def test_user_post_save_without_template(self, mock_notifications,
mock_member, mock_settings):
user = Dojo_User()
user.id = 1
group = Dojo_Group()
group.id = 1
role = Role.objects.get(id=Roles.Reader)
system_settings_group = System_Settings()
system_settings_group.default_group = group
system_settings_group.default_group_role = role
mock_settings.get.return_value = system_settings_group
save_mock_member = Mock(return_value=Dojo_Group_Member())
mock_member.return_value = save_mock_member
save_mock_notifications = Mock(return_value=Notifications())
mock_notifications.return_value = save_mock_notifications
mock_notifications.objects.get.side_effect = Exception(
"Mock no templates")
user_post_save(None, user, True)
mock_member.assert_called_with(group=group, user=user, role=role)
save_mock_member.save.assert_called_once()
mock_notifications.assert_called_with(user=user)
save_mock_notifications.save.assert_called_once()
def test_user_post_save_email_pattern_does_not_match(
self, mock_notifications, mock_member, mock_settings):
user = Dojo_User()
user.id = 1
user.email = '*****@*****.**'
group = Dojo_Group()
group.id = 1
role = Role.objects.get(id=Roles.Reader)
system_settings_group = System_Settings()
system_settings_group.default_group = group
system_settings_group.default_group_role = role
system_settings_group.default_group_email_pattern = '.*@example.com'
save_mock_notifications = Mock(return_value=Notifications())
mock_notifications.return_value = save_mock_notifications
mock_notifications.objects.get.side_effect = Exception(
"Mock no templates")
mock_settings.get.return_value = system_settings_group
save_mock_member = Mock(return_value=Dojo_Group_Member())
mock_member.return_value = save_mock_member
user_post_save(None, user, True)
mock_member.assert_not_called()
save_mock_member.save.assert_not_called()
def change_password(request):
user = get_object_or_404(Dojo_User, pk=request.user.id)
form = ChangePasswordForm(user=user)
if request.method == 'POST':
form = ChangePasswordForm(request.POST, user=user)
if form.is_valid():
current_password = form.cleaned_data['current_password']
new_password = form.cleaned_data['new_password']
confirm_password = form.cleaned_data['confirm_password']
user.set_password(new_password)
Dojo_User.disable_force_password_reset(user)
user.save()
messages.add_message(request,
messages.SUCCESS,
'Your password has been changed.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_profile'))
add_breadcrumb(title="Change Password", top_level=False, request=request)
return render(request, 'dojo/change_pwd.html', {
'name': 'ChangePassword',
'form': form
})
def test_user_post_save_with_template(self, mock_notifications,
mock_member, mock_settings):
user = Dojo_User()
user.id = 1
group = Dojo_Group()
group.id = 1
template = Mock(Notifications(template=False, user=user))
role = Role.objects.get(id=Roles.Reader)
system_settings_group = System_Settings()
system_settings_group.default_group = group
system_settings_group.default_group_role = role
mock_settings.get.return_value = system_settings_group
save_mock_member = Mock(return_value=Dojo_Group_Member())
mock_member.return_value = save_mock_member
mock_notifications.objects.get.return_value = template
user_post_save(None, user, True)
mock_member.assert_called_with(group=group, user=user, role=role)
save_mock_member.save.assert_called_once()
mock_notifications.objects.get.assert_called_with(template=True)
template.save.assert_called_once()
def __wrapper__(*args, **kwargs):
from dojo.utils import get_current_user
user = get_current_user()
from dojo.models import Dojo_User
if Dojo_User.wants_block_execution(user):
logger.debug(
'dojo_async_task: running task in the foreground as block_execution is set to True for %s',
user)
