def test_user_post_save_without_template(self, mock_notifications, mock_member, mock_settings): user = Dojo_User() user.id = 1 group = Dojo_Group() group.id = 1 role = Role.objects.get(id=Roles.Reader) system_settings_group = System_Settings() system_settings_group.default_group = group system_settings_group.default_group_role = role mock_settings.get.return_value = system_settings_group save_mock_member = Mock(return_value=Dojo_Group_Member()) mock_member.return_value = save_mock_member save_mock_notifications = Mock(return_value=Notifications()) mock_notifications.return_value = save_mock_notifications mock_notifications.objects.get.side_effect = Exception( "Mock no templates") user_post_save(None, user, True) mock_member.assert_called_with(group=group, user=user, role=role) save_mock_member.save.assert_called_once() mock_notifications.assert_called_with(user=user) save_mock_notifications.save.assert_called_once()
def test_user_post_save_email_pattern_does_not_match( self, mock_notifications, mock_member, mock_settings): user = Dojo_User() user.id = 1 user.email = '*****@*****.**' group = Dojo_Group() group.id = 1 role = Role.objects.get(id=Roles.Reader) system_settings_group = System_Settings() system_settings_group.default_group = group system_settings_group.default_group_role = role system_settings_group.default_group_email_pattern = '.*@example.com' save_mock_notifications = Mock(return_value=Notifications()) mock_notifications.return_value = save_mock_notifications mock_notifications.objects.get.side_effect = Exception( "Mock no templates") mock_settings.get.return_value = system_settings_group save_mock_member = Mock(return_value=Dojo_Group_Member()) mock_member.return_value = save_mock_member user_post_save(None, user, True) mock_member.assert_not_called() save_mock_member.save.assert_not_called()
def change_password(request): user = get_object_or_404(Dojo_User, pk=request.user.id) form = ChangePasswordForm(user=user) if request.method == 'POST': form = ChangePasswordForm(request.POST, user=user) if form.is_valid(): current_password = form.cleaned_data['current_password'] new_password = form.cleaned_data['new_password'] confirm_password = form.cleaned_data['confirm_password'] user.set_password(new_password) Dojo_User.disable_force_password_reset(user) user.save() messages.add_message(request, messages.SUCCESS, 'Your password has been changed.', extra_tags='alert-success') return HttpResponseRedirect(reverse('view_profile')) add_breadcrumb(title="Change Password", top_level=False, request=request) return render(request, 'dojo/change_pwd.html', { 'name': 'ChangePassword', 'form': form })
def test_user_post_save_with_template(self, mock_notifications, mock_member, mock_settings): user = Dojo_User() user.id = 1 group = Dojo_Group() group.id = 1 template = Mock(Notifications(template=False, user=user)) role = Role.objects.get(id=Roles.Reader) system_settings_group = System_Settings() system_settings_group.default_group = group system_settings_group.default_group_role = role mock_settings.get.return_value = system_settings_group save_mock_member = Mock(return_value=Dojo_Group_Member()) mock_member.return_value = save_mock_member mock_notifications.objects.get.return_value = template user_post_save(None, user, True) mock_member.assert_called_with(group=group, user=user, role=role) save_mock_member.save.assert_called_once() mock_notifications.objects.get.assert_called_with(template=True) template.save.assert_called_once()
def __wrapper__(*args, **kwargs): from dojo.utils import get_current_user user = get_current_user() from dojo.models import Dojo_User if Dojo_User.wants_block_execution(user): logger.debug( 'dojo_async_task: running task in the foreground as block_execution is set to True for %s', user) return func(*args, **kwargs) else: return func.delay(*args, **kwargs)
