| 1 | + | #!/usr/bin/env python3 |
| 2 | + | from flask import Flask,render_template,request,g,redirect |
| 3 | + | import flask.helpers |
| 4 | + | import requests |
| 5 | + | import jwt |
| 6 | + | import sqlite3 |
| 7 | + | from datetime import datetime, timezone |
| 8 | + | import time |
| 9 | + | import os,sys,shutil |
| 10 | + | from threading import Thread |
| 11 | + | import json |
| 12 | + | import uuid |
| 13 | + | |
| 14 | + | with open(os.path.join(os.path.dirname(os.path.abspath(__file__)),"version.txt")) as f: |
| 15 | + | __version__ = f.read() |
| 16 | + | |
| 17 | + | # ========== Database ========== |
| 18 | + | |
| 19 | + | def init_db(): |
| 20 | + | con = sqlite3.connect(app.config['graph_spy_db_path']) |
| 21 | + | con.execute('CREATE TABLE accesstokens (id INTEGER PRIMARY KEY AUTOINCREMENT, stored_at TEXT, issued_at TEXT, expires_at TEXT, description TEXT, user TEXT, resource TEXT, accesstoken TEXT)') |
| 22 | + | con.execute('CREATE TABLE refreshtokens (id INTEGER PRIMARY KEY AUTOINCREMENT, stored_at TEXT, description TEXT, user TEXT, tenant_id TEXT, resource TEXT, foci INTEGER, refreshtoken TEXT)') |
| 23 | + | con.execute('CREATE TABLE devicecodes (id INTEGER PRIMARY KEY AUTOINCREMENT, generated_at INTEGER, expires_at INTEGER, user_code TEXT, device_code TEXT, interval INTEGER, client_id TEXT, status TEXT, last_poll INTEGER)') |
| 24 | + | con.execute('CREATE TABLE settings (setting TEXT UNIQUE, value TEXT)') |
| 25 | + | # Valid Settings: active_access_token_id, active_refresh_token_id, schema_version |
| 26 | + | cur = con.cursor() |
| 27 | + | cur.execute("INSERT INTO settings (setting, value) VALUES ('schema_version', '1')") |
| 28 | + | con.commit() |
| 29 | + | con.close() |
| 30 | + | |
| 31 | + | def get_db(): |
| 32 | + | db = getattr(g, '_database', None) |
| 33 | + | if db is None: |
| 34 | + | db = g._database = sqlite3.connect(app.config['graph_spy_db_path']) |
| 35 | + | return db |
| 36 | + | |
| 37 | + | def query_db(query, args=(), one=False): |
| 38 | + | con = get_db() |
| 39 | + | con.row_factory = sqlite3.Row |
| 40 | + | cur = con.execute(query, args) |
| 41 | + | rv = cur.fetchall() |
| 42 | + | cur.close() |
| 43 | + | return (rv[0] if rv else None) if one else rv |
| 44 | + | |
| 45 | + | def query_db_json(query, args=(), one=False): |
| 46 | + | con = get_db() |
| 47 | + | con.row_factory = make_dicts |
| 48 | + | cur = con.execute(query, args) |
| 49 | + | rv = cur.fetchall() |
| 50 | + | cur.close() |
| 51 | + | return (rv[0] if rv else None) if one else rv |
| 52 | + | |
| 53 | + | def execute_db(statement, args=()): |
| 54 | + | con = get_db() |
| 55 | + | cur = con.cursor() |
| 56 | + | cur.execute(statement, args) |
| 57 | + | con.commit() |
| 58 | + | |
| 59 | + | def make_dicts(cursor, row): |
| 60 | + | return dict((cursor.description[idx][0], value) |
| 61 | + | for idx, value in enumerate(row)) |
| 62 | + | |
| 63 | + | def list_databases(): |
| 64 | + | db_folder_content = os.scandir(app.config['graph_spy_db_folder']) |
| 65 | + | databases = [ |
| 66 | + | { |
| 67 | + | 'name': db_file.name, |
| 68 | + | 'last_modified': f"{datetime.fromtimestamp(db_file.stat().st_mtime)}".split(".")[0], |
| 69 | + | 'size': f"{round(db_file.stat().st_size/1024)} KB", |
| 70 | + | 'state': "Active" if db_file.name.lower() == os.path.basename(app.config['graph_spy_db_path']).lower() else "Inactive" |
| 71 | + | } for db_file in db_folder_content if db_file.is_file() and db_file.name.endswith(".db")] |
| 72 | + | return databases |
| 73 | + | |
| 74 | + | # ========== Helper Functions ========== |
| 75 | + | |
| 76 | + | def graph_request(graph_uri, access_token_id): |
| 77 | + | access_token = query_db("SELECT accesstoken FROM accesstokens where id = ?",[access_token_id],one=True)[0] |
| 78 | + | headers = {"Authorization":f"Bearer {access_token}"} |
| 79 | + | response = requests.get(graph_uri, headers=headers) |
| 80 | + | resp_json = response.json() |
