def edit_user(username):
own_user = username == current_user.name
if not current_user.role.is_administrator and not own_user:
forbidden()
user = User.query.filter_by(name=username).first()
if not user:
return not_found()
form = UserForm(edit=True)
if not form.is_submitted():
form.username.data = user.name
form.email.data = user.email
form.role.data = user.role.name
form.active.data = user.active
if not form.validate_on_submit():
return render_template('admin/form/user.html',
title='Edit {}'.format(username),
form=form,
User=User,
random_password=True,
password_length={
'min': TRACKER_PASSWORD_LENGTH_MIN,
'max': TRACKER_PASSWORD_LENGTH_MAX
})
active_admins = User.query.filter_by(active=True,
role=UserRole.administrator).count()
if user.id == current_user.id and 1 == active_admins and not form.active.data:
return forbidden()
user.name = form.username.data
user.email = form.email.data
user.role = UserRole.fromstring(form.role.data)
if form.random_password.data:
form.password.data = random_string()
if form.password.data and 0 != len(form.password.data):
user.salt = random_string()
user.password = hash_password(form.password.data, user.salt)
user.active = form.active.data
user_invalidate(user)
db.session.commit()
flash_password = ''
if form.random_password.data:
flash_password = '******'.format(form.password.data)
flash('Edited user {}{}'.format(user.name, flash_password))
return redirect('/user')
def delete_user(username):
user = User.query.filter_by(name=username).first()
if not user:
return not_found()
form = ConfirmForm()
title = 'Delete {}'.format(username)
if not form.validate_on_submit():
return render_template('admin/form/delete_user.html',
title=title,
heading=title,
form=form,
user=user)
if not form.confirm.data:
return redirect('/user')
active_admins = User.query.filter_by(active=True,
role=UserRole.administrator).count()
if user.id == current_user.id and 1 >= active_admins:
return forbidden()
user_invalidate(user)
db.session.delete(user)
db.session.commit()
flash('Deleted user {}'.format(user.name))
return redirect('/user')
def delete_advisory(advisory_id):
advisory, pkg, group = (db.session.query(Advisory, CVEGroupPackage, CVEGroup)
.filter(Advisory.id == advisory_id)
.join(CVEGroupPackage).join(CVEGroup)).first()
if not advisory:
return not_found()
if Publication.scheduled != advisory.publication:
return forbidden()
form = ConfirmForm()
title = 'Delete {}'.format(advisory.id)
if not form.validate_on_submit():
return render_template('form/delete_advisory.html',
title=title,
heading=title,
form=form,
advisory=advisory,
pkg=pkg,
group=group)
if not form.confirm.data:
return redirect('/{}'.format(advisory.id))
db.session.delete(advisory)
db.session.commit()
flash('Deleted {}'.format(advisory.id))
return redirect('/')
def delete_group(avg):
avg_id = avg.replace('AVG-', '')
entries = (db.session.query(
CVEGroup, CVE,
CVEGroupPackage, Advisory).filter(CVEGroup.id == avg_id).join(
CVEGroupEntry, CVEGroup.issues).join(CVE, CVEGroupEntry.cve).join(
CVEGroupPackage, CVEGroup.packages).outerjoin(
Advisory,
Advisory.group_package_id == CVEGroupPackage.id)).all()
if not entries:
return not_found()
group = entries[0][0]
issues = set()
packages = set()
advisories = set()
for group, issue, pkg, advisory in entries:
issues.add(issue)
packages.add(pkg)
if advisory:
advisories.add(advisory)
if not user_can_delete_group(advisories):
return forbidden()
issues = sorted(issues, key=lambda item: item.id)
packages = sorted(packages, key=lambda item: item.pkgname)
advisories = sorted(advisories, key=lambda item: item.id, reverse=True)
form = ConfirmForm()
title = 'Delete {}'.format(avg)
if not form.validate_on_submit():
return render_template('form/delete_group.html',
title=title,
heading=title,
form=form,
group=group,
issues=issues,
