AIL-framework/var/www/Flask_server.py

#!/usr/bin/env python3
# -*-coding:UTF-8 -*

import redis
import configparser
import random
import json
import datetime
import time
import calendar
from flask import Flask, render_template, jsonify, request, Request, session, redirect, url_for
from flask_login import LoginManager, current_user, login_user, logout_user, login_required

import bcrypt

import flask
import importlib
import os
from os.path import join
import sys
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'packages/'))
sys.path.append('./modules/')
import Paste
from Date import Date

from User import User

from pytaxonomies import Taxonomies

# Import config
import Flask_config

def flask_init():
    int_user_management()

def int_user_management():
    # # TODO: check for admin account
    # check if an account exists
    if not r_serv_db.hexists('user:all'):
        password = 'admin@admin.test'
        create_user_db('admin', password, default=True)

def hashing_password(bytes_password):
    hashed = bcrypt.hashpw(bytes_password, bcrypt.gensalt())
    return hashed

def verify_password(id, bytes_password):
    hashed_password = r_serv_db.hget('user:all', id)
    if bcrypt.checkpw(password, hashed):
        return True
    else:
        return False

def create_user_db(username_id , password, default=False):
    ## TODO: validate username
    ## TODO: validate password

    if username_id == '__anonymous__':
        ## TODO: return 500
        return 'ERROR'

    password = password.encode()
    password_hash = hashing_password(password)
    r_serv_db.hset('user:all', username_id, password_hash)
    if default:
        r_serv_db.set('user:request_password_change', username_id)

# CONFIG #
cfg = Flask_config.cfg
baseUrl = cfg.get("Flask", "baseurl")
baseUrl = baseUrl.replace('/', '')
if baseUrl != '':
    baseUrl = '/'+baseUrl

# ========= REDIS =========#
r_serv_db = redis.StrictRedis(
    host=cfg.get("ARDB_DB", "host"),
    port=cfg.getint("ARDB_DB", "port"),
    db=cfg.getint("ARDB_DB", "db"),
    decode_responses=True)
r_serv_tags = redis.StrictRedis(
    host=cfg.get("ARDB_Tags", "host"),
    port=cfg.getint("ARDB_Tags", "port"),
    db=cfg.getint("ARDB_Tags", "db"),
    decode_responses=True)

# =========       =========#

Flask_config.app = Flask(__name__, static_url_path=baseUrl+'/static/')
app = Flask_config.app
app.config['MAX_CONTENT_LENGTH'] = 900 * 1024 * 1024

# ========= session ========
app.secret_key = str(random.getrandbits(256))
login_manager = LoginManager()
login_manager.login_view = 'login'
login_manager.init_app(app)

# ========= LOGIN MANAGER ========

@login_manager.user_loader
def load_user(user_id):
    return User.get(user_id)

# ========= HEADER GENERATION ========

# Get headers items that should be ignored (not displayed)
toIgnoreModule = set()
try:
    with open('templates/ignored_modules.txt', 'r') as f:
        lines = f.read().splitlines()
        for line in lines:
            toIgnoreModule.add(line)

except IOError:
    f = open('templates/ignored_modules.txt', 'w')
    f.close()

# Dynamically import routes and functions from modules
# Also, prepare header.html
to_add_to_header_dico = {}
for root, dirs, files in os.walk('modules/'):
    sys.path.append(join(root))

    # Ignore the module
    curr_dir = root.split('/')[1]
    if curr_dir in toIgnoreModule:
        continue

    for name in files:
        module_name = root.split('/')[-2]
        if name.startswith('Flask_') and name.endswith('.py'):
            if name == 'Flask_config.py':
                continue
            name = name.strip('.py')
            #print('importing {}'.format(name))
            importlib.import_module(name)
        elif name == 'header_{}.html'.format(module_name):
            with open(join(root, name), 'r') as f:
                to_add_to_header_dico[module_name] = f.read()

#create header.html
complete_header = ""
with open('templates/header_base.html', 'r') as f:
    complete_header = f.read()
modified_header = complete_header

