def get_authorized_users_for_product_and_product_type(users, product,
permission):
if users is None:
User = get_user_model()
users = User.objects.filter(is_active=True)
if settings.FEATURE_AUTHORIZATION_V2:
roles = get_roles_for_permission(permission)
product_members = Product_Member.objects \
.filter(product=product, role__in=roles)
product_type_members = Product_Type_Member.objects \
.filter(product_type=product.prod_type, role__in=roles)
product_groups = Product_Group.objects \
.filter(product=product, role__in=roles)
product_type_groups = Product_Type_Group.objects \
.filter(product_type=product.prod_type, role__in=roles)
group_members = Dojo_Group_Member.objects.filter(
Q(group__in=[pg.group for pg in product_groups])
| Q(group__in=[ptg.group for ptg in product_type_groups]))
return users.filter(
Q(id__in=[pm.user.id for pm in product_members])
| Q(id__in=[ptm.user.id for ptm in product_type_members])
| Q(id__in=[gm.user.id for gm in group_members])
| Q(global_role__role__in=roles) | Q(is_superuser=True))
else:
return users.filter(
Q(id__in=product.authorized_users.all())
| Q(id__in=product.prod_type.authorized_users.all())
| Q(is_superuser=True) | Q(is_staff=True))
def get_authorized_product_types(permission):
user = get_current_user()
if user is None:
return Product_Type.objects.none()
if user.is_superuser:
return Product_Type.objects.all().order_by('name')
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Product_Type.objects.all().order_by('name')
if user_has_global_permission(user, permission):
return Product_Type.objects.all().order_by('name')
roles = get_roles_for_permission(permission)
authorized_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('pk'), user=user, role__in=roles)
authorized_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('pk'), group__users=user, role__in=roles)
product_types = Product_Type.objects.annotate(
member=Exists(authorized_roles),
authorized_group=Exists(authorized_groups)).order_by('name')
product_types = product_types.filter(
Q(member=True) | Q(authorized_group=True))
return product_types
def get_authorized_products(permission):
user = get_current_user()
if user is None:
return Product.objects.none()
if user.is_superuser:
return Product.objects.all().order_by('name')
if settings.FEATURE_AUTHORIZATION_V2:
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Product.objects.all().order_by('name')
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('prod_type_id'), user=user, role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('pk'), user=user, role__in=roles)
products = Product.objects.annotate(
prod_type__member=Exists(authorized_product_type_roles),
member=Exists(authorized_product_roles)).order_by('name')
products = products.filter(Q(prod_type__member=True) | Q(member=True))
else:
if user.is_staff:
products = Product.objects.all().order_by('name')
else:
products = Product.objects.filter(
Q(authorized_users__in=[user])
| Q(prod_type__authorized_users__in=[user])).order_by('name')
return products
def get_authorized_groups(permission):
user = get_current_user()
if user is None:
return Dojo_Group.objects.none()
if user.is_superuser:
return Dojo_Group.objects.all().order_by('name')
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Dojo_Group.objects.all().order_by('name')
if hasattr(user, 'global_role'
) and user.global_role.role is not None and role_has_permission(
user.global_role.role.id, permission):
return Dojo_Group.objects.all().order_by('name')
for group in get_groups(user):
if hasattr(
group, 'global_role'
) and group.global_role.role is not None and role_has_permission(
group.global_role.role.id, permission):
return Dojo_Group.objects.all().order_by('name')
roles = get_roles_for_permission(permission)
authorized_roles = Dojo_Group_Member.objects.filter(group=OuterRef('pk'),
user=user,
role__in=roles)
groups = Dojo_Group.objects.annotate(
user=Exists(authorized_roles)).order_by('name')
return groups.filter(user=True)
def get_authorized_engagement_presets(permission):
user = get_current_user()
if user is None:
return Engagement_Presets.objects.none()
if user.is_superuser:
return Engagement_Presets.objects.all().order_by('title')
if settings.FEATURE_AUTHORIZATION_V2:
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Engagement_Presets.objects.all().order_by('title')
if hasattr(
user, 'global_role'
) and user.global_role.role is not None and role_has_permission(
user.global_role.role.id, permission):
return Engagement_Presets.objects.all().order_by('title')
for group in get_groups(user):
