Implement hashing bypass for groups

This commit is contained in:
Mark Veidemanis 2022-08-16 19:43:55 +01:00
parent e67eee8cc8
commit e08a7677ef
Signed by: m
GPG Key ID: 5ACFCEED46C0904F
11 changed files with 123 additions and 63 deletions

View File

@ -23,6 +23,7 @@ def construct_query(index, net, channel, src, num, size, type=None, nicks=None):
"type", "type",
"net", "net",
"src", "src",
"tokens",
] ]
if index == "int": if index == "int":
fields.append("mtype") fields.append("mtype")

View File

@ -448,10 +448,11 @@ def query_results(
results_parsed = dedup_list(results_parsed, dedup_fields) results_parsed = dedup_list(results_parsed, dedup_fields)
if settings.ENCRYPTION: if settings.ENCRYPTION:
encrypt_list(results_parsed, settings.ENCRYPTION_KEY) encrypt_list(request.user, results_parsed, settings.ENCRYPTION_KEY)
if settings.HASHING: if not request.user.has_perm("view_plain"):
hash_list(results_parsed) if settings.HASHING:
hash_list(request.user, results_parsed)
# process_list(reqults) # process_list(reqults)

View File

@ -0,0 +1,22 @@
# Generated by Django 4.0.6 on 2022-08-16 18:04
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('core', '0006_contentblock_page'),
]
operations = [
migrations.CreateModel(
name='Perms',
fields=[
('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
],
options={
'permissions': (('bypass_hashing', 'Can bypass field hashing'), ('bypass_blacklist', 'Can bypass the blacklist'), ('bypass_encryption', 'Can bypass field encryption'), ('post_irc', 'Can post to IRC'), ('post_discord', 'Can post to Discord')),
},
),
]

View File

@ -104,15 +104,12 @@ class ContentBlock(models.Model):
super().save(*args, **kwargs) super().save(*args, **kwargs)
class Role(models.Model): class Perms(models.Model):
name = models.CharField(max_length=255, unique=True) class Meta:
description = models.CharField(max_length=1024, null=True, blank=True) permissions = (
permission = models.CharField(max_length=255) ("bypass_hashing", "Can bypass field hashing"),
("bypass_blacklist", "Can bypass the blacklist"),
def __str__(self): ("bypass_encryption", "Can bypass field encryption"),
return self.name ("post_irc", "Can post to IRC"),
("post_discord", "Can post to Discord"),
)
class ContentPermission(models.Model):
inherit = models.ForeignKey("self", null=True, blank=True, on_delete=models.PROTECT)
roles = models.ManyToManyField(Role, blank=True)

View File

@ -82,6 +82,10 @@
<span class="icon" data-tooltip="Who"> <span class="icon" data-tooltip="Who">
<i class="fa-solid fa-passport"></i> <i class="fa-solid fa-passport"></i>
</span> </span>
{% elif item.type == 'topic' %}
<span class="icon" data-tooltip="Topic">
<i class="fa-solid fa-sign"></i>
</span>
{% else %} {% else %}
{{ item.type }} {{ item.type }}
{% endif %} {% endif %}

View File

@ -49,15 +49,9 @@
populateSearch(field, value); populateSearch(field, value);
}); });
} }
var plain_fields = ["ts", "date", "time", "sentiment", "version_sentiment", "tokens", "num_chans", "num_users", "tokens", "src", "exemption", "hidden"];
function populateSearch(field, value) { function populateSearch(field, value) {
var queryElement = document.getElementById('query'); var queryElement = document.getElementById('query');
if (!plain_fields.includes(field)) {
if (!value.startsWith("|") && !value.endsWith("|")) {
value = `|${value}|`;
}
}
var present = true; var present = true;
if (present == true) { if (present == true) {
var combinations = [`${field}: "${value}"`, var combinations = [`${field}: "${value}"`,

