def get_authorized_users_for_product_and_product_type(users, product, permission): if users is None: User = get_user_model() users = User.objects.filter(is_active=True) if settings.FEATURE_AUTHORIZATION_V2: roles = get_roles_for_permission(permission) product_members = Product_Member.objects \ .filter(product=product, role__in=roles) product_type_members = Product_Type_Member.objects \ .filter(product_type=product.prod_type, role__in=roles) product_groups = Product_Group.objects \ .filter(product=product, role__in=roles) product_type_groups = Product_Type_Group.objects \ .filter(product_type=product.prod_type, role__in=roles) group_members = Dojo_Group_Member.objects.filter( Q(group__in=[pg.group for pg in product_groups]) | Q(group__in=[ptg.group for ptg in product_type_groups])) return users.filter( Q(id__in=[pm.user.id for pm in product_members]) | Q(id__in=[ptm.user.id for ptm in product_type_members]) | Q(id__in=[gm.user.id for gm in group_members]) | Q(global_role__role__in=roles) | Q(is_superuser=True)) else: return users.filter( Q(id__in=product.authorized_users.all()) | Q(id__in=product.prod_type.authorized_users.all()) | Q(is_superuser=True) | Q(is_staff=True))
def get_authorized_product_types(permission): user = get_current_user() if user is None: return Product_Type.objects.none() if user.is_superuser: return Product_Type.objects.all().order_by('name') if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Product_Type.objects.all().order_by('name') if user_has_global_permission(user, permission): return Product_Type.objects.all().order_by('name') roles = get_roles_for_permission(permission) authorized_roles = Product_Type_Member.objects.filter( product_type=OuterRef('pk'), user=user, role__in=roles) authorized_groups = Product_Type_Group.objects.filter( product_type=OuterRef('pk'), group__users=user, role__in=roles) product_types = Product_Type.objects.annotate( member=Exists(authorized_roles), authorized_group=Exists(authorized_groups)).order_by('name') product_types = product_types.filter( Q(member=True) | Q(authorized_group=True)) return product_types
def get_authorized_products(permission): user = get_current_user() if user is None: return Product.objects.none() if user.is_superuser: return Product.objects.all().order_by('name') if settings.FEATURE_AUTHORIZATION_V2: if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Product.objects.all().order_by('name') roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('pk'), user=user, role__in=roles) products = Product.objects.annotate( prod_type__member=Exists(authorized_product_type_roles), member=Exists(authorized_product_roles)).order_by('name') products = products.filter(Q(prod_type__member=True) | Q(member=True)) else: if user.is_staff: products = Product.objects.all().order_by('name') else: products = Product.objects.filter( Q(authorized_users__in=[user]) | Q(prod_type__authorized_users__in=[user])).order_by('name') return products
def get_authorized_groups(permission): user = get_current_user() if user is None: return Dojo_Group.objects.none() if user.is_superuser: return Dojo_Group.objects.all().order_by('name') if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Dojo_Group.objects.all().order_by('name') if hasattr(user, 'global_role' ) and user.global_role.role is not None and role_has_permission( user.global_role.role.id, permission): return Dojo_Group.objects.all().order_by('name') for group in get_groups(user): if hasattr( group, 'global_role' ) and group.global_role.role is not None and role_has_permission( group.global_role.role.id, permission): return Dojo_Group.objects.all().order_by('name') roles = get_roles_for_permission(permission) authorized_roles = Dojo_Group_Member.objects.filter(group=OuterRef('pk'), user=user, role__in=roles) groups = Dojo_Group.objects.annotate( user=Exists(authorized_roles)).order_by('name') return groups.filter(user=True)
def get_authorized_engagement_presets(permission): user = get_current_user() if user is None: return Engagement_Presets.objects.none() if user.is_superuser: return Engagement_Presets.objects.all().order_by('title') if settings.FEATURE_AUTHORIZATION_V2: if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Engagement_Presets.objects.all().order_by('title') if hasattr( user, 'global_role' ) and user.global_role.role is not None and role_has_permission( user.global_role.role.id, permission): return Engagement_Presets.objects.all().order_by('title') for group in get_groups(user): if hasattr( group, 'global_role' ) and group.global_role.role is not None and role_has_permission( group.global_role.role.id, permission): return