packages=packages)
if not form.confirm.data:
return redirect('/{}'.format(group))
db.session.delete(group)
db.session.commit()
flash('Deleted {}'.format(group))
return redirect('/')
def delete_issue(issue):
entries = (db.session.query(CVE, CVEGroup, CVEGroupPackage, Advisory)
.filter(CVE.id == issue)
.outerjoin(CVEGroupEntry).outerjoin(CVEGroup).outerjoin(CVEGroupPackage)
.outerjoin(Advisory, Advisory.group_package_id == CVEGroupPackage.id)
.order_by(CVEGroup.created.desc()).order_by(CVEGroupPackage.pkgname)).all()
if not entries:
return not_found()
issue = entries[0][0]
advisories = set()
groups = set()
group_packages = defaultdict(set)
for cve, group, pkg, advisory in entries:
if group:
groups.add(group)
group_packages[group].add(pkg.pkgname)
if advisory:
advisories.add(advisory)
if not user_can_delete_issue(advisories):
return forbidden()
group_ids = [group.id for group in groups]
group_entries = (db.session.query(CVEGroup, CVE)
.join(CVEGroupEntry).join(CVE)
.order_by(CVE.id.desc()))
if group_ids:
group_entries = group_entries.filter(CVEGroup.id.in_(group_ids))
group_entries = group_entries.all()
group_issues = defaultdict(set)
for group, cve in group_entries:
group_issues[group].add(cve)
groups = sorted(groups, key=lambda item: item.created, reverse=True)
groups = sorted(groups, key=lambda item: item.status)
group_packages = dict(map(lambda item: (item[0], sorted(item[1])), group_packages.items()))
form = ConfirmForm()
title = 'Delete {}'.format(issue)
if not form.validate_on_submit():
return render_template('form/delete_cve.html',
title=title,
heading=title,
form=form,
issue=issue,
groups=groups,
group_packages=group_packages,
group_issues=group_issues)
if not form.confirm.data:
return redirect('/{}'.format(issue))
# delete groups that only contain this issue
for group, issues in group_issues.items():
if 0 == len(list(filter(lambda e: e.id != issue.id, issues))):
flash('Deleted {}'.format(group))
db.session.delete(group)
db.session.delete(issue)
db.session.commit()
flash('Deleted {}'.format(issue))
return redirect('/')
def sso_auth():
try:
token = oauth.idp.authorize_access_token()
parsed_token = oauth.idp.parse_id_token(token)
except AuthlibBaseError as e:
return bad_request(f'{e.description}')
idp_user_sub = parsed_token.get('sub')
if not idp_user_sub:
return bad_request(LOGIN_ERROR_MISSING_USER_SUB_FROM_TOKEN)
idp_email_verified = parsed_token.get('email_verified')
if not idp_email_verified:
return forbidden(LOGIN_ERROR_EMAIL_ADDRESS_NOT_VERIFIED)
idp_email = parsed_token.get('email')
if not idp_email:
return bad_request(LOGIN_ERROR_MISSING_EMAIL_FROM_TOKEN)
idp_username = parsed_token.get('preferred_username')
if not idp_username:
return bad_request(LOGIN_ERROR_MISSING_USERNAME_FROM_TOKEN)
idp_groups = parsed_token.get('groups')
if idp_groups is None:
return bad_request(LOGIN_ERROR_MISSING_GROUPS_FROM_TOKEN)
user_role = get_user_role_from_idp_groups(idp_groups)
if not user_role:
return forbidden(LOGIN_ERROR_PERMISSION_DENIED)
# get local user from current authenticated idp id
user = db.get(User, idp_id=idp_user_sub)
if not user:
# get local user from idp email address
user = db.get(User, email=idp_email)
if user:
# prevent impersonation by checking whether this email is associated with an idp id
if user.idp_id:
return forbidden(
LOGIN_ERROR_EMAIL_ASSOCIATED_WITH_DIFFERENT_SUB)
# email is already associated with a different username
if user.name != idp_username:
return forbidden(
LOGIN_ERROR_EMAIL_ASSOCIATED_WITH_DIFFERENT_USERNAME)
# prevent integrity error for mismatching mail between db and keycloak
check_user = db.get(User, name=idp_username)
if check_user and check_user.email != idp_email:
return forbidden(
LOGIN_ERROR_USERNAME_ASSOCIATE_WITH_DIFFERENT_EMAIL)
if user:
user.role = user_role
user.email = idp_email
