mirror of
https://github.com/ail-project/ail-framework.git
synced 2024-11-22 22:27:17 +00:00
chg: [acl] refactor acl cookiejars, trackers, retro_hunts, investigation + refactor users roles
This commit is contained in:
parent
7bf609b0e8
commit
a05e1feed6
14 changed files with 312 additions and 301 deletions
|
@ -456,29 +456,21 @@ def get_investigations_selector(org_uuid):
|
||||||
|
|
||||||
#### ACL ####
|
#### ACL ####
|
||||||
|
|
||||||
def check_access_acl(inv, user_org, is_admin=False):
|
def api_check_investigation_acl(inv, user_org, user_id, user_role, action):
|
||||||
if is_admin:
|
if not ail_orgs.check_obj_access_acl(inv, user_org, user_id, user_role, action):
|
||||||
return True
|
|
||||||
|
|
||||||
level = inv.get_level()
|
|
||||||
if level == 1:
|
|
||||||
return True
|
|
||||||
elif level == 2:
|
|
||||||
return ail_orgs.check_access_acl(inv, user_org, is_admin=is_admin)
|
|
||||||
else:
|
|
||||||
return False
|
|
||||||
|
|
||||||
def api_check_access_acl(inv_uuid, user_org, is_admin=False):
|
|
||||||
if not check_access_acl(inv_uuid, user_org, is_admin=is_admin):
|
|
||||||
return {"status": "error", "reason": "Access Denied"}, 403
|
return {"status": "error", "reason": "Access Denied"}, 403
|
||||||
|
|
||||||
|
def api_is_allowed_to_edit_investigation_level(inv, user_org, user_id, user_role, new_level):
|
||||||
|
if not ail_orgs.check_acl_edit_level(inv, user_org, user_id, user_role, new_level):
|
||||||
|
return {"status": "error", "reason": "Access Denied - Investigation level"}, 403
|
||||||
|
|
||||||
#### API ####
|
#### API ####
|
||||||
|
|
||||||
def api_get_investigation(user_org, is_admin, investigation_uuid): # TODO check if is UUIDv4
|
def api_get_investigation(user_org, user_id, user_role, investigation_uuid): # TODO check if is UUIDv4
|
||||||
investigation = Investigation(investigation_uuid)
|
investigation = Investigation(investigation_uuid)
|
||||||
if not investigation.exists():
|
if not investigation.exists():
|
||||||
return {'status': 'error', 'reason': 'Investigation Not Found'}, 404
|
return {'status': 'error', 'reason': 'Investigation Not Found'}, 404
|
||||||
res = api_check_access_acl(investigation, user_org, is_admin=is_admin)
|
res = api_check_investigation_acl(investigation, user_org, user_id, user_role, 'view')
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
|
|
||||||
|
@ -528,7 +520,7 @@ def api_add_investigation(json_dict):
|
||||||
return res, 200
|
return res, 200
|
||||||
|
|
||||||
# # TODO: edit threat level / status
|
# # TODO: edit threat level / status
|
||||||
def api_edit_investigation(user_org, user_id, is_admin, json_dict):
|
def api_edit_investigation(user_org, user_id, user_role, json_dict):
|
||||||
investigation_uuid = json_dict.get('uuid', '').replace(' ', '')
|
investigation_uuid = json_dict.get('uuid', '').replace(' ', '')
|
||||||
if not is_valid_uuid_v4(investigation_uuid):
|
if not is_valid_uuid_v4(investigation_uuid):
|
||||||
return {"status": "error", "reason": "Invalid Investigation uuid"}, 400
|
return {"status": "error", "reason": "Invalid Investigation uuid"}, 400
|
||||||
|
@ -536,7 +528,18 @@ def api_edit_investigation(user_org, user_id, is_admin, json_dict):
|
||||||
if not exists_investigation(investigation_uuid):
|
if not exists_investigation(investigation_uuid):
|
||||||
return {"status": "error", "reason": "Investigation not found"}, 404
|
return {"status": "error", "reason": "Investigation not found"}, 404
|
||||||
investigation = Investigation(investigation_uuid)
|
investigation = Investigation(investigation_uuid)
|
||||||
res = api_check_access_acl(investigation, user_org, is_admin=is_admin)
|
res = api_check_investigation_acl(investigation, user_org, user_id, user_role, 'edit')
|
||||||
|
if res:
|
||||||
|
return res
|
||||||
|
|
||||||
|
level = json_dict.get('level', 1)
|
||||||
|
try:
|
||||||
|
level = int(level)
|
||||||
|
except TypeError:
|
||||||
|
level = 1
|
||||||
|
if level not in range(1, 3):
|
||||||
|
level = 1
|
||||||
|
res = api_is_allowed_to_edit_investigation_level(investigation, user_org, user_id, user_role, level)
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
|
|
||||||
|
@ -561,13 +564,6 @@ def api_edit_investigation(user_org, user_id, is_admin, json_dict):
|
||||||
if not Tag.are_enabled_tags(tags):
|
if not Tag.are_enabled_tags(tags):
|
||||||
return {"status": "error", "reason": "Invalid/Disabled tags"}, 400
|
return {"status": "error", "reason": "Invalid/Disabled tags"}, 400
|
||||||
|
|
||||||
level = json_dict.get('level', 1)
|
|
||||||
try:
|
|
||||||
level = int(level)
|
|
||||||
except TypeError:
|
|
||||||
level = 1
|
|
||||||
if level not in range(1, 3):
|
|
||||||
level = 1
|
|
||||||
old_level = investigation.get_level()
|
old_level = investigation.get_level()
|
||||||
if level != old_level:
|
if level != old_level:
|
||||||
investigation.reset_level(old_level, level, user_org)
|
investigation.reset_level(old_level, level, user_org)
|
||||||
|
@ -581,7 +577,7 @@ def api_edit_investigation(user_org, user_id, is_admin, json_dict):
|
||||||
|
|
||||||
return investigation_uuid, 200
|
return investigation_uuid, 200
|
||||||
|
|
||||||
def api_delete_investigation(user_org, user_id, is_admin, json_dict):
|
def api_delete_investigation(user_org, user_id, user_role, json_dict):
|
||||||
investigation_uuid = json_dict.get('uuid', '').replace(' ', '')
|
investigation_uuid = json_dict.get('uuid', '').replace(' ', '')
|
||||||
if not is_valid_uuid_v4(investigation_uuid):
|
if not is_valid_uuid_v4(investigation_uuid):
|
||||||
return {"status": "error", "reason": "Invalid Investigation uuid"}, 400
|
return {"status": "error", "reason": "Invalid Investigation uuid"}, 400
|
||||||
|
@ -589,13 +585,13 @@ def api_delete_investigation(user_org, user_id, is_admin, json_dict):
|
||||||
if not exists_investigation(investigation_uuid):
|
if not exists_investigation(investigation_uuid):
|
||||||
return {"status": "error", "reason": "Investigation not found"}, 404
|
return {"status": "error", "reason": "Investigation not found"}, 404
|
||||||
investigation = Investigation(investigation_uuid)
|
investigation = Investigation(investigation_uuid)
|
||||||
res = api_check_access_acl(investigation, user_org, is_admin=is_admin)
|
res = api_check_investigation_acl(investigation, user_org, user_id, user_role, 'delete')
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
res = investigation.delete()
|
res = investigation.delete()
|
||||||
return res, 200
|
return res, 200
|
||||||
|
|
||||||
def api_register_object(user_org, user_id, is_admin, json_dict):
|
def api_register_object(user_org, user_id, user_role, json_dict):
|
||||||
investigation_uuid = json_dict.get('uuid', '').replace(' ', '')
|
investigation_uuid = json_dict.get('uuid', '').replace(' ', '')
|
||||||
if not is_valid_uuid_v4(investigation_uuid):
|
if not is_valid_uuid_v4(investigation_uuid):
|
||||||
return {"status": "error", "reason": f"Invalid Investigation uuid: {investigation_uuid}"}, 400
|
return {"status": "error", "reason": f"Invalid Investigation uuid: {investigation_uuid}"}, 400
|
||||||
|
@ -603,7 +599,7 @@ def api_register_object(user_org, user_id, is_admin, json_dict):
|
||||||
if not exists_investigation(investigation_uuid):
|
if not exists_investigation(investigation_uuid):
|
||||||
return {"status": "error", "reason": f"Investigation not found: {investigation_uuid}"}, 404
|
return {"status": "error", "reason": f"Investigation not found: {investigation_uuid}"}, 404
|
||||||
investigation = Investigation(investigation_uuid)
|
investigation = Investigation(investigation_uuid)
|
||||||
res = api_check_access_acl(investigation, user_org, is_admin=is_admin)
|
res = api_check_investigation_acl(investigation, user_org, user_id, user_role, 'edit')
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
|
|
||||||
|
@ -622,7 +618,7 @@ def api_register_object(user_org, user_id, is_admin, json_dict):
|
||||||
res = investigation.register_object(obj_id, obj_type, subtype, comment=comment)
|
res = investigation.register_object(obj_id, obj_type, subtype, comment=comment)
|
||||||
return res, 200
|
return res, 200
|
||||||
|
|
||||||
def api_unregister_object(user_org, user_id, is_admin, json_dict):
|
def api_unregister_object(user_org, user_id, user_role, json_dict):
|
||||||
investigation_uuid = json_dict.get('uuid', '').replace(' ', '')
|
investigation_uuid = json_dict.get('uuid', '').replace(' ', '')
|
||||||
if not is_valid_uuid_v4(investigation_uuid):
|
if not is_valid_uuid_v4(investigation_uuid):
|
||||||
return {"status": "error", "reason": f"Invalid Investigation uuid: {investigation_uuid}"}, 400
|
return {"status": "error", "reason": f"Invalid Investigation uuid: {investigation_uuid}"}, 400
|
||||||
|
@ -630,7 +626,7 @@ def api_unregister_object(user_org, user_id, is_admin, json_dict):
|
||||||
if not exists_investigation(investigation_uuid):
|
if not exists_investigation(investigation_uuid):
|
||||||
return {"status": "error", "reason": f"Investigation not found: {investigation_uuid}"}, 404
|
return {"status": "error", "reason": f"Investigation not found: {investigation_uuid}"}, 404
|
||||||
investigation = Investigation(investigation_uuid)
|
investigation = Investigation(investigation_uuid)
|
||||||
res = api_check_access_acl(investigation, user_org, is_admin=is_admin)
|
res = api_check_investigation_acl(investigation, user_org, user_id, user_role, 'edit')
