def view_tool_product(request, pid, ttid): tool = Tool_Product_Settings.objects.get(pk=ttid) notes = tool.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() tool.notes.add(new_note) form = NoteForm() # url = request.build_absolute_uri(reverse("view_test", args=(test.id,))) # title="Test: %s on %s" % (test.test_type.name, test.engagement.product.name) # process_notifications(request, new_note, url, title) messages.add_message( request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() add_breadcrumb( title="View Product Tool Configuration", top_level=False, request=request) return render(request, 'dojo/view_tool_product.html', { 'tool': tool, 'notes': notes, 'form': form })
def view_cred_details(request, ttid): cred = Cred_User.objects.get(pk=ttid) notes = cred.notes.all() cred_products = Cred_Mapping.objects.select_related('product').filter( product_id__isnull=False, cred_id=ttid).order_by('product__name') if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() cred.notes.add(new_note) form = NoteForm() messages.add_message( request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() add_breadcrumb(title="View", top_level=False, request=request) return render(request, 'dojo/view_cred_details.html', { 'cred': cred, 'form': form, 'notes': notes, 'cred_products': cred_products })
def view_test(request, tid): test = Test.objects.get(id=tid) prod = test.engagement.product auth = request.user.is_staff or request.user in prod.authorized_users.all() if not auth: # will render 403 raise PermissionDenied notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test).order_by('numerical_severity') stub_findings = Stub_Finding.objects.filter(test=test) cred_test = Cred_Mapping.objects.filter(test=test).select_related('cred_id').order_by('cred_id') creds = Cred_Mapping.objects.filter(engagement=test.engagement).select_related('cred_id').order_by('cred_id') if request.method == 'POST' and request.user.is_staff: form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() test.notes.add(new_note) form = NoteForm() url = request.build_absolute_uri(reverse("view_test", args=(test.id,))) title = "Test: %s on %s" % (test.test_type.name, test.engagement.product.name) process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) product_tab = Product_Tab(prod.id, title="Test", tab="engagements") product_tab.setEngagement(test.engagement) return render(request, 'dojo/view_test.html', {'test': test, 'product_tab': product_tab, 'findings': fpage, 'findings_count': findings.count(), 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'creds': creds, 'cred_test': cred_test })
def view_cred_finding(request, fid, ttid): cred = get_object_or_404( Cred_Mapping.objects.select_related('cred_id'), id=ttid) cred_product = Cred_Mapping.objects.filter( cred_id=cred.cred_id.id, product=cred.finding.test.engagement.product.id).first() notes = cred.cred_id.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() cred.cred_id.notes.add(new_note) form = NoteForm() messages.add_message( request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() add_breadcrumb( title="Credential Manager", top_level=False, request=request) cred_type = "Finding" edit_link = None view_link = reverse( 'view_cred_finding', args=( fid, cred.id, )) delete_link = reverse( 'delete_cred_finding', args=( fid, cred.id, )) return render( request, 'dojo/view_cred_all_details.html', { 'cred': cred, 'form': form, 'notes': notes, 'cred_type': cred_type, 'edit_link': edit_link, 'delete_link': delete_link, 'cred_product': cred_product })
def view_test(request, tid): test = Test.objects.get(id=tid) prod = test.engagement.product auth = request.user.is_staff or request.user in prod.authorized_users.all() if not auth: # will render 403 raise PermissionDenied notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test).order_by('numerical_severity') stub_findings = Stub_Finding.objects.filter(test=test) cred_test = Cred_Mapping.objects.filter( test=test).select_related('cred_id').order_by('cred_id') creds = Cred_Mapping.objects.filter( engagement=test.engagement).select_related('cred_id').order_by( 'cred_id') if request.method == 'POST' and request.user.is_staff: form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() test.notes.add(new_note) form = NoteForm() url = request.build_absolute_uri( reverse("view_test", args=(test.id, ))) title = "Test: %s on %s" % (test.test_type.name, test.engagement.product.name) process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) product_tab = Product_Tab(prod.id, title="Test", tab="engagements") product_tab.setEngagement(test.engagement) return render( request, 'dojo/view_test.html', { 'test': test, 'product_tab': product_tab, 'findings': fpage, 'findings_count': findings.count(), 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'creds': creds, 'cred_test': cred_test })
def view_tool_product(request, pid, ttid): tool = Tool_Product_Settings.objects.get(pk=ttid) notes = tool.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() tool.notes.add(new_note) form = NoteForm() # url = request.build_absolute_uri(reverse("view_test", args=(test.id,))) # title="Test: %s on %s" % (test.test_type.name, test.engagement.product.name) # process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() add_breadcrumb(title="View Product Tool Configuration", top_level=False, request=request) return render(request, 'dojo/view_tool_product.html', { 'tool': tool, 'notes': notes, 'form': form })
def view_test(request, tid): test = Test.objects.get(id=tid) notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test) stub_findings = Stub_Finding.objects.filter(test=test) cred_test = Cred_Mapping.objects.filter( test=test).select_related('cred_id').order_by('cred_id') creds = Cred_Mapping.objects.filter( engagement=test.engagement).select_related('cred_id').order_by( 'cred_id') if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() test.notes.add(new_note) form = NoteForm() url = request.build_absolute_uri( reverse("view_test", args=(test.id, ))) title = "Test: %s on %s" % (test.test_type.name, test.engagement.product.name) process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) ajax_url = reverse('api_dispatch_list', kwargs={ 'resource_name': 'stub_findings', 'api_name': 'v1_a' }) add_breadcrumb(parent=test, top_level=False, request=request) return render( request, 'dojo/view_test.html', { 'test': test, 'findings': fpage, 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'ajax_url': ajax_url, 'creds': creds, 'cred_test': cred_test })