else:
salt = random_string()
user = db.create(User,
name=idp_username,
email=idp_email,
salt=salt,
password=hash_password(
random_string(TRACKER_PASSWORD_LENGTH_MAX), salt),
role=user_role,
active=True,
idp_id=idp_user_sub)
db.session.add(user)
db.session.commit()
user = user_assign_new_token(user)
user.is_authenticated = True
login_user(user)
return redirect(url_for('tracker.index'))
def add_cve():
form = CVEForm()
if not form.validate_on_submit():
return render_template('form/cve.html',
title='Add CVE',
form=form,
CVE=CVE)
cve = db.get(CVE, id=form.cve.data)
if cve is not None:
advisories = (db.session.query(Advisory).join(
CVEGroupEntry, CVEGroupEntry.cve_id == cve.id).join(
CVEGroup, CVEGroupEntry.group).join(
CVEGroupPackage, CVEGroup.packages).filter(
Advisory.group_package_id == CVEGroupPackage.id)
).all()
if not user_can_edit_issue(advisories):
flash(ERROR_ISSUE_REFERENCED_BY_ADVISORY.format(cve.id), 'error')
return forbidden()
not_merged = []
merged = False
# try to merge issue_type
if 'unknown' != form.issue_type.data:
if 'unknown' == cve.issue_type:
cve.issue_type = form.issue_type.data
merged = True
elif form.issue_type.data != cve.issue_type:
not_merged.append(form.issue_type)
form.issue_type.data = cve.issue_type
# try to merge severity
form_severity = Severity.fromstring(form.severity.data)
if Severity.unknown != form_severity:
if Severity.unknown == cve.severity:
cve.severity = form_severity
merged = True
elif form_severity != cve.severity:
not_merged.append(form.severity)
form.severity.data = cve.severity.name
# try to merge remote
form_remote = Remote.fromstring(form.remote.data)
if Remote.unknown != form_remote:
if Remote.unknown == cve.remote:
cve.remote = form_remote
merged = True
elif form_remote != cve.remote:
not_merged.append(form.remote)
form.remote.data = cve.remote.name
# try to merge description
if form.description.data:
if not cve.description:
cve.description = form.description.data
merged = True
elif form.description.data != cve.description:
not_merged.append(form.description)
form.description.data = cve.description
# try to merge references
references = cve.reference.splitlines() if cve.reference else []
old_references = references.copy()
form_references = form.reference.data.splitlines(
) if form.reference.data else []
for reference in form_references:
if reference not in references:
references.append(reference)
merged = True
if old_references != references:
cve.reference = '\n'.join(references)
form.reference.data = cve.reference
# try to merge notes
if form.notes.data:
if not cve.notes:
cve.notes = form.notes.data
merged = True
elif form.notes.data != cve.notes:
not_merged.append(form.notes)
form.notes.data = cve.notes
# if something got merged, commit and flash
if merged:
db.session.commit()
flash(CVE_MERGED.format(cve.id))
# warn if something failed to be merged
if not_merged:
for field in not_merged:
field.errors.append(ERROR_UNMERGEABLE)
not_merged_labels = [field.label.text for field in not_merged]
flash(
CVE_MERGED_PARTIALLY.format(cve.id,
', '.join(not_merged_labels)),
'warning')
return render_template('form/cve.html',
title='Edit {}'.format(cve),
form=form,
CVE=CVE,
action='{}/edit'.format(cve.id))
return redirect('/{}'.format(cve.id))
cve = CVE()
cve.id = form.cve.data
cve.issue_type = form.issue_type.data
cve.description = form.description.data
cve.severity = Severity.fromstring(form.severity.data)
cve.remote = Remote.fromstring(form.remote.data)
cve.reference = form.reference.data
cve.notes = form.notes.data
db.session.add(cve)
db.session.commit()
flash('Added {}'.format(cve.id))
return redirect('/{}'.format(cve.id))
def edit_cve(cve):
entries = (db.session.query(CVE, CVEGroup, Advisory)
.filter(CVE.id == cve)
.outerjoin(CVEGroupEntry, CVEGroupEntry.cve_id == CVE.id)
