def view_tool_product(request, pid, ttid):
tool = Tool_Product_Settings.objects.get(pk=ttid)
notes = tool.notes.all()
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
tool.notes.add(new_note)
form = NoteForm()
# url = request.build_absolute_uri(reverse("view_test", args=(test.id,)))
# title="Test: %s on %s" % (test.test_type.name, test.engagement.product.name)
# process_notifications(request, new_note, url, title)
messages.add_message(
request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
form = NoteForm()
add_breadcrumb(
title="View Product Tool Configuration",
top_level=False,
request=request)
return render(request, 'dojo/view_tool_product.html', {
'tool': tool,
'notes': notes,
'form': form
})
def view_cred_details(request, ttid):
cred = Cred_User.objects.get(pk=ttid)
notes = cred.notes.all()
cred_products = Cred_Mapping.objects.select_related('product').filter(
product_id__isnull=False, cred_id=ttid).order_by('product__name')
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
cred.notes.add(new_note)
form = NoteForm()
messages.add_message(
request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
form = NoteForm()
add_breadcrumb(title="View", top_level=False, request=request)
return render(request, 'dojo/view_cred_details.html', {
'cred': cred,
'form': form,
'notes': notes,
'cred_products': cred_products
})
def view_test(request, tid):
test = Test.objects.get(id=tid)
prod = test.engagement.product
auth = request.user.is_staff or request.user in prod.authorized_users.all()
if not auth:
# will render 403
raise PermissionDenied
notes = test.notes.all()
person = request.user.username
findings = Finding.objects.filter(test=test).order_by('numerical_severity')
stub_findings = Stub_Finding.objects.filter(test=test)
cred_test = Cred_Mapping.objects.filter(test=test).select_related('cred_id').order_by('cred_id')
creds = Cred_Mapping.objects.filter(engagement=test.engagement).select_related('cred_id').order_by('cred_id')
if request.method == 'POST' and request.user.is_staff:
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
test.notes.add(new_note)
form = NoteForm()
url = request.build_absolute_uri(reverse("view_test", args=(test.id,)))
title = "Test: %s on %s" % (test.test_type.name, test.engagement.product.name)
process_notifications(request, new_note, url, title)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
form = NoteForm()
fpage = get_page_items(request, findings, 25)
sfpage = get_page_items(request, stub_findings, 25)
show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES)
product_tab = Product_Tab(prod.id, title="Test", tab="engagements")
product_tab.setEngagement(test.engagement)
return render(request, 'dojo/view_test.html',
{'test': test,
'product_tab': product_tab,
'findings': fpage,
'findings_count': findings.count(),
'stub_findings': sfpage,
'form': form,
'notes': notes,
'person': person,
'request': request,
'show_re_upload': show_re_upload,
'creds': creds,
'cred_test': cred_test
})
def view_cred_finding(request, fid, ttid):
cred = get_object_or_404(
Cred_Mapping.objects.select_related('cred_id'), id=ttid)
cred_product = Cred_Mapping.objects.filter(
cred_id=cred.cred_id.id,
product=cred.finding.test.engagement.product.id).first()
notes = cred.cred_id.notes.all()
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
cred.cred_id.notes.add(new_note)
form = NoteForm()
messages.add_message(
request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
form = NoteForm()
add_breadcrumb(
title="Credential Manager", top_level=False, request=request)
cred_type = "Finding"
edit_link = None
view_link = reverse(
'view_cred_finding', args=(
fid,
cred.id,
))
delete_link = reverse(
'delete_cred_finding', args=(
fid,
cred.id,
))
return render(
request, 'dojo/view_cred_all_details.html', {
'cred': cred,
'form': form,
'notes': notes,
'cred_type': cred_type,
'edit_link': edit_link,
'delete_link': delete_link,
'cred_product': cred_product
})
def view_cred_details(request, ttid):
cred = Cred_User.objects.get(pk=ttid)
notes = cred.notes.all()
cred_products = Cred_Mapping.objects.select_related('product').filter(
product_id__isnull=False, cred_id=ttid).order_by('product__name')
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
cred.notes.add(new_note)
form = NoteForm()
messages.add_message(
request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
form = NoteForm()
add_breadcrumb(title="View", top_level=False, request=request)
return render(request, 'dojo/view_cred_details.html', {
'cred': cred,
'form': form,
'notes': notes,
'cred_products': cred_products
})
def view_test(request, tid):
test = Test.objects.get(id=tid)
prod = test.engagement.product
auth = request.user.is_staff or request.user in prod.authorized_users.all()
if not auth:
# will render 403
raise PermissionDenied
notes = test.notes.all()
person = request.user.username
findings = Finding.objects.filter(test=test).order_by('numerical_severity')
stub_findings = Stub_Finding.objects.filter(test=test)
cred_test = Cred_Mapping.objects.filter(
test=test).select_related('cred_id').order_by('cred_id')
creds = Cred_Mapping.objects.filter(
engagement=test.engagement).select_related('cred_id').order_by(
'cred_id')
if request.method == 'POST' and request.user.is_staff:
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
test.notes.add(new_note)
form = NoteForm()
url = request.build_absolute_uri(
reverse("view_test", args=(test.id, )))
title = "Test: %s on %s" % (test.test_type.name,
test.engagement.product.name)
process_notifications(request, new_note, url, title)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
form = NoteForm()
fpage = get_page_items(request, findings, 25)
sfpage = get_page_items(request, stub_findings, 25)
show_re_upload = any(test.test_type.name in code
for code in ImportScanForm.SCAN_TYPE_CHOICES)
product_tab = Product_Tab(prod.id, title="Test", tab="engagements")
product_tab.setEngagement(test.engagement)
return render(
request, 'dojo/view_test.html', {
'test': test,
'product_tab': product_tab,
'findings': fpage,
'findings_count': findings.count(),
'stub_findings': sfpage,
'form': form,
'notes': notes,
'person': person,
'request': request,
'show_re_upload': show_re_upload,
'creds': creds,
'cred_test': cred_test
})
def view_tool_product(request, pid, ttid):
tool = Tool_Product_Settings.objects.get(pk=ttid)
notes = tool.notes.all()
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
tool.notes.add(new_note)
form = NoteForm()
# url = request.build_absolute_uri(reverse("view_test", args=(test.id,)))
# title="Test: %s on %s" % (test.test_type.name, test.engagement.product.name)
# process_notifications(request, new_note, url, title)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
form = NoteForm()
add_breadcrumb(title="View Product Tool Configuration",
top_level=False,