| 81 | + | return json.dumps(resp_json) |
| 82 | + | |
| 83 | + | def graph_request_post(graph_uri, access_token_id, body): |
| 84 | + | access_token = query_db("SELECT accesstoken FROM accesstokens where id = ?",[access_token_id],one=True)[0] |
| 85 | + | headers = {"Authorization":f"Bearer {access_token}"} |
| 86 | + | response = requests.post(graph_uri, headers=headers, json=body) |
| 87 | + | resp_json = response.json() |
| 88 | + | return json.dumps(resp_json) |
| 89 | + | |
| 90 | + | def save_access_token(accesstoken, description): |
| 91 | + | decoded_accesstoken = jwt.decode(accesstoken, options={"verify_signature": False}) |
| 92 | + | |
| 93 | + | execute_db("INSERT INTO accesstokens (stored_at, issued_at, expires_at, description, user, resource, accesstoken) VALUES (?,?,?,?,?,?,?)",( |
| 94 | + | f"{datetime.now()}".split(".")[0], |
| 95 | + | datetime.fromtimestamp(decoded_accesstoken["iat"]), |
| 96 | + | datetime.fromtimestamp(decoded_accesstoken["exp"]), |
| 97 | + | description, |
| 98 | + | decoded_accesstoken["unique_name"], |
| 99 | + | decoded_accesstoken["aud"], |
| 100 | + | accesstoken |
| 101 | + | ) |
| 102 | + | ) |
| 103 | + | |
| 104 | + | def save_refresh_token(refreshtoken, description, user, tenant, resource, foci): |
| 105 | + | # Used to convert potential boolean inputs to an integer, as the DB uses an integer to store this value |
| 106 | + | foci_int = 1 if foci else 0 |
| 107 | + | tenant_id = tenant.strip('"{}-[]\\/\' ') if is_valid_uuid(tenant.strip('"{}-[]\\/\' ')) else get_tenant_id(tenant) |
| 108 | + | execute_db("INSERT INTO refreshtokens (stored_at, description, user, tenant_id, resource, foci, refreshtoken) VALUES (?,?,?,?,?,?,?)",( |
| 109 | + | f"{datetime.now()}".split(".")[0], |
| 110 | + | description, |
| 111 | + | user, |
| 112 | + | tenant_id, |
| 113 | + | resource, |
| 114 | + | foci_int, |
| 115 | + | refreshtoken |
| 116 | + | ) |
| 117 | + | ) |
| 118 | + | |
| 119 | + | def is_valid_uuid(val): |
| 120 | + | try: |
| 121 | + | uuid.UUID(str(val)) |
| 122 | + | return True |
| 123 | + | except ValueError: |
| 124 | + | return False |
| 125 | + | |
| 126 | + | def get_tenant_id(tenant_domain): |
| 127 | + | response = requests.get(f"https://login.microsoftonline.com/{tenant_domain}/.well-known/openid-configuration") |
| 128 | + | resp_json = response.json() |
| 129 | + | tenant_id = resp_json["authorization_endpoint"].split("/")[3] |
| 130 | + | return tenant_id |
| 131 | + | |
| 132 | + | def refresh_to_access_token(refresh_token_id, resource = "defined_in_token", client_id = "d3590ed6-52b3-4102-aeff-aad2292ab01c", store_refresh_token = True): |
| 133 | + | refresh_token = query_db("SELECT refreshtoken FROM refreshtokens where id = ?",[refresh_token_id],one=True)[0] |
| 134 | + | tenant_id = query_db("SELECT tenant_id FROM refreshtokens where id = ?",[refresh_token_id],one=True)[0] |
| 135 | + | resource = query_db("SELECT resource FROM refreshtokens where id = ?",[refresh_token_id],one=True)[0] if resource == "defined_in_token" else resource |
| 136 | + | body = { |
| 137 | + | "resource": resource, |
| 138 | + | "client_id": client_id, |
| 139 | + | "grant_type": "refresh_token", |
| 140 | + | "refresh_token": refresh_token, |
| 141 | + | "scope": "openid" |
| 142 | + | } |
| 143 | + | url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token?api-version=1.0" |
| 144 | + | response = requests.post(url, data=body) |
| 145 | + | access_token = response.json()["access_token"] |
| 146 | + | save_access_token(access_token, f"Created using refresh token {refresh_token_id}") |
| 147 | + | access_token_id = query_db("SELECT id FROM accesstokens where accesstoken = ?",[access_token],one=True)[0] |
| 148 | + | if store_refresh_token: |
| 149 | + | decoded_accesstoken = jwt.decode(access_token, options={"verify_signature": False}) |
| 150 | + | save_refresh_token( |
| 151 | + | response.json()["refresh_token"], |
