Add operation export functionality (#831)

Closes #734
ashirt-ops · May 10, 2023 · 78b933c · 78b933c
1 parent 591faf0
commit 78b933c
Show file tree

Hide file tree

Showing 15 changed files with 345 additions and 30 deletions.
diff --git a/backend/dtos/dtos.go b/backend/dtos/dtos.go
@@ -69,6 +69,7 @@ type Operation struct {
 	TopContribs       []TopContrib  `json:"topContribs"`
 	EvidenceCount     EvidenceCount `json:"evidenceCount,omitempty"`
 	UserCanViewGroups *bool         `json:"userCanViewGroups,omitempty"`
+	UserCanExportData *bool         `json:"userCanExportData,omitempty"`
 }
 
 type Query struct {

diff --git a/backend/policy/operation.go b/backend/policy/operation.go
@@ -54,6 +54,8 @@ func (o *Operation) Check(permission Permission) bool {
 
 	case CanListUserGroupsOfOperation:
 		return o.hasRole(p.OperationID, OperationRoleAdmin) || o.IsHeadless
+	case CanExportOperationData:
+		return o.hasRole(p.OperationID, OperationRoleAdmin) || o.IsHeadless
 	}
 	return false
 }

diff --git a/backend/policy/permissions.go b/backend/policy/permissions.go
@@ -41,6 +41,7 @@ type CanModifyUserOfOperation struct {
 }
 
 type CanListUserGroupsOfOperation struct{ OperationID int64 }
+type CanExportOperationData struct{ OperationID int64 }
 type CanModifyUserGroupOfOperation struct {
 	OperationID int64
 	UserGroupID int64

diff --git a/backend/services/operations.go b/backend/services/operations.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"os"
 
 	"github.com/theparanoids/ashirt-server/backend"
 	"github.com/theparanoids/ashirt-server/backend/contentstore"
@@ -283,6 +284,18 @@ func ReadOperation(ctx context.Context, db *database.Connection, operationSlug s
 		userCanViewGroups = true
 	}
 
+	var userIsAdmin bool
+	if err := policyRequireWithAdminBypass(ctx, policy.CanExportOperationData{OperationID: operation.ID}); err == nil {
+		userIsAdmin = true
+	} else {
+		userIsAdmin = middleware.IsAdmin(ctx)
+	}
+
+	var userCanExportData bool
+	if os.Getenv("ENABLE_EVIDENCE_EXPORT") == "true" && userIsAdmin {
+		userCanExportData = true
+	}
+
 	return &dtos.Operation{
 		Slug:              operationSlug,
 		Name:              operation.Name,
@@ -293,6 +306,7 @@ func ReadOperation(ctx context.Context, db *database.Connection, operationSlug s
 		TopContribs:       topContribsForOp,
 		EvidenceCount:     evidenceCountForOp,
 		UserCanViewGroups: &userCanViewGroups,
+		UserCanExportData: &userCanExportData,
 	}, nil
 }
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -31,6 +31,8 @@ services:
       DB_URI: dev-user:dev-user-password@tcp(db:3306)/dev-db
       APP_USE_LAMBDA_RIE: "true"
 
+      ENABLE_EVIDENCE_EXPORT: "false"
+
       # Common Value for all emailers
       EMAIL_FROM_ADDRESS: AShirt
 

diff --git a/frontend/default.conf.template b/frontend/default.conf.template
@@ -7,7 +7,7 @@ server {
     add_header X-Frame-Options "DENY" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox allow-scripts allow-same-origin allow-forms allow-popups; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
+    add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox allow-downloads allow-scripts allow-same-origin allow-forms allow-popups; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
 
     add_header Strict-transport-security "max-age=31536000" always;
 

diff --git a/frontend/nginx.conf b/frontend/nginx.conf
@@ -7,7 +7,7 @@ server {
     add_header X-Frame-Options "DENY" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox allow-scripts allow-same-origin allow-forms allow-popups; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri 'https://csp.yahoo.com/beacon/csp?src=ashirt'" always;
+    add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox allow-downloads allow-scripts allow-same-origin allow-forms allow-popups; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri 'https://csp.yahoo.com/beacon/csp?src=ashirt'" always;
 
     add_header Strict-transport-security "max-age=31536000" always;
     add_header Expect-CT "max-age=31536000, report-uri='https://csp.yahoo.com/beacon/csp?src=ashirt'" always;