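def create_user():
    """Create a user from the JSON request body.

    Expected body keys: ``email`` (required), ``role`` (required, one of
    ``user``/``administrator``), and optionally ``name``, ``groups`` (a list
    of existing group names) and ``invitation`` (truthy -> status ``invited``,
    otherwise ``active``).

    Returns a JSON document with ``success`` and either the sanitized user or
    a ``reason`` code.  All validation runs before anything is written, so a
    rejected request leaves the database untouched.

    NOTE(review): no authorization check is visible in this view although it
    can create ``administrator`` accounts; presumably the route or a decorator
    outside this listing restricts who may call it -- confirm.
    """
    user = request.json or {}

    # Reject a body without an email up front.  The original indexed
    # user["email"] directly, which turned a missing field into a 500.
    email = user.get('email')
    if not email:
        return jsonify(success=False, reason='missing-required-field')
    if User.get_user(email) is not None:
        return jsonify(success=False, reason='user-already-exists')

    group_names = user.get('groups') or []
    for group_name in group_names:
        if not Group.get_group(group_name):
            return jsonify(success=False, reason='unknown-group')

    role = user.get('role')
    if role not in ('user', 'administrator'):
        return jsonify(success=False, reason='invalid-role')

    new_user = User(user.get('name'), email)
    new_user.created = datetime.datetime.utcnow()
    new_user.status = 'invited' if user.get('invitation') else 'active'
    new_user.role = role
    new_user.last_login = None
    # The original also generated ``api_key = str(uuid.uuid4())`` here but
    # never stored or returned it; that dead assignment has been dropped.

    # Attach the (already verified) groups before the single commit so a
    # failure while resolving memberships cannot leave a user row behind
    # without its groups -- the original committed twice.
    for group_name in group_names:
        new_user.groups.append(Group.get_group(group_name))

    db.session.add(new_user)
    db.session.commit()
    return jsonify(success=True, user=sanitize_user(new_user))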
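def _latest_scan_for_plan(site, site_url, plan_name):
    """Return the most recent scan of *site* that ran *plan_name* against
    *site_url*, or ``None`` when there is none.

    A scan matches when the ``name`` in its JSON ``plan`` equals *plan_name*
    and the ``target`` in its JSON ``configuration`` equals *site_url*.
    """
    matching = []
    for scan in site.scans:
        if scan.plan is None:
            continue
        if json.loads(scan.plan).get('name') != plan_name:
            continue
        config = json.loads(scan.configuration)
        if config.get('target') == site_url:
            matching.append(scan)
    if not matching:
        return None
    # The report shows the *latest* scan per site/plan.
    return max(matching, key=lambda s: s.created)


def get_reports_sites():
    """Report the latest scan, per site and plan, for the sites a user can see.

    Query parameters: ``user`` (email; without it the report is empty) and an
    optional ``group_name`` that narrows the report to that group's sites.
    Each entry carries the target URL, the plan name, the summarized latest
    scan (or ``None``) and the plan's schedule (``crontab``/``scheduleEnabled``).

    Fixes relative to the original: the sort used ``cmp(x.created, y, created)``
    -- a typo that raised ``NameError`` as soon as a site had a matching scan --
    and, had it worked, would have picked the *oldest* scan rather than the
    most recent one.  The group branch now goes through
    ``_find_sites_for_user_by_group_name`` so the sites are the ones the user
    can see as a member of the group (the original listed every site of any
    existing group regardless of membership); this matches the helper's
    contract and the issues report.
    """
    result = []
    group_name = request.args.get('group_name')
    user_email = request.args.get('user')

    if user_email is None:
        return jsonify(success=True, report=result)

    user = User.get_user(user_email)
    if user is None:
        return jsonify(success=False, reason='no-such-user')

    if group_name:
        if Group.get_group(group_name) is None:
            return jsonify(success=False, reason='no-such-group')
        # Membership-aware: a user outside the group gets an empty report
        # instead of the group's whole site list.
        site_list = _find_sites_for_user_by_group_name(user_email, group_name)
    else:
        site_list = user.sites()

    for site_url in sorted(site_list):
        site = Site.get_site_by_url(site_url)
        if site is None:
            continue
        for plan in site.plans:
            schedule = ScanSchedule.get_schedule(site.site_uuid, plan.plan_uuid)
            crontab = schedule['crontab'] if schedule is not None else None
            schedule_enabled = schedule['enabled'] if schedule is not None else False

            latest = _latest_scan_for_plan(site, site_url, plan.name)
            result.append({
                'target': site_url,
                'plan': plan.name,
                'scan': summarize_scan(latest) if latest is not None else None,
                'crontab': crontab,
                'scheduleEnabled': schedule_enabled,
            })
    return jsonify(success=True, report=result)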
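def create_group():
    """Create a group from the JSON request body (validation per issue#132).

    Expected keys: ``name`` (required), optional ``description``, ``users``
    (list of existing user emails) and ``sites`` (list of existing site URLs).
    Every referenced user and site must exist and the name must be unused;
    otherwise a ``reason`` is returned and nothing is written.

    NOTE(review): the ``'user %s does not exist'`` / ``'site %s does not exist'``
    reasons echo request input back to the client, unlike the fixed codes the
    other views use (``no-such-user``/``no-such-site``).  They are kept
    verbatim because clients may match on them, but a client that renders the
    reason as HTML must escape it.
    """
    group = request.json or {}

    name = group.get('name')
    if not name:
        return jsonify(success=False, reason='name-field-is-required')

    user_emails = group.get('users') or []
    site_urls = group.get('sites') or []

    for email in user_emails:
        if not User.get_user(email):
            return jsonify(success=False, reason='user %s does not exist' % email)
    for url in site_urls:
        if not Site.get_site_by_url(url):
            return jsonify(success=False, reason='site %s does not exist' % url)

    if Group.get_group(name) is not None:
        return jsonify(success=False, reason='group-already-exists')

    # XXX - still a hack: the group's owner and parent are whatever rows the
    # database returns first, not a designated admin user/group.  Kept as the
    # original did, but fetched with first() rather than loading every row.
    # With no users at all this fails (AttributeError on None) just as the
    # original failed with IndexError.
    admin_user = User.query.first()
    admin_group = Group.query.first()

    new_group = Group(name, admin_user.email, admin_group)
    new_group.created = datetime.datetime.utcnow()
    new_group.description = group.get('description', "")

    # Names/URLs were verified above, so the lookups cannot yield None here.
    for email in user_emails:
        new_group.users.append(User.get_user(email))
    for url in site_urls:
        new_group.sites.append(Site.get_site_by_url(url))

    db.session.add(new_group)
    db.session.commit()

    return jsonify(success=True, group=sanitize_group(Group.get_group(name)))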
def delete_group(group_name):
    """Delete the group called *group_name* and commit.

    Responds with ``reason='no-such-group'`` when the name is unknown.
    No authorization check is performed here; presumably the route or a
    decorator outside this listing enforces it -- confirm.
    """
    target = Group.get_group(group_name)
    if not target:
        return jsonify(success=False, reason='no-such-group')

    db.session.delete(target)
    db.session.commit()

    return jsonify(success=True)
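def update_user(user_email):
    """Apply a partial update to the user identified by *user_email*.

    The JSON body may carry ``name``, ``role`` (``user``/``administrator``),
    ``status`` (``active``/``banned``) and ``groups`` (a full replacement list
    of existing group names).  Absent keys leave the field untouched.  All
    validation happens before any change is made.

    Fix: the original cleared memberships with
    ``for group in old_user.groups: old_user.groups.remove(group)``, which
    mutates the list while iterating it and therefore skips every other entry
    -- memberships that should have been revoked silently survived.  The loop
    now iterates over a snapshot of the list.

    NOTE(review): ``role`` may be raised to ``administrator`` here with no
    visible check on who is calling; presumably enforced outside this view.
    """
    new_user = request.json or {}

    old_user = User.get_user(user_email)
    if old_user is None:
        return jsonify(success=False, reason='unknown-user')

    group_names = new_user.get('groups') or []
    if 'groups' in new_user:
        for group_name in group_names:
            if not Group.get_group(group_name):
                return jsonify(success=False, reason='unknown-group')
    if 'role' in new_user and new_user['role'] not in ('user', 'administrator'):
        return jsonify(success=False, reason='invalid-role')
    if 'status' in new_user and new_user['status'] not in ('active', 'banned'):
        return jsonify(success=False, reason='unknown-status-option')

    if 'groups' in new_user:
        # Replace the whole membership list; iterate a copy so every entry
        # is actually removed.
        for group in list(old_user.groups):
            old_user.groups.remove(group)
        for group_name in group_names:
            old_user.groups.append(Group.get_group(group_name))

    if 'name' in new_user:
        old_user.name = new_user['name']
    if 'role' in new_user:
        old_user.role = new_user['role']
    if 'status' in new_user:
        old_user.status = new_user['status']

    db.session.commit()

    # Re-read so the response reflects what was persisted.
    user = User.get_user(user_email)
    if not user:
        return jsonify(success=False, reason='unknown-user')
    return jsonify(success=True, user=sanitize_user(user))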
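def _find_sites_for_user_by_group_name(email, group_name):
    """Return the URLs of the sites in *group_name* that *email* may see.

    Returns an empty list when the user or the group does not exist, or when
    the user is not a member of the group -- membership is the access check.
    Always returns a real list: the original returned ``map(...)``, which on
    Python 3 is a lazy iterator that callers (``get_reports_issues`` appends
    to the result) cannot use as a list.
    """
    group = Group.get_group(group_name)
    user = User.get_user(email)
    if not user or not group:
        return []
    if user not in group.users:
        return []
    return [site.url for site in group.sites]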
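def _lookup_all(values, lookup):
    """Map each of *values* through *lookup*; return ``None`` if any is missing."""
    found = []
    for value in values:
        obj = lookup(value)
        if not obj:
            return None
        found.append(obj)
    return found


def patch_group(group_name):
    """Apply add/remove edits to a group's site and user membership.

    JSON body keys (all optional lists): ``addSites``/``removeSites`` (site
    URLs) and ``addUsers``/``removeUsers`` (user emails).  Every referenced
    site and user must exist; the patch is fully resolved before any edit is
    applied.  Adding an existing member or removing a non-member is a no-op.

    Fixes: the error paths called ``jsonoify(success = false, ...)`` -- two
    ``NameError``s -- so any unknown site or user produced a 500 instead of the
    intended ``no-such-site``/``no-such-user`` response; and the
    ``removeUsers`` loop looked up ``email`` left over from the ``addUsers``
    loop instead of the entry being iterated, so it never removed the users it
    was asked to (a silent no-op revocation, or a ``NameError`` when
    ``addUsers`` was empty).
    """
    patch = request.json or {}

    group = Group.get_group(group_name)
    if not group:
        return jsonify(success=False, reason='no-such-group')

    # Resolve every reference first (same check order as the original) so a
    # bad entry late in the patch does not leave earlier edits pending.
    add_sites = _lookup_all(patch.get('addSites') or [], Site.get_site_by_url)
    remove_sites = _lookup_all(patch.get('removeSites') or [], Site.get_site_by_url)
    if add_sites is None or remove_sites is None:
        return jsonify(success=False, reason='no-such-site')
    add_users = _lookup_all(patch.get('addUsers') or [], User.get_user)
    remove_users = _lookup_all(patch.get('removeUsers') or [], User.get_user)
    if add_users is None or remove_users is None:
        return jsonify(success=False, reason='no-such-user')

    for site in add_sites:
        if site not in group.sites:
            group.sites.append(site)
    for site in remove_sites:
        if site in group.sites:
            group.sites.remove(site)
    for user in add_users:
        if user not in group.users:
            group.users.append(user)
    for user in remove_users:
        if user in group.users:
            group.users.remove(user)

    db.session.commit()
    group = Group.get_group(group_name)
    return jsonify(success=True, group=sanitize_group(group))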
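def create_site():
    """Create a site from the JSON request body.

    Keys: ``url`` (required, must pass ``_check_site_url``), optional
    ``groups`` (existing group names), ``plans`` (existing plan names) and
    ``verification`` (``{"enabled": true}`` to issue a verification token).
    All checks run before the insert; on success the freshly re-read site is
    returned via ``Site.dict()``.

    The missing-field check now runs before the URL validity check: in the
    original a body without ``url`` was handed to ``_check_site_url(None)``
    first, so the ``missing-required-field`` branch could only be reached if
    that helper accepted ``None``.
    """
    site = request.json or {}

    url = site.get('url')
    if not url:
        return jsonify(success=False, reason='missing-required-field')
    if not _check_site_url(url):
        return jsonify(success=False, reason='invalid-url')

    group_names = site.get('groups') or []
    plan_names = site.get('plans') or []
    for group_name in group_names:
        if not Group.get_group(group_name):
            return jsonify(success=False, reason='unknown-group')
    for plan_name in plan_names:
        if not Plan.get_plan(plan_name):
            return jsonify(success=False, reason='unknown-plan')
    if Site.get_site_by_url(url) is not None:
        return jsonify(success=False, reason='site-already-exists')

    new_site = Site(url)
    new_site.created = datetime.datetime.utcnow()
    for plan_name in plan_names:
        new_site.plans.append(Plan.get_plan(plan_name))
    for group_name in group_names:
        new_site.groups.append(Group.get_group(group_name))

    # The verification value is a random UUID4 (os.urandom-backed in CPython),
    # i.e. unguessable, which is what an ownership-proof token needs.  A
    # secrets-based token would be the modern choice but would change the
    # stored format.
    verification = site.get('verification') or {}
    if verification.get('enabled', False):
        new_site.verification_enabled = True
        new_site.verification_value = str(uuid.uuid4())
    else:
        new_site.verification_enabled = False
        new_site.verification_value = None

    db.session.add(new_site)
    db.session.commit()
    new_site = Site.get_site(new_site.site_uuid)
    return jsonify(success=True, site=new_site.dict())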
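def update_site(site_id):
    """Replace a site's group list and/or plan list from the JSON body.

    ``groups`` and ``plans`` are each optional; when present, the given list
    of existing names fully replaces the current one, when absent the field is
    untouched.  Validation runs before any change is made.

    Fix: the original purged the old lists with
    ``for group in site.groups: site.groups.remove(group)`` (and the same for
    plans), which mutates the list while iterating it and so removes only
    every other entry -- a group that should have lost access to the site
    could keep it.  The purge now iterates over a snapshot of the list.
    """
    new_site = request.json or {}

    site = Site.get_site(site_id)
    if not site:
        return jsonify(success=False, reason='no-such-site')

    group_names = new_site.get('groups') or []
    plan_names = new_site.get('plans') or []
    for group_name in group_names:
        if not Group.get_group(group_name):
            return jsonify(success=False, reason='unknown-group')
    for plan_name in plan_names:
        if not Plan.get_plan(plan_name):
            return jsonify(success=False, reason='unknown-plan')

    if 'groups' in new_site:
        for group in list(site.groups):
            site.groups.remove(group)
        for group_name in group_names:
            site.groups.append(Group.get_group(group_name))

    if 'plans' in new_site:
        for plan in list(site.plans):
            site.plans.remove(plan)
        for plan_name in plan_names:
            site.plans.append(Plan.get_plan(plan_name))

    db.session.commit()

    # Re-read so the response reflects what was persisted.
    site = Site.get_site(site_id)
    if not site:
        return jsonify(success=False, reason='no-such-site')
    return jsonify(success=True, site=site.dict())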
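def get_reports_issues():
    """Report the issues found by the latest scan of each site a user can see.

    Query parameters: ``user`` (email; without it the report is empty) and an
    optional ``group_name`` restricting the report to that group's sites.
    Each entry is ``{'target': url, 'issues': [...]}`` with the issues of the
    site's most recent scan (empty if the site was never scanned).  An unknown
    ``group_name`` yields an empty report, as in the original.

    Fix: with ``group_name`` the original took the membership-filtered list
    from ``_find_sites_for_user_by_group_name`` and then appended *all* of the
    group's sites again, which duplicated every entry for a member and let a
    non-member see the group's sites.  Only the membership-filtered list is
    used now.
    """
    result = []
    group_name = request.args.get('group_name')
    user_email = request.args.get('user')
    if user_email is None:
        return jsonify(success=True, report=result)

    user = User.get_user(user_email)
    if user is None:
        return jsonify(success=False, reason='no-such-user')

    if group_name:
        site_list = _find_sites_for_user_by_group_name(user_email, group_name)
    else:
        site_list = user.sites()

    for site_url in sorted(site_list):
        entry = {'target': site_url, 'issues': []}
        site = Site.get_site_by_url(site_url)
        if site is not None:
            scans = list(site.scans)
            if scans:
                # Most recent scan only (max picks the first of equal timestamps,
                # as the original's stable reverse sort did).
                latest = max(scans, key=lambda scan: scan.created)
                for session in latest.sessions:
                    for issue in session.issues:
                        entry['issues'].append({
                            'severity': issue.severity,
                            'summary': issue.summary,
                            'scan': {'id': latest.scan_uuid},
                            'id': issue.issue_uuid,
                        })
        result.append(entry)
    return jsonify(success=True, report=result)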
def _check_group_exists(group_name):
    """Return True when a group named *group_name* exists, else False."""
    existing = Group.get_group(group_name)
    return existing is not None
def get_group(group_name):
    """Return the sanitized group named *group_name* as JSON.

    Responds with ``reason='no-such-group'`` when the name is unknown.
    """
    found = Group.get_group(group_name)
    if found:
        return jsonify(success=True, group=sanitize_group(found))
    return jsonify(success=False, reason='no-such-group')