View File

@ -122,6 +122,7 @@
<td> <td>
<p class="has-text-grey">Hidden {{ row.cells.hidden }} similar result{% if row.cells.hidden > 1%}s{% endif %}</p> <p class="has-text-grey">Hidden {{ row.cells.hidden }} similar result{% if row.cells.hidden > 1%}s{% endif %}</p>
</td> </td>
</tr> </tr>
{% else %} {% else %}
<tr class=" <tr class="
@ -227,6 +228,10 @@
<span class="icon" data-tooltip="Who"> <span class="icon" data-tooltip="Who">
<i class="fa-solid fa-passport"></i> <i class="fa-solid fa-passport"></i>
</span> </span>
{% elif cell == 'topic' %}
<span class="icon" data-tooltip="Topic">
<i class="fa-solid fa-sign"></i>
</span>
{% else %} {% else %}
{{ cell }} {{ cell }}
{% endif %} {% endif %}
@ -238,16 +243,16 @@
class="has-text-grey is-underlined" class="has-text-grey is-underlined"
hx-headers='{"X-CSRFToken": "{{ csrf_token }}"}' hx-headers='{"X-CSRFToken": "{{ csrf_token }}"}'
hx-post="{% url 'modal_context' %}" hx-post="{% url 'modal_context' %}"
hx-vals='{"net": "|{{ row.cells.net|escapejs }}|", hx-vals='{"net": "{{ row.cells.net|escapejs }}",
"num": "|{{ row.cells.num|escapejs }}|", "num": "{{ row.cells.num|escapejs }}",
"src": "{{ row.cells.src|escapejs }}", "src": "{{ row.cells.src|escapejs }}",
"channel": "|{{ row.cells.channel|escapejs }}|", "channel": "{{ row.cells.channel|escapejs }}",
"time": "{{ row.cells.time|escapejs }}", "time": "{{ row.cells.time|escapejs }}",
"date": "{{ row.cells.date|escapejs }}", "date": "{{ row.cells.date|escapejs }}",
"index": "{{ params.index }}", "index": "{{ params.index }}",
"type": "|{{ row.cells.type }}|", "type": "{{ row.cells.type }}",
"mtype": "{{ row.cells.mtype }}", "mtype": "{{ row.cells.mtype }}",
"nick": "|{{ row.cells.nick|escapejs }}|", "nick": "{{ row.cells.nick|escapejs }}",
"dedup": "{{ params.dedup }}"}' "dedup": "{{ params.dedup }}"}'
hx-target="#modals-here" hx-target="#modals-here"
hx-trigger="click" hx-trigger="click"
@ -281,7 +286,7 @@
<button <button
hx-headers='{"X-CSRFToken": "{{ csrf_token }}"}' hx-headers='{"X-CSRFToken": "{{ csrf_token }}"}'
hx-post="{% url 'modal_drilldown' %}" hx-post="{% url 'modal_drilldown' %}"
hx-vals='{"net": "|{{ row.cells.net }}|", "nick": "|{{ row.cells.nick }}|", "channel": "|{{ row.cells.channel }}|"}' hx-vals='{"net": "{{ row.cells.net }}", "nick": "{{ row.cells.nick }}", "channel": "{{ row.cells.channel }}"}'
hx-target="#modals-here" hx-target="#modals-here"
hx-trigger="click" hx-trigger="click"
class="button is-small"> class="button is-small">

