def setUp(self):
self.request = RequestFactory().get('/dummy')
self.user = User()
self.request.user = self.user
self.product_type = Product_Type()
self.decorated_func = user_is_authorized(Product_Type,
Permissions.Product_Type_View,
'id', None, 'pk', Mock())
self.decorated_func_legacy = user_is_authorized(
Product_Type, Permissions.Product_Type_View, 'id', 'staff', 'pk',
Mock())
def add_product_endpoint(request):
if not settings.FEATURE_AUTHORIZATION_V2 and not request.user.is_staff:
raise PermissionDenied
form = AddEndpointForm()
if request.method == 'POST':
form = AddEndpointForm(request.POST)
if form.is_valid():
if not settings.FEATURE_AUTHORIZATION_V2:
if not user_is_authorized(request.user, 'change',
form.product):
raise PermissionDenied
else:
user_has_permission_or_403(request.user, form.product,
Permissions.Endpoint_Add)
endpoints = form.save()
tags = request.POST.get('tags')
for e in endpoints:
e.tags = tags
e.save()
messages.add_message(request,
messages.SUCCESS,
'Endpoint added successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(
reverse('endpoint') + "?product=%s" % form.product.id)
add_breadcrumb(title="Add Endpoint", top_level=False, request=request)
return render(request, 'dojo/add_endpoint.html', {
'name': 'Add Endpoint',
'form': form,
})
def process_endpoints_view(request, host_view=False, vulnerable=False):
if vulnerable:
endpoints = Endpoint.objects.filter(finding__active=True, finding__verified=True, finding__false_p=False,
finding__duplicate=False, finding__out_of_scope=False, mitigated=False)
else:
endpoints = Endpoint.objects.all()
endpoints = endpoints.prefetch_related('product', 'product__tags', 'tags').distinct()
endpoints = get_authorized_endpoints(Permissions.Endpoint_View, endpoints, request.user)
if host_view:
ids = get_endpoint_ids(EndpointFilter(request.GET, queryset=endpoints, user=request.user).qs)
endpoints = EndpointFilter(request.GET, queryset=endpoints.filter(id__in=ids), user=request.user)
else:
endpoints = EndpointFilter(request.GET, queryset=endpoints, user=request.user)
paged_endpoints = get_page_items(request, endpoints.qs, 25)
if vulnerable:
view_name = "Vulnerable"
else:
view_name = "All"
if host_view:
view_name += " Endpoint Hosts"
else:
view_name += " Endpoints"
add_breadcrumb(title=view_name, top_level=not len(request.GET), request=request)
product_tab = None
if 'product' in request.GET:
p = request.GET.getlist('product', [])
if len(p) == 1:
product = get_object_or_404(Product, id=p[0])
if not settings.FEATURE_AUTHORIZATION_V2:
if not user_is_authorized(request.user, 'view', product):
raise PermissionDenied
else:
user_has_permission_or_403(request.user, product, Permissions.Product_View)
product_tab = Product_Tab(product.id, view_name, tab="endpoints")
return render(
request, 'dojo/endpoints.html', {
'product_tab': product_tab,
"endpoints": paged_endpoints,
"filtered": endpoints,
"name": view_name,
"host_view": host_view,
"product_tab": product_tab
})
def all_endpoints(request):
endpoints = Endpoint.objects.prefetch_related('product', 'tags',
'product__tags')
endpoints = get_authorized_endpoints(Permissions.Endpoint_View, endpoints,
request.user)
show_uri = get_system_setting('display_endpoint_uri')
product = None
if 'product' in request.GET:
p = request.GET.getlist('product', [])
if len(p) == 1:
product = get_object_or_404(Product, id=p[0])
if not settings.FEATURE_AUTHORIZATION_V2:
if not user_is_authorized(request.user, 'view', product):
raise PermissionDenied
else:
user_has_permission_or_403(request.user, product,
Permissions.Product_View)
if show_uri:
endpoints = EndpointFilter(request.GET,
queryset=endpoints,
user=request.user)
paged_endpoints = get_page_items(request, endpoints.qs, 25)
else:
ids = get_endpoint_ids(
EndpointFilter(request.GET, queryset=endpoints,
user=request.user).qs)
endpoints = EndpointFilter(request.GET,
queryset=endpoints.filter(id__in=ids),
user=request.user)
paged_endpoints = get_page_items(request, endpoints.qs, 25)
add_breadcrumb(title="All Endpoints",
top_level=not len(request.GET),
request=request)
product_tab = None
view_name = "All Endpoints"
if product:
view_name = "Endpoints"
product_tab = Product_Tab(product.id, "Endpoints", tab="endpoints")
return render(
request, 'dojo/endpoints.html', {
'product_tab': product_tab,
"endpoints": paged_endpoints,
"filtered": endpoints,
"name": view_name,
"show_uri": show_uri
})
def import_scan_results(request, eid=None, pid=None):
engagement = None
form = ImportScanForm()
cred_form = CredMappingForm()
finding_count = 0
jform = None
user = request.user
if eid:
engagement = get_object_or_404(Engagement, id=eid)
engagement_or_product = engagement
cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
engagement=engagement).order_by('cred_id')
elif pid:
product = get_object_or_404(Product, id=pid)
engagement_or_product = product
elif not user.is_staff:
raise PermissionDenied
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(user, engagement_or_product,
Permissions.Import_Scan_Result)
else:
if not user_is_authorized(user, 'staff', engagement_or_product):
raise PermissionDenied
push_all_jira_issues = jira_helper.is_push_all_issues(
engagement_or_product)
if request.method == "POST":
form = ImportScanForm(request.POST, request.FILES)
cred_form = CredMappingForm(request.POST)
cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
engagement=engagement).order_by('cred_id')
if jira_helper.get_jira_project(engagement_or_product):
jform = JIRAImportScanForm(request.POST,
push_all=push_all_jira_issues,
prefix='jiraform')
logger.debug('jform valid: %s', jform.is_valid())
logger.debug('jform errors: %s', jform.errors)
if form.is_valid() and (jform is None or jform.is_valid()):
scan = request.FILES.get('file', None)
scan_date = form.cleaned_data['scan_date']
minimum_severity = form.cleaned_data['minimum_severity']
active = form.cleaned_data['active']
verified = form.cleaned_data['verified']
scan_type = request.POST['scan_type']
tags = form.cleaned_data['tags']
version = form.cleaned_data['version']
branch_tag = form.cleaned_data.get('branch_tag', None)
build_id = form.cleaned_data.get('build_id', None)
commit_hash = form.cleaned_data.get('commit_hash', None)
close_old_findings = form.cleaned_data.get('close_old_findings',
None)
# Will save in the provided environment or in the `Development` one if absent
environment_id = request.POST.get('environment', 'Development')
environment = Development_Environment.objects.get(
id=environment_id)
group_by = form.cleaned_data.get('group_by', None)