#Add the header in the supplied order
for module_name, txt in list(to_add_to_header_dico.items()):
    to_replace = '<!--{}-->'.format(module_name)
    if to_replace in complete_header:
        modified_header = modified_header.replace(to_replace, txt)
        del to_add_to_header_dico[module_name]

#Add the header for no-supplied order
to_add_to_header = []
for module_name, txt in to_add_to_header_dico.items():
    to_add_to_header.append(txt)

modified_header = modified_header.replace('<!--insert here-->', '\n'.join(to_add_to_header))

#Write the header.html file
with open('templates/header.html', 'w') as f:
    f.write(modified_header)


# ========= JINJA2 FUNCTIONS ========
def list_len(s):
    return len(s)
app.jinja_env.filters['list_len'] = list_len


# ========= CACHE CONTROL ========
@app.after_request
def add_header(response):
    """
    Add headers to both force latest IE rendering engine or Chrome Frame,
    and also to cache the rendered page for 10 minutes.
    """
    response.headers['X-UA-Compatible'] = 'IE=Edge,chrome=1'
    response.headers['Cache-Control'] = 'public, max-age=0'
    return response

# ========== ROUTES ============
@app.route('/login', methods=['POST', 'GET'])
def login():
    if request.method == 'POST':
        username = request.form.get('username')
        password = request.form.get('password')
        next_page = request.form.get('next_page')

        print(username)
        print(password)

        if username is not None:
            user = User.get(username)
            #print(user.is_anonymous)
            #print('auth') # TODO: overwrite
            #print(user.is_authenticated)
            if user and user.check_password(password):
                login_user(user) ## TODO: use remember me ?
                #print(user.request_password_change())
                print(user.is_active)
                return redirect(url_for('dashboard.index'))
            else:
                return 'incorrect password'

        return 'none'

    else:
        next_page = request.args.get('next')
        print(next_page)
        return render_template("login.html", next_page=next_page)

@app.route('/role', methods=['POST', 'GET'])
def role():
    return 'ERROR role'

@app.route('/logout')
@login_required
def logout():
    logout_user()
    return redirect(url_for('login'))

@app.route('/create_user')
@login_required
def create_user():
    username = request.form.get('username')
    password = request.form.get('password')
    #role = request.form.get('role') ## TODO: create role

    ## TODO: validate username
    ## TODO: validate password

    username = 'admin@admin.test'
    password = 'admin'

    if r_serv_db.hexists('user:all', username):
        return 'this id is not available'

    create_user_db(username, password)

    return 'True'


@app.route('/searchbox/')
def searchbox():
    return render_template("searchbox.html")


# ========== INITIAL taxonomies ============
# add default ail taxonomies
r_serv_tags.sadd('active_taxonomies', 'infoleak')
r_serv_tags.sadd('active_taxonomies', 'gdpr')
r_serv_tags.sadd('active_taxonomies', 'fpf')
# add default tags
taxonomies = Taxonomies()
for tag in taxonomies.get('infoleak').machinetags():
    r_serv_tags.sadd('active_tag_infoleak', tag)
for tag in taxonomies.get('gdpr').machinetags():
    r_serv_tags.sadd('active_tag_gdpr', tag)
for tag in taxonomies.get('fpf').machinetags():
    r_serv_tags.sadd('active_tag_fpf', tag)

# ========== INITIAL tags auto export ============
infoleak_tags = taxonomies.get('infoleak').machinetags()
infoleak_automatic_tags = []
for tag in taxonomies.get('infoleak').machinetags():
    if tag.split('=')[0][:] == 'infoleak:automatic-detection':
        r_serv_db.sadd('list_export_tags', tag)

r_serv_db.sadd('list_export_tags', 'infoleak:submission="manual"')
# ============ MAIN ============

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=7000, threaded=True)
decode with redis connection 2018-05-04 13:53:29 +02:00			`#!/usr/bin/env python3`
Initial import of AIL framework - Analysis Information Leak framework AIL is a modular framework to analyse potential information leak from unstructured data source like pastes from Past ebin or similar services. AIL framework is flexible and can be extended to support other functionalities to mine sen sitive information 2014-08-06 11:43:40 +02:00			`# --coding:UTF-8 -`

