#1030 update - #947 method 1

LDO-CERT · Feb 29, 2024 · 7e4c1f6 · 7e4c1f6
1 parent 7003a2a
commit 7e4c1f6
Show file tree

Hide file tree

Showing 15 changed files with 138 additions and 36 deletions.
diff --git a/.envs/.local/.django b/.envs/.local/.django
@@ -7,6 +7,14 @@ IPYTHONDIR=/app/.ipython
 # ------------------------------------------------------------------------------
 ALLOWED_HOSTS=*
 
+# Smtp
+# ------------------------------------------------------------------------------
+EMAIL_HOST=mailpit
+EMAIL_PORT=1025
+EMAIL_USE_TLS=False
+EMAIL_HOST_USER=
+EMAIL_HOST_PASSWORD=
+
 # Redis
 # ------------------------------------------------------------------------------
 REDIS_URL=redis://redis:6379/0

diff --git a/compose/local/dask/Dockerfile b/compose/local/dask/Dockerfile
@@ -1,6 +1,5 @@
-FROM daskdev/dask:dev-py3.12
+FROM daskdev/dask:2024.2.1-py3.12
 ENV DEBIAN_FRONTEND noninteractive
-RUN echo "export VIRTUAL_ENV=`python -c 'import sys; print(sys.prefix)'`" >> /envfile
 
 ARG local_folder=/uploads
 
@@ -48,7 +47,7 @@ RUN python setup.py build \
 # Workers should have similar reqs as django
 WORKDIR /
 COPY ./requirements /requirements
-RUN . /envfile && pip install uv==0.1.7 && uv pip install --no-cache -r /requirements/base.txt
+RUN pip install uv==0.1.12 && uv pip install --system --no-cache -r /requirements/base.txt
 
 COPY ./compose/local/dask/prepare.sh /usr/bin/prepare.sh
 RUN chmod +x /usr/bin/prepare.sh

diff --git a/compose/local/django/Dockerfile b/compose/local/django/Dockerfile
@@ -3,7 +3,6 @@ FROM python:3.12-slim-bookworm as common-base
 ENV DJANGO_SETTINGS_MODULE config.settings.local
 ENV PYTHONUNBUFFERED 1
 ENV PYTHONDONTWRITEBYTECODE 1
-RUN echo "export VIRTUAL_ENV=`python -c 'import sys; print(sys.prefix)'`" >> /envfile
 
 ARG local_folder=/uploads
 
@@ -66,7 +65,7 @@ RUN /usr/local/go/bin/go build
 FROM common-base
 WORKDIR /
 COPY ./requirements /requirements
-RUN . /envfile && pip install uv==0.1.7 && uv pip install --no-cache -r /requirements/base.txt
+RUN pip install uv==0.1.12 && uv pip install --no-cache --system -r /requirements/base.txt
 
 COPY ./compose/local/__init__.py /src/volatility3/volatility3/framework/constants/__init__.py
 

diff --git a/compose/local/nginx/conf/default.conf b/compose/local/nginx/conf/default.conf
@@ -14,12 +14,8 @@ map $http_upgrade $connection_upgrade {
 server {
     listen 80;
     listen [::]:80;
-    server_name orochi.dev;
-    location / {
-        proxy_set_header   X-Forwarded-For $remote_addr;
-        proxy_set_header   Host $http_host;
-        proxy_pass         http://django_wsgi;
-    }
+    server_name _;
+    return 301 https://$host$request_uri;
 }
 
 server {

diff --git a/config/settings/local.py b/config/settings/local.py
@@ -27,7 +27,7 @@
 
 # EMAIL
 # ------------------------------------------------------------------------------
-EMAIL_HOST = env("EMAIL_HOST", default="mailhog")
+EMAIL_HOST = env("EMAIL_HOST", default="mailpit")
 EMAIL_PORT = 1025
 EMAIL_USE_TLS = env("EMAIL_USE_TLS", default=True)
 EMAIL_HOST_USER = env("EMAIL_HOST_USER", default=None)

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -42,7 +42,7 @@ services:
     restart: always
     depends_on:
       - postgres
-      - mailhog
+      - mailpit
     volumes:
       - media_path:/media
       - symbols_path:/src/volatility3/volatility3/symbols
@@ -73,7 +73,7 @@ services:
     restart: always
     depends_on:
       - postgres
-      - mailhog
+      - mailpit
     volumes:
       - media_path:/media
       - symbols_path:/src/volatility3/volatility3/symbols
@@ -103,12 +103,13 @@ services:
     ports:
       - "5432:5432"
 
-  mailhog:
-    image: mailhog/mailhog:v1.0.1
-    container_name: orochi_mailhog
-    hostname: mailhog
+  mailpit:
+    image: 'axllent/mailpit:latest'
+    container_name: orochi_mailpit
+    hostname: mailpit
     restart: always
     ports:
+      - "1025:1025"
       - "8025:8025"
 
   redis:

diff --git a/orochi/templates/base.html b/orochi/templates/base.html
@@ -1,4 +1,4 @@
-{% load static i18n %}
+{% load static i18n custom_tags %}
 <!DOCTYPE html>
 <html lang="en">
 
