DefectDojo
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 1 deletion b/‎.gitignore‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docker/entrypoint-integration-tests.sh‎
Lines changed: 16 additions & 0 deletions b/‎docker/entrypoint-integration-tests.sh‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎dojo/engagement/views.py‎
Lines changed: 1 addition & 1 deletion b/‎dojo/engagement/views.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎dojo/finding/views.py‎
Lines changed: 8 additions & 10 deletions b/‎dojo/finding/views.py‎
Lines changed: 8 additions & 10 deletions
diff --git a/‎dojo/github.py‎
Lines changed: 2 additions & 2 deletions b/‎dojo/github.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎dojo/models.py‎
Lines changed: 3 additions & 7 deletions b/‎dojo/models.py‎
Lines changed: 3 additions & 7 deletions
diff --git a/‎dojo/notifications/helper.py‎
Lines changed: 238 additions & 0 deletions b/‎dojo/notifications/helper.py‎
Lines changed: 238 additions & 0 deletions
@@ -93,7 +93,7 @@ Quarterly.txt
 components/*
 !components/package.json
 !components/yarn.lock
-dojo/static/*
+# dojo/static/*
 !dojo/static/dojo/*
 dojo/media
 /static
 
@@ -13,6 +13,22 @@ fi
 
 # Run available unittests with a simple setup
 echo "Running Product type integration tests"
+# All available Integrationtest Scripts are activated below
+# If successsful, A successs message is printed and the script continues
+# If any script is unsuccesssful a failure message is printed and the test script
+# Exits with status code of 1
+
+function fail() {
+    echo "Error: $1 test failed\n"
+    exit 1
+}
+
+function success() {
+    echo "Success: $1 test passed\n"
+}
+
+test="Product type integration tests"
+echo "Running: $test"
 if python3 tests/Product_type_unit_test.py ; then
     echo "Success: Product type integration tests passed"
 else
 
@@ -522,7 +522,6 @@ def import_scan_results(request, eid=None, pid=None):
         cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
             engagement=engagement).order_by('cred_id')
 
-
         if form.is_valid():
             # Allows for a test to be imported with an engagement created on the fly
             if engagement is None:
@@ -692,6 +691,7 @@ def import_scan_results(request, eid=None, pid=None):
 
                 create_notification(
                     event='results_added',
+                    initiator=request.user,
                     title=str(finding_count) + " findings for " + engagement.product.name,
                     finding_count=finding_count,
                     test=t,
 
@@ -1037,24 +1037,22 @@ def edit_finding(request, fid):
         enabled = finding.test.engagement.product.jira_pkey_set.first().push_all_issues
         jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
 
-    gform = None
     try:
         jissue = JIRA_Issue.objects.get(finding=finding)
         enabled = True
     except:
         enabled = False
-        pass
 
     try:
         gissue = GITHUB_Issue.objects.get(finding=finding)
-        enabled = True
+        github_enabled = True
     except:
-        enabled = False
-        pass
+        github_enabled = False
 
-    if get_system_setting('enable_github') and GITHUB_PKey.objects.filter(
-            product=finding.test.engagement.product) != 0:
-        gform = GITHUBFindingForm(enabled=enabled, prefix='githubform')
+    gform = None
+    if get_system_setting('enable_github'):
+        if GITHUB_PKey.objects.filter(product=finding.test.engagement.product).exclude(git_conf_id=None):
+            gform = GITHUBFindingForm(enabled=github_enabled, prefix='githubform')
 
     if request.method == 'POST':
         form = FindingForm(request.POST, instance=finding, template=False)
@@ -1128,7 +1126,7 @@ def edit_finding(request, fid):
 
             if 'githubform-push_to_github' in request.POST:
                 gform = GITHUBFindingForm(
-                    request.POST, prefix='githubform', enabled=enabled)
+                    request.POST, prefix='githubform', enabled=github_enabled)
                 if gform.is_valid():
                     if GITHUB_Issue.objects.filter(finding=new_finding).exists():
                         update_external_issue_task.delay(
@@ -2148,7 +2146,7 @@ def finding_bulk_update_all(request, pid=None):
                     logger.info('push selected findings to github')
                     finds = Finding.objects.filter(id__in=finding_to_update)
                     for finding in finds:
-                        print('will push to github finding: ' + str(finding))
+                        print('will push to GitHub finding: ' + str(finding))
                         old_status = finding.status()
                         if form.cleaned_data['push_to_github']:
                             if GITHUB_Issue.objects.filter(finding=finding).exists():
 
@@ -109,8 +109,8 @@ def add_external_issue_github(find, prod, eng):
         eng = Engagement.objects.get(test=find.test)
         prod = Product.objects.get(engagement=eng)
         github_product_key = GITHUB_PKey.objects.get(product=prod)
-        github_conf = github_product_key.git_conf
-        logger.debug('Create issue with github profile: ' + str(github_conf) + ' on product: ' + str(github_product_key))
+        github_conf = github_product_key.git_conf_id
+        logger.info('Create issue with github profile: ' + str(github_conf) + ' on product: ' + str(github_product_key))
 
         try:
             g = Github(github_conf.api_key)
 