Engagement_Presets.objects.all().order_by('title') roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('product_id'), group__users=user, role__in=roles) engagement_presets = Engagement_Presets.objects.annotate( product__prod_type__member=Exists(authorized_product_type_roles), product__member=Exists(authorized_product_roles), product__prod_type__authorized_group=Exists( authorized_product_type_groups), product__authorized_group=Exists( authorized_product_groups)).order_by('title') engagement_presets = engagement_presets.filter( Q(product__prod_type__member=True) | Q(product__member=True) | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True)) else: if user.is_staff: engagement_presets = Engagement_Presets.objects.all().order_by( 'title') else: engagement_presets = Engagement_Presets.objects.filter( Q(product__authorized_users__in=[user]) | Q(product__prod_type__authorized_users__in=[user])).order_by( 'title') return engagement_presets
def get_authorized_finding_groups(permission, queryset=None, user=None): if user is None: user = get_current_user() if user is None: return Finding_Group.objects.none() if queryset is None: finding_groups = Finding_Group.objects.all() else: finding_groups = queryset if user.is_superuser: return finding_groups if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return finding_groups if user_has_global_permission(user, permission): return finding_groups roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('test__engagement__product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('test__engagement__product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('test__engagement__product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('test__engagement__product_id'), group__users=user, role__in=roles) finding_groups = finding_groups.annotate( test__engagement__product__prod_type__member=Exists( authorized_product_type_roles), test__engagement__product__member=Exists(authorized_product_roles), test__engagement__product__prod_type__authorized_group=Exists( authorized_product_type_groups), test__engagement__product__authorized_group=Exists( authorized_product_groups)) finding_groups = finding_groups.filter( Q(test__engagement__product__prod_type__member=True) | Q(test__engagement__product__member=True) | Q(test__engagement__product__prod_type__authorized_group=True) | Q(test__engagement__product__authorized_group=True)) return finding_groups
def get_authorized_users_for_product_type(users, product_type, permission): if settings.FEATURE_AUTHORIZATION_V2: roles = get_roles_for_permission(permission) product_type_members = Product_Type_Member.objects \ .filter(product_type=product_type, role__in=roles) \ .values_list('user_id', flat=True) return users.filter(Q(id__in=product_type_members) | Q(is_superuser=True)) else: return users.filter(Q(id__in=product_type.authorized_users.all()) | Q(is_superuser=True) | Q(is_staff=True))
def get_authorized_product_api_scan_configurations(permission): user = get_current_user() if user is None: return Product_API_Scan_Configuration.objects.none() if user.is_superuser: return Product_API_Scan_Configuration.objects.all() if settings.FEATURE_AUTHORIZATION_V2: if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Product_API_Scan_Configuration.objects.all() if hasattr(user, 'global_role') and user.global_role.role is not None and role_has_permission(user.global_role.role.id, permission): return Product_API_Scan_Configuration.objects.all() for group in get_groups(user): if hasattr(group, 'global_role') and group.global_role.role is not None and role_has_permission(group.global_role.role.id, permission): return Product_API_Scan_Configuration.objects.all() roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('product_id'), group__users=user, role__in=roles) product_api_scan_configurations = Product_API_Scan_Configuration.objects.annotate( product__prod_type__member=Exists(authorized_product_type_roles), product__member=Exists(authorized_product_roles), product__prod_type__authorized_group=Exists(authorized_product_type_groups), product__authorized_group=Exists(authorized_product_groups)) product_api_scan_configurations = product_api_scan_configurations.filter( Q(product__prod_type__member=True) | Q(product__member=True) | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True)) else: if user.is_staff: product_api_scan_configurations = Product_API_Scan_Configuration.objects.all() else: product_api_scan_configurations = Product_API_Scan_Configuration.objects.filter( Q(product__authorized_users__in=[user]) | Q(product__prod_type__authorized_users__in=[user])) return product_api_scan_configurations