| 152 | + | f"Created using refresh token {refresh_token_id}", |
| 153 | + | decoded_accesstoken["unique_name"], |
| 154 | + | tenant_id, |
| 155 | + | response.json()["resource"], |
| 156 | + | response.json()["foci"] |
| 157 | + | ) |
| 158 | + | return access_token_id |
| 159 | + | |
| 160 | + | def generate_device_code(resource = "https://graph.microsoft.com", client_id = "d3590ed6-52b3-4102-aeff-aad2292ab01c"): |
| 161 | + | body = { |
| 162 | + | "resource": resource, |
| 163 | + | "client_id": client_id |
| 164 | + | } |
| 165 | + | url = "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" |
| 166 | + | response = requests.post(url, data=body) |
| 167 | + | |
| 168 | + | execute_db("INSERT INTO devicecodes (generated_at, expires_at, user_code, device_code, interval, client_id, status, last_poll) VALUES (?,?,?,?,?,?,?,?)",( |
| 169 | + | int(datetime.now().timestamp()), |
| 170 | + | int(datetime.now().timestamp()) + int(response.json()["expires_in"]), |
| 171 | + | response.json()["user_code"], |
| 172 | + | response.json()["device_code"], |
| 173 | + | int(response.json()["interval"]), |
| 174 | + | client_id, |
| 175 | + | "CREATED", |
| 176 | + | 0 |
| 177 | + | ) |
| 178 | + | ) |
| 179 | + | return response.json()["device_code"] |
| 180 | + | |
| 181 | + | def poll_device_codes(): |
| 182 | + | with app.app_context(): |
| 183 | + | while True: |
| 184 | + | rows = query_db_json("SELECT * FROM devicecodes WHERE status IN ('CREATED','POLLING')") |
| 185 | + | if not rows: |
| 186 | + | return |
| 187 | + | sorted_rows = sorted(rows, key=lambda x: x["last_poll"]) |
| 188 | + | for row in sorted_rows: |
| 189 | + | current_time_seconds = int(datetime.now().timestamp()) |
| 190 | + | if current_time_seconds > row["expires_at"]: |
| 191 | + | execute_db("UPDATE devicecodes SET status = ? WHERE device_code = ?",("EXPIRED",row["device_code"])) |
| 192 | + | continue |
| 193 | + | next_poll = row["last_poll"] + row["interval"] |
| 194 | + | #print(f"[{current_time_seconds}] {row['user_code']} - {row['last_poll']} - {next_poll}", flush=True) |
| 195 | + | if current_time_seconds < next_poll: |
| 196 | + | time.sleep(next_poll - current_time_seconds) |
| 197 | + | if row["status"] == "CREATED": |
| 198 | + | execute_db("UPDATE devicecodes SET status = ? WHERE device_code = ?",("POLLING",row["device_code"])) |
| 199 | + | body = { |
| 200 | + | "client_id": row["client_id"], |
| 201 | + | "grant_type": "urn:ietf:params:oauth:grant-type:device_code", |
| 202 | + | "code": row["device_code"] |
| 203 | + | } |
| 204 | + | url = "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" |
| 205 | + | response = requests.post(url, data=body) |
| 206 | + | execute_db("UPDATE devicecodes SET last_poll = ? WHERE device_code = ?",(int(datetime.now().timestamp()),row["device_code"])) |
| 207 | + | if response.status_code == 200 and "access_token" in response.json(): |
| 208 | + | access_token = response.json()["access_token"] |
| 209 | + | user_code = row["user_code"] |
| 210 | + | save_access_token(access_token, f"Created using device code auth ({user_code})") |
| 211 | + | decoded_accesstoken = jwt.decode(access_token, options={"verify_signature": False}) |
| 212 | + | save_refresh_token( |
| 213 | + | response.json()["refresh_token"], |
| 214 | + | f"Created using device code auth ({user_code})", |
| 215 | + | decoded_accesstoken["unique_name"], |
| 216 | + | decoded_accesstoken["tid"], |
| 217 | + | response.json()["resource"], |
| 218 | + | int(response.json()["foci"])) |
| 219 | + | execute_db("UPDATE devicecodes SET status = ? WHERE device_code = ?",("SUCCESS",row["device_code"])) |
| 220 | + | |
| 221 | + | def start_device_code_thread(): |
| 222 | + | if "device_code_thread" in app.config: |
| 223 | + | if app.config["device_code_thread"].is_alive(): |
| 224 | + | return "[Error] Device Code polling thread is still running." |
| 225 | + | app.config["device_code_thread"] = Thread(target=poll_device_codes) |