request=request)
return render(request, 'dojo/view_tool_product.html', {
'tool': tool,
'notes': notes,
'form': form
})
def view_test(request, tid):
test = Test.objects.get(id=tid)
notes = test.notes.all()
person = request.user.username
findings = Finding.objects.filter(test=test)
stub_findings = Stub_Finding.objects.filter(test=test)
cred_test = Cred_Mapping.objects.filter(
test=test).select_related('cred_id').order_by('cred_id')
creds = Cred_Mapping.objects.filter(
engagement=test.engagement).select_related('cred_id').order_by(
'cred_id')
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = datetime.now(tz=localtz)
new_note.save()
test.notes.add(new_note)
form = NoteForm()
url = request.build_absolute_uri(
reverse("view_test", args=(test.id, )))
title = "Test: %s on %s" % (test.test_type.name,
test.engagement.product.name)
process_notifications(request, new_note, url, title)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
form = NoteForm()
fpage = get_page_items(request, findings, 25)
sfpage = get_page_items(request, stub_findings, 25)
show_re_upload = any(test.test_type.name in code
for code in ImportScanForm.SCAN_TYPE_CHOICES)
ajax_url = reverse('api_dispatch_list',
kwargs={
'resource_name': 'stub_findings',
'api_name': 'v1_a'
})
add_breadcrumb(parent=test, top_level=False, request=request)
return render(
request, 'dojo/view_test.html', {
'test': test,
'findings': fpage,
'stub_findings': sfpage,
'form': form,
'notes': notes,
'person': person,
'request': request,
'show_re_upload': show_re_upload,
'ajax_url': ajax_url,
'creds': creds,
'cred_test': cred_test
})
def edit_issue(request, id, page, objid):
note = get_object_or_404(Notes, id=id)
reverse_url = None
object_id = None
if page is None or str(
request.user
) != note.author.username and not request.user.is_superuser:
raise PermissionDenied
if page == "test":
object = get_object_or_404(Test, id=objid)
object_id = object.id
reverse_url = "view_test"
elif page == "finding":
object = get_object_or_404(Finding, id=objid)
object_id = object.id
reverse_url = "view_finding"
if request.method == 'POST':
form = NoteForm(request.POST, instance=note)
if form.is_valid():
note = form.save(commit=False)
note.edited = True
note.editor = request.user
note.edit_time = timezone.now()
history = NoteHistory(data=note.entry,
time=note.edit_time,
current_editor=note.editor)
history.save()
note.history.add(history)
note.save()
object.last_reviewed = note.date
object.last_reviewed_by = request.user
object.save()
form = NoteForm()
messages.add_message(request,
messages.SUCCESS,
'Note edited.',
extra_tags='alert-success')
return HttpResponseRedirect(
reverse(reverse_url, args=(object_id, )))
else:
messages.add_message(request,
messages.SUCCESS,
'Note was not succesfully edited.',
extra_tags='alert-danger')
else:
form = NoteForm(instance=note)
return render(request, 'dojo/edit_note.html', {
'note': note,
'form': form,
'page': page,
'objid': objid,
})
def view_finding(request, fid):
finding = get_object_or_404(Finding, id=fid)
user = request.user
if (user.is_staff
or user in finding.test.engagement.product.authorized_users.all()):
pass # user is authorized for this product
else:
raise PermissionDenied
notes = finding.notes.all()
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = datetime.now(tz=localtz)
new_note.save()
finding.notes.add(new_note)
finding.last_reviewed = new_note.date
finding.last_reviewed_by = user
finding.save()
form = NoteForm()
messages.add_message(request,
messages.SUCCESS,
'Note saved.',
extra_tags='alert-success')
else:
form = NoteForm()
try:
reqres = BurpRawRequestResponse.objects.get(finding=finding)
burp_request = base64.b64decode(reqres.burpRequestBase64)
burp_response = base64.b64decode(reqres.burpResponseBase64)
except:
reqres = None
burp_request = None
burp_response = None
add_breadcrumb(parent=finding, top_level=False, request=request)
return render(request, 'dojo/view_finding.html',
{'finding': finding,
'burp_request': burp_request,
'burp_response': burp_response,
'user': user, 'notes': notes, 'form': form})
def view_test(request, tid):
test = Test.objects.get(id=tid)
notes = test.notes.all()
person = request.user.username
findings = Finding.objects.filter(test=test)
stub_findings = Stub_Finding.objects.filter(test=test)
cred_test = Cred_Mapping.objects.filter(test=test).select_related('cred_id').order_by('cred_id')
creds = Cred_Mapping.objects.filter(engagement=test.engagement).select_related('cred_id').order_by('cred_id')
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
test.notes.add(new_note)
form = NoteForm()
url = request.build_absolute_uri(reverse("view_test", args=(test.id,)))
title="Test: %s on %s" % (test.test_type.name, test.engagement.product.name)
process_notifications(request, new_note, url, title)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
form = NoteForm()
fpage = get_page_items(request, findings, 25)
sfpage = get_page_items(request, stub_findings, 25)
show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES)
add_breadcrumb(parent=test, top_level=False, request=request)
return render(request, 'dojo/view_test.html',
{'test': test,
'findings': fpage,
'stub_findings': sfpage,
'form': form,
'notes': notes,
'person': person,
'request': request,
'show_re_upload': show_re_upload,
'creds': creds,
'cred_test': cred_test
})
def view_cred_finding(request, fid, ttid):
cred = get_object_or_404(
Cred_Mapping.objects.select_related('cred_id'), id=ttid)
cred_product = Cred_Mapping.objects.filter(
cred_id=cred.cred_id.id,
product=cred.finding.test.engagement.product.id).first()
notes = cred.cred_id.notes.all()
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
cred.cred_id.notes.add(new_note)
form = NoteForm()
messages.add_message(
request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
form = NoteForm()
add_breadcrumb(
title="Credential Manager", top_level=False, request=request)
cred_type = "Finding"
edit_link = None
view_link = reverse(
'view_cred_finding', args=(
fid,
cred.id,
))
delete_link = reverse(
'delete_cred_finding', args=(
fid,
cred.id,
))
return render(
request, 'dojo/view_cred_all_details.html', {
'cred': cred,
'form': form,
'notes': notes,
'cred_type': cred_type,
'edit_link': edit_link,
'delete_link': delete_link,
'cred_product': cred_product
})
def view_test(request, tid):
test = Test.objects.get(id=tid)
notes = test.notes.all()
person = request.user.username
findings = Finding.objects.filter(test=test)
stub_findings = Stub_Finding.objects.filter(test=test)
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = datetime.now(tz=localtz)
new_note.save()
test.notes.add(new_note)
form = NoteForm()
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
form = NoteForm()
fpage = get_page_items(request, findings, 25)
sfpage = get_page_items(request, stub_findings, 25)