.outerjoin(CVEGroup, CVEGroupEntry.group)
.outerjoin(CVEGroupPackage, CVEGroup.packages)
.outerjoin(Advisory, Advisory.group_package_id == CVEGroupPackage.id)).all()
if not entries:
return not_found()
cve = entries[0][0]
groups = set(group for (cve, group, advisory) in entries if group)
advisories = set(advisory for (cve, group, advisory) in entries if advisory)
if not user_can_edit_issue(advisories):
return forbidden()
form = CVEForm(edit=True)
if not form.is_submitted():
form.cve.data = cve.id
form.issue_type.data = cve.issue_type
form.description.data = cve.description
form.severity.data = cve.severity.name
form.remote.data = cve.remote.name
form.reference.data = cve.reference
form.notes.data = cve.notes
if not form.validate_on_submit():
if advisories:
flash('WARNING: This is referenced by an already published advisory!', 'warning')
return render_template('form/cve.html',
title='Edit {}'.format(cve),
form=form,
CVE=CVE)
severity = Severity.fromstring(form.severity.data)
severity_changed = cve.severity != severity
issue_type_changed = cve.issue_type != form.issue_type.data
cve.issue_type = form.issue_type.data
cve.description = form.description.data
cve.severity = severity
cve.remote = Remote.fromstring(form.remote.data)
cve.reference = form.reference.data
cve.notes = form.notes.data
if severity_changed or issue_type_changed:
# update cached group severity for all goups containing this issue
group_ids = [group.id for group in groups]
issues = (db.session.query(CVEGroup, CVE)
.join(CVEGroupEntry, CVEGroup.issues)
.join(CVE, CVEGroupEntry.cve)
.group_by(CVEGroup.id).group_by(CVE.id))
if group_ids:
issues = issues.filter(CVEGroup.id.in_(group_ids))
issues = (issues).all()
if severity_changed:
group_severity = defaultdict(list)
for group, issue in issues:
group_severity[group].append(issue.severity)
for group, severities in group_severity.items():
group.severity = highest_severity(severities)
# update scheduled advisories if the issue type changes
if advisories and issue_type_changed:
group_issue_type = defaultdict(set)
for group, issue in issues:
group_issue_type[group].add(issue.issue_type)
for advisory in advisories:
if Publication.published == advisory.publication:
continue
issue_types = group_issue_type[advisory.group_package.group]
issue_type = 'multiple issues' if len(issue_types) > 1 else next(iter(issue_types))
advisory.advisory_type = issue_type
if db.session.is_modified(cve):
flash('Edited {}'.format(cve.id))
db.session.commit()
return redirect('/{}'.format(cve.id))
def edit_group(avg):
group_id = avg.replace('AVG-', '')
group_data = (db.session.query(CVEGroup, CVE, func.group_concat(CVEGroupPackage.pkgname, ' '), Advisory)
.filter(CVEGroup.id == group_id)
.join(CVEGroupEntry, CVEGroup.issues)
.join(CVE, CVEGroupEntry.cve)
.join(CVEGroupPackage, CVEGroup.packages)
.outerjoin(Advisory, Advisory.group_package_id == CVEGroupPackage.id)
.group_by(CVEGroup.id).group_by(CVE.id).group_by(CVEGroupPackage.pkgname)
.order_by(CVE.id)).all()
if not group_data:
return not_found()
group = group_data[0][0]
issues = set([cve for (group, cve, pkg, advisory) in group_data])
issue_ids = set([cve.id for cve in issues])
pkgnames = set(chain.from_iterable([pkg.split(' ') for (group, cve, pkg, advisory) in group_data]))
advisories = set(advisory for (group, cve, pkg, advisory) in group_data if advisory)
if not user_can_edit_group(advisories):
return forbidden()
form = GroupForm(pkgnames)
if not form.is_submitted():
form.affected.data = group.affected
form.fixed.data = group.fixed
form.pkgnames.data = "\n".join(sorted(pkgnames))
form.status.data = status_to_affected(group.status).name
form.reference.data = group.reference
form.notes.data = group.notes
form.bug_ticket.data = group.bug_ticket
form.advisory_qualified.data = group.advisory_qualified and group.status is not Status.not_affected
