def get_authorized_engagement_presets(permission):
user = get_current_user()
if user is None:
return Engagement_Presets.objects.none()
if user.is_superuser:
return Engagement_Presets.objects.all().order_by('title')
if settings.FEATURE_AUTHORIZATION_V2:
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Engagement_Presets.objects.all().order_by('title')
if hasattr(
user, 'global_role'
) and user.global_role.role is not None and role_has_permission(
user.global_role.role.id, permission):
return Engagement_Presets.objects.all().order_by('title')
for group in get_groups(user):
if hasattr(
group, 'global_role'
) and group.global_role.role is not None and role_has_permission(
group.global_role.role.id, permission):
return Engagement_Presets.objects.all().order_by('title')
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'), user=user, role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'), group__users=user, role__in=roles)
engagement_presets = Engagement_Presets.objects.annotate(
product__prod_type__member=Exists(authorized_product_type_roles),
product__member=Exists(authorized_product_roles),
product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
product__authorized_group=Exists(
authorized_product_groups)).order_by('title')
engagement_presets = engagement_presets.filter(
Q(product__prod_type__member=True) | Q(product__member=True)
| Q(product__prod_type__authorized_group=True)
| Q(product__authorized_group=True))
else:
if user.is_staff:
engagement_presets = Engagement_Presets.objects.all().order_by(
'title')
else:
engagement_presets = Engagement_Presets.objects.filter(
Q(product__authorized_users__in=[user])
| Q(product__prod_type__authorized_users__in=[user])).order_by(
'title')
return engagement_presets
def get_authorized_groups(permission):
user = get_current_user()
if user is None:
return Dojo_Group.objects.none()
if user.is_superuser:
return Dojo_Group.objects.all().order_by('name')
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Dojo_Group.objects.all().order_by('name')
if hasattr(user, 'global_role'
) and user.global_role.role is not None and role_has_permission(
user.global_role.role.id, permission):
return Dojo_Group.objects.all().order_by('name')
for group in get_groups(user):
if hasattr(
group, 'global_role'
) and group.global_role.role is not None and role_has_permission(
group.global_role.role.id, permission):
return Dojo_Group.objects.all().order_by('name')
roles = get_roles_for_permission(permission)
authorized_roles = Dojo_Group_Member.objects.filter(group=OuterRef('pk'),
user=user,
role__in=roles)
groups = Dojo_Group.objects.annotate(
user=Exists(authorized_roles)).order_by('name')
return groups.filter(user=True)
def get_authorized_product_type_members_for_user(user, permission):
request_user = get_current_user()
if request_user is None:
return Product_Type_Member.objects.none()
if request_user.is_superuser:
return Product_Type_Member.objects.filter(user=user).select_related(
'role', 'product_type')
if request_user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Product_Type_Member.objects.filter(user=user).select_related(
'role', 'product_type')
if hasattr(
request_user, 'global_role'
) and request_user.global_role.role is not None and role_has_permission(
request_user.global_role.role.id, permission):
return Product_Type_Member.objects.filter(user=user).select_related(
'role', 'product_type')
product_types = get_authorized_product_types(permission)
return Product_Type_Member.objects.filter(
user=user,
product_type__in=product_types).select_related('role', 'product_type')
def get_authorized_product_api_scan_configurations(permission):
user = get_current_user()
if user is None:
return Product_API_Scan_Configuration.objects.none()
if user.is_superuser:
return Product_API_Scan_Configuration.objects.all()
if settings.FEATURE_AUTHORIZATION_V2:
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Product_API_Scan_Configuration.objects.all()
if hasattr(user, 'global_role') and user.global_role.role is not None and role_has_permission(user.global_role.role.id, permission):
return Product_API_Scan_Configuration.objects.all()
for group in get_groups(user):
if hasattr(group, 'global_role') and group.global_role.role is not None and role_has_permission(group.global_role.role.id, permission):
return Product_API_Scan_Configuration.objects.all()
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'),
group__users=user,
role__in=roles)
product_api_scan_configurations = Product_API_Scan_Configuration.objects.annotate(
product__prod_type__member=Exists(authorized_product_type_roles),
product__member=Exists(authorized_product_roles),
product__prod_type__authorized_group=Exists(authorized_product_type_groups),
product__authorized_group=Exists(authorized_product_groups))
product_api_scan_configurations = product_api_scan_configurations.filter(
Q(product__prod_type__member=True) | Q(product__member=True) |
Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True))
else:
if user.is_staff:
product_api_scan_configurations = Product_API_Scan_Configuration.objects.all()
else:
product_api_scan_configurations = Product_API_Scan_Configuration.objects.filter(
Q(product__authorized_users__in=[user]) |
Q(product__prod_type__authorized_users__in=[user]))
return product_api_scan_configurations
def get_authorized_product_members(permission):
user = get_current_user()
if user is None:
return Product_Member.objects.none()
if user.is_superuser:
return Product_Member.objects.all().select_related('role')
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Product_Member.objects.all().select_related('role')
if hasattr(user, 'global_role') and user.global_role.role is not None and role_has_permission(user.global_role.role.id, permission):
return Product_Member.objects.all().select_related('role')
products = get_authorized_products(permission)
return Product_Member.objects.filter(product__in=products).select_related('role')
def test_role_has_permission_false(self):
result = role_has_permission(Roles.Reader, Permissions.Product_Type_Edit)
self.assertFalse(result)
def test_role_has_permission_true(self):
result = role_has_permission(Roles.Maintainer, Permissions.Product_Type_Edit)
self.assertTrue(result)
def test_role_has_permission_exception(self):
with self.assertRaisesMessage(RoleDoesNotExistError,
'Role 9999 does not exist'):
role_has_permission(9999, Permissions.Product_Type_Edit)
def get_authorized_findings(permission, queryset=None, user=None):
if user is None:
user = get_current_user()
if user is None:
return Finding.objects.none()