show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES)
ajax_url = reverse('api_dispatch_list', kwargs={'resource_name': 'stub_findings', 'api_name': 'v1_a'})
add_breadcrumb(parent=test, top_level=False, request=request)
return render(request, 'dojo/view_test.html',
{'test': test,
'findings': fpage,
'stub_findings': sfpage,
'form': form,
'notes': notes,
'person': person,
'request': request,
'show_re_upload': show_re_upload,
'ajax_url': ajax_url,
})
def view_finding(request, fid):
finding = get_object_or_404(Finding, id=fid)
user = request.user
if user.is_staff or user in finding.test.engagement.product.authorized_users.all(
):
pass # user is authorized for this product
else:
raise PermissionDenied
notes = finding.notes.all()
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = datetime.now(tz=localtz)
new_note.save()
finding.notes.add(new_note)
finding.last_reviewed = new_note.date
finding.last_reviewed_by = user
finding.save()
form = NoteForm()
messages.add_message(request,
messages.SUCCESS,
'Note saved.',
extra_tags='alert-success')
else:
form = NoteForm()
try:
reqres = BurpRawRequestResponse.objects.get(finding=finding)
burp_request = base64.b64decode(reqres.burpRequestBase64)
burp_response = base64.b64decode(reqres.burpResponseBase64)
except:
reqres = None
burp_request = None
burp_response = None
add_breadcrumb(parent=finding, top_level=False, request=request)
return render(
request, 'dojo/view_finding.html', {
'finding': finding,
'burp_request': burp_request,
'burp_response': burp_response,
'user': user,
'notes': notes,
'form': form
})
def view_test(request, tid):
test = Test.objects.get(id=tid)
notes = test.notes.all()
person = request.user.username
findings = Finding.objects.filter(test=test)
stub_findings = Stub_Finding.objects.filter(test=test)
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = datetime.now(tz=localtz)
new_note.save()
test.notes.add(new_note)
form = NoteForm()
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
form = NoteForm()
fpage = get_page_items(request, findings, 25)
sfpage = get_page_items(request, stub_findings, 25)
show_re_upload = any(test.test_type.name in code
for code in ImportScanForm.SCAN_TYPE_CHOICES)
ajax_url = reverse('api_dispatch_list',
kwargs={
'resource_name': 'stub_findings',
'api_name': 'v1_a'
})
add_breadcrumb(parent=test, top_level=False, request=request)
return render(
request, 'dojo/view_test.html', {
'test': test,
'findings': fpage,
'stub_findings': sfpage,
'form': form,
'notes': notes,
'person': person,
'request': request,
'show_re_upload': show_re_upload,
'ajax_url': ajax_url,
})
def view_test(request, tid):
if request.user.is_superuser:
test = get_object_or_404(Test, id=tid)
else:
test = get_object_or_404(Test, id=tid, engagement__product__authorized_users__in=[request.user])
notes = test.notes.all()
person = request.user.username
findings = Finding.objects.filter(test=test).order_by('-score')
stub_findings = Stub_Finding.objects.filter(test=test)
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
test.notes.add(new_note)
form = NoteForm()
url = request.build_absolute_uri(reverse("view_test", args=(test.id,)))
title="Test: %s on %s" % (test.test_type.name, test.engagement.product.name)
process_notifications(request, new_note, url, title)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
form = NoteForm()
fpage = get_page_items(request, findings, 25)
sfpage = get_page_items(request, stub_findings, 25)
show_re_upload = any(test.test_type.name in code for code in ImportScanForm.SCAN_TYPE_CHOICES)
add_breadcrumb(parent=test, top_level=False, request=request)
return render(request, 'dojo/view_test.html',
{'test': test,
'findings': fpage,
'stub_findings': sfpage,
'form': form,
'notes': notes,
'person': person,
'request': request,
'show_re_upload': show_re_upload,
})
def view_finding(request, fid):
finding = get_object_or_404(Finding, id=fid)
user = request.user
try:
jissue = JIRA_Issue.objects.get(finding=finding)
except:
jissue = None
pass
try:
jpkey = JIRA_PKey.objects.get(product=finding.test.engagement.product)
jconf = jpkey.conf
except:
jconf = None
pass
dojo_user = get_object_or_404(Dojo_User, id=user.id)
if user.is_staff or user in finding.test.engagement.product.authorized_users.all(
):
pass # user is authorized for this product
else:
raise PermissionDenied
notes = finding.notes.all()
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = datetime.now(tz=localtz)
new_note.save()
finding.notes.add(new_note)
finding.last_reviewed = new_note.date
finding.last_reviewed_by = user
finding.save()
if jissue is not None:
add_comment_task(finding, new_note)
form = NoteForm()
url = request.build_absolute_uri(
reverse("view_finding", args=(finding.id, )))
title = "Finding: " + finding.title
process_notifications(request, new_note, url, title)
messages.add_message(request,
messages.SUCCESS,
'Note saved.',
extra_tags='alert-success')
else:
form = NoteForm()
try:
reqres = BurpRawRequestResponse.objects.get(finding=finding)
burp_request = base64.b64decode(reqres.burpRequestBase64)
burp_response = base64.b64decode(reqres.burpResponseBase64)
except:
reqres = None
burp_request = None
burp_response = None
add_breadcrumb(parent=finding, top_level=False, request=request)
return render(
request, 'dojo/view_finding.html', {
'finding': finding,
'burp_request': burp_request,
'jissue': jissue,
'jconf': jconf,
'burp_response': burp_response,
'dojo_user': dojo_user,
'user': user,
'notes': notes,
'form': form
})
def view_risk(request, eid, raid):
risk_approval = get_object_or_404(Risk_Acceptance, pk=raid)
eng = get_object_or_404(Engagement, pk=eid)
if (request.user.is_staff
or request.user in eng.product.authorized_users.all()):
pass
else:
raise PermissionDenied
a_file = risk_approval.path
if request.method == 'POST':
note_form = NoteForm(request.POST)
if note_form.is_valid():
new_note = note_form.save(commit=False)
new_note.author = request.user
new_note.date = datetime.now(tz=localtz)
new_note.save()
risk_approval.notes.add(new_note)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
if 'delete_note' in request.POST:
note = get_object_or_404(Notes, pk=request.POST['delete_note_id'])
if note.author.username == request.user.username:
risk_approval.notes.remove(note)
note.delete()
messages.add_message(request,
messages.SUCCESS,
'Note deleted successfully.',
extra_tags='alert-success')
else:
messages.add_message(
request,
messages.ERROR,
"Since you are not the note's author, it was not deleted.",
extra_tags='alert-danger')
if 'remove_finding' in request.POST:
finding = get_object_or_404(Finding,
pk=request.POST['remove_finding_id'])
risk_approval.accepted_findings.remove(finding)
finding.active = True
finding.save()
messages.add_message(request,
messages.SUCCESS,
'Finding removed successfully.',
extra_tags='alert-success')
if 'replace_file' in request.POST:
