func (s *MeService) changePassword(req *restful.Request, resp *restful.Response) {
// TODO (m0sth8): add captcha support
raw := &ChangePasswordEntity{}
if err := req.ReadEntity(raw); err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusBadRequest, services.WrongEntityErr)
return
}
u := filters.GetUser(req)
// verify old password
verified, err := s.PassCtx().Verify(raw.Old, u.Password)
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.AppErr)
return
}
if !verified {
resp.WriteServiceError(http.StatusBadRequest, services.NewBadReq("old password is incorrect"))
return
}
// TODO (m0sth8): validate new password (length, symbols etc); extract
if len(raw.New) < 7 {
resp.WriteServiceError(http.StatusBadRequest, services.NewBadReq("new password must be more than 6 symbols"))
return
}
pass, err := s.PassCtx().Encrypt(raw.New)
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.AppErr)
return
}
u.Password = pass
mgr := s.Manager()
defer mgr.Close()
err = mgr.Users.Update(u)
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.DbErr)
return
}
resp.WriteHeader(http.StatusOK)
}
func (s *ProjectService) list(req *restful.Request, resp *restful.Response) {
// TODO (m0sth8): check permissions
query, err := fltr.FromRequest(req, manager.ProjectFltr{})
if err != nil {
resp.WriteServiceError(http.StatusBadRequest, services.NewBadReq(err.Error()))
return
}
u := filters.GetUser(req)
admin := false
// if user is not admin then show him only his projects or where he has membership
if !admin {
query = manager.Or(fltr.GetQuery(&manager.ProjectFltr{Owner: u.Id, Member: u.Id}))
}
mgr := s.Manager()
defer mgr.Close()
results, count, err := mgr.Projects.FilterByQuery(query)
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.DbErr)
return
}
result := &project.ProjectList{
Meta: pagination.Meta{Count: count},
Results: results,
}
resp.WriteEntity(result)
}
func (s *UserService) list(req *restful.Request, resp *restful.Response) {
// TODO (m0sth8): do not show emails and other fields for everyone
// TODO (m0sth8): filter by email for admin only
query, err := fltr.FromRequest(req, manager.UserFltr{})
if err != nil {
resp.WriteServiceError(http.StatusBadRequest, services.NewBadReq(err.Error()))
return
}
mgr := s.Manager()
defer mgr.Close()
results, count, err := mgr.Users.FilterByQuery(query)
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.DbErr)
return
}
result := &user.UserList{
Meta: pagination.Meta{Count: count},
Results: results,
}
resp.WriteEntity(result)
}
func (s *FileService) create(req *restful.Request, resp *restful.Response) {
// TODO (m0sth8): Check permissions for the user, he is might be blocked or removed
f, header, err := req.Request.FormFile("file")
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusBadRequest, services.NewBadReq("Couldn't read file"))
return
}
contentType := header.Header.Get("Content-Type")
// TODO (m0sth8): reduce filename length
meta := &file.Meta{
Name: header.Filename,
ContentType: contentType,
}
mgr := s.Manager()
defer mgr.Close()
obj, err := mgr.Files.Create(f, meta)
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.DbErr)
return
}
resp.WriteHeader(http.StatusCreated)
resp.WriteEntity(obj)
}
func (s *ProjectService) membersCreate(req *restful.Request, resp *restful.Response, p *project.Project) {
raw := &project.Member{}
if err := req.ReadEntity(raw); err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusBadRequest, services.WrongEntityErr)
return
}
if raw.User == "" {
resp.WriteServiceError(http.StatusBadRequest, services.NewBadReq("user is required"))
return
}
u := filters.GetUser(req)
if p.Owner != u.Id {
resp.WriteServiceError(http.StatusForbidden, services.AuthForbidErr)
return
}
for _, member := range p.Members {
if member.User == raw.User {
resp.WriteServiceError(http.StatusConflict, services.NewError(services.CodeDuplicate, "User is already member"))
return
}
}
mgr := s.Manager()
defer mgr.Close()
mUser, err := mgr.Users.GetById(raw.User)
if err != nil {
if mgr.IsNotFound(err) {
resp.WriteErrorString(http.StatusNotFound, "User not found")
return
}
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.DbErr)
return
}
member := &project.Member{User: mUser.Id}
p.Members = append(p.Members, member)
err = mgr.Projects.Update(p)
if err != nil {
if mgr.IsNotFound(err) {
resp.WriteErrorString(http.StatusNotFound, "Not found")
return
}
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.DbErr)
return
}
resp.WriteHeader(http.StatusCreated)
resp.WriteEntity(member)
}
func (s *FeedService) list(req *restful.Request, resp *restful.Response) {
// TODO (m0sth8): check if this user has access to feed items
mgr := s.Manager()
defer mgr.Close()
query, err := fltr.FromRequest(req, manager.FeedItemFltr{})
if err != nil {
resp.WriteServiceError(http.StatusBadRequest, services.NewBadReq(err.Error()))
