Skip to content

Commit

Permalink
Merge pull request #24 from blacklanternsecurity/dev
Browse files Browse the repository at this point in the history 
v1.3.0

Was approved for merge by @kerrymilan
  • Loading branch information
@debifrank
debifrank authored Dec 15, 2022
2 parents 4db849f + 8031572 commit 819c02c
Show file tree
Hide file tree
Showing 22 changed files with 768,333 additions and 512,295 deletions.
21 changes: 17 additions & 4 deletions Controllers/AdminDashboardController.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,15 +25,18 @@ public class AdminDashboardController : Controller
private readonly ILogger<AdminDashboardController> _logger;
private readonly UsersService _usersService;
private readonly KeyService _keyService;
private readonly AssessmentsService _assessmentsService;

public AdminDashboardController(
ILogger<AdminDashboardController> logger,
UsersService usersService,
KeyService keyService)
KeyService keyService,
AssessmentsService assessmentsService)
{
_logger = logger;
_usersService = usersService;
_keyService = keyService;
_assessmentsService = assessmentsService;
}

[HttpGet]
Expand All @@ -47,8 +50,9 @@ public async Task<IActionResult> AdminDashboard()
// Display the dashboard
List<User> users = await _usersService.GetUsers();
List<Key> keys = await _keyService.GetKeys();
List<Assessments> assessments = await _assessmentsService.GetAllAsync();

return View((users, keys));
return View((users, keys, assessments));
}

[HttpPost]
Expand All @@ -67,11 +71,20 @@ public async Task<IActionResult> CreateKey(string keyName,
List<string> scenarioPrivileges,
List<string> eventPrivileges,
List<string> templatePrivileges,
List<string> metricsPrivileges)
List<string> metricsPrivileges,
string assessmentId)
{
if (!User.Identity.IsAuthenticated || !User.IsInRole("Admin")) { return RedirectToAction("Logout", "Security"); }

string apiKey = await _keyService.AddKey(keyName, assessmentPrivileges, scenarioPrivileges, eventPrivileges, templatePrivileges, metricsPrivileges);
string apiKey = await _keyService.AddKey(
keyName,
assessmentPrivileges,
scenarioPrivileges,
eventPrivileges,
templatePrivileges,
metricsPrivileges,
assessmentId
);

return Content(JsonConvert.SerializeObject(apiKey));
}
Expand Down
256 changes: 223 additions & 33 deletions Controllers/AssessmentsController.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,68 +23,258 @@ namespace Enter_The_Matrix.Controllers
public class AssessmentsController : ControllerBase
{
private readonly AssessmentsService _assessmentsService;
private readonly ScenariosService _scenariosService;
private readonly StepsService _stepsService;
private readonly KeyService _keyService;
private const string APIKEY = "X-Api-Key";

public AssessmentsController(AssessmentsService service)
public AssessmentsController(
AssessmentsService assessmentService,
ScenariosService scenarioService,
StepsService stepsService,
KeyService keyService)
{
_assessmentsService = service;
_assessmentsService = assessmentService;
_scenariosService = scenarioService;
_stepsService = stepsService;
_keyService = keyService;
}

[HttpGet]
public async Task<ActionResult<IEnumerable<Assessments>>> GetAll()
{
var assessments = await _assessmentsService.GetAllAsync();
return Ok(assessments);
var keyIn = HttpContext.Request.Headers[APIKEY];
string authorizedFor = await _keyService.ValidateAssessment(keyIn);
if (authorizedFor == "")
{
return Unauthorized("You are not authorized to perform this action due to assessment level restrictions.");
}

if (authorizedFor == "*")
{
var assessments = await _assessmentsService.GetAllAsync();
return Ok(assessments);
}
else
{
try
{
var assessment = await _assessmentsService.GetByIdAsync(authorizedFor);
List<Assessments> retList = new List<Assessments>();
retList.Add(assessment);
return Ok(retList);
}
catch
{
return BadRequest();
}
}
}

[HttpGet]
public async Task<ActionResult<Assessments>> GetById(string id)
{
var assessment = await _assessmentsService.GetByIdAsync(id);
if (assessment == null)
{
return NotFound();
var keyIn = HttpContext.Request.Headers[APIKEY];
string authorizedFor = await _keyService.ValidateAssessment(keyIn);
if (authorizedFor == "")
{
return Unauthorized("You are not authorized to perform this action due to assessment level restrictions.");
}

if (authorizedFor == id || authorizedFor == "*")
{
Assessments assessment;
try
{
assessment = await _assessmentsService.GetByIdAsync(id);
}
catch
{
return BadRequest();
}
if (assessment == null)
{
return NotFound("The assessment provided does not exist.");
}
return Ok(assessment);
}
else
{
return Unauthorized("You are not authorized to perform this action due to assessment level restrictions.");
}
return Ok(assessment);
}

[HttpPost]
public async Task<IActionResult> Create(Assessments assessment)
public async Task<IActionResult> Create([FromBody] Assessments assessment)
{
var keyIn = HttpContext.Request.Headers[APIKEY];
string authorizedFor = await _keyService.ValidateAssessment(keyIn);
if (authorizedFor != "*")
{
return Unauthorized("You are not authorized to perform this action due to assessment level restrictions.");
}

if (!ModelState.IsValid)
{
return BadRequest();
return BadRequest("The model supplied is invalid.");
}
assessment.Id = null;
assessment.Scenarios = new string[] { };
assessment.ThreatTreeId = "";
try
{
await _assessmentsService.CreateAsync(assessment);
}
catch
{
return BadRequest();
}
await _assessmentsService.CreateAsync(assessment);
return Ok(assessment);


string assessmentApiKey = await _keyService.AddKey(
assessment.Name,
new List<string> { "C", "R", "U", "D" },
new List<string> { "C", "R", "U", "D" },
new List<string> { "C", "R", "U", "D" },
new List<string> { },
new List<string> { },
assessment.Id
);

