Engagement validation for risk_acceptance API in POST PATCH and PUT (#…

…9599) * engagement validation for risk_acceptance API in POST PATCH and PUT * fix unit tests * create new unit test for risk_acceptance creation * change ViewEngagement as a class based view * template content blocks for risk_acceptance extra fields * requested change finding permission level, and list comprehension instead map * reverting changes class based views ViewEngagement
DefectDojo · Feb 28, 2024 · a5df4fa · a5df4fa
1 parent 8402f84
commit a5df4fa
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 14 deletions.
diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
@@ -1,3 +1,4 @@
+from dojo.finding.queries import get_authorized_findings
 from dojo.group.utils import get_auth_group_name
 from django.contrib.auth.models import Group
 from typing import List
@@ -1531,13 +1532,27 @@ def get_engagement(self, obj):
         )
 
     def validate(self, data):
+        findings = data.get('accepted_findings', [])
+        findings_ids = [x.id for x in findings]
+        finding_objects = Finding.objects.filter(id__in=findings_ids)
+        authed_findings = get_authorized_findings(Permissions.Finding_Edit).filter(id__in=findings_ids)
+        if len(findings) != len(authed_findings):
+            raise PermissionDenied(
+                "You are not permitted to add one or more selected findings to this risk acceptance"
+            )
         if self.context["request"].method == "POST":
-            findings = data['accepted_findings']
-            for finding in findings:
-                if not user_has_permission(self.context["request"].user, finding, Permissions.Finding_View):
-                    raise PermissionDenied(
-                        "You are not permitted to add one or more selected findings to this risk acceptance"
-                    )
+            engagements = finding_objects.values_list('test__engagement__id', flat=True).distinct().count()
+            if engagements > 1:
+                raise PermissionDenied(
+                    "You are not permitted to add findings to a distinct engagement"
+                )
+        elif self.context['request'].method in ['PATCH', 'PUT']:
+            engagement = Engagement.objects.filter(risk_acceptance=self.instance.id).first()
+            findings = finding_objects.exclude(test__engagement__id=engagement.id)
+            if len(findings) > 0:
+                raise PermissionDenied(
+                    "You are not permitted to add findings to a distinct engagement"
+                )
         return data
 
     class Meta:

diff --git a/dojo/templates/dojo/view_eng.html b/dojo/templates/dojo/view_eng.html
@@ -395,6 +395,7 @@ <h4> Risk Acceptance
                                             <th>Findings</th>
                                             <th>Proof</th>
                                             <th>Owner</th>
+                                        </tr>
                                     </thead>
                                     <tbody>
                                         {% for risk_acceptance in risks_accepted %}
@@ -452,6 +453,7 @@ <h4> Risk Acceptance
                     </div>
                 </div>
             </div>
+            {% block global_risk_acceptances %}{% endblock %}
             <div class="panel panel-default">
                 <div class="panel-heading">
                     <h4>Additional Features<span class="pull-right"><a name="collapsible" data-toggle="collapse" href="#add_feat">

diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py
@@ -399,9 +399,6 @@ def test_update(self):
             current_objects = self.client.get(self.url, format='json').data
             relative_url = self.url + '%s/' % current_objects['results'][0]['id']
             response = self.client.patch(relative_url, self.update_fields)
-            # print('patch response.data')
-            # print(response.data)
-
             self.assertEqual(200, response.status_code, response.content[:1000])
 
             self.check_schema_response('patch', '200', response, detail=True)
@@ -432,8 +429,6 @@ def test_update(self):
             response = self.client.put(
                 relative_url, self.payload)
             self.assertEqual(200, response.status_code, response.content[:1000])
-            # print('put response.data')
-            # print(response.data)
 
             self.check_schema_response('put', '200', response, detail=True)
 
@@ -937,7 +932,7 @@ def __init__(self, *args, **kwargs):
         self.viewname = 'risk_acceptance'
         self.viewset = RiskAcceptanceViewSet
         self.payload = {
-            "id": 1,
+            "id": 2,
             "recommendation": "Fix (The risk is eradicated)",
             "decision": "Accept (The risk is acknowledged, yet remains)",
             "path": "No proof has been supplied",
@@ -954,7 +949,7 @@ def __init__(self, *args, **kwargs):
             "updated": "2023-09-15T17:17:39.462854Z",
             "owner": 1,
             "accepted_findings": [
-                4
+                226
             ],
             "notes": []
         }
@@ -969,10 +964,37 @@ def __init__(self, *args, **kwargs):
 
     def test_create_object_not_authorized(self):
         self.setUp_not_authorized()
-
         response = self.client.post(self.url, self.payload)
         self.assertEqual(403, response.status_code, response.content[:1000])
 
+    def test_update_forbidden_engagement(self):
+        self.payload = {
+            "id": 1,
+            "recommendation": "Fix (The risk is eradicated)",
+            "decision": "Accept (The risk is acknowledged, yet remains)",
+            "path": "No proof has been supplied",
+            "name": "string",
+            "recommendation_details": "string",
+            "decision_details": "string",
+            "accepted_by": "string",
+            "expiration_date": "2023-09-15T17:16:52.989000Z",
+            "expiration_date_warned": "2023-09-15T17:16:52.989000Z",
+            "expiration_date_handled": "2023-09-15T17:16:52.989000Z",
+            "reactivate_expired": True,
+            "restart_sla_expired": True,
+            "created": "2020-11-09T23:13:08.520000Z",
+            "updated": "2023-09-15T17:17:39.462854Z",
+            "owner": 1,
+            "accepted_findings": [
+                4
+            ],
+            "notes": []
+        }
+        current_objects = self.client.get(self.url, format='json').data
+        relative_url = self.url + '%s/' % current_objects['results'][0]['id']
+        response = self.client.put(relative_url, self.payload)
+        self.assertEqual(403, response.status_code, response.content[:1000])
+
 
 class FindingRequestResponseTest(DojoAPITestCase):
     fixtures = ['dojo_testdata.json']