| 226 | + | app.config["device_code_thread"].start() |
| 227 | + | return "[Success] Started device code polling thread." |
| 228 | + | |
| 229 | + | def device_code_flow(resource = "https://graph.microsoft.com", client_id = "d3590ed6-52b3-4102-aeff-aad2292ab01c"): |
| 230 | + | device_code = generate_device_code(resource, client_id) |
| 231 | + | row = query_db_json("SELECT * FROM devicecodes WHERE device_code = ?",[device_code],one=True) |
| 232 | + | user_code = row["user_code"] |
| 233 | + | start_device_code_thread() |
| 234 | + | return user_code |
| 235 | + | |
| 236 | + | def safe_join(directory, filename): |
| 237 | + | # Safely join `directory` and `filename`. |
| 238 | + | os_seps = list(sep for sep in [os.path.sep, os.path.altsep] if sep != None) |
| 239 | + | filename = os.path.normpath(filename) |
| 240 | + | for sep in os_seps: |
| 241 | + | if sep in filename: |
| 242 | + | return False |
| 243 | + | if os.path.isabs(filename) or filename.startswith('../'): |
| 244 | + | return False |
| 245 | + | if not os.path.normpath(os.path.join(directory,filename)).startswith(directory): |
| 246 | + | return False |
| 247 | + | return os.path.join(directory, filename) |
| 248 | + | |
| 249 | + | def init_routes(): |
| 250 | + | |
| 251 | + | # ========== Pages ========== |
| 252 | + | |
| 253 | + | @app.route("/") |
| 254 | + | def settings(): |
| 255 | + | return render_template('settings.html', title="Settings") |
| 256 | + | |
| 257 | + | @app.route("/access_tokens") |
| 258 | + | def access_tokens(): |
| 259 | + | return render_template('access_tokens.html', title="Access Tokens") |
| 260 | + | |
| 261 | + | @app.route("/refresh_tokens") |
| 262 | + | def refresh_tokens(): |
| 263 | + | return render_template('refresh_tokens.html', title="Refresh Tokens") |
| 264 | + | |
| 265 | + | @app.route("/device_codes") |
| 266 | + | def device_codes(): |
| 267 | + | return render_template('device_codes.html', title="Device Codes") |
| 268 | + | |
| 269 | + | @app.route("/graph_requests") |
| 270 | + | def graph_requests(): |
| 271 | + | return render_template('requests.html', title="Graph Requests") |
| 272 | + | |
| 273 | + | @app.route("/generic_search") |
| 274 | + | def generic_search(): |
| 275 | + | return render_template('generic_search.html', title="Generic Search") |
| 276 | + | |
| 277 | + | @app.route("/recent_files") |
| 278 | + | def recent_files(): |
| 279 | + | return render_template('recent_files.html', title="Recent Files") |
| 280 | + | |
| 281 | + | @app.route("/shared_with_me") |
| 282 | + | def shared_with_me(): |
| 283 | + | return render_template('shared_with_me.html', title="Files Shared With Me") |
| 284 | + | |
| 285 | + | @app.route("/onedrive") |
| 286 | + | def onedrive(): |
| 287 | + | return render_template('OneDrive.html', title="OneDrive") |
| 288 | + | |
| 289 | + | @app.route("/sharepoint_sites") |
| 290 | + | def sharepoint_sites(): |
| 291 | + | return render_template('SharePointSites.html', title="SharePoint Sites") |
| 292 | + | |
| 293 | + | @app.route("/sharepoint_drives") |
| 294 | + | def sharepoint_drives(): |
| 295 | + | return render_template('SharePointDrives.html', title="SharePoint Drives") |
| 296 | + | |
| 297 | + | @app.route("/sharepoint") |
| 298 | + | def sharepoint(): |
| 299 | + | return render_template('SharePoint.html', title="SharePoint") |
| 300 | + | |
| 301 | + | @app.route("/outlook") |
| 302 | + | def outlook(): |
| 303 | + | return render_template('outlook.html', title="Outlook") |
| 304 | + | |
| 305 | + | # ========== API ========== |
| 306 | + | |
| 307 | + | # ========== Device Codes ========== |
| 308 | + | |
| 309 | + | @app.route("/api/list_device_codes") |
| 310 | + | def api_list_device_codes(): |
| 311 | + | rows = query_db_json("select * from devicecodes") |
| 312 | + | # Convert unix timestamps to formated datetime strings before returning |
| 313 | + | [row.update(generated_at=f"{datetime.fromtimestamp(row['generated_at'])}") for row in rows] |
