Merge pull request #321 from devEricA/master

Fixes 299, 174, 316

Author: devGregA

dojo/forms.py

@@ -626,6 +626,46 @@ class Meta:
                    'review_requested_by')
 
 
+class AdHocFindingForm(forms.ModelForm):
+    title = forms.CharField(max_length=1000)
+    date = forms.DateField(required=True,
+                           widget=forms.TextInput(attrs={'class':
+                                                             'datepicker'}))
+    cwe = forms.IntegerField(required=False)
+    severity_options = (('Low', 'Low'), ('Medium', 'Medium'),
+                        ('High', 'High'), ('Critical', 'Critical'))
+    description = forms.CharField(widget=forms.Textarea)
+    severity = forms.ChoiceField(
+        choices=severity_options,
+        error_messages={
+            'required': 'Select valid choice: In Progress, On Hold, Completed',
+            'invalid_choice': 'Select valid choice: Critical,High,Medium,Low'})
+    mitigation = forms.CharField(widget=forms.Textarea)
+    impact = forms.CharField(widget=forms.Textarea)
+    endpoints = forms.ModelMultipleChoiceField(Endpoint.objects, required=False, label='Systems / Endpoints',
+                                               widget=MultipleSelectWithPopPlusMinus(attrs={'size': '11'}))
+    references = forms.CharField(widget=forms.Textarea, required=False)
+    is_template = forms.BooleanField(label="Create Template?", required=False,
+                                     help_text="A new finding template will be created from this finding.")
+
+    def clean(self):
+        # self.fields['endpoints'].queryset = Endpoint.objects.all()
+        cleaned_data = super(AdHocFindingForm, self).clean()
+        if ((cleaned_data['active'] or cleaned_data['verified'])
+            and cleaned_data['duplicate']):
+            raise forms.ValidationError('Duplicate findings cannot be'
+                                        ' verified or active')
+        if cleaned_data['false_p'] and cleaned_data['verified']:
+            raise forms.ValidationError('False positive findings cannot '
+                                        'be verified.')
+        return cleaned_data
+
+    class Meta:
+        model = Finding
+        order = ('title', 'severity', 'endpoints', 'description', 'impact')
+        exclude = ('reporter', 'url', 'numerical_severity', 'endpoint', 'images', 'under_review', 'reviewers',
+                   'review_requested_by')
+
 class PromoteFindingForm(forms.ModelForm):
     title = forms.CharField(max_length=1000)
     date = forms.DateField(required=True,

dojo/product/urls.py

@@ -20,4 +20,6 @@
         name='add_meta_data'),
     url(r'^product/(?P<pid>\d+)/edit_meta_data', views.edit_meta_data,
         name='edit_meta_data'),
+    url(r'^product/(?P<pid>\d+)/ad_hoc_finding', views.ad_hoc_finding,
+        name='ad_hoc_finding'),
 ]

dojo/product/views.py

@@ -18,9 +18,9 @@
 from pytz import timezone
 
 from dojo.filters import ProductFilter, ProductFindingFilter
-from dojo.forms import ProductForm, EngForm, DeleteProductForm, ProductMetaDataForm, JIRAPKeyForm, JIRAFindingForm
+from dojo.forms import ProductForm, EngForm, DeleteProductForm, ProductMetaDataForm, JIRAPKeyForm, JIRAFindingForm, AdHocFindingForm
 from dojo.models import Product_Type, Finding, Product, Engagement, ScanSettings, Risk_Acceptance, Test, JIRA_PKey, \
-    Tool_Product_Settings, Cred_User, Cred_Mapping
+    Tool_Product_Settings, Cred_User, Cred_Mapping, Test_Type
 from dojo.utils import get_page_items, add_breadcrumb, get_punchcard_data, get_system_setting
 from custom_field.models import CustomFieldValue, CustomField
 from  dojo.tasks import add_epic_task
@@ -383,7 +383,7 @@ def delete_product(request, pid):
     product = get_object_or_404(Product, pk=pid)
     form = DeleteProductForm(instance=product)
 