return func(*args, **kwargs)
else:
return func.delay(*args, **kwargs)
def setUp(self):
self.product_type = Product_Type()
self.user = Dojo_User()
self.group = Group()
self.permission_a = Permission()
self.permission_a.codename = 'a'
self.permission_b = Permission()
self.permission_b.codename = 'b'
self.permission_c = Permission()
self.permission_c.codename = 'c'
def we_want_async():
from dojo.utils import get_current_user
from dojo.models import Dojo_User
user = get_current_user()
if Dojo_User.wants_block_execution(user):
logger.debug(
'dojo_async_task: running task in the foreground as block_execution is set to True for %s',
user)
return False
return True
def _wrapped(request, *args, **kw):
_block = getattr(settings, 'RATE_LIMITER_BLOCK', block)
_rate = getattr(settings, 'RATE_LIMITER_RATE', rate)
_lockout = getattr(settings, 'RATE_LIMITER_ACCOUNT_LOCKOUT', False)
old_limited = getattr(request, 'limited', False)
ratelimited = is_ratelimited(request=request,
fn=fn,
key=key,
rate=_rate,
method=method,
increment=True)
request.limited = ratelimited or old_limited
if ratelimited and _block:
if _lockout:
username = request.POST.get('username', None)
if username:
dojo_user = Dojo_User.objects.filter(
username=username).first()
if dojo_user:
Dojo_User.enable_force_password_rest(dojo_user)
raise Ratelimited()
return fn(request, *args, **kw)
def setUpTestData(cls):
cls.user = Dojo_User()
cls.user.id = 1
cls.group = Dojo_Group()
cls.group.id = 1
cls.system_settings_email = System_Settings()
cls.system_settings_email.staff_user_email_pattern = '.*@example.com'
cls.role = Role.objects.get(id=Roles.Reader)
cls.system_settings_group = System_Settings()
cls.system_settings_group.default_group = cls.group
cls.system_settings_group.default_group_role = cls.role
def process_notifications(event, notifications=None, *args, **kwargs):
from dojo.utils import get_system_setting
if not notifications:
logger.warn('no notifications!')
return
sync = 'initiator' in kwargs and Dojo_User.wants_block_execution(
kwargs['initiator'])
# logger.debug('sync: %s %s', sync, vars(notifications))
logger.debug('sending notification ' +
('synchronously' if sync else 'asynchronously'))
logger.debug('process notifications for %s', notifications.user)
logger.debug('notifications: %s', vars(notifications))
slack_enabled = get_system_setting('enable_slack_notifications')
msteams_enabled = get_system_setting('enable_msteams_notifications')
mail_enabled = get_system_setting('enable_mail_notifications')
if slack_enabled and 'slack' in getattr(notifications, event):
if not sync:
send_slack_notification.delay(event, notifications.user, *args,
**kwargs)
else:
send_slack_notification(event, notifications.user, *args, **kwargs)
if msteams_enabled and 'msteams' in getattr(notifications, event):
if not sync:
send_msteams_notification.delay(event, notifications.user, *args,
**kwargs)
else:
send_msteams_notification(event, notifications.user, *args,
**kwargs)
logger.debug('mail_enabled: %s', mail_enabled)
logger.debug('getattr(notifications, event): %s',
getattr(notifications, event))
if mail_enabled and 'mail' in getattr(notifications, event):
if not sync:
send_mail_notification.delay(event, notifications.user, *args,
**kwargs)
else:
send_mail_notification(event, notifications.user, *args, **kwargs)
if 'alert' in getattr(notifications, event, None):
send_alert_notification(event, notifications.user, *args, **kwargs)
def we_want_async(*args, **kwargs):
from dojo.utils import get_current_user
from dojo.models import Dojo_User
sync = kwargs.get('sync', False)
if sync:
logger.debug(
'dojo_async_task: running task in the foreground as sync=True has been found as kwarg'
)
return False
user = get_current_user()
if Dojo_User.wants_block_execution(user):