if hasattr(
group, 'global_role'
) and group.global_role.role is not None and role_has_permission(
group.global_role.role.id, permission):
return Engagement_Presets.objects.all().order_by('title')
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'), user=user, role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'), group__users=user, role__in=roles)
engagement_presets = Engagement_Presets.objects.annotate(
product__prod_type__member=Exists(authorized_product_type_roles),
product__member=Exists(authorized_product_roles),
product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
product__authorized_group=Exists(
authorized_product_groups)).order_by('title')
engagement_presets = engagement_presets.filter(
Q(product__prod_type__member=True) | Q(product__member=True)
| Q(product__prod_type__authorized_group=True)
| Q(product__authorized_group=True))
else:
if user.is_staff:
engagement_presets = Engagement_Presets.objects.all().order_by(
'title')
else:
engagement_presets = Engagement_Presets.objects.filter(
Q(product__authorized_users__in=[user])
| Q(product__prod_type__authorized_users__in=[user])).order_by(
'title')
return engagement_presets
def get_authorized_finding_groups(permission, queryset=None, user=None):
if user is None:
user = get_current_user()
if user is None:
return Finding_Group.objects.none()
if queryset is None:
finding_groups = Finding_Group.objects.all()
else:
finding_groups = queryset
if user.is_superuser:
return finding_groups
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return finding_groups
if user_has_global_permission(user, permission):
return finding_groups
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('test__engagement__product_id'),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('test__engagement__product_id'),
group__users=user,
role__in=roles)
finding_groups = finding_groups.annotate(
test__engagement__product__prod_type__member=Exists(
authorized_product_type_roles),
test__engagement__product__member=Exists(authorized_product_roles),
test__engagement__product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
test__engagement__product__authorized_group=Exists(
authorized_product_groups))
finding_groups = finding_groups.filter(
Q(test__engagement__product__prod_type__member=True)
| Q(test__engagement__product__member=True)
| Q(test__engagement__product__prod_type__authorized_group=True)
| Q(test__engagement__product__authorized_group=True))
return finding_groups
def get_authorized_users_for_product_type(users, product_type, permission):
if settings.FEATURE_AUTHORIZATION_V2:
roles = get_roles_for_permission(permission)
product_type_members = Product_Type_Member.objects \
.filter(product_type=product_type, role__in=roles) \
.values_list('user_id', flat=True)
return users.filter(Q(id__in=product_type_members) | Q(is_superuser=True))
else:
return users.filter(Q(id__in=product_type.authorized_users.all()) |
Q(is_superuser=True) |
Q(is_staff=True))
def get_authorized_product_api_scan_configurations(permission):
user = get_current_user()
if user is None:
return Product_API_Scan_Configuration.objects.none()
if user.is_superuser:
return Product_API_Scan_Configuration.objects.all()
if settings.FEATURE_AUTHORIZATION_V2:
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Product_API_Scan_Configuration.objects.all()
if hasattr(user, 'global_role') and user.global_role.role is not None and role_has_permission(user.global_role.role.id, permission):
return Product_API_Scan_Configuration.objects.all()
for group in get_groups(user):
if hasattr(group, 'global_role') and group.global_role.role is not None and role_has_permission(group.global_role.role.id, permission):
return Product_API_Scan_Configuration.objects.all()
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'),
group__users=user,
role__in=roles)
product_api_scan_configurations = Product_API_Scan_Configuration.objects.annotate(
product__prod_type__member=Exists(authorized_product_type_roles),
product__member=Exists(authorized_product_roles),
product__prod_type__authorized_group=Exists(authorized_product_type_groups),
product__authorized_group=Exists(authorized_product_groups))
product_api_scan_configurations = product_api_scan_configurations.filter(
Q(product__prod_type__member=True) | Q(product__member=True) |
Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True))
else:
if user.is_staff:
product_api_scan_configurations = Product_API_Scan_Configuration.objects.all()
else:
product_api_scan_configurations = Product_API_Scan_Configuration.objects.filter(