-    from django.contrib.admin.util import NestedObjects
+    from django.contrib.admin.utils import NestedObjects
     from django.db import DEFAULT_DB_ALIAS
 
     collector = NestedObjects(using=DEFAULT_DB_ALIAS)
@@ -564,3 +564,108 @@ def edit_meta_data(request, pid):
                   {'product': prod,
                    'product_metadata': product_metadata,
                    })
+
+
+@user_passes_test(lambda u: u.is_staff)
+def ad_hoc_finding(request, pid):
+    prod = Product.objects.get(id=pid)
+    test = None
+    try:
+        eng = Engagement.objects.get(product=prod, name="Ad Hoc Engagement")
+        tests = Test.objects.filter(engagement=eng)
+
+        if len(tests) != 0:
+            test = tests[0]
+        else:
+            test = Test(engagement=eng, test_type=Test_Type.objects.get(name="Pen Test"),
+                        target_start=datetime.now(tz=localtz), target_end=datetime.now(tz=localtz))
+            test.save()
+    except:
+        eng = Engagement(name="Ad Hoc Engagement", target_start=datetime.now(tz=localtz),
+                         target_end=datetime.now(tz=localtz), active=False, product=prod)
+        eng.save()
+        test = Test(engagement=eng, test_type=Test_Type.objects.get(name="Pen Test"),
+                    target_start=datetime.now(tz=localtz), target_end=datetime.now(tz=localtz))
+        test.save()
+    form_error = False
+    enabled = False
+    jform = None
+    form = AdHocFindingForm(initial={'date': datetime.now(tz=localtz).date()})
+    if hasattr(settings, 'ENABLE_JIRA'):
+        if settings.ENABLE_JIRA:
+            if JIRA_PKey.objects.filter(product=test.engagement.product).count() != 0:
+                enabled = JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues
+                jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
+        else:
+            jform = None
+    if request.method == 'POST':
+        form = AdHocFindingForm(request.POST)
+        if form.is_valid():
+            new_finding = form.save(commit=False)
+            new_finding.test = test
+            new_finding.reporter = request.user
+            new_finding.numerical_severity = Finding.get_numerical_severity(
+                new_finding.severity)
+            if new_finding.false_p or new_finding.active is False:
+                new_finding.mitigated = datetime.now(tz=localtz)
+                new_finding.mitigated_by = request.user
+            create_template = new_finding.is_template
+            # always false now since this will be deprecated soon in favor of new Finding_Template model
+            new_finding.is_template = False
+            new_finding.save()
+            new_finding.endpoints = form.cleaned_data['endpoints']
+            new_finding.save()
+            if 'jiraform-push_to_jira' in request.POST:
+                jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=enabled)
+                if jform.is_valid():
+                    add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
+                messages.add_message(request,
+                                     messages.SUCCESS,
+                                     'Finding added successfully.',
+                                     extra_tags='alert-success')
+            if create_template:
+                templates = Finding_Template.objects.filter(title=new_finding.title)
+                if len(templates) > 0:
+                    messages.add_message(request,
+                                         messages.ERROR,
+                                         'A finding template was not created.  A template with this title already '
+                                         'exists.',
+                                         extra_tags='alert-danger')
+                else:
+                    template = Finding_Template(title=new_finding.title,
+                                                cwe=new_finding.cwe,
+                                                severity=new_finding.severity,
+                                                description=new_finding.description,
+                                                mitigation=new_finding.mitigation,
+                                                impact=new_finding.impact,
+                                                references=new_finding.references,
+                                                numerical_severity=new_finding.numerical_severity)
+                    template.save()
+                    messages.add_message(request,
+                                         messages.SUCCESS,
+                                         'A finding template was also created.',
+                                         extra_tags='alert-success')
+            if '_Finished' in request.POST:
+                return HttpResponseRedirect(reverse('view_test', args=(test.id,)))
+            else:
+                return HttpResponseRedirect(reverse('add_findings', args=(test.id,)))
+        else:
+            if 'endpoints' in form.cleaned_data:
+                form.fields['endpoints'].queryset = form.cleaned_data['endpoints']
+            else:
+                form.fields['endpoints'].queryset = Endpoint.objects.none()
+            form_error = True
+            messages.add_message(request,
+                                 messages.ERROR,
+                                 'The form has errors, please correct them below.',
+                                 extra_tags='alert-danger')
+    add_breadcrumb(parent=prod, title="Add Finding", top_level=False, request=request)
+    return render(request, 'dojo/ad_hoc_findings.html',
+                  {'form': form,
+                   'temp': False,
+                   'tid' : test.id,
+                   'pid': pid,
+                   'form_error': form_error,
+                   'jform': jform,
+                   })
+

dojo/system_settings/views.py

@@ -34,7 +34,7 @@
 logger = logging.getLogger(__name__)
 