def edit_issue(request, id, page, objid): note = get_object_or_404(Notes, id=id) reverse_url = None object_id = None if page is None or str( request.user ) != note.author.username and not request.user.is_superuser: raise PermissionDenied if page == "test": object = get_object_or_404(Test, id=objid) object_id = object.id reverse_url = "view_test" elif page == "finding": object = get_object_or_404(Finding, id=objid) object_id = object.id reverse_url = "view_finding" if request.method == 'POST': form = NoteForm(request.POST, instance=note) if form.is_valid(): note = form.save(commit=False) note.edited = True note.editor = request.user note.edit_time = timezone.now() history = NoteHistory(data=note.entry, time=note.edit_time, current_editor=note.editor) history.save() note.history.add(history) note.save() object.last_reviewed = note.date object.last_reviewed_by = request.user object.save() form = NoteForm() messages.add_message(request, messages.SUCCESS, 'Note edited.', extra_tags='alert-success') return HttpResponseRedirect( reverse(reverse_url, args=(object_id, ))) else: messages.add_message(request, messages.SUCCESS, 'Note was not succesfully edited.', extra_tags='alert-danger') else: form = NoteForm(instance=note) return render(request, 'dojo/edit_note.html', { 'note': note, 'form': form, 'page': page, 'objid': objid, })
def view_finding(request, fid): finding = get_object_or_404(Finding, id=fid) user = request.user if (user.is_staff or user in finding.test.engagement.product.authorized_users.all()): pass # user is authorized for this product else: raise PermissionDenied notes = finding.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() finding.notes.add(new_note) finding.last_reviewed = new_note.date finding.last_reviewed_by = user finding.save() form = NoteForm() messages.add_message(request, messages.SUCCESS, 'Note saved.', extra_tags='alert-success') else: form = NoteForm() try: reqres = BurpRawRequestResponse.objects.get(finding=finding) burp_request = base64.b64decode(reqres.burpRequestBase64) burp_response = base64.b64decode(reqres.burpResponseBase64) except: reqres = None burp_request = None burp_response = None add_breadcrumb(parent=finding, top_level=False, request=request) return render(request, 'dojo/view_finding.html', {'finding': finding, 'burp_request': burp_request, 'burp_response': burp_response, 'user': user, 'notes': notes, 'form': form})
def view_test(request, tid): test = Test.objects.get(id=tid) notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test) stub_findings = Stub_Finding.objects.filter(test=test) cred_test = Cred_Mapping.objects.filter(test=test).select_related('cred_id').order_by('cred_id') creds = Cred_Mapping.objects.filter(engagement=test.engagement).select_related('cred_id').order_by('cred_id') if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() test.notes.add(new_note) form = NoteForm() url = request.build_absolute_uri(reverse("view_test", args=(test.id,))) title="Test: %s on %s" % (test.test_type.name, test.engagement.product.name) process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) add_breadcrumb(parent=test, top_level=False, request=request) return render(request, 'dojo/view_test.html', {'test': test, 'findings': fpage, 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'creds': creds, 'cred_test': cred_test })
def view_test(request, tid): test = Test.objects.get(id=tid) notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test) stub_findings = Stub_Finding.objects.filter(test=test) if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() test.notes.add(new_note) form = NoteForm() messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) ajax_url = reverse('api_dispatch_list', kwargs={'resource_name': 'stub_findings', 'api_name': 'v1_a'}) add_breadcrumb(parent=test, top_level=False, request=request) return render(request, 'dojo/view_test.html', {'test': test, 'findings': fpage, 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'ajax_url': ajax_url, })
def view_finding(request, fid): finding = get_object_or_404(Finding, id=fid) user = request.user if user.is_staff or user in finding.test.engagement.product.authorized_users.all( ): pass # user is authorized for this product else: raise PermissionDenied notes = finding.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() finding.notes.add(new_note) finding.last_reviewed = new_note.date finding.last_reviewed_by = user finding.save() form = NoteForm() messages.add_message(request, messages.SUCCESS, 'Note saved.', extra_tags='alert-success') else: form = NoteForm() try: reqres = BurpRawRequestResponse.objects.get(finding=finding) burp_request = base64.b64decode(reqres.burpRequestBase64) burp_response = base64.b64decode(reqres.burpResponseBase64) except: reqres = None burp_request = None burp_response = None add_breadcrumb(parent=finding, top_level=False, request=request) return render( request, 'dojo/view_finding.html', { 'finding': finding, 'burp_request': burp_request, 'burp_response': burp_response, 'user': user, 'notes': notes, 'form': form })
def view_test(request, tid): test = Test.objects.get(id=tid) notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test) stub_findings = Stub_Finding.objects.filter(test=test) if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() test.notes.add(new_note) form = NoteForm() messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) ajax_url = reverse('api_dispatch_list', kwargs={ 'resource_name': 'stub_findings', 'api_name': 'v1_a' }) add_breadcrumb(parent=test, top_level=False, request=request) return render( request, 'dojo/view_test.html', { 'test': test, 'findings': fpage, 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'ajax_url': ajax_url, })
