Enhanced the Flask CLI initialization command to populate the databas…

…e from fixtures.
practisec · Jul 2, 2024 · 3b9019d · 3b9019d
1 parent 4277fad
commit 3b9019d
Show file tree

Hide file tree

Showing 12 changed files with 637 additions and 18 deletions.
diff --git a/pwnedadmin/__init__.py b/pwnedadmin/__init__.py
@@ -1,5 +1,6 @@
 from flask import Flask, Blueprint
 from flask_sqlalchemy import SQLAlchemy
+import click
 
 db = SQLAlchemy()
 
@@ -27,21 +28,39 @@ def create_app(config='Development'):
     app.register_blueprint(ConfigBlurprint)
     app.register_blueprint(EmailBlurprint)
 
-    @app.cli.command("init")
-    def init_data():
+    @app.cli.command('init')
+    @click.argument('dataset')
+    def init_data(dataset):
+        from flask import current_app
         from pwnedadmin import models
-        db.create_all()
+        import json
+        import os
+        db.create_all(bind_key=None)
+        for cls in models.BaseModel.__subclasses__():
+            fixture_path = os.path.join(current_app.root_path, 'fixtures', dataset, f"{cls.__table__.name}.json")
+            if os.path.exists(fixture_path):
+                print(f"Processing {fixture_path}.")
+                with open(fixture_path) as fp:
+                    for row in json.load(fp):
+                        db.session.add(cls(**row))
+        db.session.commit()
         print('Database initialized.')
 
-    @app.cli.command("export")
+    @app.cli.command('export')
     def export_data():
-        from pwnedadmin.models import Config, Email
+        from pwnedadmin.models import BaseModel
         import json
-        for cls in [Config, Email]:
+        for cls in BaseModel.__subclasses__():
             objs = [obj.serialize_for_export() for obj in cls.query.all()]
             if objs:
                 print(f"\n***** {cls.__table__.name}.json *****\n")
                 print(json.dumps(objs, indent=4, default=str))
         print('Database exported.')
 
+    @app.cli.command('purge')
+    def purge_data():
+        db.drop_all(bind_key=None)
+        db.session.commit()
+        print('Database purged.')
+
     return app
diff --git a/pwnedadmin/fixtures/base/configs.json b/pwnedadmin/fixtures/base/configs.json
@@ -0,0 +1,86 @@
+[
+    {
+        "id": 1,
+        "name": "CSRF_PROTECT",
+        "description": "Profile CSRF Protection (PwnedHub)",
+        "type": "security control",
+        "value": true
+    },
+    {
+        "id": 2,
+        "name": "OSCI_PROTECT",
+        "description": "Tools OSCI Protection (PwnedHub)",
+        "type": "security control",
+        "value": false
+    },
+    {
+        "id": 3,
+        "name": "SQLI_PROTECT",
+        "description": "Login SQLi Protection (PwnedHub)",
+        "type": "security control",
+        "value": false
+    },
+    {
+        "id": 4,
+        "name": "CSP_PROTECT",
+        "description": "Content Security Policy (PwnedHub)",
+        "type": "security control",
+        "value": false
+    },
+    {
+        "id": 5,
+        "name": "CORS_RESTRICT",
+        "description": "Restricted CORS (PwnedAPI)",
+        "type": "security control",
+        "value": true
+    },
+    {
+        "id": 6,
+        "name": "JWT_VERIFY",
+        "description": "Verify JWT Signatures (PwnedAPI)",
+        "type": "security control",
+        "value": true
+    },
+    {
+        "id": 7,
+        "name": "JWT_ENCRYPT",
+        "description": "Encrypt JWTs (PwnedAPI)",
+        "type": "security control",
+        "value": false
+    },
+    {
+        "id": 8,
+        "name": "BEARER_AUTH_ENABLE",
+        "description": "Bearer Token Authentication (PwnedAPI)",
+        "type": "feature",
+        "value": true
+    },
+    {
+        "id": 9,
+        "name": "OIDC_ENABLE",
+        "description": "OpenID Connect Authentication (PwnedHub)",
+        "type": "feature",
+        "value": false
+    },
+    {
+        "id": 10,
+        "name": "SSO_ENABLE",
+        "description": "SSO Authentication (PwnedHub)",
+        "type": "feature",
+        "value": false
+    },
+    {
+        "id": 11,
+        "name": "OOB_RESET_ENABLE",
+        "description": "Out-of-Band Password Reset (PwnedHub)",
+        "type": "feature",
+        "value": false
+    },
+    {
+        "id": 12,
+        "name": "CTF_MODE",
+        "description": "CTF Mode (Warning: Disables this interface!)",
+        "type": "feature",
+        "value": false
+    }
+]
diff --git a/pwnedapi/__init__.py b/pwnedapi/__init__.py
@@ -3,6 +3,7 @@
 from flask_socketio import SocketIO
 from flask_sqlalchemy import SQLAlchemy
 from redis import Redis
+import click
 import rq
 