Q(product__authorized_users__in=[user]) |
Q(product__prod_type__authorized_users__in=[user]))
return product_api_scan_configurations
def get_authorized_users_for_product_type(users, product_type, permission):
roles = get_roles_for_permission(permission)
product_type_members = Product_Type_Member.objects \
.filter(product_type=product_type, role__in=roles)
product_type_groups = Product_Type_Group.objects \
.filter(product_type=product_type, role__in=roles)
group_members = Dojo_Group_Member.objects. \
filter(group__in=[ptg.group for ptg in product_type_groups])
return users.filter(
Q(id__in=[ptm.user.id for ptm in product_type_members])
| Q(id__in=[gm.user.id for gm in group_members])
| Q(global_role__role__in=roles) | Q(is_superuser=True))
def get_authorized_tests(permission, product=None):
user = get_current_user()
if user is None:
return Test.objects.none()
tests = Test.objects.all()
if product:
tests = tests.filter(engagement__product=product)
if user.is_superuser:
return tests
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Test.objects.all()
if user_has_global_permission(user, permission):
return Test.objects.all()
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('engagement__product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('engagement__product_id'), user=user, role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('engagement__product_id'),
group__users=user,
role__in=roles)
tests = tests.annotate(
engagement__product__prod_type__member=Exists(
authorized_product_type_roles),
engagement__product__member=Exists(authorized_product_roles),
engagement__product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
engagement__product__authorized_group=Exists(
authorized_product_groups))
tests = tests.filter(
Q(engagement__product__prod_type__member=True)
| Q(engagement__product__member=True)
| Q(engagement__product__prod_type__authorized_group=True)
| Q(engagement__product__authorized_group=True))
return tests
def get_authorized_endpoint_status(permission, queryset=None, user=None):
if user is None:
user = get_current_user()
if user is None:
return Endpoint_Status.objects.none()
if queryset is None:
endpoint_status = Endpoint_Status.objects.all()
else:
endpoint_status = queryset
if user.is_superuser:
return endpoint_status
if user_has_global_permission(user, permission):
return endpoint_status
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('endpoint__product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('endpoint__product_id'), user=user, role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('endpoint__product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('endpoint__product_id'),
group__users=user,
role__in=roles)
endpoint_status = endpoint_status.annotate(
endpoint__product__prod_type__member=Exists(
authorized_product_type_roles),
endpoint__product__member=Exists(authorized_product_roles),
endpoint__product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
endpoint__product__authorized_group=Exists(authorized_product_groups))
endpoint_status = endpoint_status.filter(
Q(endpoint__product__prod_type__member=True)
| Q(endpoint__product__member=True)
| Q(endpoint__product__prod_type__authorized_group=True)
| Q(endpoint__product__authorized_group=True))
return endpoint_status
def get_authorized_groups(permission):
user = get_current_user()
if user is None:
return Dojo_Group.objects.none()
if user.is_superuser:
return Dojo_Group.objects.all().order_by('name')
roles = get_roles_for_permission(permission)
authorized_roles = Dojo_Group_Member.objects.filter(group=OuterRef('pk'),
user=user,
role__in=roles)
groups = Dojo_Group.objects.annotate(
user=Exists(authorized_roles)).order_by('name')
return groups.filter(user=True)
def get_authorized_users_for_product_type(users, product_type, permission):
if settings.FEATURE_AUTHORIZATION_V2:
roles = get_roles_for_permission(permission)
product_type_members = Product_Type_Member.objects \
.filter(product_type=product_type, role__in=roles)
product_type_groups = Product_Type_Group.objects \
.filter(product_type=product_type, role__in=roles)
groups = Dojo_Group.objects \
.filter(id__in=[ptg.group.id for ptg in product_type_groups])
return users.filter(Q(id__in=[ptm.user.id for ptm in product_type_members]) |
Q(groups__id__in=[gu.id for gu in groups]) |
Q(is_superuser=True))
else:
return users.filter(Q(id__in=product_type.authorized_users.all()) |
Q(is_superuser=True) |
Q(is_staff=True))
def get_authorized_cred_mappings(permission, queryset=None):
user = get_current_user()