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
|
|
||||||
|
|
|
@ -30,7 +30,6 @@ from lib import ail_orgs
|
||||||
from lib import ConfigLoader
|
from lib import ConfigLoader
|
||||||
from lib import item_basic
|
from lib import item_basic
|
||||||
from lib import Tag
|
from lib import Tag
|
||||||
from lib.ail_users import AILUser
|
|
||||||
|
|
||||||
# LOGS
|
# LOGS
|
||||||
logging.config.dictConfig(ail_logger.get_config(name='modules'))
|
logging.config.dictConfig(ail_logger.get_config(name='modules'))
|
||||||
|
@ -476,8 +475,6 @@ class Tracker:
|
||||||
r_tracker.sadd('trackers:all', self.uuid)
|
r_tracker.sadd('trackers:all', self.uuid)
|
||||||
r_tracker.sadd(f'trackers:all:{tracker_type}', self.uuid)
|
r_tracker.sadd(f'trackers:all:{tracker_type}', self.uuid)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# TRACKER LEVEL
|
# TRACKER LEVEL
|
||||||
self.set_level(level, org)
|
self.set_level(level, org)
|
||||||
|
|
||||||
|
@ -506,7 +503,7 @@ class Tracker:
|
||||||
trigger_trackers_refresh(tracker_type)
|
trigger_trackers_refresh(tracker_type)
|
||||||
return self.uuid
|
return self.uuid
|
||||||
|
|
||||||
def edit(self, tracker_type, to_track, level, org, description=None, filters={}, tags=[], mails=[], webhook=None): # TODO ADMIN: EDIT ORG UUID
|
def edit(self, tracker_type, to_track, level, org, description=None, filters={}, tags=[], mails=[], webhook=None):
|
||||||
|
|
||||||
# edit tracker
|
# edit tracker
|
||||||
old_type = self.get_type()
|
old_type = self.get_type()
|
||||||
|
@ -868,53 +865,18 @@ def api_check_tracker_uuid(tracker_uuid):
|
||||||
return {"status": "error", "reason": "Unknown uuid"}, 404
|
return {"status": "error", "reason": "Unknown uuid"}, 404
|
||||||
return None
|
return None
|
||||||
|
|
||||||
def api_check_tracker_acl(tracker_uuid, user_org, user_id):
|
def api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, action):
|
||||||
res = api_check_tracker_uuid(tracker_uuid)
|
res = api_check_tracker_uuid(tracker_uuid)
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
tracker = Tracker(tracker_uuid)
|
tracker = Tracker(tracker_uuid)
|
||||||
if tracker.is_level_user():
|
if not ail_orgs.check_obj_access_acl(tracker, user_org, user_id, user_role, action):
|
||||||
if tracker.get_user() != user_id or not AILUser(user_id).is_in_role('admin'):
|
|
||||||
return {"status": "error", "reason": "Access Denied"}, 403
|
return {"status": "error", "reason": "Access Denied"}, 403
|
||||||
elif tracker.is_level_org():
|
|
||||||
if tracker.get_org() != user_org or not AILUser(user_id).is_in_role('admin'):
|
|
||||||
return {"status": "error", "reason": "Access Denied"}, 403
|
|
||||||
return None
|
|
||||||
|
|
||||||
def api_is_allowed_to_edit_tracker(tracker_uuid, user_org, user_id):
|
def api_is_allowed_to_edit_tracker_level(tracker_uuid, user_org, user_id, user_role, new_level):
|
||||||
res = api_check_tracker_uuid(tracker_uuid)
|
|
||||||
if res:
|
|
||||||
return res
|
|
||||||
tracker = Tracker(tracker_uuid)
|
tracker = Tracker(tracker_uuid)
|
||||||
if tracker.is_level_user():
|
if not ail_orgs.check_acl_edit_level(tracker, user_org, user_id, user_role, new_level):
|
||||||
if tracker.get_user() != user_id or not AILUser(user_id).is_in_role('admin'):
|
return {"status": "error", "reason": "Access Denied - Tracker level"}, 403
|
||||||
return {"status": "error", "reason": "Access Denied"}, 403
|
|
||||||
elif tracker.is_level_org():
|
|
||||||
if tracker.get_org() != user_org or not AILUser(user_id).is_in_role('admin'):
|
|
||||||
return {"status": "error", "reason": "Access Denied"}, 403
|
|
||||||
else: # global
|
|
||||||
if tracker.get_user() != user_id or not AILUser(user_id).is_in_role('admin'):
|
|
||||||
return {"status": "error", "reason": "Access Denied"}, 403
|
|
||||||
return None
|
|
||||||
|
|
||||||
def api_is_allowed_to_edit_tracker_level(tracker_uuid, user_org, user_id, new_level):
|
|
||||||
tracker = Tracker(tracker_uuid)
|
|
||||||
level = tracker.get_level()
|
|
||||||
if level == new_level:
|
|
||||||
return None
|
|
||||||
# Global Edit
|
|
||||||
if level == 1:
|
|
||||||
if new_level == 0:
|
|
||||||
if tracker.get_user() != user_id or not AILUser(user_id).is_in_role('admin'):
|
|
||||||
return {"status": "error", "reason": "Access Denied"}, 403
|
|
||||||
elif new_level == 2:
|
|
||||||
if tracker.get_org() != user_org or not AILUser(user_id).is_in_role('admin'):
|
|
||||||
return {"status": "error", "reason": "Access Denied"}, 403
|
|
||||||
# Community Edit
|
|
||||||
elif level == 2:
|
|
||||||
if new_level == 0:
|
|
||||||
if tracker.get_user() != user_id or not AILUser(user_id).is_in_role('admin'):
|
|
||||||
return {"status": "error", "reason": "Access Denied"}, 403
|
|
||||||
|
|
||||||
## --ACL-- ##
|
## --ACL-- ##
|
||||||
|
|
||||||
|
@ -1083,9 +1045,9 @@ def api_add_tracker(dict_input, org, user_id):
|
||||||
|
|
||||||
return {'tracked': to_track, 'type': tracker_type, 'uuid': tracker_uuid}, 200
|
return {'tracked': to_track, 'type': tracker_type, 'uuid': tracker_uuid}, 200
|
||||||
|
|
||||||
def api_edit_tracker(dict_input, user_org, user_id):
|
def api_edit_tracker(dict_input, user_org, user_id, user_role):
|
||||||
tracker_uuid = dict_input.get('uuid')
|
tracker_uuid = dict_input.get('uuid')
|
||||||
res = api_check_tracker_acl(tracker_uuid, user_org, user_id)
|
res = api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'edit')
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
|
|
||||||
|
@ -1105,7 +1067,7 @@ def api_edit_tracker(dict_input, user_org, user_id):
|
||||||
level = 1
|
level = 1
|
||||||
if level not in range(0, 3):
|
if level not in range(0, 3):
|
||||||
level = 1
|
level = 1
|
||||||
res = api_is_allowed_to_edit_tracker_level(tracker_uuid, user_org, user_id, level)
|
res = api_is_allowed_to_edit_tracker_level(tracker_uuid, user_org, user_id, user_role, level)
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
|
|
||||||
|
@ -1163,18 +1125,18 @@ def api_edit_tracker(dict_input, user_org, user_id):
|
||||||
return {'tracked': to_track, 'type': tracker_type, 'uuid': tracker_uuid}, 200
|
return {'tracked': to_track, 'type': tracker_type, 'uuid': tracker_uuid}, 200
|
||||||
|
|
||||||
|
|
||||||
def api_delete_tracker(data, user_org, user_id):
|
def api_delete_tracker(data, user_org, user_id, user_role):
|
||||||
tracker_uuid = data.get('uuid')
|
tracker_uuid = data.get('uuid')
|
||||||
res = api_check_tracker_acl(tracker_uuid, user_org, user_id)
|
res = api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'delete')
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
|
|
||||||
tracker = Tracker(tracker_uuid)
|
tracker = Tracker(tracker_uuid)
|
||||||
return tracker.delete(), 200
|
return tracker.delete(), 200
|
||||||
|
|
||||||
def api_tracker_add_object(data, user_org, user_id):
|
def api_tracker_add_object(data, user_org, user_id, user_role):
|
||||||
tracker_uuid = data.get('uuid')
|
tracker_uuid = data.get('uuid')
|
||||||
res = api_check_tracker_acl(tracker_uuid, user_org, user_id)
|
res = api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'edit')
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
tracker = Tracker(tracker_uuid)
|
tracker = Tracker(tracker_uuid)
|
||||||
|
@ -1189,9 +1151,9 @@ def api_tracker_add_object(data, user_org, user_id):
|
||||||
return {"status": "error", "reason": "Invalid Object"}, 400
|
return {"status": "error", "reason": "Invalid Object"}, 400
|
||||||
return tracker.add(obj_type, subtype, obj_id, date=date), 200
|
return tracker.add(obj_type, subtype, obj_id, date=date), 200
|
||||||
|
|
||||||
def api_tracker_remove_object(data, user_org, user_id):
|
def api_tracker_remove_object(data, user_org, user_id, user_role):
|
||||||
tracker_uuid = data.get('uuid')
|
tracker_uuid = data.get('uuid')
|
||||||
res = api_check_tracker_acl(tracker_uuid, user_org, user_id)
|
res = api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'edit')
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
|
|
||||||
|
@ -1841,22 +1803,15 @@ def delete_obj_retro_hunts(obj_type, subtype, obj_id):
|
||||||
|
|
||||||
#### ACL ####
|
#### ACL ####
|
||||||
|
|
||||||
def check_retro_hunt_access_acl(retro_hunt, user_org, is_admin=False):
|
def api_check_retro_hunt_acl(retro_hunt, user_org, user_id, user_role, action):
|
||||||
if is_admin:
|
if not ail_orgs.check_obj_access_acl(retro_hunt, user_org, user_id, user_role, action):
|
||||||
return True
|
|
||||||
|
|
||||||
level = retro_hunt.get_level()
|
|
||||||
if level == 1:
|
|
||||||
return True
|
|
||||||
elif level == 2:
|
|
||||||
return ail_orgs.check_access_acl(retro_hunt, user_org, is_admin=is_admin)
|
|
||||||
else:
|
|
||||||
return False
|
|
||||||
|
|
||||||
def api_check_retro_hunt_access_acl(retro_hunt, user_org, is_admin=False):
|
|
||||||
if not check_retro_hunt_access_acl(retro_hunt, user_org, is_admin=is_admin):
|
|
||||||
return {"status": "error", "reason": "Access Denied"}, 403
|
return {"status": "error", "reason": "Access Denied"}, 403
|
||||||
|
|
||||||
|
# TODO
|
||||||
|
def api_is_allowed_to_edit_retro_hunt_level(retro_hunt, user_org, user_id, user_role, new_level):
|
||||||
|
if not ail_orgs.check_acl_edit_level(retro_hunt, user_org, user_id, user_role, new_level):
|
||||||
|
return {"status": "error", "reason": "Access Denied - Tracker level"}, 403
|
||||||
|
|
||||||
#### API ####
|
#### API ####
|
||||||
|
|
||||||
def api_check_retro_hunt_task_uuid(task_uuid):
