From d1a074a100022b576fc4f8c202128ced2c2b80f9 Mon Sep 17 00:00:00 2001
From: Mike Fiedler <miketheman@gmail.com>
Date: Fri, 29 Mar 2024 12:41:39 -0400
Subject: [PATCH] feat(admin): Add a Malware-specific UI (#15687)

* fix(admin): activate datatables only when found

If a table wasn't found, the rest of the module's execution would halt.

Signed-off-by: Mike Fiedler <miketheman@gmail.com>

* feat(dev): add some more color to generated summary

Signed-off-by: Mike Fiedler <miketheman@gmail.com>

* feat(admin): show malware counts on dashboard

Signed-off-by: Mike Fiedler <miketheman@gmail.com>

* feat(admin): malware reports list and details

Signed-off-by: Mike Fiedler <miketheman@gmail.com>

* refactor: move csp directives to admin-only

Signed-off-by: Mike Fiedler <miketheman@gmail.com>

---------

Signed-off-by: Mike Fiedler <miketheman@gmail.com>
---
 tests/common/db/packaging.py                  |  4 +
 tests/unit/admin/test_routes.py               | 10 +++
 tests/unit/admin/views/test_core.py           | 26 +++++-
 .../unit/admin/views/test_malware_reports.py  | 38 ++++++++
 tests/unit/test_csp.py                        | 28 ++++++
 warehouse/admin/routes.py                     | 10 +++
 warehouse/admin/static/css/admin.scss         |  1 +
 warehouse/admin/static/js/warehouse.js        | 89 +++++++++++++------
 warehouse/admin/templates/admin/base.html     |  9 +-
 .../admin/templates/admin/dashboard.html      | 24 +++++
 .../admin/malware_reports/detail.html         | 79 ++++++++++++++++
 .../templates/admin/malware_reports/list.html | 71 +++++++++++++++
 warehouse/admin/views/core.py                 | 14 ++-
 warehouse/admin/views/malware_reports.py      | 64 +++++++++++++
 warehouse/cli/observations.py                 |  4 +-
 warehouse/csp.py                              |  6 ++
 16 files changed, 444 insertions(+), 33 deletions(-)
 create mode 100644 tests/unit/admin/views/test_malware_reports.py
 create mode 100644 warehouse/admin/templates/admin/malware_reports/detail.html
 create mode 100644 warehouse/admin/templates/admin/malware_reports/list.html
 create mode 100644 warehouse/admin/views/malware_reports.py

diff --git a/tests/common/db/packaging.py b/tests/common/db/packaging.py
index 462f6bb9e0a9..f6aba2f8c4ba 100644
--- a/tests/common/db/packaging.py
+++ b/tests/common/db/packaging.py
@@ -35,6 +35,7 @@
 
 from .accounts import UserFactory
 from .base import WarehouseFactory
+from .observations import ObserverFactory
 
 fake = faker.Faker()
 
@@ -61,6 +62,9 @@ class ProjectObservationFactory(WarehouseFactory):
     class Meta:
         model = Project.Observation
 
+    related = factory.SubFactory(ProjectFactory)
+    observer = factory.SubFactory(ObserverFactory)
+
     kind = factory.Faker(
         "random_element", elements=[kind.value[1] for kind in ObservationKind]
     )
diff --git a/tests/unit/admin/test_routes.py b/tests/unit/admin/test_routes.py
index 09cba574612f..c8f3d38c7c55 100644
--- a/tests/unit/admin/test_routes.py
+++ b/tests/unit/admin/test_routes.py
@@ -256,6 +256,16 @@ def test_includeme():
             "/admin/observations/",
             domain=warehouse,
         ),
+        pretend.call(
+            "admin.malware_reports.list",
+            "/admin/malware_reports/",
+            domain=warehouse,
+        ),
+        pretend.call(
+            "admin.malware_reports.detail",
+            "/admin/malware_reports/{observation_id}/",
+            domain=warehouse,
+        ),
         pretend.call("admin.emails.list", "/admin/emails/", domain=warehouse),
         pretend.call("admin.emails.mass", "/admin/emails/mass/", domain=warehouse),
         pretend.call(
diff --git a/tests/unit/admin/views/test_core.py b/tests/unit/admin/views/test_core.py
index 69f0d2390f79..01a1f20b44f7 100644
--- a/tests/unit/admin/views/test_core.py
+++ b/tests/unit/admin/views/test_core.py
@@ -14,7 +14,29 @@
 