def view_test(request, tid): if request.user.is_superuser: test = get_object_or_404(Test, id=tid) else: test = get_object_or_404(Test, id=tid, engagement__product__authorized_users__in=[request.user]) notes = test.notes.all() person = request.user.username findings = Finding.objects.filter(test=test).order_by('-score') stub_findings = Stub_Finding.objects.filter(test=test) if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() test.notes.add(new_note) form = NoteForm() url = request.build_absolute_uri(reverse("view_test", args=(test.id,))) title="Test: %s on %s" % (test.test_type.name, test.engagement.product.name) process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: form = NoteForm() fpage = get_page_items(request, findings, 25) sfpage = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) add_breadcrumb(parent=test, top_level=False, request=request) return render(request, 'dojo/view_test.html', {'test': test, 'findings': fpage, 'stub_findings': sfpage, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, })
def view_finding(request, fid): finding = get_object_or_404(Finding, id=fid) user = request.user try: jissue = JIRA_Issue.objects.get(finding=finding) except: jissue = None pass try: jpkey = JIRA_PKey.objects.get(product=finding.test.engagement.product) jconf = jpkey.conf except: jconf = None pass dojo_user = get_object_or_404(Dojo_User, id=user.id) if user.is_staff or user in finding.test.engagement.product.authorized_users.all( ): pass # user is authorized for this product else: raise PermissionDenied notes = finding.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() finding.notes.add(new_note) finding.last_reviewed = new_note.date finding.last_reviewed_by = user finding.save() if jissue is not None: add_comment_task(finding, new_note) form = NoteForm() url = request.build_absolute_uri( reverse("view_finding", args=(finding.id, ))) title = "Finding: " + finding.title process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note saved.', extra_tags='alert-success') else: form = NoteForm() try: reqres = BurpRawRequestResponse.objects.get(finding=finding) burp_request = base64.b64decode(reqres.burpRequestBase64) burp_response = base64.b64decode(reqres.burpResponseBase64) except: reqres = None burp_request = None burp_response = None add_breadcrumb(parent=finding, top_level=False, request=request) return render( request, 'dojo/view_finding.html', { 'finding': finding, 'burp_request': burp_request, 'jissue': jissue, 'jconf': jconf, 'burp_response': burp_response, 'dojo_user': dojo_user, 'user': user, 'notes': notes, 'form': form })
def view_risk(request, eid, raid): risk_approval = get_object_or_404(Risk_Acceptance, pk=raid) eng = get_object_or_404(Engagement, pk=eid) if (request.user.is_staff or request.user in eng.product.authorized_users.all()): pass else: raise PermissionDenied a_file = risk_approval.path if request.method == 'POST': note_form = NoteForm(request.POST) if note_form.is_valid(): new_note = note_form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() risk_approval.notes.add(new_note) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') if 'delete_note' in request.POST: note = get_object_or_404(Notes, pk=request.POST['delete_note_id']) if note.author.username == request.user.username: risk_approval.notes.remove(note) note.delete() messages.add_message(request, messages.SUCCESS, 'Note deleted successfully.', extra_tags='alert-success') else: messages.add_message( request, messages.ERROR, "Since you are not the note's author, it was not deleted.", extra_tags='alert-danger') if 'remove_finding' in request.POST: finding = get_object_or_404(Finding, pk=request.POST['remove_finding_id']) risk_approval.accepted_findings.remove(finding) finding.active = True finding.save() messages.add_message(request, messages.SUCCESS, 'Finding removed successfully.', extra_tags='alert-success') if 'replace_file' in request.POST: replace_form = ReplaceRiskAcceptanceForm(request.POST, request.FILES, instance=risk_approval) if replace_form.is_valid(): risk_approval.path.delete(save=False) risk_approval.path = replace_form.cleaned_data['path'] risk_approval.save() messages.add_message(request, messages.SUCCESS, 'File replaced successfully.', extra_tags='alert-success') if 'add_findings' in request.POST: add_findings_form = AddFindingsRiskAcceptanceForm( request.POST, request.FILES, instance=risk_approval) if add_findings_form.is_valid(): findings = add_findings_form.cleaned_data['accepted_findings'] for finding in findings: finding.active = False finding.save() risk_approval.accepted_findings.add(finding) risk_approval.save() messages.add_message(request, messages.SUCCESS, 'Finding%s added successfully.' % ('s' if len(findings) > 1 else ''), extra_tags='alert-success') note_form = NoteForm() replace_form = ReplaceRiskAcceptanceForm() add_findings_form = AddFindingsRiskAcceptanceForm() exclude_findings = [ finding.id for ra in eng.risk_acceptance.all() for finding in ra.accepted_findings.all() ] findings = Finding.objects.filter(test__in=eng.test_set.all()) \ .exclude(id__in=exclude_findings).order_by("title") add_fpage = get_page_items(request, findings, 10, 'apage') add_findings_form.fields[ "accepted_findings"].queryset = add_fpage.object_list fpage = get_page_items( request, risk_approval.accepted_findings.order_by('numerical_severity'), 15) authorized = (request.user == risk_approval.reporter.username or request.user.is_staff) add_breadcrumb(parent=risk_approval, top_level=False, request=request) return render( request, 'dojo/view_risk.html', { 'risk_approval': risk_approval, 'accepted_findings': fpage, 'notes': risk_approval.notes.all(), 'a_file': a_file, 'eng': eng, 'note_form': note_form, 'replace_form': replace_form, 'add_findings_form': add_findings_form, 'show_add_findings_form': len(findings), 'request': request, 'add_findings': add_fpage, 'authorized': authorized, })
