Merge pull request #30 from equalitie/develop

Issue #28

Author: mkaranasou

backend/requirements.txt

@@ -4,7 +4,7 @@ Flask==1.1.2
 Flask-Cors==3.0.9
 Flask-Session==0.3.2
 Flask-SocketIO==4.3.2
-passlib==1.7.2
+passlib==1.7.4
 PyJWT==1.7.1
 PyYAML==3.12
 redis==3.5.3
@@ -13,3 +13,4 @@ uuid==1.30
 baskerville==1.0.0
 docker==4.4.4
 docker-compose==1.28.5
+pyaml-env==1.1.1

backend/src/baskerville_dashboard/app.py

@@ -99,7 +99,7 @@ def add_guest_org(session):
         if not org:
             org = Organization()
             new_org = True
-        org.uuid = org_uuid
+        org.uuid = org.uuid if not new_org else org_uuid
         org.name = name
         org.registered = org.registered or False
         if new_org:
@@ -345,4 +345,4 @@ def clean_up_before_shutdown():
 
 
 if __name__ == '__main__':
-    socketio.run(app, host="0.0.0.0", port=5000)
+    socketio.run(app, host="0.0.0.0", port=5000, use_reloader=False)

backend/src/baskerville_dashboard/auth.py

@@ -7,7 +7,8 @@
 import uuid as uuid
 
 from baskerville.util.enums import UserCategoryEnum
-from baskerville_dashboard.utils.helpers import ResponseEnvelope
+from baskerville_dashboard.utils.helpers import ResponseEnvelope, \
+    get_user_by_org_uuid, response_jsonified
 from flask import current_app as app, session
 from baskerville_dashboard.db.manager import SessionManager
 from baskerville.db.dashboard_models import User, UserCategory, Organization
@@ -25,6 +26,7 @@ def create_token(user):
     """
     payload = {
         'sub': user.organization.uuid,
+        'id': user.id,
         'iat': datetime.utcnow(),
         'exp': datetime.utcnow() + timedelta(days=1),
         'scope': 'admin' if user.is_admin else 'user',
@@ -64,6 +66,7 @@ def decorated_function(*args, **kwargs):
             response.status_code = 401
             return response
         session['org_uuid'] = payload['sub']
+        session['user_id'] = payload['id']
 
         return f(*args, **kwargs)
 
@@ -313,3 +316,20 @@ def post(self):
         #     except RuntimeError as e:
         #         msg.message = str(e)
         #         return jsonify(msg.to_dict()), 500
+
+
+def resolve_user(f):
+
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        from flask import request
+        request.re = ResponseEnvelope()
+        user = get_user_by_org_uuid(session['org_uuid'], session['user_id'])
+        if not user:
+            code = 404
+            request.re.success = False
+            request.re.message = 'No user found'
+            return response_jsonified(request.re, code)
+        request.user = user
+        return f(*args, **kwargs)
+    return decorated_function

backend/src/baskerville_dashboard/routes/feedback.py

@@ -6,7 +6,8 @@
 import traceback
 
 from baskerville.util.enums import FeedbackContextTypeEnum, LabelEnum
-from baskerville_dashboard.auth import login_required
+from baskerville.util.helpers import get_logger
+from baskerville_dashboard.auth import login_required, resolve_user
 from baskerville_dashboard.db.manager import SessionManager
 from baskerville.db.dashboard_models import Feedback, FeedbackContext
 from baskerville_dashboard.utils.helpers import ResponseEnvelope, \
@@ -21,9 +22,12 @@
 
 ES_HOST = ''
 
+logger = get_logger(__name__, output_file='baskerville_dashboard.log')
+
 
 @feedback_app.route('/feedback/context', methods=('GET',))
 @login_required
+@resolve_user
 def get_feedback_context_details():
     """
     Get all available feedback context, feedback context type and respective
@@ -34,7 +38,7 @@ def get_feedback_context_details():
     sm = SessionManager()
     code = 200
     try:
-        re.data = FeedbackContextVM().to_dict()
+        re.data = FeedbackContextVM(request.user).to_dict()
         re.success = True
         re.message = 'Feedback context details'
     except Exception as e:
@@ -48,6 +52,7 @@ def get_feedback_context_details():
 