|
def api_check_retro_hunt_task_uuid(task_uuid):
|
||||||
|
@ -1867,12 +1822,12 @@ def api_check_retro_hunt_task_uuid(task_uuid):
|
||||||
return {"status": "error", "reason": "Unknown uuid"}, 404
|
return {"status": "error", "reason": "Unknown uuid"}, 404
|
||||||
return None
|
return None
|
||||||
|
|
||||||
def api_pause_retro_hunt_task(user_org, is_admin, task_uuid):
|
def api_pause_retro_hunt_task(user_org, user_id, user_role, task_uuid):
|
||||||
res = api_check_retro_hunt_task_uuid(task_uuid)
|
res = api_check_retro_hunt_task_uuid(task_uuid)
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
retro_hunt = RetroHunt(task_uuid)
|
retro_hunt = RetroHunt(task_uuid)
|
||||||
res = api_check_retro_hunt_access_acl(retro_hunt, user_org, is_admin=is_admin)
|
res = api_check_retro_hunt_acl(retro_hunt, user_org, user_id, user_role, 'edit')
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
task_state = retro_hunt.get_state()
|
task_state = retro_hunt.get_state()
|
||||||
|
@ -1881,12 +1836,12 @@ def api_pause_retro_hunt_task(user_org, is_admin, task_uuid):
|
||||||
retro_hunt.pause()
|
retro_hunt.pause()
|
||||||
return task_uuid, 200
|
return task_uuid, 200
|
||||||
|
|
||||||
def api_resume_retro_hunt_task(user_org, is_admin, task_uuid):
|
def api_resume_retro_hunt_task(user_org, user_id, user_role, task_uuid):
|
||||||
res = api_check_retro_hunt_task_uuid(task_uuid)
|
res = api_check_retro_hunt_task_uuid(task_uuid)
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
retro_hunt = RetroHunt(task_uuid)
|
retro_hunt = RetroHunt(task_uuid)
|
||||||
res = api_check_retro_hunt_access_acl(retro_hunt, user_org, is_admin=is_admin)
|
res = api_check_retro_hunt_acl(retro_hunt, user_org, user_id, user_role, 'edit')
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
if not retro_hunt.is_paused():
|
if not retro_hunt.is_paused():
|
||||||
|
@ -1988,12 +1943,12 @@ def api_create_retro_hunt_task(dict_input, user_org, user_id):
|
||||||
mails=mails, tags=tags, timeout=30, filters=filters)
|
mails=mails, tags=tags, timeout=30, filters=filters)
|
||||||
return {'name': name, 'rule': rule, 'type': task_type, 'uuid': task_uuid}, 200
|
return {'name': name, 'rule': rule, 'type': task_type, 'uuid': task_uuid}, 200
|
||||||
|
|
||||||
def api_delete_retro_hunt_task(user_org, is_admin, task_uuid):
|
def api_delete_retro_hunt_task(user_org, user_id, user_role, task_uuid):
|
||||||
res = api_check_retro_hunt_task_uuid(task_uuid)
|
res = api_check_retro_hunt_task_uuid(task_uuid)
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
retro_hunt = RetroHunt(task_uuid)
|
retro_hunt = RetroHunt(task_uuid)
|
||||||
res = api_check_retro_hunt_access_acl(retro_hunt, user_org, is_admin=is_admin)
|
res = api_check_retro_hunt_acl(retro_hunt, user_org, user_id, user_role, 'delete')
|
||||||
if res:
|
if res:
|
||||||
return res
|
return res
|
||||||
if retro_hunt.is_running() and retro_hunt.get_state() not in ['completed', 'paused']:
|
if retro_hunt.is_running() and retro_hunt.get_state() not in ['completed', 'paused']:
|
||||||
|
@ -2006,12 +1961,12 @@ def api_delete_retro_hunt_task(user_org, is_admin, task_uuid):
|
||||||
################################################################################
|
################################################################################
|
||||||
################################################################################
|
################################################################################
|
||||||
|
|
||||||
#### DB FIX #### TODO
|
#### DB FIX ####
|
||||||
|
|
||||||
def _fix_db_custom_tags():
|
# def _fix_db_custom_tags():
|
||||||
for tag in get_trackers_tags():
|
# for tag in get_trackers_tags():
|
||||||
if not Tag.is_taxonomie_tag(tag) and not Tag.is_galaxy_tag(tag):
|
# if not Tag.is_taxonomie_tag(tag) and not Tag.is_galaxy_tag(tag):
|
||||||
Tag.create_custom_tag(tag)
|
# Tag.create_custom_tag(tag)
|
||||||
|
|
||||||
#### -- ####
|
#### -- ####
|
||||||
|
|
||||||
|
@ -2046,7 +2001,6 @@ def _fix_db_custom_tags():
|
||||||
# from packages import Term
|
# from packages import Term
|
||||||
# Term.delete_term('074ab4be-6049-45b5-a20e-8125a4e4f500')
|
# Term.delete_term('074ab4be-6049-45b5-a20e-8125a4e4f500')
|
||||||
|
|
||||||
|
|
||||||
# res = get_items_to_analyze('archive/pastebin.com_pro/2020/05/15', last='archive/pastebin.com_pro/2020/05/15/zkHEgqjQ.gz')
|
# res = get_items_to_analyze('archive/pastebin.com_pro/2020/05/15', last='archive/pastebin.com_pro/2020/05/15/zkHEgqjQ.gz')
|
||||||
# get_retro_hunt_task_progress('0', nb_src_done=2)
|
# get_retro_hunt_task_progress('0', nb_src_done=2)
|
||||||
|
|
||||||
|
@ -2065,7 +2019,6 @@ def _fix_db_custom_tags():
|
||||||
|
|
||||||
# res = create_retro_hunt_task(name, rule, date_from, date_to, creator, sources=sources, tags=tags, description=description)
|
# res = create_retro_hunt_task(name, rule, date_from, date_to, creator, sources=sources, tags=tags, description=description)
|
||||||
|
|
||||||
|
|
||||||
# get_retro_hunt_nb_item_by_day(['80b402ef-a8a9-4e97-adb6-e090edcfd571'], date_from=None, date_to=None, num_day=31)
|
# get_retro_hunt_nb_item_by_day(['80b402ef-a8a9-4e97-adb6-e090edcfd571'], date_from=None, date_to=None, num_day=31)
|
||||||
|
|
||||||
# res = get_retro_hunt_nb_item_by_day(['c625f971-16e6-4331-82a7-b1e1b9efdec1'], date_from='20200610', date_to='20210630')
|
# res = get_retro_hunt_nb_item_by_day(['c625f971-16e6-4331-82a7-b1e1b9efdec1'], date_from='20200610', date_to='20210630')
|
||||||
|
|
|
@ -28,7 +28,7 @@ def get_user_from_token(token):
|
||||||
|
|
||||||
def get_basic_user_meta(token):
|
def get_basic_user_meta(token):
|
||||||
user_id = get_user_from_token(token)
|
user_id = get_user_from_token(token)
|
||||||
return ail_users.get_user_org(user_id), user_id, ail_users.is_in_role(user_id, 'admin')
|
return ail_users.get_user_org(user_id), user_id, ail_users.get_user_role(user_id)
|
||||||
|
|
||||||
def is_user_in_role(role, token): # verify_user_role
|
def is_user_in_role(role, token): # verify_user_role
|
||||||
# User without API
|
# User without API
|
||||||
|
|
|
@ -83,7 +83,8 @@ def create_default_org():
|
||||||
# org = Organisation(generate_uuid())
|
# org = Organisation(generate_uuid())
|
||||||
name = 'Default AIL Organisation'
|
name = 'Default AIL Organisation'
|
||||||
description = 'Default AIL Organisation'
|
description = 'Default AIL Organisation'
|
||||||
return create_org(name, description)
|
creator = 'admin@admin.test'
|
||||||
|
return create_org(creator, name, description)
|
||||||
|
|
||||||
#### ORGANISATION ####
|
#### ORGANISATION ####
|
||||||
|
|
||||||
|
@ -99,7 +100,7 @@ class Organisation:
|
||||||
return r_serv_db.hget(f'ail:org:{self.uuid}', field)
|
return r_serv_db.hget(f'ail:org:{self.uuid}', field)
|
||||||
|
|
||||||
def _set_fields(self, field, value):
|
def _set_fields(self, field, value):
|
||||||
return r_serv_db.hset(f'ail:org:{self.uuid}', field, value)
|
r_serv_db.hset(f'ail:org:{self.uuid}', field, value)
|
||||||
|
|
||||||
def get_uuid(self):
|
def get_uuid(self):
|
||||||
return self.uuid
|
return self.uuid
|
||||||
|
@ -197,7 +198,7 @@ class Organisation:
|
||||||
def exists_org(org_uuid):
|
def exists_org(org_uuid):
|
||||||
return r_serv_db.exists(f'ail:org:{org_uuid}')
|
return r_serv_db.exists(f'ail:org:{org_uuid}')
|
||||||
|
|
||||||
def create_org(name, description, uuid=None, nationality=None, sector=None, org_type=None, logo=None): # contacts ?????
|
def create_org(creator, name, description, uuid=None, nationality=None, sector=None, org_type=None, logo=None):
|
||||||
if uuid is None:
|
if uuid is None:
|
||||||
uuid = generate_uuid()
|
uuid = generate_uuid()
|
||||||
else:
|
else:
|
||||||
|
@ -205,7 +206,7 @@ def create_org(name, description, uuid=None, nationality=None, sector=None, org_
|
||||||
raise Exception('Organisation already exists') # TODO CUSTOM ERROR
|
raise Exception('Organisation already exists') # TODO CUSTOM ERROR
|
||||||
|
|
||||||
org = Organisation(uuid)
|
org = Organisation(uuid)
|
||||||
org.create(name, description, nationality=nationality, sector=sector, org_type=org_type, logo=logo)
|
org.create(creator, name, description, nationality=nationality, sector=sector, org_type=org_type, logo=logo)
|
||||||
return org
|
return org
|
||||||
|
|
||||||
def get_org_objs_by_type(org_uuid, obj_type):
|
def get_org_objs_by_type(org_uuid, obj_type):
|
||||||
|
@ -225,6 +226,78 @@ def check_access_acl(obj, user_org, is_admin=False):
|
||||||
return True
|
return True
|
||||||
return obj.get_org() == user_org
|
return obj.get_org() == user_org
|
||||||
|
|
||||||
|
# view
|
||||||
|
# edit
|
||||||
|
# delete -> coordinator or admin
|
||||||
|
def check_obj_access_acl(obj, user_org, user_id, user_role, action):
|
||||||
|
if user_role == 'admin':
|
||||||
|
return True
|
||||||
|
|
||||||
|
level = obj.get_level()
|
||||||
|
# User
|
||||||
|
if level == 0:
|
||||||
|
return user_id == obj.get_user()
|
||||||
|
# Global
|
||||||
|
elif level == 1:
|
||||||
|
if action == 'view':
|
||||||
|
return True
|
||||||
|
# edit + delete
|
||||||
|
else: # TODO allow user to edit same org global
|
||||||
|
if user_role == 'coordinator':
|
||||||
|
creator_org = obj.get_creator_org()
|
||||||
|
if user_org == creator_org:
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
else:
|
||||||
|
return False # TODO allow user (creator) to edit global tracker ????