@@ -36,23 +36,30 @@
       {% if request.user.is_authenticated %}
 
       <ul class="nav col-12 col-md-auto mb-2 justify-content-center mb-md-0">
+
+        {% if not request.user|has_group:"ReadOnly" %}
         <li>
           <a href="{% url 'users:plugins' username=request.user.username %}" class="nav-link link-body-emphasis">
             <i class="fa fa-xl fa-dice-d20 bi d-block mx-auto mb-1"></i>{% trans "Plugins"%}
           </a>
         </li>
+        {% endif %}
 
+        {% if not request.user|has_group:"ReadOnly" %}
         <li>
           <a href="{% url 'website:list_symbols' %}" class="nav-link link-body-emphasis">
             <i class="fas fa-xl fa-dollar-sign bi d-block mx-auto mb-1"></i>{% trans "Symbols"%}
           </a>
         </li>
+        {% endif %}
 
+        {% if not request.user|has_group:"ReadOnly" %}
         <li>
           <a href="{% url 'users:rules' username=request.user.username %}" class="nav-link link-body-emphasis">
             <i class="fas fa-xl fa-ruler bi d-block mx-auto mb-1"></i>{% trans "Rules"%}
           </a>
         </li>
+        {% endif %}
 
         <div class="dropdown me-2 mt-2">
           <a href="#" class="d-block link-body-emphasis text-decoration-none dropdown-toggle" data-bs-toggle="dropdown"
@@ -87,7 +94,7 @@
             <i class="fa fa-xl fa-dragon bi d-block mx-auto mb-1"></i>{{request.user}}
           </a>
           <ul class="dropdown-menu text-small">
-            {% if user.is_staff %}
+            {% if request.user.is_staff %}
             <li>
               <a href="{% url 'admin:index' %}" class="dropdown-item" target="_blank">
                 <i class="fa fa-crown"></i> {% trans "Admin"%}

diff --git a/orochi/templates/website/index.html b/orochi/templates/website/index.html
@@ -1,5 +1,5 @@
 {% extends "base.html" %}
-{% load static %}
+{% load static custom_tags %}
 
 {% block modal %}
 <div class="modal fade" id="modal-update" tabindex="-1">
@@ -13,12 +13,14 @@
 {% block sidebar %}
 <h6 class="sidebar-heading d-flex justify-content-between px-3 mt-4 mb-1 text-muted">
     <span>dumps
+        {% if not request.user|has_group:"ReadOnly" %}
         <button id="new-index" type="button" class="btn btn-outline-success btn-sm">
             <i class="fa-solid fa-plus"></i>
         </button>
         <button id="new-folder" type="button" class="btn btn-outline-warning btn-sm">
             <i class="fa-solid fa-folder-plus"></i>
         </button>
+        {% endif %}
     </span>
     <input type="text" id="filter_dump" name="filter_dump" style="width: 60%;" class="form-control form-control-sm" placeholder="Filter">
 </h6>

diff --git a/orochi/templates/website/partial_indices.html b/orochi/templates/website/partial_indices.html
@@ -1,3 +1,4 @@
+{% load custom_tags %}
 {% if dumps %}
 <ul class="nav flex-column" id="index-list">
     {% for folder, index, name, color, os, author, status, description in dumps %}
@@ -29,7 +30,6 @@
             <span class="checkmark" style="background-color: black;"></span>
             {% endif %}
 
-            {% if author == user.pk %}
             <div class="btn-group float-end" role="group">
                 <a href="{% url 'website:hex_view' index %}" class="btn btn-outline-dark hex-index btn-sm"
                     data-toggle="tooltip" data-placement="top" title="Hex View">
@@ -39,6 +39,7 @@
                     data-toggle="tooltip" data-placement="top" title="Dump Info">
                     <i class="fas fa-info"></i>
                 </button>
+                {% if not request.user|has_group:"ReadOnly" %}
                 <button type="button" class="btn btn-outline-danger remove-index btn-sm" data-index="{{index}}"
                     data-toggle="tooltip" data-placement="top" title="Delete Dump">
                     <i class="fas fa-trash"></i>
@@ -82,12 +83,12 @@
                     <i class="fas fa-backward"></i>
                 </button>
                 {% endif %}
+                {% endif %}
                 <button type="button" class="btn btn-outline-dark download_obj download-index btn-sm"
                     data-path="{{filename}}" data-toggle="tooltip" data-placement="top" title="Download Dump">
                     <i class="fas fa-file-download"></i>
                 </button>
             </div>
-            {% endif %}
         </label>
     </li>
     {% if forloop.last %}