 @feedback_app.route('/feedback/context/<id>', methods=('GET',))
 @login_required
+@resolve_user
 def get_feedback_context_by_id(id):
     """
     Get a specific feedback context by id
@@ -58,7 +63,20 @@ def get_feedback_context_by_id(id):
     sm = SessionManager()
     code = 200
     try:
-        re.data = sm.session.query(FeedbackContext).filter_by(id=id).first()
+        feedback_context_q = sm.session.query(
+            FeedbackContext
+        ).filter_by(id=id)
+        if not request.user.is_admin:
+            feedback_context_q = feedback_context_q.filter_by(
+                uuid_organization=request.user.organization.uuid
+            ).filter_by(
+                id_user=request.user.id
+            )
+            logger.debug(
+                f'User {request.user.id} is not admin, filtering feedback_context'
+            )
+        re.data = feedback_context_q.first()
+
         if not re.data:
             code = 404
             raise ValueError(f'Could not find feedback context with id {id}')
@@ -76,6 +94,7 @@ def get_feedback_context_by_id(id):
 
 @feedback_app.route('/feedback/context', methods=('POST',))
 @login_required
+@resolve_user
 def save_feedback_context():
     re = ResponseEnvelope()
     sm = SessionManager()
@@ -86,6 +105,7 @@ def save_feedback_context():
         fc = FeedbackContext()
         fc.reason = FeedbackContextTypeEnum[data['reason'].replace(' ', '_')]
         fc.uuid_organization = session['org_uuid']
+        fc.id_user = request.user.id
         fc.reason_descr = data['reason_descr']
         fc.start = data['start']
         fc.stop = data['stop']
@@ -122,14 +142,15 @@ def bulk_feedback(context_id, feedback_str):
         data = request.get_json()
         errors = []
         succeeded = []
-        user = get_user_by_org_uuid(session['org_uuid'])
+        user = get_user_by_org_uuid(session['org_uuid'], session['user_id'])
         if not user:
             code = 404
             re.success = False
             re.message = 'No user found'
             return response_jsonified(re, code)
 
         for id in data['rss']:
+            local_created = False
             rs = sm.session.query(RequestSet).filter_by(id=id).first()
             if not rs:
                 errors.append(id)
@@ -144,6 +165,7 @@ def bulk_feedback(context_id, feedback_str):
             else:
                 feedback = Feedback()
                 created += 1
+                local_created = True
             feedback.uuid_request_set = rs.uuid_request_set
             feedback.id_feedback_context = context_id
             feedback.id_user = user.id
@@ -157,7 +179,7 @@ def bulk_feedback(context_id, feedback_str):
             feedback.score = rs.score
             feedback.attack_prediction = rs.attack_prediction or 42
             feedback.feedback = feedback_str
-            if not updated:
+            if local_created:
                 sm.session.add(feedback)
         if not errors:
             sm.session.commit()
@@ -183,6 +205,7 @@ def bulk_feedback(context_id, feedback_str):
 
 @feedback_app.route('/feedback/<context_id>/<rs_id>/<feedback_str>', methods=('POST', 'PUT'))
 @login_required
+@resolve_user
 def set_feedback_for(context_id, rs_id, feedback_str):
     sm = SessionManager()
     re = ResponseEnvelope()
@@ -200,10 +223,7 @@ def set_feedback_for(context_id, rs_id, feedback_str):
 
         if not rs:
             raise Exception('No such request-set')
-        user = get_user_by_org_uuid(session['org_uuid'])
-        if not user:
-            raise Exception('No user found.')
-
+        user = request.user
         feedback = sm.session.query(Feedback).filter_by(
             uuid_request_set=rs.uuid_request_set
         ).filter_by(id_user=user.id).first()
@@ -222,7 +242,7 @@ def set_feedback_for(context_id, rs_id, feedback_str):
         feedback.low_rate = request.get_json().get('lowRate')
         feedback.features = rs.features
         feedback.score = rs.score
-        feedback.attack_prediction = rs.attack_prediction or LabelEnum.unknown
+        feedback.attack_prediction = rs.attack_prediction or LabelEnum.unknown.value
         feedback.feedback = feedback_str
         if not updated:
             sm.session.add(feedback)
@@ -243,6 +263,7 @@ def set_feedback_for(context_id, rs_id, feedback_str):
 