logger.debug(
'dojo_async_task: running task in the foreground as block_execution is set to True for %s',
user)
return False
return True
def we_want_async(*args, func=None, **kwargs):
from dojo.utils import get_current_user
from dojo.models import Dojo_User
sync = kwargs.get('sync', False)
if sync:
logger.debug(
'dojo_async_task %s: running task in the foreground as sync=True has been found as kwarg',
func)
return False
user = kwargs.get('async_user', get_current_user())
logger.debug('user: %s', user)
if Dojo_User.wants_block_execution(user):
logger.debug(
'dojo_async_task %s: running task in the foreground as block_execution is set to True for %s',
func, user)
return False
logger.debug(
'dojo_async_task %s: no current user, running task in the background',
func)
return True
def full_name(user):
# not in all templates we have access to a Dojo_User instance, so we use a filter
# see https://github.com/DefectDojo/django-DefectDojo/pull/3278
return Dojo_User.generate_full_name(user)
def add_temp_finding(request, tid, fid):
jform = None
test = get_object_or_404(Test, id=tid)
finding = get_object_or_404(Finding_Template, id=fid)
findings = Finding_Template.objects.all()
push_all_jira_issues = False
if get_system_setting('enable_jira'):
push_all_jira_issues = test.engagement.product.jira_pkey_set.first(
).push_all_issues
jform = JIRAFindingForm(push_all=push_all_jira_issues,
prefix='jiraform',
jira_pkey=test.engagement.product.jira_pkey)
else:
jform = None
if request.method == 'POST':
form = FindingForm(request.POST, template=True, req_resp=None)
if (form['active'].value() is False or form['false_p'].value()
) and form['duplicate'].value() is False:
closing_disabled = Note_Type.objects.filter(
is_mandatory=True, is_active=True).count()
if closing_disabled != 0:
error_inactive = ValidationError(
'Can not set a finding as inactive without adding all mandatory notes',
code='not_active_or_false_p_true')
error_false_p = ValidationError(
'Can not set a finding as false positive without adding all mandatory notes',
code='not_active_or_false_p_true')
if form['active'].value() is False:
form.add_error('active', error_inactive)
if form['false_p'].value():
form.add_error('false_p', error_false_p)
messages.add_message(
request,
messages.ERROR,
'Can not set a finding as inactive or false positive without adding all mandatory notes',
extra_tags='alert-danger')
if form.is_valid():
finding.last_used = timezone.now()
finding.save()
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.date = datetime.today()
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
new_finding.is_Mitigated = True
create_template = new_finding.is_template
# is template always False now in favor of new model Finding_Template
# no further action needed here since this is already adding from template.
new_finding.is_template = False
new_finding.save(dedupe_option=False, false_history=False)
for ep in form.cleaned_data['endpoints']:
eps, created = Endpoint_Status.objects.get_or_create(
finding=new_finding, endpoint=ep)
ep.endpoint_status.add(eps)
new_finding.endpoints.add(ep)
new_finding.endpoint_status.add(eps)
new_finding.save(false_history=True)
tags = request.POST.getlist('tags')
t = ", ".join('"{0}"'.format(w) for w in tags)
new_finding.tags = t
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(
request.POST,
prefix='jiraform',
push_all=push_all_jira_issues,
jira_pkey=test.engagement.product.jira_pkey)
if jform.is_valid():
if Dojo_User.wants_block_execution(request.user):
add_jira_issue(new_finding,
jform.cleaned_data.get('push_to_jira'))
else:
add_jira_issue_task.delay(
new_finding,
jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding from template added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(
