refactor/rework text copy labels and urls

Author: dogboat

.github/workflows/integration-tests.yml

@@ -48,8 +48,6 @@ jobs:
           "tests/organization_group_test.py",
           "tests/organization_member_test.py",
           "tests/organization_test.py",
-          # v2; can be removed after v3 migration complete
-          "tests/report_builder_test_v2.py",
         ]
         os: [alpine, debian]
       fail-fast: false

dojo/v3_migration/api_v2/__init__.py renamed to dojo/asset/__init__.py

@@ -17,9 +17,6 @@
     Product_API_Scan_Configuration,
     Product_Group,
     Product_Member,
-    Product_Type,
-    Product_Type_Group,
-    Product_Type_Member,
 )
 
 labels = get_labels()
@@ -116,34 +113,9 @@ class Meta:
         fields = ("id", "user_id")
 
 
-class OrganizationFilterSet(FilterSet):
-    critical_asset = BooleanFilter(field_name="critical_product")
-    key_asset = BooleanFilter(field_name="key_product")
-
-    class Meta:
-        model = Product_Type
-        fields = ("id", "name", "created", "updated")
-
-
 class AssetGroupFilterSet(FilterSet):
     asset_id = NumberFilter(field_name="product_id")
 
     class Meta:
         model = Product_Group
         fields = ("id", "group_id")
-
-
-class OrganizationMemberFilterSet(FilterSet):
-    organization_id = NumberFilter(field_name="product_type_id")
-
-    class Meta:
-        model = Product_Type_Member
-        fields = ("id", "user_id")
-
-
-class OrganizationGroupFilterSet(FilterSet):
-    asset_type_id = NumberFilter(field_name="product_type_id")
-
-    class Meta:
-        model = Product_Type_Group
-        fields = ("id", "group_id")

unittests/v2/__init__.py renamed to dojo/asset/api/__init__.py

@@ -10,24 +10,16 @@
     Product_API_Scan_Configuration,
     Product_Group,
     Product_Member,
-    Product_Type,
-    Product_Type_Group,
-    Product_Type_Member,
 )
+from dojo.organization.api.serializers import RelatedOrganizationField
 from dojo.product.queries import get_authorized_products
-from dojo.product_type.queries import get_authorized_product_types
 
 
 class RelatedAssetField(serializers.PrimaryKeyRelatedField):
     def get_queryset(self):
         return get_authorized_products(Permissions.Product_View)
 
 
-class RelatedOrganizationField(serializers.PrimaryKeyRelatedField):
-    def get_queryset(self):
-        return get_authorized_product_types(Permissions.Product_Type_View)
-
-
 class AssetAPIScanConfigurationSerializer(serializers.ModelSerializer):
     asset = RelatedAssetField(source="product")
 
@@ -166,110 +158,3 @@ def validate(self, data):
             raise PermissionDenied(msg)
 