# TODO move to form validation?
if not any(scan_type in code
for code in ImportScanForm.SORTED_SCAN_TYPE_CHOICES):
raise Http404()
# TODO move to form validation?
if scan and is_scan_file_too_large(scan):
messages.add_message(
request,
messages.ERROR,
"Report file is too large. Maximum supported size is {} MB"
.format(settings.SCAN_FILE_MAX_SIZE),
extra_tags='alert-danger')
return HttpResponseRedirect(
reverse('import_scan_results', args=(engagement, )))
# Allows for a test to be imported with an engagement created on the fly
if engagement is None:
engagement = Engagement()
engagement.name = "AdHoc Import - " + strftime(
"%a, %d %b %Y %X",
timezone.now().timetuple())
engagement.threat_model = False
engagement.api_test = False
engagement.pen_test = False
engagement.check_list = False
engagement.target_start = timezone.now().date()
engagement.target_end = timezone.now().date()
engagement.product = product
engagement.active = True
engagement.status = 'In Progress'
engagement.version = version
engagement.branch_tag = branch_tag
engagement.build_id = build_id
engagement.commit_hash = commit_hash
engagement.save()
# can't use helper as when push_all_jira_issues is True, the checkbox gets disabled and is always false
# push_to_jira = jira_helper.is_push_to_jira(new_finding, jform.cleaned_data.get('push_to_jira'))
push_to_jira = push_all_jira_issues or (
jform and jform.cleaned_data.get('push_to_jira'))
error = False
try:
importer = Importer()
test, finding_count, closed_finding_count = importer.import_scan(
scan,
scan_type,
engagement,
user,
environment,
active=active,
verified=verified,
tags=tags,
minimum_severity=minimum_severity,
endpoints_to_add=form.cleaned_data['endpoints'],
scan_date=scan_date,
version=version,
branch_tag=branch_tag,
build_id=build_id,
commit_hash=commit_hash,
push_to_jira=push_to_jira,
close_old_findings=close_old_findings,
group_by=group_by)
message = f'{scan_type} processed a total of {finding_count} findings'
if close_old_findings:
message = message + ' and closed %d findings' % (
closed_finding_count)
message = message + "."
add_success_message_to_response(message)
except Exception as e:
logger.exception(e)
add_error_message_to_response(
'An exception error occurred during the report import:%s' %
str(e))
error = True
# Save the credential to the test
if cred_form.is_valid():
if cred_form.cleaned_data['cred_user']:
# Select the credential mapping object from the selected list and only allow if the credential is associated with the product
cred_user = Cred_Mapping.objects.filter(
pk=cred_form.cleaned_data['cred_user'].id,
engagement=eid).first()
new_f = cred_form.save(commit=False)
new_f.test = test
new_f.cred_id = cred_user.cred_id
new_f.save()
if not error:
return HttpResponseRedirect(
reverse('view_test', args=(test.id, )))
prod_id = None
custom_breadcrumb = None
title = "Import Scan Results"
if engagement:
prod_id = engagement.product.id
product_tab = Product_Tab(prod_id, title=title, tab="engagements")
product_tab.setEngagement(engagement)
else:
prod_id = pid
custom_breadcrumb = {"", ""}
product_tab = Product_Tab(prod_id, title=title, tab="findings")
if jira_helper.get_jira_project(engagement_or_product):
jform = JIRAImportScanForm(push_all=push_all_jira_issues,
prefix='jiraform')
form.fields['endpoints'].queryset = Endpoint.objects.filter(
product__id=product_tab.product.id)
return render(
request, 'dojo/import_scan_results.html', {
'form': form,
'product_tab': product_tab,
'engagement_or_product': engagement_or_product,
'custom_breadcrumb': custom_breadcrumb,
'title': title,
'cred_form': cred_form,
'jform': jform,
'scan_types': get_choices(),
})