Sindbad~EG File Manager

"""
This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License,
or (at your option) any later version.


This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details.


You should have received a copy of the GNU General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.

Copyright © 2019 Cloud Linux Software Inc.

This software is also available under ImunifyAV commercial license,
see <https://www.imunify360.com/legal/eula>
"""
from collections import defaultdict
from itertools import chain

from defence360agent.contracts.messages import MessageType
from defence360agent.contracts.permissions import (
    MS_IMUNIFY_PATCH_ENABLED,
    has_permission,
)
from defence360agent.rpc_tools.lookup import (
    CommonEndpoints,
    bind,
)
from imav.contracts.imunify_patch_id import (
    get_imunify_patch_id,
    get_imunify_patch_purchase_url,
)
from imav.contracts.messages import RefreshImunifyPatchSubscription
from imav.contracts.permissions import is_imunify_patch_enabled
from imav.malwarelib.api.vulnerability import VulnerabilityAPI
from imav.malwarelib.config import VulnerabilityHitStatus
from imav.malwarelib.model import VulnerabilityHit
from imav.malwarelib.vulnerabilities.storage import restore_hits


class VulnerabilitiesEndpoints(CommonEndpoints):
    @bind("vulnerabilities", "file", "list")
    async def vulnerabilities_file_list(self, user=None, **kwargs):
        """
        Return list vulnerable/patched files
        """
        await self._sink.process_message(RefreshImunifyPatchSubscription())
        max_count, hits = VulnerabilityHit.list(user=user, **kwargs)
        vuln_info = await VulnerabilityAPI.get_details(
            VulnerabilityHit.get_vulnerabilities_ids(hits)
        )
        results = []
        for hit in hits:
            username = hit["username"]
            subscribed = is_imunify_patch_enabled(username)
            record = {
                "id": hit["id"],
                "username": username,
                "file_path": hit["file_path"],
                "status": hit["status"],
                "app_name": "",
                "imunify_patch_user_id": await get_imunify_patch_id(username),
                "subscribed": subscribed,
                "purchase_url": (
                    await get_imunify_patch_purchase_url(username)
                    if not subscribed
                    else None
                ),
                "vulnerabilities": [],
            }
            for vuln_id in VulnerabilityHit.get_vulnerability_ids(hit["type"]):
                record["vulnerabilities"].append(
                    {
                        "cve_id": vuln_info[vuln_id]["cveId"],
                        "vulnerability_type": vuln_info[vuln_id]["type"],
                        "vulnerability_description": vuln_info[vuln_id][
                            "name"
                        ],
                    }
                )
                if not record["app_name"]:  # set it once
                    record["app_name"] = vuln_info[vuln_id]["app"]
            results.append(record)
        return max_count, results

    @bind("vulnerabilities", "file", "patch")
    async def vulnerabilities_file_patch(self, paths, user=None):
        query = VulnerabilityHit.select().where(
            VulnerabilityHit.orig_file.in_(paths)
        )
        if user is not None:
            query = query.where(VulnerabilityHit.user == user)
        # make sure all associated users have patch permission
        user_paths = defaultdict(list)
        for vulnerability in query:
            user_paths[vulnerability.user].append(vulnerability.orig_file)
        for panel_user in user_paths.keys():
            _check_imunify_patch_permission(panel_user)
        if filelist := list(chain.from_iterable(user_paths.values())):
            await self._sink.process_message(
                MessageType.VulnerabilityPatchTask(
                    filelist=filelist, initiator=user, manual=True
                )
            )

    @bind("vulnerabilities", "file", "revert")
    async def vulnerabilities_file_revert(self, paths, user=None):
        query = VulnerabilityHit.select().where(
            VulnerabilityHit.orig_file.in_(paths),
            VulnerabilityHit.status.in_([VulnerabilityHitStatus.PATCHED]),
        )
        if user is not None:
            query = query.where(VulnerabilityHit.user == user)
        hits = list(query)
        succeeded, failed = await restore_hits(hits)
        return {
            "succeeded": [hit.orig_file for hit in succeeded],
            "failed": [hit.orig_file for hit in failed],
        }


def _check_imunify_patch_permission(user: str | None) -> None:
    if not has_permission(MS_IMUNIFY_PATCH_ENABLED, user):
        raise PermissionError(
            "Unable to perform the command. "
            f"User '{user}' does not have required permissions.",
        )