title=new_finding.title)
if len(templates) > 0:
messages.add_message(
request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(
title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(
request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_test', args=(test.id, )))
else:
messages.add_message(
request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
else:
form = FindingForm(template=True,
req_resp=None,
initial={
'active': False,
'date': timezone.now().date(),
'verified': False,
'false_p': False,
'duplicate': False,
'out_of_scope': False,
'title': finding.title,
'description': finding.description,
'cwe': finding.cwe,
'severity': finding.severity,
'mitigation': finding.mitigation,
'impact': finding.impact,
'references': finding.references,
'numerical_severity':
finding.numerical_severity,
'tags': [tag.name for tag in finding.tags]
})
product_tab = Product_Tab(test.engagement.product.id,
title="Add Finding",
tab="engagements")
product_tab.setEngagement(test.engagement)
return render(
request, 'dojo/add_findings.html', {
'form': form,
'product_tab': product_tab,
'jform': jform,
'findings': findings,
'temp': True,
'fid': finding.id,
'tid': test.id,
'test': test,
})
def setUpTestData(cls):
cls.user = Dojo_User()
cls.user.id = 1
cls.user2 = Dojo_User()
cls.user2.id = 2
cls.global_role_user = Global_Role()
cls.global_role_user.id = 1
cls.global_role_user.user = cls.user2
cls.global_role_user.role = Role.objects.get(id=Roles.Reader)
cls.product_type = Product_Type()
cls.product_type.id = 1
cls.product_type_member = Product_Type_Member()
cls.product_type_member.id = 1
cls.product = Product()
cls.product.id = 1
cls.product_member = Product_Member()
cls.product_member.id = 1
cls.product.prod_type = cls.product_type
cls.engagement = Engagement()
cls.engagement.product = cls.product
cls.test = Test()
cls.test.engagement = cls.engagement
cls.finding = Finding()
cls.finding.test = cls.test
cls.stub_finding = Stub_Finding()
cls.stub_finding.test = cls.test
cls.endpoint = Endpoint()
cls.endpoint.product = cls.product
cls.technology = App_Analysis()
cls.technology.product = cls.product
cls.language = Languages()
cls.language.product = cls.product
cls.product_type_member_reader = Product_Type_Member()
cls.product_type_member_reader.user = cls.user
cls.product_type_member_reader.product_type = cls.product_type
cls.product_type_member_reader.role = Role.objects.get(id=Roles.Reader)
cls.product_type_member_owner = Product_Type_Member()
cls.product_type_member_owner.user = cls.user
cls.product_type_member_owner.product_type = cls.product_type
cls.product_type_member_owner.role = Role.objects.get(id=Roles.Owner)
cls.product_member_reader = Product_Member()
cls.product_member_reader.user = cls.user
cls.product_member_reader.product = cls.product
cls.product_member_reader.role = Role.objects.get(id=Roles.Reader)
cls.product_member_owner = Product_Member()
cls.product_member_owner.user = cls.user
cls.product_member_owner.product = cls.product
cls.product_member_owner.role = Role.objects.get(id=Roles.Owner)
cls.group = Dojo_Group()
cls.group.id = 1
cls.product_group_reader = Product_Group()
cls.product_group_reader.id = 1
cls.product_group_reader.product = cls.product
cls.product_group_reader.group = cls.group
cls.product_group_reader.role = Role.objects.get(id=Roles.Reader)
cls.product_group_owner = Product_Group()
cls.product_group_owner.id = 2
cls.product_group_owner.product = cls.product
cls.product_group_owner.group = cls.group
cls.product_group_owner.role = Role.objects.get(id=Roles.Owner)
cls.product_type_group_reader = Product_Type_Group()
cls.product_type_group_reader.id = 1
cls.product_type_group_reader.product_type = cls.product_type
cls.product_type_group_reader.group = cls.group