if user is None:
return Cred_Mapping.objects.none()
if queryset is None:
cred_mappings = Cred_Mapping.objects.all()
else:
cred_mappings = queryset
if user.is_superuser:
return cred_mappings
if user_has_global_permission(user, permission):
return cred_mappings
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'),
group__users=user,
role__in=roles)
cred_mappings = cred_mappings.annotate(
product__prod_type__member=Exists(authorized_product_type_roles),
product__member=Exists(authorized_product_roles),
product__prod_type__authorized_group=Exists(authorized_product_type_groups),
product__authorized_group=Exists(authorized_product_groups))
cred_mappings = cred_mappings.filter(
Q(product__prod_type__member=True) | Q(product__member=True) |
Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True))
return cred_mappings
def get_authorized_findings(permission, queryset=None, user=None):
if user is None:
user = get_current_user()
if user is None:
return Finding.objects.none()
if queryset is None:
findings = Finding.objects.all()
else:
findings = queryset
if user.is_superuser:
return findings
if settings.FEATURE_AUTHORIZATION_V2:
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return findings
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('test__engagement__product_id'),
user=user,
role__in=roles)
findings = findings.annotate(
test__engagement__product__prod_type__member=Exists(
authorized_product_type_roles),
test__engagement__product__member=Exists(authorized_product_roles))
findings = findings.filter(
Q(test__engagement__product__prod_type__member=True)
| Q(test__engagement__product__member=True))
else:
if not user.is_staff:
findings = findings.filter(
Q(test__engagement__product__authorized_users__in=[user]) |
Q(test__engagement__product__prod_type__authorized_users__in=[
user
]))
return findings
def get_authorized_stub_findings(permission):
user = get_current_user()
if user is None:
return Stub_Finding.objects.none()
if user.is_superuser:
return Stub_Finding.objects.all()
if user_has_global_permission(user, permission):
return Stub_Finding.objects.all()
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('test__engagement__product_id'),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('test__engagement__product_id'),
group__users=user,
role__in=roles)
findings = Stub_Finding.objects.annotate(
test__engagement__product__prod_type__member=Exists(
authorized_product_type_roles),
test__engagement__product__member=Exists(authorized_product_roles),
test__engagement__product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
test__engagement__product__authorized_group=Exists(
authorized_product_groups))
findings = findings.filter(
Q(test__engagement__product__prod_type__member=True)
| Q(test__engagement__product__member=True)
| Q(test__engagement__product__prod_type__authorized_group=True)
| Q(test__engagement__product__authorized_group=True))
return findings
def get_authorized_product_types(permission):
user = get_current_user()
if user.is_superuser:
return Product_Type.objects.all().order_by('name')
if settings.FEATURE_NEW_AUTHORIZATION:
roles = get_roles_for_permission(permission)
authorized_roles = Product_Type_Member.objects.filter(product_type=OuterRef('pk'),
user=user,
role__in=roles)
product_types = Product_Type.objects.annotate(member=Exists(authorized_roles)).order_by('name')
product_types = product_types.filter(member=True)
else:
if user.is_staff:
product_types = Product_Type.objects.all().order_by('name')
else:
product_types = Product_Type.objects.filter(authorized_users__in=[user]).order_by('name')
return product_types
def get_authorized_endpoint_status(permission, queryset=None, user=None):
if user is None:
user = get_current_user()
if user is None:
return Endpoint_Status.objects.none()
if queryset is None:
endpoint_status = Endpoint_Status.objects.all()
else:
endpoint_status = queryset
if user.is_superuser:
return endpoint_status
if settings.FEATURE_AUTHORIZATION_V2:
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return endpoint_status
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('endpoint__product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('endpoint__product_id'),
user=user,
role__in=roles)
endpoint_status = endpoint_status.annotate(
endpoint__product__prod_type__member=Exists(
authorized_product_type_roles),
endpoint__product__member=Exists(authorized_product_roles))
endpoint_status = endpoint_status.filter(
Q(endpoint__product__prod_type__member=True)
| Q(endpoint__product__member=True))