 cors = CORS()
@@ -57,21 +58,39 @@ def config_cors(response):
 
     from pwnedapi.views import websockets
 
-    @app.cli.command("init")
-    def init_data():
+    @app.cli.command('init')
+    @click.argument('dataset')
+    def init_data(dataset):
+        from flask import current_app
         from pwnedapi import models
-        db.create_all()
+        import json
+        import os
+        db.create_all(bind_key=None)
+        for cls in models.BaseModel.__subclasses__():
+            fixture_path = os.path.join(current_app.root_path, 'fixtures', dataset, f"{cls.__table__.name}.json")
+            if os.path.exists(fixture_path):
+                print(f"Processing {fixture_path}.")
+                with open(fixture_path) as fp:
+                    for row in json.load(fp):
+                        db.session.add(cls(**row))
+        db.session.commit()
         print('Database initialized.')
 
-    @app.cli.command("export")
+    @app.cli.command('export')
     def export_data():
-        from pwnedapi.models import Scan, Note, Tool, Room, Message, User
+        from pwnedapi.models import BaseModel
         import json
-        for cls in [Scan, Note, Tool, Room, Message, User]:
+        for cls in BaseModel.__subclasses__():
             objs = [obj.serialize_for_export() for obj in cls.query.all()]
             if objs:
                 print(f"\n***** {cls.__table__.name}.json *****\n")
                 print(json.dumps(objs, indent=4, default=str))
         print('Database exported.')
 