Big cleanup, pep8 2014-08-14 17:55:18 +02:00			`import redis`
frontend python 3.5 upgrade 2018-04-17 16:06:32 +02:00			`import configparser`
chg: [UI] add basic user management 2019-05-02 17:31:14 +02:00			`import random`
Big cleanup, pep8 2014-08-14 17:55:18 +02:00			`import json`
Added top_progression chart for tld, domain and scheme + Small modification in config file. 2016-07-21 13:44:22 +02:00			`import datetime`
Correctly handle and display add or remove a term in term-frequency + started sketch of terms-plot tool. 2016-08-19 16:53:46 +02:00			`import time`
Added sentiment analyser module (draft) 2016-08-13 15:24:57 +02:00			`import calendar`
chg: [UI] add basic user management 2019-05-02 17:31:14 +02:00			`from flask import Flask, render_template, jsonify, request, Request, session, redirect, url_for`
			`from flask_login import LoginManager, current_user, login_user, logout_user, login_required`

chg: [user_management] create + check user password 2019-05-03 16:52:05 +02:00			`import bcrypt`

Initial import of AIL framework - Analysis Information Leak framework AIL is a modular framework to analyse potential information leak from unstructured data source like pastes from Past ebin or similar services. AIL framework is flexible and can be extended to support other functionalities to mine sen sitive information 2014-08-06 11:43:40 +02:00			`import flask`
Draft of new organisation of the web interface. Usage of Flask's blueprint 2017-04-19 11:02:03 +02:00			`import importlib`
Make sure the webserver fails properly if there is no config file. Create the queue list in a more pythonesque fashion. 2014-08-26 17:33:28 +02:00			`import os`
Draft of new organisation of the web interface. Usage of Flask's blueprint 2017-04-19 11:02:03 +02:00			`from os.path import join`
Added DomainTrending seems working. Started search features with related html pages, not finish yet. 2016-07-05 16:53:03 +02:00			`import sys`
			`sys.path.append(os.path.join(os.environ['AIL_BIN'], 'packages/'))`
Draft of new organisation of the web interface. Usage of Flask's blueprint 2017-04-19 11:02:03 +02:00			`sys.path.append('./modules/')`
Added DomainTrending seems working. Started search features with related html pages, not finish yet. 2016-07-05 16:53:03 +02:00			`import Paste`
Added top_progression chart for tld, domain and scheme + Small modification in config file. 2016-07-21 13:44:22 +02:00			`from Date import Date`
web: basic search functionality added 2014-12-24 15:42:20 +01:00
chg: [UI] add basic user management 2019-05-02 17:31:14 +02:00			`from User import User`

taxonomie + add tags + tags display 2018-05-23 16:58:56 +02:00			`from pytaxonomies import Taxonomies`

Splitted Flask_server into module related to website sections 2016-12-09 08:46:37 +01:00			`# Import config`
			`import Flask_config`
Added draft of terms_management + Added copyright in readme 2016-08-19 13:34:02 +02:00
chg: [user_management] create + check user password 2019-05-03 16:52:05 +02:00			`def flask_init():`
			`int_user_management()`

			`def int_user_management():`
			`# # TODO: check for admin account`
			`# check if an account exists`
			`if not r_serv_db.hexists('user:all'):`
			`password = 'admin@admin.test'`
			`create_user_db('admin', password, default=True)`

			`def hashing_password(bytes_password):`
			`hashed = bcrypt.hashpw(bytes_password, bcrypt.gensalt())`
			`return hashed`

			`def verify_password(id, bytes_password):`
			`hashed_password = r_serv_db.hget('user:all', id)`
			`if bcrypt.checkpw(password, hashed):`
			`return True`
			`else:`
			`return False`

			`def create_user_db(username_id , password, default=False):`
			`## TODO: validate username`
			`## TODO: validate password`

			`if username_id == '__anonymous__':`
			`## TODO: return 500`
			`return 'ERROR'`