def get_authorized_users_for_product_type(users, product_type, permission): roles = get_roles_for_permission(permission) product_type_members = Product_Type_Member.objects \ .filter(product_type=product_type, role__in=roles) product_type_groups = Product_Type_Group.objects \ .filter(product_type=product_type, role__in=roles) group_members = Dojo_Group_Member.objects. \ filter(group__in=[ptg.group for ptg in product_type_groups]) return users.filter( Q(id__in=[ptm.user.id for ptm in product_type_members]) | Q(id__in=[gm.user.id for gm in group_members]) | Q(global_role__role__in=roles) | Q(is_superuser=True))
def get_authorized_tests(permission, product=None): user = get_current_user() if user is None: return Test.objects.none() tests = Test.objects.all() if product: tests = tests.filter(engagement__product=product) if user.is_superuser: return tests if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Test.objects.all() if user_has_global_permission(user, permission): return Test.objects.all() roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('engagement__product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('engagement__product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('engagement__product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('engagement__product_id'), group__users=user, role__in=roles) tests = tests.annotate( engagement__product__prod_type__member=Exists( authorized_product_type_roles), engagement__product__member=Exists(authorized_product_roles), engagement__product__prod_type__authorized_group=Exists( authorized_product_type_groups), engagement__product__authorized_group=Exists( authorized_product_groups)) tests = tests.filter( Q(engagement__product__prod_type__member=True) | Q(engagement__product__member=True) | Q(engagement__product__prod_type__authorized_group=True) | Q(engagement__product__authorized_group=True)) return tests
def get_authorized_endpoint_status(permission, queryset=None, user=None): if user is None: user = get_current_user() if user is None: return Endpoint_Status.objects.none() if queryset is None: endpoint_status = Endpoint_Status.objects.all() else: endpoint_status = queryset if user.is_superuser: return endpoint_status if user_has_global_permission(user, permission): return endpoint_status roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('endpoint__product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('endpoint__product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('endpoint__product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('endpoint__product_id'), group__users=user, role__in=roles) endpoint_status = endpoint_status.annotate( endpoint__product__prod_type__member=Exists( authorized_product_type_roles), endpoint__product__member=Exists(authorized_product_roles), endpoint__product__prod_type__authorized_group=Exists( authorized_product_type_groups), endpoint__product__authorized_group=Exists(authorized_product_groups)) endpoint_status = endpoint_status.filter( Q(endpoint__product__prod_type__member=True) | Q(endpoint__product__member=True) | Q(endpoint__product__prod_type__authorized_group=True) | Q(endpoint__product__authorized_group=True)) return endpoint_status
def get_authorized_groups(permission): user = get_current_user() if user is None: return Dojo_Group.objects.none() if user.is_superuser: return Dojo_Group.objects.all().order_by('name') roles = get_roles_for_permission(permission) authorized_roles = Dojo_Group_Member.objects.filter(group=OuterRef('pk'), user=user, role__in=roles) groups = Dojo_Group.objects.annotate( user=Exists(authorized_roles)).order_by('name') return groups.filter(user=True)
def get_authorized_users_for_product_type(users, product_type, permission): if settings.FEATURE_AUTHORIZATION_V2: roles = get_roles_for_permission(permission) product_type_members = Product_Type_Member.objects \ .filter(product_type=product_type, role__in=roles) product_type_groups = Product_Type_Group.objects \ .filter(product_type=product_type, role__in=roles) groups = Dojo_Group.objects \ .filter(id__in=[ptg.group.id for ptg in product_type_groups]) return users.filter(Q(id__in=[ptm.user.id for ptm in product_type_members]) | Q(groups__id__in=[gu.id for gu in groups]) | Q(is_superuser=True)) else: return users.filter(Q(id__in=product_type.authorized_users.all()) | Q(is_superuser=True) | Q(is_staff=True))