cls.product_type_group_reader.role = Role.objects.get(id=Roles.Reader)
cls.product_type_group_owner = Product_Type_Group()
cls.product_type_group_owner.id = 2
cls.product_type_group_owner.product_type = cls.product_type
cls.product_type_group_owner.group = cls.group
cls.product_type_group_owner.role = Role.objects.get(id=Roles.Owner)
cls.group2 = Dojo_Group()
cls.group2.id = 2
cls.global_role_group = Global_Role()
cls.global_role_group.id = 2
cls.global_role_group.group = cls.group2
cls.global_role_group.role = Role.objects.get(id=Roles.Maintainer)
cls.user3 = Dojo_User()
cls.user3.id = 3
cls.global_role_user = Global_Role()
cls.global_role_user.id = 3
cls.global_role_user.user = cls.user3
cls.global_role_user.role = None
cls.group3 = Dojo_Group()
cls.group3.id = 3
cls.user4 = Dojo_User()
cls.user4.id = 4
cls.group_member = Dojo_Group_Member()
cls.group_member.id = 1
cls.group_member.group = cls.group3
cls.group_member.user = cls.user4
cls.group_member.role = Role.objects.get(id=Roles.Writer)
cls.user5 = Dojo_User()
cls.user5.id = 5
cls.global_role_user = Global_Role()
cls.global_role_user.id = 5
cls.global_role_user.user = cls.user5
cls.global_role_user.role = Role.objects.get(id=Roles.Owner)
def edit_engagement(request, eid):
eng = Engagement.objects.get(pk=eid)
ci_cd_form = False
if eng.engagement_type == "CI/CD":
ci_cd_form = True
jform = None
use_jira = get_system_setting(
'enable_jira') and eng.product.jira_pkey is not None
if request.method == 'POST':
form = EngForm(request.POST,
instance=eng,
cicd=ci_cd_form,
product=eng.product.id,
user=request.user)
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAEngagementForm(request.POST,
prefix='jiraform',
instance=eng)
if (form.is_valid() and jform is None) or (form.is_valid() and jform
and jform.is_valid()):
logger.debug('jform valid')
if 'jiraform-push_to_jira' in request.POST:
logger.debug('push_to_jira true')
if JIRA_Issue.objects.filter(engagement=eng).exists():
if Dojo_User.wants_block_execution(request.user):
update_epic(eng,
jform.cleaned_data.get('push_to_jira'))
else:
update_epic_task.delay(
eng, jform.cleaned_data.get('push_to_jira'))
else:
if Dojo_User.wants_block_execution(request.user):
add_epic(eng, jform.cleaned_data.get('push_to_jira'))
else:
add_epic_task.delay(
eng, jform.cleaned_data.get('push_to_jira'))
temp_form = form.save(commit=False)
if (temp_form.status == "Cancelled"
or temp_form.status == "Completed"):
temp_form.active = False
elif (temp_form.active is False):
temp_form.active = True
temp_form.product_id = form.cleaned_data.get('product').id
temp_form.save()
tags = request.POST.getlist('tags')
t = ", ".join('"{0}"'.format(w) for w in tags)
eng.tags = t
messages.add_message(request,
messages.SUCCESS,
'Engagement updated successfully.',
extra_tags='alert-success')
if '_Add Tests' in request.POST:
return HttpResponseRedirect(
reverse('add_tests', args=(eng.id, )))
else:
return HttpResponseRedirect(
reverse('view_engagement', args=(eng.id, )))
else:
form = EngForm(initial={'product': eng.product.id},
instance=eng,
cicd=ci_cd_form,
product=eng.product.id,
user=request.user)
if use_jira:
jform = JIRAEngagementForm(prefix='jiraform', instance=eng)
else:
jform = None
form.initial['tags'] = [tag.name for tag in eng.tags]
title = ""
if eng.engagement_type == "CI/CD":
title = " CI/CD"
product_tab = Product_Tab(eng.product.id,
title="Edit" + title + " Engagement",
tab="engagements")
product_tab.setEngagement(eng)
return render(
request, 'dojo/new_eng.html', {
'product_tab': product_tab,
'form': form,
'edit': True,
'jform': jform,
'eng': eng
})
def setUpTestData(cls):
cls.user = Dojo_User()
cls.user.id = 1
cls.system_settings_email = System_Settings()
cls.system_settings_email.staff_user_email_pattern = '.*@example.com'