Dictionary<string, object> ret = new Dictionary<string, object>();
ret["id"] = assessment.Id;
ret["name"] = assessment.Name;
ret["date"] = assessment.Date;
ret["createdBy"] = assessment.CreatedBy;
ret["scenarios"] = assessment.Scenarios;
ret["threatTreeId"] = assessment.ThreatTreeId;
ret["apiKey"] = assessmentApiKey;

return Ok(ret);
}

[HttpPut]
public async Task<IActionResult> Update(string id, Assessments assessment)
{
if (!ModelState.IsValid)
{
return BadRequest();
}
public async Task<IActionResult> Update(string id, [FromBody] Assessments assessment)
{

var keyIn = HttpContext.Request.Headers[APIKEY];
string authorizedFor = await _keyService.ValidateAssessment(keyIn);
if (authorizedFor == "")
{
return Unauthorized("You are not authorized to perform this action due to assessment level restrictions.");
}

if (authorizedFor == id || authorizedFor == "*")
{
if (!ModelState.IsValid)
{
return BadRequest("The model supplied is invalid.");
}

// Check if assessment exists
var queriedAssessment = await _assessmentsService.GetByIdAsync(id);
if (queriedAssessment == null)
{
return NotFound("The assessment supplied was not found.");
}

// Make sure that scenarios are unique (no duplicates)
if (assessment.Scenarios.Length != assessment.Scenarios.Distinct().ToArray<string>().Length)
{
return BadRequest("A scenario was supplied more than once.");
}

// Check if all scenarios exist
foreach (string scenarioId in assessment.Scenarios)
{
if (await _scenariosService.GetByIdAsync(scenarioId) == null)
{
return NotFound("One of the scenarios supplied was not found.");
}
}

// Check that no scenario is already consumed by another assessment
List<Assessments> assessmentList = await _assessmentsService.GetAllAsync();
foreach (string scenarioId in assessment.Scenarios)
{
foreach (Assessments a in assessmentList)
{
if (a.Id == id) { continue; }
if (a.Scenarios.Contains(scenarioId)) {
return BadRequest("One of the scenarios supplied is already associated with another assessment.");
}
}
}

var queriedAssessment = await _assessmentsService.GetByIdAsync(id);
if (queriedAssessment == null)
{
return NotFound();
}

await _assessmentsService.UpdateAsync(id, assessment);
return NoContent();
try
{
await _assessmentsService.UpdateAsync(id, assessment);
}
catch
{
return BadRequest();
}

return Ok(await _assessmentsService.GetByIdAsync(id));
}
else
{
return Unauthorized("You are not authorized to perform this action due to assessment level restrictions.");
}

}

[HttpDelete]
public async Task<IActionResult> Delete(string id)
{
var assessment = await _assessmentsService.GetByIdAsync(id);
if (assessment == null)
{
return NotFound();
{
var keyIn = HttpContext.Request.Headers[APIKEY];
string authorizedFor = await _keyService.ValidateAssessment(keyIn);
if (authorizedFor == "")
{
return Unauthorized("You are not authorized to perform this action due to assessment level restrictions.");
}

if (authorizedFor == id || authorizedFor == "*")
{
// Check if the assessment exists
var assessment = await _assessmentsService.GetByIdAsync(id);
if (assessment == null)
{
return NotFound("The assessment provided does not exist.");
}

// Take care of orphaned records
foreach (string scenarioId in assessment.Scenarios)
{
Scenarios scenario = await _scenariosService.GetByIdAsync(scenarioId);
if (scenario != null)
{
foreach (string stepId in scenario.Steps)
{
Steps step = await _stepsService.GetByIdAsync(stepId);
if (step != null)
{
await _stepsService.DeleteAsync(step.Id);
}
}
await _scenariosService.DeleteAsync(scenario.Id);
}
}
try
{
await _assessmentsService.DeleteAsync(id);
}
catch
{
return BadRequest();
}
return Ok();
}
else
{
return Unauthorized("You are not authorized to perform this action due to assessment level restrictions.");
}
await _assessmentsService.DeleteAsync(id);
return NoContent();
}
}
}
3 changes: 3 additions & 0 deletions Controllers/MetricsController.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@ orderby entry.Value.Item1 descending
return Content(JsonConvert.SerializeObject(sortedUsed), "application/json");
}

[HttpGet]
public async Task<IActionResult> GetAttackChains()
{
Dictionary<string, List<(string, string)>> chains = await _metricsService.GetAttackChains();
Expand All @@ -66,6 +67,7 @@ public async Task<IActionResult> GetAttackChains()
return Content(JsonConvert.SerializeObject(returnChains), "application/json");
}

[HttpGet]
public async Task<IActionResult> GetCommonStarts()
{
Dictionary<string, (int, List<string>)> events = await _metricsService.GetCommonEvents(0);
Expand All @@ -80,6 +82,7 @@ orderby entry.Value.Item1 descending
return Content(JsonConvert.SerializeObject(returnEvents), "application/json");
}

[HttpGet]
public async Task<IActionResult> GetCommonEnds()
{
Dictionary<string, (int, List<string>)> events = await _metricsService.GetCommonEvents(-1);
Expand Down
Loading

0 comments on commit 819c02c

Please sign in to comment.