else:
if not user.is_staff:
endpoint_status = endpoint_status.filter(
Q(endpoint__product__authorized_users__in=[user])
| Q(endpoint__product__prod_type__authorized_users__in=[user]))
return endpoint_status
def get_authorized_engagement_presets(permission):
user = get_current_user()
if user is None:
return Engagement_Presets.objects.none()
if user.is_superuser:
return Engagement_Presets.objects.all().order_by('title')
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Engagement_Presets.objects.all().order_by('title')
if user_has_global_permission(user, permission):
return Engagement_Presets.objects.all().order_by('title')
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'), user=user, role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'), group__users=user, role__in=roles)
engagement_presets = Engagement_Presets.objects.annotate(
product__prod_type__member=Exists(authorized_product_type_roles),
product__member=Exists(authorized_product_roles),
product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
product__authorized_group=Exists(authorized_product_groups)).order_by(
'title')
engagement_presets = engagement_presets.filter(
Q(product__prod_type__member=True) | Q(product__member=True)
| Q(product__prod_type__authorized_group=True)
| Q(product__authorized_group=True))
return engagement_presets
def get_authorized_products(permission, user=None):
if user is None:
user = get_current_user()
if user is None:
return Product.objects.none()
if user.is_superuser:
return Product.objects.all().order_by('name')
if user_has_global_permission(user, permission):
return Product.objects.all().order_by('name')
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('pk'),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('pk'),
group__users=user,
role__in=roles)
products = Product.objects.annotate(
prod_type__member=Exists(authorized_product_type_roles),
member=Exists(authorized_product_roles),
prod_type__authorized_group=Exists(authorized_product_type_groups),
authorized_group=Exists(authorized_product_groups)).order_by('name')
products = products.filter(
Q(prod_type__member=True) | Q(member=True) |
Q(prod_type__authorized_group=True) | Q(authorized_group=True))
return products
def get_authorized_product_api_scan_configurations(permission):
user = get_current_user()
if user is None:
return Product_API_Scan_Configuration.objects.none()
if user.is_superuser:
return Product_API_Scan_Configuration.objects.all()
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Product_API_Scan_Configuration.objects.all()
if user_has_global_permission(user, permission):
return Product_API_Scan_Configuration.objects.all()
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'), user=user, role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'), group__users=user, role__in=roles)
product_api_scan_configurations = Product_API_Scan_Configuration.objects.annotate(
product__prod_type__member=Exists(authorized_product_type_roles),
product__member=Exists(authorized_product_roles),
product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
product__authorized_group=Exists(authorized_product_groups))
product_api_scan_configurations = product_api_scan_configurations.filter(
Q(product__prod_type__member=True) | Q(product__member=True)
| Q(product__prod_type__authorized_group=True)
| Q(product__authorized_group=True))
return product_api_scan_configurations
def get_authorized_test_imports(permission):
user = get_current_user()
if user is None:
return Test_Import.objects.none()
if user.is_superuser:
return Test_Import.objects.all()
if settings.FEATURE_AUTHORIZATION_V2:
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Test_Import.objects.all()
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('test__engagement__product_id'),
user=user,
role__in=roles)
test_imports = Test_Import.objects.annotate(
test__engagement__product__prod_type__member=Exists(
authorized_product_type_roles),
test__engagement__product__member=Exists(authorized_product_roles))
test_imports = test_imports.filter(
Q(test__engagement__product__prod_type__member=True)
| Q(test__engagement__product__member=True))
else:
if user.is_staff:
test_imports = Test_Import.objects.all()
else:
test_imports = Test_Import.objects.filter(
Q(test__engagement__product__authorized_users__in=[user]) |
Q(test__engagement__product__prod_type__authorized_users__in=[
user
]))
return test_imports
def get_authorized_users_for_product_and_product_type(users, product,
permission):
if users is None:
users = Dojo_User.objects.filter(is_active=True)