def view_test(request, tid): test_prefetched = get_authorized_tests(Permissions.Test_View) test_prefetched = test_prefetched.annotate( total_reimport_count=Count('test_import__id', distinct=True)) # tests_prefetched = test_prefetched.prefetch_related(Prefetch('test_import_set', queryset=Test_Import.objects.filter(~Q(findings_affected=None)))) # tests_prefetched = test_prefetched.prefetch_related('test_import_set') # test_prefetched = test_prefetched.prefetch_related('test_import_set__test_import_finding_action_set') test = get_object_or_404(test_prefetched, pk=tid) # test = get_object_or_404(Test, pk=tid) prod = test.engagement.product notes = test.notes.all() note_type_activation = Note_Type.objects.filter(is_active=True).count() if note_type_activation: available_note_types = find_available_notetypes(notes) files = test.files.all() person = request.user.username findings = Finding.objects.filter(test=test).order_by('numerical_severity') findings = FindingFilter(request.GET, queryset=findings) stub_findings = Stub_Finding.objects.filter(test=test) cred_test = Cred_Mapping.objects.filter( test=test).select_related('cred_id').order_by('cred_id') creds = Cred_Mapping.objects.filter( engagement=test.engagement).select_related('cred_id').order_by( 'cred_id') system_settings = get_object_or_404(System_Settings, id=1) if request.method == 'POST': user_has_permission_or_403(request.user, test, Permissions.Note_Add) if note_type_activation: form = TypedNoteForm(request.POST, available_note_types=available_note_types) else: form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() test.notes.add(new_note) if note_type_activation: form = TypedNoteForm(available_note_types=available_note_types) else: form = NoteForm() url = request.build_absolute_uri( reverse("view_test", args=(test.id, ))) title = "Test: %s on %s" % (test.test_type.name, test.engagement.product.name) process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: if note_type_activation: form = TypedNoteForm(available_note_types=available_note_types) else: form = NoteForm() title_words = get_words_for_field(Finding, 'title') component_words = get_words_for_field(Finding, 'component_name') # test_imports = test.test_import_set.all() test_imports = Test_Import.objects.filter(test=test) test_import_filter = TestImportFilter(request.GET, test_imports) paged_test_imports = get_page_items_and_count(request, test_import_filter.qs, 5, prefix='test_imports') paged_test_imports.object_list = paged_test_imports.object_list.prefetch_related( 'test_import_finding_action_set') paged_findings = get_page_items_and_count(request, prefetch_for_findings( findings.qs), 25, prefix='findings') paged_stub_findings = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in get_choices_sorted()) product_tab = Product_Tab(prod.id, title="Test", tab="engagements") product_tab.setEngagement(test.engagement) jira_project = jira_helper.get_jira_project(test) finding_groups = test.finding_group_set.all().prefetch_related( 'findings', 'jira_issue', 'creator') bulk_edit_form = FindingBulkUpdateForm(request.GET) google_sheets_enabled = system_settings.enable_google_sheets sheet_url = None if google_sheets_enabled and system_settings.credentials: spreadsheet_name = test.engagement.product.name + "-" + test.engagement.name + "-" + str( test.id) system_settings = get_object_or_404(System_Settings, id=1) service_account_info = json.loads(system_settings.credentials) SCOPES = ['https://www.googleapis.com/auth/drive'] credentials = service_account.Credentials.from_service_account_info( service_account_info, scopes=SCOPES) try: drive_service = googleapiclient.discovery.build( 'drive', 'v3', credentials=credentials, cache_discovery=False) folder_id = system_settings.drive_folder_ID gs_files = drive_service.files().list( q="mimeType='application/vnd.google-apps.spreadsheet' and parents in '%s' and name='%s'" % (folder_id, spreadsheet_name), spaces='drive', pageSize=10, fields='files(id, name)').execute() except googleapiclient.errors.HttpError: messages.add_message( request, messages.ERROR, "There is a problem with the Google Sheets Sync Configuration. Contact your system admin to solve the issue. Until fixed, the Google Sheets Sync feature cannot be used.", extra_tags="alert-danger", ) google_sheets_enabled = False except httplib2.ServerNotFoundError: messages.add_message( request, messages.ERROR, "Unable to reach the Google Sheet API.", extra_tags="alert-danger", ) else: spreadsheets = gs_files.get('files') if len(spreadsheets) == 1: spreadsheetId = spreadsheets[0].get('id') sheet_url = 'https://docs.google.com/spreadsheets/d/' + spreadsheetId return render( request, 'dojo/view_test.html', { 'test': test, 'prod': prod, 'product_tab': product_tab, 'findings': paged_findings, 'filtered': findings, 'stub_findings': paged_stub_findings, 'title_words': title_words, 'component_words': component_words, 'form': form, 'notes': notes, 'files': files, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'creds': creds, 'cred_test': cred_test, 'jira_project': jira_project, 'show_export': google_sheets_enabled and system_settings.credentials, 'sheet_url': sheet_url, 'bulk_edit_form': bulk_edit_form, 'paged_test_imports': paged_test_imports, 'test_import_filter': test_import_filter, 'finding_groups': finding_groups, 'finding_group_by_options': Finding_Group.GROUP_BY_OPTIONS, })
def edit_issue(request, id, page, objid): note = get_object_or_404(Notes, id=id) reverse_url = None object_id = None if page == "engagement": object = get_object_or_404(Engagement, id=objid) object_id = object.id reverse_url = "view_engagement" elif page == "test": object = get_object_or_404(Test, id=objid) object_id = object.id reverse_url = "view_test" elif page == "finding": object = get_object_or_404(Finding, id=objid) object_id = object.id reverse_url = "view_finding" if page is None: raise PermissionDenied if str(request.user) != note.author.username: if settings.FEATURE_AUTHORIZATION_V2: user_has_permission_or_403(request.user, object, Permissions.Note_Edit) else: if not request.user.is_staff: raise PermissionDenied note_type_activation = Note_Type.objects.filter(is_active=True).count() if note_type_activation: available_note_types = find_available_notetypes(object, note) if request.method == 'POST': if note_type_activation: form = TypedNoteForm(request.POST, available_note_types=available_note_types, instance=note) else: form = NoteForm(request.POST, instance=note) if form.is_valid(): note = form.save(commit=False) note.edited = True note.editor = request.user note.edit_time = timezone.now() if note_type_activation: history = NoteHistory(note_type=note.note_type, data=note.entry, time=note.edit_time, current_editor=note.editor) else: history = NoteHistory(data=note.entry, time=note.edit_time, current_editor=note.editor) history.save() note.history.add(history) note.save() object.last_reviewed = note.date object.last_reviewed_by = request.user object.save() form = NoteForm() messages.add_message(request, messages.SUCCESS, 'Note edited.', extra_tags='alert-success') return HttpResponseRedirect( reverse(reverse_url, args=(object_id, ))) else: messages.add_message(request, messages.SUCCESS, 'Note was not succesfully edited.', extra_tags='alert-danger') else: if note_type_activation: form = TypedNoteForm(available_note_types=available_note_types, instance=note) else: form = NoteForm(instance=note) return render(request, 'dojo/edit_note.html', { 'note': note, 'form': form, 'page': page, 'objid': objid, })