replace_form = ReplaceRiskAcceptanceForm(request.POST,
request.FILES,
instance=risk_approval)
if replace_form.is_valid():
risk_approval.path.delete(save=False)
risk_approval.path = replace_form.cleaned_data['path']
risk_approval.save()
messages.add_message(request,
messages.SUCCESS,
'File replaced successfully.',
extra_tags='alert-success')
if 'add_findings' in request.POST:
add_findings_form = AddFindingsRiskAcceptanceForm(
request.POST, request.FILES, instance=risk_approval)
if add_findings_form.is_valid():
findings = add_findings_form.cleaned_data['accepted_findings']
for finding in findings:
finding.active = False
finding.save()
risk_approval.accepted_findings.add(finding)
risk_approval.save()
messages.add_message(request,
messages.SUCCESS,
'Finding%s added successfully.' %
('s' if len(findings) > 1 else ''),
extra_tags='alert-success')
note_form = NoteForm()
replace_form = ReplaceRiskAcceptanceForm()
add_findings_form = AddFindingsRiskAcceptanceForm()
exclude_findings = [
finding.id for ra in eng.risk_acceptance.all()
for finding in ra.accepted_findings.all()
]
findings = Finding.objects.filter(test__in=eng.test_set.all()) \
.exclude(id__in=exclude_findings).order_by("title")
add_fpage = get_page_items(request, findings, 10, 'apage')
add_findings_form.fields[
"accepted_findings"].queryset = add_fpage.object_list
fpage = get_page_items(
request,
risk_approval.accepted_findings.order_by('numerical_severity'), 15)
authorized = (request.user == risk_approval.reporter.username
or request.user.is_staff)
add_breadcrumb(parent=risk_approval, top_level=False, request=request)
return render(
request, 'dojo/view_risk.html', {
'risk_approval': risk_approval,
'accepted_findings': fpage,
'notes': risk_approval.notes.all(),
'a_file': a_file,
'eng': eng,
'note_form': note_form,
'replace_form': replace_form,
'add_findings_form': add_findings_form,
'show_add_findings_form': len(findings),
'request': request,
'add_findings': add_fpage,
'authorized': authorized,
})
def view_test(request, tid):
test_prefetched = get_authorized_tests(Permissions.Test_View)
test_prefetched = test_prefetched.annotate(
total_reimport_count=Count('test_import__id', distinct=True))
# tests_prefetched = test_prefetched.prefetch_related(Prefetch('test_import_set', queryset=Test_Import.objects.filter(~Q(findings_affected=None))))
# tests_prefetched = test_prefetched.prefetch_related('test_import_set')
# test_prefetched = test_prefetched.prefetch_related('test_import_set__test_import_finding_action_set')
test = get_object_or_404(test_prefetched, pk=tid)
# test = get_object_or_404(Test, pk=tid)
prod = test.engagement.product
notes = test.notes.all()
note_type_activation = Note_Type.objects.filter(is_active=True).count()
if note_type_activation:
available_note_types = find_available_notetypes(notes)
files = test.files.all()
person = request.user.username
findings = Finding.objects.filter(test=test).order_by('numerical_severity')
findings = FindingFilter(request.GET, queryset=findings)
stub_findings = Stub_Finding.objects.filter(test=test)
cred_test = Cred_Mapping.objects.filter(
test=test).select_related('cred_id').order_by('cred_id')
creds = Cred_Mapping.objects.filter(
engagement=test.engagement).select_related('cred_id').order_by(
'cred_id')
system_settings = get_object_or_404(System_Settings, id=1)
if request.method == 'POST':
user_has_permission_or_403(request.user, test, Permissions.Note_Add)
if note_type_activation:
form = TypedNoteForm(request.POST,
available_note_types=available_note_types)
else:
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
test.notes.add(new_note)
if note_type_activation:
form = TypedNoteForm(available_note_types=available_note_types)
else:
form = NoteForm()
url = request.build_absolute_uri(
reverse("view_test", args=(test.id, )))
title = "Test: %s on %s" % (test.test_type.name,
test.engagement.product.name)
process_notifications(request, new_note, url, title)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
if note_type_activation:
form = TypedNoteForm(available_note_types=available_note_types)
else:
form = NoteForm()
title_words = get_words_for_field(Finding, 'title')
component_words = get_words_for_field(Finding, 'component_name')
# test_imports = test.test_import_set.all()
test_imports = Test_Import.objects.filter(test=test)
test_import_filter = TestImportFilter(request.GET, test_imports)
paged_test_imports = get_page_items_and_count(request,
test_import_filter.qs,
5,
prefix='test_imports')
paged_test_imports.object_list = paged_test_imports.object_list.prefetch_related(
'test_import_finding_action_set')
paged_findings = get_page_items_and_count(request,
prefetch_for_findings(
findings.qs),
25,
prefix='findings')
paged_stub_findings = get_page_items(request, stub_findings, 25)
show_re_upload = any(test.test_type.name in code
for code in get_choices_sorted())
product_tab = Product_Tab(prod.id, title="Test", tab="engagements")
product_tab.setEngagement(test.engagement)
jira_project = jira_helper.get_jira_project(test)
finding_groups = test.finding_group_set.all().prefetch_related(
'findings', 'jira_issue', 'creator')
bulk_edit_form = FindingBulkUpdateForm(request.GET)
google_sheets_enabled = system_settings.enable_google_sheets
sheet_url = None
if google_sheets_enabled and system_settings.credentials:
spreadsheet_name = test.engagement.product.name + "-" + test.engagement.name + "-" + str(
test.id)
system_settings = get_object_or_404(System_Settings, id=1)
service_account_info = json.loads(system_settings.credentials)
SCOPES = ['https://www.googleapis.com/auth/drive']
credentials = service_account.Credentials.from_service_account_info(
service_account_info, scopes=SCOPES)
try:
drive_service = googleapiclient.discovery.build(
'drive', 'v3', credentials=credentials, cache_discovery=False)
folder_id = system_settings.drive_folder_ID
gs_files = drive_service.files().list(
q="mimeType='application/vnd.google-apps.spreadsheet' and parents in '%s' and name='%s'"
% (folder_id, spreadsheet_name),
spaces='drive',
pageSize=10,
fields='files(id, name)').execute()
except googleapiclient.errors.HttpError:
messages.add_message(
request,
messages.ERROR,
"There is a problem with the Google Sheets Sync Configuration. Contact your system admin to solve the issue. Until fixed, the Google Sheets Sync feature cannot be used.",
extra_tags="alert-danger",
)
google_sheets_enabled = False
except httplib2.ServerNotFoundError:
messages.add_message(
request,
messages.ERROR,
"Unable to reach the Google Sheet API.",
extra_tags="alert-danger",
)
else:
spreadsheets = gs_files.get('files')
if len(spreadsheets) == 1:
spreadsheetId = spreadsheets[0].get('id')
sheet_url = 'https://docs.google.com/spreadsheets/d/' + spreadsheetId
return render(
request, 'dojo/view_test.html', {
'test': test,
'prod': prod,