if queryset is None:
findings = Finding.objects.all()
else:
findings = queryset
if user.is_superuser:
return findings
if settings.FEATURE_AUTHORIZATION_V2:
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return findings
if hasattr(
user, 'global_role'
) and user.global_role.role is not None and role_has_permission(
user.global_role.role.id, permission):
return findings
for group in get_groups(user):
if hasattr(
group, 'global_role'
) and group.global_role.role is not None and role_has_permission(
group.global_role.role.id, permission):
return findings
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('test__engagement__product_id'),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('test__engagement__product_id'),
group__users=user,
role__in=roles)
findings = findings.annotate(
test__engagement__product__prod_type__member=Exists(
authorized_product_type_roles),
test__engagement__product__member=Exists(authorized_product_roles),
test__engagement__product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
test__engagement__product__authorized_group=Exists(
authorized_product_groups))
findings = findings.filter(
Q(test__engagement__product__prod_type__member=True)
| Q(test__engagement__product__member=True)
| Q(test__engagement__product__prod_type__authorized_group=True)
| Q(test__engagement__product__authorized_group=True))
else:
if not user.is_staff:
findings = findings.filter(
Q(test__engagement__product__authorized_users__in=[user]) |
Q(test__engagement__product__prod_type__authorized_users__in=[
user
]))
return findings
def get_authorized_dojo_meta(permission):
user = get_current_user()
if user is None:
return DojoMeta.objects.none()
if user.is_superuser:
return DojoMeta.objects.all().order_by('name')
if settings.FEATURE_AUTHORIZATION_V2:
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return DojoMeta.objects.all().order_by('name')
if hasattr(
user, 'global_role'
) and user.global_role.role is not None and role_has_permission(
user.global_role.role.id, permission):
return DojoMeta.objects.all().order_by('name')
for group in get_groups(user):
if hasattr(
group, 'global_role'
) and group.global_role.role is not None and role_has_permission(
group.global_role.role.id, permission):
return DojoMeta.objects.all().order_by('name')
roles = get_roles_for_permission(permission)
product_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
product_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'), user=user, role__in=roles)
product_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
product_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'), group__users=user, role__in=roles)
endpoint_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('endpoint__product__prod_type_id'),
user=user,
role__in=roles)
endpoint_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('endpoint__product_id'),
user=user,
role__in=roles)
endpoint_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('endpoint__product__prod_type_id'),
group__users=user,
role__in=roles)
endpoint_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('endpoint__product_id'),
group__users=user,
role__in=roles)
finding_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef(
'finding__test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
finding_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('finding__test__engagement__product_id'),
user=user,
role__in=roles)
finding_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef(
'finding__test__engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
finding_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('finding__test__engagement__product_id'),
group__users=user,
role__in=roles)
dojo_meta = DojoMeta.objects.annotate(
product__prod_type__member=Exists(
product_authorized_product_type_roles),
product__member=Exists(product_authorized_product_roles),
product__prod_type__authorized_group=Exists(
product_authorized_product_type_groups),
product__authorized_group=Exists(
product_authorized_product_groups),
endpoint__product__prod_type__member=Exists(
endpoint_authorized_product_type_roles),
endpoint__product__member=Exists(
endpoint_authorized_product_roles),
endpoint__product__prod_type__authorized_group=Exists(
endpoint_authorized_product_type_groups),
endpoint__product__authorized_group=Exists(
endpoint_authorized_product_groups),
finding__test__engagement__product__prod_type__member=Exists(
finding_authorized_product_type_roles),
finding__test__engagement__product__member=Exists(
finding_authorized_product_roles),
finding__test__engagement__product__prod_type__authorized_group=
Exists(finding_authorized_product_type_groups),
finding__test__engagement__product__authorized_group=Exists(
finding_authorized_product_groups)).order_by('name')
dojo_meta = dojo_meta.filter(
Q(product__prod_type__member=True) | Q(product__member=True)
| Q(product__prod_type__authorized_group=True)
| Q(product__authorized_group=True)
| Q(endpoint__product__prod_type__member=True)
| Q(endpoint__product__member=True)
| Q(endpoint__product__prod_type__authorized_group=True)
| Q(endpoint__product__authorized_group=True)
| Q(finding__test__engagement__product__prod_type__member=True)
| Q(finding__test__engagement__product__member=True)
| Q(finding__test__engagement__product__prod_type__authorized_group
=True)
| Q(finding__test__engagement__product__authorized_group=True))
else:
if user.is_staff:
dojo_meta = DojoMeta.objects.all().order_by('name')
else:
dojo_meta = DojoMeta.objects.filter(
Q(product__authorized_users__in=[user])
| Q(product__prod_type__authorized_users__in=[user])
| Q(endpoint__product__authorized_users__in=[user])
| Q(endpoint__product__prod_type__authorized_users__in=[user])
| Q(finding__test__engagement__product__authorized_users__in=[
user
]) |
Q(finding__test__engagement__product__prod_type__authorized_users__in
=[user])).order_by('name')
return dojo_meta
def get_authorized_product_members_for_user(user, permission):
request_user = get_current_user()
if request_user is None:
return Product_Member.objects.none()
if request_user.is_superuser:
return Product_Member.objects.filter(user=user).select_related('role', 'product')
if hasattr(request_user, 'global_role') and request_user.global_role.role is not None and role_has_permission(request_user.global_role.role.id, permission):
return Product_Member.objects.filter(user=user).select_related('role', 'product')
products = get_authorized_products(permission)
return Product_Member.objects.filter(user=user, product__in=products).select_related('role', 'product')