def require_auth():
if request.method == "OPTIONS":
return
auth = request.headers.get("Authorization")
g.auth_user = None
if auth and auth.startswith("Bearer "):
token = auth.split(" ", 1)[1]
g.auth_user = User.verify_session_token(token)
# Not a session token? Maybe APIKey token
if g.auth_user is None:
g.auth_user = APIKey.verify_token(token)
# Still nothing? Maybe legacy API key
if g.auth_user is None:
g.auth_user = User.verify_legacy_token(token)
if g.auth_user is not None:
getLogger().warning(
"'%s' used legacy auth token for authentication",
g.auth_user.login)
if g.auth_user:
if (app_config.mwdb.enable_maintenance
and g.auth_user.login != app_config.mwdb.admin_login):
raise Forbidden("Maintenance underway. Please come back later.")
if g.auth_user.disabled:
raise Forbidden("User has been disabled.")
def require_auth():
if request.method == "OPTIONS":
return
auth = request.headers.get("Authorization")
g.auth_user = None
if auth and auth.startswith("Bearer "):
token = auth.split(" ", 1)[1]
g.auth_user = User.verify_session_token(token)
# Not a session token? Maybe APIKey token
if g.auth_user is None:
g.auth_user = APIKey.verify_token(token)
# Still nothing? Maybe legacy API key
if g.auth_user is None:
g.auth_user = User.verify_legacy_token(token)
if g.auth_user is not None:
getLogger().warning(
"'%s' used legacy auth token for authentication", g.auth_user.login
)
if g.auth_user:
if (
app_config.mwdb.enable_maintenance
and g.auth_user.login != app_config.mwdb.admin_login
):
raise Forbidden("Maintenance underway. Please come back later.")
if g.auth_user.disabled:
raise Forbidden("User has been disabled.")
if app_config.mwdb.enable_rate_limit and not g.auth_user.has_rights(
Capabilities.unlimited_requests
):
"""
Single sample view in malwarefront generates 7 requests (6 GET, 1 POST)
"""
if request.method == "GET":
"""
DownloadResource is token-based and shouldn't be limited
"""
if request.endpoint != api.endpoint_for(DownloadResource):
# 1000 per 10 seconds
rate_limit("get-request", 10, 1000)
# 2000 per 1 minute
rate_limit("get-request", 60, 2000)
# 6000 per 5 minutes
rate_limit("get-request", 5 * 60, 6000)
# 10000 per 15 minutes
rate_limit("get-request", 15 * 60, 10000)
else:
# 10 per 10 seconds
rate_limit("set-request", 10, 10)
# 30 per 1 minute
rate_limit("set-request", 60, 30)
# 100 per 5 minutes
rate_limit("set-request", 5 * 60, 100)
# 200 per 15 minutes
rate_limit("set-request", 15 * 60, 200)
def log_request(response):
response_time = datetime.utcnow() - g.request_start_time
response_size = response.calculate_content_length()
getLogger().info('request', extra={'path': request.path,
'arguments': request.args,
'method': request.method,
'status': response.status_code,
'response_time': response_time,
'response_size': response_size})
return response
def log_request(response):
response_time = datetime.utcnow() - g.request_start_time
response_size = response.calculate_content_length()
getLogger().info(
"request",
extra={
"path": request.path,
"arguments": request.args,
"method": request.method,
"status": response.status_code,
"response_time": response_time,
"response_size": response_size,
},
)
return response
import contextlib
import functools
import importlib
import pkgutil
import sys
from mwdb.core.app import api, app
from mwdb.core.config import app_config
from mwdb.core.log import getLogger
from mwdb.core.util import is_subdir
from mwdb.model import Config, File, Object, TextBlob
logger = getLogger()
_plugin_handlers = []
loaded_plugins = {}
class PluginAppContext(object):
def register_hook_handler(self, hook_handler_cls):
global _plugin_handlers
_plugin_handlers.append(hook_handler_cls())
def register_resource(self, resource, *urls, **kwargs):
api.add_resource(resource, *urls, **kwargs)
def register_converter(self, converter_name, converter):
app.url_map.converters[converter_name] = converter
def register_schema_spec(self, schema_name, schema):
api.spec.components.schema(schema_name, schema=schema)
from functools import wraps
from json import JSONDecodeError
from flask import g, request
from marshmallow import EXCLUDE, ValidationError
from werkzeug.exceptions import BadRequest, Forbidden, Unauthorized
from mwdb.core import log
from mwdb.model import Config, File, Object, TextBlob
logger = log.getLogger()
def requires_capabilities(*required_caps):
"""
Decorator for endpoints which require specific permission.
Available capabilities are declared in capabilities.Capabilities
"""
def decorator(f):
@wraps(f)
def endpoint(*args, **kwargs):
for required_cap in required_caps:
if not g.auth_user.has_rights(required_cap):
raise Forbidden(f"You don't have required capability "
f"({required_cap}) to perform this action")
return f(*args, **kwargs)
return endpoint
return decorator