| 314 | + | [row.update(expires_at=f"{datetime.fromtimestamp(row['expires_at'])}") for row in rows] |
| 315 | + | [row.update(last_poll=f"{datetime.fromtimestamp(row['last_poll'])}") for row in rows] |
| 316 | + | return json.dumps(rows) |
| 317 | + | |
| 318 | + | @app.post("/api/restart_device_code_polling") |
| 319 | + | def api_restart_device_code_polling(): |
| 320 | + | return start_device_code_thread() |
| 321 | + | |
| 322 | + | @app.post('/api/generate_device_code') |
| 323 | + | def api_generate_device_code(): |
| 324 | + | resource = request.form['resource'] if "resource" in request.form else "" |
| 325 | + | client_id = request.form['client_id'] if "client_id" in request.form else "" |
| 326 | + | if resource and client_id: |
| 327 | + | user_code = device_code_flow(resource, client_id) |
| 328 | + | return user_code |
| 329 | + | |
| 330 | + | @app.route("/api/delete_device_code/<id>") |
| 331 | + | def api_delete_device_code(id): |
| 332 | + | execute_db("DELETE FROM devicecodes where id = ?",[id]) |
| 333 | + | return "true" |
| 334 | + | |
| 335 | + | # ========== Refresh Tokens ========== |
| 336 | + | |
| 337 | + | @app.route("/api/list_refresh_tokens") |
| 338 | + | def api_list_refresh_tokens(): |
| 339 | + | rows = query_db_json("select * from refreshtokens") |
| 340 | + | return json.dumps(rows) |
| 341 | + | |
| 342 | + | @app.route("/api/get_refresh_token/<id>") |
| 343 | + | def api_get_refresh_token(id): |
| 344 | + | rows = query_db_json("select * from refreshtokens WHERE id = ?",[id],one=True) |
| 345 | + | return json.dumps(rows) |
| 346 | + | |
| 347 | + | @app.post('/api/add_refresh_token') |
| 348 | + | def api_add_refresh_token(): |
| 349 | + | refreshtoken = request.form['refreshtoken'] if "refreshtoken" in request.form else "" |
| 350 | + | user = request.form['user'] if "user" in request.form else "" |
| 351 | + | tenant = request.form['tenant_domain'] if "tenant_domain" in request.form else "" |
| 352 | + | resource = request.form['resource'] if "resource" in request.form else "" |
| 353 | + | description = request.form['description'] if "description" in request.form else "" |
| 354 | + | foci = 1 if "foci" in request.form else 0 |
| 355 | + | if refreshtoken and tenant and resource: |
| 356 | + | save_refresh_token(refreshtoken, description, user, tenant, resource, foci) |
| 357 | + | return redirect('/refresh_tokens') |
| 358 | + | |
| 359 | + | @app.post('/api/refresh_to_access_token') |
| 360 | + | def api_refresh_to_access_token(): |
| 361 | + | refresh_token_id = request.form['refresh_token_id'] if "refresh_token_id" in request.form else "" |
| 362 | + | resource = request.form['resource'] if "resource" in request.form else "" |
| 363 | + | resource = resource if resource else "defined_in_token" |
| 364 | + | client_id = request.form['client_id'] if "client_id" in request.form else "" |
| 365 | + | client_id = client_id if client_id else "d3590ed6-52b3-4102-aeff-aad2292ab01c" |
| 366 | + | store_refresh_token = True if "store_refresh_token" in request.form else False |
| 367 | + | access_token_id = 0 |
| 368 | + | if refresh_token_id and resource and client_id: |
| 369 | + | access_token_id = refresh_to_access_token(refresh_token_id, resource, client_id, store_refresh_token) |
| 370 | + | return f"{access_token_id}" |
| 371 | + | |
| 372 | + | @app.route("/api/delete_refresh_token/<id>") |
| 373 | + | def api_delete_refresh_token(id): |
| 374 | + | execute_db("DELETE FROM refreshtokens where id = ?",[id]) |
| 375 | + | return "true" |
| 376 | + | |
| 377 | + | @app.route("/api/active_refresh_token/<id>") |
| 378 | + | def api_set_active_refresh_token(id): |
| 379 | + | previous_id = query_db("SELECT value FROM settings WHERE setting = 'active_refresh_token_id'",one=True) |
| 380 | + | if not previous_id: |
| 381 | + | execute_db("INSERT INTO settings (setting, value) VALUES ('active_refresh_token_id',?)",(id,)) |
| 382 | + | else: |