|
||||||
|
# Organization
|
||||||
|
elif level == 2:
|
||||||
|
if action == 'view':
|
||||||
|
return obj.get_org() == user_org
|
||||||
|
elif action == 'edit':
|
||||||
|
return obj.get_org() == user_org
|
||||||
|
elif action == 'delete':
|
||||||
|
if user_role == 'coordinator':
|
||||||
|
if user_org == obj.get_org():
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
|
||||||
|
return False
|
||||||
|
|
||||||
|
def check_acl_edit_level(obj, user_org, user_id, user_role, new_level):
|
||||||
|
if user_role == 'admin':
|
||||||
|
return True
|
||||||
|
|
||||||
|
level = obj.get_level()
|
||||||
|
if new_level == level:
|
||||||
|
return True
|
||||||
|
|
||||||
|
# User
|
||||||
|
if new_level == 0: # TODO
|
||||||
|
return False
|
||||||
|
# if obj.get_user() == user_id:
|
||||||
|
# return True
|
||||||
|
# Global
|
||||||
|
elif new_level == 1:
|
||||||
|
if level == 0 and obj.get_id() == user_id:
|
||||||
|
return True
|
||||||
|
elif level == 2 and user_role == 'coordinator':
|
||||||
|
if obj.get_creator_org() == user_org:
|
||||||
|
return True
|
||||||
|
# Organisation
|
||||||
|
elif new_level == 2:
|
||||||
|
if level == 0 and obj.get_id() == user_id:
|
||||||
|
return True
|
||||||
|
elif level == 1 and user_role == 'coordinator':
|
||||||
|
if obj.get_creator_org() == user_org:
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
#### API ####
|
#### API ####
|
||||||
|
|
||||||
def api_get_orgs_meta():
|
def api_get_orgs_meta():
|
||||||
|
|
|
@ -326,13 +326,9 @@ def create_user(user_id, password=None, admin_id=None, chg_passwd=True, org_uuid
|
||||||
r_serv_db.hset(f'ail:user:metadata:{user_id}', 'last_edit', date)
|
r_serv_db.hset(f'ail:user:metadata:{user_id}', 'last_edit', date)
|
||||||
|
|
||||||
# Role
|
# Role
|
||||||
if not role:
|
if not role or role not in get_roles():
|
||||||
role = get_default_role()
|
role = get_default_role()
|
||||||
|
set_user_role(user_id, role)
|
||||||
if role in get_all_roles():
|
|
||||||
for role_to_add in get_all_user_role(role):
|
|
||||||
r_serv_db.sadd(f'ail:users:role:{role_to_add}', user_id)
|
|
||||||
r_serv_db.hset(f'ail:user:metadata:{user_id}', 'role', role)
|
|
||||||
|
|
||||||
# ORG
|
# ORG
|
||||||
org = ail_orgs.Organisation(org_uuid)
|
org = ail_orgs.Organisation(org_uuid)
|
||||||
|
@ -569,7 +565,7 @@ class AILUser(UserMixin):
|
||||||
|
|
||||||
def delete(self):
|
def delete(self):
|
||||||
kill_session_user(self.user_id)
|
kill_session_user(self.user_id)
|
||||||
for role_id in get_all_roles():
|
for role_id in get_roles():
|
||||||
r_serv_db.srem(f'ail:users:role:{role_id}', self.user_id)
|
r_serv_db.srem(f'ail:users:role:{role_id}', self.user_id)
|
||||||
user_token = self.get_api_key()
|
user_token = self.get_api_key()
|
||||||
if user_token:
|
if user_token:
|
||||||
|
@ -711,35 +707,15 @@ def api_delete_user(user_id, admin_id, ip_address):
|
||||||
|
|
||||||
#### ROLES ####
|
#### ROLES ####
|
||||||
|
|
||||||
def get_all_roles():
|
def get_roles():
|
||||||
return r_serv_db.zrange('ail:roles:all', 0, -1)
|
return r_serv_db.smembers('ail:roles')
|
||||||
|
|
||||||
# create role_list
|
def _create_roles():
|
||||||
def _create_roles_list():
|
r_serv_db.sadd('ail:roles', 'admin')
|
||||||
if not r_serv_db.exists('ail:roles:all'):
|
r_serv_db.sadd('ail:roles', 'read_only')
|
||||||
r_serv_db.zadd('ail:roles:all', {'admin': 1})
|
r_serv_db.sadd('ail:roles', 'user')
|
||||||
r_serv_db.zadd('ail:roles:all', {'analyst': 2})
|
r_serv_db.sadd('ail:roles', 'user_no_api')
|
||||||
r_serv_db.zadd('ail:roles:all', {'user': 3})
|
r_serv_db.sadd('ail:roles', 'contributor')
|
||||||
r_serv_db.zadd('ail:roles:all', {'user_no_api': 4})
|
|
||||||
r_serv_db.zadd('ail:roles:all', {'read_only': 5})
|
|
||||||
|
|
||||||
def get_role_level(role):
|
|
||||||
return int(r_serv_db.zscore('ail:roles:all', role))
|
|
||||||
|
|
||||||
def get_user_role_by_range(inf, sup):
|
|
||||||
return r_serv_db.zrange('ail:roles:all', inf, sup)
|
|
||||||
|
|
||||||
def get_all_user_role(user_role):
|
|
||||||
current_role_val = get_role_level(user_role)
|
|
||||||
return r_serv_db.zrange('ail:roles:all', current_role_val - 1, -1)
|
|
||||||
|
|
||||||
def get_all_user_upper_role(user_role):
|
|
||||||
current_role_val = get_role_level(user_role)
|
|
||||||
# remove one rank
|
|
||||||
if current_role_val > 1:
|
|
||||||
return r_serv_db.zrange('ail:roles:all', 0, current_role_val - 2)
|
|
||||||
else:
|
|
||||||
return []
|
|
||||||
|
|
||||||
def get_default_role():
|
def get_default_role():
|
||||||
return 'read_only'
|
return 'read_only'
|
||||||
|
@ -747,41 +723,45 @@ def get_default_role():
|
||||||
def is_in_role(user_id, role):
|
def is_in_role(user_id, role):
|
||||||
return r_serv_db.sismember(f'ail:users:role:{role}', user_id)
|
return r_serv_db.sismember(f'ail:users:role:{role}', user_id)
|
||||||
|
|
||||||
def edit_user_role(user_id, role):
|
def _get_users_roles_list():
|
||||||
current_role = get_user_role(user_id)
|
return ['read_only', 'user_no_api', 'user', 'coordinator', 'admin']
|
||||||
if role != current_role:
|
|
||||||
request_level = get_role_level(role)
|
|
||||||
current_role = get_role_level(current_role)
|
|
||||||
|
|
||||||
if current_role < request_level:
|
def _get_users_roles_dict():
|
||||||
role_to_remove = get_user_role_by_range(current_role - 1, request_level - 2)
|
return {
|
||||||
for role_id in role_to_remove:
|
'read_only': ['read_only'],
|
||||||
r_serv_db.srem(f'ail:users:role:{role_id}', user_id)
|
'user_no_api': ['read_only', 'user_no_api'],
|
||||||
r_serv_db.hset(f'ail:user:metadata:{user_id}', 'role', role)
|
'user': ['read_only', 'user_no_api', 'user'],
|
||||||
else:
|
'coordinator': ['read_only', 'user_no_api', 'user', 'coordinator'],
|
||||||
role_to_add = get_user_role_by_range(request_level - 1, current_role)
|
'admin': ['read_only', 'user_no_api', 'user', 'coordinator', 'admin'],
|
||||||
for role_id in role_to_add:
|
}
|
||||||
r_serv_db.sadd(f'ail:users:role:{role_id}', user_id)
|
|
||||||
|
def set_user_role(user_id, role):
|
||||||
|
roles = _get_users_roles_dict()
|
||||||
|
# set role
|
||||||
|
for role_to_add in roles[role]:
|
||||||
|
r_serv_db.sadd(f'ail:users:role:{role_to_add}', user_id)
|
||||||
r_serv_db.hset(f'ail:user:metadata:{user_id}', 'role', role)
|
r_serv_db.hset(f'ail:user:metadata:{user_id}', 'role', role)
|
||||||
|
|
||||||
def check_user_role_integrity(user_id):
|
def check_user_role_integrity(user_id):
|
||||||
|
roles = _get_users_roles_dict()
|
||||||
user_role = get_user_role(user_id)
|
user_role = get_user_role(user_id)
|
||||||
all_user_role = get_all_user_role(user_role)
|
if user_role not in roles:
|
||||||
res = True
|
return False
|
||||||
for role in all_user_role:
|
# check if is in role
|
||||||
if not r_serv_db.sismember(f'ail:users:role:{role}', user_id):
|
for r in roles[user_role]:
|
||||||
res = False
|
if not r_serv_db.sismember(f'ail:users:role:{r}', user_id):
|
||||||
upper_role = get_all_user_upper_role(user_role)
|
print(r)
|
||||||
for role in upper_role:
|
return False
|
||||||
if r_serv_db.sismember(f'ail:users:role:{role}', user_id):
|
for r in list(set(_get_users_roles_list()) - set(roles[user_role])):
|
||||||
res = False
|
if r_serv_db.sismember(f'ail:users:role:{r}', user_id):
|
||||||
return res
|
print(r)
|
||||||
|
return False
|
||||||
|
return True
|
||||||
|
|
||||||
## --ROLES-- ##
|
# TODO
|
||||||
|
# ACL:
|
||||||
# if __name__ == '__main__':
|
# - mass tag correlation graph
|
||||||
# user_id = 'admin@admin.test'
|
#
|
||||||
# instance_name = 'AIL TEST'
|
#
|
||||||
# delete_user_otp(user_id)
|
#
|
||||||
# # q = get_user_otp_qr_code(user_id, instance_name)
|
#
|
||||||
# # print(q)
|
|
||||||
|
|
|
@ -701,24 +701,24 @@ def api_get_cookiejars_selector(user_org, user_id):
|
||||||
cookiejars.append(f'{description} : {cookiejar.uuid}')
|
cookiejars.append(f'{description} : {cookiejar.uuid}')
|
||||||
return sorted(cookiejars)
|
return sorted(cookiejars)
|
||||||
|
|
||||||
def api_edit_cookiejar_description(user_org, user_id, is_admin, cookiejar_uuid, description):