 from warehouse.admin.views import core as views
 
+from ....common.db.packaging import ProjectObservationFactory
+
 
 class TestDashboard:
-    def test_dashboard(self):
-        assert views.dashboard(pretend.stub()) == {}
+    def test_dashboard(self, pyramid_request):
+        pyramid_request.has_permission = pretend.call_recorder(lambda perm: False)
+
+        assert views.dashboard(pyramid_request) == {
+            "malware_reports_count": None,
+        }
+
+        assert pyramid_request.has_permission.calls == [
+            pretend.call(views.Permissions.AdminObservationsRead),
+        ]
+
+    def test_dashboard_with_permission_and_observation(self, db_request):
+        ProjectObservationFactory.create(kind="is_malware")
+        db_request.user = pretend.stub()
+        db_request.has_permission = pretend.call_recorder(lambda perm: True)
+
+        assert views.dashboard(db_request) == {
+            "malware_reports_count": 1,
+        }
+        assert db_request.has_permission.calls == [
+            pretend.call(views.Permissions.AdminObservationsRead),
+        ]
diff --git a/tests/unit/admin/views/test_malware_reports.py b/tests/unit/admin/views/test_malware_reports.py
new file mode 100644
index 000000000000..5ee4d9d71cdb
--- /dev/null
+++ b/tests/unit/admin/views/test_malware_reports.py
@@ -0,0 +1,38 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+from warehouse.admin.views import malware_reports as views
+
+from ....common.db.packaging import ProjectObservationFactory
+
+
+class TestMalwareReportsList:
+    def test_malware_reports_list(self, db_request):
+        assert views.malware_reports_list(db_request) == {"malware_reports": []}
+
+    def test_malware_reports_list_with_observations(self, db_request):
+        ProjectObservationFactory.create(kind="is_spam")
+        malware = ProjectObservationFactory.create_batch(size=3, kind="is_malware")
+
+        assert views.malware_reports_list(db_request) == {"malware_reports": malware}
+
+
+class TestMalwareReportsDetail:
+    def test_malware_reports_detail(self, db_request):
+        assert views.malware_reports_detail(db_request) == {"report": None}
+
+    def test_malware_reports_detail_with_report(self, db_request):
+        report = ProjectObservationFactory.create(kind="is_malware")
+        db_request.matchdict["observation_id"] = str(report.id)
+
+        assert views.malware_reports_detail(db_request) == {"report": report}
diff --git a/tests/unit/test_csp.py b/tests/unit/test_csp.py
index 39abe3daec3e..eaeb7a1a611a 100644
--- a/tests/unit/test_csp.py
+++ b/tests/unit/test_csp.py
@@ -159,6 +159,34 @@ def test_simple_csp(self):
             )
         }
 
+    def test_admin_csp(self):
+        settings = {
+            "csp": {
+                "default-src": ["'none'"],
+                "frame-src": ["'none'"],
+                "img-src": ["'self'"],
+            }
+        }
+        response = pretend.stub(headers={})
+        registry = pretend.stub(settings=settings)
+        handler = pretend.call_recorder(lambda request: response)
+
+        tween = csp.content_security_policy_tween_factory(handler, registry)
+
+        request = pretend.stub(
+            path="/admin/",
+            find_service=pretend.call_recorder(lambda *args, **kwargs: settings["csp"]),
+        )
+
+        assert tween(request) is response
+        assert response.headers == {
+            "Content-Security-Policy": (
+                "default-src 'none'; "
+                "frame-src https://inspector.pypi.io; "
+                "img-src 'self' data:"
+            )
+        }
+
 