'product_tab': product_tab,
'findings': paged_findings,
'filtered': findings,
'stub_findings': paged_stub_findings,
'title_words': title_words,
'component_words': component_words,
'form': form,
'notes': notes,
'files': files,
'person': person,
'request': request,
'show_re_upload': show_re_upload,
'creds': creds,
'cred_test': cred_test,
'jira_project': jira_project,
'show_export': google_sheets_enabled
and system_settings.credentials,
'sheet_url': sheet_url,
'bulk_edit_form': bulk_edit_form,
'paged_test_imports': paged_test_imports,
'test_import_filter': test_import_filter,
'finding_groups': finding_groups,
'finding_group_by_options': Finding_Group.GROUP_BY_OPTIONS,
})
def edit_issue(request, id, page, objid):
note = get_object_or_404(Notes, id=id)
reverse_url = None
object_id = None
if page == "engagement":
object = get_object_or_404(Engagement, id=objid)
object_id = object.id
reverse_url = "view_engagement"
elif page == "test":
object = get_object_or_404(Test, id=objid)
object_id = object.id
reverse_url = "view_test"
elif page == "finding":
object = get_object_or_404(Finding, id=objid)
object_id = object.id
reverse_url = "view_finding"
if page is None:
raise PermissionDenied
if str(request.user) != note.author.username:
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, object,
Permissions.Note_Edit)
else:
if not request.user.is_staff:
raise PermissionDenied
note_type_activation = Note_Type.objects.filter(is_active=True).count()
if note_type_activation:
available_note_types = find_available_notetypes(object, note)
if request.method == 'POST':
if note_type_activation:
form = TypedNoteForm(request.POST,
available_note_types=available_note_types,
instance=note)
else:
form = NoteForm(request.POST, instance=note)
if form.is_valid():
note = form.save(commit=False)
note.edited = True
note.editor = request.user
note.edit_time = timezone.now()
if note_type_activation:
history = NoteHistory(note_type=note.note_type,
data=note.entry,
time=note.edit_time,
current_editor=note.editor)
else:
history = NoteHistory(data=note.entry,
time=note.edit_time,
current_editor=note.editor)
history.save()
note.history.add(history)
note.save()
object.last_reviewed = note.date
object.last_reviewed_by = request.user
object.save()
form = NoteForm()
messages.add_message(request,
messages.SUCCESS,
'Note edited.',
extra_tags='alert-success')
return HttpResponseRedirect(
reverse(reverse_url, args=(object_id, )))
else:
messages.add_message(request,
messages.SUCCESS,
'Note was not succesfully edited.',
extra_tags='alert-danger')
else:
if note_type_activation:
form = TypedNoteForm(available_note_types=available_note_types,
instance=note)
else:
form = NoteForm(instance=note)
return render(request, 'dojo/edit_note.html', {
'note': note,
'form': form,
'page': page,
'objid': objid,
})
def view_finding(request, fid):
finding = get_object_or_404(Finding, id=fid)
cred_finding = Cred_Mapping.objects.filter(finding=finding.id).select_related('cred_id').order_by('cred_id')
creds = Cred_Mapping.objects.filter(test=finding.test.id).select_related('cred_id').order_by('cred_id')
cred_engagement = Cred_Mapping.objects.filter(engagement=finding.test.engagement.id).select_related('cred_id').order_by('cred_id')
user = request.user
try:
jissue = JIRA_Issue.objects.get(finding=finding)
except:
jissue = None
pass
try:
jpkey = JIRA_PKey.objects.get(product=finding.test.engagement.product)
jconf = jpkey.conf
except:
jconf = None
pass
dojo_user = get_object_or_404(Dojo_User, id=user.id)
if user.is_staff or user in finding.test.engagement.product.authorized_users.all():
pass # user is authorized for this product
else:
raise PermissionDenied
notes = finding.notes.all()
if request.method == 'POST':
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
finding.notes.add(new_note)
finding.last_reviewed = new_note.date
finding.last_reviewed_by = user
finding.save()
if jissue is not None:
add_comment_task(finding, new_note)
form = NoteForm()
url = request.build_absolute_uri(reverse("view_finding", args=(finding.id,)))
title= "Finding: "+ finding.title
process_notifications(request, new_note, url, title)
messages.add_message(request,
messages.SUCCESS,
'Note saved.',
extra_tags='alert-success')
else:
form = NoteForm()
try:
reqres = BurpRawRequestResponse.objects.get(finding=finding)
burp_request = base64.b64decode(reqres.burpRequestBase64)
burp_response = base64.b64decode(reqres.burpResponseBase64)
except:
reqres = None
burp_request = None
burp_response = None
add_breadcrumb(parent=finding, top_level=False, request=request)
return render(request, 'dojo/view_finding.html',
{'finding': finding,
'burp_request': burp_request,
'jissue': jissue,
'jconf': jconf,
'cred_finding': cred_finding,
'creds': creds,
'cred_engagement': cred_engagement,
'burp_response': burp_response, 'dojo_user': dojo_user,
'user': user, 'notes': notes, 'form': form, 'found_by': finding.found_by.all().distinct()})
def view_engagement(request, eid):
eng = get_object_or_404(Engagement, id=eid)
tests = Test.objects.filter(engagement=eng).prefetch_related(
'tagged_items__tag', 'test_type').order_by('test_type__name',
'-updated')
prod = eng.product
risks_accepted = eng.risk_acceptance.all().select_related('owner')
preset_test_type = None
network = None
if eng.preset:
preset_test_type = eng.preset.test_type.all()
network = eng.preset.network_locations.all()
system_settings = System_Settings.objects.get()
try:
jissue = JIRA_Issue.objects.get(engagement=eng)
except:
jissue = None
pass
try:
jconf = JIRA_PKey.objects.get(product=eng.product).conf
except:
jconf = None
pass
exclude_findings = [
finding.id for ra in eng.risk_acceptance.all()
for finding in ra.accepted_findings.all()
]
eng_findings = Finding.objects.filter(test__in=eng.test_set.all()) \
.exclude(id__in=exclude_findings).order_by('title')
try:
check = Check_List.objects.get(engagement=eng)
except:
check = None
pass
notes = eng.notes.all()
note_type_activation = Note_Type.objects.filter(is_active=True).count()
if note_type_activation:
available_note_types = find_available_notetypes(notes)
if request.method == 'POST' and request.user.is_staff:
eng.progress = 'check_list'
eng.save()
if note_type_activation:
form = TypedNoteForm(request.POST,
available_note_types=available_note_types)
else:
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
eng.notes.add(new_note)
if note_type_activation:
form = TypedNoteForm(available_note_types=available_note_types)
else:
form = NoteForm()
url = request.build_absolute_uri(
reverse("view_engagement", args=(eng.id, )))
title = "Engagement: %s on %s" % (eng.name, eng.product.name)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
if note_type_activation:
form = TypedNoteForm(available_note_types=available_note_types)
else:
form = NoteForm()
creds = Cred_Mapping.objects.filter(
