From f50d110454b4495b30db32bc7d6673758d7d0d31 Mon Sep 17 00:00:00 2001
From: Michal Kostenec <kostenec@civ.zcu.cz>
Date: Mon, 19 Jan 2015 16:16:11 +0100
Subject: [PATCH] Dynamic SQL query building fixed (negating conditions) Auth
 for sending events fixed

---
 warden3/warden_client/warden_client_test.py | 11 ++++---
 warden3/warden_server/warden_server.py      | 35 ++++++++++++---------
 2 files changed, 27 insertions(+), 19 deletions(-)

diff --git a/warden3/warden_client/warden_client_test.py b/warden3/warden_client/warden_client_test.py
index 96985d4..1cc4b4d 100755
--- a/warden3/warden_client/warden_client_test.py
+++ b/warden3/warden_client/warden_client_test.py
@@ -76,6 +76,7 @@ def gen_random_idea(client_name="cz.example.warden.test"):
        "EventTime": get_precise_timestamp(),
        "CeaseTime": get_precise_timestamp(),
        "Category": ["Abusive.Spam","Fraud.Copyright","Test"],
+       # "Category": ["Abusive.Spam","Fraud.Copyright"],
        "Ref": ["cve:CVE-%s-%s" % (randstr(string.digits, 4), randstr()), "http://www.example.com/%s" % randstr()],
        "Confidence": random(),
        "Note": "Random event",
@@ -143,8 +144,10 @@ def main():
     print "=== Getting 10 events ==="
     start = time()
 
-    cat = ['Availability', 'Abusive.Spam','Attempt.Login']
-    nocat = ['Fraud.Scam','Malware.Virus']
+    # cat = ['Availability', 'Abusive.Spam','Attempt.Login']
+    # cat = ['Attempt', 'Information','Fraud.Scam','Malware.Virus']
+    cat = ['Attempt']
+    nocat = ['Availability', 'Information', 'Fraud.Scam']
 
     tag = ['Log', 'Data']
     notag = ['Flow', 'Datagram']
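Review bot: Two commented-out `cat` assignments are left above the live one, which reads as scratch values from a debugging session and leaves a reader unable to tell which filter set the test is meant to exercise. Keep a single list, or if several combinations are worth checking, put them in a list of cases and loop over them so each is actually sent. main() starts before and continues after this hunk.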
@@ -152,8 +155,8 @@ def main():
     group = ['cz.tul.ward.kippo','cz.vsb.buldog.kippo']
     nogroup = ['cz.zcu.civ.afrodita','cz.vutbr.net.bee.hpscan']
 
-    ret = wclient.getEvents(count=10, cat=cat, nocat=None, tag=tag, notag=None, group=None, nogroup=nogroup)
-    #ret = wclient.getEvents(count=10)
+    ret = wclient.getEvents(count=10, cat=None, nocat=None, tag=None, notag=None, group=None, nogroup=nogroup)
+    ret = wclient.getEvents(count=10)
     print "Time: %f" % (time()-start)
     print "Got %i events" % len(ret)
     for e in ret:
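Review bot: The result of the first `getEvents` call is immediately overwritten by `ret = wclient.getEvents(count=10)` on the next line, so the `nogroup` filter is never checked and the `cat`/`tag`/`group` lists built above go unused; only the unfiltered query is exercised. If the second call was added for debugging, remove it; otherwise keep both results, e.g. `filtered = wclient.getEvents(count=10, nogroup=nogroup)` followed by `ret = wclient.getEvents(count=10)` and a separate `print "Got %i filtered events" % len(filtered)`. main() continues outside the hunk.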
diff --git a/warden3/warden_server/warden_server.py b/warden3/warden_server/warden_server.py
index 5caa694..453199a 100755
--- a/warden3/warden_server/warden_server.py
+++ b/warden3/warden_server/warden_server.py
@@ -307,8 +307,10 @@ class X509Authenticator(NoAuthenticator):
                 return None
 
             test = 'Test' in event.get('Category', [])
-            if not test:
-                logging.info("authorize: failed, service %i (%s) does not send Test category in event" % (service["service_id"], identity))
+            # if not test:
+            #     logging.info("authorize: failed, service %i (%s) does not send Test category in event" % (service["service_id"], identity))
+            if test and not service['test']:
+                logging.info("authorize: failed, service %i (%s) is not allowed to send Test category in event" % (service["service_id"], identity))
                 return None
         
         return client
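Review bot: The new check is one-sided: it rejects `Test` events from a service without `service['test']`, but no longer constrains a service that has the flag to send only `Test` events, whereas the replaced code rejected every non-Test event. If `test` marks a test-only client (not decidable from the hunk), the condition should be `if test != bool(service['test']):` with a message covering both directions; if it is merely a permission bit, a comment saying so above the check would prevent the next reader from asking the same question. `'Test' in event.get('Category', [])` also degrades to a substring match when `Category` arrives as a string, so validate the type first, e.g. `cats = event.get('Category', []); test = isinstance(cats, list) and 'Test' in cats`. The two commented-out lines should be deleted rather than kept. The enclosing authorize method starts before this hunk.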
@@ -442,8 +444,13 @@ class MySQL(ObjectReq):
             else:
                 parent_cats.append(mapped_id)
     
-        format_strings = ','.join(['%s'] * len(variables_id))
-        temp_string = query_string % format_strings
+        temp_string = ""
+
+        if len(variables_id) > 0:
+            format_strings = ','.join(['%s'] * len(variables_id))
+            logging.debug("query_string: %s" % query_string)
+            logging.debug("format_strings: %s" % format_strings)
+            temp_string = query_string % format_strings
         
         return temp_string, variables_id
 
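Review bot: Returning `temp_string = ""` when no id was resolved hands the problem to the caller, which interpolates it straight into `... WHERE %s)` and will emit a syntactically invalid query when an unknown category or tag name is the only filter value. Either make the caller skip the clause when the result is empty, or document the contract here so nobody relies on it by accident: `# Returns ("", []) when none of the names mapped; the caller must not emit the clause in that case.` The two `logging.debug` lines log only the template, so they are harmless, but they belong in one lazy-args call: `logging.debug("query_string: %s, format_strings: %s", query_string, format_strings)`. generateDynamicQuery starts before this hunk.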
@@ -472,20 +479,18 @@ class MySQL(ObjectReq):
         sqlparams.append(id or 0)
 
         if cat or nocat:
-            not_op = "" if cat else "NOT"
             parent_cats = []
-            sqltemp, sqlpar = self.generateDynamicQuery(self.catmap, "category_id %s IN (%%s)" % not_op, (cat or nocat), parent_cats)
-            for pcats in parent_cats:
-                sqltemp += " %s category_id DIV %s = 1 " % (("OR" if sqltemp else ""), pcats)
-                
-            sqlwhere.append(" AND e.id IN (SELECT event_id FROM event_category_mapping WHERE %s)" % sqltemp)
+            sqltemp, sqlpar = self.generateDynamicQuery(self.catmap, "category_id IN (%s)", (cat or nocat), parent_cats)
+            for pcat in parent_cats:
+                sqltemp += " %s (category_id > %s AND category_id < %s) " % (("OR" if sqltemp else ""), pcat, pcat + 100)
+             
+            sqlwhere.append(" AND e.id %s IN (SELECT event_id FROM event_category_mapping WHERE %s)" % (("NOT" if nocat else ""), sqltemp))
             sqlparams.extend(sqlpar)
 
         if tag or notag:
-            not_op = "" if tag else "NOT"
-            sqltemp, sqlpar = self.generateDynamicQuery(self.tagmap, "tag_id %s IN (%%s)" % not_op, (tag or notag))
-            
-            sqlwhere.append(" AND e.id IN (SELECT event_id FROM event_tag_mapping WHERE %s)" % sqltemp)
+            sqltemp, sqlpar = self.generateDynamicQuery(self.tagmap, "tag_id IN (%s)", (tag or notag))
+
+            sqlwhere.append(" AND e.id %s IN (SELECT event_id FROM event_tag_mapping WHERE %s)" % (("NOT" if notag else ""), sqltemp))
             sqlparams.extend(sqlpar)
 
         if group or nogroup:
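Review bot: The negation now keys on the wrong variable: the ids come from `(cat or nocat)`, so a caller passing both `cat` and `nocat` gets the `cat` ids wrapped in `NOT IN`, turning an inclusion filter into an exclusion — the replaced `"" if cat else "NOT"` was consistent with the selection, and the tag branch has the same inversion. Change both to `("" if cat else "NOT")` / `("" if tag else "NOT")`, or handle the positive and negative lists as two separate clauses so both are honored. The parent-category range is string-formatted with `pcat` and `pcat + 100` instead of bound; the values are server-side integers, so not an injection as written, but `%%s` placeholders plus `sqlpar.extend([pcat, pcat + 100])` keep the WHERE fully parameterized, and the 100 deserves a named constant with a comment stating the id-numbering assumption (the exclusive `>` also leaves the parent id itself to the IN list — worth confirming). An empty `sqltemp` (no name mapped) is still emitted as `WHERE )`, so guard each append with `if sqltemp:`. getEvents starts before and continues after this hunk.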
@@ -766,7 +771,7 @@ class WardenHandler(ObjectReq):
             try:
                 id = self.db.getLastReceivedId(self.req.client)
             except Exception, e:
-                logging.info("cannot getLastReceivedId - " + type(e).__name__ + ": " + e)
+                logging.info("cannot getLastReceivedId - " + type(e).__name__ + ": " + str(e))
                 
         if id is None:
             # First access, remember the guy and get him last event
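Review bot: The `str(e)` fix makes the message well-formed, but a failed `getLastReceivedId` is a database error recorded at `info` level via string concatenation; use lazy arguments and a level that surfaces it, `logging.warning("cannot getLastReceivedId - %s: %s", type(e).__name__, e)`, or `logging.exception("cannot getLastReceivedId")` to keep the traceback. Swallowing it and falling through to the "first access" path silently resets the client's position, which is worth a one-line comment stating that this is intended. The enclosing method starts before and continues after this hunk.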
-- 
GitLab