 class TestCSPPolicy:
     def test_create(self):
diff --git a/warehouse/admin/routes.py b/warehouse/admin/routes.py
index abcce14cdfc2..eefb57f4cd5f 100644
--- a/warehouse/admin/routes.py
+++ b/warehouse/admin/routes.py
@@ -264,6 +264,16 @@ def includeme(config):
     config.add_route(
         "admin.observations.list", "/admin/observations/", domain=warehouse
     )
+    config.add_route(
+        "admin.malware_reports.list",
+        "/admin/malware_reports/",
+        domain=warehouse,
+    )
+    config.add_route(
+        "admin.malware_reports.detail",
+        "/admin/malware_reports/{observation_id}/",
+        domain=warehouse,
+    )
 
     # Email related Admin pages
     config.add_route("admin.emails.list", "/admin/emails/", domain=warehouse)
diff --git a/warehouse/admin/static/css/admin.scss b/warehouse/admin/static/css/admin.scss
index 7fe537300273..130393420747 100644
--- a/warehouse/admin/static/css/admin.scss
+++ b/warehouse/admin/static/css/admin.scss
@@ -18,6 +18,7 @@
 @import "admin-lte/plugins/datatables-bs4/css/dataTables.bootstrap4.css";
 @import "admin-lte/plugins/datatables-responsive/css/responsive.bootstrap4.css";
 @import "admin-lte/plugins/datatables-buttons/css/buttons.bootstrap4.css";
+@import "admin-lte/plugins/datatables-rowgroup/css/rowGroup.bootstrap4.css";
 
 @import "admin-lte/dist/css/adminlte.css";
 
diff --git a/warehouse/admin/static/js/warehouse.js b/warehouse/admin/static/js/warehouse.js
index 090a694bb313..6aab66e56ed1 100644
--- a/warehouse/admin/static/js/warehouse.js
+++ b/warehouse/admin/static/js/warehouse.js
@@ -23,6 +23,8 @@ import "admin-lte/plugins/datatables-buttons/js/dataTables.buttons";
 import "admin-lte/plugins/datatables-buttons/js/buttons.bootstrap4";
 import "admin-lte/plugins/datatables-buttons/js/buttons.html5";
 import "admin-lte/plugins/datatables-buttons/js/buttons.colVis";
+import "admin-lte/plugins/datatables-rowgroup/js/dataTables.rowGroup";
+import "admin-lte/plugins/datatables-rowgroup/js/rowGroup.bootstrap4";
 
 // Import AdminLTE JS
 import "admin-lte/build/js/AdminLTE";
@@ -111,35 +113,68 @@ document.querySelectorAll(".copy-text").forEach(function (element) {
 });
 
 // Activate Datatables https://datatables.net/
+// Guard each one to not break execution if the table isn't present
+
 // User Account Activity
-let table = $("#account-activity").DataTable({
-  responsive: true,
-  lengthChange: false,
-});
-// sort by time
-table.column(".time").order("desc").draw();
-// Hide some columns we don't need to see all the time
-table.columns([".ip_address", ".hashed_ip"]).visible(false);
-// add column visibility button
-new $.fn.dataTable.Buttons(table, {buttons: ["copy", "csv", "colvis"]});
-table.buttons().container().appendTo($(".col-md-6:eq(0)", table.table().container()));
+let accountActivityTable = $("#account-activity")
+if (accountActivityTable.length) {
+  let table = accountActivityTable.DataTable({
+    responsive: true,
+    lengthChange: false,
+  });
+  // sort by time
+  table.column(".time").order("desc").draw();
+  // Hide some columns we don't need to see all the time
+  table.columns([".ip_address", ".hashed_ip"]).visible(false);
+  // add column visibility button
+  new $.fn.dataTable.Buttons(table, {buttons: ["copy", "csv", "colvis"]});
+  table.buttons().container().appendTo($(".col-md-6:eq(0)", table.table().container()));
+}
 
