def setUpTestData(cls):
cls.user = User()
cls.product_type = Product_Type()
cls.product_type_member = Product_Type_Member()
cls.product = Product()
cls.product_member = Product_Member()
cls.product.prod_type = cls.product_type
cls.engagement = Engagement()
cls.engagement.product = cls.product
cls.test = Test()
cls.test.engagement = cls.engagement
cls.finding = Finding()
cls.finding.test = cls.test
cls.endpoint = Endpoint()
cls.endpoint.product = cls.product
cls.product_type_member_reader = Product_Type_Member()
cls.product_type_member_reader.user = cls.user
cls.product_type_member_reader.product_type = cls.product_type
cls.product_type_member_reader.role = Roles.Reader
cls.product_type_member_owner = Product_Type_Member()
cls.product_type_member_owner.user = cls.user
cls.product_type_member_owner.product_type = cls.product_type
cls.product_type_member_owner.role = Roles.Owner
cls.product_member_reader = Product_Member()
cls.product_member_reader.user = cls.user
cls.product_member_reader.product = cls.product
cls.product_member_reader.role = Roles.Reader
cls.product_member_owner = Product_Member()
cls.product_member_owner.user = cls.user
cls.product_member_owner.product = cls.product
cls.product_member_owner.role = Roles.Owner
def test_user_has_permission_product_type_member_success(self, mock_get):
other_user = User()
product_type_member_other_user = Product_Type_Member()
product_type_member_other_user.user = other_user
product_type_member_other_user.product_type = self.product_type
product_type_member_other_user.role = Roles.Owner
mock_get.return_value = product_type_member_other_user
result = user_has_permission(other_user,
self.product_type_member_reader,
Permissions.Product_Type_Remove_Member)
self.assertTrue(result)
self.assertEqual(mock_get.call_args[1]['user'], other_user)
self.assertEqual(mock_get.call_args[1]['product_type'],
self.product_type)
def add_product_type_member(request, uid):
user = get_object_or_404(Dojo_User, id=uid)
memberform = Add_Product_Type_Member_UserForm(initial={'user': user.id})
if request.method == 'POST':
memberform = Add_Product_Type_Member_UserForm(
request.POST, initial={'user': user.id})
if memberform.is_valid():
if 'product_types' in memberform.cleaned_data and len(
memberform.cleaned_data['product_types']) > 0:
for product_type in memberform.cleaned_data['product_types']:
existing_members = Product_Type_Member.objects.filter(
product_type=product_type, user=user)
if existing_members.count() == 0:
product_type_member = Product_Type_Member()
product_type_member.product_type = product_type
product_type_member.user = user
product_type_member.role = memberform.cleaned_data[
'role']
product_type_member.save()
messages.add_message(
request,
messages.SUCCESS,
'Product type members added successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_user', args=(uid, )))
add_breadcrumb(title="Add Product Type Member",
top_level=False,
request=request)
return render(request, 'dojo/new_product_type_member_user.html', {
'user': user,
'form': memberform,
})
def add_product_type(request):
form = Product_TypeForm()
if request.method == 'POST':
form = Product_TypeForm(request.POST)
if form.is_valid():
product_type = form.save()
member = Product_Type_Member()
member.user = request.user
member.product_type = product_type
member.role = Role.objects.get(is_owner=True)
member.save()
messages.add_message(request,
messages.SUCCESS,
'Product type added successfully.',
extra_tags='alert-success')
create_notification(event='product_type_added',
title=product_type.name,
product_type=product_type,
url=reverse('view_product_type',
args=(product_type.id, )))
return HttpResponseRedirect(reverse('product_type'))
add_breadcrumb(title="Add Product Type", top_level=False, request=request)
return render(request, 'dojo/new_product_type.html', {
'name': 'Add Product Type',
'form': form,
})
def add_product_type_member(request, ptid):
pt = get_object_or_404(Product_Type, pk=ptid)
memberform = Add_Product_Type_MemberForm(initial={'product_type': pt.id})
if request.method == 'POST':
memberform = Add_Product_Type_MemberForm(request.POST, initial={'product_type': pt.id})
if memberform.is_valid():
if memberform.cleaned_data['role'].is_owner and not user_has_permission(request.user, pt, Permissions.Product_Type_Member_Add_Owner):
messages.add_message(request,
messages.WARNING,
'You are not permitted to add users as owners.',
extra_tags='alert-warning')
else:
if 'users' in memberform.cleaned_data and len(memberform.cleaned_data['users']) > 0:
for user in memberform.cleaned_data['users']:
members = Product_Type_Member.objects.filter(product_type=pt, user=user)
if members.count() == 0:
product_type_member = Product_Type_Member()
product_type_member.product_type = pt
product_type_member.user = user
product_type_member.role = memberform.cleaned_data['role']
product_type_member.save()
messages.add_message(request,
messages.SUCCESS,
'Product type members added successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_product_type', args=(ptid, )))
add_breadcrumb(title="Add Product Type Member", top_level=False, request=request)
return render(request, 'dojo/new_product_type_member.html', {
'pt': pt,
'form': memberform,
})
def test_user_has_permission_product_type_member_no_permission(self, mock_get):