         return data
-
-
-class OrganizationMemberSerializer(serializers.ModelSerializer):
-    organization = RelatedOrganizationField(source="product_type")
-
-    class Meta:
-        model = Product_Type_Member
-        exclude = ("product_type",)
-
-    def validate(self, data):
-        if (
-            self.instance is not None
-            and data.get("organization") != self.instance.product_type
-            and not user_has_permission(
-                self.context["request"].user,
-                data.get("organization"),
-                Permissions.Product_Type_Manage_Members,
-            )
-        ):
-            msg = "You are not permitted to add a member to this Organization"
-            raise PermissionDenied(msg)
-
-        if (
-            self.instance is None
-            or data.get("organization") != self.instance.product_type
-            or data.get("user") != self.instance.user
-        ):
-            members = Product_Type_Member.objects.filter(
-                product_type=data.get("organization"), user=data.get("user"),
-            )
-            if members.count() > 0:
-                msg = "Organization Member already exists"
-                raise ValidationError(msg)
-
-        if self.instance is not None and not data.get("role").is_owner:
-            owners = (
-                Product_Type_Member.objects.filter(
-                    product_type=data.get("organization"), role__is_owner=True,
-                )
-                .exclude(id=self.instance.id)
-                .count()
-            )
-            if owners < 1:
-                msg = "There must be at least one owner"
-                raise ValidationError(msg)
-
-        if data.get("role").is_owner and not user_has_permission(
-            self.context["request"].user,
-            data.get("organization"),
-            Permissions.Product_Type_Member_Add_Owner,
-        ):
-            msg = "You are not permitted to add a member as Owner to this Organization"
-            raise PermissionDenied(msg)
-
-        return data
-
-
-class OrganizationGroupSerializer(serializers.ModelSerializer):
-    organization = RelatedOrganizationField(source="product_type")
-
-    class Meta:
-        model = Product_Type_Group
-        exclude = ("product_type",)
-
-    def validate(self, data):
-        if (
-            self.instance is not None
-            and data.get("organization") != self.instance.product_type
-            and not user_has_permission(
-                self.context["request"].user,
-                data.get("organization"),
-                Permissions.Product_Type_Group_Add,
-            )
-        ):
-            msg = "You are not permitted to add a group to this Organization"
-            raise PermissionDenied(msg)
-
-        if (
-            self.instance is None
-            or data.get("organization") != self.instance.product_type
-            or data.get("group") != self.instance.group
-        ):
-            members = Product_Type_Group.objects.filter(
-                product_type=data.get("organization"), group=data.get("group"),
-            )
-            if members.count() > 0:
-                msg = "Organization Group already exists"
-                raise ValidationError(msg)
-
-        if data.get("role").is_owner and not user_has_permission(
-            self.context["request"].user,
-            data.get("organization"),
-            Permissions.Product_Type_Group_Add_Owner,
-        ):
-            msg = "You are not permitted to add a group as Owner to this Organization"
-            raise PermissionDenied(msg)
-
-        return data
-
-
-class OrganizationSerializer(serializers.ModelSerializer):
-    critical_asset = serializers.BooleanField(source="critical_product")
-    key_asset = serializers.BooleanField(source="key_product")
-
-    class Meta:
-        model = Product_Type
-        exclude = ("critical_product", "key_product")

dojo/v3_migration/api_v2/filters.py renamed to dojo/asset/api/filters.py

@@ -0,0 +1,15 @@
+from dojo.asset.api.views import (
+    AssetAPIScanConfigurationViewSet,
+    AssetGroupViewSet,
+    AssetMemberViewSet,
+    AssetViewSet,
+)
+
+
+def add_asset_urls(router):
+    router.register(r"assets", AssetViewSet, basename="asset")
+    router.register(r"asset_api_scan_configurations", AssetAPIScanConfigurationViewSet,
+                    basename="asset_api_scan_configuration")
+    router.register(r"asset_groups", AssetGroupViewSet, basename="asset_group")
+    router.register(r"asset_members", AssetMemberViewSet, basename="asset_member")
+    return router