issue_ids = sorted(issue_ids, key=issue_to_numeric)
form.cve.data = "\n".join(issue_ids)
if not form.validate_on_submit():
if advisories:
flash('WARNING: This is referenced by an already published advisory!', 'warning')
return render_template('form/group.html',
title='Edit {}'.format(avg),
form=form,
CVEGroup=CVEGroup)
pkgnames_edited = multiline_to_list(form.pkgnames.data)
group.affected = form.affected.data
group.fixed = form.fixed.data
group.status = affected_to_status(Affected.fromstring(form.status.data), pkgnames_edited[0], group.fixed)
group.bug_ticket = form.bug_ticket.data
group.reference = form.reference.data
group.notes = form.notes.data
group.advisory_qualified = form.advisory_qualified.data and group.status is not Status.not_affected
cve_ids = multiline_to_list(form.cve.data)
cve_ids = set(filter(lambda s: s.startswith('CVE-'), cve_ids))
issues_removed = set(filter(lambda issue: issue not in cve_ids, issue_ids))
issues_added = set(filter(lambda issue: issue not in issue_ids, cve_ids))
issues_final = set(filter(lambda issue: issue.id not in issues_removed, issues))
issues_changed = any(issues_added) or any(issues_removed)
# remove old issues
for issue in filter(lambda issue: issue.cve_id in issues_removed, list(group.issues)):
group.issues.remove(issue)
flash('Removed {}'.format(issue.cve_id))
# add new issues
severities = [issue.severity for issue in list(filter(lambda issue: issue.id not in issues_removed, issues))]
for cve_id in issues_added:
# TODO check if we can avoid this by the latter append call
cve = db.get(CVE, id=cve_id)
if not cve:
cve = CVE.new(id=cve_id)
db.get_or_create(CVEGroupEntry, group=group, cve=cve)
flash('Added {}'.format(cve.id))
severities.append(cve.severity)
issues_final.add(cve)
group.severity = highest_severity(severities)
pkgnames_removed = set(filter(lambda pkgname: pkgname not in pkgnames_edited, pkgnames))
pkgnames_added = set(filter(lambda pkgname: pkgname not in pkgnames, pkgnames_edited))
pkgnames_changed = any(pkgnames_removed) or any(pkgnames_added)
# remove old packages
for pkg in filter(lambda pkg: pkg.pkgname in pkgnames_removed, list(group.packages)):
group.packages.remove(pkg)
flash('Removed {}'.format(pkg.pkgname))
# add new packages
for pkgname in pkgnames_added:
db.get_or_create(CVEGroupPackage, pkgname=pkgname, group=group)
flash('Added {}'.format(pkgname))
# update scheduled advisories
for advisory in advisories:
if Publication.published == advisory.publication:
continue
issue_type = 'multiple issues' if len(set([issue.issue_type for issue in issues_final])) > 1 else next(iter(issues_final)).issue_type
advisory.advisory_type = issue_type
# update changed date on modification
if pkgnames_changed or issues_changed or db.session.is_modified(group):
group.changed = datetime.utcnow()
flash('Edited {}'.format(group.name))
db.session.commit()
return redirect('/{}'.format(group.name))
def decorated_view(*args, **kwargs):
if not permission.fget(current_user.role):
from tracker.view.error import forbidden
return forbidden()
return func(*args, **kwargs)
def edit_cve(cve):
entries = (db.session.query(
CVE, CVEGroup, Advisory).filter(CVE.id == cve).outerjoin(
CVEGroupEntry, CVEGroupEntry.cve_id == CVE.id).outerjoin(
CVEGroup, CVEGroupEntry.group).outerjoin(
CVEGroupPackage, CVEGroup.packages).outerjoin(
Advisory,
Advisory.group_package_id == CVEGroupPackage.id)
).all()
if not entries:
return not_found()
cve: CVE = entries[0][0]
groups = set(group for (cve, group, advisory) in entries if group)
advisories = set(advisory for (cve, group, advisory) in entries
if advisory)
if not user_can_edit_issue(advisories):
flash(ERROR_ISSUE_REFERENCED_BY_ADVISORY.format(cve.id), 'error')
return forbidden()
form = CVEForm(edit=True)