roles = get_roles_for_permission(permission)
product_members = Product_Member.objects \
.filter(product=product, role__in=roles)
product_type_members = Product_Type_Member.objects \
.filter(product_type=product.prod_type, role__in=roles)
product_groups = Product_Group.objects \
.filter(product=product, role__in=roles)
product_type_groups = Product_Type_Group.objects \
.filter(product_type=product.prod_type, role__in=roles)
group_members = Dojo_Group_Member.objects.filter(
Q(group__in=[pg.group for pg in product_groups])
| Q(group__in=[ptg.group for ptg in product_type_groups]))
return users.filter(
Q(id__in=[pm.user.id for pm in product_members])
| Q(id__in=[ptm.user.id for ptm in product_type_members])
| Q(id__in=[gm.user.id for gm in group_members])
| Q(global_role__role__in=roles) | Q(is_superuser=True))
def get_authorized_tool_product_settings(permission):
user = get_current_user()
if user is None:
return Tool_Product_Settings.objects.none()
if user.is_superuser:
return Tool_Product_Settings.objects.all()
if user_has_global_permission(user, permission):
return Tool_Product_Settings.objects.all()
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'), user=user, role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'), group__users=user, role__in=roles)
tool_product_settings = Tool_Product_Settings.objects.annotate(
product__prod_type__member=Exists(authorized_product_type_roles),
product__member=Exists(authorized_product_roles),
product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
product__authorized_group=Exists(authorized_product_groups))
tool_product_settings = tool_product_settings.filter(
Q(product__prod_type__member=True) | Q(product__member=True)
| Q(product__prod_type__authorized_group=True)
| Q(product__authorized_group=True))
return tool_product_settings
def test_get_roles_for_permission_success(self):
result = get_roles_for_permission(Permissions.Product_Type_Manage_Members)
expected = {Roles.Maintainer, Roles.Owner}
self.assertEqual(result, expected)
def test_get_roles_for_permission_exception(self):
with self.assertRaisesMessage(PermissionDoesNotExistError,
'Permission 9999 does not exist'):
get_roles_for_permission(9999)
def get_authorized_findings(permission, queryset=None, user=None):
if user is None:
user = get_current_user()
if user is None:
return Finding.objects.none()
if queryset is None:
findings = Finding.objects.all()
else:
findings = queryset
if user.is_superuser:
return findings
if settings.FEATURE_AUTHORIZATION_V2:
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return findings
if hasattr(
user, 'global_role'
) and user.global_role.role is not None and role_has_permission(
user.global_role.role.id, permission):
return findings
for group in get_groups(user):
if hasattr(
group, 'global_role'
) and group.global_role.role is not None and role_has_permission(
group.global_role.role.id, permission):
return findings
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('test__engagement__product_id'),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('test__engagement__product_id'),
group__users=user,
role__in=roles)
findings = findings.annotate(
test__engagement__product__prod_type__member=Exists(
authorized_product_type_roles),
test__engagement__product__member=Exists(authorized_product_roles),
test__engagement__product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
test__engagement__product__authorized_group=Exists(
authorized_product_groups))
findings = findings.filter(
Q(test__engagement__product__prod_type__member=True)
| Q(test__engagement__product__member=True)
| Q(test__engagement__product__prod_type__authorized_group=True)
| Q(test__engagement__product__authorized_group=True))
else:
if not user.is_staff:
findings = findings.filter(
Q(test__engagement__product__authorized_users__in=[user]) |
Q(test__engagement__product__prod_type__authorized_users__in=[
user
]))
return findings
def get_authorized_dojo_meta(permission):
user = get_current_user()
if user is None:
return DojoMeta.objects.none()
if user.is_superuser:
return DojoMeta.objects.all().order_by('name')
if user_has_global_permission(user, permission):
return DojoMeta.objects.all().order_by('name')
roles = get_roles_for_permission(permission)
product_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
product_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'),
user=user,
role__in=roles)
product_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
product_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'),
group__users=user,
