howler-api 3.0.0.dev374__py3-none-any.whl

howler/security/utils.py

@@ -0,0 +1,185 @@
+import base64
+import os
+import re
+from typing import List, Optional
+from urllib.parse import urlparse
+
+import elasticapm
+from passlib.hash import bcrypt
+
+from howler.config import config
+
+UPPERCASE = r"[A-Z]"
+LOWERCASE = r"[a-z]"
+NUMBER = r"[0-9]"
+SPECIAL = r'[ !#$@%&\'()*+,-./[\\\]^_`{|}~"]'
+PASS_BASIC = (
+    [chr(x + 65) for x in range(26)]
+    + [chr(x + 97) for x in range(26)]
+    + [str(x) for x in range(10)]
+    + ["!", "@", "$", "^", "?", "&", "*", "(", ")"]
+)
+
+
+def generate_random_secret(length: int = 25) -> str:
+    """Generate a random secret
+
+    Args:
+        length (int, optional): The length of the secret. Defaults to 25.
+
+    Returns:
+        str: The random secret
+    """
+    return base64.b32encode(os.urandom(length)).decode("UTF-8")
+
+
+def get_password_hash(password: Optional[str]) -> Optional[str]:
+    """Get a bcrypt hash of the password
+
+    Args:
+        password (Optional[str]): The password to hash
+
+    Returns:
+        str: The hash of the password
+    """
+    if password is None or len(password) == 0:
+        return None
+
+    return bcrypt.hash(password)
+
+
+@elasticapm.capture_span(span_type="authentication")
+def verify_password(password: str, pw_hash: str):
+    """Use bcrypt to verify a user's password against the hash"""
+    try:
+        return bcrypt.verify(password, pw_hash)
+    except ValueError:
+        return False
+    except TypeError:
+        return False
+
+
+def get_password_requirement_message(
+    lower: bool = True,
+    upper: bool = True,
+    number: bool = False,
+    special: bool = False,
+    min_length: int = 12,
+) -> str:
+    """Get a custom password requirement message based on the configuration values
+
+    Args:
+        lower (bool, optional): Must include lowercase? Defaults to True.
+        upper (bool, optional): Must include uppercase? Defaults to True.
+        number (bool, optional): Must include number? Defaults to False.
+        special (bool, optional): Must include special characters? Defaults to False.
+        min_length (int, optional): What is the minimum length? Defaults to 12.
+
+    Returns:
+        str: The formatted password requirement message
+    """
+    msg = f"Password needs to be at least {min_length} characters"
+
+    if lower or upper or number or special:
+        msg += " with the following characteristics: "
+        specs = []
+        if lower:
+            specs.append("lowercase letters")
+        if upper:
+            specs.append("uppercase letters")
+        if number:
+            specs.append("numbers")
+        if special:
+            specs.append("special characters")
+
+        msg += ", ".join(specs)
+
+    return msg
+
+
+def check_password_requirements(
+    password: str,
+    lower: bool = True,
+    upper: bool = True,
+    number: bool = False,
+    special: bool = False,
+    min_length: int = 12,
+) -> bool:
+    """Validate the given password based on the password requirements
+
+    Args:
+        password (str): The password to check
+        lower (bool, optional): Must include lowercase? Defaults to True.
+        upper (bool, optional): Must include uppercase? Defaults to True.
+        number (bool, optional): Must include number? Defaults to False.
+        special (bool, optional): Must include special characters? Defaults to False.
+        min_length (int, optional): What is the minimum length? Defaults to 12.
+
+    Returns:
+        bool: Does the password meet the requirements?
+    """
+    check_upper = re.compile(UPPERCASE)
+    check_lower = re.compile(LOWERCASE)
+    check_number = re.compile(NUMBER)
+    check_special = re.compile(SPECIAL)
+
+    if get_password_hash(password) is None:
+        return True
+
+    if len(password) < min_length:
+        return False
+
+    if upper and len(check_upper.findall(password)) == 0:
+        return False
+
+    if lower and len(check_lower.findall(password)) == 0:
+        return False
+
+    if number and len(check_number.findall(password)) == 0:
+        return False
+
+    if special and len(check_special.findall(password)) == 0:
+        return False
+
+    return True
+
+
+def get_random_password(alphabet: Optional[List] = None, length: int = 24) -> str:
+    """Get a random password
+
+    Args:
+        alphabet (Optional[List], optional): The alphabet to base the password on. Defaults to None.
+        length (int, optional): The length of the password. Defaults to 24.
+
+    Returns:
+        str: The generated password
+    """
+    if alphabet is None:
+        alphabet = PASS_BASIC
+    r_bytes = bytearray(os.urandom(length))
+    a_list = []
+
+    for byte in r_bytes:
+        while byte >= (256 - (256 % len(alphabet))):
+            byte = ord(os.urandom(1))
+        a_list.append(alphabet[byte % len(alphabet)])
+
+    return "".join(a_list)
+
+
+def get_disco_url(host_url: Optional[str]):
+    """Get the discovery URL based on the current host"""
+    if type(host_url) is str and "localhost" not in host_url:
+        if not host_url.startswith("http"):
+            host_url = f"https://{host_url}"
+
+        original_hostname = urlparse(host_url).hostname
+
+        if original_hostname:
+            hostname = re.sub(r"^(.*?)howler(-stg)?(.+)$", r"\1discover\3", original_hostname)
+
+            return f"https://{hostname}/eureka/apps"
+        else:
+            return config.ui.discover_url
+    else:
+        return config.ui.discover_url