def setUp(self): self.product_type = Product_Type() self.user = Dojo_User() self.group = Group() self.permission_a = Permission() self.permission_a.codename = 'a' self.permission_b = Permission() self.permission_b.codename = 'b' self.permission_c = Permission() self.permission_c.codename = 'c'
def we_want_async(): from dojo.utils import get_current_user from dojo.models import Dojo_User user = get_current_user() if Dojo_User.wants_block_execution(user): logger.debug( 'dojo_async_task: running task in the foreground as block_execution is set to True for %s', user) return False return True
def _wrapped(request, *args, **kw): _block = getattr(settings, 'RATE_LIMITER_BLOCK', block) _rate = getattr(settings, 'RATE_LIMITER_RATE', rate) _lockout = getattr(settings, 'RATE_LIMITER_ACCOUNT_LOCKOUT', False) old_limited = getattr(request, 'limited', False) ratelimited = is_ratelimited(request=request, fn=fn, key=key, rate=_rate, method=method, increment=True) request.limited = ratelimited or old_limited if ratelimited and _block: if _lockout: username = request.POST.get('username', None) if username: dojo_user = Dojo_User.objects.filter( username=username).first() if dojo_user: Dojo_User.enable_force_password_rest(dojo_user) raise Ratelimited() return fn(request, *args, **kw)
def setUpTestData(cls): cls.user = Dojo_User() cls.user.id = 1 cls.group = Dojo_Group() cls.group.id = 1 cls.system_settings_email = System_Settings() cls.system_settings_email.staff_user_email_pattern = '.*@example.com' cls.role = Role.objects.get(id=Roles.Reader) cls.system_settings_group = System_Settings() cls.system_settings_group.default_group = cls.group cls.system_settings_group.default_group_role = cls.role
def process_notifications(event, notifications=None, *args, **kwargs): from dojo.utils import get_system_setting if not notifications: logger.warn('no notifications!') return sync = 'initiator' in kwargs and Dojo_User.wants_block_execution( kwargs['initiator']) # logger.debug('sync: %s %s', sync, vars(notifications)) logger.debug('sending notification ' + ('synchronously' if sync else 'asynchronously')) logger.debug('process notifications for %s', notifications.user) logger.debug('notifications: %s', vars(notifications)) slack_enabled = get_system_setting('enable_slack_notifications') msteams_enabled = get_system_setting('enable_msteams_notifications') mail_enabled = get_system_setting('enable_mail_notifications') if slack_enabled and 'slack' in getattr(notifications, event): if not sync: send_slack_notification.delay(event, notifications.user, *args, **kwargs) else: send_slack_notification(event, notifications.user, *args, **kwargs) if msteams_enabled and 'msteams' in getattr(notifications, event): if not sync: send_msteams_notification.delay(event, notifications.user, *args, **kwargs) else: send_msteams_notification(event, notifications.user, *args, **kwargs) logger.debug('mail_enabled: %s', mail_enabled) logger.debug('getattr(notifications, event): %s', getattr(notifications, event)) if mail_enabled and 'mail' in getattr(notifications, event): if not sync: send_mail_notification.delay(event, notifications.user, *args, **kwargs) else: send_mail_notification(event, notifications.user, *args, **kwargs) if 'alert' in getattr(notifications, event, None): send_alert_notification(event, notifications.user, *args, **kwargs)
def we_want_async(*args, **kwargs): from dojo.utils import get_current_user from dojo.models import Dojo_User sync = kwargs.get('sync', False) if sync: logger.debug( 'dojo_async_task: running task in the foreground as sync=True has been found as kwarg' ) return False user = get_current_user() if Dojo_User.wants_block_execution(user): logger.debug( 'dojo_async_task: running task in the foreground as block_execution is set to True for %s', user) return False return True
