Adjust several permissions for API and UI (#5672)

* initial commit

* documentation of method

* intermediate commit

* API for Notes restricted to superusers

* documentation for notes api

* fix unit tests

* flake8

Author: StefanFl

dojo/api_v2/permissions.py

@@ -5,7 +5,7 @@
 from dojo.importers.reimporter.utils import get_target_engagement_if_exists, get_target_product_by_id_if_exists, \
     get_target_product_if_exists, get_target_test_if_exists,  \
     get_target_product_type_if_exists
-from dojo.models import Endpoint, Engagement, Finding, Product_Type, Product, Test, Dojo_Group
+from dojo.models import Endpoint, Engagement, Finding, Finding_Group, Product_Type, Product, Test, Dojo_Group
 from django.shortcuts import get_object_or_404
 from rest_framework import permissions, serializers
 from dojo.authorization.authorization import user_has_global_permission, user_has_permission, user_has_configuration_permission
@@ -109,6 +109,14 @@ def has_object_permission(self, request, view, obj):
         return has_permission_result
 
 
+class UserHasToolProductSettingsPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(request, Product, 'product', Permissions.Product_Edit)
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(request, obj.product, Permissions.Product_View, Permissions.Product_Edit, Permissions.Product_Edit)
+
+
 class UserHasEndpointPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(request, Product, 'product', Permissions.Endpoint_Add)
@@ -347,6 +355,77 @@ def has_object_permission(self, request, view, obj):
         return check_object_permission(request, obj, Permissions.Product_API_Scan_Configuration_View, Permissions.Product_API_Scan_Configuration_Edit, Permissions.Product_API_Scan_Configuration_Delete)
 
 
+class UserHasJiraProductPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        if request.method == 'POST':
+            has_permission_result = True
+            engagement_id = request.data.get('engagement', None)
+            if engagement_id:
+                object = get_object_or_404(Engagement, pk=engagement_id)
+                has_permission_result = has_permission_result and \
+                    user_has_permission(request.user, object, Permissions.Engagement_Edit)
+            product_id = request.data.get('product', None)
+            if product_id:
+                object = get_object_or_404(Product, pk=product_id)
+                has_permission_result = has_permission_result and \
+                    user_has_permission(request.user, object, Permissions.Product_Edit)
+            return has_permission_result
+        else:
+            return True
+
+    def has_object_permission(self, request, view, obj):
+        has_permission_result = True
+        engagement = obj.engagement
+        if engagement:
+            has_permission_result = has_permission_result and \
+                check_object_permission(request, engagement, Permissions.Engagement_View, Permissions.Engagement_Edit, Permissions.Engagement_Edit)
+        product = obj.product
+        if product:
+            has_permission_result = has_permission_result and \
+                check_object_permission(request, product, Permissions.Product_View, Permissions.Product_Edit, Permissions.Product_Edit)
+        return has_permission_result
+
+
+class UserHasJiraIssuePermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        if request.method == 'POST':
+            has_permission_result = True
+            engagement_id = request.data.get('engagement', None)
+            if engagement_id:
+                object = get_object_or_404(Engagement, pk=engagement_id)
+                has_permission_result = has_permission_result and \
+                    user_has_permission(request.user, object, Permissions.Engagement_Edit)
+            finding_id = request.data.get('finding', None)
+            if finding_id:
+                object = get_object_or_404(Finding, pk=finding_id)
+                has_permission_result = has_permission_result and \
+                    user_has_permission(request.user, object, Permissions.Finding_Edit)
+            finding_group_id = request.data.get('finding_group', None)
+            if finding_group_id:
+                object = get_object_or_404(Finding_Group, pk=finding_group_id)
+                has_permission_result = has_permission_result and \
+                    user_has_permission(request.user, object, Permissions.Finding_Group_Edit)
+            return has_permission_result
+        else:
+            return True
+
+    def has_object_permission(self, request, view, obj):
+        has_permission_result = True
+        engagement = obj.engagement
+        if engagement:
+            has_permission_result = has_permission_result and \
+                check_object_permission(request, engagement, Permissions.Engagement_View, Permissions.Engagement_Edit, Permissions.Engagement_Edit)
+        finding = obj.finding
+        if finding:
+            has_permission_result = has_permission_result and \
+                check_object_permission(request, finding, Permissions.Finding_View, Permissions.Finding_Edit, Permissions.Finding_Edit)
+        finding_group = obj.finding_group
+        if finding_group:
+            has_permission_result = has_permission_result and \
+                check_object_permission(request, finding_group, Permissions.Finding_Group_View, Permissions.Finding_Group_Edit, Permissions.Finding_Group_Edit)
+        return has_permission_result
+
+
 class IsSuperUser(permissions.BasePermission):
     def has_permission(self, request, view):
         return request.user and request.user.is_superuser

dojo/api_v2/serializers.py

@@ -780,6 +780,25 @@ class Meta:
     def get_url(self, obj) -> str:
         return jira_helper.get_jira_issue_url(obj)
 
+    def validate(self, data):
+        if self.context['request'].method == 'PATCH':
+            engagement = data.get('engagement', self.instance.engagement)
+            finding = data.get('finding', self.instance.finding)
+            finding_group = data.get('finding_group', self.instance.finding_group)
+        else:
+            engagement = data.get('engagement', None)
+            finding = data.get('finding', None)
+            finding_group = data.get('finding_group', None)
+
+        if ((engagement and not finding and not finding_group) or
+                (finding and not engagement and not finding_group) or
+                (finding_group and not engagement and not finding)):
+            pass
+        else:
+            raise serializers.ValidationError('Either engagement or finding or finding_group has to be set.')
+
+        return data
+
 
 class JIRAInstanceSerializer(serializers.ModelSerializer):
     class Meta:
@@ -795,6 +814,19 @@ class Meta:
         model = JIRA_Project
         fields = '__all__'
 
+    def validate(self, data):
+        if self.context['request'].method == 'PATCH':
+            engagement = data.get('engagement', self.instance.engagement)
+            product = data.get('product', self.instance.product)
+        else:
+            engagement = data.get('engagement', None)
+            product = data.get('product', None)
+
+        if ((engagement and product) or (not engagement and not product)):
+            raise serializers.ValidationError('Either engagement or product has to be set.')
+
+        return data
+
 
 class SonarqubeIssueSerializer(serializers.ModelSerializer):
     class Meta:

dojo/api_v2/views.py

@@ -56,6 +56,8 @@
 from dojo.finding.queries import get_authorized_findings, get_authorized_stub_findings
 from dojo.endpoint.queries import get_authorized_endpoints, get_authorized_endpoint_status
 from dojo.group.queries import get_authorized_groups, get_authorized_group_members
+from dojo.jira_link.queries import get_authorized_jira_projects, get_authorized_jira_issues
+from dojo.tool_product.queries import get_authorized_tool_product_settings
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema, extend_schema_view
 from dojo.authorization.roles_permissions import Permissions
 
@@ -1015,34 +1017,40 @@ class JiraInstanceViewSet(mixins.ListModelMixin,
     permission_classes = (permissions.IsSuperUser, DjangoModelPermissions)
 
 
-# Authorization: staff
+# Authorization: object-based
 class JiraIssuesViewSet(mixins.ListModelMixin,
                         mixins.RetrieveModelMixin,
                         mixins.DestroyModelMixin,
                         mixins.CreateModelMixin,
                         mixins.UpdateModelMixin,
                         viewsets.GenericViewSet):
     serializer_class = serializers.JIRAIssueSerializer
-    queryset = JIRA_Issue.objects.all()
+    queryset = JIRA_Issue.objects.none()
     filter_backends = (DjangoFilterBackend,)
-    filter_fields = ('id', 'jira_id', 'jira_key', 'finding_id')
-    permission_classes = (IsAdminUser, DjangoModelPermissions)
+    filter_fields = ('id', 'jira_id', 'jira_key', 'finding', 'engagement', 'finding_group')
+    permission_classes = (IsAuthenticated, permissions.UserHasJiraIssuePermission)
 
+    def get_queryset(self):
+        return get_authorized_jira_issues(Permissions.Product_View)
 
-# Authorization: staff
+
+# Authorization: object-based
 class JiraProjectViewSet(mixins.ListModelMixin,
                   mixins.RetrieveModelMixin,
                   mixins.DestroyModelMixin,
                   mixins.UpdateModelMixin,
                   mixins.CreateModelMixin,
                   viewsets.GenericViewSet):
     serializer_class = serializers.JIRAProjectSerializer
-    queryset = JIRA_Project.objects.all()
+    queryset = JIRA_Project.objects.none()
     filter_backends = (DjangoFilterBackend,)
-    filter_fields = ('id', 'jira_instance', 'product', 'component', 'project_key',
+    filter_fields = ('id', 'jira_instance', 'product', 'engagement', 'component', 'project_key',
                      'push_all_issues', 'enable_engagement_epic_mapping',
                      'push_notes')
-    permission_classes = (IsAdminUser, DjangoModelPermissions)
+    permission_classes = (IsAuthenticated, permissions.UserHasJiraProductPermission)
+
+    def get_queryset(self):
+        return get_authorized_jira_projects(Permissions.Product_View)
 
 
 # Authorization: superuser
@@ -1754,19 +1762,22 @@ class ToolConfigurationsViewSet(mixins.ListModelMixin,
     permission_classes = (permissions.IsSuperUser, DjangoModelPermissions)
 
 
-# Authorization: staff
+# Authorization: object-based
 class ToolProductSettingsViewSet(mixins.ListModelMixin,
                                  mixins.RetrieveModelMixin,
                                  mixins.DestroyModelMixin,
                                  mixins.CreateModelMixin,
                                  mixins.UpdateModelMixin,
                                  viewsets.GenericViewSet):
     serializer_class = serializers.ToolProductSettingsSerializer
-    queryset = Tool_Product_Settings.objects.all()
+    queryset = Tool_Product_Settings.objects.none()
     filter_backends = (DjangoFilterBackend,)
     filter_fields = ('id', 'name', 'product', 'tool_configuration',
                      'tool_project_id', 'url')
-    permission_classes = (IsAdminUser, DjangoModelPermissions)
+    permission_classes = (IsAuthenticated, permissions.UserHasToolProductSettingsPermission)
+
+    def get_queryset(self):
+        return get_authorized_tool_product_settings(Permissions.Product_View)
 
 
 # Authorization: configuration
@@ -2078,7 +2089,7 @@ class NoteTypeViewSet(mixins.ListModelMixin,
     permission_classes = (IsAdminUser, DjangoModelPermissions)
 
 
-# Authorization: staff
+# Authorization: superuser
 class NotesViewSet(mixins.ListModelMixin,
                    mixins.RetrieveModelMixin,
                    mixins.UpdateModelMixin,
@@ -2089,7 +2100,7 @@ class NotesViewSet(mixins.ListModelMixin,
     filter_fields = ('id', 'entry', 'author',
                     'private', 'date', 'edited',
                     'edit_time', 'editor')
-    permission_classes = (IsAdminUser, DjangoModelPermissions)
+    permission_classes = (permissions.IsSuperUser, DjangoModelPermissions)
 
 
 def report_generate(request, obj, options):

dojo/authorization/roles_permissions.py

@@ -114,6 +114,11 @@ class Permissions(IntEnum):
     Product_API_Scan_Configuration_Edit = 2506
     Product_API_Scan_Configuration_Delete = 2507
 
+    Product_Tracking_Files_View = 2602
+    Product_Tracking_Files_Add = 2603
+    Product_Tracking_Files_Edit = 2606
+    Product_Tracking_Files_Delete = 2607
+
     @classmethod
     def has_value(cls, value):
         try:
@@ -212,7 +217,8 @@ def get_roles_with_permissions():
             Permissions.Group_View,
             Permissions.Language_View,
             Permissions.Technology_View,
-            Permissions.Product_API_Scan_Configuration_View
+            Permissions.Product_API_Scan_Configuration_View,
+            Permissions.Product_Tracking_Files_View,
         },
         Roles.API_Importer: {
             Permissions.Product_Type_View,
@@ -279,7 +285,9 @@ def get_roles_with_permissions():
             Permissions.Technology_Add,
             Permissions.Technology_Edit,
 
-            Permissions.Product_API_Scan_Configuration_View
+            Permissions.Product_API_Scan_Configuration_View,
+
+            Permissions.Product_Tracking_Files_View,
         },
         Roles.Maintainer: {
             Permissions.Product_Type_Add_Product,
@@ -359,7 +367,12 @@ def get_roles_with_permissions():
             Permissions.Product_API_Scan_Configuration_View,
             Permissions.Product_API_Scan_Configuration_Add,
             Permissions.Product_API_Scan_Configuration_Edit,
-            Permissions.Product_API_Scan_Configuration_Delete
+            Permissions.Product_API_Scan_Configuration_Delete,
+
+            Permissions.Product_Tracking_Files_View,
+            Permissions.Product_Tracking_Files_Add,
+            Permissions.Product_Tracking_Files_Edit,
+            Permissions.Product_Tracking_Files_Delete,
         },
         Roles.Owner: {
             Permissions.Product_Type_Add_Product,
@@ -447,7 +460,12 @@ def get_roles_with_permissions():
             Permissions.Product_API_Scan_Configuration_View,
             Permissions.Product_API_Scan_Configuration_Add,
             Permissions.Product_API_Scan_Configuration_Edit,
-            Permissions.Product_API_Scan_Configuration_Delete
+            Permissions.Product_API_Scan_Configuration_Delete,
+
+            Permissions.Product_Tracking_Files_View,
+            Permissions.Product_Tracking_Files_Add,
+            Permissions.Product_Tracking_Files_Edit,
+            Permissions.Product_Tracking_Files_Delete,
         }
     }
 

dojo/github_issue_link/views.py

@@ -25,12 +25,7 @@ def webhook(request):
     return HttpResponse('')
 
 
-@user_passes_test(lambda u: u.is_staff)
-def express_new_github(request):
-    return HttpResponse('')
-
-
-@user_passes_test(lambda u: u.is_staff)
+@user_passes_test(lambda u: u.is_superuser)
 def new_github(request):
     if request.method == 'POST':
         gform = GITHUBForm(request.POST, instance=GITHUB_Conf())
@@ -63,7 +58,7 @@ def new_github(request):
                     {'gform': gform})
 
 
-@user_passes_test(lambda u: u.is_staff)
+@user_passes_test(lambda u: u.is_superuser)
 def github(request):
     confs = GITHUB_Conf.objects.all()
     add_breadcrumb(title="Github List", top_level=not len(request.GET), request=request)
@@ -73,7 +68,7 @@ def github(request):
                    })
 
 
-@user_passes_test(lambda u: u.is_staff)
+@user_passes_test(lambda u: u.is_superuser)
 def delete_github(request, tid):
     github_instance = get_object_or_404(GITHUB_Conf, pk=tid)
     # eng = test.engagement