diff --git a/orochi/templates/website/partial_note.html b/orochi/templates/website/partial_note.html
@@ -8,9 +8,11 @@ <h1 class="h4">
     <button class="btn btn-sm btn-success" id="diff-dump" target="_blank" data-plugin="{{plugin}}" disabled>
         <i class="fas fa-code-compare" title="Rerun"></i> Compare
     </button>
+    {% if not request.user|has_group:"ReadOnly" %}
     <button type="button" class="btn btn-sm btn-warning" id="btn-resubmit" data-plugin="{{plugin}}" disabled>
         <i class="fas fa-sync" title="Rerun"></i> Rerun
     </button>
+    {% endif %}
 </h1>
 <div id="selected_alert" class="row row-cols-auto gy-2">
     {% for item in note %}

diff --git a/orochi/users/views.py b/orochi/users/views.py
@@ -1,11 +1,15 @@
-from orochi.website.models import UserPlugin
+from typing import Any
+
+from django.contrib import messages
 from django.contrib.auth import get_user_model
 from django.contrib.auth.mixins import LoginRequiredMixin
+from django.db.models.query import QuerySet
+from django.shortcuts import get_object_or_404
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
-from django.views.generic import RedirectView, DetailView
-from django.shortcuts import get_object_or_404
-from django.contrib import messages
+from django.views.generic import DetailView, RedirectView
+
+from orochi.website.models import UserPlugin
 
 User = get_user_model()
 
@@ -16,6 +20,13 @@ class UserYaraView(LoginRequiredMixin, DetailView):
     slug_url_kwarg = "username"
     template_name = "users/user_rules.html"
 
+    def get_queryset(self) -> QuerySet[Any]:
+        mine = self.request.user == User.objects.get(username=self.kwargs["username"])
+        qs = super().get_queryset()
+        if mine:
+            return qs
+        return qs.none()
+
 
 user_yara_view = UserYaraView.as_view()
 
@@ -42,6 +53,13 @@ def post(self, request, *args, **kwargs):
         )
         return self.render_to_response(context)
 
+    def get_queryset(self) -> QuerySet[Any]:
+        mine = self.request.user == User.objects.get(username=self.kwargs["username"])
+        qs = super().get_queryset()
+        if mine:
+            return qs
+        return qs.none()
+
 
 user_plugins_view = UserPluginView.as_view()
 
@@ -52,6 +70,13 @@ class UserBookmarksView(LoginRequiredMixin, DetailView):
     slug_url_kwarg = "username"
     template_name = "users/user_bookmarks.html"
 
+    def get_queryset(self) -> QuerySet[Any]:
+        mine = self.request.user == User.objects.get(username=self.kwargs["username"])
+        qs = super().get_queryset()
+        if mine:
+            return qs
+        return qs.none()
+
 
 user_bookmarks_view = UserBookmarksView.as_view()
 

diff --git a/orochi/website/api/permissions.py b/orochi/website/api/permissions.py
@@ -1,5 +1,5 @@
-from rest_framework import permissions
 from guardian.shortcuts import get_objects_for_user
+from rest_framework import permissions
 
 
 # Custom permissions
@@ -16,13 +16,22 @@ def has_permission(self, request, view):
 class AuthAndAuthorized(NotUpdateAndIsAuthenticated):
     def has_object_permission(self, request, view, obj):
         """
-        For object user must have permission
-        """
-        return (
-            request.user
-            and request.user.is_authenticated
-            and obj in get_objects_for_user(request.user, "website.can_see")
-        )
+        For object user must have can_see permission to list it,
+        also not being readonly to edit/delete
+        """
+        if view.action in ["retrieve", "list"]:
+            return (
+                request.user
+                and request.user.is_authenticated
+                and obj in get_objects_for_user(request.user, "website.can_see")
+            )
+        else:
+            return (
+                request.user
+                and request.user.is_authenticated
+                and obj in get_objects_for_user(request.user, "website.can_see")
+                and not request.user.groups.filter(name="ReadOnly").exists()
+            )
 
 
 class ParentAuthAndAuthorized(NotUpdateAndIsAuthenticated):

diff --git a/orochi/website/migrations/0053_create_default_groups.py b/orochi/website/migrations/0053_create_default_groups.py
@@ -0,0 +1,14 @@
+from django.apps import apps
+from django.db import migrations
+
+
+def create_groups(app, schema_editor):
+    Group = apps.get_model("auth", "Group")
+    group = Group(name="ReadOnly")
+    group.save()
+
+
+class Migration(migrations.Migration):
+    dependencies = [("website", "0052_create_superuser")]
+
+    operations = [migrations.RunPython(create_groups)]
diff --git a/orochi/website/templatetags/custom_tags.py b/orochi/website/templatetags/custom_tags.py
@@ -1,4 +1,5 @@
 from datetime import datetime
+
 from django import template
 from django.forms import CheckboxInput
 
@@ -24,3 +25,8 @@ def starts_with(value, value_with):
 @register.filter(name="epoch")
 def epoch(value):
     return datetime.fromtimestamp(value)
+
+
+@register.filter(name="has_group")
+def has_group(user, group_name):
+    return user.groups.filter(name=group_name).exists()