def view_finding(request, fid): finding = get_object_or_404(Finding, id=fid) cred_finding = Cred_Mapping.objects.filter(finding=finding.id).select_related('cred_id').order_by('cred_id') creds = Cred_Mapping.objects.filter(test=finding.test.id).select_related('cred_id').order_by('cred_id') cred_engagement = Cred_Mapping.objects.filter(engagement=finding.test.engagement.id).select_related('cred_id').order_by('cred_id') user = request.user try: jissue = JIRA_Issue.objects.get(finding=finding) except: jissue = None pass try: jpkey = JIRA_PKey.objects.get(product=finding.test.engagement.product) jconf = jpkey.conf except: jconf = None pass dojo_user = get_object_or_404(Dojo_User, id=user.id) if user.is_staff or user in finding.test.engagement.product.authorized_users.all(): pass # user is authorized for this product else: raise PermissionDenied notes = finding.notes.all() if request.method == 'POST': form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() finding.notes.add(new_note) finding.last_reviewed = new_note.date finding.last_reviewed_by = user finding.save() if jissue is not None: add_comment_task(finding, new_note) form = NoteForm() url = request.build_absolute_uri(reverse("view_finding", args=(finding.id,))) title= "Finding: "+ finding.title process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note saved.', extra_tags='alert-success') else: form = NoteForm() try: reqres = BurpRawRequestResponse.objects.get(finding=finding) burp_request = base64.b64decode(reqres.burpRequestBase64) burp_response = base64.b64decode(reqres.burpResponseBase64) except: reqres = None burp_request = None burp_response = None add_breadcrumb(parent=finding, top_level=False, request=request) return render(request, 'dojo/view_finding.html', {'finding': finding, 'burp_request': burp_request, 'jissue': jissue, 'jconf': jconf, 'cred_finding': cred_finding, 'creds': creds, 'cred_engagement': cred_engagement, 'burp_response': burp_response, 'dojo_user': dojo_user, 'user': user, 'notes': notes, 'form': form, 'found_by': finding.found_by.all().distinct()})
def view_engagement(request, eid): eng = get_object_or_404(Engagement, id=eid) tests = Test.objects.filter(engagement=eng).prefetch_related( 'tagged_items__tag', 'test_type').order_by('test_type__name', '-updated') prod = eng.product risks_accepted = eng.risk_acceptance.all().select_related('owner') preset_test_type = None network = None if eng.preset: preset_test_type = eng.preset.test_type.all() network = eng.preset.network_locations.all() system_settings = System_Settings.objects.get() try: jissue = JIRA_Issue.objects.get(engagement=eng) except: jissue = None pass try: jconf = JIRA_PKey.objects.get(product=eng.product).conf except: jconf = None pass exclude_findings = [ finding.id for ra in eng.risk_acceptance.all() for finding in ra.accepted_findings.all() ] eng_findings = Finding.objects.filter(test__in=eng.test_set.all()) \ .exclude(id__in=exclude_findings).order_by('title') try: check = Check_List.objects.get(engagement=eng) except: check = None pass notes = eng.notes.all() note_type_activation = Note_Type.objects.filter(is_active=True).count() if note_type_activation: available_note_types = find_available_notetypes(notes) if request.method == 'POST' and request.user.is_staff: eng.progress = 'check_list' eng.save() if note_type_activation: form = TypedNoteForm(request.POST, available_note_types=available_note_types) else: form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() eng.notes.add(new_note) if note_type_activation: form = TypedNoteForm(available_note_types=available_note_types) else: form = NoteForm() url = request.build_absolute_uri( reverse("view_engagement", args=(eng.id, ))) title = "Engagement: %s on %s" % (eng.name, eng.product.name) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: if note_type_activation: form = TypedNoteForm(available_note_types=available_note_types) else: form = NoteForm() creds = Cred_Mapping.objects.filter( product=eng.product).select_related('cred_id').order_by('cred_id') cred_eng = Cred_Mapping.objects.filter( engagement=eng.id).select_related('cred_id').order_by('cred_id') add_breadcrumb(parent=eng, top_level=False, request=request) if hasattr(settings, 'ENABLE_DEDUPLICATION'): if settings.ENABLE_DEDUPLICATION: enabled = True findings = Finding.objects.filter(test__engagement=eng, duplicate=False) else: enabled = False findings = None else: enabled = False findings = None if findings is not None: fpage = get_page_items(request, findings, 15) else: fpage = None # ---------- try: start_date = Finding.objects.filter( test__engagement__product=eng.product).order_by('date')[:1][0].date except: start_date = timezone.now() end_date = timezone.now() risk_acceptances = Risk_Acceptance.objects.filter( engagement__in=Engagement.objects.filter(product=eng.product)) accepted_findings = [ finding for ra in risk_acceptances for finding in ra.accepted_findings.all() ] title = "" if eng.engagement_type == "CI/CD": title = " CI/CD" product_tab = Product_Tab(prod.id, title="View" + title + " Engagement", tab="engagements") product_tab.setEngagement(eng) return render( request, 'dojo/view_eng.html', { 'eng': eng, 'product_tab': product_tab, 'system_settings': system_settings, 'tests': tests, 'findings': fpage, 'enabled': enabled, 'check': check, 'threat': eng.tmodel_path, 'risk': eng.risk_path, 'form': form, 'notes': notes, 'risks_accepted': risks_accepted, 'can_add_risk': eng_findings.count(), 'jissue': jissue, 'jconf': jconf, 'accepted_findings': accepted_findings, 'start_date': start_date, 'creds': creds, 'cred_eng': cred_eng, 'network': network, 'preset_test_type': preset_test_type })