 // User API Tokens
-let token_table = $("#api-tokens").DataTable({
-  responsive: true,
-  lengthChange: false,
-});
-token_table.columns([".last_used", ".created"]).order([1, "desc"]).draw();
-token_table.columns([".permissions_caveat"]).visible(false);
-new $.fn.dataTable.Buttons(token_table, {buttons: ["colvis"]});
-token_table.buttons().container().appendTo($(".col-md-6:eq(0)", token_table.table().container()));
+let tokenTable = $("#api-tokens")
+if (tokenTable.length) {
+  let table = tokenTable.DataTable({
+    responsive: true,
+    lengthChange: false,
+  });
+  table.columns([".last_used", ".created"]).order([1, "desc"]).draw();
+  table.columns([".permissions_caveat"]).visible(false);
+  new $.fn.dataTable.Buttons(table, {buttons: ["colvis"]});
+  table.buttons().container().appendTo($(".col-md-6:eq(0)", table.table().container()));
+}
 
 // Observations
-let obs_table = $("#observations").DataTable({
-  responsive: true,
-  lengthChange: false,
-});
-obs_table.column(".time").order("desc").draw();
-obs_table.columns([".payload"]).visible(false);
-new $.fn.dataTable.Buttons(obs_table, {buttons: ["copy", "csv", "colvis"]});
-obs_table.buttons().container().appendTo($(".col-md-6:eq(0)", obs_table.table().container()));
+let observationsTable = $("#observations")
+if (observationsTable.length) {
+  let table = observationsTable.DataTable({
+    responsive: true,
+    lengthChange: false,
+  });
+  table.column(".time").order("desc").draw();
+  table.columns([".payload"]).visible(false);
+  new $.fn.dataTable.Buttons(table, {buttons: ["copy", "csv", "colvis"]});
+  table.buttons().container().appendTo($(".col-md-6:eq(0)", table.table().container()));
+}
+
+// Malware Reports
+let malwareReportsTable = $("#malware-reports")
+if (malwareReportsTable.length) {
+  let table = malwareReportsTable.DataTable({
+    displayLength: 25,
+    lengthChange: false,
+    order: [[0, "asc"], [2, "desc"]],  // alpha name, recent date
+    responsive: true,
+    rowGroup: {
+      dataSrc: 0,
+      // display row count in group header
+      startRender: function (rows, group) {
+        return group + ' (' + rows.count() + ')';
+      },
+    },
+  });
+  // hide the project name, since it's in the group title
+  table.columns([0]).visible(false);
+  new $.fn.dataTable.Buttons(table, {buttons: ["copy", "csv", "colvis"]});
+  table.buttons().container().appendTo($(".col-md-6:eq(0)", table.table().container()));
+}
diff --git a/warehouse/admin/templates/admin/base.html b/warehouse/admin/templates/admin/base.html
index 92d91a22694c..250244c68fd2 100644
--- a/warehouse/admin/templates/admin/base.html
+++ b/warehouse/admin/templates/admin/base.html
@@ -12,7 +12,7 @@
  # limitations under the License.
 -#}
 <!DOCTYPE html>
-<html>
+<html lang="en">
   <head>
     <meta charset="utf-8">
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
@@ -113,6 +113,11 @@
         <ul class="nav nav-pills nav-sidebar flex-column" data-widget="treeview" role="menu" data-accordion="false">
           {# TODO: Is there a cleaner way to show/hide the allowed sections? #}
           {% if request.has_permission(Permissions.AdminDashboardSidebarRead) %}
+          <li class="nav-item">
+            <a href="{{ request.route_path('admin.malware_reports.list') }}" class="nav-link">
+              <i class="fa-solid fa-dumpster-fire nav-icon"></i> <p>Malware Reports <span class="right badge badge-danger">New</span></p>
+            </a>
+          </li>
           <li class="nav-item">