def get_authorized_cred_mappings(permission, queryset=None): user = get_current_user() if user is None: return Cred_Mapping.objects.none() if queryset is None: cred_mappings = Cred_Mapping.objects.all() else: cred_mappings = queryset if user.is_superuser: return cred_mappings if user_has_global_permission(user, permission): return cred_mappings roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('product_id'), group__users=user, role__in=roles) cred_mappings = cred_mappings.annotate( product__prod_type__member=Exists(authorized_product_type_roles), product__member=Exists(authorized_product_roles), product__prod_type__authorized_group=Exists(authorized_product_type_groups), product__authorized_group=Exists(authorized_product_groups)) cred_mappings = cred_mappings.filter( Q(product__prod_type__member=True) | Q(product__member=True) | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True)) return cred_mappings
def get_authorized_findings(permission, queryset=None, user=None): if user is None: user = get_current_user() if user is None: return Finding.objects.none() if queryset is None: findings = Finding.objects.all() else: findings = queryset if user.is_superuser: return findings if settings.FEATURE_AUTHORIZATION_V2: if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return findings roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('test__engagement__product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('test__engagement__product_id'), user=user, role__in=roles) findings = findings.annotate( test__engagement__product__prod_type__member=Exists( authorized_product_type_roles), test__engagement__product__member=Exists(authorized_product_roles)) findings = findings.filter( Q(test__engagement__product__prod_type__member=True) | Q(test__engagement__product__member=True)) else: if not user.is_staff: findings = findings.filter( Q(test__engagement__product__authorized_users__in=[user]) | Q(test__engagement__product__prod_type__authorized_users__in=[ user ])) return findings
def get_authorized_stub_findings(permission): user = get_current_user() if user is None: return Stub_Finding.objects.none() if user.is_superuser: return Stub_Finding.objects.all() if user_has_global_permission(user, permission): return Stub_Finding.objects.all() roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('test__engagement__product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('test__engagement__product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('test__engagement__product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('test__engagement__product_id'), group__users=user, role__in=roles) findings = Stub_Finding.objects.annotate( test__engagement__product__prod_type__member=Exists( authorized_product_type_roles), test__engagement__product__member=Exists(authorized_product_roles), test__engagement__product__prod_type__authorized_group=Exists( authorized_product_type_groups), test__engagement__product__authorized_group=Exists( authorized_product_groups)) findings = findings.filter( Q(test__engagement__product__prod_type__member=True) | Q(test__engagement__product__member=True) | Q(test__engagement__product__prod_type__authorized_group=True) | Q(test__engagement__product__authorized_group=True)) return findings
def get_authorized_product_types(permission): user = get_current_user() if user.is_superuser: return Product_Type.objects.all().order_by('name') if settings.FEATURE_NEW_AUTHORIZATION: roles = get_roles_for_permission(permission) authorized_roles = Product_Type_Member.objects.filter(product_type=OuterRef('pk'), user=user, role__in=roles) product_types = Product_Type.objects.annotate(member=Exists(authorized_roles)).order_by('name') product_types = product_types.filter(member=True) else: if user.is_staff: product_types = Product_Type.objects.all().order_by('name') else: product_types = Product_Type.objects.filter(authorized_users__in=[user]).order_by('name') return product_types
def get_authorized_endpoint_status(permission, queryset=None, user=None): if user is None: user = get_current_user() if user is None: return Endpoint_Status.objects.none() if queryset is None: endpoint_status = Endpoint_Status.objects.all() else: endpoint_status = queryset if user.is_superuser: return endpoint_status if settings.FEATURE_AUTHORIZATION_V2: if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return endpoint_status roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('endpoint__product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('endpoint__product_id'), user=user, role__in=roles) endpoint_status = endpoint_status.annotate( endpoint__product__prod_type__member=Exists( authorized_product_type_roles), endpoint__product__member=Exists(authorized_product_roles)) endpoint_status = endpoint_status.filter( Q(endpoint__product__prod_type__member=True) | Q(endpoint__product__member=True)) else: if not user.is_staff: endpoint_status = endpoint_status.filter( Q(endpoint__product__authorized_users__in=[user]) | Q(endpoint__product__prod_type__authorized_users__in=[user])) return endpoint_status