def we_want_async(*args, func=None, **kwargs): from dojo.utils import get_current_user from dojo.models import Dojo_User sync = kwargs.get('sync', False) if sync: logger.debug( 'dojo_async_task %s: running task in the foreground as sync=True has been found as kwarg', func) return False user = kwargs.get('async_user', get_current_user()) logger.debug('user: %s', user) if Dojo_User.wants_block_execution(user): logger.debug( 'dojo_async_task %s: running task in the foreground as block_execution is set to True for %s', func, user) return False logger.debug( 'dojo_async_task %s: no current user, running task in the background', func) return True
def full_name(user): # not in all templates we have access to a Dojo_User instance, so we use a filter # see https://github.com/DefectDojo/django-DefectDojo/pull/3278 return Dojo_User.generate_full_name(user)
def add_temp_finding(request, tid, fid): jform = None test = get_object_or_404(Test, id=tid) finding = get_object_or_404(Finding_Template, id=fid) findings = Finding_Template.objects.all() push_all_jira_issues = False if get_system_setting('enable_jira'): push_all_jira_issues = test.engagement.product.jira_pkey_set.first( ).push_all_issues jform = JIRAFindingForm(push_all=push_all_jira_issues, prefix='jiraform', jira_pkey=test.engagement.product.jira_pkey) else: jform = None if request.method == 'POST': form = FindingForm(request.POST, template=True, req_resp=None) if (form['active'].value() is False or form['false_p'].value() ) and form['duplicate'].value() is False: closing_disabled = Note_Type.objects.filter( is_mandatory=True, is_active=True).count() if closing_disabled != 0: error_inactive = ValidationError( 'Can not set a finding as inactive without adding all mandatory notes', code='not_active_or_false_p_true') error_false_p = ValidationError( 'Can not set a finding as false positive without adding all mandatory notes', code='not_active_or_false_p_true') if form['active'].value() is False: form.add_error('active', error_inactive) if form['false_p'].value(): form.add_error('false_p', error_false_p) messages.add_message( request, messages.ERROR, 'Can not set a finding as inactive or false positive without adding all mandatory notes', extra_tags='alert-danger') if form.is_valid(): finding.last_used = timezone.now() finding.save() new_finding = form.save(commit=False) new_finding.test = test new_finding.reporter = request.user new_finding.numerical_severity = Finding.get_numerical_severity( new_finding.severity) new_finding.date = datetime.today() if new_finding.false_p or new_finding.active is False: new_finding.mitigated = timezone.now() new_finding.mitigated_by = request.user new_finding.is_Mitigated = True create_template = new_finding.is_template # is template always False now in favor of new model Finding_Template # no further action needed here since this is already adding from template. new_finding.is_template = False new_finding.save(dedupe_option=False, false_history=False) for ep in form.cleaned_data['endpoints']: eps, created = Endpoint_Status.objects.get_or_create( finding=new_finding, endpoint=ep) ep.endpoint_status.add(eps) new_finding.endpoints.add(ep) new_finding.endpoint_status.add(eps) new_finding.save(false_history=True) tags = request.POST.getlist('tags') t = ", ".join('"{0}"'.format(w) for w in tags) new_finding.tags = t if 'jiraform-push_to_jira' in request.POST: jform = JIRAFindingForm( request.POST, prefix='jiraform', push_all=push_all_jira_issues, jira_pkey=test.engagement.product.jira_pkey) if jform.is_valid(): if Dojo_User.wants_block_execution(request.user): add_jira_issue(new_finding, jform.cleaned_data.get('push_to_jira')) else: add_jira_issue_task.delay( new_finding, jform.cleaned_data.get('push_to_jira')) messages.add_message(request, messages.SUCCESS, 'Finding from template added successfully.', extra_tags='alert-success') if create_template: templates = Finding_Template.objects.filter( title=new_finding.title) if len(templates) > 0: messages.add_message( request, messages.ERROR, 'A finding template was not created. A template