Secure all endpoints

Itay Mizeretz 2018-02-22 16:21:03 +02:00
parent 9e169980e3
commit 9bb7148f50
9 changed files with 28 additions and 11 deletions


@ -15,23 +15,20 @@ __author__ = 'Barak'
class Monkey(flask_restful.Resource): class Monkey(flask_restful.Resource):
# Used by monkey. can't secure.
def get(self, guid=None, **kw): def get(self, guid=None, **kw):
NodeService.update_dead_monkeys() # refresh monkeys status NodeService.update_dead_monkeys() # refresh monkeys status
if not guid: if not guid:
guid = request.args.get('guid') guid = request.args.get('guid')
timestamp = request.args.get('timestamp')
if guid: if guid:
monkey_json = mongo.db.monkey.find_one_or_404({"guid": guid}) monkey_json = mongo.db.monkey.find_one_or_404({"guid": guid})
return monkey_json return monkey_json
else:
result = {'timestamp': datetime.now().isoformat()}
find_filter = {}
if timestamp is not None:
find_filter['modifytime'] = {'$gt': dateutil.parser.parse(timestamp)}
result['objects'] = [x for x in mongo.db.monkey.find(find_filter)]
return result
return {}
# Used by monkey. can't secure.
def patch(self, guid): def patch(self, guid):
monkey_json = json.loads(request.data) monkey_json = json.loads(request.data)
update = {"$set": {'modifytime': datetime.now()}} update = {"$set": {'modifytime': datetime.now()}}
@ -51,6 +48,7 @@ class Monkey(flask_restful.Resource):
return mongo.db.monkey.update({"_id": monkey["_id"]}, update, upsert=False) return mongo.db.monkey.update({"_id": monkey["_id"]}, update, upsert=False)
# Used by monkey. can't secure.
def post(self, **kw): def post(self, **kw):
monkey_json = json.loads(request.data) monkey_json = json.loads(request.data)
monkey_json['creds'] = [] monkey_json['creds'] = []
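Review bot: The three `# Used by monkey. can't secure.` markers in this section record a decision without its consequence: `get` hands the full stored document for any guid to an unauthenticated caller, and `patch` and `post` accept caller-supplied JSON on the same terms, so the comment should tell a maintainer what that implies, e.g. `# Intentionally unauthenticated (agent-facing). The guid is the only thing tying a request to a monkey; nothing returned here may contain secrets, and every field of the request body is untrusted.` The remainder of `patch` and `post`, where the `$set` update is built from the body, lies outside the hunk, so whether the update is restricted to expected fields cannot be confirmed from here. It also looks as though the timestamp-filtered listing branch was dropped from the unauthenticated `get`, which fits that intent but is worth stating explicitly in the commit description.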


@ -1,18 +1,20 @@
import json import json
from flask import request, jsonify
import flask_restful import flask_restful
from flask import request, jsonify
from cc.database import mongo from cc.auth import jwt_required
from cc.services.config import ConfigService from cc.services.config import ConfigService
__author__ = 'Barak' __author__ = 'Barak'
class MonkeyConfiguration(flask_restful.Resource): class MonkeyConfiguration(flask_restful.Resource):
@jwt_required()
def get(self): def get(self):
return jsonify(schema=ConfigService.get_config_schema(), configuration=ConfigService.get_config()) return jsonify(schema=ConfigService.get_config_schema(), configuration=ConfigService.get_config())
@jwt_required()
def post(self): def post(self):
config_json = json.loads(request.data) config_json = json.loads(request.data)
if config_json.has_key('reset'): if config_json.has_key('reset'):
@ -20,4 +22,3 @@ class MonkeyConfiguration(flask_restful.Resource):
else: else:
ConfigService.update_config(config_json) ConfigService.update_config(config_json)
return self.get() return self.get()
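Review bot: Decorating each handler separately with `@jwt_required()` (here on `get` and `post`, and likewise in NetMap, Node, Report, Root, Telemetry.get and TelemetryFeed) leaves the default for any method added later as open; flask_restful resources accept a class-level `method_decorators = [jwt_required()]`, which applies the check to every method of the resource so a new handler cannot be forgotten. The per-method form remains the right choice only where a resource deliberately mixes agent-facing and operator-facing methods, as Telemetry does. A smaller point in this hunk: `from cc.database import mongo` appears to have been replaced by the `cc.auth` import rather than kept; if `mongo` is still referenced further down the module, which is outside the hunk, that import is now missing.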


@ -47,9 +47,12 @@ def get_monkey_executable(host_os, machine):
class MonkeyDownload(flask_restful.Resource): class MonkeyDownload(flask_restful.Resource):
# Used by monkey. can't secure.
def get(self, path): def get(self, path):
return send_from_directory('binaries', path) return send_from_directory('binaries', path)
# Used by monkey. can't secure.
def post(self): def post(self):
host_json = json.loads(request.data) host_json = json.loads(request.data)
host_os = host_json.get('os') host_os = host_json.get('os')
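Review bot: `get(self, path)` serves whatever `path` an unauthenticated caller supplies out of `binaries`, and the only thing keeping that inside the directory is `send_from_directory`'s own safe join; the comment above it should say so, because a later switch to `send_file` or to manual path building would silently drop that protection: `# Unauthenticated by design (agents fetch their binary here). send_from_directory confines 'path' to the binaries directory; do not replace it with send_file or a manual join.` The body of `post`, which reads `host_json.get('os')`, continues outside the hunk.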


@ -1,5 +1,6 @@
import flask_restful import flask_restful
from cc.auth import jwt_required
from cc.services.edge import EdgeService from cc.services.edge import EdgeService
from cc.services.node import NodeService from cc.services.node import NodeService
from cc.database import mongo from cc.database import mongo
@ -8,6 +9,7 @@ __author__ = 'Barak'
class NetMap(flask_restful.Resource): class NetMap(flask_restful.Resource):
@jwt_required()
def get(self, **kw): def get(self, **kw):
monkeys = [NodeService.monkey_to_net_node(x) for x in mongo.db.monkey.find({})] monkeys = [NodeService.monkey_to_net_node(x) for x in mongo.db.monkey.find({})]
nodes = [NodeService.node_to_net_node(x) for x in mongo.db.node.find({})] nodes = [NodeService.node_to_net_node(x) for x in mongo.db.node.find({})]


@ -1,12 +1,14 @@
from flask import request from flask import request
import flask_restful import flask_restful
from cc.auth import jwt_required
from cc.services.node import NodeService from cc.services.node import NodeService
__author__ = 'Barak' __author__ = 'Barak'
class Node(flask_restful.Resource): class Node(flask_restful.Resource):
@jwt_required()
def get(self): def get(self):
node_id = request.args.get('id') node_id = request.args.get('id')
if node_id: if node_id:


@ -1,10 +1,13 @@
import flask_restful import flask_restful
from cc.auth import jwt_required
from cc.services.report import ReportService from cc.services.report import ReportService
__author__ = "itay.mizeretz" __author__ = "itay.mizeretz"
class Report(flask_restful.Resource): class Report(flask_restful.Resource):
@jwt_required()
def get(self): def get(self):
return ReportService.get_report() return ReportService.get_report()


@ -3,6 +3,7 @@ from datetime import datetime
import flask_restful import flask_restful
from flask import request, make_response, jsonify from flask import request, make_response, jsonify
from cc.auth import jwt_required
from cc.database import mongo from cc.database import mongo
from cc.services.config import ConfigService from cc.services.config import ConfigService
from cc.services.node import NodeService from cc.services.node import NodeService
@ -13,6 +14,8 @@ __author__ = 'Barak'
class Root(flask_restful.Resource): class Root(flask_restful.Resource):
@jwt_required()
def get(self, action=None): def get(self, action=None):
if not action: if not action:
action = request.args.get('action') action = request.args.get('action')


@ -7,6 +7,7 @@ import dateutil
import flask_restful import flask_restful
from flask import request from flask import request
from cc.auth import jwt_required
from cc.database import mongo from cc.database import mongo
from cc.services.config import ConfigService from cc.services.config import ConfigService
from cc.services.edge import EdgeService from cc.services.edge import EdgeService
@ -16,6 +17,7 @@ __author__ = 'Barak'
class Telemetry(flask_restful.Resource): class Telemetry(flask_restful.Resource):
@jwt_required()
def get(self, **kw): def get(self, **kw):
monkey_guid = request.args.get('monkey_guid') monkey_guid = request.args.get('monkey_guid')
telem_type = request.args.get('telem_type') telem_type = request.args.get('telem_type')
@ -36,6 +38,7 @@ class Telemetry(flask_restful.Resource):
result['objects'] = self.telemetry_to_displayed_telemetry(mongo.db.telemetry.find(find_filter)) result['objects'] = self.telemetry_to_displayed_telemetry(mongo.db.telemetry.find(find_filter))
return result return result
# Used by monkey. can't secure.
def post(self): def post(self):
telemetry_json = json.loads(request.data) telemetry_json = json.loads(request.data)
telemetry_json['timestamp'] = datetime.now() telemetry_json['timestamp'] = datetime.now()
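Review bot: `post` stays unauthenticated and, judging by the two visible lines, passes the request body on with only `timestamp` set server-side, so the `monkey_guid` and `telem_type` that the now-protected `get` filters on are self-asserted by whoever posts; the marker comment should carry that: `# Unauthenticated by design (agents report here). Only 'timestamp' is set server-side; every other field, including monkey_guid, is caller-supplied and untrusted.` How the document is stored after the timestamp is set lies outside the hunk, so whether any field whitelist exists cannot be confirmed from here.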


@ -5,6 +5,7 @@ import flask_restful
from flask import request from flask import request
import flask_pymongo import flask_pymongo
from cc.auth import jwt_required
from cc.database import mongo from cc.database import mongo
from cc.services.node import NodeService from cc.services.node import NodeService
@ -12,6 +13,7 @@ __author__ = 'itay.mizeretz'
class TelemetryFeed(flask_restful.Resource): class TelemetryFeed(flask_restful.Resource):
@jwt_required()
def get(self, **kw): def get(self, **kw):
timestamp = request.args.get('timestamp') timestamp = request.args.get('timestamp')
if "null" == timestamp or timestamp is None: # special case to avoid ugly JS code... if "null" == timestamp or timestamp is None: # special case to avoid ugly JS code...