def get_authorized_engagement_presets(permission): user = get_current_user() if user is None: return Engagement_Presets.objects.none() if user.is_superuser: return Engagement_Presets.objects.all().order_by('title') if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Engagement_Presets.objects.all().order_by('title') if user_has_global_permission(user, permission): return Engagement_Presets.objects.all().order_by('title') roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('product_id'), group__users=user, role__in=roles) engagement_presets = Engagement_Presets.objects.annotate( product__prod_type__member=Exists(authorized_product_type_roles), product__member=Exists(authorized_product_roles), product__prod_type__authorized_group=Exists( authorized_product_type_groups), product__authorized_group=Exists(authorized_product_groups)).order_by( 'title') engagement_presets = engagement_presets.filter( Q(product__prod_type__member=True) | Q(product__member=True) | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True)) return engagement_presets
def get_authorized_products(permission, user=None): if user is None: user = get_current_user() if user is None: return Product.objects.none() if user.is_superuser: return Product.objects.all().order_by('name') if user_has_global_permission(user, permission): return Product.objects.all().order_by('name') roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('pk'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('pk'), group__users=user, role__in=roles) products = Product.objects.annotate( prod_type__member=Exists(authorized_product_type_roles), member=Exists(authorized_product_roles), prod_type__authorized_group=Exists(authorized_product_type_groups), authorized_group=Exists(authorized_product_groups)).order_by('name') products = products.filter( Q(prod_type__member=True) | Q(member=True) | Q(prod_type__authorized_group=True) | Q(authorized_group=True)) return products
def get_authorized_product_api_scan_configurations(permission): user = get_current_user() if user is None: return Product_API_Scan_Configuration.objects.none() if user.is_superuser: return Product_API_Scan_Configuration.objects.all() if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Product_API_Scan_Configuration.objects.all() if user_has_global_permission(user, permission): return Product_API_Scan_Configuration.objects.all() roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('product_id'), group__users=user, role__in=roles) product_api_scan_configurations = Product_API_Scan_Configuration.objects.annotate( product__prod_type__member=Exists(authorized_product_type_roles), product__member=Exists(authorized_product_roles), product__prod_type__authorized_group=Exists( authorized_product_type_groups), product__authorized_group=Exists(authorized_product_groups)) product_api_scan_configurations = product_api_scan_configurations.filter( Q(product__prod_type__member=True) | Q(product__member=True) | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True)) return product_api_scan_configurations
def get_authorized_test_imports(permission): user = get_current_user() if user is None: return Test_Import.objects.none() if user.is_superuser: return Test_Import.objects.all() if settings.FEATURE_AUTHORIZATION_V2: if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Test_Import.objects.all() roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('test__engagement__product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('test__engagement__product_id'), user=user, role__in=roles) test_imports = Test_Import.objects.annotate( test__engagement__product__prod_type__member=Exists( authorized_product_type_roles), test__engagement__product__member=Exists(authorized_product_roles)) test_imports = test_imports.filter( Q(test__engagement__product__prod_type__member=True) | Q(test__engagement__product__member=True)) else: if user.is_staff: test_imports = Test_Import.objects.all() else: test_imports = Test_Import.objects.filter( Q(test__engagement__product__authorized_users__in=[user]) | Q(test__engagement__product__prod_type__authorized_users__in=[ user ])) return test_imports
