Merge pull request #52 from automationator/master

Allows creating intel references without the username parameter
IntegralDefense · Mar 20, 2019 · 430ca65 · 430ca65
2 parents d860485 + 91958d6
commit 430ca65
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 12 deletions.
diff --git a/services/web/project/api/routes/intel_reference.py b/services/web/project/api/routes/intel_reference.py
@@ -5,6 +5,7 @@
 from project.api import bp
 from project.api.decorators import check_apikey, validate_json, validate_schema
 from project.api.errors import error_response
+from project.api.helpers import get_apikey
 from project.api.schemas import intel_reference_create, intel_reference_update
 from project.models import IntelReference, IntelSource, User
 
@@ -57,17 +58,29 @@ def create_intel_reference():
     :status 400: JSON does not match the schema
     :status 401: Invalid role to perform this action
     :status 401: Username is inactive
+    :status 401: You must supply either username or API key
     :status 404: Source not found
+    :status 404: User not found by API key
     :status 404: Username not found
     :status 409: Intel reference already exists
     """
 
     data = request.get_json()
 
-    # Verify the username exists.
-    user = User.query.filter_by(username=data['username']).first()
-    if not user:
-        return error_response(404, 'User username not found: {}'.format(data['username']))
+    # Verify the user exists.
+    user = None
+    if 'username' in data:
+        user = User.query.filter_by(username=data['username']).first()
+        if not user:
+            return error_response(404, 'User not found by username')
+    else:
+        apikey = get_apikey(request)
+        if apikey:
+            user = User.query.filter_by(apikey=apikey).first()
+            if not user:
+                return error_response(404, 'User not found by API key')
+        else:
+            return error_response(401, 'You must supply either username or API key')
 
     # Verify the user is active.
     if not user.active:

diff --git a/services/web/project/api/schemas/intel_reference_create.json b/services/web/project/api/schemas/intel_reference_create.json
@@ -5,6 +5,6 @@
         "source": {"type": "string", "minLength": 1, "maxLength": 255},
         "username": {"type": "string", "minLength": 1, "maxLength": 255}
     },
-    "required": ["reference", "source", "username"],
+    "required": ["reference", "source"],
     "additionalProperties": false
 }
diff --git a/services/web/project/tests/api/test_intel_reference.py b/services/web/project/tests/api/test_intel_reference.py
@@ -31,13 +31,6 @@ def test_create_schema(client):
     assert request.status_code == 400
     assert response['msg'] == "Request JSON does not match schema: 'source' is a required property"
 
-    # Missing required username parameter
-    data = {'source': 'asdf', 'reference': 'asdf'}
-    request = client.post('/api/intel/reference', json=data)
-    response = json.loads(request.data.decode())
-    assert request.status_code == 400
-    assert response['msg'] == "Request JSON does not match schema: 'username' is a required property"
-
     # Additional parameter
     data = {'reference': 'asdf', 'source': 'asdf', 'username': 'asdf', 'asdf': 'asdf'}
     request = client.post('/api/intel/reference', json=data)
@@ -186,6 +179,47 @@ def test_create_invalid_role(app, client):
     assert response['msg'] == 'Insufficient privileges'
 
 
+def test_create_api_key_instead_of_username(app, client):
+    """ Ensure that supplying an API key instead of username value works """
+
+    app.config['INTELREFERENCE_AUTO_CREATE_INTELSOURCE'] = True
+
+    # Try a missing API key.
+    data = {'reference': 'http://blahblah.com',
+            'source': 'OSINT'}
+    request = client.post('/api/intel/reference', json=data)
+    response = json.loads(request.data.decode())
+    assert request.status_code == 401
+    assert response['msg'] == 'You must supply either username or API key'
+
+    # Try an invalid API key.
+    headers = {'Authorization': 'Apikey ' + 'this-api-key-does-not-exist'}
+    data = {'reference': 'http://blahblah.com',
+            'source': 'OSINT'}
+    request = client.post('/api/intel/reference', headers=headers, json=data)
+    response = json.loads(request.data.decode())
+    assert request.status_code == 404
+    assert response['msg'] == 'User not found by API key'
+
+    # Try an inactive API key.
+    headers = {'Authorization': 'Apikey ' + TEST_INACTIVE_APIKEY}
+    data = {'reference': 'http://blahblah.com',
+            'source': 'OSINT'}
+    request = client.post('/api/intel/reference', headers=headers, json=data)
+    response = json.loads(request.data.decode())
+    assert request.status_code == 401
+    assert response['msg'] == 'Cannot create an intel reference with an inactive user'
+
+    # Try a valid API key.
+    headers = {'Authorization': 'Apikey ' + TEST_ANALYST_APIKEY}
+    data = {'reference': 'http://blahblah.com',
+            'source': 'OSINT'}
+    request = client.post('/api/intel/reference', headers=headers, json=data)
+    response = json.loads(request.data.decode())
+    assert request.status_code == 201
+    assert response['user'] == 'analyst'
+
+
 def test_create_autocreate_intel_source(app, client):
     """ Ensure the auto-create intel source config actually works """