with this title already ' 'exists.', extra_tags='alert-danger') else: template = Finding_Template( title=new_finding.title, cwe=new_finding.cwe, severity=new_finding.severity, description=new_finding.description, mitigation=new_finding.mitigation, impact=new_finding.impact, references=new_finding.references, numerical_severity=new_finding.numerical_severity) template.save() messages.add_message( request, messages.SUCCESS, 'A finding template was also created.', extra_tags='alert-success') return HttpResponseRedirect(reverse('view_test', args=(test.id, ))) else: messages.add_message( request, messages.ERROR, 'The form has errors, please correct them below.', extra_tags='alert-danger') else: form = FindingForm(template=True, req_resp=None, initial={ 'active': False, 'date': timezone.now().date(), 'verified': False, 'false_p': False, 'duplicate': False, 'out_of_scope': False, 'title': finding.title, 'description': finding.description, 'cwe': finding.cwe, 'severity': finding.severity, 'mitigation': finding.mitigation, 'impact': finding.impact, 'references': finding.references, 'numerical_severity': finding.numerical_severity, 'tags': [tag.name for tag in finding.tags] }) product_tab = Product_Tab(test.engagement.product.id, title="Add Finding", tab="engagements") product_tab.setEngagement(test.engagement) return render( request, 'dojo/add_findings.html', { 'form': form, 'product_tab': product_tab, 'jform': jform, 'findings': findings, 'temp': True, 'fid': finding.id, 'tid': test.id, 'test': test, })
def setUpTestData(cls): cls.user = Dojo_User() cls.user.id = 1 cls.user2 = Dojo_User() cls.user2.id = 2 cls.global_role_user = Global_Role() cls.global_role_user.id = 1 cls.global_role_user.user = cls.user2 cls.global_role_user.role = Role.objects.get(id=Roles.Reader) cls.product_type = Product_Type() cls.product_type.id = 1 cls.product_type_member = Product_Type_Member() cls.product_type_member.id = 1 cls.product = Product() cls.product.id = 1 cls.product_member = Product_Member() cls.product_member.id = 1 cls.product.prod_type = cls.product_type cls.engagement = Engagement() cls.engagement.product = cls.product cls.test = Test() cls.test.engagement = cls.engagement cls.finding = Finding() cls.finding.test = cls.test cls.stub_finding = Stub_Finding() cls.stub_finding.test = cls.test cls.endpoint = Endpoint() cls.endpoint.product = cls.product cls.technology = App_Analysis() cls.technology.product = cls.product cls.language = Languages() cls.language.product = cls.product cls.product_type_member_reader = Product_Type_Member() cls.product_type_member_reader.user = cls.user cls.product_type_member_reader.product_type = cls.product_type cls.product_type_member_reader.role = Role.objects.get(id=Roles.Reader) cls.product_type_member_owner = Product_Type_Member() cls.product_type_member_owner.user = cls.user cls.product_type_member_owner.product_type = cls.product_type cls.product_type_member_owner.role = Role.objects.get(id=Roles.Owner) cls.product_member_reader = Product_Member() cls.product_member_reader.user = cls.user cls.product_member_reader.product = cls.product cls.product_member_reader.role = Role.objects.get(id=Roles.Reader) cls.product_member_owner = Product_Member() cls.product_member_owner.user = cls.user cls.product_member_owner.product = cls.product cls.product_member_owner.role = Role.objects.get(id=Roles.Owner) cls.group = Dojo_Group() cls.group.id = 1 cls.product_group_reader = Product_Group() cls.product_group_reader.id = 1 cls.product_group_reader.product = cls.product cls.product_group_reader.group = cls.group cls.product_group_reader.role = Role.objects.get(id=Roles.Reader) cls.product_group_owner = Product_Group() cls.product_group_owner.id = 2 cls.product_group_owner.product = cls.product cls.product_group_owner.group = cls.group cls.product_group_owner.role = Role.objects.get(id=Roles.Owner) cls.product_type_group_reader = Product_Type_Group() cls.product_type_group_reader.id = 1 cls.product_type_group_reader.product_type = cls.product_type cls.product_type_group_reader.group = cls.group cls.product_type_group_reader.role = Role.objects.get(id=Roles.Reader) cls.product_type_group_owner = Product_Type_Group() cls.product_type_group_owner.id = 2 cls.product_type_group_owner.product_type = cls.product_type cls.product_type_group_owner.group = cls.group cls.product_type_group_owner.role = Role.objects.get(id=Roles.Owner) cls.group2 = Dojo_Group() cls.group2.id = 2 cls.global_role_group = Global_Role() cls.global_role_group.id = 2 cls.global_role_group.group = cls.group2 cls.global_role_group.role = Role.objects.get(id=Roles.Maintainer) cls.user3 = Dojo_User() cls.user3.id = 3 cls.global_role_user = Global_Role() cls.global_role_user.id = 3 cls.global_role_user.user = cls.user3 cls.global_role_user.role = None cls.group3 = Dojo_Group() cls.group3.id = 3 cls.user4 = Dojo_User() cls.user4.id = 4 cls.group_member = Dojo_Group_Member() cls.group_member.id = 1 cls.group_member.group = cls.group3 cls.group_member.user = cls.user4 cls.group_member.role = Role.objects.get(id=Roles.Writer) cls.user5 = Dojo_User() cls.user5.id = 5 cls.global_role_user = Global_Role() cls.global_role_user.id = 5 cls.global_role_user.user = cls.user5 cls.global_role_user.role = Role.objects.get(id=Roles.Owner)
def edit_engagement(request, eid): eng = Engagement.objects.get(pk=eid) ci_cd_form = False if eng.engagement_type == "CI/CD": ci_cd_form = True jform = None use_jira = get_system_setting( 'enable_jira') and eng.product.jira_pkey is not None if request.method == 'POST': form = EngForm(request.POST, instance=eng, cicd=ci_cd_form, product=eng.product.id, user=request.user) if 'jiraform-push_to_jira' in request.POST: jform = JIRAEngagementForm(request.POST, prefix='jiraform', instance=eng) if (form.is_valid() and jform is None) or (form.is_valid() and jform and jform.is_valid()): logger.debug('jform valid') if 'jiraform-push_to_jira' in request.POST: logger.debug('push_to_jira true') if JIRA_Issue.objects.filter(engagement=eng).exists(): if Dojo_User.wants_block_execution(request.user): update_epic(eng, jform.cleaned_data.get('push_to_jira')) else: update_epic_task.delay( eng, jform.cleaned_data.get('push_to_jira')) else: if Dojo_User.wants_block_execution(request.user): add_epic(eng, jform.cleaned_data.get('push_to_jira')) else: add_epic_task.delay( eng, jform.cleaned_data.get('push_to_jira')) temp_form = form.save(commit=False) if (temp_form.status == "Cancelled" or temp_form.status == "Completed"): temp_form.active = False elif (temp_form.active is False): temp_form.active = True temp_form.product_id = form.cleaned_data.get('product').id temp_form.save() tags = request.POST.getlist('tags') t = ", ".join('"{0}"'.format(w) for w in tags) eng.tags = t messages.add_message(request, messages.SUCCESS, 'Engagement updated successfully.', extra_tags='alert-success') if '_Add Tests' in request.POST: return HttpResponseRedirect( reverse('add_tests', args=(eng.id, ))) else: return HttpResponseRedirect( reverse('view_engagement', args=(eng.id, ))) else: form = EngForm(initial={'product': eng.product.id}, instance=eng, cicd=ci_cd_form, product=eng.product.id, user=request.user) if use_jira: jform = JIRAEngagementForm(prefix='jiraform', instance=eng) else: jform = None form.initial['tags'] = [tag.name for tag in eng.tags] title = "" if eng.engagement_type == "CI/CD": title = " CI/CD" product_tab = Product_Tab(eng.product.id, title="Edit" + title + " Engagement", tab="engagements") product_tab.setEngagement(eng) return render( request, 'dojo/new_eng.html', { 'product_tab': product_tab, 'form': form, 'edit': True, 'jform': jform, 'eng': eng })
def setUpTestData(cls): cls.user = Dojo_User() cls.user.id = 1 cls.system_settings_email = System_Settings() cls.system_settings_email.staff_user_email_pattern = '.*@example.com'