product=eng.product).select_related('cred_id').order_by('cred_id')
cred_eng = Cred_Mapping.objects.filter(
engagement=eng.id).select_related('cred_id').order_by('cred_id')
add_breadcrumb(parent=eng, top_level=False, request=request)
if hasattr(settings, 'ENABLE_DEDUPLICATION'):
if settings.ENABLE_DEDUPLICATION:
enabled = True
findings = Finding.objects.filter(test__engagement=eng,
duplicate=False)
else:
enabled = False
findings = None
else:
enabled = False
findings = None
if findings is not None:
fpage = get_page_items(request, findings, 15)
else:
fpage = None
# ----------
try:
start_date = Finding.objects.filter(
test__engagement__product=eng.product).order_by('date')[:1][0].date
except:
start_date = timezone.now()
end_date = timezone.now()
risk_acceptances = Risk_Acceptance.objects.filter(
engagement__in=Engagement.objects.filter(product=eng.product))
accepted_findings = [
finding for ra in risk_acceptances
for finding in ra.accepted_findings.all()
]
title = ""
if eng.engagement_type == "CI/CD":
title = " CI/CD"
product_tab = Product_Tab(prod.id,
title="View" + title + " Engagement",
tab="engagements")
product_tab.setEngagement(eng)
return render(
request, 'dojo/view_eng.html', {
'eng': eng,
'product_tab': product_tab,
'system_settings': system_settings,
'tests': tests,
'findings': fpage,
'enabled': enabled,
'check': check,
'threat': eng.tmodel_path,
'risk': eng.risk_path,
'form': form,
'notes': notes,
'risks_accepted': risks_accepted,
'can_add_risk': eng_findings.count(),
'jissue': jissue,
'jconf': jconf,
'accepted_findings': accepted_findings,
'start_date': start_date,
'creds': creds,
'cred_eng': cred_eng,
'network': network,
'preset_test_type': preset_test_type
})
def view_risk(request, eid, raid):
risk_approval = get_object_or_404(Risk_Acceptance, pk=raid)
eng = get_object_or_404(Engagement, pk=eid)
if request.user.is_staff or check_auth_users_list(request.user, eng):
pass
else:
raise PermissionDenied
a_file = risk_approval.path
if request.method == 'POST':
note_form = NoteForm(request.POST)
if note_form.is_valid():
new_note = note_form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
risk_approval.notes.add(new_note)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
if 'delete_note' in request.POST:
note = get_object_or_404(Notes, pk=request.POST['delete_note_id'])
if note.author.username == request.user.username:
risk_approval.notes.remove(note)
note.delete()
messages.add_message(request,
messages.SUCCESS,
'Note deleted successfully.',
extra_tags='alert-success')
else:
messages.add_message(
request,
messages.ERROR,
"Since you are not the note's author, it was not deleted.",
extra_tags='alert-danger')
if 'remove_finding' in request.POST:
finding = get_object_or_404(Finding,
pk=request.POST['remove_finding_id'])
risk_approval.accepted_findings.remove(finding)
finding.active = True
finding.save()
messages.add_message(request,
messages.SUCCESS,
'Finding removed successfully.',
extra_tags='alert-success')
if 'replace_file' in request.POST:
replace_form = ReplaceRiskAcceptanceForm(request.POST,
request.FILES,
instance=risk_approval)
if replace_form.is_valid():
risk_approval.path.delete(save=False)
risk_approval.path = replace_form.cleaned_data['path']
risk_approval.save()
messages.add_message(request,
messages.SUCCESS,
'File replaced successfully.',
extra_tags='alert-success')
if 'add_findings' in request.POST:
add_findings_form = AddFindingsRiskAcceptanceForm(
request.POST, request.FILES, instance=risk_approval)
if add_findings_form.is_valid():
findings = add_findings_form.cleaned_data['accepted_findings']
for finding in findings:
finding.active = False
finding.save()
risk_approval.accepted_findings.add(finding)
risk_approval.save()
messages.add_message(request,
messages.SUCCESS,
'Finding%s added successfully.' %
('s' if len(findings) > 1 else ''),
extra_tags='alert-success')
note_form = NoteForm()
replace_form = ReplaceRiskAcceptanceForm()
add_findings_form = AddFindingsRiskAcceptanceForm()
accepted_findings = risk_approval.accepted_findings.order_by(
'numerical_severity')
fpage = get_page_items(request, accepted_findings, 15)
unaccepted_findings = Finding.objects.filter(test__in=eng.test_set.all()) \
.exclude(id__in=accepted_findings).order_by("title")
add_fpage = get_page_items(request, unaccepted_findings, 10, 'apage')
# on this page we need to add unaccepted findings as possible findings to add as accepted
add_findings_form.fields[
"accepted_findings"].queryset = add_fpage.object_list
authorized = (request.user == risk_approval.owner.username
or request.user.is_staff)
product_tab = Product_Tab(eng.product.id,
title="Risk Exception",
tab="engagements")
product_tab.setEngagement(eng)
return render(
request,
'dojo/view_risk.html',
{
'risk_approval': risk_approval,
'product_tab': product_tab,
'accepted_findings': fpage,
'notes': risk_approval.notes.all(),
'a_file': a_file,
'eng': eng,
'note_form': note_form,
'replace_form': replace_form,
'add_findings_form': add_findings_form,
# 'show_add_findings_form': len(unaccepted_findings),
'request': request,
'add_findings': add_fpage,
'authorized': authorized,
})
def view_risk(request, eid, raid):
risk_approval = get_object_or_404(Risk_Acceptance, pk=raid)
eng = get_object_or_404(Engagement, pk=eid)
if (request.user.is_staff or
request.user in eng.product.authorized_users.all()):
pass
else:
raise PermissionDenied
a_file = risk_approval.path
if request.method == 'POST':
note_form = NoteForm(request.POST)
if note_form.is_valid():
new_note = note_form.save(commit=False)
new_note.author = request.user
new_note.date = datetime.now(tz=localtz)
new_note.save()
risk_approval.notes.add(new_note)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
if 'delete_note' in request.POST:
note = get_object_or_404(Notes, pk=request.POST['delete_note_id'])
if note.author.username == request.user.username:
risk_approval.notes.remove(note)
note.delete()
messages.add_message(request,
messages.SUCCESS,
'Note deleted successfully.',
extra_tags='alert-success')
else:
messages.add_message(
request,
messages.ERROR,
"Since you are not the note's author, it was not deleted.",
extra_tags='alert-danger')
if 'remove_finding' in request.POST:
finding = get_object_or_404(Finding,
pk=request.POST['remove_finding_id'])
risk_approval.accepted_findings.remove(finding)
finding.active = True
finding.save()
messages.add_message(request,
messages.SUCCESS,
'Finding removed successfully.',
extra_tags='alert-success')
if 'replace_file' in request.POST:
replace_form = ReplaceRiskAcceptanceForm(
request.POST,
request.FILES,
instance=risk_approval)
if replace_form.is_valid():
risk_approval.path.delete(save=False)
risk_approval.path = replace_form.cleaned_data['path']
risk_approval.save()
messages.add_message(request,
messages.SUCCESS,
'File replaced successfully.',
extra_tags='alert-success')