role__in=roles)
endpoint_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('endpoint__product__prod_type_id'),
user=user,
role__in=roles)
endpoint_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('endpoint__product_id'),
user=user,
role__in=roles)
endpoint_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('endpoint__product__prod_type_id'),
group__users=user,
role__in=roles)
endpoint_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('endpoint__product_id'),
group__users=user,
role__in=roles)
finding_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('finding__test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
finding_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('finding__test__engagement__product_id'),
user=user,
role__in=roles)
finding_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('finding__test__engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
finding_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('finding__test__engagement__product_id'),
group__users=user,
role__in=roles)
dojo_meta = DojoMeta.objects.annotate(
product__prod_type__member=Exists(product_authorized_product_type_roles),
product__member=Exists(product_authorized_product_roles),
product__prod_type__authorized_group=Exists(product_authorized_product_type_groups),
product__authorized_group=Exists(product_authorized_product_groups),
endpoint__product__prod_type__member=Exists(endpoint_authorized_product_type_roles),
endpoint__product__member=Exists(endpoint_authorized_product_roles),
endpoint__product__prod_type__authorized_group=Exists(endpoint_authorized_product_type_groups),
endpoint__product__authorized_group=Exists(endpoint_authorized_product_groups),
finding__test__engagement__product__prod_type__member=Exists(finding_authorized_product_type_roles),
finding__test__engagement__product__member=Exists(finding_authorized_product_roles),
finding__test__engagement__product__prod_type__authorized_group=Exists(finding_authorized_product_type_groups),
finding__test__engagement__product__authorized_group=Exists(finding_authorized_product_groups)
).order_by('name')
dojo_meta = dojo_meta.filter(
Q(product__prod_type__member=True) |
Q(product__member=True) |
Q(product__prod_type__authorized_group=True) |
Q(product__authorized_group=True) |
Q(endpoint__product__prod_type__member=True) |
Q(endpoint__product__member=True) |
Q(endpoint__product__prod_type__authorized_group=True) |
Q(endpoint__product__authorized_group=True) |
Q(finding__test__engagement__product__prod_type__member=True) |
Q(finding__test__engagement__product__member=True) |
Q(finding__test__engagement__product__prod_type__authorized_group=True) |
Q(finding__test__engagement__product__authorized_group=True))
return dojo_meta
def get_authorized_dojo_meta(permission):
user = get_current_user()
if user is None:
return DojoMeta.objects.none()
if user.is_superuser:
return DojoMeta.objects.all().order_by('name')
if settings.FEATURE_AUTHORIZATION_V2:
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return DojoMeta.objects.all().order_by('name')
roles = get_roles_for_permission(permission)
product_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
product_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'),
user=user,
role__in=roles)
endpoint_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('endpoint__product__prod_type_id'),
user=user,
role__in=roles)
endpoint_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('endpoint__product_id'),
user=user,
role__in=roles)
finding_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('finding__test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
finding_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('finding__test__engagement__product_id'),
user=user,
role__in=roles)
dojo_meta = DojoMeta.objects.annotate(
product__prod_type__member=Exists(product_authorized_product_type_roles),
product__member=Exists(product_authorized_product_roles),
endpoint_product__prod_type__member=Exists(endpoint_authorized_product_type_roles),
endpoint_product__member=Exists(endpoint_authorized_product_roles),
finding__test__engagement__product__prod_type__member=Exists(finding_authorized_product_type_roles),
finding__test__engagement__product__member=Exists(finding_authorized_product_roles)
).order_by('name')
dojo_meta = dojo_meta.filter(
Q(product__prod_type__member=True) |
Q(product__member=True) |
Q(endpoint_product__prod_type__member=True) |
Q(endpoint_product__member=True) |
Q(finding__test__engagement__product__prod_type__member=True) |