 @feedback_app.route('/feedback/submit/<context_id>', methods=('POST',))
 @login_required
+@resolve_user
 def submit_feedback_for(context_id):
     _q_filter = get_qparams(request)
     sm = SessionManager()
@@ -251,7 +272,7 @@ def submit_feedback_for(context_id):
     ip_list = None
     data = request.get_json()
     try:
-        user = get_user_by_org_uuid(session['org_uuid'])
+        user = request.user
         fc = sm.session.query(FeedbackContext).filter_by(id=context_id).first()
         if not fc:
             print('TODO: could not find Feedback Context')
@@ -271,6 +292,52 @@ def submit_feedback_for(context_id):
         re.data = None
         re.success = True
         re.message = 'Feedback context details'
+    except Exception as e:
+        traceback.print_exc()
+        re.success = False
+        message = str(e)
+        if 'NoBrokersAvailable' in message:
+            message = 'Kafka: NoBrokersAvailable. Please try again later.'
+        re.message = message
+        if code == 200:
+            code = 500
+
+    return response_jsonified(re, code)
+
+
+@feedback_app.route('/feedback/<context_id>/count', methods=('GET',))
+@login_required
+@resolve_user
+def feedback_count(context_id):
+    _q_filter = get_qparams(request)
+    sm = SessionManager()
+    re = ResponseEnvelope()
+    code = 200
+    try:
+        user = request.user
+        fc = sm.session.query(FeedbackContext)
+        if not user.is_admin:
+            fc = fc.filter_by(
+                id_user=user.id
+            )
+        fc = fc.filter_by(
+            id=context_id
+        ).first()
+        if not fc:
+            code = 403
+            raise ValueError(
+                'Could not find feedback context. '
+            )
+
+        feedback_count = sm.session.query(Feedback).filter_by(
+            id_user=user.id
+        ).filter_by(
+            id_feedback_context=fc.id
+        ).count()
+
+        re.data = feedback_count
+        re.success = True
+        re.message = 'Feedback count for current feedback context'
     except Exception as e:
         traceback.print_exc()
         re.success = False

backend/src/baskerville_dashboard/routes/messages.py

@@ -24,7 +24,7 @@ def all_notifications():
     re = ResponseEnvelope()
     try:
         code = 200
-        user = get_user_by_org_uuid(session['org_uuid'])
+        user = get_user_by_org_uuid(session['org_uuid'], session['user_id'])
         notifications = sm.session.query(
             Message
         ).filter_by(uuid_organization=session['org_uuid'])

backend/src/baskerville_dashboard/routes/results.py

@@ -8,7 +8,7 @@
 import traceback
 
 from pathlib import Path
-from baskerville_dashboard.auth import login_required
+from baskerville_dashboard.auth import login_required, resolve_user
 from baskerville_dashboard.utils.helpers import ResponseEnvelope, get_qparams, \
     get_rss, response_jsonified, get_active_app, get_extension, is_compressed, \
     get_ip_list, unzip, get_user_by_org_uuid
@@ -74,6 +74,7 @@ def upload_file():
 
 @results_app.route('/results', methods=['POST'])
 @login_required
+@resolve_user
 def get_all_results():
     _q_filter = get_qparams(request)
     re = ResponseEnvelope()
@@ -83,18 +84,29 @@ def get_all_results():
     re.message = f'No results found.'
     code = 200
     ip_list = None
+    runtime = None
     try:
+        data = request.json
         org_uuid = session['org_uuid']
         ip_file_name = request.args.get('file')
-        user = get_user_by_org_uuid(org_uuid)
-        if not user:
-            code = 404
-            re.success = False
-            re.message = 'No user found'
-            return response_jsonified(re, code)
+        app_id = request.args.get('appId')
+        context_id = data.get('feedbackContextId')
+        user = request.user
         if ip_file_name:
             ip_list = get_ip_list(ip_file_name, org_uuid)
-        re.data = get_rss(**_q_filter, user=user, ip_list=ip_list)
+        if app_id:
+            if app_id.startswith(org_uuid):
+                app_id = app_id.replace(f'{org_uuid}_', '', 1)
+            runtime = sm.session.query(Runtime).filter(
+            Runtime.file_name.like(f'%{app_id}%')
+        ).first()
+        re.data = get_rss(
+            **_q_filter,
+            user=user,
+            ip_list=ip_list,
+            id_feedback_context=context_id,
+            id_runtime=runtime.id if runtime else None
+        )
         re.message = f'The request sets for {">>"}'
     except Exception as e:
         sm.session.rollback()
@@ -108,6 +120,7 @@ def get_all_results():
 
 @results_app.route('/results/<app_id>', methods=['POST'])
 @login_required
+@resolve_user
 def get_results(app_id: str):
     from flask import session
     _q_filter = get_qparams(request)
@@ -123,7 +136,7 @@ def get_results(app_id: str):
         if app_id.startswith(org_uuid):
             app_id = app_id.replace(f'{org_uuid}_', '', 1)
         ip_file_name = request.args.get('file')
-        user = get_user_by_org_uuid(org_uuid)
+        user = get_user_by_org_uuid(org_uuid, session['user_id'])
         if not user:
             code = 404
             re.success = False

backend/src/baskerville_dashboard/routes/retrain.py

@@ -29,7 +29,7 @@ def retrain():
     try:
         code = 200
         data = request.get_json()
-        user = get_user_by_org_uuid(session['org_uuid'])
+        user = get_user_by_org_uuid(session['org_uuid'], session['user_id'])
         config = parse_config(data=data['config'])
         training_config = TrainingConfig(config).validate()
         if len(training_config.errors) > 0: