From b2895c501445b83746e510c822d19385a89285af Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Thu, 25 Jan 2024 16:32:23 -0600 Subject: [PATCH 01/15] Added Post in risk acceptance endpoint API --- dojo/api_v2/views.py | 1 + 1 file changed, 1 insertion(+) diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py index 40bc45b892b..1b88df44cf3 100644 --- a/dojo/api_v2/views.py +++ b/dojo/api_v2/views.py @@ -745,6 +745,7 @@ def download_file(self, request, file_id, pk=None): class RiskAcceptanceViewSet( prefetch.PrefetchListMixin, prefetch.PrefetchRetrieveMixin, + mixins.CreateModelMixin, mixins.DestroyModelMixin, mixins.UpdateModelMixin, viewsets.ReadOnlyModelViewSet, From 06a352e4d73f7aba48060702be22b770f5a1f2f8 Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Fri, 26 Jan 2024 11:42:17 -0600 Subject: [PATCH 02/15] fixing permissions --- dojo/api_v2/permissions.py | 7 ++++--- unittests/test_rest_framework.py | 4 ++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/dojo/api_v2/permissions.py b/dojo/api_v2/permissions.py index aac0eb79264..fa7af414a44 100644 --- a/dojo/api_v2/permissions.py +++ b/dojo/api_v2/permissions.py @@ -22,6 +22,7 @@ Finding_Group, Product_Type, Product, + Risk_Acceptance, Test, Dojo_Group, Cred_Mapping, @@ -333,8 +334,8 @@ def has_object_permission(self, request, view, obj): class UserHasRiskAcceptancePermission(permissions.BasePermission): # Permission checks for related objects (like notes or metadata) can be moved # into a seperate class, when the legacy authorization will be removed. - path_risk_acceptance_post = re.compile(r"^/api/v2/risk_acceptances/$") - path_risk_acceptance = re.compile(r"^/api/v2/risk_acceptances/\d+/$") + path_risk_acceptance_post = re.compile(r"^/api/v2/risk_acceptance/$") + path_risk_acceptance = re.compile(r"^/api/v2/risk_acceptance/\d+/$") def has_permission(self, request, view): if UserHasRiskAcceptancePermission.path_risk_acceptance_post.match( 
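Review bot: The path regexes fail open on a mismatch: after renaming the prefix to `/api/v2/risk_acceptance/`, if the router still registers the viewset under `/api/v2/risk_acceptances/` neither pattern matches, `has_permission` falls through to the `else` branch (which the comment suggests returns True for related objects), and POST stops going through the product check entirely. Patch 10 reverts the rename, which suggests exactly this happened; a regression test that issues the POST against the router-generated URL and asserts the product check is reached would have caught it. Gating on the path string is brittle; DRF exposes `view.action` (`"create"`, `"update"`, ...) which identifies the operation regardless of URL prefix. `has_permission`'s body continues outside the hunk.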
@@ -343,7 +344,7 @@ def has_permission(self, request, view): request.path ): return check_post_permission( - request, Product, "product", Permissions.Risk_Acceptance + request, Risk_Acceptance, "id", Permissions.Risk_Acceptance ) else: # related object only need object permission diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py index c5e10179cb0..0259a3b2d48 100644 --- a/unittests/test_rest_framework.py +++ b/unittests/test_rest_framework.py @@ -1454,7 +1454,7 @@ def __init__(self, *args, **kwargs): self.permission_create = Permissions.Test_Add self.permission_update = Permissions.Test_Edit self.permission_delete = Permissions.Test_Delete - self.deleted_objects = 18 + self.deleted_objects = 5 BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) @@ -2531,7 +2531,7 @@ def __init__(self, *args, **kwargs): } self.update_fields = {'color': 'blue'} self.test_type = TestType.CONFIGURATION_PERMISSIONS - self.deleted_objects = 2 + self.deleted_objects = 1 BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) From 2c99aff7ce0d6c0e2846e90974b3ec1a221654d1 Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Fri, 26 Jan 2024 13:56:53 -0600 Subject: [PATCH 03/15] fix tests --- unittests/test_rest_framework.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py index 0259a3b2d48..07730ad03e0 100644 --- a/unittests/test_rest_framework.py +++ b/unittests/test_rest_framework.py @@ -1454,7 +1454,7 @@ def __init__(self, *args, **kwargs): self.permission_create = Permissions.Test_Add self.permission_update = Permissions.Test_Edit self.permission_delete = Permissions.Test_Delete - self.deleted_objects = 5 + self.deleted_objects = 18 BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) From c5d3b23e1135a1501bb0b2636f09d7c41c9f750c Mon Sep 17 00:00:00 2001 
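Review bot: Looking up `Risk_Acceptance` by an `id` taken from the request body cannot work for a create request, since the object does not exist yet; unless `check_post_permission` tolerates a missing `id` (its body is not visible here), every legitimate POST is rejected and the caller's rights on the product the findings belong to are never evaluated. Patch 10 reverts this line, and the `deleted_objects` expectations in `test_rest_framework.py` are toggled back and forth (18→5→18→5→18 at line 1454, and 2→1→2 / 1→2→1 at lines 2531 and 2559) across patches 02–08 with no stated reason, so the series should be squashed to its final state with one commit message saying which counts are correct and why. `has_permission` starts and ends outside the hunk.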
From: Felix Hernandez Date: Tue, 30 Jan 2024 16:22:19 -0600 Subject: [PATCH 04/15] fix tests --- unittests/test_rest_framework.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py index 07730ad03e0..0259a3b2d48 100644 --- a/unittests/test_rest_framework.py +++ b/unittests/test_rest_framework.py @@ -1454,7 +1454,7 @@ def __init__(self, *args, **kwargs): self.permission_create = Permissions.Test_Add self.permission_update = Permissions.Test_Edit self.permission_delete = Permissions.Test_Delete - self.deleted_objects = 18 + self.deleted_objects = 5 BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) From e52d72434689ba33fd1a0d78f60520e396847930 Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Wed, 31 Jan 2024 09:24:17 -0600 Subject: [PATCH 05/15] removed risk_acceptance permission from api methods --- unittests/test_apiv2_methods.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unittests/test_apiv2_methods.py b/unittests/test_apiv2_methods.py index 4f6694ef30f..2ac7f85b33a 100644 --- a/unittests/test_apiv2_methods.py +++ b/unittests/test_apiv2_methods.py @@ -17,7 +17,7 @@ def test_is_defined(self): exempt_list = [ 'import-scan', 'reimport-scan', 'notes', 'system_settings', 'roles', 'import-languages', 'endpoint_meta_import', 'test_types', - 'configuration_permissions', 'risk_acceptance', 'questionnaire_questions', + 'configuration_permissions', 'questionnaire_questions', 'questionnaire_answers', 'questionnaire_answered_questionnaires', 'questionnaire_engagement_questionnaires', 'questionnaire_general_questionnaires', 'dojo_group_members', 'product_members', 'product_groups', 'product_type_groups', From 77c869d6f17940c15944610663dd1ae6e8c5d1ad Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Wed, 31 Jan 2024 10:41:46 -0600 Subject: [PATCH 06/15] assert error --- unittests/test_rest_framework.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py index 0259a3b2d48..07730ad03e0 100644 --- a/unittests/test_rest_framework.py +++ b/unittests/test_rest_framework.py @@ -1454,7 +1454,7 @@ def __init__(self, *args, **kwargs): self.permission_create = Permissions.Test_Add self.permission_update = Permissions.Test_Edit self.permission_delete = Permissions.Test_Delete - self.deleted_objects = 5 + self.deleted_objects = 18 BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) From 5ad4ac99b77eb8be6a7f0c13ee94aaa348aeac26 Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Wed, 31 Jan 2024 11:01:34 -0600 Subject: [PATCH 07/15] assert error --- unittests/test_rest_framework.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py index 07730ad03e0..342de9e71fa 100644 --- a/unittests/test_rest_framework.py +++ b/unittests/test_rest_framework.py @@ -2531,7 +2531,7 @@ def __init__(self, *args, **kwargs): } self.update_fields = {'color': 'blue'} self.test_type = TestType.CONFIGURATION_PERMISSIONS - self.deleted_objects = 1 + self.deleted_objects = 2 BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) @@ -2559,7 +2559,7 @@ def __init__(self, *args, **kwargs): self.permission_create = Permissions.Language_Add self.permission_update = Permissions.Language_Edit self.permission_delete = Permissions.Language_Delete - self.deleted_objects = 1 + self.deleted_objects = 2 BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) From e644cb7bfc49b1f3b16c01f5e9be025682b6f938 Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Wed, 31 Jan 2024 11:56:31 -0600 Subject: [PATCH 08/15] assert --- unittests/test_rest_framework.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py index 342de9e71fa..c5e10179cb0 100644 --- a/unittests/test_rest_framework.py 
+++ b/unittests/test_rest_framework.py @@ -2559,7 +2559,7 @@ def __init__(self, *args, **kwargs): self.permission_create = Permissions.Language_Add self.permission_update = Permissions.Language_Edit self.permission_delete = Permissions.Language_Delete - self.deleted_objects = 2 + self.deleted_objects = 1 BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) From f0b14f435c1c35d2b29ed3cc99f28cc58b41c16a Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Wed, 31 Jan 2024 12:55:04 -0600 Subject: [PATCH 09/15] consistency details --- dojo/api_v2/views.py | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py index 1b88df44cf3..fceb87c7ea2 100644 --- a/dojo/api_v2/views.py +++ b/dojo/api_v2/views.py @@ -743,13 +743,7 @@ def download_file(self, request, file_id, pk=None): class RiskAcceptanceViewSet( - prefetch.PrefetchListMixin, - prefetch.PrefetchRetrieveMixin, - mixins.CreateModelMixin, - mixins.DestroyModelMixin, - mixins.UpdateModelMixin, - viewsets.ReadOnlyModelViewSet, - dojo_mixins.DeletePreviewModelMixin, + PrefetchDojoModelViewSet ): serializer_class = serializers.RiskAcceptanceSerializer queryset = Risk_Acceptance.objects.none() From 28ead337d2652e3043e39aad16803048e4dcc893 Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Thu, 8 Feb 2024 13:05:31 -0600 Subject: [PATCH 10/15] validation for permissions (findings access) --- dojo/api_v2/permissions.py | 6 +++--- dojo/api_v2/serializers.py | 10 ++++++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/dojo/api_v2/permissions.py b/dojo/api_v2/permissions.py index fa7af414a44..ead57772eff 100644 --- a/dojo/api_v2/permissions.py +++ b/dojo/api_v2/permissions.py 
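Review bot: Replacing the explicit base list with `PrefetchDojoModelViewSet` also drops `dojo_mixins.DeletePreviewModelMixin`, and whether the new base contributes the delete-preview action is not visible here; if it does not, that route on risk acceptances disappears silently. Worth confirming against `PrefetchDojoModelViewSet`'s definition and, since the new base presumably bundles create/update/destroy, saying so in the commit message rather than `consistency details`. The class body continues outside the hunk.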
@@ -334,8 +334,8 @@ def has_object_permission(self, request, view, obj): class UserHasRiskAcceptancePermission(permissions.BasePermission): # Permission checks for related objects (like notes or metadata) can be moved # into a seperate class, when the legacy authorization will be removed. - path_risk_acceptance_post = re.compile(r"^/api/v2/risk_acceptance/$") - path_risk_acceptance = re.compile(r"^/api/v2/risk_acceptance/\d+/$") + path_risk_acceptance_post = re.compile(r"^/api/v2/risk_acceptances/$") + path_risk_acceptance = re.compile(r"^/api/v2/risk_acceptances/\d+/$") def has_permission(self, request, view): if UserHasRiskAcceptancePermission.path_risk_acceptance_post.match( @@ -344,7 +344,7 @@ def has_permission(self, request, view): request.path ): return check_post_permission( - request, Risk_Acceptance, "id", Permissions.Risk_Acceptance + request, Product, "product", Permissions.Risk_Acceptance ) else: # related object only need object permission diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py index 45d2707a6e0..d88ab9f5f7a 100644 --- a/dojo/api_v2/serializers.py +++ b/dojo/api_v2/serializers.py @@ -1527,6 +1527,16 @@ def get_engagement(self, obj): engagement ) + def validate(self, data): + if self.context["request"].method == "POST": + findings = data['accepted_findings'] + for finding in findings: + if not user_has_permission(self.context["request"].user, finding, Permissions.Finding_View): + raise serializers.ValidationError( + "You do not have permission to access to any of these findings" + ) + return data + class Meta: model = Risk_Acceptance fields = "__all__" From c063ab71a027f0e5bb692089e68a4709157d0302 Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Thu, 8 Feb 2024 13:07:45 -0600 Subject: [PATCH 11/15] removed unused import --- dojo/api_v2/permissions.py | 1 - 1 file changed, 1 deletion(-) diff --git a/dojo/api_v2/permissions.py b/dojo/api_v2/permissions.py index ead57772eff..aac0eb79264 100644 
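Review bot: The per-finding check asks for `Permissions.Finding_View`, which is read access, while the operation being authorized is accepting risk on that finding; a caller with view rights on findings in one product and `Risk_Acceptance` on another can combine them, because the product the permission class checks on POST is not tied to the findings listed in `accepted_findings`. Checking the operation's own permission against each finding, `if not user_has_permission(self.context["request"].user, finding, Permissions.Risk_Acceptance):`, closes that gap, assuming `user_has_permission` resolves product-level permissions for a Finding as it does elsewhere in this module. Two smaller points on the same lines: `data['accepted_findings']` raises KeyError (an unhandled 500) if the serializer lets the field be omitted, so `findings = data.get('accepted_findings', [])` is safer, and the guard `if self.context["request"].method == "POST":` leaves PUT/PATCH through `UpdateModelMixin` free to swap `accepted_findings` with no finding-level check, so `if self.context["request"].method in ("POST", "PUT", "PATCH"):` is the intended scope. Patch 12 changes only the exception type and message on this block and keeps all three issues.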
--- a/dojo/api_v2/permissions.py +++ b/dojo/api_v2/permissions.py @@ -22,7 +22,6 @@ Finding_Group, Product_Type, Product, - Risk_Acceptance, Test, Dojo_Group, Cred_Mapping, From 7d0a337db6253f98a5a583c74582c5e80a9bec67 Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Thu, 8 Feb 2024 13:18:50 -0600 Subject: [PATCH 12/15] change Error type and message displayed --- dojo/api_v2/serializers.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py index d88ab9f5f7a..ff21d50aff7 100644 --- a/dojo/api_v2/serializers.py +++ b/dojo/api_v2/serializers.py @@ -1532,8 +1532,8 @@ def validate(self, data): findings = data['accepted_findings'] for finding in findings: if not user_has_permission(self.context["request"].user, finding, Permissions.Finding_View): - raise serializers.ValidationError( - "You do not have permission to access to any of these findings" + raise PermissionDenied( + "You are not permitted to add one or more selected findings to this risk acceptance" ) return data From 39b4b4774cffade0d7e05913935e7e2e070d3e01 Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Fri, 9 Feb 2024 09:19:45 -0600 Subject: [PATCH 13/15] change RiskAcceptanceTest --- dojo/api_v2/permissions.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dojo/api_v2/permissions.py b/dojo/api_v2/permissions.py index aac0eb79264..7fbe70619ee 100644 --- a/dojo/api_v2/permissions.py +++ b/dojo/api_v2/permissions.py @@ -22,6 +22,7 @@ Finding_Group, Product_Type, Product, + Risk_Acceptance, Test, Dojo_Group, Cred_Mapping, @@ -343,7 +344,7 @@ def has_permission(self, request, view): request.path ): return check_post_permission( - request, Product, "product", Permissions.Risk_Acceptance + request, Risk_Acceptance, "name", Permissions.Risk_Acceptance ) else: # related object only need object permission From d20d1d2d6ed65dca9ddfa25a608108486182ae58 Mon Sep 17 00:00:00 2001 
From: Felix Hernandez Date: Fri, 9 Feb 2024 09:43:47 -0600 Subject: [PATCH 14/15] change RiskAcceptanceTest --- dojo/api_v2/permissions.py | 3 +-- unittests/test_rest_framework.py | 6 ++++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/dojo/api_v2/permissions.py b/dojo/api_v2/permissions.py index 7fbe70619ee..aac0eb79264 100644 --- a/dojo/api_v2/permissions.py +++ b/dojo/api_v2/permissions.py @@ -22,7 +22,6 @@ Finding_Group, Product_Type, Product, - Risk_Acceptance, Test, Dojo_Group, Cred_Mapping, @@ -344,7 +343,7 @@ def has_permission(self, request, view): request.path ): return check_post_permission( - request, Risk_Acceptance, "name", Permissions.Risk_Acceptance + request, Product, "product", Permissions.Risk_Acceptance ) else: # related object only need object permission diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py index 979b0c36bb7..01d6ed27492 100644 --- a/unittests/test_rest_framework.py +++ b/unittests/test_rest_framework.py @@ -967,6 +967,12 @@ def __init__(self, *args, **kwargs): self.deleted_objects = 3 BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs) + def test_create_object_not_authorized(self): + self.setUp_not_authorized() + + response = self.client.post(self.url, self.payload) + self.assertEqual(403, response.status_code, response.content[:1000]) + class FindingRequestResponseTest(DojoAPITestCase): fixtures = ['dojo_testdata.json'] From 87cfcb7403cb5e78f7fe9fddd5dc97335f8af4ef Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Fri, 9 Feb 2024 10:04:13 -0600 Subject: [PATCH 15/15] remove risk_acceptance from test_apiv2_methods --- unittests/test_apiv2_methods_and_endpoints.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unittests/test_apiv2_methods_and_endpoints.py b/unittests/test_apiv2_methods_and_endpoints.py index 8163de19534..408dd7cc060 100644 --- a/unittests/test_apiv2_methods_and_endpoints.py +++ b/unittests/test_apiv2_methods_and_endpoints.py 
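Review bot: The POST path now gates on a `product` value read from the request body (as `check_post_permission(request, Product, "product", ...)` implies), but nothing in this series shows `RiskAcceptanceSerializer` (`fields = "__all__"` on `Risk_Acceptance`) exposing a `product` field, so the id the permission check consumes is a free-standing value the client supplies and the serializer ignores. A caller can therefore name any product they hold `Risk_Acceptance` on while listing findings from a different one, leaving the serializer's per-finding check as the only real binding; either derive the product from the findings/engagement in the payload, or document `product` as a required body parameter in the API schema so clients know why a POST without it fails. The added `test_create_object_not_authorized` covers only a user with no rights at all; a second test that names a permitted product while posting findings from an unpermitted one, expecting 403, would pin the cross-product case. The `Risk_Acceptance, "name"` variant from patch 13 is reverted here, so only this final form needs review; `has_permission` starts and ends outside the hunk.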
@@ -45,7 +45,7 @@ def test_is_defined(self): exempt_list = [ 'import-scan', 'reimport-scan', 'notes', 'system_settings', 'roles', 'import-languages', 'endpoint_meta_import', 'test_types', - 'configuration_permissions', 'risk_acceptance', 'questionnaire_questions', + 'configuration_permissions', 'questionnaire_questions', 'questionnaire_answers', 'questionnaire_answered_questionnaires', 'questionnaire_engagement_questionnaires', 'questionnaire_general_questionnaires', 'dojo_group_members', 'product_members', 'product_groups', 'product_type_groups',