def view_risk(request, eid, raid): risk_approval = get_object_or_404(Risk_Acceptance, pk=raid) eng = get_object_or_404(Engagement, pk=eid) if request.user.is_staff or check_auth_users_list(request.user, eng): pass else: raise PermissionDenied a_file = risk_approval.path if request.method == 'POST': note_form = NoteForm(request.POST) if note_form.is_valid(): new_note = note_form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() risk_approval.notes.add(new_note) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') if 'delete_note' in request.POST: note = get_object_or_404(Notes, pk=request.POST['delete_note_id']) if note.author.username == request.user.username: risk_approval.notes.remove(note) note.delete() messages.add_message(request, messages.SUCCESS, 'Note deleted successfully.', extra_tags='alert-success') else: messages.add_message( request, messages.ERROR, "Since you are not the note's author, it was not deleted.", extra_tags='alert-danger') if 'remove_finding' in request.POST: finding = get_object_or_404(Finding, pk=request.POST['remove_finding_id']) risk_approval.accepted_findings.remove(finding) finding.active = True finding.save() messages.add_message(request, messages.SUCCESS, 'Finding removed successfully.', extra_tags='alert-success') if 'replace_file' in request.POST: replace_form = ReplaceRiskAcceptanceForm(request.POST, request.FILES, instance=risk_approval) if replace_form.is_valid(): risk_approval.path.delete(save=False) risk_approval.path = replace_form.cleaned_data['path'] risk_approval.save() messages.add_message(request, messages.SUCCESS, 'File replaced successfully.', extra_tags='alert-success') if 'add_findings' in request.POST: add_findings_form = AddFindingsRiskAcceptanceForm( request.POST, request.FILES, instance=risk_approval) if add_findings_form.is_valid(): findings = add_findings_form.cleaned_data['accepted_findings'] for finding in findings: finding.active = False finding.save() risk_approval.accepted_findings.add(finding) risk_approval.save() messages.add_message(request, messages.SUCCESS, 'Finding%s added successfully.' % ('s' if len(findings) > 1 else ''), extra_tags='alert-success') note_form = NoteForm() replace_form = ReplaceRiskAcceptanceForm() add_findings_form = AddFindingsRiskAcceptanceForm() accepted_findings = risk_approval.accepted_findings.order_by( 'numerical_severity') fpage = get_page_items(request, accepted_findings, 15) unaccepted_findings = Finding.objects.filter(test__in=eng.test_set.all()) \ .exclude(id__in=accepted_findings).order_by("title") add_fpage = get_page_items(request, unaccepted_findings, 10, 'apage') # on this page we need to add unaccepted findings as possible findings to add as accepted add_findings_form.fields[ "accepted_findings"].queryset = add_fpage.object_list authorized = (request.user == risk_approval.owner.username or request.user.is_staff) product_tab = Product_Tab(eng.product.id, title="Risk Exception", tab="engagements") product_tab.setEngagement(eng) return render( request, 'dojo/view_risk.html', { 'risk_approval': risk_approval, 'product_tab': product_tab, 'accepted_findings': fpage, 'notes': risk_approval.notes.all(), 'a_file': a_file, 'eng': eng, 'note_form': note_form, 'replace_form': replace_form, 'add_findings_form': add_findings_form, # 'show_add_findings_form': len(unaccepted_findings), 'request': request, 'add_findings': add_fpage, 'authorized': authorized, })
def view_risk(request, eid, raid): risk_approval = get_object_or_404(Risk_Acceptance, pk=raid) eng = get_object_or_404(Engagement, pk=eid) if (request.user.is_staff or request.user in eng.product.authorized_users.all()): pass else: raise PermissionDenied a_file = risk_approval.path if request.method == 'POST': note_form = NoteForm(request.POST) if note_form.is_valid(): new_note = note_form.save(commit=False) new_note.author = request.user new_note.date = datetime.now(tz=localtz) new_note.save() risk_approval.notes.add(new_note) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') if 'delete_note' in request.POST: note = get_object_or_404(Notes, pk=request.POST['delete_note_id']) if note.author.username == request.user.username: risk_approval.notes.remove(note) note.delete() messages.add_message(request, messages.SUCCESS, 'Note deleted successfully.', extra_tags='alert-success') else: messages.add_message( request, messages.ERROR, "Since you are not the note's author, it was not deleted.", extra_tags='alert-danger') if 'remove_finding' in request.POST: finding = get_object_or_404(Finding, pk=request.POST['remove_finding_id']) risk_approval.accepted_findings.remove(finding) finding.active = True finding.save() messages.add_message(request, messages.SUCCESS, 'Finding removed successfully.', extra_tags='alert-success') if 'replace_file' in request.POST: replace_form = ReplaceRiskAcceptanceForm( request.POST, request.FILES, instance=risk_approval) if replace_form.is_valid(): risk_approval.path.delete(save=False) risk_approval.path = replace_form.cleaned_data['path'] risk_approval.save() messages.add_message(request, messages.SUCCESS, 'File replaced successfully.', extra_tags='alert-success') if 'add_findings' in request.POST: add_findings_form = AddFindingsRiskAcceptanceForm( request.POST, request.FILES, instance=risk_approval) if add_findings_form.is_valid(): findings = add_findings_form.cleaned_data[ 'accepted_findings'] for finding in findings: finding.active = False finding.save() risk_approval.accepted_findings.add(finding) risk_approval.save() messages.add_message( request, messages.SUCCESS, 'Finding%s added successfully.' % ('s' if len(findings) > 1 else ''), extra_tags='alert-success') note_form = NoteForm() replace_form = ReplaceRiskAcceptanceForm() add_findings_form = AddFindingsRiskAcceptanceForm() exclude_findings = [finding.id for ra in eng.risk_acceptance.all() for finding in ra.accepted_findings.all()] findings = Finding.objects.filter(test__in=eng.test_set.all()) \ .exclude(id__in=exclude_findings).order_by("title") add_fpage = get_page_items(request, findings, 10, 'apage') add_findings_form.fields[ "accepted_findings"].queryset = add_fpage.object_list fpage = get_page_items(request, risk_approval.accepted_findings.order_by( 'numerical_severity'), 15) authorized = (request.user == risk_approval.reporter.username or request.user.is_staff) add_breadcrumb(parent=risk_approval, top_level=False, request=request) return render(request, 'dojo/view_risk.html', {'risk_approval': risk_approval, 'accepted_findings': fpage, 'notes': risk_approval.notes.all(), 'a_file': a_file, 'eng': eng, 'note_form': note_form, 'replace_form': replace_form, 'add_findings_form': add_findings_form, 'show_add_findings_form': len(findings), 'request': request, 'add_findings': add_fpage, 'authorized': authorized, })