View File

@ -75,10 +75,12 @@ def base36decode(number):
return int(number, 36) return int(number, 36)
def hash_list(data, hash_keys=False): def hash_list(user, data, hash_keys=False):
""" """
Hash a list of dicts or a list with SipHash42. Hash a list of dicts or a list with SipHash42.
""" """
if user.has_perm("core.bypass_hashing"):
return
cache = "cache.hash" cache = "cache.hash"
hash_table = {} hash_table = {}
if isinstance(data, dict): if isinstance(data, dict):
@ -126,7 +128,8 @@ def hash_lookup(data_dict):
for key, value in data_dict.items(): for key, value in data_dict.items():
if not value: if not value:
continue continue
hashes = re.findall("\|([^\|]*)\|", value) # noqa # hashes = re.findall("\|([^\|]*)\|", value) # noqa
hashes = re.findall("[A-Z0-9]{12,13}", value)
if not hashes: if not hashes:
continue continue
for hash in hashes: for hash in hashes:
@ -137,20 +140,20 @@ def hash_lookup(data_dict):
if not values: if not values:
return return
for index, val in enumerate(values): for index, val in enumerate(values):
if not val: if val is None:
values[index] = "ERR" values[index] = b"ERR"
values = [x.decode() for x in values] values = [x.decode() for x in values]
total = dict(zip(hash_list, values)) total = dict(zip(hash_list, values))
for key in data_dict.keys(): for key in data_dict.keys():
for hash in total: for hash in total:
if data_dict[key]: if data_dict[key]:
if hash in data_dict[key]: if hash in data_dict[key]:
data_dict[key] = data_dict[key].replace( data_dict[key] = data_dict[key].replace(f"{hash}", total[hash])
f"|{hash}|", total[hash]
)
def encrypt_list(data, secret): def encrypt_list(user, data, secret):
if user.has_perm("core.bypass_encryption"):
return
cipher = Cipher(algorithms.AES(secret), ECB()) cipher = Cipher(algorithms.AES(secret), ECB())
for index, item in enumerate(data): for index, item in enumerate(data):
for key, value in item.items(): for key, value in item.items():