|
def api_edit_cookiejar_description(user_org, user_id, user_role, cookiejar_uuid, description):
|
||||||
resp = api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, is_admin)
|
resp = api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, user_role, 'edit')
|
||||||
if resp:
|
if resp:
|
||||||
return resp
|
return resp
|
||||||
cookiejar = Cookiejar(cookiejar_uuid)
|
cookiejar = Cookiejar(cookiejar_uuid)
|
||||||
cookiejar.set_description(description)
|
cookiejar.set_description(description)
|
||||||
return {'cookiejar_uuid': cookiejar_uuid}, 200
|
return {'cookiejar_uuid': cookiejar_uuid}, 200
|
||||||
|
|
||||||
def api_delete_cookiejar(user_org, user_id, is_admin, cookiejar_uuid):
|
def api_delete_cookiejar(user_org, user_id, user_role, cookiejar_uuid):
|
||||||
resp = api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, is_admin)
|
resp = api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, user_role, 'delete')
|
||||||
if resp:
|
if resp:
|
||||||
return resp
|
return resp
|
||||||
cookiejar = Cookiejar(cookiejar_uuid)
|
cookiejar = Cookiejar(cookiejar_uuid)
|
||||||
cookiejar.delete()
|
cookiejar.delete()
|
||||||
return {'cookiejar_uuid': cookiejar_uuid}, 200
|
return {'cookiejar_uuid': cookiejar_uuid}, 200
|
||||||
|
|
||||||
def api_get_cookiejar(user_org, user_id, is_admin, cookiejar_uuid):
|
def api_get_cookiejar(user_org, user_id, user_role, cookiejar_uuid):
|
||||||
resp = api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, is_admin)
|
resp = api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, user_role, 'view')
|
||||||
if resp:
|
if resp:
|
||||||
return resp
|
return resp
|
||||||
cookiejar = Cookiejar(cookiejar_uuid)
|
cookiejar = Cookiejar(cookiejar_uuid)
|
||||||
|
@ -727,25 +727,11 @@ def api_get_cookiejar(user_org, user_id, is_admin, cookiejar_uuid):
|
||||||
|
|
||||||
#### ACL ####
|
#### ACL ####
|
||||||
|
|
||||||
def check_cookiejar_access_acl(cookiejar, user_org, user_id, is_admin=False):
|
def api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, user_role, action):
|
||||||
if is_admin:
|
|
||||||
return True
|
|
||||||
|
|
||||||
level = cookiejar.get_level()
|
|
||||||
if level == 0:
|
|
||||||
return user_id == cookiejar.get_user()
|
|
||||||
elif level == 1:
|
|
||||||
return True
|
|
||||||
elif level == 2:
|
|
||||||
return ail_orgs.check_access_acl(cookiejar, user_org, is_admin=is_admin)
|
|
||||||
else:
|
|
||||||
return False
|
|
||||||
|
|
||||||
def api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, is_admin=False):
|
|
||||||
cookiejar = Cookiejar(cookiejar_uuid)
|
cookiejar = Cookiejar(cookiejar_uuid)
|
||||||
if not cookiejar.exists():
|
if not cookiejar.exists():
|
||||||
return {'error': 'unknown cookiejar uuid', 'cookiejar_uuid': cookiejar_uuid}, 404
|
return {'error': 'unknown cookiejar uuid', 'cookiejar_uuid': cookiejar_uuid}, 404
|
||||||
if not check_cookiejar_access_acl(cookiejar, user_org, user_id, is_admin=is_admin):
|
if not ail_orgs.check_obj_access_acl(cookiejar, user_org, user_id, user_role, action):
|
||||||
return {"status": "error", "reason": "Access Denied"}, 403
|
return {"status": "error", "reason": "Access Denied"}, 403
|
||||||
|
|
||||||
#### API ####
|
#### API ####
|
||||||
|
@ -849,20 +835,20 @@ class Cookie:
|
||||||
|
|
||||||
## API ##
|
## API ##
|
||||||
|
|
||||||
def api_get_cookie(user_org, user_id, is_admin, cookie_uuid):
|
def api_get_cookie(user_org, user_id, user_role, cookie_uuid):
|
||||||
cookie = Cookie(cookie_uuid)
|
cookie = Cookie(cookie_uuid)
|
||||||
if not cookie.exists():
|
if not cookie.exists():
|
||||||
return {'error': 'unknown cookie uuid', 'cookie_uuid': cookie_uuid}, 404
|
return {'error': 'unknown cookie uuid', 'cookie_uuid': cookie_uuid}, 404
|
||||||
resp = api_check_cookiejar_access_acl(cookie.get_cookiejar(), user_org, user_id, is_admin)
|
resp = api_check_cookiejar_access_acl(cookie.get_cookiejar(), user_org, user_id, user_role, 'view')
|
||||||
if resp:
|
if resp:
|
||||||
return resp
|
return resp
|
||||||
return cookie.get_meta()
|
return cookie.get_meta()
|
||||||
|
|
||||||
def api_edit_cookie(user_org, user_id, is_admin, cookie_uuid, cookie_dict):
|
def api_edit_cookie(user_org, user_id, user_role, cookie_uuid, cookie_dict):
|
||||||
cookie = Cookie(cookie_uuid)
|
cookie = Cookie(cookie_uuid)
|
||||||
if not cookie.exists():
|
if not cookie.exists():
|
||||||
return {'error': 'unknown cookie uuid', 'cookie_uuid': cookie_uuid}, 404
|
return {'error': 'unknown cookie uuid', 'cookie_uuid': cookie_uuid}, 404
|
||||||
resp = api_check_cookiejar_access_acl(cookie.get_cookiejar(), user_org, user_id, is_admin)
|
resp = api_check_cookiejar_access_acl(cookie.get_cookiejar(), user_org, user_id, user_role, 'edit')
|
||||||
if resp:
|
if resp:
|
||||||
return resp
|
return resp
|
||||||
if 'name' not in cookie_dict or 'value' not in cookie_dict or not cookie_dict['name'] or not cookie_dict['value']:
|
if 'name' not in cookie_dict or 'value' not in cookie_dict or not cookie_dict['name'] or not cookie_dict['value']:
|
||||||
|
@ -870,8 +856,8 @@ def api_edit_cookie(user_org, user_id, is_admin, cookie_uuid, cookie_dict):
|
||||||
cookie.edit(cookie_dict)
|
cookie.edit(cookie_dict)
|
||||||
return cookie.get_meta(), 200
|
return cookie.get_meta(), 200
|
||||||
|
|
||||||
def api_create_cookie(user_org, user_id, is_admin, cookiejar_uuid, cookie_dict):
|
def api_create_cookie(user_org, user_id, user_role, cookiejar_uuid, cookie_dict):
|
||||||
resp = api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, is_admin)
|
resp = api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, user_role, 'edit')
|
||||||
if resp:
|
if resp:
|
||||||
return resp
|
return resp
|
||||||
if 'name' not in cookie_dict or 'value' not in cookie_dict or not cookie_dict['name'] or not cookie_dict['value']:
|
if 'name' not in cookie_dict or 'value' not in cookie_dict or not cookie_dict['name'] or not cookie_dict['value']:
|
||||||
|
@ -887,12 +873,12 @@ def api_create_cookie(user_org, user_id, is_admin, cookiejar_uuid, cookie_dict):
|
||||||
cookiejar.add_cookie(name, value, domain=domain, httponly=httponly, path=path, secure=secure, text=text)
|
cookiejar.add_cookie(name, value, domain=domain, httponly=httponly, path=path, secure=secure, text=text)
|
||||||
return resp, 200
|
return resp, 200
|
||||||
|
|
||||||
def api_delete_cookie(user_org, user_id, is_admin, cookie_uuid):
|
def api_delete_cookie(user_org, user_id, user_role, cookie_uuid):
|
||||||
cookie = Cookie(cookie_uuid)
|
cookie = Cookie(cookie_uuid)
|
||||||
if not cookie.exists():
|
if not cookie.exists():
|
||||||
return {'error': 'unknown cookie uuid', 'cookie_uuid': cookie_uuid}, 404
|
return {'error': 'unknown cookie uuid', 'cookie_uuid': cookie_uuid}, 404
|
||||||
cookiejar_uuid = cookie.get_cookiejar()
|
cookiejar_uuid = cookie.get_cookiejar()
|
||||||
resp = api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, is_admin)
|
resp = api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, user_role, 'edit')
|
||||||
if resp:
|
if resp:
|
||||||
return resp
|
return resp
|
||||||
cookiejar = Cookiejar(cookiejar_uuid)
|
cookiejar = Cookiejar(cookiejar_uuid)
|
||||||
|
@ -938,8 +924,8 @@ def unpack_imported_json_cookie(json_cookie):
|
||||||
|
|
||||||
## - - ##
|
## - - ##
|
||||||
#### COOKIEJAR API ####
|
#### COOKIEJAR API ####
|
||||||
def api_import_cookies_from_json(user_org, user_id, is_admin, cookiejar_uuid, json_cookies_str): # # TODO: add catch
|
def api_import_cookies_from_json(user_org, user_id, user_role, cookiejar_uuid, json_cookies_str): # # TODO: add catch
|
||||||
resp = api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, is_admin)
|
resp = api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, user_role, 'edit')
|
||||||
if resp:
|
if resp:
|
||||||
return resp
|
return resp
|
||||||
json_cookies = json.loads(json_cookies_str)
|
json_cookies = json.loads(json_cookies_str)
|
||||||
|
|
|
@ -113,7 +113,7 @@ def user_migration():
|
||||||
print('USER MIGRATION...')
|
print('USER MIGRATION...')