             <a href="{{ request.route_path('admin.organization_application.list') }}" class="nav-link">
               <i class="fa fa-sitemap nav-icon"></i> <p>Organization Applications</p>
@@ -130,7 +135,7 @@
           </li>
           <li class="nav-item">
             <a href="{{ request.route_path('admin.macaroon.decode_token') }}" class="nav-link">
-              <i class="fa-solid fa-stroopwafel nav-icon"></i> <p>Macaroons <span class="right badge badge-danger">New</span></p>
+              <i class="fa-solid fa-stroopwafel nav-icon"></i> <p>Macaroons</p>
             </a>
           </li>
           <li class="nav-item">
diff --git a/warehouse/admin/templates/admin/dashboard.html b/warehouse/admin/templates/admin/dashboard.html
index d10ce558e056..db8ba79dd219 100644
--- a/warehouse/admin/templates/admin/dashboard.html
+++ b/warehouse/admin/templates/admin/dashboard.html
@@ -11,4 +11,28 @@
  # See the License for the specific language governing permissions and
  # limitations under the License.
 -#}
+
 {% extends "base.html" %}
+
+{% block content %}
+  <div class="row">
+    {% if malware_reports_count %}
+      <div class="col-lg-4 col-6">
+        <div class="small-box bg-gradient-warning">
+          <div class="inner">
+            <h3>{{ malware_reports_count }}</h3>
+            <p>Open Malware Reports</p>
+          </div>
+          <div class="icon">
+            <i class="fa-solid fa-dumpster-fire"></i>
+          </div>
+          <a href="{{ request.route_path("admin.malware_reports.list") }}"
+             class="small-box-footer">
+            More info <i class="fas fa-arrow-circle-right"></i>
+          </a>
+        </div>
+      </div>
+    {% endif %}
+  </div>
+  <!-- /.row -->
+{% endblock %}
diff --git a/warehouse/admin/templates/admin/malware_reports/detail.html b/warehouse/admin/templates/admin/malware_reports/detail.html
new file mode 100644
index 000000000000..b9cb88a9c10e
--- /dev/null
+++ b/warehouse/admin/templates/admin/malware_reports/detail.html
@@ -0,0 +1,79 @@
+{#
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+-#}
+
+{% extends "admin/base.html" %}
+
+{% import "admin/utils/pagination.html" as pagination %}
+{% block title %}Malware Reports{% endblock %}
+
+{% block breadcrumb %}
+  <li class="breadcrumb-item">
+    <a href="{{ request.route_path("admin.observations.list") }}">Observations</a>
+  </li>
+  <li class="breadcrumb-item">
+    <a href="{{ request.route_path("admin.malware_reports.list") }}">Malware Reports</a>
+  </li>
+  <li class="breadcrumb-item active">Detail View</li>
+{% endblock %}
+
+{% block content %}
+  <div class="card">
+    <div class="card-header">
+      <h3 class="card-title">
+        Project: <code>{{ report.related.name }}</code>
+      </h3>
+    </div>
+    <div class="card-body">
+      <dl class="row">
+        <dt class="col-sm-3">Observation ID</dt>
+        <dd class="col-sm-9">
+          <code>{{ report.id }}</code>
+        </dd>
+        <dt class="col-sm-3">Reported By</dt>
+        <dd class="col-sm-9">
+          <a href="{{ request.route_path('admin.user.detail', username=report.observer.parent.username) }}">{{ report.observer.parent.username }}</a>
+        </dd>
+        <dt class="col-sm-3">Reported At</dt>
+        <dd class="col-sm-9">
+          {{ report.created }}
+        </dd>
+        <dt class="col-sm-3">Summary</dt>
+        <dd class="col-sm-9">
+          {{ report.summary }}
+        </dd>
+        <dt class="col-sm-3">Payload</dt>
+        <dd class="col-sm-9">
+          <code>{{ report.payload }}</code>
+        </dd>