howler/services/action_service.py

@@ -0,0 +1,111 @@
+import json
+import sys
+from typing import Any, Optional
+
+from flask import Response
+
+from howler import actions
+from howler.api import bad_request
+from howler.common.exceptions import HowlerValueError
+from howler.common.loader import datastore
+from howler.common.logging import get_logger
+from howler.common.logging.audit import audit
+from howler.odm.models.action import VALID_TRIGGERS, Action
+from howler.odm.models.user import User
+from howler.utils.str_utils import sanitize_lucene_query
+
+logger = get_logger(__file__)
+
+
+def validate_action(new_action: Any) -> Optional[Response]:  # noqa: C901
+    """Validate a new action"""
+    if not isinstance(new_action, dict):
+        return bad_request(err="Incorrect data structure!")
+
+    if "name" not in new_action:
+        return bad_request(err="You must specify a name.")
+    elif not new_action["name"]:
+        return bad_request(err="Name cannot be empty.")
+
+    if "query" not in new_action:
+        return bad_request(err="You must specify a query.")
+    elif not new_action["query"]:
+        return bad_request(err="Query cannot be empty.")
+
+    operations = new_action.get("operations", None)
+    if operations is None:
+        return bad_request(err="You must specify a list of operations.")
+
+    if not isinstance(operations, list):
+        return bad_request(err="'operations' must be a list of operations.")
+
+    if len(operations) < 1:
+        return bad_request(err="You must specify at least one operation.")
+
+    operation_ids = [o["operation_id"] for o in operations]
+    if len(operation_ids) != len(set(operation_ids)):
+        return bad_request(err="You must have a maximum of one operation of each type in the action.")
+
+    if set(new_action.get("triggers", [])) - set(VALID_TRIGGERS):
+        return bad_request(err="Invalid trigger provided.")
+
+    return None
+
+
+def bulk_execute_on_query(query: str, trigger: str = "create", user: Optional[User] = None):
+    """Execute the operations specified in registered actions on the given query"""
+    storage = datastore()
+
+    if trigger not in VALID_TRIGGERS:
+        raise HowlerValueError(f"{trigger} is not a valid trigger. It must be one of {','.join(VALID_TRIGGERS)}")
+
+    on_trigger_actions: list[Action] = storage.action.search(f"triggers:{sanitize_lucene_query(trigger)}", rows=10000)[
+        "items"
+    ]
+
+    for action in on_trigger_actions:
+        intersected_query = f"({query}) AND ({action.query})"
+
+        if datastore().hit.search(intersected_query, rows=0)["total"] < 1:
+            if "pytest" in sys.modules:
+                logger.debug("Action %s does not apply to query %s", action.action_id, query)
+
+            continue
+
+        logger.info("Running action %s on bulk query %s", action.action_id, query)
+        for operation in action.operations:
+            if operation.operation_id == "example_plugin":
+                continue
+
+            parsed_data = json.loads(operation.data_json) if operation.data_json else operation.data
+
+            audit(
+                [],
+                {
+                    "query": intersected_query,
+                    "operation_id": operation.operation_id,
+                    **parsed_data,
+                },
+                user["uname"] if user is not None else "unknown",
+                user,
+                bulk_execute_on_query,
+            )
+
+            if not user:
+                raise NotImplementedError("Running actions without a user object is not currently supported")
+
+            report = actions.execute(
+                operation_id=operation.operation_id,
+                query=intersected_query,
+                user=user,
+                **parsed_data,
+            )
+
+            for entry in report:
+                logger.info(
+                    "%s (%s): %s",
+                    operation.operation_id,
+                    entry["outcome"],
+                    entry["message"],
+                )
+                logger.debug("\t%s", entry["query"])