+    @app.cli.command('purge')
+    def purge_data():
+        db.drop_all(bind_key=None)
+        db.session.commit()
+        print('Database purged.')
+
     return app, socketio
diff --git a/pwnedapi/fixtures/base/messages.json b/pwnedapi/fixtures/base/messages.json
@@ -0,0 +1,90 @@
+[
+    {
+        "comment": "Hey, did you guys hear that we're having a security assessment this week?",
+        "user_id": 3,
+        "room_id": 1,
+        "id": 1,
+        "created": "2019-02-18 04:55:11",
+        "modified": "2019-02-18 04:55:11"
+    },
+    {
+        "comment": "No.",
+        "user_id": 4,
+        "room_id": 1,
+        "id": 2,
+        "created": "2019-02-18 04:55:19",
+        "modified": "2019-02-18 04:55:19"
+    },
+    {
+        "comment": "First I'm hearing of it. I hope they don't find any bugs. This is my \"get rich quick\" scheme.",
+        "user_id": 2,
+        "room_id": 1,
+        "id": 3,
+        "created": "2019-02-18 04:56:09",
+        "modified": "2019-02-18 04:56:09"
+    },
+    {
+        "comment": "Heh. Me too. So looking forward to afternoons on my yacht. :-)",
+        "user_id": 3,
+        "room_id": 1,
+        "id": 4,
+        "created": "2019-02-18 04:57:02",
+        "modified": "2019-02-18 04:57:02"
+    },
+    {
+        "comment": "Wait... didn't we go live this week?",
+        "user_id": 4,
+        "room_id": 1,
+        "id": 5,
+        "created": "2019-02-18 04:57:08",
+        "modified": "2019-02-18 04:57:08"
+    },
+    {
+        "comment": "Well, as the most interesting man in the world says, \"I don't always get apps tested, but when I do, I get it done in prod.\"",
+        "user_id": 2,
+        "room_id": 1,
+        "id": 6,
+        "created": "2019-02-18 04:57:20",
+        "modified": "2019-02-18 04:57:20"
+    },
+    {
+        "comment": "LOL! So, yeah, did any of you guys fix those things I found during QA testing? I sent Cooper a link to them in a private message.",
+        "user_id": 5,
+        "room_id": 1,
+        "id": 7,
+        "created": "2019-02-18 04:57:32",
+        "modified": "2019-02-18 04:57:32"
+    },
+    {
+        "comment": "No.",
+        "user_id": 4,
+        "room_id": 1,
+        "id": 8,
+        "created": "2019-02-18 04:57:37",
+        "modified": "2019-02-18 04:57:37"
+    },
+    {
+        "comment": "My bad.",
+        "user_id": 2,
+        "room_id": 1,
+        "id": 9,
+        "created": "2019-02-18 04:57:41",
+        "modified": "2019-02-18 04:57:41"
+    },
+    {
+        "comment": "Uh oh...",
+        "user_id": 3,
+        "room_id": 1,
+        "id": 10,
+        "created": "2019-02-18 04:57:46",
+        "modified": "2019-02-18 04:57:46"
+    },
+    {
+        "comment": "Wow. We're totally going to end up on https://haveibeenpwned.com/PwnedWebsites.",
+        "user_id": 5,
+        "room_id": 1,
+        "id": 11,
+        "created": "2019-02-18 04:59:31",
+        "modified": "2019-02-18 04:59:31"
+    }
+]
diff --git a/pwnedapi/fixtures/base/rooms.json b/pwnedapi/fixtures/base/rooms.json
@@ -0,0 +1,37 @@
+[
+    {
+        "name": "general",
+        "private": false,
+        "id": 1,
+        "created": "2019-02-16 01:51:59",
+        "modified": "2019-02-16 01:51:59"
+    },
+    {
+        "name": "f9adeea0",
+        "private": true,
+        "id": 2,
+        "created": "2023-07-17 04:58:05",
+        "modified": "2023-07-17 04:58:05"
+    },
+    {
+        "name": "a28b1e3e",
+        "private": true,
+        "id": 3,
+        "created": "2023-07-17 04:58:06",
+        "modified": "2023-07-17 04:58:06"
+    },
+    {
+        "name": "2ce70a5f",
+        "private": true,
+        "id": 4,
+        "created": "2023-07-17 04:58:08",
+        "modified": "2023-07-17 04:58:08"
+    },
+    {
+        "name": "ae206386",
+        "private": true,
+        "id": 5,
+        "created": "2023-07-17 04:58:09",
+        "modified": "2023-07-17 04:58:09"
+    }
+]
diff --git a/pwnedapi/fixtures/base/tools.json b/pwnedapi/fixtures/base/tools.json
@@ -0,0 +1,42 @@
+[
+    {
+        "name": "Dig",
+        "path": "dig",
+        "description": "(Domain Internet Groper) Network administration tool for Domain Name System (DNS) name server interrogation.",
+        "id": 1,
+        "created": "2019-02-16 02:09:59",
+        "modified": "2019-02-16 02:09:59"
+    },
+    {
+        "name": "Nmap",
+        "path": "nmap",
+        "description": "(Network Mapper) Utility for network discovery and security auditing.",
+        "id": 2,
+        "created": "2019-02-16 02:10:29",
+        "modified": "2019-02-16 02:10:29"
+    },
+    {
+        "name": "Nikto",
+        "path": "nikto",
+        "description": "Signature-based web server scanner.",
+        "id": 3,
+        "created": "2019-02-16 02:10:59",
+        "modified": "2019-02-16 02:10:59"
+    },
+    {
+        "name": "SSLyze",
+        "path": "sslyze",
+        "description": "Fast and powerful SSL/TLS server scanning library.",
+        "id": 4,
+        "created": "2019-02-16 02:11:29",
+        "modified": "2019-02-16 02:11:29"
+    },
+    {
+        "name": "SQLmap",
+        "path": "sqlmap --batch",
+        "description": "Penetration testing tool that automates the process of detecting and exploiting SQL injection flaws.",
+        "id": 5,
+        "created": "2019-02-16 02:11:59",
+        "modified": "2019-02-16 02:11:59"
+    }
+]