|
||||||
|
|
||||||
# create role_list
|
# create role_list
|
||||||
ail_users._create_roles_list()
|
ail_users._create_roles()
|
||||||
|
|
||||||
for user_id in r_serv_db.hkeys('user:all'):
|
for user_id in r_serv_db.hkeys('user:all'):
|
||||||
role = r_serv_db.hget(f'user_metadata:{user_id}', 'role')
|
role = r_serv_db.hget(f'user_metadata:{user_id}', 'role')
|
||||||
|
@ -248,8 +248,6 @@ def trackers_migration():
|
||||||
for obj_id in old_Tracker.get_retro_hunt_items_by_daterange(task_uuid, meta['date_from'], meta['date_to']):
|
for obj_id in old_Tracker.get_retro_hunt_items_by_daterange(task_uuid, meta['date_from'], meta['date_to']):
|
||||||
retro_hunt.add('item', '', obj_id)
|
retro_hunt.add('item', '', obj_id)
|
||||||
|
|
||||||
Tracker._fix_db_custom_tags()
|
|
||||||
|
|
||||||
|
|
||||||
###############################
|
###############################
|
||||||
# #
|
# #
|
||||||
|
@ -452,7 +450,7 @@ def crawler_migration():
|
||||||
cookie_dict = get_cookie_dict(cookie_uuid)
|
cookie_dict = get_cookie_dict(cookie_uuid)
|
||||||
if cookie_dict:
|
if cookie_dict:
|
||||||
# print(cookie_dict)
|
# print(cookie_dict)
|
||||||
crawlers.api_create_cookie(get_ail_uuid(), meta['user'], True, cookiejar_uuid, cookie_dict)
|
crawlers.api_create_cookie(get_ail_uuid(), meta['user'], 'admin', cookiejar_uuid, cookie_dict)
|
||||||
|
|
||||||
auto_crawler_web = r_crawler.smembers('auto_crawler_url:regular')
|
auto_crawler_web = r_crawler.smembers('auto_crawler_url:regular')
|
||||||
auto_crawler_onion = r_crawler.smembers('auto_crawler_url:onion')
|
auto_crawler_onion = r_crawler.smembers('auto_crawler_url:onion')
|
||||||
|
|
|
@ -31,20 +31,22 @@ if __name__ == '__main__':
|
||||||
config_loader = None
|
config_loader = None
|
||||||
date = datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S')
|
date = datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S')
|
||||||
|
|
||||||
# ORGS
|
|
||||||
# TODO CREATE DEFAULT ORG
|
|
||||||
|
|
||||||
# USERS
|
# USERS
|
||||||
print('Updating Users ...')
|
print('Updating Users ...')
|
||||||
# Create Default Org
|
# Create Default Org
|
||||||
org = ail_orgs.create_default_org()
|
org = ail_orgs.create_default_org()
|
||||||
org_uuid = org.get_uuid()
|
org_uuid = org.get_uuid()
|
||||||
|
|
||||||
for user_id in ail_users.get_users(): # TODO ORG
|
for user_id in ail_users.get_users():
|
||||||
|
if ail_users.get_user_role(user_id) == 'analyst':
|
||||||
|
ail_users.set_user_role(user_id, 'user')
|
||||||
ail_users.edit_user('admin@admin.test', user_id, org_uuid=org_uuid)
|
ail_users.edit_user('admin@admin.test', user_id, org_uuid=org_uuid)
|
||||||
r_serv_db.hset(f'ail:user:metadata:{user_id}', 'creator', 'admin@admin.test')
|
r_serv_db.hset(f'ail:user:metadata:{user_id}', 'creator', 'admin@admin.test')
|
||||||
r_serv_db.hset(f'ail:user:metadata:{user_id}', 'created_at', date)
|
r_serv_db.hset(f'ail:user:metadata:{user_id}', 'created_at', date)
|
||||||
r_serv_db.hset(f'ail:user:metadata:{user_id}', 'last_edit', date)
|
r_serv_db.hset(f'ail:user:metadata:{user_id}', 'last_edit', date)
|
||||||
|
r_serv_db.srem(f'ail:users:role:analyst', user_id)
|
||||||
|
user_role = ail_users.get_user_role(user_id)
|
||||||
|
ail_users.set_user_role(user_id, user_role)
|
||||||
# ADD User to ORG
|
# ADD User to ORG
|
||||||
org.add_user(user_id)
|
org.add_user(user_id)
|
||||||
|
|
||||||
|
|
|
@ -252,8 +252,8 @@ def objects_titles_download_unsafe():
|
||||||
@token_required('read_only')
|
@token_required('read_only')
|
||||||
def v1_investigation(investigation_uuid):
|
def v1_investigation(investigation_uuid):
|
||||||
user_token = get_auth_from_header()
|
user_token = get_auth_from_header()
|
||||||
user_org, user_id, is_admin = ail_api.get_basic_user_meta(user_token)
|
user_org, user_id, user_role = ail_api.get_basic_user_meta(user_token)
|
||||||
r = Investigations.api_get_investigation(user_org, is_admin, investigation_uuid)
|
r = Investigations.api_get_investigation(user_org, user_id, user_role, investigation_uuid)
|
||||||
return create_json_response(r[0], r[1])
|
return create_json_response(r[0], r[1])
|
||||||
|
|
||||||
# TODO CATCH REDIRECT
|
# TODO CATCH REDIRECT
|
||||||
|
|
|
@ -19,7 +19,7 @@ sys.path.append('modules')
|
||||||
import Flask_config
|
import Flask_config
|
||||||
|
|
||||||
# Import Role_Manager
|
# Import Role_Manager
|
||||||
from Role_Manager import login_admin, login_analyst, login_read_only
|
from Role_Manager import login_admin, login_analyst, login_read_only, login_user_no_api
|
||||||
|
|
||||||
sys.path.append(os.environ['AIL_BIN'])
|
sys.path.append(os.environ['AIL_BIN'])
|
||||||
##################################
|
##################################
|
||||||
|
@ -660,7 +660,7 @@ def crawler_cookiejar_add():
|
||||||
def crawler_cookiejar_add_post():
|
def crawler_cookiejar_add_post():
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
is_admin = current_user.is_admin()
|
user_role = current_user.get_role()
|
||||||
|
|
||||||
description = request.form.get('description')
|
description = request.form.get('description')
|
||||||
level = request.form.get('level')
|
level = request.form.get('level')
|
||||||
|
@ -697,11 +697,11 @@ def crawler_cookiejar_add_post():
|
||||||
|
|
||||||
# Create Cookies
|
# Create Cookies
|
||||||
if json_cookies: # TODO CHECK Import
|
if json_cookies: # TODO CHECK Import
|
||||||
res = crawlers.api_import_cookies_from_json(user_org, user_id, is_admin, cookiejar_uuid, json_cookies)
|
res = crawlers.api_import_cookies_from_json(user_org, user_id, user_role, cookiejar_uuid, json_cookies)
|
||||||
if res:
|
if res:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
for cookie_dict in l_manual_cookie:
|
for cookie_dict in l_manual_cookie:
|
||||||
crawlers.api_create_cookie(user_org, user_id, is_admin, cookiejar_uuid, cookie_dict)
|
crawlers.api_create_cookie(user_org, user_id, user_role, cookiejar_uuid, cookie_dict)
|
||||||
|
|
||||||
return redirect(url_for('crawler_splash.crawler_cookiejar_show', uuid=cookiejar_uuid))
|
return redirect(url_for('crawler_splash.crawler_cookiejar_show', uuid=cookiejar_uuid))
|
||||||
|
|
||||||
|
@ -725,10 +725,10 @@ def crawler_cookiejar_all():
|
||||||
def crawler_cookiejar_show():
|
def crawler_cookiejar_show():
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
is_admin = current_user.is_admin()
|
user_role = current_user.get_role()
|
||||||
cookiejar_uuid = request.args.get('uuid')
|
cookiejar_uuid = request.args.get('uuid')
|
||||||
|
|
||||||
res = crawlers.api_get_cookiejar(user_org, user_id, is_admin, cookiejar_uuid)
|
res = crawlers.api_get_cookiejar(user_org, user_id, user_role, cookiejar_uuid)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
else:
|
else:
|
||||||
|
@ -739,14 +739,14 @@ def crawler_cookiejar_show():
|
||||||
|
|
||||||
@crawler_splash.route('/crawler/cookie/delete', methods=['GET'])
|
@crawler_splash.route('/crawler/cookie/delete', methods=['GET'])
|
||||||
@login_required
|
@login_required
|
||||||
@login_analyst
|
@login_user_no_api
|
||||||
def crawler_cookiejar_cookie_delete():
|
def crawler_cookiejar_cookie_delete():
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
is_admin = current_user.is_admin()
|
user_role = current_user.get_role()
|
||||||
cookie_uuid = request.args.get('uuid')
|
cookie_uuid = request.args.get('uuid')
|
||||||
|
|
||||||
res = crawlers.api_delete_cookie(user_org, user_id, is_admin, cookie_uuid)
|
res = crawlers.api_delete_cookie(user_org, user_id, user_role, cookie_uuid)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
else:
|
else:
|
||||||
|
@ -760,10 +760,10 @@ def crawler_cookiejar_cookie_delete():
|
||||||
def crawler_cookiejar_delete():
|
def crawler_cookiejar_delete():
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
is_admin = current_user.is_admin()
|
user_role = current_user.get_role()
|
||||||
cookiejar_uuid = request.args.get('uuid')
|
cookiejar_uuid = request.args.get('uuid')
|
||||||
|
|
||||||
res = crawlers.api_delete_cookiejar(user_org, user_id, is_admin, cookiejar_uuid)
|
res = crawlers.api_delete_cookiejar(user_org, user_id, user_role, cookiejar_uuid)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
return redirect(url_for('crawler_splash.crawler_cookiejar_all'))
|
return redirect(url_for('crawler_splash.crawler_cookiejar_all'))
|
||||||
|
@ -775,11 +775,11 @@ def crawler_cookiejar_delete():
|
||||||
def crawler_cookiejar_edit():
|
def crawler_cookiejar_edit():
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
is_admin = current_user.is_admin()
|
user_role = current_user.get_role()
|
||||||
cookiejar_uuid = request.args.get('uuid')
|
cookiejar_uuid = request.args.get('uuid')
|
||||||
description = request.args.get('description')
|
description = request.args.get('description')
|
||||||
|
|
||||||
res = crawlers.api_edit_cookiejar_description(user_org, user_id, is_admin, cookiejar_uuid, description)
|
res = crawlers.api_edit_cookiejar_description(user_org, user_id, user_role, cookiejar_uuid, description)
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
|
|
||||||
|
|
||||||
|
@ -789,10 +789,10 @@ def crawler_cookiejar_edit():
|
||||||
def crawler_cookiejar_cookie_edit():
|
def crawler_cookiejar_cookie_edit():
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
is_admin = current_user.is_admin()
|
user_role = current_user.get_role()
|
||||||
cookie_uuid = request.args.get('uuid')
|
cookie_uuid = request.args.get('uuid')
|
||||||
|
|
||||||
cookie_dict = crawlers.api_get_cookie(user_org, user_id, is_admin, cookie_uuid)
|
cookie_dict = crawlers.api_get_cookie(user_org, user_id, user_role, cookie_uuid)
|
||||||
return render_template("edit_cookie.html", cookie_uuid=cookie_uuid, cookie_dict=cookie_dict)
|
return render_template("edit_cookie.html", cookie_uuid=cookie_uuid, cookie_dict=cookie_dict)
|
||||||
|
|
||||||
|
|
||||||
|
@ -802,7 +802,7 @@ def crawler_cookiejar_cookie_edit():
|
||||||
def crawler_cookiejar_cookie_edit_post():
|
def crawler_cookiejar_cookie_edit_post():
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