def get_authorized_users_for_product_and_product_type(users, product, permission): if users is None: users = Dojo_User.objects.filter(is_active=True) roles = get_roles_for_permission(permission) product_members = Product_Member.objects \ .filter(product=product, role__in=roles) product_type_members = Product_Type_Member.objects \ .filter(product_type=product.prod_type, role__in=roles) product_groups = Product_Group.objects \ .filter(product=product, role__in=roles) product_type_groups = Product_Type_Group.objects \ .filter(product_type=product.prod_type, role__in=roles) group_members = Dojo_Group_Member.objects.filter( Q(group__in=[pg.group for pg in product_groups]) | Q(group__in=[ptg.group for ptg in product_type_groups])) return users.filter( Q(id__in=[pm.user.id for pm in product_members]) | Q(id__in=[ptm.user.id for ptm in product_type_members]) | Q(id__in=[gm.user.id for gm in group_members]) | Q(global_role__role__in=roles) | Q(is_superuser=True))
def get_authorized_tool_product_settings(permission): user = get_current_user() if user is None: return Tool_Product_Settings.objects.none() if user.is_superuser: return Tool_Product_Settings.objects.all() if user_has_global_permission(user, permission): return Tool_Product_Settings.objects.all() roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('product_id'), group__users=user, role__in=roles) tool_product_settings = Tool_Product_Settings.objects.annotate( product__prod_type__member=Exists(authorized_product_type_roles), product__member=Exists(authorized_product_roles), product__prod_type__authorized_group=Exists( authorized_product_type_groups), product__authorized_group=Exists(authorized_product_groups)) tool_product_settings = tool_product_settings.filter( Q(product__prod_type__member=True) | Q(product__member=True) | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True)) return tool_product_settings
def test_get_roles_for_permission_success(self): result = get_roles_for_permission(Permissions.Product_Type_Manage_Members) expected = {Roles.Maintainer, Roles.Owner} self.assertEqual(result, expected)
def test_get_roles_for_permission_exception(self): with self.assertRaisesMessage(PermissionDoesNotExistError, 'Permission 9999 does not exist'): get_roles_for_permission(9999)
def get_authorized_findings(permission, queryset=None, user=None): if user is None: user = get_current_user() if user is None: return Finding.objects.none() if queryset is None: findings = Finding.objects.all() else: findings = queryset if user.is_superuser: return findings if settings.FEATURE_AUTHORIZATION_V2: if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return findings if hasattr( user, 'global_role' ) and user.global_role.role is not None and role_has_permission( user.global_role.role.id, permission): return findings for group in get_groups(user): if hasattr( group, 'global_role' ) and group.global_role.role is not None and role_has_permission( group.global_role.role.id, permission): return findings roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('test__engagement__product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('test__engagement__product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('test__engagement__product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('test__engagement__product_id'), group__users=user, role__in=roles) findings = findings.annotate( test__engagement__product__prod_type__member=Exists( authorized_product_type_roles), test__engagement__product__member=Exists(authorized_product_roles), test__engagement__product__prod_type__authorized_group=Exists( authorized_product_type_groups), test__engagement__product__authorized_group=Exists( authorized_product_groups)) findings = findings.filter( Q(test__engagement__product__prod_type__member=True) | Q(test__engagement__product__member=True) | Q(test__engagement__product__prod_type__authorized_group=True) | Q(test__engagement__product__authorized_group=True)) else: if not user.is_staff: findings = findings.filter( Q(test__engagement__product__authorized_users__in=[user]) | Q(test__engagement__product__prod_type__authorized_users__in=[ user ])) return findings