| 383 | + | execute_db("UPDATE settings SET value = ? WHERE setting = 'active_refresh_token_id'",(id,)) |
| 384 | + | return id |
| 385 | + | |
| 386 | + | @app.route("/api/active_refresh_token") |
| 387 | + | def api_get_active_refresh_token(): |
| 388 | + | active_refresh_token = query_db("SELECT value FROM settings WHERE setting = 'active_refresh_token_id'",one=True) |
| 389 | + | return f"{active_refresh_token[0]}" if active_refresh_token else "0" |
| 390 | + | |
| 391 | + | # ========== Access Tokens ========== |
| 392 | + | |
| 393 | + | @app.route("/api/list_access_tokens") |
| 394 | + | def api_list_access_tokens(): |
| 395 | + | rows = query_db_json("select * from accesstokens") |
| 396 | + | return json.dumps(rows) |
| 397 | + | |
| 398 | + | @app.post('/api/add_access_token') |
| 399 | + | def api_add_access_token(): |
| 400 | + | accesstoken = request.form['accesstoken'] |
| 401 | + | description = request.form['description'] |
| 402 | + | save_access_token(accesstoken, description) |
| 403 | + | return redirect('/access_tokens') |
| 404 | + | |
| 405 | + | @app.route("/api/get_access_token/<id>") |
| 406 | + | def api_get_access_token(id): |
| 407 | + | rows = query_db_json("select * from accesstokens WHERE id = ?",[id],one=True) |
| 408 | + | return json.dumps(rows) |
| 409 | + | |
| 410 | + | @app.route("/api/decode_token/<id>") |
| 411 | + | def api_decode_token(id): |
| 412 | + | rows = query_db("SELECT accesstoken FROM accesstokens WHERE id = ?",[id],one=True) |
| 413 | + | if rows: |
| 414 | + | decoded_accesstoken = jwt.decode(rows[0], options={"verify_signature": False}) |
| 415 | + | return decoded_accesstoken |
| 416 | + | else: |
| 417 | + | return f"[Error] Could not find access token with id {id}" |
| 418 | + | |
| 419 | + | @app.route("/api/delete_access_token/<id>") |
| 420 | + | def api_delete_access_token(id): |
| 421 | + | execute_db("DELETE FROM accesstokens WHERE id = ?",[id]) |
| 422 | + | return "true" |
| 423 | + | |
| 424 | + | @app.route("/api/active_access_token/<id>") |
| 425 | + | def api_set_active_access_token(id): |
| 426 | + | previous_id = query_db("SELECT value FROM settings WHERE setting = 'active_access_token_id'",one=True) |
| 427 | + | if not previous_id: |
| 428 | + | execute_db("INSERT INTO settings (setting, value) VALUES ('active_access_token_id',?)",(id,)) |
| 429 | + | else: |
| 430 | + | execute_db("UPDATE settings SET value = ? WHERE setting = 'active_access_token_id'",(id,)) |
| 431 | + | return id |
| 432 | + | |
| 433 | + | @app.route("/api/active_access_token") |
| 434 | + | def api_get_active_access_token(): |
| 435 | + | active_access_token = query_db("SELECT value FROM settings WHERE setting = 'active_access_token_id'",one=True) |
| 436 | + | return f"{active_access_token[0]}" if active_access_token else "0" |
| 437 | + | |
| 438 | + | # ========== Graph Requests ========== |
| 439 | + | |
| 440 | + | @app.post("/api/generic_graph") |
| 441 | + | def api_generic_graph(): |
| 442 | + | graph_uri = request.form['graph_uri'] |
| 443 | + | access_token_id = request.form['access_token_id'] |
| 444 | + | graph_response = graph_request(graph_uri, access_token_id) |
| 445 | + | return graph_response |
| 446 | + | |
| 447 | + | @app.post("/api/generic_graph_post") |
| 448 | + | def api_generic_graph_post(): |
| 449 | + | graph_uri = request.form['graph_uri'] |
| 450 | + | access_token_id = request.form['access_token_id'] |
| 451 | + | body = json.loads(request.form['body']) |
| 452 | + | graph_response = graph_request_post(graph_uri, access_token_id, body) |
| 453 | + | return graph_response |
| 454 | + | |
| 455 | + | # ========== Database ========== |
| 456 | + | |
| 457 | + | @app.get("/api/list_databases") |
| 458 | + | def api_list_databases(): |
| 459 | + | return list_databases() |
| 460 | + | |
| 461 | + | @app.post("/api/create_database") |
| 462 | + | def api_create_database(): |
| 463 | + | database_name = request.form['database'] |
| 464 | + | if not database_name: |
| 465 | + | return f"[Error] Please specify a database name." |
| 466 | + | database_name = database_name if database_name.endswith(".db") else f"{database_name}.db" |
| 467 | + | db_path = safe_join(app.config['graph_spy_db_folder'],database_name) |
| 468 | + | if not db_path: |
| 469 | + | return f"[Error] Invalid database name '{database_name}'. Try again with another name." |
| 470 | + | if(os.path.exists(db_path)): |
| 471 | + | return f"[Error] Database '{database_name}' already exists. Try again with another name." |
| 472 | + | old_db = app.config['graph_spy_db_path'] |
| 473 | + | app.config['graph_spy_db_path'] = db_path |
| 474 | + | init_db() |
| 475 | + | if(not os.path.exists(db_path)): |
| 476 | + | app.config['graph_spy_db_path'] = old_db |
| 477 | + | return f"[Error] Failed to create database '{database_name}'." |
| 478 | + | return f"[Success] Created and activated '{database_name}'." |
| 479 | + | |
| 480 | + | @app.post("/api/activate_database") |
| 481 | + | def api_activate_database(): |
| 482 | + | database_name = request.form['database'] |
| 483 | + | db_path = safe_join(app.config['graph_spy_db_folder'],database_name) |
| 484 | + | if(not os.path.exists(db_path)): |
| 485 | + | return f"[Error] Database file '{db_path}' not found." |
| 486 | + | app.config['graph_spy_db_path'] = db_path |
| 487 | + | return f"[Success] Activated database '{database_name}'." |
| 488 | + | |
| 489 | + | @app.post("/api/duplicate_database") |
| 490 | + | def api_duplicate_database(): |
| 491 | + | database_name = request.form['database'] |
| 492 | + | db_path = safe_join(app.config['graph_spy_db_folder'],database_name) |
| 493 | + | if(not os.path.exists(db_path)): |
| 494 | + | return f"[Error] Database file '{db_path}' not found." |
| 495 | + | for i in range(1,100): |
| 496 | + | new_path = f"{db_path.strip('.db')}_{i}.db" |
| 497 | + | if(not os.path.exists(new_path)): |
| 498 | + | shutil.copy2(db_path, new_path) |
| 499 | + | return f"[Success] Duplicated database '{database_name}' to '{new_path.split('/')[-1]}'." |
| 500 | + | return f"[Error] Could not duplicate database '{database_name}'." |
| 501 | + | |
| 502 | + | @app.post("/api/delete_database") |
| 503 | + | def api_delete_database(): |
| 504 | + | database_name = request.form['database'] |
| 505 | + | db_path = safe_join(app.config['graph_spy_db_folder'],database_name) |
| 506 | + | if app.config['graph_spy_db_path'].lower() == db_path.lower(): |
| 507 | + | return "[Error] Can't delete the active database. Select a different database first." |
| 508 | + | os.remove(db_path) |
| 509 | + | if(not os.path.exists(db_path)): |
| 510 | + | return f"[Success] Database '{database_name}' deleted." |
| 511 | + | else: |
| 512 | + | return f"[Error] Failed to delete '{database_name}' at '{db_path}'." |
| 513 | + | |
| 514 | + | # ========== Settings ========== |
| 515 | + | |
| 516 | + | @app.post("/api/set_table_error_messages") |
| 517 | + | def api_set_table_error_messages(): |
| 518 | + | state = request.form['state'] |
| 519 | + | if state not in ["enabled", "disabled"]: |
| 520 | + | return f"[Error] Invalid state '{state}'." |
| 521 | + | app.config['table_error_messages'] = state |
| 522 | + | return f"[Success] {state.capitalize()} datatable error messages." |
| 523 | + | |
| 524 | + | @app.get("/api/get_settings") |
| 525 | + | def api_get_settings(): |
| 526 | + | settings_raw = query_db_json("SELECT * FROM settings") |
| 527 | + | #settings_json = [{setting["setting"] : setting["value"]} for setting in settings_raw] |
| 528 | + | settings_json = {setting["setting"] : setting["value"] for setting in settings_raw} |
| 529 | + | return settings_json |
| 530 | + | |
| 531 | + | # ========== Other ========== |
| 532 | + | |
| 533 | + | @app.teardown_appcontext |
| 534 | + | def close_connection(exception): |
| 535 | + | db = getattr(g, '_database', None) |
| 536 | + | if db is not None: |