is_admin = current_user.is_admin()
|
user_role = current_user.get_role()
|
||||||
cookie_uuid = request.form.get('cookie_uuid')
|
cookie_uuid = request.form.get('cookie_uuid')
|
||||||
name = request.form.get('name')
|
name = request.form.get('name')
|
||||||
value = request.form.get('value')
|
value = request.form.get('value')
|
||||||
|
@ -821,7 +821,7 @@ def crawler_cookiejar_cookie_edit_post():
|
||||||
if secure:
|
if secure:
|
||||||
cookie_dict['secure'] = True
|
cookie_dict['secure'] = True
|
||||||
|
|
||||||
res = crawlers.api_edit_cookie(user_org, user_id, is_admin, cookie_uuid, cookie_dict)
|
res = crawlers.api_edit_cookie(user_org, user_id, user_role, cookie_uuid, cookie_dict)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
cookie = crawlers.Cookie(cookie_uuid)
|
cookie = crawlers.Cookie(cookie_uuid)
|
||||||
|
@ -835,10 +835,10 @@ def crawler_cookiejar_cookie_edit_post():
|
||||||
def crawler_cookiejar_cookie_add():
|
def crawler_cookiejar_cookie_add():
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
is_admin = current_user.is_admin()
|
user_role = current_user.get_role()
|
||||||
cookiejar_uuid = request.args.get('uuid')
|
cookiejar_uuid = request.args.get('uuid')
|
||||||
res = crawlers.api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, is_admin)
|
res = crawlers.api_check_cookiejar_access_acl(cookiejar_uuid, user_org, user_id, user_role, action='edit')
|
||||||
if res[1] != 200:
|
if res:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
return render_template("add_cookie.html", cookiejar_uuid=cookiejar_uuid)
|
return render_template("add_cookie.html", cookiejar_uuid=cookiejar_uuid)
|
||||||
|
|
||||||
|
|
|
@ -16,7 +16,7 @@ sys.path.append('modules')
|
||||||
import Flask_config
|
import Flask_config
|
||||||
|
|
||||||
# Import Role_Manager
|
# Import Role_Manager
|
||||||
from Role_Manager import login_admin, login_analyst, login_read_only
|
from Role_Manager import login_admin, login_analyst, login_user_no_api, login_read_only
|
||||||
|
|
||||||
sys.path.append(os.environ['AIL_BIN'])
|
sys.path.append(os.environ['AIL_BIN'])
|
||||||
##################################
|
##################################
|
||||||
|
@ -151,8 +151,10 @@ def tracked_menu_admin():
|
||||||
@login_read_only
|
@login_read_only
|
||||||
def show_tracker():
|
def show_tracker():
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
|
user_org = current_user.get_org()
|
||||||
|
user_role = current_user.get_role()
|
||||||
tracker_uuid = request.args.get('uuid', None)
|
tracker_uuid = request.args.get('uuid', None)
|
||||||
res = Tracker.api_check_tracker_acl(tracker_uuid, current_user.get_org(), user_id)
|
res = Tracker.api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'view')
|
||||||
if res: # invalid access
|
if res: # invalid access
|
||||||
return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
|
return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
|
||||||
|
|
||||||
|
@ -312,20 +314,21 @@ def add_tracked_menu():
|
||||||
|
|
||||||
@hunters.route("/tracker/edit", methods=['GET', 'POST'])
|
@hunters.route("/tracker/edit", methods=['GET', 'POST'])
|
||||||
@login_required
|
@login_required
|
||||||
@login_analyst
|
@login_user_no_api
|
||||||
def tracker_edit():
|
def tracker_edit():
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
|
user_role = current_user.get_role()
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
input_dict = parse_add_edit_request(request.form)
|
input_dict = parse_add_edit_request(request.form)
|
||||||
res = Tracker.api_edit_tracker(input_dict, user_org, user_id)
|
res = Tracker.api_edit_tracker(input_dict, user_org, user_id, user_role)
|
||||||
if res[1] == 200:
|
if res[1] == 200:
|
||||||
return redirect(url_for('hunters.show_tracker', uuid=res[0].get('uuid')))
|
return redirect(url_for('hunters.show_tracker', uuid=res[0].get('uuid')))
|
||||||
else:
|
else:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
else:
|
else:
|
||||||
tracker_uuid = request.args.get('uuid', None)
|
tracker_uuid = request.args.get('uuid', None)
|
||||||
res = Tracker.api_is_allowed_to_edit_tracker(tracker_uuid, user_org, user_id)
|
res = Tracker.api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'edit')
|
||||||
if res: # invalid access
|
if res: # invalid access
|
||||||
return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
|
return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
|
||||||
|
|
||||||
|
@ -356,8 +359,10 @@ def tracker_edit():
|
||||||
@login_analyst
|
@login_analyst
|
||||||
def tracker_delete():
|
def tracker_delete():
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
|
user_org = current_user.get_org()
|
||||||
|
user_role = current_user.get_role()
|
||||||
tracker_uuid = request.args.get('uuid')
|
tracker_uuid = request.args.get('uuid')
|
||||||
res = Tracker.api_delete_tracker({'uuid': tracker_uuid}, current_user.get_org(), user_id)
|
res = Tracker.api_delete_tracker({'uuid': tracker_uuid}, user_org, user_id, user_role)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
else:
|
else:
|
||||||
|
@ -369,8 +374,10 @@ def tracker_delete():
|
||||||
@login_read_only
|
@login_read_only
|
||||||
def get_json_tracker_graph():
|
def get_json_tracker_graph():
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
|
user_org = current_user.get_org()
|
||||||
|
user_role = current_user.get_role()
|
||||||
tracker_uuid = request.args.get('uuid')
|
tracker_uuid = request.args.get('uuid')
|
||||||
res = Tracker.api_check_tracker_acl(tracker_uuid, current_user.get_org(), user_id)
|
res = Tracker.api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'view')
|
||||||
if res:
|
if res:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
|
|
||||||
|
@ -392,6 +399,8 @@ def get_json_tracker_graph():
|
||||||
@login_admin
|
@login_admin
|
||||||
def tracker_object_add():
|
def tracker_object_add():
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
|
user_org = current_user.get_org()
|
||||||
|
user_role = current_user.get_role()
|
||||||
tracker_uuid = request.args.get('uuid')
|
tracker_uuid = request.args.get('uuid')
|
||||||
object_global_id = request.args.get('gid')
|
object_global_id = request.args.get('gid')
|
||||||
if object_global_id.startswith('messages::'):
|
if object_global_id.startswith('messages::'):
|
||||||
|
@ -399,7 +408,7 @@ def tracker_object_add():
|
||||||
date = obj.get_date()
|
date = obj.get_date()
|
||||||
else:
|
else:
|
||||||
date = request.args.get('date') # TODO check daterange
|
date = request.args.get('date') # TODO check daterange
|
||||||
res = Tracker.api_tracker_add_object({'uuid': tracker_uuid, 'gid': object_global_id, 'date': date}, current_user.get_org(), user_id)
|
res = Tracker.api_tracker_add_object({'uuid': tracker_uuid, 'gid': object_global_id, 'date': date}, user_org, user_id, user_role)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
else:
|
else:
|
||||||
|
@ -410,12 +419,14 @@ def tracker_object_add():
|
||||||
|
|
||||||
@hunters.route('/tracker/object/remove', methods=['GET'])
|
@hunters.route('/tracker/object/remove', methods=['GET'])
|
||||||
@login_required
|
@login_required
|
||||||
@login_analyst
|
@login_user_no_api
|
||||||
def tracker_object_remove():
|
def tracker_object_remove():
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
|
user_org = current_user.get_org()
|
||||||
|
user_role = current_user.get_role()
|
||||||
tracker_uuid = request.args.get('uuid')
|
tracker_uuid = request.args.get('uuid')
|
||||||
object_global_id = request.args.get('gid')
|
object_global_id = request.args.get('gid')
|
||||||
res = Tracker.api_tracker_remove_object({'uuid': tracker_uuid, 'gid': object_global_id}, current_user.get_org(), user_id)
|
res = Tracker.api_tracker_remove_object({'uuid': tracker_uuid, 'gid': object_global_id}, user_org, user_id, user_role)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
else:
|
else:
|
||||||
|
@ -430,8 +441,10 @@ def tracker_object_remove():
|
||||||
@login_admin
|
@login_admin
|
||||||
def tracker_objects():
|
def tracker_objects():
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
|
user_org = current_user.get_org()
|
||||||
|
user_role = current_user.get_role()
|
||||||
tracker_uuid = request.args.get('uuid', None)
|
tracker_uuid = request.args.get('uuid', None)
|
||||||
res = Tracker.api_is_allowed_to_edit_tracker(tracker_uuid, current_user.get_org(), user_id)
|
res = Tracker.api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'edit')
|
||||||
if res: # invalid access
|
if res: # invalid access
|
||||||
return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
|
return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
|
||||||
|
|
||||||
|
@ -477,6 +490,10 @@ def retro_hunt_all_tasks():
|
||||||
@login_required
|
@login_required
|
||||||
@login_read_only
|
@login_read_only
|
||||||
def retro_hunt_show_task():
|
def retro_hunt_show_task():
|
||||||
|
user_org = current_user.get_org()
|
||||||
|
user_id = current_user.get_user_id()
|
||||||
|
user_role = current_user.get_role()
|
||||||
|
|
||||||
task_uuid = request.args.get('uuid', None)
|
task_uuid = request.args.get('uuid', None)
|
||||||
objs = request.args.get('objs', False)
|
objs = request.args.get('objs', False)
|
||||||
|
|
||||||
|
@ -490,8 +507,11 @@ def retro_hunt_show_task():
|
||||||
res = Tracker.api_check_retro_hunt_task_uuid(task_uuid)
|
res = Tracker.api_check_retro_hunt_task_uuid(task_uuid)
|
||||||
if res:
|
if res:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
|
|
||||||
retro_hunt = Tracker.RetroHunt(task_uuid)
|
retro_hunt = Tracker.RetroHunt(task_uuid)
|
||||||
|
res = Tracker.api_check_retro_hunt_acl(retro_hunt, user_org, user_id, user_role, 'view')
|
||||||
|
if res:
|
||||||
|
return res
|
||||||
|
|
||||||
dict_task = retro_hunt.get_meta(options={'creator', 'date', 'description', 'level', 'progress', 'filters', 'nb_objs', 'tags'})
|
dict_task = retro_hunt.get_meta(options={'creator', 'date', 'description', 'level', 'progress', 'filters', 'nb_objs', 'tags'})
|
||||||