+      </dl>
+    </div>
+    <div class="card-footer">
+      {# TODO: make this actually go somewhere and do something #}
+      <a href="{{ request.route_path("admin.malware_reports.list") }}"
+         class="btn btn-danger float-right disabled">Remove Project</a>
+    </div>
+  </div>
+  <div class="card">
+    <div class="card-header">
+      <span class="small">Inspector is loaded in an iframe. External links may not work.</span>
+    </div>
+    <div class="card-body">
+      <div class="embed-responsive embed-responsive-16by9">
+        <iframe class="embed-responsive-item"
+                src="https://inspector.pypi.io/project/{{ report.related.name }}">
+        </iframe>
+      </div>
+    </div>
+  </div>
+{% endblock %}
diff --git a/warehouse/admin/templates/admin/malware_reports/list.html b/warehouse/admin/templates/admin/malware_reports/list.html
new file mode 100644
index 000000000000..439ae1b7cad3
--- /dev/null
+++ b/warehouse/admin/templates/admin/malware_reports/list.html
@@ -0,0 +1,71 @@
+{#
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+-#}
+
+{% extends "admin/base.html" %}
+
+{% import "admin/utils/pagination.html" as pagination %}
+{% block title %}Malware Reports{% endblock %}
+
+{% block breadcrumb %}
+  <li class="breadcrumb-item">
+    <a href="{{ request.route_path("admin.observations.list") }}">Observations</a>
+  </li>
+  <li class="breadcrumb-item active">Malware Reports</li>
+{% endblock %}
+
+{% block content %}
+  <div class="card">
+    <div class="card-header">
+      <h3 class="card-title">Malware Reports</h3>
+    </div>
+    <div class="card-body">
+      <div class="table-responsive">
+        <table class="table table-hover" id="malware-reports">
+          <thead>
+            <tr>
+              <th>Project Name</th>
+              <th>Summary</th>
+              <th>Created</th>
+              <th>Reported By</th>
+              <th>Actions</th>
+            </tr>
+          </thead>
+          <tbody>
+            {% for report in malware_reports %}
+              <tr>
+                <td>
+                  <a href="{{ request.route_path('admin.project.detail', project_name=report.related.name) }}">{{ report.related.name }}</a>
+                </td>
+                <td>{{ report.summary }}</td>
+                {# TODO: humanize as time ago? #}
+                <td>{{ report.created }}</td>
+                <td>
+                  <a href="{{ request.route_path('admin.user.detail', username=report.observer.parent.username) }}">{{ report.observer.parent.username }}</a>
+                </td>
+                <td>
+                  <a href="{{ request.route_path('admin.malware_reports.detail', observation_id=report.id) }}"
+                     class="btn btn-sm btn-primary"><i class="fa-regular fa-eye"></i></a>
+                  {# TODO: enable this once there's a handler#}
+                  <a href="{{ request.route_path('admin.malware_reports.list', observation_id=report.id) }}"
+                     class="btn btn-sm btn-danger disabled"><i class="fa-regular fa-trash-can"></i></a>
+                </td>
+              </tr>
+            {% endfor %}
+          </tbody>
+        </table>
+      </div>
+    </div>
+    <div class="card-footer">{# TODO: add pagination #}</div>
+  </div>
+{% endblock %}
diff --git a/warehouse/admin/views/core.py b/warehouse/admin/views/core.py
index 2649d2159ff7..b4498c7b3fec 100644
--- a/warehouse/admin/views/core.py
+++ b/warehouse/admin/views/core.py
@@ -11,8 +11,10 @@
 # limitations under the License.
 