@@ -1806,14 +1806,10 @@ def save(self, dedupe_option=True, false_history=False, rules_option=True,
         if rules_option:
             from dojo.tasks import async_rules
             from dojo.utils import sync_rules
-            try:
-                if self.reporter.usercontactinfo.block_execution:
-                    sync_rules(self, *args, **kwargs)
-                else:
-                    async_rules(self, *args, **kwargs)
-            except UserContactInfo.DoesNotExist:
+            if hasattr(self.reporter, 'usercontactinfo') and self.reporter.usercontactinfo.block_execution:
+                sync_rules(self, *args, **kwargs)
+            else:
                 async_rules(self, *args, **kwargs)
-                pass
         from dojo.utils import calculate_grade
         calculate_grade(self.test.engagement.product)
         # Assign the numerical severity for correct sorting order
 
@@ -0,0 +1,238 @@
+import requests
+import logging
+from django.core.mail import EmailMessage
+from dojo.models import Notifications, Dojo_User, Alerts, UserContactInfo
+from django.template.loader import render_to_string
+from django.db.models import Q, Count, Prefetch
+from django.urls import reverse
+
+logger = logging.getLogger(__name__)
+
+
+def create_notification(event=None, *args, **kwargs):
+    # System notifications
+    try:
+        system_notifications = Notifications.objects.get(user=None)
+    except Exception:
+        system_notifications = Notifications()
+
+    logger.debug('creating system notifications')
+    process_notifications(event, system_notifications, *args, **kwargs)
+
+    if 'recipients' in kwargs:
+        # mimic existing code so that when recipients is specified, no other personal notifications are sent.
+        logger.debug('creating notifications for recipients')
+        for recipient_notifications in Notifications.objects.filter(user__username__in=kwargs['recipients'], user__is_active=True):
+            # kwargs.update({'user': recipient_notifications.user})
+            process_notifications(event, recipient_notifications, *args, **kwargs)
+    else:
+        # Personal but global notifications
+        # only retrieve users which have at least one notification type enabled for this event type.
+        logger.debug('creating personal notifications')
+
+        product = None
+        if 'product' in kwargs:
+            product = kwargs.get('product')
+
+        if not product and 'engagement' in kwargs:
+            product = kwargs['engagement'].product
+
+        if not product and 'test' in kwargs:
+            product = kwargs['test'].engagement.product
+
+        # get users with either global notifications, or a product specific noditiciation
+        users = Dojo_User.objects.filter(is_active=True).prefetch_related(Prefetch(
+            "notifications_set",
+            queryset=Notifications.objects.filter(Q(product_id=product) | Q(product__isnull=True)),
+            to_attr="applicable_notifications"
+        )).annotate(applicable_notifications_count=Count('notifications__id', filter=Q(notifications__product_id=product) | Q(notifications__product__isnull=True))).filter(applicable_notifications_count__gt=0)
+
+        for user in users:
+            # send notifications to user after merging possible multiple notifications records (i.e. personal global + personal product)
+            # kwargs.update({'user': user})
+            process_notifications(event, Notifications.merge_notifications_list(user.applicable_notifications), *args, **kwargs)
+
+
+def create_description(event, *args, **kwargs):
+    if "description" not in kwargs.keys():
+        if event == 'product_added':
+            kwargs["description"] = "Product " + kwargs['title'] + " has been created successfully."
+        else:
+            kwargs["description"] = "Event " + str(event) + " has occured."
+
+    return kwargs["description"]
+
+
+def create_notification_message(event, user, notification_type, *args, **kwargs):
+    template = 'notifications/%s.tpl' % event.replace('/', '')
+    kwargs.update({'type': notification_type})
+    kwargs.update({'user': user})
+
+    try:
+        notification = render_to_string(template, kwargs)
+    except Exception as e:
+        logger.exception(e)
+        create_description(event)
+        notification = render_to_string('notifications/other.tpl', kwargs)
+
+    return notification
+
+
+def process_notifications(event, notifications=None, *args, **kwargs):
+    from dojo.utils import get_system_setting
+
+    if not notifications:
+        logger.warn('no notifications!')
+        return
+
+    sync = 'initiator' in kwargs and hasattr(kwargs['initiator'], 'usercontactinfo') and kwargs['initiator'].usercontactinfo.block_execution
+
+    logger.debug('sync: %s', sync)
+    logger.debug('sending notifications ' + ('synchronously' if sync else 'asynchronously'))
+    logger.debug(vars(notifications))
+
+    slack_enabled = get_system_setting('enable_slack_notifications')
+    hipchat_enabled = get_system_setting('enable_hipchat_notifications')
+    mail_enabled = get_system_setting('enable_mail_notifications')
+
+    from dojo.tasks import send_slack_notification_task, send_alert_notification_task, send_hipchat_notification_task, send_mail_notification_task
+