 
-@user_passes_test(lambda u: u.is_staff)
+@user_passes_test(lambda u: u.is_superuser)
 def system_settings(request):
     try:
         system_settings_obj = System_Settings.objects.get()

dojo/templates/base.html

@@ -250,7 +250,9 @@
                                     <a href="{% url 'jira' %}"><i class="fa fa-cog fa-fw"></i>
                                         <span>Configuration</span></a>
                                     <ul class="nav nav-second-level">
+                                        {% if request.user.is_superuser%}
                                         <li><a href="{% url 'system_settings' %}">System Settings </a></li>
+                                        {% endif %}
                                         <li><a href="{% url 'cred' %}">Credential Manager </a></li>
                                         {% if "enable_jira"|get_system_setting %}
                                         <li><a href="{% url 'jira' %}">JIRA </a></li>

dojo/templates/dojo/ad_hoc_findings.html

@@ -0,0 +1,38 @@
+{% extends "base.html" %}
+{% load event_tags %}
+{% load static from staticfiles %}
+{% block content %}
+    <div>
+        <h3> Add findings to a test</h3>
+    </div>
+    <div>
+        <form class="form-horizontal" action="{% url 'ad_hoc_finding' pid %}" method="post">
+            {% csrf_token %}
+            {% include "dojo/form_fields.html" with form=form %}
+            {%  if jform %}
+                <h4> JIRA </h4>
+                <hr>
+                {% include "dojo/form_fields.html" with form=jform %}
+            {% endif %}
+            <div class="form-group">
+                <div class="col-sm-offset-2 col-sm-10">
+                    <input class="btn btn-primary" type="submit" value="Add Another Finding"/>
+                    <input class="btn btn-primary" name="_Finished" type="submit" value="Finished"/>
+                </div>
+            </div>
+        </form>
+    </div>
+{% endblock %}
+{% block postscript %}
+    <script type="text/javascript" src="{% static "admin/js/jquery.init.js"%}"></script>
+    <script type="application/javascript" src="{% static "admin/js/admin/RelatedObjectLookups.js" %}"></script>
+    <script type="application/javascript">
+        $ = django.jQuery;
+        $('#add_id_endpoints').attr('href', "{% url 'add_endpoint' pid %}?_popup");
+        {% if not form_error %}
+            $('#id_endpoints').find('option').remove();
+        {% endif %}
+    </script>
+
+
+{% endblock %}

dojo/templates/dojo/view_product.html

@@ -45,6 +45,13 @@ <h3 class="pull-left">
                                     </a>
                                 </li>
                             {% endif %}
+                            {% if user.is_staff %}
+                                <li role="presentation">
+                                    <a class="" href="{% url 'ad_hoc_finding' prod.id %}">
+                                        <i class="fa fa-list-alt"></i> Add Finding
+                                    </a>
+                                </li>
+                            {% endif %}
                             {% if user.is_staff %}
                                 <li role="presentation">
                                     <a class="" href="{% url 'add_meta_data' prod.id %}">

dojo/user/views.py

@@ -161,6 +161,10 @@ def user(request):
 @user_passes_test(lambda u: u.is_staff)
 def add_user(request):
     form = AddDojoUserForm()
+    if not request.user.is_superuser:
+        form.fields['is_staff'].widget.attrs['disabled'] = True
+        form.fields['is_superuser'].widget.attrs['disabled'] = True
+        form.fields['is_active'].widget.attrs['disabled'] = True
     contact_form = UserContactInfoForm()
     user = None
 
@@ -202,6 +206,10 @@ def edit_user(request, uid):
     user = get_object_or_404(Dojo_User, id=uid)
     authed_products = Product.objects.filter(authorized_users__in=[user])
     form = AddDojoUserForm(instance=user, initial={'authorized_products': authed_products})
+    if not request.user.is_superuser:
+        form.fields['is_staff'].widget.attrs['disabled'] = True
+        form.fields['is_superuser'].widget.attrs['disabled'] = True
+        form.fields['is_active'].widget.attrs['disabled'] = True
     try:
         user_contact = UserContactInfo.objects.get(user=user)
     except UserContactInfo.DoesNotExist: