].notification.disable_admin_notification_emails:
continue
if expired_or_expiring:
self.prepare_admin_pgp_alerts(session, tid, expired_or_expiring)
def db_check_for_expiring_submissions(self, session):
for tid in self.state.tenant_state:
threshold = datetime_now() + timedelta(hours=self.state.tenant_cache[tid].notification.tip_expiration_threshold)
for user in session.query(models.User).filter(models.User.role == u'receiver',
models.UserTenant.user_id == models.User.id,
models.UserTenant.tenant_id == tid):
itip_ids = [id[0] for id in session.query(models.InternalTip.id)
.filter(models.InternalTip.tid == tid,
models.ReceiverTip.internaltip_id == models.InternalTip.id,
models.InternalTip.expiration_date < threshold,
models.ReceiverTip.receiver_id == user.id)]
if not len(itip_ids):
continue
earliest_expiration_date = session.query(func.min(models.InternalTip.expiration_date)) \
.filter(models.InternalTip.id.in_(itip_ids)).one()[0]
user_desc = user_serialize_user(session, user, user.language)
data = {
'type': u'tip_expiration_summary',
'node': db_admin_serialize_node(session, tid, user.language),
'notification': db_get_notification(session, tid, user.language),
'user': user_desc,
'expiring_submission_count': len(itip_ids),
'earliest_expiration_date': datetime_to_ISO8601(earliest_expiration_date)
}
subject, body = Templating().get_mail_subject_and_body(data)
session.add(models.Mail({
'tid': tid,
'address': user_desc['mail_address'],
'subject': subject,
'body': body
}))
def serialize_obj(self, session, key, obj, tid, language):
obj_id = obj.id
cache_key = gen_cache_key(key, tid, obj_id, language)
cache_obj = None
if cache_key not in self.cache:
if key == 'user':
cache_obj = user_serialize_user(session, obj, language)
elif key == 'context':
cache_obj = admin_serialize_context(session, obj, language)
elif key == 'tip':
itip = session.query(models.InternalTip).filter(models.InternalTip.id == obj.internaltip_id).one()
cache_obj = serialize_rtip(session, obj, itip, language)
elif key == 'message':
cache_obj = serialize_message(session, obj)
elif key == 'comment':
cache_obj = serialize_comment(session, obj)
elif key == 'file':
cache_obj = models.serializers.serialize_ifile(session, obj)
self.cache[cache_key] = cache_obj
return self.cache[cache_key]
def create_custodian_user(store, request, language):
return user_serialize_user(db_create_custodian(store, request, language), language)
def create_admin_user(store, request, language):
return user_serialize_user(db_create_admin(store, request, language), language)
def create_custodian(store, request, language):
"""
Currently this function simply serialize the custodian user.
In the future this will serialize the admin model with its peculiatieis.
"""
return user_serialize_user(db_create_custodian(store, request, language), language)
def db_get_admin_users(store):
return [user_serialize_user(user, GLSettings.memory_copy.default_language)
for user in store.find(models.User,models.User.role == u'admin')]
def create_user(session, tid, request, language):
return user_serialize_user(session, db_create_user(session, tid, request, language), language)
def get_user(store, user_id, language):
user = db_get_user(store, user_id)
return user_serialize_user(user, language)
def admin_update_user(store, user_id, request, language):
return user_serialize_user(db_admin_update_user(store, user_id, request, language), language)
def create_receiver_user(store, request, language):
receiver = db_create_receiver(store, request, language)
return user_serialize_user(receiver.user, language)
def db_get_admin_users(session, tid):
users = session.query(models.User).filter(models.User.role == u'admin',
models.UserTenant.user_id == models.User.id,
models.UserTenant.tenant_id == tid)
return [user_serialize_user(session, user, State.tenant_cache[tid].default_language) for user in users]
def admin_update_user(session, tid, user_id, request, language):
return user_serialize_user(session, db_admin_update_user(session, tid, user_id, request, language), language)