def get_authorized_dojo_meta(permission): user = get_current_user() if user is None: return DojoMeta.objects.none() if user.is_superuser: return DojoMeta.objects.all().order_by('name') if user_has_global_permission(user, permission): return DojoMeta.objects.all().order_by('name') roles = get_roles_for_permission(permission) product_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) product_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) product_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('product__prod_type_id'), group__users=user, role__in=roles) product_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('product_id'), group__users=user, role__in=roles) endpoint_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('endpoint__product__prod_type_id'), user=user, role__in=roles) endpoint_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('endpoint__product_id'), user=user, role__in=roles) endpoint_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('endpoint__product__prod_type_id'), group__users=user, role__in=roles) endpoint_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('endpoint__product_id'), group__users=user, role__in=roles) finding_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('finding__test__engagement__product__prod_type_id'), user=user, role__in=roles) finding_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('finding__test__engagement__product_id'), user=user, role__in=roles) finding_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('finding__test__engagement__product__prod_type_id'), group__users=user, role__in=roles) finding_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('finding__test__engagement__product_id'), group__users=user, role__in=roles) dojo_meta = DojoMeta.objects.annotate( product__prod_type__member=Exists(product_authorized_product_type_roles), product__member=Exists(product_authorized_product_roles), product__prod_type__authorized_group=Exists(product_authorized_product_type_groups), product__authorized_group=Exists(product_authorized_product_groups), endpoint__product__prod_type__member=Exists(endpoint_authorized_product_type_roles), endpoint__product__member=Exists(endpoint_authorized_product_roles), endpoint__product__prod_type__authorized_group=Exists(endpoint_authorized_product_type_groups), endpoint__product__authorized_group=Exists(endpoint_authorized_product_groups), finding__test__engagement__product__prod_type__member=Exists(finding_authorized_product_type_roles), finding__test__engagement__product__member=Exists(finding_authorized_product_roles), finding__test__engagement__product__prod_type__authorized_group=Exists(finding_authorized_product_type_groups), finding__test__engagement__product__authorized_group=Exists(finding_authorized_product_groups) ).order_by('name') dojo_meta = dojo_meta.filter( Q(product__prod_type__member=True) | Q(product__member=True) | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True) | Q(endpoint__product__prod_type__member=True) | Q(endpoint__product__member=True) | Q(endpoint__product__prod_type__authorized_group=True) | Q(endpoint__product__authorized_group=True) | Q(finding__test__engagement__product__prod_type__member=True) | Q(finding__test__engagement__product__member=True) | Q(finding__test__engagement__product__prod_type__authorized_group=True) | Q(finding__test__engagement__product__authorized_group=True)) return dojo_meta
def get_authorized_dojo_meta(permission): user = get_current_user() if user is None: return DojoMeta.objects.none() if user.is_superuser: return DojoMeta.objects.all().order_by('name') if settings.FEATURE_AUTHORIZATION_V2: if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return DojoMeta.objects.all().order_by('name') roles = get_roles_for_permission(permission) product_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) product_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) endpoint_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('endpoint__product__prod_type_id'), user=user, role__in=roles) endpoint_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('endpoint__product_id'), user=user, role__in=roles) finding_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('finding__test__engagement__product__prod_type_id'), user=user, role__in=roles) finding_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('finding__test__engagement__product_id'), user=user, role__in=roles) dojo_meta = DojoMeta.objects.annotate( product__prod_type__member=Exists(product_authorized_product_type_roles), product__member=Exists(product_authorized_product_roles), endpoint_product__prod_type__member=Exists(endpoint_authorized_product_type_roles), endpoint_product__member=Exists(endpoint_authorized_product_roles), finding__test__engagement__product__prod_type__member=Exists(finding_authorized_product_type_roles), finding__test__engagement__product__member=Exists(finding_authorized_product_roles) ).order_by('name') dojo_meta = dojo_meta.filter( Q(product__prod_type__member=True) | Q(product__member=True) | Q(endpoint_product__prod_type__member=True) | Q(endpoint_product__member=True) | Q(finding__test__engagement__product__prod_type__member=True) | Q(finding__test__engagement__product__member=True)) else: if user.is_staff: dojo_meta = DojoMeta.objects.all().order_by('name') else: dojo_meta = DojoMeta.objects.filter( Q(product__authorized_users__in=[user]) | Q(product__prod_type__authorized_users__in=[user]) | Q(endpoint__product__authorized_users__in=[user]) | Q(endpoint__product__prod_type__authorized_users__in=[user]) | Q(finding__test__engagement__product__authorized_users__in=[user]) | Q(finding__test__engagement__product__prod_type__authorized_users__in=[user]) ).order_by('name') return dojo_meta