if 'add_findings' in request.POST:
add_findings_form = AddFindingsRiskAcceptanceForm(
request.POST,
request.FILES,
instance=risk_approval)
if add_findings_form.is_valid():
findings = add_findings_form.cleaned_data[
'accepted_findings']
for finding in findings:
finding.active = False
finding.save()
risk_approval.accepted_findings.add(finding)
risk_approval.save()
messages.add_message(
request,
messages.SUCCESS,
'Finding%s added successfully.' % ('s'
if len(findings) > 1 else ''),
extra_tags='alert-success')
note_form = NoteForm()
replace_form = ReplaceRiskAcceptanceForm()
add_findings_form = AddFindingsRiskAcceptanceForm()
exclude_findings = [finding.id for ra in eng.risk_acceptance.all()
for finding in ra.accepted_findings.all()]
findings = Finding.objects.filter(test__in=eng.test_set.all()) \
.exclude(id__in=exclude_findings).order_by("title")
add_fpage = get_page_items(request, findings, 10, 'apage')
add_findings_form.fields[
"accepted_findings"].queryset = add_fpage.object_list
fpage = get_page_items(request, risk_approval.accepted_findings.order_by(
'numerical_severity'), 15)
authorized = (request.user == risk_approval.reporter.username
or request.user.is_staff)
add_breadcrumb(parent=risk_approval, top_level=False, request=request)
return render(request, 'dojo/view_risk.html',
{'risk_approval': risk_approval,
'accepted_findings': fpage,
'notes': risk_approval.notes.all(),
'a_file': a_file,
'eng': eng,
'note_form': note_form,
'replace_form': replace_form,
'add_findings_form': add_findings_form,
'show_add_findings_form': len(findings),
'request': request,
'add_findings': add_fpage,
'authorized': authorized,
})
def view_engagement(request, eid):
eng = get_object_or_404(Engagement, id=eid)
tests = eng.test_set.all().order_by('test_type__name', '-updated')
default_page_num = 10
tests_filter = EngagementTestFilter(request.GET, queryset=tests, engagement=eng)
paged_tests = get_page_items(request, tests_filter.qs, default_page_num)
# prefetch only after creating the filters to avoid https://code.djangoproject.com/ticket/23771 and https://code.djangoproject.com/ticket/25375
paged_tests.object_list = prefetch_for_view_tests(paged_tests.object_list)
prod = eng.product
risks_accepted = eng.risk_acceptance.all().select_related('owner').annotate(accepted_findings_count=Count('accepted_findings__id'))
preset_test_type = None
network = None
if eng.preset:
preset_test_type = eng.preset.test_type.all()
network = eng.preset.network_locations.all()
system_settings = System_Settings.objects.get()
jissue = jira_helper.get_jira_issue(eng)
jira_project = jira_helper.get_jira_project(eng)
try:
check = Check_List.objects.get(engagement=eng)
except:
check = None
pass
notes = eng.notes.all()
note_type_activation = Note_Type.objects.filter(is_active=True).count()
if note_type_activation:
available_note_types = find_available_notetypes(notes)
form = DoneForm()
files = eng.files.all()
if request.method == 'POST':
user_has_permission_or_403(request.user, eng, Permissions.Note_Add)
eng.progress = 'check_list'
eng.save()
if note_type_activation:
form = TypedNoteForm(request.POST, available_note_types=available_note_types)
else:
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
eng.notes.add(new_note)
if note_type_activation:
form = TypedNoteForm(available_note_types=available_note_types)
else:
form = NoteForm()
url = request.build_absolute_uri(reverse("view_engagement", args=(eng.id,)))
title = "Engagement: %s on %s" % (eng.name, eng.product.name)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
if note_type_activation:
form = TypedNoteForm(available_note_types=available_note_types)
else:
form = NoteForm()
creds = Cred_Mapping.objects.filter(
product=eng.product).select_related('cred_id').order_by('cred_id')
cred_eng = Cred_Mapping.objects.filter(
engagement=eng.id).select_related('cred_id').order_by('cred_id')
add_breadcrumb(parent=eng, top_level=False, request=request)
title = ""
if eng.engagement_type == "CI/CD":
title = " CI/CD"
product_tab = Product_Tab(prod.id, title="View" + title + " Engagement", tab="engagements")
product_tab.setEngagement(eng)
return render(
request, 'dojo/view_eng.html', {
'eng': eng,
'product_tab': product_tab,
'system_settings': system_settings,
'tests': paged_tests,
'filter': tests_filter,
'check': check,
'threat': eng.tmodel_path,
'form': form,
'notes': notes,
'files': files,
'risks_accepted': risks_accepted,
'jissue': jissue,
'jira_project': jira_project,
'creds': creds,
'cred_eng': cred_eng,
'network': network,
'preset_test_type': preset_test_type
})
def view_edit_risk_acceptance(request, eid, raid, edit_mode=False):
risk_acceptance = get_object_or_404(Risk_Acceptance, pk=raid)
eng = get_object_or_404(Engagement, pk=eid)
if edit_mode and not eng.product.enable_full_risk_acceptance:
raise PermissionDenied()
risk_acceptance_form = None
errors = False
if request.method == 'POST':
# deleting before instantiating the form otherwise django messes up and we end up with an empty path value
if len(request.FILES) > 0:
logger.debug('new proof uploaded')
risk_acceptance.path.delete()
if 'decision' in request.POST:
old_expiration_date = risk_acceptance.expiration_date
risk_acceptance_form = EditRiskAcceptanceForm(request.POST, request.FILES, instance=risk_acceptance)
errors = errors or not risk_acceptance_form.is_valid()
if not errors:
logger.debug('path: %s', risk_acceptance_form.cleaned_data['path'])
risk_acceptance_form.save()
if risk_acceptance.expiration_date != old_expiration_date:
# risk acceptance was changed, check if risk acceptance needs to be reinstated and findings made accepted again
ra_helper.reinstate(risk_acceptance, old_expiration_date)
messages.add_message(
request,
messages.SUCCESS,
'Risk Acceptance saved successfully.',
extra_tags='alert-success')
if 'entry' in request.POST:
note_form = NoteForm(request.POST)
errors = errors or not note_form.is_valid()
if not errors:
new_note = note_form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
risk_acceptance.notes.add(new_note)
messages.add_message(
request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
if 'delete_note' in request.POST:
note = get_object_or_404(Notes, pk=request.POST['delete_note_id'])
if note.author.username == request.user.username:
risk_acceptance.notes.remove(note)
note.delete()
messages.add_message(
request,
messages.SUCCESS,
'Note deleted successfully.',
extra_tags='alert-success')
else:
messages.add_message(
request,
messages.ERROR,
"Since you are not the note's author, it was not deleted.",
extra_tags='alert-danger')
if 'remove_finding' in request.POST:
finding = get_object_or_404(
Finding, pk=request.POST['remove_finding_id'])
ra_helper.remove_finding_from_risk_acceptance(risk_acceptance, finding)
messages.add_message(
request,
messages.SUCCESS,