Q(finding__test__engagement__product__member=True))
else:
if user.is_staff:
dojo_meta = DojoMeta.objects.all().order_by('name')
else:
dojo_meta = DojoMeta.objects.filter(
Q(product__authorized_users__in=[user]) |
Q(product__prod_type__authorized_users__in=[user]) |
Q(endpoint__product__authorized_users__in=[user]) |
Q(endpoint__product__prod_type__authorized_users__in=[user]) |
Q(finding__test__engagement__product__authorized_users__in=[user]) |
Q(finding__test__engagement__product__prod_type__authorized_users__in=[user])
).order_by('name')
return dojo_meta
def get_authorized_jira_issues(permission):
user = get_current_user()
if user is None:
return JIRA_Issue.objects.none()
jira_issues = JIRA_Issue.objects.all()
if user.is_superuser:
return jira_issues
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return jira_issues
if user_has_global_permission(user, permission):
return jira_issues
roles = get_roles_for_permission(permission)
engagement_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('engagement__product__prod_type_id'),
user=user,
role__in=roles)
engagement_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('engagement__product_id'), user=user, role__in=roles)
engagement_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
engagement_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('engagement__product_id'),
group__users=user,
role__in=roles)
finding_group_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef(
'finding_group__test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
finding_group_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('finding_group__test__engagement__product_id'),
user=user,
role__in=roles)
finding_group_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef(
'finding_group__test__engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
finding_group_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('finding_group__test__engagement__product_id'),
group__users=user,
role__in=roles)
finding_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef(
'finding__test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
finding_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('finding__test__engagement__product_id'),
user=user,
role__in=roles)
finding_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef(
'finding__test__engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
finding_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('finding__test__engagement__product_id'),
group__users=user,
role__in=roles)
jira_issues = jira_issues.annotate(
engagement__product__prod_type__member=Exists(
engagement_authorized_product_type_roles),
engagement__product__member=Exists(
engagement_authorized_product_roles),
engagement__product__prod_type__authorized_group=Exists(
engagement_authorized_product_type_groups),
engagement__product__authorized_group=Exists(
engagement_authorized_product_groups),
finding_group__test__engagement__product__prod_type__member=Exists(
finding_group_authorized_product_type_roles),
finding_group__test__engagement__product__member=Exists(
finding_group_authorized_product_roles),
finding_group__test__engagement__product__prod_type__authorized_group=
Exists(finding_group_authorized_product_type_groups),
finding_group__test__engagement__product__authorized_group=Exists(
finding_group_authorized_product_groups),
finding__test__engagement__product__prod_type__member=Exists(
finding_authorized_product_type_roles),
finding__test__engagement__product__member=Exists(
finding_authorized_product_roles),
finding__test__engagement__product__prod_type__authorized_group=Exists(
finding_authorized_product_type_groups),
finding__test__engagement__product__authorized_group=Exists(
finding_authorized_product_groups))
jira_issues = jira_issues.filter(
Q(engagement__product__prod_type__member=True)
| Q(engagement__product__member=True)
| Q(engagement__product__prod_type__authorized_group=True)
| Q(engagement__product__authorized_group=True)
| Q(finding_group__test__engagement__product__prod_type__member=True)
| Q(finding_group__test__engagement__product__member=True) |
Q(finding_group__test__engagement__product__prod_type__authorized_group
=True)
| Q(finding_group__test__engagement__product__authorized_group=True)
| Q(finding__test__engagement__product__prod_type__member=True)
| Q(finding__test__engagement__product__member=True) |
Q(finding__test__engagement__product__prod_type__authorized_group=True)
| Q(finding__test__engagement__product__authorized_group=True))
return jira_issues