			`password = password.encode()`
			`password_hash = hashing_password(password)`
			`r_serv_db.hset('user:all', username_id, password_hash)`
			`if default:`
			`r_serv_db.set('user:request_password_change', username_id)`

Splitted Flask_server into module related to website sections 2016-12-09 08:46:37 +01:00			`# CONFIG #`
			`cfg = Flask_config.cfg`
chg: [Flask] add prefix in config to flask routes 2018-09-20 10:38:19 +02:00			`baseUrl = cfg.get("Flask", "baseurl")`
			`baseUrl = baseUrl.replace('/', '')`
			`if baseUrl != '':`
			`baseUrl = '/'+baseUrl`
Added color in web-index reprenting modules states. 2016-08-24 18:00:05 +02:00
chg: [user_management] create + check user password 2019-05-03 16:52:05 +02:00			`# ========= REDIS =========#`
			`r_serv_db = redis.StrictRedis(`
			`host=cfg.get("ARDB_DB", "host"),`
			`port=cfg.getint("ARDB_DB", "port"),`
			`db=cfg.getint("ARDB_DB", "db"),`
			`decode_responses=True)`
			`r_serv_tags = redis.StrictRedis(`
			`host=cfg.get("ARDB_Tags", "host"),`
			`port=cfg.getint("ARDB_Tags", "port"),`
			`db=cfg.getint("ARDB_Tags", "db"),`
			`decode_responses=True)`

			`# ========= =========#`

chg: [Flask] add prefix in config to flask routes 2018-09-20 10:38:19 +02:00			`Flask_config.app = Flask(__name__, static_url_path=baseUrl+'/static/')`
Splitted Flask_server into module related to website sections 2016-12-09 08:46:37 +01:00			`app = Flask_config.app`
add feature, user can submit paste on the web interface 2018-06-08 16:49:20 +02:00			`app.config['MAX_CONTENT_LENGTH'] = 900 * 1024 * 1024`
Make sure the webserver fails properly if there is no config file. Create the queue list in a more pythonesque fashion. 2014-08-26 17:33:28 +02:00
chg: [UI] add basic user management 2019-05-02 17:31:14 +02:00			`# ========= session ========`
			`app.secret_key = str(random.getrandbits(256))`
			`login_manager = LoginManager()`
			`login_manager.login_view = 'login'`
			`login_manager.init_app(app)`

			`# ========= LOGIN MANAGER ========`

			`@login_manager.user_loader`
			`def load_user(user_id):`
			`return User.get(user_id)`

Modified skeleton template name into rawSkeleton + Added possibility to hide modules in the header. 2017-04-25 12:18:08 +02:00			`# ========= HEADER GENERATION ========`

			`# Get headers items that should be ignored (not displayed)`
			`toIgnoreModule = set()`
			`try:`
			`with open('templates/ignored_modules.txt', 'r') as f:`
			`lines = f.read().splitlines()`
			`for line in lines:`
			`toIgnoreModule.add(line)`

			`except IOError:`
			`f = open('templates/ignored_modules.txt', 'w')`
			`f.close()`

Auto organisation of the navbar -> Web page are auto-inserted. Created skeleton webpage 2017-04-19 15:14:20 +02:00			`# Dynamically import routes and functions from modules`
			`# Also, prepare header.html`
			`to_add_to_header_dico = {}`
Draft of new organisation of the web interface. Usage of Flask's blueprint 2017-04-19 11:02:03 +02:00			`for root, dirs, files in os.walk('modules/'):`
Auto organisation of the navbar -> Web page are auto-inserted. Created skeleton webpage 2017-04-19 15:14:20 +02:00			`sys.path.append(join(root))`
Modified skeleton template name into rawSkeleton + Added possibility to hide modules in the header. 2017-04-25 12:18:08 +02:00
			`# Ignore the module`
			`curr_dir = root.split('/')[1]`
			`if curr_dir in toIgnoreModule:`
			`continue`