if not form.is_submitted():
form.cve.data = cve.id
form.issue_type.data = cve.issue_type
form.description.data = cve.description
form.severity.data = cve.severity.name
form.remote.data = cve.remote.name
form.reference.data = cve.reference
form.notes.data = cve.notes
form.changed.data = str(cve.changed)
form.changed_latest.data = str(cve.changed)
concurrent_modification = str(cve.changed) != form.changed.data
if not form.validate_on_submit() or (
concurrent_modification
and not (form.force_submit.data
and str(cve.changed) == form.changed_latest.data)):
if advisories:
flash(
'WARNING: This is referenced by an already published advisory!',
'warning')
issue = None
code = 200
if concurrent_modification:
flash('WARNING: The remote data has changed!', 'warning')
code = Conflict.code
issue = CVE()
issue.id = form.cve.data
issue.issue_type = form.issue_type.data
issue.issue_type_mod = cve.issue_type != issue.issue_type
issue.description = form.description.data
issue.description_mod = cve.description != issue.description
issue.severity = Severity.fromstring(form.severity.data)
issue.severity_mod = cve.severity != issue.severity
issue.remote = Remote.fromstring(form.remote.data)
issue.remote_mod = cve.remote != issue.remote
issue.reference = form.reference.data
issue.reference_mod = cve.reference != issue.reference
issue.notes = form.notes.data
issue.notes_mod = cve.notes != issue.notes
if form.changed_latest.data != cve.changed:
form.force_submit.data = False
form.changed_latest.data = str(cve.changed)
Transaction = versioning_manager.transaction_cls
VersionClassCVE = version_class(CVE)
version = (db.session.query(
Transaction, VersionClassCVE).outerjoin(
VersionClassCVE,
Transaction.id == VersionClassCVE.transaction_id).filter(
VersionClassCVE.id == cve.id).order_by(
Transaction.issued_at.desc())).first()[1]
issue.transaction = version.transaction
issue.operation_type = version.operation_type
issue.previous = cve
return render_template(
'form/cve.html',
title='Edit {}'.format(cve),
form=form,
CVE=CVE,
issue=issue,
concurrent_modification=concurrent_modification,
can_watch_user_log=user_can_watch_user_log()), code
severity = Severity.fromstring(form.severity.data)
severity_changed = cve.severity != severity
issue_type_changed = cve.issue_type != form.issue_type.data
cve.issue_type = form.issue_type.data
cve.description = form.description.data
cve.severity = severity
cve.remote = Remote.fromstring(form.remote.data)
cve.reference = form.reference.data
cve.notes = form.notes.data
if severity_changed or issue_type_changed:
# update cached group severity for all goups containing this issue
group_ids = [group.id for group in groups]
issues = (db.session.query(
CVEGroup, CVE).join(CVEGroupEntry, CVEGroup.issues).join(
CVE, CVEGroupEntry.cve).group_by(CVEGroup.id).group_by(CVE.id))
if group_ids:
issues = issues.filter(CVEGroup.id.in_(group_ids))
issues = (issues).all()
if severity_changed:
group_severity = defaultdict(list)
for group, issue in issues:
group_severity[group].append(issue.severity)
for group, severities in group_severity.items():
group.severity = highest_severity(severities)
# update scheduled advisories if the issue type changes
if advisories and issue_type_changed:
group_issue_type = defaultdict(set)
for group, issue in issues:
group_issue_type[group].add(issue.issue_type)
for advisory in advisories:
if Publication.published == advisory.publication:
continue
issue_types = group_issue_type[advisory.group_package.group]
issue_type = 'multiple issues' if len(
issue_types) > 1 else next(iter(issue_types))
advisory.advisory_type = issue_type
if db.session.is_modified(cve) or severity_changed or issue_type_changed:
cve.changed = datetime.utcnow()
flash('Edited {}'.format(cve.id))
db.session.commit()
return redirect('/{}'.format(cve.id))