| 537 | + | db.close() |
| 538 | + | def main(): |
| 539 | + | # Banner |
| 540 | + | print(fr""" |
| 541 | + | ________ _________ |
| 542 | + | / / by RedByte1337 __ / / v{__version__} |
| 543 | + | / _____/___________ ______ | |__ / _____/_____ ______ |
| 544 | + | / \ __\_ __ \__ \ \____ \| | \ \_____ \\____ \ | | |
| 545 | + | \ \_\ \ | \/ __ \| |_> | \ \/ \ |_> \___ | |
| 546 | + | \______ /__| |____ | __/|___| /_______ / ___/ ____| |
| 547 | + | \/ \/|__| \/ \/|__| \/ |
| 548 | + | """) |
| 549 | + | # Argument Parser |
| 550 | + | import argparse |
| 551 | + | parser = argparse.ArgumentParser(prog="GraphSpy", description="Launches the GraphSpy Flask application", epilog="For more information, see https://github.com/RedByte1337/GraphSpy") |
| 552 | + | parser.add_argument("-i","--interface", type=str, help="The interface to bind to. Use 0.0.0.0 for all interfaces. (Default = 127.0.0.1)") |
| 553 | + | parser.add_argument("-p", "--port", type=int, help="The port to bind to. (Default = 5000)") |
| 554 | + | parser.add_argument("-d","--database", type=str, default="database.db", help="Database file to utilize. (Default = database.db)") |
| 555 | + | parser.add_argument("--debug", action="store_true", help="Enable flask debug mode. Will show detailed stack traces when an error occurs.") |
| 556 | + | args = parser.parse_args() |
| 557 | + | |
| 558 | + | # Create global Flask app variable |
| 559 | + | global app |
| 560 | + | app = Flask(__name__) |
| 561 | + | init_routes() |
| 562 | + | |
| 563 | + | # First time Use |
| 564 | + | graph_spy_folder = os.path.normpath(os.path.expanduser("~/.gspy/")) |
| 565 | + | if(not os.path.exists(graph_spy_folder)): |
| 566 | + | print("[*] First time use detected.") |
| 567 | + | print(f"[*] Creating directory '{graph_spy_folder}'.") |
| 568 | + | os.mkdir(graph_spy_folder) |
| 569 | + | if(not os.path.exists(graph_spy_folder)): |
| 570 | + | sys.exit(f"Failed creating directory '{graph_spy_folder}'. Unable to proceed.") |
| 571 | + | app.config['graph_spy_folder'] = graph_spy_folder |
| 572 | + | |
| 573 | + | # Database |
| 574 | + | database = args.database |
| 575 | + | # Normalize db path |
| 576 | + | database = database if database.endswith(".db") else f"{database}.db" |
| 577 | + | # Create database folder if it doesn't exist yet |
| 578 | + | graph_spy_db_folder = os.path.normpath(os.path.join(graph_spy_folder,"databases/")) |
| 579 | + | if(not os.path.exists(graph_spy_db_folder)): |
| 580 | + | print(f"[*] Creating directory '{graph_spy_db_folder}'.") |
| 581 | + | os.mkdir(graph_spy_db_folder) |
| 582 | + | if(not os.path.exists(graph_spy_db_folder)): |
| 583 | + | sys.exit(f"Failed creating directory '{graph_spy_db_folder}'. Unable to proceed.") |
| 584 | + | app.config['graph_spy_db_folder'] = graph_spy_db_folder |
| 585 | + | graph_spy_db_path = safe_join(graph_spy_db_folder,database) |
| 586 | + | if not graph_spy_db_path: |
| 587 | + | sys.exit(f"Invalid database name '{database}'.") |
| 588 | + | app.config['graph_spy_db_path'] = graph_spy_db_path |
| 589 | + | # Initialize DB if it doesn't exist yet |
| 590 | + | if(not os.path.exists(graph_spy_db_path)): |
| 591 | + | print(f"[*] Database file '{graph_spy_db_path}' not found. Initializing new database.") |
| 592 | + | init_db() |
| 593 | + | if(not os.path.exists(graph_spy_db_path)): |
| 594 | + | sys.exit(f"Failed creating database file at '{graph_spy_db_path}'. Unable to proceed.") |
| 595 | + | print(f"[*] Utilizing database '{graph_spy_db_path}'.") |
| 596 | + | |
| 597 | + | # Disable datatable error messages by default. |
| 598 | + | app.config['table_error_messages'] = "disabled" |
| 599 | + | |
| 600 | + | # Run flask |
| 601 | + | print(f"[*] Starting GraphSpy. Open in your browser by going to the url displayed below.\n") |
| 602 | + | app.run(debug=args.debug, host=args.interface, port=args.port) |
| 603 | + | |
| 604 | + | if __name__ == '__main__': |
| 605 | + | main() |