'Finding removed successfully from risk acceptance.',
extra_tags='alert-success')
if 'replace_file' in request.POST:
replace_form = ReplaceRiskAcceptanceProofForm(
request.POST, request.FILES, instance=risk_acceptance)
errors = errors or not replace_form.is_valid()
if not errors:
replace_form.save()
messages.add_message(
request,
messages.SUCCESS,
'New Proof uploaded successfully.',
extra_tags='alert-success')
else:
logger.error(replace_form.errors)
if 'add_findings' in request.POST:
add_findings_form = AddFindingsRiskAcceptanceForm(
request.POST, request.FILES, instance=risk_acceptance)
errors = errors or not add_findings_form.is_valid()
if not errors:
findings = add_findings_form.cleaned_data['accepted_findings']
ra_helper.add_findings_to_risk_acceptance(risk_acceptance, findings)
messages.add_message(
request,
messages.SUCCESS,
'Finding%s added successfully.' % ('s' if len(findings) > 1
else ''),
extra_tags='alert-success')
if not errors:
logger.debug('redirecting to return_url')
return redirect_to_return_url_or_else(request, reverse("view_risk_acceptance", args=(eid, raid)))
else:
logger.error('errors found')
else:
if edit_mode:
risk_acceptance_form = EditRiskAcceptanceForm(instance=risk_acceptance)
note_form = NoteForm()
replace_form = ReplaceRiskAcceptanceProofForm(instance=risk_acceptance)
add_findings_form = AddFindingsRiskAcceptanceForm(instance=risk_acceptance)
accepted_findings = risk_acceptance.accepted_findings.order_by('numerical_severity')
fpage = get_page_items(request, accepted_findings, 15)
unaccepted_findings = Finding.objects.filter(test__in=eng.test_set.all()) \
.exclude(id__in=accepted_findings).order_by("title")
add_fpage = get_page_items(request, unaccepted_findings, 10, 'apage')
# on this page we need to add unaccepted findings as possible findings to add as accepted
add_findings_form.fields[
"accepted_findings"].queryset = add_fpage.object_list
product_tab = Product_Tab(eng.product.id, title="Risk Acceptance", tab="engagements")
product_tab.setEngagement(eng)
return render(
request, 'dojo/view_risk_acceptance.html', {
'risk_acceptance': risk_acceptance,
'engagement': eng,
'product_tab': product_tab,
'accepted_findings': fpage,
'notes': risk_acceptance.notes.all(),
'eng': eng,
'edit_mode': edit_mode,
'risk_acceptance_form': risk_acceptance_form,
'note_form': note_form,
'replace_form': replace_form,
'add_findings_form': add_findings_form,
# 'show_add_findings_form': len(unaccepted_findings),
'request': request,
'add_findings': add_fpage,
'return_url': get_return_url(request),
})
def view_test(request, tid):
test = get_object_or_404(Test, pk=tid)
prod = test.engagement.product
tags = Tag.objects.usage_for_model(Finding)
notes = test.notes.all()
note_type_activation = Note_Type.objects.filter(is_active=True).count()
if note_type_activation:
available_note_types = find_available_notetypes(notes)
person = request.user.username
findings = Finding.objects.filter(test=test).order_by('numerical_severity')
findings = OpenFindingFilter(request.GET, queryset=findings)
stub_findings = Stub_Finding.objects.filter(test=test)
cred_test = Cred_Mapping.objects.filter(
test=test).select_related('cred_id').order_by('cred_id')
creds = Cred_Mapping.objects.filter(
engagement=test.engagement).select_related('cred_id').order_by(
'cred_id')
system_settings = get_object_or_404(System_Settings, id=1)
if request.method == 'POST' and request.user.is_staff:
if note_type_activation:
form = TypedNoteForm(request.POST,
available_note_types=available_note_types)
else:
form = NoteForm(request.POST)
if form.is_valid():
new_note = form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
test.notes.add(new_note)
if note_type_activation:
form = TypedNoteForm(available_note_types=available_note_types)
else:
form = NoteForm()
url = request.build_absolute_uri(
reverse("view_test", args=(test.id, )))
title = "Test: %s on %s" % (test.test_type.name,
test.engagement.product.name)
process_notifications(request, new_note, url, title)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
else:
if note_type_activation:
form = TypedNoteForm(available_note_types=available_note_types)
else:
form = NoteForm()
title_words = get_words_for_field(findings.qs, 'title')
component_words = get_words_for_field(findings.qs, 'component_name')
paged_findings, total_findings_count = get_page_items_and_count(
request, prefetch_for_findings(findings.qs), 25)
paged_stub_findings = get_page_items(request, stub_findings, 25)
show_re_upload = any(test.test_type.name in code
for code in ImportScanForm.SCAN_TYPE_CHOICES)
product_tab = Product_Tab(prod.id, title="Test", tab="engagements")
product_tab.setEngagement(test.engagement)
jira_config = JIRA_PKey.objects.filter(product=prod.id).first()
if jira_config:
jira_config = jira_config.conf_id
google_sheets_enabled = system_settings.enable_google_sheets
sheet_url = None
if google_sheets_enabled:
spreadsheet_name = test.engagement.product.name + "-" + test.engagement.name + "-" + str(
test.id)
system_settings = get_object_or_404(System_Settings, id=1)
service_account_info = json.loads(system_settings.credentials)
SCOPES = ['https://www.googleapis.com/auth/drive']
credentials = service_account.Credentials.from_service_account_info(
service_account_info, scopes=SCOPES)
try:
drive_service = googleapiclient.discovery.build(
'drive', 'v3', credentials=credentials, cache_discovery=False)
folder_id = system_settings.drive_folder_ID
files = drive_service.files().list(
q="mimeType='application/vnd.google-apps.spreadsheet' and parents in '%s' and name='%s'"
% (folder_id, spreadsheet_name),
spaces='drive',
pageSize=10,
fields='files(id, name)').execute()
except googleapiclient.errors.HttpError:
messages.add_message(
request,
messages.ERROR,
"There is a problem with the Google Sheets Sync Configuration. Contact your system admin to solve the issue. Until fixed Google Shet Sync feature can not be used.",
extra_tags="alert-danger",
)
google_sheets_enabled = False
except httplib2.ServerNotFoundError:
messages.add_message(
request,
messages.ERROR,
"Unable to reach the Google Sheet API.",
extra_tags="alert-danger",
)
else:
spreadsheets = files.get('files')
if len(spreadsheets) == 1:
spreadsheetId = spreadsheets[0].get('id')
sheet_url = 'https://docs.google.com/spreadsheets/d/' + spreadsheetId
return render(
request, 'dojo/view_test.html', {
'test': test,
'product_tab': product_tab,
'findings': paged_findings,
'filtered': findings,
'findings_count': total_findings_count,
'stub_findings': paged_stub_findings,
'title_words': title_words,
'component_words': component_words,
'form': form,
'notes': notes,
'person': person,
'request': request,
'show_re_upload': show_re_upload,
'creds': creds,
'cred_test': cred_test,
'tag_input': tags,
'jira_config': jira_config,
'show_export': google_sheets_enabled,
'sheet_url': sheet_url
})