rule_content = Tracker.get_yara_rule_content(dict_task['rule'])
|
rule_content = Tracker.get_yara_rule_content(dict_task['rule'])
|
||||||
dict_task['filters'] = json.dumps(dict_task['filters'], indent=4)
|
dict_task['filters'] = json.dumps(dict_task['filters'], indent=4)
|
||||||
|
@ -614,9 +634,10 @@ def retro_hunt_add_task():
|
||||||
@login_analyst
|
@login_analyst
|
||||||
def retro_hunt_pause_task():
|
def retro_hunt_pause_task():
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
is_admin = current_user.is_admin()
|
user_id = current_user.get_user_id()
|
||||||
|
user_role = current_user.get_role()
|
||||||
task_uuid = request.args.get('uuid', None)
|
task_uuid = request.args.get('uuid', None)
|
||||||
res = Tracker.api_pause_retro_hunt_task(user_org, is_admin, task_uuid)
|
res = Tracker.api_pause_retro_hunt_task(user_org, user_id, user_role, task_uuid)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
return redirect(url_for('hunters.retro_hunt_all_tasks'))
|
return redirect(url_for('hunters.retro_hunt_all_tasks'))
|
||||||
|
@ -626,9 +647,10 @@ def retro_hunt_pause_task():
|
||||||
@login_analyst
|
@login_analyst
|
||||||
def retro_hunt_resume_task():
|
def retro_hunt_resume_task():
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
is_admin = current_user.is_admin()
|
user_id = current_user.get_user_id()
|
||||||
|
user_role = current_user.get_role()
|
||||||
task_uuid = request.args.get('uuid', None)
|
task_uuid = request.args.get('uuid', None)
|
||||||
res = Tracker.api_resume_retro_hunt_task(user_org, is_admin, task_uuid)
|
res = Tracker.api_resume_retro_hunt_task(user_org, user_id, user_role, task_uuid)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
return redirect(url_for('hunters.retro_hunt_all_tasks'))
|
return redirect(url_for('hunters.retro_hunt_all_tasks'))
|
||||||
|
@ -638,9 +660,10 @@ def retro_hunt_resume_task():
|
||||||
@login_analyst
|
@login_analyst
|
||||||
def retro_hunt_delete_task():
|
def retro_hunt_delete_task():
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
is_admin = current_user.is_admin()
|
user_id = current_user.get_id()
|
||||||
|
user_role = current_user.get_role()
|
||||||
task_uuid = request.args.get('uuid', None)
|
task_uuid = request.args.get('uuid', None)
|
||||||
res = Tracker.api_delete_retro_hunt_task(user_org, is_admin, task_uuid)
|
res = Tracker.api_delete_retro_hunt_task(user_org, user_id, user_role, task_uuid)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
return redirect(url_for('hunters.retro_hunt_all_tasks'))
|
return redirect(url_for('hunters.retro_hunt_all_tasks'))
|
||||||
|
|
|
@ -53,13 +53,13 @@ def investigations_dashboard():
|
||||||
@login_read_only
|
@login_read_only
|
||||||
def show_investigation():
|
def show_investigation():
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
# user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
is_admin = current_user.is_admin()
|
user_role = current_user.get_role()
|
||||||
investigation_uuid = request.args.get("uuid")
|
investigation_uuid = request.args.get("uuid")
|
||||||
investigation = Investigations.Investigation(investigation_uuid)
|
investigation = Investigations.Investigation(investigation_uuid)
|
||||||
if not investigation.exists():
|
if not investigation.exists():
|
||||||
create_json_response({'status': 'error', 'reason': 'Investigation Not Found'}, 404)
|
create_json_response({'status': 'error', 'reason': 'Investigation Not Found'}, 404)
|
||||||
res = Investigations.api_check_access_acl(investigation, user_org, is_admin=is_admin)
|
res = Investigations.api_check_investigation_acl(investigation, user_org, user_id, user_role, 'view')
|
||||||
if res:
|
if res:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
|
|
||||||
|
@ -124,7 +124,7 @@ def edit_investigation(): # TODO CHECK ACL
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
is_admin = current_user.is_admin()
|
user_role = current_user.get_role()
|
||||||
investigation_uuid = request.form.get("investigation_uuid")
|
investigation_uuid = request.form.get("investigation_uuid")
|
||||||
level = request.form.get("investigation_level")
|
level = request.form.get("investigation_level")
|
||||||
name = request.form.get("investigation_name")
|
name = request.form.get("investigation_name")
|
||||||
|
@ -153,7 +153,7 @@ def edit_investigation(): # TODO CHECK ACL
|
||||||
input_dict = {"user_id": user_id, "uuid": investigation_uuid, "level": level,
|
input_dict = {"user_id": user_id, "uuid": investigation_uuid, "level": level,
|
||||||
"name": name, "threat_level": threat_level,
|
"name": name, "threat_level": threat_level,
|
||||||
"analysis": analysis, "info": info, "tags": tags}
|
"analysis": analysis, "info": info, "tags": tags}
|
||||||
res = Investigations.api_edit_investigation(user_org, user_id, is_admin, input_dict)
|
res = Investigations.api_edit_investigation(user_org, user_id, user_role, input_dict)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
|
|
||||||
|
@ -175,10 +175,10 @@ def edit_investigation(): # TODO CHECK ACL
|
||||||
def delete_investigation():
|
def delete_investigation():
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
is_admin = current_user.is_admin()
|
user_role = current_user.get_role()
|
||||||
investigation_uuid = request.args.get('uuid')
|
investigation_uuid = request.args.get('uuid')
|
||||||
input_dict = {"uuid": investigation_uuid}
|
input_dict = {"uuid": investigation_uuid}
|
||||||
res = Investigations.api_delete_investigation(user_org, user_id, is_admin, input_dict)
|
res = Investigations.api_delete_investigation(user_org, user_id, user_role, input_dict)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
return redirect(url_for('investigations_b.investigations_dashboard'))
|
return redirect(url_for('investigations_b.investigations_dashboard'))
|
||||||
|
@ -189,7 +189,7 @@ def delete_investigation():
|
||||||
def register_investigation():
|
def register_investigation():
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
is_admin = current_user.is_admin()
|
user_role = current_user.get_role()
|
||||||
investigations_uuid = request.args.get('uuids')
|
investigations_uuid = request.args.get('uuids')
|
||||||
investigations_uuid = investigations_uuid.split(',')
|
investigations_uuid = investigations_uuid.split(',')
|
||||||
|
|
||||||
|
@ -203,7 +203,7 @@ def register_investigation():
|
||||||
"type": object_type, "subtype": object_subtype}
|
"type": object_type, "subtype": object_subtype}
|
||||||
if comment:
|
if comment:
|
||||||
input_dict["comment"] = comment
|
input_dict["comment"] = comment
|
||||||
res = Investigations.api_register_object(user_org, user_id, is_admin, input_dict)
|
res = Investigations.api_register_object(user_org, user_id, user_role, input_dict)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
return redirect(url_for('investigations_b.investigations_dashboard', uuid=investigation_uuid))
|
return redirect(url_for('investigations_b.investigations_dashboard', uuid=investigation_uuid))
|
||||||
|
@ -214,14 +214,14 @@ def register_investigation():
|
||||||
def unregister_investigation():
|
def unregister_investigation():
|
||||||
user_id = current_user.get_user_id()
|
user_id = current_user.get_user_id()
|
||||||
user_org = current_user.get_org()
|
user_org = current_user.get_org()
|
||||||
is_admin = current_user.is_admin()
|
user_role = current_user.get_role()
|
||||||
investigation_uuid = request.args.get('uuid')
|
investigation_uuid = request.args.get('uuid')
|
||||||
object_type = request.args.get('type')
|
object_type = request.args.get('type')
|
||||||
object_subtype = request.args.get('subtype')
|
object_subtype = request.args.get('subtype')
|
||||||
object_id = request.args.get('id')
|
object_id = request.args.get('id')
|
||||||
input_dict = {"uuid": investigation_uuid, "id": object_id,
|
input_dict = {"uuid": investigation_uuid, "id": object_id,
|
||||||
"type": object_type, "subtype": object_subtype}
|
"type": object_type, "subtype": object_subtype}
|
||||||
res = Investigations.api_unregister_object(user_org, user_id, is_admin, input_dict)
|
res = Investigations.api_unregister_object(user_org, user_id, user_role, input_dict)
|
||||||
if res[1] != 200:
|
if res[1] != 200:
|
||||||
return create_json_response(res[0], res[1])
|
return create_json_response(res[0], res[1])
|
||||||
return redirect(url_for('investigations_b.show_investigation', uuid=investigation_uuid))
|
return redirect(url_for('investigations_b.show_investigation', uuid=investigation_uuid))
|
||||||
|
|
|
@ -219,7 +219,7 @@ def create_user():
|
||||||
if r[1] != 200:
|
if r[1] != 200:
|
||||||
return create_json_response(r[0], r[1])
|
return create_json_response(r[0], r[1])
|
||||||
meta = r[0]
|
meta = r[0]
|
||||||
all_roles = ail_users.get_all_roles()
|
all_roles = ail_users.get_roles()
|
||||||
orgs = ail_orgs.get_orgs_selector()
|
orgs = ail_orgs.get_orgs_selector()
|
||||||
return render_template("create_user.html", all_roles=all_roles, orgs=orgs, meta=meta,
|
return render_template("create_user.html", all_roles=all_roles, orgs=orgs, meta=meta,
|
||||||
error=error, error_mail=error_mail,
|
error=error, error_mail=error_mail,
|
||||||
|
@ -251,7 +251,7 @@ def create_user_post():
|
||||||
else:
|
else:
|
||||||
enable_2_fa = False
|
enable_2_fa = False
|
||||||
|
|
||||||
all_roles = ail_users.get_all_roles()
|
all_roles = ail_users.get_roles()
|
||||||
|
|
||||||
if email and len(email) < 300 and ail_users.check_email(email) and role:
|
if email and len(email) < 300 and ail_users.check_email(email) and role:
|
||||||
if role in all_roles:
|
if role in all_roles:
|
||||||
|
|
|
@ -17,7 +17,7 @@ if __name__ == "__main__":
|
||||||
password = ail_users.gen_password()
|
password = ail_users.gen_password()
|
||||||
|
|
||||||
# create role_list
|
# create role_list
|
||||||
ail_users._create_roles_list()
|
ail_users._create_roles()
|
||||||
|
|
||||||
if not ail_users.exists_user(user_id):
|
if not ail_users.exists_user(user_id):
|
||||||
# Create Default Org
|
# Create Default Org
|
||||||
|
|
Loading…
Reference in a new issue