def view_engagement(request, eid): eng = get_object_or_404(Engagement, id=eid) tests = eng.test_set.all().order_by('test_type__name', '-updated') default_page_num = 10 tests_filter = EngagementTestFilter(request.GET, queryset=tests, engagement=eng) paged_tests = get_page_items(request, tests_filter.qs, default_page_num) # prefetch only after creating the filters to avoid https://code.djangoproject.com/ticket/23771 and https://code.djangoproject.com/ticket/25375 paged_tests.object_list = prefetch_for_view_tests(paged_tests.object_list) prod = eng.product risks_accepted = eng.risk_acceptance.all().select_related('owner').annotate(accepted_findings_count=Count('accepted_findings__id')) preset_test_type = None network = None if eng.preset: preset_test_type = eng.preset.test_type.all() network = eng.preset.network_locations.all() system_settings = System_Settings.objects.get() jissue = jira_helper.get_jira_issue(eng) jira_project = jira_helper.get_jira_project(eng) try: check = Check_List.objects.get(engagement=eng) except: check = None pass notes = eng.notes.all() note_type_activation = Note_Type.objects.filter(is_active=True).count() if note_type_activation: available_note_types = find_available_notetypes(notes) form = DoneForm() files = eng.files.all() if request.method == 'POST': user_has_permission_or_403(request.user, eng, Permissions.Note_Add) eng.progress = 'check_list' eng.save() if note_type_activation: form = TypedNoteForm(request.POST, available_note_types=available_note_types) else: form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() eng.notes.add(new_note) if note_type_activation: form = TypedNoteForm(available_note_types=available_note_types) else: form = NoteForm() url = request.build_absolute_uri(reverse("view_engagement", args=(eng.id,))) title = "Engagement: %s on %s" % (eng.name, eng.product.name) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: if note_type_activation: form = TypedNoteForm(available_note_types=available_note_types) else: form = NoteForm() creds = Cred_Mapping.objects.filter( product=eng.product).select_related('cred_id').order_by('cred_id') cred_eng = Cred_Mapping.objects.filter( engagement=eng.id).select_related('cred_id').order_by('cred_id') add_breadcrumb(parent=eng, top_level=False, request=request) title = "" if eng.engagement_type == "CI/CD": title = " CI/CD" product_tab = Product_Tab(prod.id, title="View" + title + " Engagement", tab="engagements") product_tab.setEngagement(eng) return render( request, 'dojo/view_eng.html', { 'eng': eng, 'product_tab': product_tab, 'system_settings': system_settings, 'tests': paged_tests, 'filter': tests_filter, 'check': check, 'threat': eng.tmodel_path, 'form': form, 'notes': notes, 'files': files, 'risks_accepted': risks_accepted, 'jissue': jissue, 'jira_project': jira_project, 'creds': creds, 'cred_eng': cred_eng, 'network': network, 'preset_test_type': preset_test_type })
def view_edit_risk_acceptance(request, eid, raid, edit_mode=False): risk_acceptance = get_object_or_404(Risk_Acceptance, pk=raid) eng = get_object_or_404(Engagement, pk=eid) if edit_mode and not eng.product.enable_full_risk_acceptance: raise PermissionDenied() risk_acceptance_form = None errors = False if request.method == 'POST': # deleting before instantiating the form otherwise django messes up and we end up with an empty path value if len(request.FILES) > 0: logger.debug('new proof uploaded') risk_acceptance.path.delete() if 'decision' in request.POST: old_expiration_date = risk_acceptance.expiration_date risk_acceptance_form = EditRiskAcceptanceForm(request.POST, request.FILES, instance=risk_acceptance) errors = errors or not risk_acceptance_form.is_valid() if not errors: logger.debug('path: %s', risk_acceptance_form.cleaned_data['path']) risk_acceptance_form.save() if risk_acceptance.expiration_date != old_expiration_date: # risk acceptance was changed, check if risk acceptance needs to be reinstated and findings made accepted again ra_helper.reinstate(risk_acceptance, old_expiration_date) messages.add_message( request, messages.SUCCESS, 'Risk Acceptance saved successfully.', extra_tags='alert-success') if 'entry' in request.POST: note_form = NoteForm(request.POST) errors = errors or not note_form.is_valid() if not errors: new_note = note_form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() risk_acceptance.notes.add(new_note) messages.add_message( request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') if 'delete_note' in request.POST: note = get_object_or_404(Notes, pk=request.POST['delete_note_id']) if note.author.username == request.user.username: risk_acceptance.notes.remove(note) note.delete() messages.add_message( request, messages.SUCCESS, 'Note deleted successfully.', extra_tags='alert-success') else: messages.add_message( request, messages.ERROR, "Since you are not the note's author, it was not deleted.", extra_tags='alert-danger') if 'remove_finding' in request.POST: finding = get_object_or_404( Finding, pk=request.POST['remove_finding_id']) ra_helper.remove_finding_from_risk_acceptance(risk_acceptance, finding) messages.add_message( request, messages.SUCCESS, 'Finding removed successfully from risk acceptance.', extra_tags='alert-success') if 'replace_file' in request.POST: replace_form = ReplaceRiskAcceptanceProofForm( request.POST, request.FILES, instance=risk_acceptance) errors = errors or not replace_form.is_valid() if not errors: replace_form.save() messages.add_message( request, messages.SUCCESS, 'New Proof uploaded successfully.', extra_tags='alert-success') else: logger.error(replace_form.errors) if 'add_findings' in request.POST: add_findings_form = AddFindingsRiskAcceptanceForm( request.POST, request.FILES, instance=risk_acceptance) errors = errors or not add_findings_form.is_valid() if not errors: findings = add_findings_form.cleaned_data['accepted_findings'] ra_helper.add_findings_to_risk_acceptance(risk_acceptance, findings) messages.add_message( request, messages.SUCCESS, 'Finding%s added successfully.' % ('s' if len(findings) > 1 else ''), extra_tags='alert-success') if not errors: logger.debug('redirecting to return_url') return redirect_to_return_url_or_else(request, reverse("view_risk_acceptance", args=(eid, raid))) else: logger.error('errors found') else: if edit_mode: risk_acceptance_form = EditRiskAcceptanceForm(instance=risk_acceptance) note_form = NoteForm() replace_form = ReplaceRiskAcceptanceProofForm(instance=risk_acceptance) add_findings_form = AddFindingsRiskAcceptanceForm(instance=risk_acceptance) accepted_findings = risk_acceptance.accepted_findings.order_by('numerical_severity') fpage = get_page_items(request, accepted_findings, 15) unaccepted_findings = Finding.objects.filter(test__in=eng.test_set.all()) \ .exclude(id__in=accepted_findings).order_by("title") add_fpage = get_page_items(request, unaccepted_findings, 10, 'apage') # on this page we need to add unaccepted findings as possible findings to add as accepted add_findings_form.fields[ "accepted_findings"].queryset = add_fpage.object_list product_tab = Product_Tab(eng.product.id, title="Risk Acceptance", tab="engagements") product_tab.setEngagement(eng) return render( request, 'dojo/view_risk_acceptance.html', { 'risk_acceptance': risk_acceptance, 'engagement': eng, 'product_tab': product_tab, 'accepted_findings': fpage, 'notes': risk_acceptance.notes.all(), 'eng': eng, 'edit_mode': edit_mode, 'risk_acceptance_form': risk_acceptance_form, 'note_form': note_form, 'replace_form': replace_form, 'add_findings_form': add_findings_form, # 'show_add_findings_form': len(unaccepted_findings), 'request': request, 'add_findings': add_fpage, 'return_url': get_return_url(request), })
def view_test(request, tid): test = get_object_or_404(Test, pk=tid) prod = test.engagement.product tags = Tag.objects.usage_for_model(Finding) notes = test.notes.all() note_type_activation = Note_Type.objects.filter(is_active=True).count() if note_type_activation: available_note_types = find_available_notetypes(notes) person = request.user.username findings = Finding.objects.filter(test=test).order_by('numerical_severity') findings = OpenFindingFilter(request.GET, queryset=findings) stub_findings = Stub_Finding.objects.filter(test=test) cred_test = Cred_Mapping.objects.filter( test=test).select_related('cred_id').order_by('cred_id') creds = Cred_Mapping.objects.filter( engagement=test.engagement).select_related('cred_id').order_by( 'cred_id') system_settings = get_object_or_404(System_Settings, id=1) if request.method == 'POST' and request.user.is_staff: if note_type_activation: form = TypedNoteForm(request.POST, available_note_types=available_note_types) else: form = NoteForm(request.POST) if form.is_valid(): new_note = form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() test.notes.add(new_note) if note_type_activation: form = TypedNoteForm(available_note_types=available_note_types) else: form = NoteForm() url = request.build_absolute_uri( reverse("view_test", args=(test.id, ))) title = "Test: %s on %s" % (test.test_type.name, test.engagement.product.name) process_notifications(request, new_note, url, title) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') else: if note_type_activation: form = TypedNoteForm(available_note_types=available_note_types) else: form = NoteForm() title_words = get_words_for_field(findings.qs, 'title') component_words = get_words_for_field(findings.qs, 'component_name') paged_findings, total_findings_count = get_page_items_and_count( request, prefetch_for_findings(findings.qs), 25) paged_stub_findings = get_page_items(request, stub_findings, 25) show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES) product_tab = Product_Tab(prod.id, title="Test", tab="engagements") product_tab.setEngagement(test.engagement) jira_config = JIRA_PKey.objects.filter(product=prod.id).first() if jira_config: jira_config = jira_config.conf_id google_sheets_enabled = system_settings.enable_google_sheets sheet_url = None if google_sheets_enabled: spreadsheet_name = test.engagement.product.name + "-" + test.engagement.name + "-" + str( test.id) system_settings = get_object_or_404(System_Settings, id=1) service_account_info = json.loads(system_settings.credentials) SCOPES = ['https://www.googleapis.com/auth/drive'] credentials = service_account.Credentials.from_service_account_info( service_account_info, scopes=SCOPES) try: drive_service = googleapiclient.discovery.build( 'drive', 'v3', credentials=credentials, cache_discovery=False) folder_id = system_settings.drive_folder_ID files = drive_service.files().list( q="mimeType='application/vnd.google-apps.spreadsheet' and parents in '%s' and name='%s'" % (folder_id, spreadsheet_name), spaces='drive', pageSize=10, fields='files(id, name)').execute() except googleapiclient.errors.HttpError: messages.add_message( request, messages.ERROR, "There is a problem with the Google Sheets Sync Configuration. Contact your system admin to solve the issue. Until fixed Google Shet Sync feature can not be used.", extra_tags="alert-danger", ) google_sheets_enabled = False except httplib2.ServerNotFoundError: messages.add_message( request, messages.ERROR, "Unable to reach the Google Sheet API.", extra_tags="alert-danger", ) else: spreadsheets = files.get('files') if len(spreadsheets) == 1: spreadsheetId = spreadsheets[0].get('id') sheet_url = 'https://docs.google.com/spreadsheets/d/' + spreadsheetId return render( request, 'dojo/view_test.html', { 'test': test, 'product_tab': product_tab, 'findings': paged_findings, 'filtered': findings, 'findings_count': total_findings_count, 'stub_findings': paged_stub_findings, 'title_words': title_words, 'component_words': component_words, 'form': form, 'notes': notes, 'person': person, 'request': request, 'show_re_upload': show_re_upload, 'creds': creds, 'cred_test': cred_test, 'tag_input': tags, 'jira_config': jira_config, 'show_export': google_sheets_enabled, 'sheet_url': sheet_url })