import sys
import datetime
import json
import logging
from bson import json_util
from dateutil.parser import parse
from time import gmtime, strftime
from django.conf import settings
from django import get_version
from django.contrib.auth.decorators import user_passes_test
try:
from django.urls import reverse
except ImportError:
from django.core.urlresolvers import reverse
from django.http import HttpResponse, HttpResponseRedirect
from django.shortcuts import render, redirect
from django.template.loader import render_to_string
from crits.actors.actor import ActorThreatIdentifier
from crits.actors.forms import AddActorForm, AddActorIdentifierTypeForm
from crits.actors.forms import AddActorIdentifierForm, AttributeIdentifierForm
from crits.backdoors.forms import AddBackdoorForm
from crits.campaigns.campaign import Campaign
from crits.campaigns.forms import AddCampaignForm, CampaignForm
from crits.certificates.forms import UploadCertificateForm
from crits.comments.forms import AddCommentForm, InlineCommentForm
from crits.config.config import CRITsConfig
from crits.core.crits_mongoengine import Action
from crits.core.data_tools import json_handler
from crits.core.forms import SourceAccessForm, AddSourceForm
from crits.core.forms import ActionsForm, NewActionForm
from crits.core.forms import SourceForm, DownloadFileForm, AddReleasabilityForm
from crits.core.forms import TicketForm, AddRoleForm, RoleCombinePreview
from crits.core.handlers import add_releasability, add_releasability_instance
from crits.core.handlers import remove_releasability, remove_releasability_instance
from crits.core.handlers import add_new_source, generate_counts_jtable
from crits.core.handlers import source_add_update, source_remove, source_remove_all
from crits.core.handlers import modify_bucket_list, promote_bucket_list
from crits.core.handlers import download_object_handler, unflatten
from crits.core.handlers import modify_sector_list, validate_next
from crits.core.handlers import generate_bucket_jtable, generate_bucket_csv
from crits.core.handlers import generate_sector_jtable, generate_sector_csv
from crits.core.handlers import generate_dashboard, generate_global_search
from crits.core.handlers import login_user, reset_user_password
from crits.core.handlers import generate_user_profile, generate_user_preference
from crits.core.handlers import modify_source_access, get_bucket_autocomplete
from crits.core.handlers import dns_timeline, email_timeline, indicator_timeline
from crits.core.handlers import generate_users_jtable, generate_items_jtable
from crits.core.handlers import toggle_item_state, download_grid_file
from crits.core.handlers import get_data_for_item, generate_audit_jtable
from crits.core.handlers import details_from_id, status_update, set_role_value
from crits.core.handlers import get_favorites, favorite_update, get_role_details
from crits.core.handlers import generate_favorites_jtable, generate_roles_jtable
from crits.core.handlers import ticket_add, ticket_update, ticket_remove
from crits.core.handlers import add_new_role, render_role_graph
from crits.core.handlers import add_role_source, remove_role_source
from crits.core.handlers import edit_role_description, edit_role_name
from crits.core.handlers import modify_tlp, description_update, data_update
from crits.core.handlers import do_add_preferred_actions, add_new_action
from crits.core.handlers import action_add, action_remove, action_update
from crits.core.handlers import get_action_types_for_tlo, generate_audit_csv
from crits.core.source_access import SourceAccess
from crits.core.user import CRITsUser
from crits.core.user_tools import user_can_view_data, user_sources
from crits.core.user_tools import get_nav_template
from crits.core.user_tools import get_acl_object
from crits.core.user_tools import get_user_email_notification
from crits.core.user_tools import get_user_info, get_user_organization
from crits.core.user_tools import is_user_subscribed, unsubscribe_user
from crits.core.user_tools import subscribe_user, subscribe_to_source
from crits.core.user_tools import unsubscribe_from_source, is_user_subscribed_to_source
from crits.core.user_tools import change_user_password, toggle_active
from crits.core.user_tools import save_user_secret
from crits.core.user_tools import toggle_user_preference, update_user_preference
from crits.core.user_tools import get_api_key_by_name, create_api_key_by_name
from crits.core.user_tools import revoke_api_key_by_name, make_default_api_key_by_name
from crits.core.class_mapper import class_from_id
from crits.domains.forms import TLDUpdateForm, AddDomainForm
from crits.emails.forms import EmailUploadForm, EmailEMLForm, EmailYAMLForm, EmailRawUploadForm, EmailOutlookForm
from crits.events.forms import EventForm
from crits.exploits.forms import AddExploitForm
from crits.indicators.forms import UploadIndicatorCSVForm, UploadIndicatorTextForm
from crits.indicators.forms import UploadIndicatorForm
from crits.ips.forms import AddIPForm
from crits.locations.forms import AddLocationForm
from crits.notifications.handlers import get_user_notifications
from crits.notifications.handlers import remove_user_from_notification
from crits.notifications.handlers import remove_user_notifications
from crits.objects.forms import AddObjectForm
from crits.pcaps.forms import UploadPcapForm
from crits.raw_data.forms import UploadRawDataFileForm, UploadRawDataForm
from crits.raw_data.forms import NewRawDataTypeForm
from crits.raw_data.raw_data import RawDataType
from crits.relationships.forms import ForgeRelationshipForm
from crits.samples.forms import UploadFileForm
from crits.screenshots.forms import AddScreenshotForm
from crits.signatures.forms import UploadSignatureForm
from crits.signatures.forms import NewSignatureTypeForm
from crits.signatures.forms import NewSignatureDependencyForm
from crits.signatures.signature import SignatureType
from crits.signatures.signature import SignatureDependency
from crits.targets.forms import TargetInfoForm
from crits.vocabulary.sectors import Sectors
from crits.vocabulary.acls import *
# Module logger; the views below use it for dialog-preparation failures and
# for a missing REMOTE_USER header.
logger = logging.getLogger(__name__)
# Django version as returned by django.get_version(): a *string* such as
# "1.11.29". NOTE(review): comparing it against a tuple like (1, 10) does not
# compare version numbers; use django.VERSION when a tuple comparison is needed.
django_version = get_version()
@user_passes_test(user_can_view_data)
def update_object_description(request):
    """
    Update the description of a top-level object. Should be an AJAX POST.

    The requesting user must hold the DESCRIPTION_EDIT ACL for the object's
    type; that check is made here before ``description_update`` is called.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    if not (request.method == "POST" and request.is_ajax()):
        return render(request, "error.html", {"error" : 'Expected AJAX POST.'})

    user = request.user
    type_ = request.POST['type']
    id_ = request.POST['id']
    description = request.POST['description']

    # The ACL object is resolved per TLO type, so a user may be allowed to
    # edit descriptions of some types but not others.
    acl = get_acl_object(type_)
    if user.has_access_to(acl.DESCRIPTION_EDIT):
        payload = description_update(type_, id_, description, user.username)
    else:
        payload = {'success':False,
                   'message':'User does not have permission to edit description.'}
    return HttpResponse(json.dumps(payload), content_type="application/json")
@user_passes_test(user_can_view_data)
def update_object_data(request):
    """
    Update the data in a data element. Should be an AJAX POST.

    NOTE(review): unlike :func:`update_object_description` and
    :func:`update_status`, no per-type ACL check is made in this view; the
    requesting user is passed through to ``data_update`` — confirm the
    handler enforces edit rights.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    if request.method == "POST" and request.is_ajax():
        result = data_update(request.POST['type'],
                             request.POST['id'],
                             request.POST['data'],
                             request.user)
        return HttpResponse(json.dumps(result), content_type="application/json")
    return render(request, "error.html", {"error" : 'Expected AJAX POST.'})
@user_passes_test(user_can_view_data)
def toggle_favorite(request):
    """
    Toggle favorite in a user profile. Should be an AJAX POST.

    The ``type`` and ``id`` POST fields identify the object whose favorite
    flag is flipped for the requesting user.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    if request.method == "POST" and request.is_ajax():
        result = favorite_update(request.POST['type'],
                                 request.POST['id'],
                                 request.user)
        return HttpResponse(json.dumps(result), content_type="application/json")
    return render(request, "error.html", {"error" : 'Expected AJAX POST.'})
@user_passes_test(user_can_view_data)
def favorites(request):
    """
    Get favorites for the requesting user. Should be an AJAX POST.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    if not (request.method == "POST" and request.is_ajax()):
        return render(request, "error.html", {"error" : 'Expected AJAX POST.'})
    payload = get_favorites(request.user)
    return HttpResponse(json.dumps(payload), content_type="application/json")
@user_passes_test(user_can_view_data)
def favorites_list(request, ctype=None, option=None):
    """
    Get favorites for a user for jtable.

    Thin wrapper around ``generate_favorites_jtable``.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :param ctype: CRITs type to list favorites for, or None.
    :param option: jtable action, or None.
    :returns: :class:`django.http.HttpResponse`
    """
    table = generate_favorites_jtable(request, ctype, option)
    return table
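@user_passes_test(user_can_view_data)
def get_dialog(request):
    """
    Get a specific dialog for rendering in the UI.

    The ``dialog`` query parameter selects exactly one form to instantiate,
    and ``<dialog>.html`` is the template rendered. Since ``dialog`` is
    client-supplied, only names matched by a branch below are ever used as a
    template name; anything else falls through to ``error.html``. Keep the
    final ``else`` in place when adding new dialogs.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    dialog = str(request.GET.get('dialog', ''))
    params = {}
    # Only prepare & serve the single form being requested
    try:
        # These require no params
        if dialog == 'action_add':
            params['add_new_action'] = NewActionForm()
        elif dialog == 'comments':
            params['comment_add'] = AddCommentForm()
        elif dialog == 'new-inline-comment':
            params['inline_comment_add'] = InlineCommentForm()
        elif dialog == 'new-campaign':
            params['campaign_add'] = AddCampaignForm()
        elif dialog == 'campaign-add':
            params['campaign_form'] = CampaignForm()
        elif dialog == 'location-add':
            params['location_add'] = AddLocationForm()
        elif dialog == 'raw_data_type_add':
            params['add_raw_data_type'] = NewRawDataTypeForm()
        elif dialog == 'forge-relationship':
            params['relationship_form'] = ForgeRelationshipForm()
        elif dialog == 'signature_type_add':
            params['add_signature_type'] = NewSignatureTypeForm()
        elif dialog == 'signature_dependency_add':
            params['add_signature_dependency'] = NewSignatureDependencyForm()
        elif dialog == 'upload_tlds':
            params['upload_tlds'] = TLDUpdateForm()
        elif dialog == 'actor_identifier_type_add':
            params['add_actor_identifier_type'] = AddActorIdentifierTypeForm()
        elif dialog == 'attribute_actor_identifier':
            params['attribute_actor_identifier'] = AttributeIdentifierForm()
        elif dialog == 'role_combine_preview':
            params['role_combine_preview'] = RoleCombinePreview()
        elif dialog == 'new-role':
            params['role_add'] = AddRoleForm()
        # These require user as parameter
        elif dialog == 'new-target':
            params['add_target'] = TargetInfoForm(request.user)
        elif dialog == 'new-actor':
            params['actor_add'] = AddActorForm(request.user)
        elif dialog == 'new-actor-identifier':
            params['add_actor_identifier'] = AddActorIdentifierForm(request.user)
        elif dialog == 'new-backdoor':
            params['backdoor_add'] = AddBackdoorForm(request.user)
        elif dialog == 'new-exploit':
            params['exploit_add'] = AddExploitForm(request.user)
        elif dialog == 'new-domain':
            params['add_domain'] = AddDomainForm(request.user)
        elif dialog == 'new-certificate':
            params['upload_cert'] = UploadCertificateForm(request.user)
        elif dialog == 'new-indicator-csv':
            params['upload_csv'] = UploadIndicatorCSVForm(request.user)
        elif dialog == 'new-email-outlook':
            params['upload_email_outlook'] = EmailOutlookForm(request.user)
        elif dialog == 'new-email-eml':
            params['upload_email_eml'] = EmailEMLForm(request.user)
        elif dialog == 'new-email-fields':
            params['upload_email_fields'] = EmailUploadForm(request.user)
        elif dialog == 'new-email-yaml':
            params['upload_email_yaml'] = EmailYAMLForm(request.user)
        elif dialog == 'new-email-raw':
            params['upload_email_raw'] = EmailRawUploadForm(request.user)
        elif dialog == 'new-event':
            params['upload_event'] = EventForm(request.user)
        elif dialog == 'new-indicator':
            params['upload_ind'] = UploadIndicatorForm(request.user)
        elif dialog == 'new-pcap':
            params['upload_pcap'] = UploadPcapForm(request.user)
        elif dialog == 'indicator-blob':
            params['upload_text'] = UploadIndicatorTextForm(request.user)
        elif dialog == 'new-sample':
            params['upload_sample'] = UploadFileForm(request.user)
        elif dialog == 'add-object':
            params['object_form'] = AddObjectForm(request.user)
        elif dialog == 'releasability-add':
            params['releasability_form'] = AddReleasabilityForm(request.user)
        elif dialog == 'add-screenshot':
            params['screenshots_form'] = AddScreenshotForm(request.user)
        elif dialog == 'new-raw-data':
            params['upload_raw_data'] = UploadRawDataForm(request.user)
        elif dialog == 'new-raw-data-file':
            params['upload_raw_data_file'] = UploadRawDataFileForm(request.user)
        elif dialog == 'new-signature':
            params['upload_signature'] = UploadSignatureForm(request.user)
        # Others
        elif dialog == 'ticket':
            params['new_ticket'] = TicketForm(initial={'date': datetime.datetime.now()})
        elif dialog == 'new-ip':
            params['ip_form'] = AddIPForm(request.user, None)
        elif dialog == 'action_add':
            # NOTE(review): unreachable -- 'action_add' is already matched by
            # the first branch above, so ActionsForm is never prepared here.
            # Left in place rather than merged so the template contract is
            # not changed silently.
            params['new_action'] = ActionsForm(initial={'analyst': request.user.username,
                                                        'active': "off",
                                                        'date': datetime.datetime.now()})
        elif dialog == 'source-add':
            params['source_add'] = SourceForm(request.user, initial={'analyst': request.user.username})
        # Admin required -> Since this is checked by the method itself, we no longer check
        elif dialog == 'source_create':
            params['source_create'] = AddSourceForm()
        # If this is hit, requested dialog does not exist.
        else:
            dialog = 'error'
            params['error'] = "Dialog does not exist"
    except Exception as e:
        # Form construction failed: show a generic message to the client and
        # keep the cause in the server log only.
        dialog = 'error'
        params['error'] = 'Error preparing requested dialog'
        logger.warning("Dialog error: %s", e)
    return render(request, dialog + ".html", params)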
@user_passes_test(user_can_view_data)
def update_status(request, type_, id_):
    """
    Update the status of a top-level object. Should be an AJAX POST.

    Requires the STATUS_EDIT ACL for ``type_``; without it a JSON failure is
    returned and ``status_update`` is not called.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :param type_: The top-level object to update.
    :type type_: str
    :param id_: The ObjectId to search for.
    :type id_: str
    :returns: :class:`django.http.HttpResponse`
    """
    if not (request.method == "POST" and request.is_ajax()):
        return render(request, "error.html", {"error" : 'Expected AJAX POST.'})

    value = request.POST['value']
    user = request.user
    if user.has_access_to(get_acl_object(type_).STATUS_EDIT):
        payload = status_update(type_, id_, value, user)
    else:
        payload = {"success":False,
                   "message":"User does not have permission to edit status."}
    return HttpResponse(json.dumps(payload), content_type="application/json")
@user_passes_test(user_can_view_data)
def get_item_data(request):
    """
    Get basic data for an item. Should be an AJAX POST.

    The item is identified by the ``id``/``type`` POST fields; whichever of
    them is empty is taken from the ``crits_rel_id``/``crits_rel_type``
    cookies instead.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    # Right now we pass the id/type for the data we want
    # If we write a function that doesn't pass these values,
    # then grab them from the cookies
    item_id = request.POST.get('id','') or request.COOKIES.get('crits_rel_id','')
    item_type = request.POST.get('type','') or request.COOKIES.get('crits_rel_type','')
    payload = get_data_for_item(item_type, item_id)
    # json_handler serialises the non-JSON-native values in the result
    return HttpResponse(json.dumps(payload, default=json_handler),
                        content_type="application/json")
@user_passes_test(user_can_view_data)
def global_search_listing(request):
    """
    Return results for a global search.

    ``q`` must be present in the query string. When the search resolves to a
    single ObjectId the client is redirected to that object; an ``ERROR``
    result from the handler is shown on the error page; anything else
    renders the listing template with the handler's result as context.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    # For object searches
    if 'q' not in request.GET:
        return render(request, "error.html", {"error" : 'No valid search criteria'})

    results = generate_global_search(request)
    # If we matched a single ObjectID
    if 'url' in results:
        return redirect(results['url'], results['key'])
    # For all other searches
    failed = 'Result' in results and results['Result'] == "ERROR"
    if failed:
        return render(request, "error.html", {"error": results['Message']})
    return render(request, "search_listing.html", results)
def about(request):
    """
    Return the About page.

    Lists every loaded top-level module (no dot in its name) that exposes
    both ``__path__`` and ``__version__``, with its version and first path
    entry. NOTE(review): this view is not wrapped in ``user_passes_test``, so
    the package versions and on-disk paths are visible to unauthenticated
    clients; consider requiring login as the other views here do.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    def _is_versioned_package(mod):
        # All loaded modules without dot in the name, with __path__, and with __version__
        return (getattr(mod, '__path__', '')
                and getattr(mod, '__version__', '')
                and '.' not in mod.__name__)

    loaded = sorted(
        (mod.__name__.lower(), getattr(mod, '__version__', ''), mod.__path__[0])
        for mod in sys.modules.values() if _is_versioned_package(mod)
    )
    return render(request, 'about.html', {"loaded_mods": loaded,})
def help(request):
    """
    Return the Help page.

    The name shadows the ``help`` builtin; it is kept because it is part of
    this module's public view interface.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    context = {}
    return render(request, 'help.html', context)
# Mongo Auth
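def login(request):
    """
    Authenticate a user.

    A plain GET renders the login form. An AJAX POST performs the actual
    authentication through ``login_user`` and returns its result as JSON.
    When ``remote_user`` is enabled in the CRITs config the username is read
    from the ``settings.REMOTE_USER_META`` request header instead of the form
    and the credential fields are hidden; TOTP can still be required.

    Every rejection in the POST branch returns the same message, so a client
    cannot tell an unknown user from a bad password or a missing
    WEB_INTERFACE right.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    # Gather basic request information
    crits_config = CRITsConfig.objects().first()
    url = request.GET.get('next')
    user_agent = request.META.get('HTTP_USER_AGENT', '')
    remote_addr = request.META.get('REMOTE_ADDR', '')
    accept_language = request.META.get('HTTP_ACCEPT_LANGUAGE', '')
    next_url = request.GET.get('next', request.POST.get('next', None))
    user = request.user

    # Is the user already authenticated?
    # `is_authenticated` is a method before Django 1.10 and a (callable)
    # bool from 1.10 on. Calling it only when it is callable covers both and
    # avoids comparing `django_version` -- a string -- against a tuple.
    is_authenticated = user.is_authenticated
    if callable(is_authenticated):
        is_authenticated = is_authenticated()
    # `is_ajax` is a method and must be called: the bound method itself is
    # always truthy, which previously made this whole branch unreachable.
    if (is_authenticated and user.has_access_to(GeneralACL.WEB_INTERFACE)
            and not request.is_ajax()):
        # validate_next decides whether next_url may be followed; on failure
        # its message is shown instead of being redirected to.
        resp = validate_next(next_url)
        if not resp['success']:
            return render(request, 'error.html',
                          {'data': resp,
                           'error': resp['message']})
        return HttpResponseRedirect(resp['message'])

    # Setup defaults
    username = None
    login_ = True
    show_auth = True
    message = crits_config.crits_message
    token_message = """
<b>If you are not using TOTP or not sure what TOTP is,<br />leave the Token field empty.</b><br />
If you are setting up TOTP for the first time, please enter a PIN above.<br />
If you are already setup with TOTP, please enter your PIN + Key above."""
    response = {}

    # Check for remote user being enabled and check for user
    if crits_config.remote_user:
        show_auth = False
        # This trusts whatever the web server placed in the META key; with
        # remote_user enabled the upstream authenticator must be the only
        # component able to set it.
        username = request.META.get(settings.REMOTE_USER_META,None)
        if username:
            resp = login_user(username, None, next_url, user_agent,
                              remote_addr, accept_language, request,
                              totp_pass=None)
            if resp['success']:
                return HttpResponseRedirect(resp['message'])
            else:
                # Login failed, set messages/settings and continue
                message = resp['message']
                login_ = False
                if resp['type'] == "totp_required":
                    login_ = True
        else:
            logger.warning("REMOTE_USER enabled, but no user passed.")
            message = 'REMOTE_USER not provided. Please notify an admin.'
            return render(request, 'login.html',
                          {'next': url,
                           'theme': 'default',
                           'login': False,
                           'show_auth': False,
                           'message': message,
                           'token_message': token_message})

    # Attempt authentication
    if request.method == 'POST' and request.is_ajax():
        next_url = request.POST.get('next_url', None)
        # Get username from form if this is not Remote User
        if not crits_config.remote_user:
            username = request.POST.get('username', None)
        # Even if it is remote user, try to get password.
        # Remote user will not have one so we pass None.
        password = request.POST.get('password', None)
        # TOTP can still be required for Remote Users
        totp_pass = request.POST.get('totp_pass', None)
        # One generic message for every rejection below (see docstring).
        failure = 'Unknown user, bad password, or user does not have permission to log on using the web UI.'
        if username is None:
            response['success'] = False
            response['message'] = failure
            return HttpResponse(json.dumps(response),
                                content_type="application/json")
        logging_in_user = get_user_info(username)
        if logging_in_user is None:
            response['success'] = False
            response['message'] = failure
            return HttpResponse(json.dumps(response),
                                content_type="application/json")
        logging_in_user.get_access_list(update=True)
        # A user without the WEB_INTERFACE right, or a missing token when
        # TOTP is mandatory, is rejected before any password check.
        if (not username or not logging_in_user.has_access_to(GeneralACL.WEB_INTERFACE) or
            (not totp_pass and crits_config.totp_web == 'Required')):
            response['success'] = False
            response['message'] = failure
            return HttpResponse(json.dumps(response),
                                content_type="application/json")
        #This casues auth failures with LDAP and upper case name parts
        #username = username.lower()
        # login_user will handle the following cases:
        # - User logging in with no TOTP enabled.
        # - User logging in with TOTP enabled.
        # - User logging in and setting up TOTP for the first time.
        # It should return the string to use for setting up their
        # authenticator and then prompt the user to submit pin + token.
        resp = login_user(username, password, next_url, user_agent,
                          remote_addr, accept_language, request,
                          totp_pass=totp_pass)
        return HttpResponse(json.dumps(resp), content_type="application/json")

    # Display template for authentication
    return render(request, 'login.html',
                  {'next': url,
                   'theme': 'default',
                   'login': login_,
                   'show_auth': show_auth,
                   'message': message,
                   'token_message': token_message})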
def reset_password(request):
    """
    Reset a user password.

    An AJAX POST is delegated to ``reset_user_password`` and its return value
    is sent back unchanged; any other request renders the login page in reset
    mode. This view carries no ``user_passes_test`` decorator, so
    NOTE(review): ``request.user`` passed as ``analyst`` may be an anonymous
    user here.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    if not (request.method == 'POST' and request.is_ajax()):
        return render(request, 'login.html', {'reset': True})

    fields = request.POST
    return reset_user_password(username=fields.get('username', None),
                               action=fields.get('action', None),
                               email=fields.get('email', None),
                               submitted_rcode=fields.get('reset_code', None),
                               new_p=fields.get('new_p', None),
                               new_p_c=fields.get('new_p_c', None),
                               analyst=request.user)
@user_passes_test(user_can_view_data)
def profile(request, user=None):
    """
    Render the User Profile page.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :param user: The user whose profile is rendered; defaults to the
                 requesting user.
    :type user: object with a ``username`` attribute, or None
    :returns: :class:`django.http.HttpResponse`
    """
    subject = user if user else request.user
    args = generate_user_profile(subject.username, request)
    failed = 'status' in args and args['status'] == "ERROR"
    if failed:
        return render(request, 'error.html',
                      {'data': request,
                       'error': "Invalid request"},
                      )
    return render(request, 'profile.html', args)
@user_passes_test(user_can_view_data)
def dashboard(request):
    """
    Render the Dashboard.

    Thin wrapper around ``generate_dashboard``.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    page = generate_dashboard(request)
    return page
@user_passes_test(user_can_view_data)
def counts_listing(request,option=None):
    """
    Render the Counts jtable.

    Thin wrapper around ``generate_counts_jtable``.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :param option: Action to take.
    :type option: str of either 'jtlist', 'jtdelete', or 'inline'.
    :returns: :class:`django.http.HttpResponse`
    """
    table = generate_counts_jtable(request, option)
    return table
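@user_passes_test(user_can_view_data)
def source_releasability(request):
    """
    Modify a top-level object's releasability. Should be an AJAX POST.

    POST fields: ``type``, ``id``, ``name`` (the source), ``action`` (one of
    ``add``, ``add_instance``, ``remove``, ``remove_instance``), and the
    optional ``note`` and ``date``. The ACL consulted depends on the action:
    RELEASABILITY_ADD for the add actions, RELEASABILITY_DELETE for the
    remove actions.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    if not (request.method == 'POST' and request.is_ajax()):
        error = "Expected AJAX POST!"
        return render(request, "error.html", {"error" : error })

    type_ = request.POST.get('type', None)
    id_ = request.POST.get('id', None)
    name = request.POST.get('name', None)
    note = request.POST.get('note', None)
    action = request.POST.get('action', None)
    date = request.POST.get('date', datetime.datetime.now())
    user = request.user

    # Validate the required fields before resolving the ACL object so a
    # missing type is reported instead of surfacing from get_acl_object.
    if not type_ or not id_ or not name or not action:
        error = "Modifying releasability requires a type, id, source, and action"
        return render(request, "error.html", {"error" : error })

    if not isinstance(date, datetime.datetime):
        # Client-supplied date string; dateutil raises on unparseable input,
        # so report it as an error page rather than a server error.
        try:
            date = parse(date, fuzzy=True)
        except (ValueError, OverflowError):
            error = "Invalid releasability date"
            return render(request, "error.html", {"error" : error })

    acl = get_acl_object(type_)
    if action == "add":
        if user.has_access_to(acl.RELEASABILITY_ADD):
            result = add_releasability(type_, id_, name, user.username)
        else:
            result = {'success':False,
                      'message':'User does not have permission to add releasability.'}
    elif action == "add_instance":
        if user.has_access_to(acl.RELEASABILITY_ADD):
            result = add_releasability_instance(type_, id_, name, user.username,
                                                note=note)
        else:
            result = {'success':False,
                      'message':'User does not have permission to add releasability.'}
    elif action == "remove":
        if user.has_access_to(acl.RELEASABILITY_DELETE):
            result = remove_releasability(type_, id_, name, user.username)
        else:
            result = {'success':False,
                      'message':'User does not have permission to remove releasability.'}
    elif action == "remove_instance":
        if user.has_access_to(acl.RELEASABILITY_DELETE):
            result = remove_releasability_instance(type_, id_, name, date, user.username)
        else:
            result = {'success':False,
                      'message':'User does not have permission to delete releasability.'}
    else:
        error = "Unknown releasability action: %s" % action
        return render(request, "error.html", {"error" : error })

    if result['success']:
        subscription = {
            'type': type_,
            'id': id_
        }
        # Re-render the widget so the client can swap it in without reload
        html = render_to_string('releasability_header_widget.html',
                                {'releasability': result['obj'],
                                 'subscription': subscription},
                                request=request)
        response = {'success': result['success'],
                    'html': html}
    else:
        response = {'success': result['success'],
                    'error': result['message']}
    return HttpResponse(json.dumps(response),
                        content_type="application/json")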
@user_passes_test(user_can_view_data)
def source_access(request):
    """
    Modify a user's source access. Should be an AJAX POST.

    The POST body is validated through ``SourceAccessForm``; the cleaned data
    of a valid form is handed to ``modify_source_access`` together with the
    requesting username. NOTE(review): no ACL check is made in this view --
    confirm ``modify_source_access`` enforces who may change source access.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    if not (request.method == 'POST' and request.is_ajax()):
        error = "Expected AJAX POST!"
        return render(request, "error.html", {"error" : error })

    form = SourceAccessForm(request.POST)
    if not form.is_valid():
        # Return the re-rendered form so the client can display its errors
        payload = {'form':form.as_table()}
    else:
        payload = modify_source_access(request.user.username,
                                       form.cleaned_data)
        if payload['success']:
            payload['message'] = '<div>User modified successfully!</div>'
    return HttpResponse(json.dumps(payload),
                        content_type="application/json")
@user_passes_test(user_can_view_data)
def source_add(request):
    """
    Add a source to CRITs. Should be an AJAX POST.

    Requires the ADD_NEW_SOURCE general ACL. The form is validated before the
    ACL is consulted, so an invalid form is reported first.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    if not (request.method == "POST" and request.is_ajax()):
        return render(request, "error.html", {"error" : 'Expected AJAX POST' })

    source_form = AddSourceForm(request.POST)
    user = request.user
    if not source_form.is_valid():
        message = {'success': False,
                   'form': source_form.as_table()}
    elif not user.has_access_to(GeneralACL.ADD_NEW_SOURCE):
        message = {'message': 'User does not have permission to add source.', 'success':False}
    elif add_new_source(source_form.cleaned_data['source'], user):
        msg = ('<div>Source added successfully! Add this source to '
               'users to utilize it.</div>')
        message = {'message': msg,
                   'success': True}
    else:
        message = {'message': '<div>Source addition failed!</div>', 'success':
                   False}
    return HttpResponse(json.dumps(message),
                        content_type="application/json")
@user_passes_test(user_can_view_data)
def role_add(request):
    """
    Add a role to CRITs. Should be an AJAX POST.

    Requires the ADD_NEW_USER_ROLE general ACL. On success the returned
    message links to the new role's details page.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    if not (request.method == "POST" and request.is_ajax()):
        return render(request, "error.html", {"error" : 'Expected AJAX POST'})

    role_form = AddRoleForm(request.POST)
    user = request.user
    if not role_form.is_valid():
        message = {'success': False,
                   'form': role_form.as_table()}
    elif not user.has_access_to(GeneralACL.ADD_NEW_USER_ROLE):
        message = {'message': 'User does not have permission to add user role.',
                   'success': False}
    else:
        cleaned = role_form.cleaned_data
        result = add_new_role(cleaned['name'],
                              cleaned['copy_from'],
                              cleaned['description'],
                              user)
        if result['success']:
            url = reverse('crits-core-views-role_details',
                          args=[result['id']])
            message = {'message': '<div><a href="%s">Role</a> added successfully!</div>' % url,
                       'success': True}
        else:
            message = {'message': '<div>Role addition failed!</div>',
                       'success': False}
    return HttpResponse(json.dumps(message),
                        content_type="application/json")
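@user_passes_test(user_can_view_data)
def role_graph(request):
    """
    Render the role graph.

    Graph parameters come from the query string on GET or from the body on
    an AJAX POST. When ``render_role_graph`` returns a truthy result it is
    sent back as JSON; otherwise the page template is rendered with the
    parameters so the client can request the graph itself.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """
    analyst = request.user.username
    # Default the parameters up front: previously they were only assigned on
    # GET or AJAX POST, so any other request (a plain non-AJAX POST, for
    # instance) hit UnboundLocalError at the render_role_graph call.
    start_type = 'roles'
    start_node = None
    expansion_node = None
    if request.method == "GET":
        params = request.GET
    elif request.method == "POST" and request.is_ajax():
        params = request.POST
    else:
        params = None
    if params is not None:
        start_type = params.get('start_type', 'roles')
        start_node = params.get('start_node', None)
        expansion_node = params.get('expansion_node', None)
    result = render_role_graph(start_type, start_node, expansion_node, analyst)
    if result:
        return HttpResponse(json.dumps(result), content_type="application/json")
    return render(request, "role_graph.html",
                  {"start_type": start_type,
                   "start_node": start_node,
                   "expansion_node": expansion_node})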
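@user_passes_test(user_can_view_data)
def add_update_source(request, method, obj_type, obj_id):
    """
    Add/Update a source for a top-level object. Should be an AJAX POST.

    Authorization is layered: the requesting user must already have the
    named source in ``user_sources`` (so a user cannot attribute data to a
    source they cannot see), and must hold ``SOURCES_ADD`` or
    ``SOURCES_EDIT`` on the object type's ACL depending on ``method``.
    On an "update" the client-supplied ``date`` is parsed with
    ``settings.PY_DATETIME_FORMAT``; a malformed value is reported as a JSON
    failure rather than surfacing as a server error.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :param method: Whether this is an "add" or "update".
    :type method: str
    :param obj_type: The type of top-level object.
    :type obj_type: str
    :param obj_id: The ObjectId to search for.
    :type obj_id: str
    :returns: :class:`django.http.HttpResponse`
    """
    if not (request.method == "POST" and request.is_ajax()):
        return HttpResponse({})

    form = SourceForm(request.user, request.POST)
    if not form.is_valid():
        return _source_form_failure(form)

    data = form.cleaned_data
    user = request.user
    # Check that this user can already see the source before letting them
    # attach it to an object.
    if data['name'] not in user_sources(user):
        return _source_form_failure(form,
                                    'Source is not available to this user.')

    acl = get_acl_object(obj_type)
    if method == "add":
        date = datetime.datetime.now()
        permission = acl.SOURCES_ADD
        denied = "User does not have permission to add sources to object."
    else:
        try:
            date = datetime.datetime.strptime(data['date'],
                                              settings.PY_DATETIME_FORMAT)
        except (KeyError, TypeError, ValueError):
            # Previously a missing or malformed date raised out of the view;
            # report it to the client as a normal failure instead.
            return HttpResponse(json.dumps({'success': False,
                                            'message': 'Invalid date for source update.'}),
                                content_type="application/json")
        permission = acl.SOURCES_EDIT
        denied = "User does not have permission to edit sources."

    if user.has_access_to(permission):
        result = source_add_update(obj_type,
                                   obj_id,
                                   method,
                                   data['name'],
                                   method=data['method'],
                                   reference=data['reference'],
                                   tlp=data['tlp'],
                                   date=date,
                                   user=user.username)
        if 'object' in result:
            if method == "add":
                result['header'] = result['object'].name
                result['data_field'] = 'name'
            result['html'] = _source_widget_html(result, method,
                                                 obj_type, obj_id, request)
    else:
        result = {"success": False, "message": denied}
    # json_handler is needed because a successful result may carry
    # non-JSON-native values (e.g. the date) alongside the rendered html.
    return HttpResponse(json.dumps(result, default=json_handler),
                        content_type="application/json")


def _source_form_failure(form, message=None):
    """
    Build the JSON failure response carrying a re-rendered source form.

    :param form: The bound :class:`SourceForm` to echo back as a table.
    :param message: Optional explanation added under ``'message'``.
    :returns: :class:`django.http.HttpResponse`
    """
    payload = {'success': False, 'form': form.as_table()}
    if message is not None:
        payload['message'] = message
    return HttpResponse(json.dumps(payload), content_type="application/json")


def _source_widget_html(result, method, obj_type, obj_id, request):
    """
    Render the header widget (add) or row widget (update) for a source result.

    :param result: Result from ``source_add_update``; must contain ``'object'``
        and, for an update, ``'instance'``.
    :param method: "add" or anything else (treated as update).
    :param obj_type: The type of top-level object.
    :param obj_id: The ObjectId the source belongs to.
    :param request: Django request, passed through for template context.
    :returns: Rendered HTML string.
    """
    if method == "add":
        return render_to_string('sources_header_widget.html',
                                {'source': result['object'],
                                 'obj_type': obj_type,
                                 'obj_id': obj_id},
                                request=request)
    return render_to_string('sources_row_widget.html',
                            {'source': result['object'],
                             'instance': result['instance'],
                             'obj_type': obj_type,
                             'obj_id': obj_id},
                            request=request)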
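@user_passes_test(user_can_view_data)
def remove_source(request, obj_type, obj_id):
    """
    Remove a source from a top-level object. Should be an AJAX POST.

    The POST body carries ``key`` (the source instance date, in
    ``settings.PY_DATETIME_FORMAT``) and ``name`` (the source name). Both are
    client-supplied, so a missing or unparsable value is answered with a JSON
    failure instead of a server error. Requires ``SOURCES_DELETE`` on the
    object type's ACL.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :param obj_type: The type of top-level object.
    :type obj_type: str
    :param obj_id: The ObjectId to search for.
    :type obj_id: str
    :returns: :class:`django.http.HttpResponse`
    """
    if not (request.method == "POST" and request.is_ajax()):
        return HttpResponse({})

    # Django's QueryDict raises a KeyError subclass for a missing field and
    # strptime raises ValueError for a bad date; both used to become a 500.
    try:
        date = datetime.datetime.strptime(request.POST['key'],
                                          settings.PY_DATETIME_FORMAT)
        name = request.POST['name']
    except (KeyError, ValueError):
        result = {"success": False,
                  "message": "Missing or invalid source key/name."}
        return HttpResponse(json.dumps(result), content_type="application/json")

    user = request.user
    acl = get_acl_object(obj_type)
    if user.has_access_to(acl.SOURCES_DELETE):
        result = source_remove(obj_type,
                               obj_id,
                               name,
                               date,
                               '%s' % user.username)
    else:
        result = {"success": False,
                  "message": "User does not have permission to remove sources."}
    return HttpResponse(json.dumps(result), content_type="application/json")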
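@user_passes_test(user_can_view_data)
def remove_all_source(request, obj_type, obj_id):
    """
    Remove all sources from a top-level object. Should be an AJAX POST.

    Gated on ``SOURCES_DELETE`` for the object type, matching
    ``remove_source``: removing every source is at least as sensitive as
    removing one, and the ``user_can_view_data`` guard alone only proves the
    caller may view data. If ``source_remove_all`` performs its own check
    this is redundant but harmless.

    :param request: Django request.
    :type request: :class:`django.http.HttpRequest`
    :param obj_type: The type of top-level object.
    :type obj_type: str
    :param obj_id: The ObjectId to search for.
    :type obj_id: str
    :returns: :class:`django.http.HttpResponse`
    """
    if not (request.method == "POST" and request.is_ajax()):
        return HttpResponse({})

    # 'key' is client-supplied; a missing field used to raise out of the view.
    try:
        name = request.POST['key']
    except KeyError:
        result = {"success": False, "message": "Missing source key."}
        return HttpResponse(json.dumps(result), content_type="application/json")

    user = request.user
    acl = get_acl_object(obj_type)
    if user.has_access_to(acl.SOURCES_DELETE):
        result = source_remove_all(obj_type,
                                   obj_id,
                                   name,
                                   '%s' % user.username)
    else:
        result = {"success": False,
                  "message": "User does not have permission to remove sources."}
    # Kept from the original: presumably tells the client this was the last
    # source row for the object -- confirm against the consuming JS.
    result['last'] = True
    return HttpResponse(json.dumps(result), content_type="application/json")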
@user_passes_test(user_can_view_data)
def bucket_promote(request):
"""
Promote a bucket to a Campaign. Should be an AJAX POST.
:param request: Django request.