dojo/v3_migration/api_v2/serializers.py renamed to dojo/asset/api/serializers.py

@@ -0,0 +1,183 @@
+from django_filters.rest_framework import DjangoFilterBackend
+from drf_spectacular.utils import extend_schema, extend_schema_view
+from rest_framework import mixins, status, viewsets
+from rest_framework.decorators import action
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.response import Response
+
+import dojo.api_v2.mixins as dojo_mixins
+from dojo.api_v2 import permissions, prefetch
+from dojo.api_v2.serializers import ReportGenerateOptionSerializer, ReportGenerateSerializer
+from dojo.api_v2.views import PrefetchDojoModelViewSet, report_generate, schema_with_prefetch
+from dojo.asset.api import serializers
+from dojo.asset.api.filters import (
+    ApiAssetFilter,
+    AssetAPIScanConfigurationFilterSet,
+    AssetGroupFilterSet,
+    AssetMemberFilterSet,
+)
+from dojo.authorization.roles_permissions import Permissions
+from dojo.models import (
+    Product,
+    Product_API_Scan_Configuration,
+    Product_Group,
+    Product_Member,
+)
+from dojo.product.queries import (
+    get_authorized_product_api_scan_configurations,
+    get_authorized_product_groups,
+    get_authorized_product_members,
+    get_authorized_products,
+)
+from dojo.utils import async_delete, get_setting
+
+
+# Authorization: object-based
+@extend_schema_view(**schema_with_prefetch())
+class AssetAPIScanConfigurationViewSet(
+    PrefetchDojoModelViewSet,
+):
+    serializer_class = serializers.AssetAPIScanConfigurationSerializer
+    queryset = Product_API_Scan_Configuration.objects.none()
+    filter_backends = (DjangoFilterBackend,)
+    filterset_class = AssetAPIScanConfigurationFilterSet
+    permission_classes = (
+        IsAuthenticated,
+        permissions.UserHasProductAPIScanConfigurationPermission,
+    )
+
+    def get_queryset(self):
+        return get_authorized_product_api_scan_configurations(
+            Permissions.Product_API_Scan_Configuration_View,
+        )
+
+
+@extend_schema_view(**schema_with_prefetch())
+class AssetViewSet(
+    prefetch.PrefetchListMixin,
+    prefetch.PrefetchRetrieveMixin,
+    mixins.CreateModelMixin,
+    mixins.DestroyModelMixin,
+    mixins.UpdateModelMixin,
+    viewsets.GenericViewSet,
+    dojo_mixins.DeletePreviewModelMixin,
+):
+    serializer_class = serializers.AssetSerializer
+    queryset = Product.objects.none()
+    filter_backends = (DjangoFilterBackend,)
+    filterset_class = ApiAssetFilter
+    permission_classes = (
+        IsAuthenticated,
+        permissions.UserHasProductPermission,
+    )
+
+    def get_queryset(self):
+        return get_authorized_products(Permissions.Product_View).distinct()
+
+    def destroy(self, request, *args, **kwargs):
+        instance = self.get_object()
+        if get_setting("ASYNC_OBJECT_DELETE"):
+            async_del = async_delete()
+            async_del.delete(instance)
+        else:
+            instance.delete()
+        return Response(status=status.HTTP_204_NO_CONTENT)
+
+    # def list(self, request):
+    #     # Note the use of `get_queryset()` instead of `self.queryset`
+    #     queryset = self.get_queryset()
+    #     serializer = self.serializer_class(queryset, many=True)
+    #     return Response(serializer.data)
+
+    @extend_schema(
+        request=ReportGenerateOptionSerializer,
+        responses={status.HTTP_200_OK: ReportGenerateSerializer},
+    )
+    @action(
+        detail=True, methods=["post"], permission_classes=[IsAuthenticated],
+    )
+    def generate_report(self, request, pk=None):
+        product = self.get_object()
+
+        options = {}
+        # prepare post data
+        report_options = ReportGenerateOptionSerializer(
+            data=request.data,
+        )
+        if report_options.is_valid():
+            options["include_finding_notes"] = report_options.validated_data[
+                "include_finding_notes"
+            ]
+            options["include_finding_images"] = report_options.validated_data[
+                "include_finding_images"
+            ]
+            options[
+                "include_executive_summary"
+            ] = report_options.validated_data["include_executive_summary"]
+            options[
+                "include_table_of_contents"
+            ] = report_options.validated_data["include_table_of_contents"]
+        else:
+            return Response(
+                report_options.errors, status=status.HTTP_400_BAD_REQUEST,
+            )
+
+        data = report_generate(request, product, options)
+        report = ReportGenerateSerializer(data)
+        return Response(report.data)
+
+
+# Authorization: object-based
+@extend_schema_view(**schema_with_prefetch())
+class AssetMemberViewSet(
+    PrefetchDojoModelViewSet,
+):
+    serializer_class = serializers.AssetMemberSerializer
+    queryset = Product_Member.objects.none()
+    filter_backends = (DjangoFilterBackend,)
+    filterset_class = AssetMemberFilterSet
+    permission_classes = (
+        IsAuthenticated,
+        permissions.UserHasProductMemberPermission,
+    )
+
+    def get_queryset(self):
+        return get_authorized_product_members(
+            Permissions.Product_View,
+        ).distinct()
+
+    @extend_schema(
+        exclude=True,
+    )
+    def partial_update(self, request, pk=None):
+        # Object authorization won't work if not all data is provided
+        response = {"message": "Patch function is not offered in this path."}
+        return Response(response, status=status.HTTP_405_METHOD_NOT_ALLOWED)
+
+
+# Authorization: object-based
+@extend_schema_view(**schema_with_prefetch())
+class AssetGroupViewSet(
+    PrefetchDojoModelViewSet,
+):
+    serializer_class = serializers.AssetGroupSerializer
+    queryset = Product_Group.objects.none()
+    filter_backends = (DjangoFilterBackend,)
+    filterset_class = AssetGroupFilterSet
+    permission_classes = (
+        IsAuthenticated,
+        permissions.UserHasProductGroupPermission,
+    )
+
+    def get_queryset(self):
+        return get_authorized_product_groups(
+            Permissions.Product_Group_View,
+        ).distinct()
+
+    @extend_schema(
+        exclude=True,
+    )
+    def partial_update(self, request, pk=None):
+        # Object authorization won't work if not all data is provided
+        response = {"message": "Patch function is not offered in this path."}
+        return Response(response, status=status.HTTP_405_METHOD_NOT_ALLOWED)