+    if slack_enabled and 'slack' in getattr(notifications, event):
+        if not sync:
+            send_slack_notification_task.delay(event, notifications.user, *args, **kwargs)
+        else:
+            send_slack_notification(event, notifications.user, *args, **kwargs)
+
+    if hipchat_enabled and 'hipchat' in getattr(notifications, event):
+        if not sync:
+            send_hipchat_notification_task.delay(event, notifications.user, *args, **kwargs)
+        else:
+            send_hipchat_notification(event, notifications.user, *args, **kwargs)
+
+    if mail_enabled and 'mail' in getattr(notifications, event):
+        if not sync:
+            send_mail_notification_task.delay(event, notifications.user, *args, **kwargs)
+        else:
+            send_mail_notification(event, notifications.user, *args, **kwargs)
+
+    print(getattr(notifications, event, None))
+    if 'alert' in getattr(notifications, event, None):
+        if not sync:
+            send_alert_notification_task.delay(event, notifications.user, *args, **kwargs)
+        else:
+            send_alert_notification(event, notifications.user, *args, **kwargs)
+
+
+def send_slack_notification(event, user=None, *args, **kwargs):
+    from dojo.utils import get_system_setting, get_slack_user_id
+    if user is not None:
+        if hasattr(user, 'usercontactinfo') and user.usercontactinfo.slack_username is not None:
+            slack_user_id = user.usercontactinfo.slack_user_id
+            if user.usercontactinfo.slack_user_id is None:
+                # Lookup the slack userid
+                slack_user_id = get_slack_user_id(
+                    user.usercontactinfo.slack_username)
+                slack_user_save = UserContactInfo.objects.get(user_id=user.id)
+                slack_user_save.slack_user_id = slack_user_id
+                slack_user_save.save()
+
+            channel = '@%s' % slack_user_id
+        else:
+            # user has no slack username, skip
+            return
+    else:
+        channel = get_system_setting('slack_channel')
+
+    try:
+        res = requests.request(
+            method='POST',
+            url='https://slack.com/api/chat.postMessage',
+            data={
+                'token': get_system_setting('slack_token'),
+                'channel': channel,
+                'username': get_system_setting('slack_username'),
+                'text': create_notification_message(event, user, 'slack', *args, **kwargs)
+            })
+    except Exception as e:
+        logger.exception(e)
+        log_alert(e, *args, **kwargs)
+        pass
+
+
+def send_hipchat_notification(event, user=None, *args, **kwargs):
+    from dojo.utils import get_system_setting
+    if user:
+        # HipChat doesn't seem to offer direct message functionality, so no HipChat PM functionality here...
+        return
+
+    try:
+        # We use same template for HipChat as for slack
+        res = requests.request(
+            method='POST',
+            url='https://%s/v2/room/%s/notification?auth_token=%s' %
+            (get_system_setting('hipchat_site'),
+            get_system_setting('hipchat_channel'),
+            get_system_setting('hipchat_token')),
+            data={
+                'message': create_notification_message(event, 'slack', *args, **kwargs),
+                'message_format': 'text'
+            })
+    except Exception as e:
+        logger.exception(e)
+        log_alert(e, *args, **kwargs)
+        pass
+
+
+def send_mail_notification(event, user=None, *args, **kwargs):
+    from dojo.utils import get_system_setting
+
+    if user:
+        address = user.email
+    else:
+        address = get_system_setting('mail_notifications_to')
+
+    subject = '%s notification' % get_system_setting('team_name')
+    if 'title' in kwargs:
+        subject += ': %s' % kwargs['title']
+    try:
+        email = EmailMessage(
+            subject,
+            create_notification_message(event, user, 'mail', *args, **kwargs),
+            get_system_setting('mail_notifications_from'),
+            [address],
+            headers={"From": "{}".format(get_system_setting('mail_notifications_from'))}
+        )
+        email.content_subtype = 'html'
+        logger.debug('sending email alert')
+        # logger.info(create_notification_message(event, 'mail'))
+        email.send(fail_silently=False)
+
+    except Exception as e:
+        logger.exception(e)
+        log_alert(e, *args, **kwargs)
+        pass
+
+
+def send_alert_notification(event, user=None, *args, **kwargs):
+    icon = kwargs.get('icon', 'info-circle')
+    alert = Alerts(
+        user_id=user,
+        title=kwargs.get('title'),
+        description=create_notification_message(event, user, 'alert', *args, **kwargs),
+        url=kwargs.get('url', reverse('alerts')),
+        icon=icon,
+        source=Notifications._meta.get_field(event).verbose_name.title())
+    alert.save()
+
+
+def log_alert(e, *args, **kwargs):
+    users = Dojo_User.objects.filter(is_superuser=True)
+    for user in users:
+        alert = Alerts(
+            user_id=user,
+            url=kwargs.get('url', reverse('alerts')),
+            title='Notification issue',
+            description="%s" % e,
+            icon="exclamation-triangle",
+            source="Notifications")
+        alert.save()