Module: VulnreportAuth

Defined in:
lib/auth.rb

Overview

Handles all Vulnreport authentication and permission functions.


Instance Method Details

- (Boolean) admin?

Checks if active session is an admin

Returns:

  • (Boolean)

    True if active user is an admin, false otherwise



# File 'lib/auth.rb', line 26

def admin?
	u = User.get(session[:uid])
	return false if u.org == 0
	return false if !u.active

	return u.admin
end

- (Boolean) allowRTForOrg(oid, rtid)

Create a link assigning the given RT as accessible to the given Org

Parameters:

  • oid (Integer)

    ID of the Org

  • rtid (Integer)

    ID of the RecordType to allow

Returns:

  • (Boolean)

    True if successful, false otherwise



# File 'lib/auth.rb', line 179

def allowRTForOrg(oid, rtid)
	return false if(oid.nil? || rtid.nil?)

	l = Link.first(:fromType => LINK_TYPE::ORGANIZATION, :fromId => oid, :toType => LINK_TYPE::ALLOW_APP_RT, :toId => rtid)
	if(!l.nil?)
		return true
	else
		l = Link.create(:fromType => LINK_TYPE::ORGANIZATION, :fromId => oid, :toType => LINK_TYPE::ALLOW_APP_RT, :toId => rtid)
		if(l.saved?)
			return true
		else
			return false
		end
	end
end

- (Boolean) authorized?

Checks if active session is a logged in user

Returns:

  • (Boolean)

    True if active user is logged in, false otherwise



# File 'lib/auth.rb', line 14

def authorized?
	if(session[:org].nil?)
		session[:logged_in] = false
		session[:username] = nil
	end
	
	return session[:logged_in] == true && !session[:username].nil?
end

- (Boolean) canApproveProvPass?

Check if the logged in user has perm to approve Provisional Passes

Returns:

  • (Boolean)

    True if user is allowed, false otherwise



# File 'lib/auth.rb', line 521

def canApproveProvPass?()
	u = User.get(session[:uid])
	return false if !u.active
	return true if u.provPassApprover

	return false
end

- (Boolean) canAuditMonitors?

Check if the logged in user has perm to audit monitoring alerts

Returns:

  • (Boolean)

    True if user is allowed, false otherwise



# File 'lib/auth.rb', line 508

def canAuditMonitors?()
	u = User.get(session[:uid])
	return false if !u.active
	return true if u.admin
	return false if !u.verified?
	return true if u.canAuditMonitors

	return false
end

- (Boolean) canDeleteReview?(aid)

Check if the logged in user is allowed to delete an Application

Parameters:

  • aid (Integer)

    ID of the Application to check against

Returns:

  • (Boolean)

    True if user can delete the Application, false otherwise



# File 'lib/auth.rb', line 419

def canDeleteReview?(aid)
	#If admin or in super org, yes
	#Else no
	u = User.get(session[:uid])
	return false if !u.active
	return true if u.admin

	return false if !u.verified?
	o = Organization.get(u.org)
	return true if o.super

	return false
end

- (Boolean) canDeleteTest?(tid)

Check if the logged in user is allowed to delete a Test

Parameters:

  • tid (Integer)

    ID of the Test to check against

Returns:

  • (Boolean)

    True if user can delete the Test, false otherwise



# File 'lib/auth.rb', line 437

def canDeleteTest?(tid)
	#If admin or in super org, yes
	#If created test or in org that created test, yes
	#Else no
	u = User.get(session[:uid])
	return false if !u.active
	return true if u.admin

	return false if !u.verified?
	o = Organization.get(u.org)
	return true if o.super

	t = Test.get(tid)
	#Comparison, not assignment: a single "=" here would be truthy for every test with a reviewer and grant delete to any verified user
	return true if (u.id == t.reviewer)
	
	rev = User.get(t.reviewer)
	return true if (u.org == rev.org)

	return false
end

- (Boolean) canFinalizeTest?(tid, uid = session[:uid])

Check if the logged in user is allowed to finalize (pass, fail, or request prov pass) a given Test. To finalize a test, user must be able to access the review the test is on. If they require approval, that step will be taken care of in the status update. If a test is in the is_pending state (awaiting approval) this function restricts finalize ability to those who can approve based on the pending_by UID.

Parameters:

  • tid (Integer)

    ID of the Test to check against

  • uid (Integer) (defaults to: session[:uid])

    ID of the User to check permission for. Defaults to logged in user.

Returns:

  • (Boolean)

    True if user can finalize the test, false otherwise



# File 'lib/auth.rb', line 391

def canFinalizeTest?(tid, uid=session[:uid])
	u = User.get(uid)
	return false if !u.active
	return false if !u.verified?
	return true if u.admin

	t = Test.get(tid)
	if(!t.is_pending)
		return canViewReview?(t.application_id)
	else
		pendingUser = User.get(t.pending_by)
		approvers = pendingUser.approvers
		if(!approvers[:users].nil? && approvers[:users].include?(uid))
			return true
		end

		if(!approvers[:orgs].nil? && approvers[:orgs].include?(u.org))
			return true
		end
	end

	return false
end

- (Boolean) canPassRTToContractor?(rtid, uid = session[:uid])

Check if the logged in user has perm to pass a test from an Application with the given RecordType ID to a contractor. Requires that the user have the canPassToCon perm bit and be able to access the given RT.

Parameters:

  • rtid (Integer)

    ID of the RecordType to check permission against

  • uid (Integer) (defaults to: session[:uid])

    ID of the User to check permission for. Defaults to logged in user.

Returns:

  • (Boolean)

    True if user is allowed, false otherwise



# File 'lib/auth.rb', line 479

def canPassRTToContractor?(rtid, uid=session[:uid])
	u = User.get(uid)
	return false if !u.active
	return true if u.admin

	return false if !u.verified?
	return false if(!u.canPassToCon)
	return false if(!(getAllowedRTsForUser(uid).include?(rtid)))
	return true
end

- (Boolean) canPassToContractor?(aid)

Check if the logged in user has perm to pass a test from the given Application ID to a contractor. Requires that the user have the canPassToCon perm bit and be able to access the RT of the given Application ID.

Parameters:

  • aid (Integer)

    ID of the Application to check permission against

Returns:

  • (Boolean)

    True if user is allowed, false otherwise



# File 'lib/auth.rb', line 463

def canPassToContractor?(aid)
	u = User.get(session[:uid])
	return false if !u.active
	return true if u.admin

	return false if !u.verified?
	return false if(!u.canPassToCon)
	return false if(!canViewReview?(aid, u.id))
	return true
end

- (Boolean) canUseReports?

Check if the logged in user has perm to use reporting

Returns:

  • (Boolean)

    True if user is allowed, false otherwise



# File 'lib/auth.rb', line 493

def canUseReports?()
	u = User.get(session[:uid])
	return false if !u.active
	return true if u.admin

	return false if !u.verified?
	return true if reports_only?

	o = Organization.get(u.org)
	return o.canReport
end

- (Boolean) canViewReview?(aid, uid = session[:uid])

Check if a user is allowed to view a review

Permission rules are as follows:
(1) => If user not active NO
(2) => If user is admin YES (warning for private reviews takes place elsewhere)
(3) => If user is on app's UID override list YES
    => If test is private
    (3) => => If UID on allowed list YES [handled above]
    (4) => => Else NO
(5) => If test is marked as global YES
(6) => If user is not assigned to an Org and not yet allowed NO
(7) => If user's org is Super YES
(8) => If user's org is allowed for app's RT YES
(9) => If user is marked as reviewer for any of app's tests YES
(10) => ELSE NO

Parameters:

  • aid (Integer)

    ID of the Application to check permission against.

  • uid (Integer) (defaults to: session[:uid])

    ID of the User to check permission for. Defaults to logged in user.

Returns:

  • (Boolean)

    True if user can access the application, false otherwise.



# File 'lib/auth.rb', line 359

def canViewReview?(aid, uid=session[:uid])
	u = User.get(uid)
	return false if !u.active #(1)
	return true if u.admin #(2)

	a = Application.get(aid)
	return true if(!a.allow_UIDs.nil? && a.allow_UIDs.include?(u.id)) #(3)

	return false if(a.isPrivate) #(4)
	return true if a.global #(5)
	
	return false if !u.verified? #(6)
	o = Organization.get(u.org)
	return true if o.super #(7)
	
	allowedOrgs = getOrgsAllowedForRT(a.record_type)
	return true if(allowedOrgs.include?(o.id)) #(8)

	a.tests.each do |t|
		return true if t.reviewer == u.id #(9)
	end

	return false #(10)
end
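An added example, not Vulnreport's own code: an in-memory model of the canViewReview? rule chain above, so the precedence of the ten rules can be exercised without a database. The Vr structs, the rt_allow hash (standing in for getOrgsAllowedForRT) and all sample users, orgs and applications are constructed here; verified? is assumed to mean "an org has been assigned", and super_org stands in for Organization#super.

```ruby
# Constructed stand-ins for the DataMapper models used by canViewReview?
module Vr
  User = Struct.new(:id, :active, :admin, :org, keyword_init: true) do
    def verified?; org != 0; end   # assumption: verified means an org is assigned
  end
  Organization = Struct.new(:id, :super_org, keyword_init: true) # super_org = Organization#super
  Test = Struct.new(:reviewer, keyword_init: true)
  Application = Struct.new(:allow_UIDs, :isPrivate, :global, :record_type, :tests, keyword_init: true)
end

# rt_allow stands in for getOrgsAllowedForRT: { record_type_id => [org_id, ...] }.
# Rule numbers match the documentation of canViewReview? above.
def can_view_review?(u, o, a, rt_allow)
  return false unless u.active                                            # (1)
  return true if u.admin                                                  # (2)
  return true if a.allow_UIDs && a.allow_UIDs.include?(u.id)              # (3)
  return false if a.isPrivate                                             # (4)
  return true if a.global                                                 # (5)
  return false unless u.verified?                                         # (6)
  return true if o && o.super_org                                         # (7)
  return true if o && rt_allow.fetch(a.record_type, []).include?(o.id)    # (8)
  return true if a.tests.any? { |t| t.reviewer == u.id }                  # (9)
  false                                                                   # (10)
end

# Scenarios chosen so that each shows which rule wins when several could apply.
def sample_outcomes
  super_org  = Vr::Organization.new(id: 1, super_org: true)
  vendor_org = Vr::Organization.new(id: 2, super_org: false)
  alice = Vr::User.new(id: 10, active: true,  admin: false, org: 1)  # super org member
  bob   = Vr::User.new(id: 11, active: true,  admin: false, org: 2)  # vendor org member
  carol = Vr::User.new(id: 12, active: true,  admin: false, org: 0)  # no org yet (unverified)
  dave  = Vr::User.new(id: 13, active: false, admin: true,  org: 1)  # deactivated admin
  rt_allow = { 5 => [2] }   # record type 5 has been allowed to the vendor org
  private_app = Vr::Application.new(allow_UIDs: [11], isPrivate: true, global: false,
                                    record_type: 5, tests: [])
  normal_app  = Vr::Application.new(allow_UIDs: nil, isPrivate: false, global: false,
                                    record_type: 5, tests: [Vr::Test.new(reviewer: 12)])
  {
    super_on_private:    can_view_review?(alice, super_org,  private_app, rt_allow), # false: (4) before (7)
    listed_on_private:   can_view_review?(bob,   vendor_org, private_app, rt_allow), # true:  (3)
    org_allowed_rt:      can_view_review?(bob,   vendor_org, normal_app,  rt_allow), # true:  (8)
    super_on_normal:     can_view_review?(alice, super_org,  normal_app,  rt_allow), # true:  (7)
    unverified_reviewer: can_view_review?(carol, nil,        normal_app,  rt_allow), # false: (6) before (9)
    inactive_admin:      can_view_review?(dave,  super_org,  normal_app,  rt_allow)  # false: (1) before (2)
  }
end
```

The two "before" cases are the ones worth keeping in mind when changing the order of checks: a private review denies even a super org member who is not on its allow list, and an unassigned user is denied even when marked as reviewer on one of its tests.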

- (Array<Integer>) checkRecordTypeListForAccess(requested, uid)

Check a list of RecordType IDs against those the given User is allowed to access and return only those the User is allowed to access

Parameters:

  • requested (Array<Integer>)

    Array of integers representing RecordType IDs User wants to access

  • uid (Integer)

    ID of the User

Returns:

  • (Array<Integer>)

    Array of integers representing RecordType IDs from the requested array the User can access



# File 'lib/auth.rb', line 281

def checkRecordTypeListForAccess(requested, uid)
	#Reject anything that is not a non-empty Array (the original test was missing the negation, so every Array was rejected)
	if(requested.nil? || !requested.kind_of?(Array) || requested.size == 0)
		return []
	end
	
	return (requested & (getAllowedRTsForUser(uid)))
end

- (Boolean) contractor?

Checks if active session is a contractor

Returns:

  • (Boolean)

    True if active user is a contractor, false otherwise



# File 'lib/auth.rb', line 59

def contractor?
	o = Organization.get(session[:org])
	return false if o.nil?
	return o.contractor
end

- (Array<RecordType>) getAllowedRTObjsForUser(uid)

Get all RecordTypes accessible for the given User, returning an array of the objects

Parameters:

  • uid (Integer)

    ID of the User

Returns:

  • (Array<RecordType>)

    Array of RecordTypes representing the RecordTypes the given User can access



# File 'lib/auth.rb', line 272

def getAllowedRTObjsForUser(uid)
	return RecordType.all(:id => getAllowedRTsForUser(uid))
end

- (Array<Integer>) getAllowedRTsForOrg(oid)

Get all RecordType IDs accessible for the given Org

Parameters:

  • oid (Integer)

    ID of the Org

Returns:

  • (Array<Integer>)

    Array of RecordType IDs representing the RecordTypes the given Org can access



# File 'lib/auth.rb', line 215

def getAllowedRTsForOrg(oid)
	return [] if(oid.nil?)
	allowed = Array.new

	ls = Link.all(:fromType => LINK_TYPE::ORGANIZATION, :fromId => oid, :toType => LINK_TYPE::ALLOW_APP_RT)
	if(!ls.nil?)
		ls.each do |l|
			allowed << l.toId.to_i
		end
	end

	return allowed
end

- (Array<Integer>) getAllowedRTsForUser(uid)

Get all RecordType IDs accessible for the given User

Parameters:

  • uid (Integer)

    ID of the User

Returns:

  • (Array<Integer>)

    Array of RecordType IDs representing the RecordTypes the given User can access



# File 'lib/auth.rb', line 251

def getAllowedRTsForUser(uid)
	return [] if(uid.nil?)
	allowed = Array.new

	u = User.get(uid)
	return [] if (u.nil? || !u.active)

	o = Organization.get(u.org)
	return [] if (o.nil?)

	if(u.admin || o.super)
		return RecordType.allAppRecordTypes().map{|rt| rt.id}
	else
		return getAllowedRTsForOrg(o.id)
	end
end

- (Array<Integer>) getOrgsAllowedForRT(rtid)

Get IDs of all Orgs that can access a given RecordType

Parameters:

  • rtid (Integer)

    ID of the RecordType

Returns:

  • (Array<Integer>)

    Array of Organization IDs representing the orgs that can access the given RecordType



# File 'lib/auth.rb', line 233

def getOrgsAllowedForRT(rtid)
	return [] if(rtid.nil?)
	allowed = Array.new

	ls = Link.all(:fromType => LINK_TYPE::ORGANIZATION, :toType => LINK_TYPE::ALLOW_APP_RT, :toId => rtid)
	if(!ls.nil?)
		ls.each do |l|
			allowed << l.fromId.to_i
		end
	end

	return allowed
end

- (Boolean) markUserWarnedApp(uid, aid, sec = 1800)

Remember (for 30 mins) that a user has been warned about a private app they are viewing. Done in Redis so we can auto-expire the warning. Audit event is logged.

Parameters:

  • uid (Integer)

    User ID

  • aid (Integer)

    Application ID

  • sec (Integer) (defaults to: 1800)

    Seconds to remember the warning for

Returns:

  • (Boolean)

    True if successful



# File 'lib/auth.rb', line 307

def markUserWarnedApp(uid, aid, sec=1800)
	thisAr = AuditRecord.create(:event_type => EVENT_TYPE::ADMIN_OVERRIDE_PRIVATE_APP, :event_at => DateTime.now, :actor => @session[:uid], :target_a_type => LINK_TYPE::APPLICATION, :target_a => aid.to_s) 
	return settings.redis.setex("privatewarn_u_#{uid.to_s}_a_#{aid.to_s}", sec, "true")
end

- (Boolean) markUserWarnedTest(uid, tid, sec = 1800)

Remember (for 30 mins) that a user has been warned about a private test they are viewing. Done in Redis so we can auto-expire the warning. Audit event is logged.

Parameters:

  • uid (Integer)

    User ID

  • tid (Integer)

    Test ID

Returns:

  • (Boolean)

    True if successful



# File 'lib/auth.rb', line 318

def markUserWarnedTest(uid, tid, sec=1800)
	thisAr = AuditRecord.create(:event_type => EVENT_TYPE::ADMIN_OVERRIDE_PRIVATE_TEST, :event_at => DateTime.now, :actor => @session[:uid], :target_a_type => LINK_TYPE::TEST, :target_a => tid.to_s) 
	return settings.redis.setex("privatewarn_u_#{uid.to_s}_t_#{tid.to_s}", sec, "true")
end

- (Object) no_contractors!

Prevent contractors from viewing a page. If the active user is a contractor, redirect to Unauth page.

ERB File Used:

  • views/unauth.erb



# File 'lib/auth.rb', line 91

def no_contractors!
	protected!

	if contractor?
		halt 401, (erb :unauth)
	end
end

- (Object) no_reporters!

Prevent reports_only users from viewing a page. If the active user is a reports-only user, redirect to Unauth page.

ERB File Used:

  • views/unauth.erb



# File 'lib/auth.rb', line 103

def no_reporters!
	protected!

	if reports_only?
		halt 401, (erb :unauth)
	end
end

- (Object) only_admins!

Allow only admins to see a page. If the active user is not an admin, redirect to Unauth page.

ERB File Used:

  • views/unauth.erb



# File 'lib/auth.rb', line 115

def only_admins!
	protected!

	unless admin?
		halt 401, (erb :unauth)
	end
end

- (Object) only_super!

Allow only super users (users belonging to a super org) to see a page. If the active user is not a super user, redirect to Unauth page.

ERB File Used:

  • views/unauth.erb



# File 'lib/auth.rb', line 127

def only_super!
	protected!

	unless (admin? || super?)
		halt 401, (erb :unauth)
	end
end

- (Object) only_super_or_reporters!

Deprecated.

Allow only super users or reports users to see a page. If the active user is not a super or reports_only user, redirect to Unauth page. Good for reports that would otherwise be super, but can be shown to just reports users too.

ERB File Used:

  • views/unauth.erb



# File 'lib/auth.rb', line 141

def only_super_or_reporters!
	protected!

	unless (admin? || super? || reports_only?)
		halt 401, (erb :unauth)
	end
end

- (Object) only_verified!

Block users without an org assigned. If the active user is not assigned an org, redirect to Unauth page.

ERB File Used:

  • views/unauth.erb



# File 'lib/auth.rb', line 153

def only_verified!
	protected!

	u = User.get(session[:uid])
	if !u.verified?
		halt 401, (erb :unauth)
	end
end

- (Boolean) orgAllowedRT?(oid, rtid)

Check if the given RecordType is accessible to the given Org

Parameters:

  • oid (Integer)

    ID of the Org to check permissions for

  • rtid (Integer)

    ID of the RecordType to check permission to

Returns:

  • (Boolean)

    True if Org can access the RecordType, false otherwise



# File 'lib/auth.rb', line 167

def orgAllowedRT?(oid, rtid)
	return false if(oid.nil? || rtid.nil?)

	l = Link.first(:fromType => LINK_TYPE::ORGANIZATION, :fromId => oid, :toType => LINK_TYPE::ALLOW_APP_RT, :toId => rtid)
	return (!l.nil?)
end

- (Object) protected!

Requires that a user be logged in to view the page. Otherwise, redirect to login.



# File 'lib/auth.rb', line 67

def protected!
	unless authorized?
		session[:loginredir] = request.path unless (!request.path.nil? && request.path.include?("favicon"))
		redirect "/login"
	end

	u = User.get(session[:uid])
	if(!u.active)
		Rollbar.info("Inactive account access attempt blocked", {:uid => u.id, :username => u.sso_user})
		session[:login_error] = "Your user account is inactive. Please contact your Vulnreport admin."
		redirect "/login"
	end

	if(session[:org] == 0)
		if(u.org != 0)
			session[:org] = u.org
		end
	end
end

- (Boolean) removeRTForOrg(oid, rtid)

Remove link, blocking the given RT from the given Org

Parameters:

  • oid (Integer)

    ID of the Org

  • rtid (Integer)

    ID of the RecordType to remove

Returns:

  • (Boolean)

    True if successful, false otherwise



# File 'lib/auth.rb', line 200

def removeRTForOrg(oid, rtid)
	return false if(oid.nil? || rtid.nil?)

	ls = Link.all(:fromType => LINK_TYPE::ORGANIZATION, :fromId => oid, :toType => LINK_TYPE::ALLOW_APP_RT, :toId => rtid)
	if(ls.nil?)
		return true
	else
		return ls.destroy
	end
end

- (Boolean) reports_only?

Checks if active session is a reports-only user

Returns:

  • (Boolean)

    True if active user is reports-only, false otherwise



# File 'lib/auth.rb', line 50

def reports_only?
	u = User.get(session[:uid])
	return false if !u.active
	return u.reportsOnly
end

- (Boolean) super?

Checks if active session is a user belonging to a Super org

Returns:

  • (Boolean)

    True if active user is super, false otherwise



# File 'lib/auth.rb', line 37

def super?
	u = User.get(session[:uid])
	return false if !u.verified?
	return false if !u.active
	return true if u.admin
	
	o = Organization.get(u.org)
	return true if o.super

	#Explicit false so callers always get a Boolean rather than nil
	return false
end

- (Boolean) userAllowedForApp(uid, aid)

Check if a User is on the allowed UID list for an Application

Parameters:

  • uid (Integer)

    User ID to check access for

  • aid (Integer)

    Application ID to check access against

Returns:

  • (Boolean)

    True if user is in the allow list



# File 'lib/auth.rb', line 294

def userAllowedForApp(uid, aid)
	a = Application.get(aid)
	return false if a.nil?

	return (!a.allow_UIDs.nil? && a.allow_UIDs.include?(uid))
end

- (Boolean) userWarnedForApp?(uid, aid)

Check if a user has been recently warned about viewing a private app

Parameters:

  • uid (Integer)

    User ID

  • aid (Integer)

    Application ID

Returns:

  • (Boolean)

    True if they have been warned recently, false otherwise



# File 'lib/auth.rb', line 328

def userWarnedForApp?(uid, aid)
	return settings.redis.exists("privatewarn_u_#{uid.to_s}_a_#{aid.to_s}")
end

- (Boolean) userWarnedForTest?(uid, tid)

Check if a user has been recently warned about viewing a private test

Parameters:

  • uid (Integer)

    User ID

  • tid (Integer)

    Test ID

Returns:

  • (Boolean)

    True if they have been warned recently, false otherwise



# File 'lib/auth.rb', line 337

def userWarnedForTest?(uid, tid)
	return settings.redis.exists("privatewarn_u_#{uid.to_s}_t_#{tid.to_s}")
end