def get_authorized_jira_issues(permission): user = get_current_user() if user is None: return JIRA_Issue.objects.none() jira_issues = JIRA_Issue.objects.all() if user.is_superuser: return jira_issues if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return jira_issues if user_has_global_permission(user, permission): return jira_issues roles = get_roles_for_permission(permission) engagement_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('engagement__product__prod_type_id'), user=user, role__in=roles) engagement_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('engagement__product_id'), user=user, role__in=roles) engagement_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('engagement__product__prod_type_id'), group__users=user, role__in=roles) engagement_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('engagement__product_id'), group__users=user, role__in=roles) finding_group_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef( 'finding_group__test__engagement__product__prod_type_id'), user=user, role__in=roles) finding_group_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('finding_group__test__engagement__product_id'), user=user, role__in=roles) finding_group_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef( 'finding_group__test__engagement__product__prod_type_id'), group__users=user, role__in=roles) finding_group_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('finding_group__test__engagement__product_id'), group__users=user, role__in=roles) finding_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef( 'finding__test__engagement__product__prod_type_id'), user=user, role__in=roles) finding_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('finding__test__engagement__product_id'), user=user, role__in=roles) finding_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef( 'finding__test__engagement__product__prod_type_id'), group__users=user, role__in=roles) finding_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('finding__test__engagement__product_id'), group__users=user, role__in=roles) jira_issues = jira_issues.annotate( engagement__product__prod_type__member=Exists( engagement_authorized_product_type_roles), engagement__product__member=Exists( engagement_authorized_product_roles), engagement__product__prod_type__authorized_group=Exists( engagement_authorized_product_type_groups), engagement__product__authorized_group=Exists( engagement_authorized_product_groups), finding_group__test__engagement__product__prod_type__member=Exists( finding_group_authorized_product_type_roles), finding_group__test__engagement__product__member=Exists( finding_group_authorized_product_roles), finding_group__test__engagement__product__prod_type__authorized_group= Exists(finding_group_authorized_product_type_groups), finding_group__test__engagement__product__authorized_group=Exists( finding_group_authorized_product_groups), finding__test__engagement__product__prod_type__member=Exists( finding_authorized_product_type_roles), finding__test__engagement__product__member=Exists( finding_authorized_product_roles), finding__test__engagement__product__prod_type__authorized_group=Exists( finding_authorized_product_type_groups), finding__test__engagement__product__authorized_group=Exists( finding_authorized_product_groups)) jira_issues = jira_issues.filter( Q(engagement__product__prod_type__member=True) | Q(engagement__product__member=True) | Q(engagement__product__prod_type__authorized_group=True) | Q(engagement__product__authorized_group=True) | Q(finding_group__test__engagement__product__prod_type__member=True) | Q(finding_group__test__engagement__product__member=True) | Q(finding_group__test__engagement__product__prod_type__authorized_group =True) | Q(finding_group__test__engagement__product__authorized_group=True) | Q(finding__test__engagement__product__prod_type__member=True) | Q(finding__test__engagement__product__member=True) | Q(finding__test__engagement__product__prod_type__authorized_group=True) | Q(finding__test__engagement__product__authorized_group=True)) return jira_issues