howler/services/analytic_service.py

@@ -0,0 +1,128 @@
+from typing import Any, Union
+
+from howler.common.loader import datastore
+from howler.common.logging import get_logger
+from howler.datastore.exceptions import SearchException
+from howler.datastore.operations import OdmUpdateOperation
+from howler.odm.models.analytic import Analytic
+from howler.odm.models.hit import Hit
+from howler.odm.models.howler_data import Assessment
+from howler.odm.models.user import User
+from howler.utils.str_utils import sanitize_lucene_query
+
+logger = get_logger(__file__)
+
+
+def does_analytic_exist(analytic_id: str) -> bool:
+    """Returns true if the analytic_id is already in use."""
+    return datastore().analytic.exists(analytic_id)
+
+
+def get_analytic(
+    id: str,
+    as_obj: bool = False,
+    version: bool = False,
+):
+    """Return analytic object as either an ODM or Dict"""
+    return datastore().analytic.get_if_exists(key=id, as_obj=as_obj, version=version)
+
+
+def update_analytic(
+    analytic_id: str,
+    operations: list[OdmUpdateOperation],
+):
+    """Update one or more properties of an analytic in the database."""
+    storage = datastore()
+
+    result = storage.analytic.update(analytic_id, operations)
+
+    return result
+
+
+def get_matching_analytics(hits: Union[list[Hit], list[dict[str, Any]]]) -> list[Analytic]:
+    """Get a list of matching analytics for the given list of hits.
+
+    Args:
+        hits (Union[list[Hit], list[dict[str, Any]]]): A list of Hit objects or dictionaries representing hits.
+    Returns:
+        list[Analytic]: A list of Analytic objects that match the analytics referenced in the hits.
+    """
+    if len(hits) < 1:
+        return []
+
+    storage = datastore()
+
+    analytic_names: set[str] = set()
+    for hit in hits:
+        analytic_names.add(f'"{sanitize_lucene_query(hit["howler"]["analytic"])}"')
+
+    try:
+        existing_analytics: list[Analytic] = storage.analytic.search(
+            f'name:({" OR ".join(analytic_names)})', as_obj=True
+        )["items"]
+
+        return existing_analytics
+    except SearchException:
+        logger.exception("Exception on analytic matching")
+        return []
+
+
+def save_from_hit(hit: Hit, user: User):
+    """Save updates to an analytic based on a new hit that has been created
+
+    Args:
+        hit (Hit): The newly created hit to use to update the analytic entry
+    """
+    storage = datastore()
+
+    save = False
+    existing_analytics: list[Analytic] = storage.analytic.search(
+        f'name:"{sanitize_lucene_query(hit.howler.analytic)}"'
+    )["items"]
+    if len(existing_analytics) > 0:
+        analytic: Analytic = existing_analytics[0]
+
+        if not analytic.owner:
+            save = True
+            analytic.owner = user["uname"]
+
+        if user["uname"] not in analytic.contributors:
+            analytic.contributors.append(user["uname"])
+
+        if hit.howler.detection:
+            new_detections = [d for d in analytic.detections if d.lower() != (hit.howler.detection or "").lower()]
+            new_detections.append(hit.howler.detection)
+
+            new_detections = sorted(new_detections)
+
+            if new_detections != analytic.as_primitives()["detections"]:
+                save = True
+                analytic.detections = new_detections
+
+        if len(existing_analytics) > 1:
+            logger.warning("Duplicate analytics detected! Removing duplicates...")
+            for duplicate in existing_analytics[1:]:
+                storage.analytic.delete(duplicate.analytic_id)
+
+            storage.analytic.commit()
+    else:
+        save = True
+        analytic = Analytic(
+            {
+                "name": hit.howler.analytic,
+                "owner": user["uname"],
+                "contributors": [user["uname"]],
+                "detections": [hit.howler.detection] if hit.howler.detection else [],
+                "description": "Placeholder Description - Défaut Description",
+                "triage_settings": {
+                    "valid_assessments": Assessment.list(),
+                    "skip_rationale": False,
+                },
+            }
+        )
+
+    if save:
+        storage.analytic.save(analytic.analytic_id, analytic)
+
+        # This is necessary as we often save over the analytic multiple times in quick succession when saving from hits
+        storage.analytic.commit()