View File

@ -106,7 +106,7 @@ def drilldown_search(request, return_context=False, template=None):
query_params.update(tmp_get) query_params.update(tmp_get)
if "index" in query_params: if "index" in query_params:
if not request.user.is_superuser: if not request.user.is_superuser and not query_params["index"] == "main":
message = "You can't use the index parameter" message = "You can't use the index parameter"
message_class = "danger" message_class = "danger"
context = {"message": message, "class": message_class} context = {"message": message, "class": message_class}
@ -253,7 +253,7 @@ class DrilldownContextModal(APIView):
self.template_name = "modals/context_table.html" self.template_name = "modals/context_table.html"
size = 20 size = 20
nicks = None nicks_sensitive = None
query = False query = False
# Create the query params from the POST arguments # Create the query params from the POST arguments
mandatory = ["net", "channel", "num", "src", "index", "nick", "type", "mtype"] mandatory = ["net", "channel", "num", "src", "index", "nick", "type", "mtype"]
@ -272,51 +272,57 @@ class DrilldownContextModal(APIView):
if settings.HASHING: if settings.HASHING:
SAFE_PARAMS = deepcopy(query_params) SAFE_PARAMS = deepcopy(query_params)
hash_lookup(SAFE_PARAMS) hash_lookup(SAFE_PARAMS)
else:
SAFE_PARAMS = query_params
type = None type = None
# SUPERUSER BLOCK #
if request.user.is_superuser: if request.user.is_superuser:
if "type" in SAFE_PARAMS: if "type" in query_params:
type = SAFE_PARAMS["type"] type = query_params["type"]
if type == "znc": if type == "znc":
query_params["channel"] = "*status"
SAFE_PARAMS["channel"] = "*status" SAFE_PARAMS["channel"] = "*status"
if type in ["query", "notice"]: if type in ["query", "notice"]:
nicks = [SAFE_PARAMS["channel"], SAFE_PARAMS["nick"]] nicks_sensitive = [
SAFE_PARAMS["channel"],
SAFE_PARAMS["nick"],
] # UNSAFE
# nicks = [query_params["channel"], query_params["nick"]]
query = True query = True
if ( if (
SAFE_PARAMS["index"] == "int" query_params["index"] == "int"
and SAFE_PARAMS["mtype"] == "msg" and query_params["mtype"] == "msg"
and not type == "query" and not type == "query"
): ):
query_params["index"] = "main"
SAFE_PARAMS["index"] = "main" SAFE_PARAMS["index"] = "main"
if SAFE_PARAMS["type"] in ["znc", "auth"]: if query_params["type"] in ["znc", "auth"]:
query = True query = True
# SUPERUSER BLOCK #
if not request.user.is_superuser: if not request.user.is_superuser:
if "index" in SAFE_PARAMS: query_params["index"] = "main"
SAFE_PARAMS["index"] = "main" SAFE_PARAMS["index"] = "main"
SAFE_PARAMS["sorting"] = "desc" query_params["sorting"] = "desc"
SAFE_PARAMS["index"] = "main"
annotate = False annotate = False
if SAFE_PARAMS["src"] == "irc": if query_params["src"] == "irc":
if SAFE_PARAMS["type"] in ["query", "notice", "msg", "highlight"]: if query_params["type"] not in ["znc", "auth"]:
annotate = True annotate = True
# Create the query with the context helper # Create the query with the context helper
search_query = construct_query( search_query = construct_query(
SAFE_PARAMS["index"], query_params["index"],
SAFE_PARAMS["net"], SAFE_PARAMS["net"],
SAFE_PARAMS["channel"], SAFE_PARAMS["channel"],
SAFE_PARAMS["src"], query_params["src"],
SAFE_PARAMS["num"], SAFE_PARAMS["num"],
size, size,
type=type, type=type,
nicks=nicks, nicks=nicks_sensitive,
) )
results = query_results( results = query_results(
@ -331,10 +337,18 @@ class DrilldownContextModal(APIView):
if "message" in results: if "message" in results:
return render(request, self.template_name, results) return render(request, self.template_name, results)
if settings.HASHING: # we probably want to see the tokens
if not request.user.has_perm("bypass_hashing"):
for index, item in enumerate(results["object_list"]):
if "tokens" in item:
results["object_list"][index]["msg"] = results["object_list"][
index
].pop("tokens")
# item["msg"] = item.pop("tokens")
# Make the time nicer # Make the time nicer
# for index, item in enumerate(results["object_list"]): # for index, item in enumerate(results["object_list"]):
# results["object_list"][index]["time"] = item["time"]+"SSS" # results["object_list"][index]["time"] = item["time"]+"SSS"
context = { context = {
"net": query_params["net"], "net": query_params["net"],
"channel": query_params["channel"], "channel": query_params["channel"],
@ -396,18 +410,17 @@ class ThresholdInfoModal(APIView):
inter_chans = get_chans(safe_net, users) inter_chans = get_chans(safe_net, users)
else: else:
inter_chans = [] inter_chans = []
hash_list(inter_chans) hash_list(request.user, inter_chans)
hash_list(inter_users) hash_list(request.user, inter_users)
hash_list(num_chans, hash_keys=True) hash_list(request.user, num_chans, hash_keys=True)
hash_list(num_users, hash_keys=True) hash_list(request.user, num_users, hash_keys=True)
hash_list(channels) hash_list(request.user, channels)
hash_list(users) hash_list(request.user, users)
# SAFE BLOCK END # # SAFE BLOCK END #
nick = nick.replace("|", "")
channel = channel.replace("|", "")
context = { context = {
"net": net, "net": net,
"nick": nick, "nick": nick,

View File

@ -14,6 +14,16 @@ services:
- .env - .env
volumes_from: volumes_from:
- tmp - tmp
depends_on:
- migration
migration:
image: pathogen/neptune:latest
command: sh -c '. /venv/bin/activate && python manage.py migrate --noinput'
volumes:
- ${PORTAINER_GIT_DIR}:/code
- ${NEPTUNE_LOCAL_SETTINGS}:/code/app/local_settings.py
- ${NEPTUNE_DATABASE_FILE}:/code/db.sqlite3
# pyroscope: # pyroscope:
# image: pyroscope/pyroscope # image: pyroscope/pyroscope

View File

@ -15,6 +15,16 @@ services:
- ../stack.env - ../stack.env
volumes_from: volumes_from:
- tmp - tmp
depends_on:
- migration
migration:
image: pathogen/neptune:latest
command: sh -c '. /venv/bin/activate && python manage.py migrate --noinput'
volumes:
- ${PORTAINER_GIT_DIR}:/code
- ${NEPTUNE_LOCAL_SETTINGS}:/code/app/local_settings.py
- ${NEPTUNE_DATABASE_FILE}:/code/db.sqlite3
tmp: tmp:
image: busybox image: busybox