 from pyramid.view import view_config
+from sqlalchemy import func
 
 from warehouse.authnz import Permissions
+from warehouse.observations.models import Observation, ObservationKind
 
 
 @view_config(
@@ -22,4 +24,14 @@
     uses_session=True,
 )
 def dashboard(request):
-    return {}
+    if request.has_permission(Permissions.AdminObservationsRead):
+        # Count how many Malware Project Observations are in the database
+        malware_reports_count = (
+            request.db.query(func.count(Observation.id)).filter(
+                Observation.kind == ObservationKind.IsMalware.value[0]
+            )
+        ).scalar()
+    else:
+        malware_reports_count = None
+
+    return {"malware_reports_count": malware_reports_count}
diff --git a/warehouse/admin/views/malware_reports.py b/warehouse/admin/views/malware_reports.py
new file mode 100644
index 000000000000..2635adcf2000
--- /dev/null
+++ b/warehouse/admin/views/malware_reports.py
@@ -0,0 +1,64 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Admin Views related to Observations"""
+
+from pyramid.view import view_config
+
+from warehouse.authnz import Permissions
+from warehouse.observations.models import Observation
+
+
+@view_config(
+    route_name="admin.malware_reports.list",
+    renderer="admin/malware_reports/list.html",
+    permission=Permissions.AdminObservationsRead,
+    request_method="GET",
+    uses_session=True,
+    require_csrf=True,
+    require_methods=False,
+)
+def malware_reports_list(request):
+    """
+    List all Malware Reports.
+
+    TODO: Paginate this view, not worthwhile just yet.
+          Client-side pagination is a good enough solution for now.
+    """
+    malware_observations = (
+        request.db.query(Observation)
+        .filter(Observation.kind == "is_malware")
+        # TODO: filter by handled or not, once we have a way to handle them
+        .order_by(Observation.created)
+        .all()
+    )
+
+    return {"malware_reports": malware_observations}
+
+
+@view_config(
+    route_name="admin.malware_reports.detail",
+    renderer="admin/malware_reports/detail.html",
+    permission=Permissions.AdminObservationsRead,
+    request_method="GET",
+    uses_session=True,
+    require_csrf=True,
+    require_methods=False,
+)
+def malware_reports_detail(request):
+    """
+    Show a detailed view of a Malware Report.
+    """
+    observation_id = request.matchdict.get("observation_id")
+    observation = request.db.query(Observation).get(observation_id)
+
+    return {"report": observation}
diff --git a/warehouse/cli/observations.py b/warehouse/cli/observations.py
index 1c109c8d5a01..5674be02f21f 100644
--- a/warehouse/cli/observations.py
+++ b/warehouse/cli/observations.py
@@ -36,6 +36,8 @@ def generate_random_observations(config):  # pragma: no cover # dev-only tool
     """
     # Imported here because we don't want to trigger an import from anything
     # but warehouse.cli at the module scope.
+    import faker
+
     from sqlalchemy import select
 
     from warehouse.accounts.models import User
@@ -70,7 +72,7 @@ def __init__(self):
                 request=request,
                 kind=random.choice(list(ObservationKind)),
                 actor=random.choice(users),
-                summary="CLI Generated",
+                summary="CLI Generated: " + faker.Faker().paragraph(nb_sentences=3),
                 payload={"origin": "CLI"},
             )
             for _ in range(10)
diff --git a/warehouse/csp.py b/warehouse/csp.py
index 85587d54bb57..45c1ad12e843 100644
--- a/warehouse/csp.py
+++ b/warehouse/csp.py
@@ -45,6 +45,12 @@ def content_security_policy_tween(request):
             policy["sandbox"] = ["allow-top-navigation"]
             policy["default-src"] = [NONE]
 
+        # Specific enables for Admin UI
+        if request.path.startswith("/admin/"):
+            policy["frame-src"] = ["https://inspector.pypi.io"]
+            # Admin UI/Bootstrap 4 uses inline SVGs for icons
+            policy["img-src"].extend(["data:"])
+
         # We don't want to apply our Content Security Policy to the debug
         # toolbar, that's not part of our application and it doesn't work with
         # our restrictive CSP.