return
}
skip := 0
if p := req.QueryParameter("skip"); p != "" {
if val, err := strconv.Atoi(p); err != nil {
resp.WriteServiceError(http.StatusBadRequest, services.NewBadReq(fmt.Sprintf("skip: %s", err.Error())))
return
} else {
skip = val
}
}
limit := 20
if p := req.QueryParameter("limit"); p != "" {
if val, err := strconv.Atoi(p); err != nil {
resp.WriteServiceError(http.StatusBadRequest, services.NewBadReq(fmt.Sprintf("limit: %s", err.Error())))
return
} else {
limit = val
}
}
sort := []string{"-updated"}
results, count, err := mgr.Feed.FilterByQuery(query, mgr.Opts(skip, limit, sort))
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.DbErr)
return
}
result := &feed.Feed{
Meta: pagination.Meta{Count: count},
Results: results,
}
resp.WriteEntity(result)
}
func (s *PlanService) list(req *restful.Request, resp *restful.Response) {
query, err := fltr.FromRequest(req, manager.PlanFltr{})
if err != nil {
resp.WriteServiceError(http.StatusBadRequest, services.NewBadReq(err.Error()))
return
}
mgr := s.Manager()
defer mgr.Close()
results, count, err := mgr.Plans.FilterByQuery(query)
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.DbErr)
return
}
result := &plan.PlanList{
Meta: pagination.Meta{Count: count},
Results: results,
}
resp.WriteEntity(result)
}
func (s *ScanService) create(req *restful.Request, resp *restful.Response) {
// TODO (m0sth8): Check permissions
raw := &scan.Scan{}
if err := req.ReadEntity(raw); err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusBadRequest, services.WrongEntityErr)
return
}
u := filters.GetUser(req)
mgr := s.Manager()
defer mgr.Close()
// TODO (m0sth8): check project and target permissions for this user
// validations
project, err := mgr.Projects.GetById(raw.Project)
if err != nil {
resp.WriteServiceError(http.StatusBadRequest,
services.NewBadReq("project not found"))
return
}
target, err := mgr.Targets.GetById(raw.Target)
if err != nil {
if mgr.IsNotFound(err) {
resp.WriteServiceError(http.StatusBadRequest,
services.NewBadReq("target not found"))
return
}
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.DbErr)
return
}
if target.Project != project.Id {
resp.WriteServiceError(http.StatusBadRequest,
services.NewBadReq("this target is not from this project"))
return
}
planObj, err := mgr.Plans.GetById(raw.Plan)
if err != nil {
if mgr.IsNotFound(err) {
resp.WriteServiceError(http.StatusBadRequest,
services.NewBadReq("plan not found"))
return
}
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.DbErr)
return
}
if planObj.TargetType != target.Type {
resp.WriteServiceError(http.StatusBadRequest,
services.NewBadReq("target.type and plan.targetType is not compatible"))
return
}
sc := &scan.Scan{
Status: scan.StatusCreated,
Owner: u.Id,
Plan: raw.Plan,
Project: project.Id,
Target: target.Id,
Conf: scan.ScanConf{
Target: target.Addr(),
},
Sessions: []*scan.Session{},
}
now := time.Now().UTC()
// Add session from plans workflow steps
for _, step := range planObj.Workflow {
plugin, err := mgr.Plugins.GetByName(step.Plugin)
if err != nil {
if mgr.IsNotFound(err) {
resp.WriteServiceError(http.StatusBadRequest,
services.NewBadReq(fmt.Sprintf("plugin %s is not found", step.Plugin)))
return
}
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.DbErr)
return
}
// TODO (m0sth8): extract template execution
if step.Conf != nil {
if command := step.Conf.CommandArgs; command != "" {
t, err := template.New("").Parse(command)
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.NewAppErr("Wrong command args template"))
return
}
buf := bytes.NewBuffer(nil)
err = t.Execute(buf, sc.Conf)
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.NewAppErr("Wrong command args template"))
return
}
step.Conf.CommandArgs = buf.String()
}
if formData := step.Conf.FormData; formData != "" {
t, err := template.New("").Parse(formData)
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.NewAppErr("Wrong form data template"))
return
}
buf := bytes.NewBuffer(nil)
err = t.Execute(buf, sc.Conf)
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.NewAppErr("Wrong form data template"))
return
}
step.Conf.FormData = buf.String()
}
if target := step.Conf.Target; target == "" {
step.Conf.Target = sc.Conf.Target
}
} else {
step.Conf = &plan.Conf{
Target: sc.Conf.Target,
}
}
sess := scan.Session{
Id: mgr.NewId(),
Step: step,
Plugin: plugin.Id,
Status: scan.StatusCreated,
Dates: scan.Dates{
Created: &now,
Updated: &now,
},
}
sc.Sessions = append(sc.Sessions, &sess)
}
obj, err := mgr.Scans.Create(sc)
if err != nil {
logrus.Error(stackerr.Wrap(err))
resp.WriteServiceError(http.StatusInternalServerError, services.DbErr)
return
}
// put scan to queue
s.Scheduler().AddScan(obj)
if _, err := mgr.Feed.AddScan(obj); err != nil {
logrus.Error(stackerr.Wrap(err))
}
resp.WriteHeader(http.StatusCreated)
resp.WriteEntity(obj)
}