other_user = User()
other_user.id = 2
product_type_member_other_user = Product_Type_Member()
product_type_member_other_user.id = 2
product_type_member_other_user.user = other_user
product_type_member_other_user.product_type = self.product_type
product_type_member_other_user.role = Roles.Reader
mock_get.return_value = product_type_member_other_user
result = user_has_permission(other_user, self.product_type_member_owner, Permissions.Product_Type_Member_Delete)
self.assertFalse(result)
self.assertEqual(mock_get.call_args[1]['user'], other_user)
self.assertEqual(mock_get.call_args[1]['product_type'], self.product_type)
def test_user_has_permission_product_type_member_success(self, mock_foo):
other_user = User()
other_user.id = 2
product_type_member_other_user = Product_Type_Member()
product_type_member_other_user.id = 2
product_type_member_other_user.user = other_user
product_type_member_other_user.product_type = self.product_type
product_type_member_other_user.role = Role.objects.get(id=Roles.Owner)
mock_foo.select_related.return_value = mock_foo
mock_foo.select_related.return_value = mock_foo
mock_foo.filter.return_value = [product_type_member_other_user]
result = user_has_permission(other_user, self.product_type_member_reader, Permissions.Product_Type_Member_Delete)
self.assertTrue(result)
mock_foo.filter.assert_called_with(user=other_user)
def setUpTestData(cls):
cls.user = Dojo_User()
cls.user.id = 1
cls.user2 = Dojo_User()
cls.user2.id = 2
cls.global_role_user = Global_Role()
cls.global_role_user.id = 1
cls.global_role_user.user = cls.user2
cls.global_role_user.role = Role.objects.get(id=Roles.Reader)
cls.product_type = Product_Type()
cls.product_type.id = 1
cls.product_type_member = Product_Type_Member()
cls.product_type_member.id = 1
cls.product = Product()
cls.product.id = 1
cls.product_member = Product_Member()
cls.product_member.id = 1
cls.product.prod_type = cls.product_type
cls.engagement = Engagement()
cls.engagement.product = cls.product
cls.test = Test()
cls.test.engagement = cls.engagement
cls.finding = Finding()
cls.finding.test = cls.test
cls.stub_finding = Stub_Finding()
cls.stub_finding.test = cls.test
cls.endpoint = Endpoint()
cls.endpoint.product = cls.product
cls.technology = App_Analysis()
cls.technology.product = cls.product
cls.language = Languages()
cls.language.product = cls.product
cls.product_type_member_reader = Product_Type_Member()
cls.product_type_member_reader.user = cls.user
cls.product_type_member_reader.product_type = cls.product_type
cls.product_type_member_reader.role = Role.objects.get(id=Roles.Reader)
cls.product_type_member_owner = Product_Type_Member()
cls.product_type_member_owner.user = cls.user
cls.product_type_member_owner.product_type = cls.product_type
cls.product_type_member_owner.role = Role.objects.get(id=Roles.Owner)
cls.product_member_reader = Product_Member()
cls.product_member_reader.user = cls.user
cls.product_member_reader.product = cls.product
cls.product_member_reader.role = Role.objects.get(id=Roles.Reader)
cls.product_member_owner = Product_Member()
cls.product_member_owner.user = cls.user
cls.product_member_owner.product = cls.product
cls.product_member_owner.role = Role.objects.get(id=Roles.Owner)
cls.group = Dojo_Group()
cls.group.id = 1
cls.product_group_reader = Product_Group()
cls.product_group_reader.id = 1
cls.product_group_reader.product = cls.product
cls.product_group_reader.group = cls.group
cls.product_group_reader.role = Role.objects.get(id=Roles.Reader)
cls.product_group_owner = Product_Group()
cls.product_group_owner.id = 2
cls.product_group_owner.product = cls.product
cls.product_group_owner.group = cls.group
cls.product_group_owner.role = Role.objects.get(id=Roles.Owner)
cls.product_type_group_reader = Product_Type_Group()
cls.product_type_group_reader.id = 1
cls.product_type_group_reader.product_type = cls.product_type
cls.product_type_group_reader.group = cls.group
cls.product_type_group_reader.role = Role.objects.get(id=Roles.Reader)
cls.product_type_group_owner = Product_Type_Group()
cls.product_type_group_owner.id = 2
cls.product_type_group_owner.product_type = cls.product_type
cls.product_type_group_owner.group = cls.group
cls.product_type_group_owner.role = Role.objects.get(id=Roles.Owner)
cls.group2 = Dojo_Group()
cls.group2.id = 2
cls.global_role_group = Global_Role()
cls.global_role_group.id = 2
cls.global_role_group.group = cls.group2
cls.global_role_group.role = Role.objects.get(id=Roles.Maintainer)
cls.user3 = Dojo_User()
cls.user3.id = 3
cls.global_role_user = Global_Role()
cls.global_role_user.id = 3
cls.global_role_user.user = cls.user3
cls.global_role_user.role = None
cls.group3 = Dojo_Group()
cls.group3.id = 3
cls.user4 = Dojo_User()
cls.user4.id = 4
cls.group_member = Dojo_Group_Member()
cls.group_member.id = 1
cls.group_member.group = cls.group3
cls.group_member.user = cls.user4
cls.group_member.role = Role.objects.get(id=Roles.Writer)
cls.user5 = Dojo_User()
cls.user5.id = 5
cls.global_role_user = Global_Role()
cls.global_role_user.id = 5
cls.global_role_user.user = cls.user5
cls.global_role_user.role = Role.objects.get(id=Roles.Owner)
def handle(self, *args, **options):
logger.info('Started migrating users for authorization v2 ...')