Auto organisation of the navbar -> Web page are auto-inserted. Created skeleton webpage 2017-04-19 15:14:20 +02:00			`for name in files:`
			`module_name = root.split('/')[-2]`
			`if name.startswith('Flask_') and name.endswith('.py'):`
			`if name == 'Flask_config.py':`
			`continue`
			`name = name.strip('.py')`
			`#print('importing {}'.format(name))`
			`importlib.import_module(name)`
			`elif name == 'header_{}.html'.format(module_name):`
			`with open(join(root, name), 'r') as f:`
			`to_add_to_header_dico[module_name] = f.read()`
Make sure the webserver fails properly if there is no config file. Create the queue list in a more pythonesque fashion. 2014-08-26 17:33:28 +02:00
Auto organisation of the navbar -> Web page are auto-inserted. Created skeleton webpage 2017-04-19 15:14:20 +02:00			`#create header.html`
			`complete_header = ""`
			`with open('templates/header_base.html', 'r') as f:`
			`complete_header = f.read()`
			`modified_header = complete_header`

			`#Add the header in the supplied order`
frontend python 3.5 upgrade 2018-04-17 16:06:32 +02:00			`for module_name, txt in list(to_add_to_header_dico.items()):`
Auto organisation of the navbar -> Web page are auto-inserted. Created skeleton webpage 2017-04-19 15:14:20 +02:00			`to_replace = '<!--{}-->'.format(module_name)`
			`if to_replace in complete_header:`
			`modified_header = modified_header.replace(to_replace, txt)`
			`del to_add_to_header_dico[module_name]`

			`#Add the header for no-supplied order`
			`to_add_to_header = []`
			`for module_name, txt in to_add_to_header_dico.items():`
			`to_add_to_header.append(txt)`

			`modified_header = modified_header.replace('<!--insert here-->', '\n'.join(to_add_to_header))`

			`#Write the header.html file`
			`with open('templates/header.html', 'w') as f:`
			`f.write(modified_header)`


			`# ========= JINJA2 FUNCTIONS ========`
Added DomainTrending seems working. Started search features with related html pages, not finish yet. 2016-07-05 16:53:03 +02:00			`def list_len(s):`
			`return len(s)`
			`app.jinja_env.filters['list_len'] = list_len`

Draft: added new duplicate hash comparison - tlsh 2016-08-04 11:55:38 +02:00
Bug fix related with redis: Fixed typo key in redis for module creditcard and sqlinjection Modified Curve redisLvlDb server Modified Url.py so that it forwards name of protocol from saved protocolsfile Added Cache control in Flask Modified key-tab name into keys-tab 2016-08-09 11:59:36 +02:00			`# ========= CACHE CONTROL ========`
			`@app.after_request`
			`def add_header(response):`
			`"""`
			`Add headers to both force latest IE rendering engine or Chrome Frame,`
			`and also to cache the rendered page for 10 minutes.`
			`"""`
			`response.headers['X-UA-Compatible'] = 'IE=Edge,chrome=1'`
			`response.headers['Cache-Control'] = 'public, max-age=0'`
			`return response`
Added top_progression chart for tld, domain and scheme + Small modification in config file. 2016-07-21 13:44:22 +02:00
Auto organisation of the navbar -> Web page are auto-inserted. Created skeleton webpage 2017-04-19 15:14:20 +02:00			`# ========== ROUTES ============`
chg: [UI] add basic user management 2019-05-02 17:31:14 +02:00			`@app.route('/login', methods=['POST', 'GET'])`
			`def login():`
			`if request.method == 'POST':`
			`username = request.form.get('username')`
			`password = request.form.get('password')`
			`next_page = request.form.get('next_page')`

			`print(username)`
			`print(password)`

			`if username is not None:`
			`user = User.get(username)`
			`#print(user.is_anonymous)`
			`#print('auth') # TODO: overwrite`
			`#print(user.is_authenticated)`
			`if user and user.check_password(password):`
			`login_user(user) ## TODO: use remember me ?`
chg: [user_management] create + check user password 2019-05-03 16:52:05 +02:00			`#print(user.request_password_change())`
			`print(user.is_active)`
chg: [UI] add basic user management 2019-05-02 17:31:14 +02:00			`return redirect(url_for('dashboard.index'))`
			`else:`
			`return 'incorrect password'`

			`return 'none'`

			`else:`
			`next_page = request.args.get('next')`
			`print(next_page)`
			`return render_template("login.html", next_page=next_page)`

chg: [user_management] add user role_management 2019-05-06 16:58:36 +02:00			`@app.route('/role', methods=['POST', 'GET'])`
			`def role():`
			`return 'ERROR role'`

chg: [UI] add basic user management 2019-05-02 17:31:14 +02:00			`@app.route('/logout')`
			`@login_required`
			`def logout():`
			`logout_user()`
chg: [user_management] create + check user password 2019-05-03 16:52:05 +02:00			`return redirect(url_for('login'))`

			`@app.route('/create_user')`
			`@login_required`
			`def create_user():`
			`username = request.form.get('username')`
			`password = request.form.get('password')`
			`#role = request.form.get('role') ## TODO: create role`

			`## TODO: validate username`
			`## TODO: validate password`

			`username = 'admin@admin.test'`
			`password = 'admin'`

			`if r_serv_db.hexists('user:all', username):`
			`return 'this id is not available'`

			`create_user_db(username, password)`

			`return 'True'`
chg: [UI] add basic user management 2019-05-02 17:31:14 +02:00

Auto organisation of the navbar -> Web page are auto-inserted. Created skeleton webpage 2017-04-19 15:14:20 +02:00			`@app.route('/searchbox/')`
			`def searchbox():`
			`return render_template("searchbox.html")`


taxonomie + add tags + tags display 2018-05-23 16:58:56 +02:00			`# ========== INITIAL taxonomies ============`
			`# add default ail taxonomies`
			`r_serv_tags.sadd('active_taxonomies', 'infoleak')`
galaxy tag info + fix 2018-05-30 16:18:58 +02:00			`r_serv_tags.sadd('active_taxonomies', 'gdpr')`
			`r_serv_tags.sadd('active_taxonomies', 'fpf')`
taxonomie + add tags + tags display 2018-05-23 16:58:56 +02:00			`# add default tags`
			`taxonomies = Taxonomies()`
			`for tag in taxonomies.get('infoleak').machinetags():`
			`r_serv_tags.sadd('active_tag_infoleak', tag)`
galaxy tag info + fix 2018-05-30 16:18:58 +02:00			`for tag in taxonomies.get('gdpr').machinetags():`
verify file upload extention 2018-06-06 10:05:25 +02:00			`r_serv_tags.sadd('active_tag_gdpr', tag)`
galaxy tag info + fix 2018-05-30 16:18:58 +02:00			`for tag in taxonomies.get('fpf').machinetags():`
verify file upload extention 2018-06-06 10:05:25 +02:00			`r_serv_tags.sadd('active_tag_fpf', tag)`
taxonomie + add tags + tags display 2018-05-23 16:58:56 +02:00
fix duplicate export attribute + tag export whitelist 2018-06-15 17:25:43 +02:00			`# ========== INITIAL tags auto export ============`
			`infoleak_tags = taxonomies.get('infoleak').machinetags()`
			`infoleak_automatic_tags = []`
			`for tag in taxonomies.get('infoleak').machinetags():`
			`if tag.split('=')[0][:] == 'infoleak:automatic-detection':`
			`r_serv_db.sadd('list_export_tags', tag)`

fix hive and misp error 2018-06-19 16:39:49 +02:00			`r_serv_db.sadd('list_export_tags', 'infoleak:submission="manual"')`
Splitted Flask_server into module related to website sections 2016-12-09 08:46:37 +01:00			`# ============ MAIN ============`
Added comments and renamed variables and separeted chunks of codes into function 2016-07-08 10:19:24 +02:00
Initial import of AIL framework - Analysis Information Leak framework AIL is a modular framework to analyse potential information leak from unstructured data source like pastes from Past ebin or similar services. AIL framework is flexible and can be extended to support other functionalities to mine sen sitive information 2014-08-06 11:43:40 +02:00			`if __name__ == "__main__":`
Big cleanup, pep8 2014-08-14 17:55:18 +02:00			`app.run(host='0.0.0.0', port=7000, threaded=True)`