authorized_user_exists = False
# Staff users have had all permissions for all product types and products,
# so they will be get a global role as Owner.
# Superusers will have all permissions anyway, so they must not be set as members.
staff_users = Dojo_User.objects.filter(is_staff=True,
is_superuser=False)
for staff_user in staff_users:
global_role = staff_user.global_role if hasattr(
staff_user, 'global_role') else None
if global_role is None:
global_role = Global_Role()
global_role.user = staff_user
if global_role.role is None:
global_role.role = self.owner_role
global_role.save()
logger.info('Global_Role Owner added for staff user {}'.format(
staff_user))
else:
logger.info('Staff user {} already has Global_Role {}'.format(
staff_user, global_role.role))
# Authorized users for product types will be converted to product type members
# with a role according to the settings
product_types = Product_Type.objects.all().prefetch_related(
'authorized_users')
for product_type in product_types:
for authorized_user in product_type.authorized_users.all():
# If the product type member already exists, it won't be changed
if Product_Type_Member.objects.filter(
product_type=product_type,
user=authorized_user).count() == 0:
authorized_user_exists = True
product_type_member = Product_Type_Member()
product_type_member.product_type = product_type
product_type_member.user = authorized_user
product_type_member.role = self.get_role()
product_type_member.save()
logger.info(
'Product_Type_Member added: {} / {} / {}'.format(
product_type, authorized_user,
product_type_member.role))
else:
logger.info(
'Product_Type_Member already exists: {} / {}'.format(
product_type, authorized_user))
# Authorized users for products will be converted to product members
# with a role according to the settings
products = Product.objects.all().prefetch_related('authorized_users')
for product in products:
for authorized_user in product.authorized_users.all():
# If the product member already exists, it won't be changed
if Product_Member.objects.filter(
product=product, user=authorized_user).count() == 0:
authorized_user_exists = True
product_member = Product_Member()
product_member.product = product
product_member.user = authorized_user
product_member.role = self.get_role()
product_member.save()
logger.info('Product_Member added: {} / {} / {}'.format(
product, authorized_user, product_member.role))
else:
logger.info(
'Product_Member already exists: {} / {}'.format(
product, authorized_user))
if authorized_user_exists and not settings.AUTHORIZED_USERS_ALLOW_STAFF and \
(settings.AUTHORIZED_USERS_ALLOW_CHANGE or settings.AUTHORIZED_USERS_ALLOW_DELETE):
logger.warn(
'Authorized users have more permissions than before, because there is no equivalent for AUTHORIZED_USERS_ALLOW_CHANGE and AUTHORIZED_USERS_ALLOW_DELETE'
)
logger.info('Finished migrating users for authorization v2')
def get_or_create_product(product_name=None, product_type_name=None, auto_create_context=None):
# try to find the product (withing the provided product_type)
product = get_target_product_if_exists(product_name, product_type_name)
if product:
return product
# not found .... create it
if not auto_create_context:
raise ValueError('auto_create_context not True, unable to create non-existing product')
else:
product_type, created = Product_Type.objects.get_or_create(name=product_type_name)
if created:
member = Product_Type_Member()
member.user = get_current_user()
member.product_type = product_type
member.role = Role.objects.get(is_owner=True)
member.save()
product = Product.objects.create(name=product_name, prod_type=product_type)
member = Product_Member()
member.user = get_current_user()
member.product = product
member.role = Role.objects.get(is_owner=True)
member.save()
return product
