From 370be42add254328ba4292553e9ab6112c389974 Mon Sep 17 00:00:00 2001 From: Stefan Fleckenstein Date: Sat, 20 Nov 2021 06:47:04 +0100 Subject: [PATCH] Auth V2 - Remove legacy authorization part 3: Remove feature flag from core classes (#5458) * remove dojo/user/helper * remove FEATURE_AUTHORIZATION_V2 from core classes and API --- dojo/api_v2/serializers.py | 17 +--- dojo/api_v2/views.py | 90 +++++++------------ dojo/filters.py | 5 +- dojo/forms.py | 67 ++------------ dojo/pipeline.py | 24 ++--- dojo/product/views.py | 4 +- .../test_authorization_decorators.py | 4 - .../authorization/test_authorization_tags.py | 5 +- dojo/urls.py | 17 ++-- dojo/views.py | 46 ++++------ 10 files changed, 76 insertions(+), 203 deletions(-) diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py index 451771bb29..80b126ec46 100644 --- a/dojo/api_v2/serializers.py +++ b/dojo/api_v2/serializers.py @@ -577,14 +577,7 @@ class ProductTypeSerializer(serializers.ModelSerializer): class Meta: model = Product_Type - - if not settings.FEATURE_AUTHORIZATION_V2: - exclude = ['members'] - extra_kwargs = { - 'authorized_users': {'queryset': User.objects.exclude(is_staff=True).exclude(is_active=False)} - } - else: - exclude = ['authorized_users'] + exclude = ['authorized_users'] class EngagementSerializer(TaggitSerializer, serializers.ModelSerializer): @@ -1181,13 +1174,7 @@ class ProductSerializer(TaggitSerializer, serializers.ModelSerializer): class Meta: model = Product - if not settings.FEATURE_AUTHORIZATION_V2: - exclude = ['tid', 'updated', 'members'] - extra_kwargs = { - 'authorized_users': {'queryset': User.objects.exclude(is_staff=True).exclude(is_active=False)} - } - else: - exclude = ['tid', 'updated', 'authorized_users'] + exclude = ['tid', 'updated', 'authorized_users'] def get_findings_count(self, obj) -> int: return obj.findings_count diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py index b97dfd93f5..b6a1eb298f 100644 --- a/dojo/api_v2/views.py 
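Review bot: Both `Meta` classes now rely on an `exclude` list, so every model field other than `authorized_users` (plus `tid`/`updated` on Product) is serialized by default — including `members` and any field added to these models later; an explicit `fields = [...]` allow-list in both places would keep new attributes out of the API until someone decides to publish them. With the legacy branch gone, `settings` and `User` may no longer be referenced in this module; the import block is outside the hunk, so confirm with the linter. The same check applies to the `settings` import in the `dojo/filters.py` and `dojo/urls.py` hunks of this patch.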
+++ b/dojo/api_v2/views.py @@ -100,8 +100,7 @@ class DojoGroupViewSet(prefetch.PrefetchListMixin, filter_fields = ('id', 'name') swagger_schema = prefetch.get_prefetch_schema(["dojo_groups_list", "dojo_groups_read"], serializers.DojoGroupSerializer).to_schema() - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasDojoGroupPermission) + permission_classes = (IsAuthenticated, permissions.UserHasDojoGroupPermission) def get_queryset(self): return get_authorized_groups(Permissions.Group_View).distinct() @@ -134,8 +133,7 @@ class DojoGroupMemberViewSet(prefetch.PrefetchListMixin, filter_fields = ('id', 'group_id', 'user_id') swagger_schema = prefetch.get_prefetch_schema(["dojo_group_members_list", "dojo_group_members_read"], serializers.DojoGroupMemberSerializer).to_schema() - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasDojoGroupMemberPermission) + permission_classes = (IsAuthenticated, permissions.UserHasDojoGroupMemberPermission) def get_queryset(self): return get_authorized_group_members(Permissions.Group_View).distinct() @@ -175,8 +173,7 @@ class EndPointViewSet(mixins.ListModelMixin, queryset = Endpoint.objects.none() filter_backends = (DjangoFilterBackend,) filter_class = ApiEndpointFilter - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasEndpointPermission) + permission_classes = (IsAuthenticated, permissions.UserHasEndpointPermission) def get_queryset(self): return get_authorized_endpoints(Permissions.Endpoint_View).distinct() 
@@ -222,8 +219,7 @@ class EndpointStatusViewSet(mixins.ListModelMixin, filter_backends = (DjangoFilterBackend,) filter_fields = ('mitigated', 'false_positive', 'out_of_scope', 'risk_accepted', 'mitigated_by', 'finding', 'endpoint') - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasEndpointStatusPermission) + permission_classes = (IsAuthenticated, permissions.UserHasEndpointStatusPermission) def get_queryset(self): return get_authorized_endpoint_status(Permissions.Endpoint_View).distinct() @@ -241,8 +237,7 @@ class EngagementViewSet(mixins.ListModelMixin, queryset = Engagement.objects.none() filter_backends = (DjangoFilterBackend,) filter_class = ApiEngagementFilter - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasEngagementPermission) + permission_classes = (IsAuthenticated, permissions.UserHasEngagementPermission) @property def risk_application_model_class(self): @@ -429,8 +424,7 @@ class AppAnalysisViewSet(mixins.ListModelMixin, queryset = App_Analysis.objects.none() filter_backends = (DjangoFilterBackend,) filter_class = ApiAppAnalysisFilter - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasAppAnalysisPermission) + permission_classes = (IsAuthenticated, permissions.UserHasAppAnalysisPermission) def get_queryset(self): return get_authorized_app_analysis(Permissions.Product_View) @@ -480,8 +474,7 @@ class FindingViewSet(prefetch.PrefetchListMixin, queryset = Finding.objects.none() filter_backends = (DjangoFilterBackend,) filterset_class = ApiFindingFilter - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasFindingPermission) + permission_classes = (IsAuthenticated, permissions.UserHasFindingPermission) _related_field_parameters = [openapi.Parameter( name="related_fields", 
@@ -1150,8 +1143,7 @@ class DojoMetaViewSet(prefetch.PrefetchListMixin, queryset = DojoMeta.objects.none() filter_backends = (DjangoFilterBackend,) filter_fields = ('id', 'product', 'endpoint', 'finding', 'name', 'value') - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasDojoMetaPermission) + permission_classes = (IsAuthenticated, permissions.UserHasDojoMetaPermission) swagger_schema = prefetch.get_prefetch_schema(["metadata_list", "metadata_read"], serializers.MetaSerializer).to_schema() @@ -1202,8 +1194,7 @@ class ProductViewSet(prefetch.PrefetchListMixin, filterset_class = ApiProductFilter swagger_schema = prefetch.get_prefetch_schema(["products_list", "products_read"], serializers.ProductSerializer). \ to_schema() - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasProductPermission) + permission_classes = (IsAuthenticated, permissions.UserHasProductPermission) def get_queryset(self): return get_authorized_products(Permissions.Product_View).distinct() @@ -1271,8 +1262,7 @@ class ProductMemberViewSet(prefetch.PrefetchListMixin, filter_fields = ('id', 'product_id', 'user_id') swagger_schema = prefetch.get_prefetch_schema(["product_members_list", "product_members_read"], serializers.ProductMemberSerializer).to_schema() - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasProductMemberPermission) + permission_classes = (IsAuthenticated, permissions.UserHasProductMemberPermission) def get_queryset(self): return get_authorized_product_members(Permissions.Product_View).distinct() 
@@ -1318,8 +1308,7 @@ class ProductGroupViewSet(prefetch.PrefetchListMixin, filter_fields = ('id', 'product_id', 'group_id') swagger_schema = prefetch.get_prefetch_schema(["product_groups_list", "product_groups_read"], serializers.ProductGroupSerializer).to_schema() - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasProductGroupPermission) + permission_classes = (IsAuthenticated, permissions.UserHasProductGroupPermission) def get_queryset(self): return get_authorized_product_groups(Permissions.Product_Group_View).distinct() @@ -1365,8 +1354,7 @@ class ProductTypeViewSet(prefetch.PrefetchListMixin, filter_fields = ('id', 'name', 'critical_product', 'key_product', 'created', 'updated') swagger_schema = prefetch.get_prefetch_schema(["product_types_list", "product_types_read"], serializers.ProductTypeSerializer).to_schema() - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasProductTypePermission) + permission_classes = (IsAuthenticated, permissions.UserHasProductTypePermission) def get_queryset(self): return get_authorized_product_types(Permissions.Product_Type_View).distinct() 
@@ -1374,15 +1362,14 @@ def get_queryset(self): # Overwrite perfom_create of CreateModelMixin to add current user as owner def perform_create(self, serializer): serializer.save() - if settings.FEATURE_AUTHORIZATION_V2: - product_type_data = serializer.data - product_type_data.pop('authorization_groups') - product_type_data.pop('members') - member = Product_Type_Member() - member.user = self.request.user - member.product_type = Product_Type(**product_type_data) - member.role = Role.objects.get(is_owner=True) - member.save() + product_type_data = serializer.data + product_type_data.pop('authorization_groups') + product_type_data.pop('members') + member = Product_Type_Member() + member.user = self.request.user + member.product_type = Product_Type(**product_type_data) + member.role = Role.objects.get(is_owner=True) + member.save() @extend_schema( request=serializers.ReportGenerateOptionSerializer, @@ -1440,8 +1427,7 @@ class ProductTypeMemberViewSet(prefetch.PrefetchListMixin, filter_fields = ('id', 'product_type_id', 'user_id') swagger_schema = prefetch.get_prefetch_schema(["product_type_members_list", "product_type_members_read"], serializers.ProductTypeMemberSerializer).to_schema() - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasProductTypeMemberPermission) + permission_classes = (IsAuthenticated, permissions.UserHasProductTypeMemberPermission) def get_queryset(self): return get_authorized_product_type_members(Permissions.Product_Type_View).distinct() 
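Review bot: `perform_create` rebuilds the product type from `serializer.data` (`Product_Type(**product_type_data)` after popping two keys) instead of using the instance that `serializer.save()` already returns; this breaks as soon as the serializer output gains another non-model key and is simpler as `product_type = serializer.save()`. The two writes are also not atomic: if `Role.objects.get(is_owner=True)` raises, the product type is committed with no owner membership, so its creator cannot manage it. Wrapping both writes in `transaction.atomic()` (`from django.db import transaction`, if the module does not already import it) closes that gap; the rewritten method is below.
```python
    def perform_create(self, serializer):
        # Create the product type and its owner membership together, so a
        # failed Role lookup cannot leave a product type nobody can manage.
        with transaction.atomic():
            product_type = serializer.save()
            Product_Type_Member.objects.create(
                user=self.request.user,
                product_type=product_type,
                role=Role.objects.get(is_owner=True))
```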
@@ -1496,8 +1482,7 @@ class ProductTypeGroupViewSet(prefetch.PrefetchListMixin, filter_fields = ('id', 'product_type_id', 'group_id') swagger_schema = prefetch.get_prefetch_schema(["product_type_groups_list", "product_type_groups_read"], serializers.ProductTypeGroupSerializer).to_schema() - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasProductTypeGroupPermission) + permission_classes = (IsAuthenticated, permissions.UserHasProductTypeGroupPermission) def get_queryset(self): return get_authorized_product_type_groups(Permissions.Product_Type_Group_View).distinct() @@ -1527,8 +1512,7 @@ class StubFindingsViewSet(mixins.ListModelMixin, queryset = Stub_Finding.objects.none() filter_backends = (DjangoFilterBackend,) filter_fields = ('id', 'title', 'date', 'severity', 'description') - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasFindingPermission) + permission_classes = (IsAuthenticated, permissions.UserHasFindingPermission) def get_queryset(self): return get_authorized_stub_findings(Permissions.Finding_View).distinct() @@ -1565,8 +1549,7 @@ class TestsViewSet(mixins.ListModelMixin, queryset = Test.objects.none() filter_backends = (DjangoFilterBackend,) filter_class = ApiTestFilter - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasTestPermission) + permission_classes = (IsAuthenticated, permissions.UserHasTestPermission) @property def risk_application_model_class(self): 
@@ -1763,8 +1746,7 @@ class TestImportViewSet(prefetch.PrefetchListMixin, 'test_import_finding_action__finding', 'test_import_finding_action__created') swagger_schema = prefetch.get_prefetch_schema(["test_imports_list", "test_imports_read"], serializers.TestImportSerializer). \ to_schema() - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasTestImportPermission) + permission_classes = (IsAuthenticated, permissions.UserHasTestImportPermission) def get_queryset(self): return get_authorized_test_imports(Permissions.Test_View).prefetch_related( @@ -1959,10 +1941,7 @@ class ImportScanView(mixins.CreateModelMixin, serializer_class = serializers.ImportScanSerializer parser_classes = [MultiPartParser] queryset = Test.objects.none() - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasImportPermission) - else: - permission_classes = (IsAuthenticated, DjangoModelPermissions) + permission_classes = (IsAuthenticated, permissions.UserHasImportPermission) def perform_create(self, serializer): _, _, _, engagement_id, engagement_name, product_name = serializers.get_import_meta_data_from_dict(serializer.validated_data) @@ -2022,8 +2001,7 @@ class LanguageViewSet(prefetch.PrefetchListMixin, filter_fields = ('id', 'language', 'product') swagger_schema = prefetch.get_prefetch_schema(["languages_list", "languages_read"], serializers.LanguageSerializer).to_schema() - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasLanguagePermission) + permission_classes = (IsAuthenticated, permissions.UserHasLanguagePermission) def get_queryset(self): return get_authorized_languages(Permissions.Language_View).distinct() 
@@ -2035,8 +2013,7 @@ class ImportLanguagesView(mixins.CreateModelMixin, serializer_class = serializers.ImportLanguagesSerializer parser_classes = [MultiPartParser] queryset = Product.objects.none() - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasLanguagePermission) + permission_classes = (IsAuthenticated, permissions.UserHasLanguagePermission) def get_queryset(self): return get_authorized_products(Permissions.Language_Add) @@ -2068,10 +2045,7 @@ class ReImportScanView(mixins.CreateModelMixin, serializer_class = serializers.ReImportScanSerializer parser_classes = [MultiPartParser] queryset = Test.objects.none() - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasReimportPermission) - else: - permission_classes = (IsAuthenticated, DjangoModelPermissions) + permission_classes = (IsAuthenticated, permissions.UserHasReimportPermission) def get_queryset(self): return get_authorized_tests(Permissions.Import_Scan_Result) @@ -2467,8 +2441,7 @@ class EngagementPresetsViewset(mixins.ListModelMixin, filter_backends = (DjangoFilterBackend,) filter_fields = ('id', 'title', 'product') - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, permissions.UserHasEngagementPresetPermission) + permission_classes = (IsAuthenticated, permissions.UserHasEngagementPresetPermission) def get_queryset(self): return get_authorized_engagement_presets(Permissions.Product_View) @@ -2484,5 +2457,4 @@ class NetworkLocationsViewset(mixins.ListModelMixin, queryset = Network_Locations.objects.all() filter_backends = (DjangoFilterBackend,) filter_fields = ('id', 'location') - if settings.FEATURE_AUTHORIZATION_V2: - permission_classes = (IsAuthenticated, DjangoModelPermissions) + permission_classes = (IsAuthenticated, DjangoModelPermissions) diff --git a/dojo/filters.py b/dojo/filters.py index ba3724579d..afefc0225e 100644 --- a/dojo/filters.py +++ b/dojo/filters.py 
@@ -2093,10 +2093,7 @@ class ProductTypeFilter(DojoFilter): class Meta: model = Product_Type - if settings.FEATURE_AUTHORIZATION_V2: - exclude = ['authorized_users'] - else: - exclude = ['members', 'authorization_groups'] + exclude = ['authorized_users'] include = ('name',) diff --git a/dojo/forms.py b/dojo/forms.py index faa9907591..744dd7901e 100755 --- a/dojo/forms.py +++ b/dojo/forms.py @@ -147,25 +147,10 @@ def value_from_datadict(self, data, files, name): class Product_TypeForm(forms.ModelForm): description = forms.CharField(widget=forms.Textarea(attrs={}), required=False) - if not settings.FEATURE_AUTHORIZATION_V2: - authorized_users = forms.ModelMultipleChoiceField( - queryset=None, - required=False, label="Authorized Users") - - def __init__(self, *args, **kwargs): - non_staff = Dojo_User.objects.exclude(is_staff=True) \ - .exclude(is_active=False).order_by('first_name', 'last_name') - super(Product_TypeForm, self).__init__(*args, **kwargs) - - if not settings.FEATURE_AUTHORIZATION_V2: - self.fields['authorized_users'].queryset = non_staff class Meta: model = Product_Type - if settings.FEATURE_AUTHORIZATION_V2: - fields = ['name', 'description', 'critical_product', 'key_product'] - else: - fields = ['name', 'description', 'authorized_users', 'critical_product', 'key_product'] + fields = ['name', 'description', 'critical_product', 'key_product'] class Delete_Product_TypeForm(forms.ModelForm): 
@@ -254,33 +239,19 @@ class ProductForm(forms.ModelForm): queryset=Product_Type.objects.none(), required=True) - if not settings.FEATURE_AUTHORIZATION_V2: - authorized_users = forms.ModelMultipleChoiceField( - queryset=None, - required=False, label="Authorized Users") - product_manager = forms.ModelChoiceField(queryset=Dojo_User.objects.exclude(is_active=False).order_by('first_name', 'last_name'), required=False) technical_contact = forms.ModelChoiceField(queryset=Dojo_User.objects.exclude(is_active=False).order_by('first_name', 'last_name'), required=False) team_manager = forms.ModelChoiceField(queryset=Dojo_User.objects.exclude(is_active=False).order_by('first_name', 'last_name'), required=False) def __init__(self, *args, **kwargs): - non_staff = Dojo_User.objects.exclude(is_staff=True) \ - .exclude(is_active=False).order_by('first_name', 'last_name') super(ProductForm, self).__init__(*args, **kwargs) - if not settings.FEATURE_AUTHORIZATION_V2: - self.fields['authorized_users'].queryset = non_staff self.fields['prod_type'].queryset = get_authorized_product_types(Permissions.Product_Type_Add_Product) class Meta: model = Product - if settings.FEATURE_AUTHORIZATION_V2: - fields = ['name', 'description', 'tags', 'product_manager', 'technical_contact', 'team_manager', 'prod_type', 'regulations', - 'business_criticality', 'platform', 'lifecycle', 'origin', 'user_records', 'revenue', 'external_audience', - 'internet_accessible', 'enable_simple_risk_acceptance', 'enable_full_risk_acceptance'] - else: - fields = ['name', 'description', 'tags', 'product_manager', 'technical_contact', 'team_manager', 'prod_type', 'regulations', - 'authorized_users', 'business_criticality', 'platform', 'lifecycle', 'origin', 'user_records', 'revenue', 'external_audience', - 'internet_accessible', 'enable_simple_risk_acceptance', 'enable_full_risk_acceptance'] + fields = ['name', 'description', 'tags', 'product_manager', 'technical_contact', 'team_manager', 'prod_type', 'regulations', + 
'business_criticality', 'platform', 'lifecycle', 'origin', 'user_records', 'revenue', 'external_audience', + 'internet_accessible', 'enable_simple_risk_acceptance', 'enable_full_risk_acceptance'] class DeleteProductForm(forms.ModelForm): @@ -1573,7 +1544,7 @@ def __init__(self, *args, **kwargs): super(ReviewFindingForm, self).__init__(*args, **kwargs) - if finding is not None and settings.FEATURE_AUTHORIZATION_V2: + if finding is not None: self.fields['reviewers'].queryset = get_authorized_users_for_product_and_product_type(None, finding.test.engagement.product, Permissions.Finding_Edit) class Meta: 
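Review bot: In `ReviewFindingForm.__init__` the `reviewers` queryset is narrowed to users authorized on the finding's product only when `finding is not None`; when the form is built without a finding the field keeps the queryset from its declaration (outside this hunk), which presumably is a broader user list — confirm no view reaches that path and saves reviewers. If one can, the branch should fail closed, e.g. `else: self.fields['reviewers'].queryset = self.fields['reviewers'].queryset.none()`. The `__init__` starts before the hunk.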
@@ -1876,43 +1847,23 @@ class AddDojoUserForm(forms.ModelForm): required=False, validators=[validate_password], help_text='Password must contain at least 9 characters, one lowercase (a-z) and one uppercase (A-Z) letter, one number (0-9), \ and one symbol (()[]{}|\`~!@#$%^&*_-+=;:\'\",<>./?). Leave blank to set an unusable password for this user.') # noqa W605 - if not settings.FEATURE_AUTHORIZATION_V2: - authorized_products = forms.ModelMultipleChoiceField( - queryset=Product.objects.all(), required=False, - help_text='Select the products this user should have access to.') - authorized_product_types = forms.ModelMultipleChoiceField( - queryset=Product_Type.objects.all(), required=False, - help_text='Select the product types this user should have access to.') class Meta: model = Dojo_User fields = ['username', 'password', 'first_name', 'last_name', 'email', 'is_active', 'is_staff', 'is_superuser'] - if not settings.FEATURE_AUTHORIZATION_V2: - exclude = ['last_login', 'groups', 'date_joined', 'user_permissions'] - else: - exclude = ['last_login', 'groups', 'date_joined', 'user_permissions', - 'authorized_products', 'authorized_product_types'] + exclude = ['last_login', 'groups', 'date_joined', 'user_permissions', + 'authorized_products', 'authorized_product_types'] class EditDojoUserForm(forms.ModelForm): - if not settings.FEATURE_AUTHORIZATION_V2: - authorized_products = forms.ModelMultipleChoiceField( - queryset=Product.objects.all(), required=False, - help_text='Select the products this user should have access to.') - authorized_product_types = forms.ModelMultipleChoiceField( - queryset=Product_Type.objects.all(), required=False, - help_text='Select the product types this user should have access to.') class Meta: model = Dojo_User fields = ['username', 'first_name', 'last_name', 'email', 'is_active', 'is_staff', 'is_superuser'] - if not settings.FEATURE_AUTHORIZATION_V2: - exclude = ['password', 'last_login', 'groups', 'date_joined', 'user_permissions'] - else: - 
exclude = ['password', 'last_login', 'groups', 'date_joined', 'user_permissions', - 'authorized_products', 'authorized_product_types'] + exclude = ['password', 'last_login', 'groups', 'date_joined', 'user_permissions', + 'authorized_products', 'authorized_product_types'] class DeleteUserForm(forms.ModelForm): diff --git a/dojo/pipeline.py b/dojo/pipeline.py index 5749ae0d26..655fd68e92 100644 --- a/dojo/pipeline.py +++ b/dojo/pipeline.py @@ -2,10 +2,8 @@ import re from django.conf import settings -from django.contrib.auth.models import Permission -from django.contrib.contenttypes.models import ContentType -from dojo.models import Dojo_Group_Member, Engagement, Product, Product_Member, \ - Product_Type, System_Settings, Test, Role +from dojo.models import Dojo_Group_Member, Product, Product_Member, \ + Product_Type, System_Settings, Role from social_core.backends.azuread_tenant import AzureADTenantOAuth2 from social_core.backends.google import GoogleOAuth2 from dojo.authorization.roles_permissions import Permissions, Roles @@ -76,10 +74,6 @@ def modify_permissions(backend, uid, user=None, social=None, *args, **kwargs): else: user.is_staff = False - if settings.GITLAB_PROJECT_AUTO_IMPORT is True and not settings.FEATURE_AUTHORIZATION_V2: - # Add engagement creation permission if auto_import is set - user.user_permissions.set([Permission.objects.get(codename='add_engagement', content_type=ContentType.objects.get_for_model(Engagement)), Permission.objects.get(codename='add_test', content_type=ContentType.objects.get_for_model(Test)), Permission.objects.get(codename='change_test', content_type=ContentType.objects.get_for_model(Test))]) - def update_product_access(backend, uid, user=None, social=None, *args, **kwargs): if settings.GITLAB_PROJECT_AUTO_IMPORT is True: 
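Review bot: In `AddDojoUserForm.Meta` and `EditDojoUserForm.Meta` the explicit `fields` list already decides which model fields appear on the form, so the `'authorized_products', 'authorized_product_types'` entries added to `exclude` (and the rest of that list) change nothing — Django applies `exclude` only to fields that would otherwise be included. Dropping `exclude` from both `Meta` classes removes the false impression that it is what keeps those relations off the form. `EditDojoUserForm` is now only a `Meta` declaration; a one-line docstring such as `"""Edit an existing Dojo_User without touching the password field."""` would tell the reader why it differs from the add form.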
@@ -105,11 +99,7 @@ def update_product_access(backend, uid, user=None, social=None, *args, **kwargs) # If not, create a product with that name and the GitLab product type product = Product(name=project.path_with_namespace, prod_type=product_type) product.save() - if not settings.FEATURE_AUTHORIZATION_V2: - product.authorized_users.add(user) - product.save() - else: - product_member, created = Product_Member.objects.get_or_create(product=product, user=user, defaults={'role': Role.objects.get(id=Roles.Owner)}) + product_member, created = Product_Member.objects.get_or_create(product=product, user=user, defaults={'role': Role.objects.get(id=Roles.Owner)}) # Import tags and/orl URL if necessary if settings.GITLAB_PROJECT_IMPORT_TAGS: if hasattr(project, 'topics'): @@ -123,12 +113,8 @@ def update_product_access(backend, uid, user=None, social=None, *args, **kwargs) if settings.GITLAB_PROJECT_IMPORT_TAGS or settings.GITLAB_PROJECT_IMPORT_URL: product.save() - # For each product: if user is not project member any more, remove him from product's authorized users + # For each product: if user is not project member any more, remove him from product's list of product members for product_name in user_product_names: if product_name not in project_names: product = Product.objects.get(name=product_name) - if not settings.FEATURE_AUTHORIZATION_V2: - product.authorized_users.remove(user) - product.save() - else: - Product_Member.objects.filter(product=product, user=user).delete() + Product_Member.objects.filter(product=product, user=user).delete() diff --git a/dojo/product/views.py b/dojo/product/views.py index fb0bb6a462..1c394c7520 100755 --- a/dojo/product/views.py +++ b/dojo/product/views.py 
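Review bot: `product_member, created = Product_Member.objects.get_or_create(...)` binds two names that nothing in the hunk uses, and `Role.objects.get(id=Roles.Owner)` inside `defaults` runs on every call even when the membership already exists. A bare `Product_Member.objects.get_or_create(product=product, user=user, defaults={'role': Role.objects.get(id=Roles.Owner)})` is enough, and the owner role can be looked up once before the surrounding loop (outside this hunk) if the extra query matters. `update_product_access` starts before this hunk.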
@@ -1577,7 +1577,7 @@ def view_api_scan_configurations(request, pid):
 })
-@user_is_authorized(Product_API_Scan_Configuration, Permissions.Product_API_Scan_Configuration_Edit, 'pascid', 'staff')
+@user_is_authorized(Product_API_Scan_Configuration, Permissions.Product_API_Scan_Configuration_Edit, 'pascid')
 def edit_api_scan_configuration(request, pid, pascid):
 product_api_scan_configuration = get_object_or_404(Product_API_Scan_Configuration, id=pascid)
@@ -1622,7 +1622,7 @@ def edit_api_scan_configuration(request, pid, pascid):
 })
-@user_is_authorized(Product_API_Scan_Configuration, Permissions.Product_API_Scan_Configuration_Delete, 'pascid', 'staff')
+@user_is_authorized(Product_API_Scan_Configuration, Permissions.Product_API_Scan_Configuration_Delete, 'pascid')
 def delete_api_scan_configuration(request, pid, pascid):
 product_api_scan_configuration = get_object_or_404(Product_API_Scan_Configuration, id=pascid)
diff --git a/dojo/unittests/authorization/test_authorization_decorators.py b/dojo/unittests/authorization/test_authorization_decorators.py
index 6a3645a21a..3b0d1784e4 100644
--- a/dojo/unittests/authorization/test_authorization_decorators.py
+++ b/dojo/unittests/authorization/test_authorization_decorators.py
@@ -27,7 +27,6 @@ def test_object_does_not_exist(self, shortcuts_get_mock):
 @patch('dojo.authorization.authorization_decorators.get_object_or_404')
 @patch('dojo.authorization.authorization_decorators.user_has_permission_or_403', side_effect=PermissionDenied())
- @override_settings(FEATURE_AUTHORIZATION_V2=True)
 def test_authorization_permission_denied(self, mock_user_has_permission, mock_shortcuts_get):
 mock_shortcuts_get.return_value = self.product_type
@@ -40,7 +39,6 @@ def test_authorization_permission_denied(self, mock_user_has_permission, mock_sh
 mock_user_has_permission.assert_called_with(self.user, self.product_type, Permissions.Product_Type_View)
 @patch('dojo.authorization.authorization_decorators.get_object_or_404')
- @override_settings(FEATURE_AUTHORIZATION_V2=True)
 def test_authorization_superuser(self, mock_shortcuts_get):
 mock_shortcuts_get.return_value = self.product_type
@@ -51,7 +49,6 @@ def test_authorization_superuser(self, mock_shortcuts_get):
 mock_shortcuts_get.assert_called_once()
 @patch('dojo.authorization.authorization_decorators.get_object_or_404')
- @override_settings(FEATURE_AUTHORIZATION_V2=True)
 @override_settings(AUTHORIZATION_STAFF_OVERRIDE=True)
 def test_authorization_staff_override(self, mock_shortcuts_get):
 mock_shortcuts_get.return_value = self.product_type
@@ -64,7 +61,6 @@ def test_authorization_staff_override(self, mock_shortcuts_get):
 @patch('dojo.authorization.authorization_decorators.get_object_or_404')
 @patch('dojo.authorization.authorization_decorators.user_has_permission_or_403')
- @override_settings(FEATURE_AUTHORIZATION_V2=True)
 def test_authorization_user_has_permission(self, mock_user_has_permission, mock_shortcuts_get):
 mock_shortcuts_get.return_value = self.product_type
diff --git a/dojo/unittests/authorization/test_authorization_tags.py b/dojo/unittests/authorization/test_authorization_tags.py
index a566322b31..1525b42907 100644
--- a/dojo/unittests/authorization/test_authorization_tags.py
+++ b/dojo/unittests/authorization/test_authorization_tags.py
@@ -1,4 +1,4 @@
-from django.test import TestCase, override_settings
+from django.test import TestCase
 from unittest.mock import patch
 from dojo.models import Product_Type
 from dojo.authorization.roles_permissions import Permissions
@@ -11,7 +11,6 @@ def setUp(self):
 self.product_type = Product_Type()
 @patch('dojo.templatetags.authorization_tags.user_has_permission')
- @override_settings(FEATURE_AUTHORIZATION_V2=True)
 def test_has_object_permission_no_permission(self, mock_has_permission):
 mock_has_permission.return_value = False
@@ -21,7 +20,6 @@ def test_has_object_permission_no_permission(self, mock_has_permission):
 mock_has_permission.assert_called_with(None, self.product_type, Permissions.Product_Type_View)
 @patch('dojo.templatetags.authorization_tags.user_has_permission')
- @override_settings(FEATURE_AUTHORIZATION_V2=True)
 def test_has_object_permission_has_permission(self, mock_has_permission):
 mock_has_permission.return_value = True
@@ -30,7 +28,6 @@ def test_has_object_permission_has_permission(self, mock_has_permission):
 self.assertTrue(result)
 mock_has_permission.assert_called_with(None, self.product_type, Permissions.Product_Type_View)
- @override_settings(FEATURE_AUTHORIZATION_V2=True)
 def test_has_object_permission_wrong_permission(self):
 with self.assertRaises(KeyError):
diff --git a/dojo/urls.py b/dojo/urls.py
index 5728769ebc..a5b0b34016 100755
--- a/dojo/urls.py
+++ b/dojo/urls.py
@@ -80,15 +80,14 @@ v2_api.register(r'jira_projects', JiraProjectViewSet)
 v2_api.register(r'products', ProductViewSet)
 v2_api.register(r'product_types', ProductTypeViewSet)
-if settings.FEATURE_AUTHORIZATION_V2:
- v2_api.register(r'dojo_groups', DojoGroupViewSet)
- v2_api.register(r'dojo_group_members', DojoGroupMemberViewSet)
- v2_api.register(r'product_type_members', ProductTypeMemberViewSet)
- v2_api.register(r'product_members', ProductMemberViewSet)
- v2_api.register(r'product_type_groups', ProductTypeGroupViewSet)
- v2_api.register(r'product_groups', ProductGroupViewSet)
- v2_api.register(r'roles', RoleViewSet)
- v2_api.register(r'global_roles', GlobalRoleViewSet)
+v2_api.register(r'dojo_groups', DojoGroupViewSet)
+v2_api.register(r'dojo_group_members', DojoGroupMemberViewSet)
+v2_api.register(r'product_type_members', ProductTypeMemberViewSet)
+v2_api.register(r'product_members', ProductMemberViewSet)
+v2_api.register(r'product_type_groups', ProductTypeGroupViewSet)
+v2_api.register(r'product_groups', ProductGroupViewSet)
+v2_api.register(r'roles', RoleViewSet)
+v2_api.register(r'global_roles', GlobalRoleViewSet)
 v2_api.register(r'sonarqube_issues', SonarqubeIssueViewSet)
 v2_api.register(r'sonarqube_transitions', SonarqubeIssueTransitionViewSet)
 v2_api.register(r'product_api_scan_configurations', ProductAPIScanConfigurationViewSet)
diff --git a/dojo/views.py b/dojo/views.py
index 4528909d7c..f92eaa0b15 100755
--- a/dojo/views.py
+++ b/dojo/views.py
@@ -33,49 +33,43 @@ def action_history(request, cid, oid): object_value = None if ct.model == "product": - if settings.FEATURE_AUTHORIZATION_V2: - user_has_permission_or_403(request.user, obj, Permissions.Product_View) + user_has_permission_or_403(request.user, obj, Permissions.Product_View) product_id = obj.id active_tab = "overview" object_value = Product.objects.get(id=obj.id) elif ct.model == "engagement": - if settings.FEATURE_AUTHORIZATION_V2: - user_has_permission_or_403(request.user, obj, Permissions.Engagement_View) + user_has_permission_or_403(request.user, obj, Permissions.Engagement_View) object_value = Engagement.objects.get(id=obj.id) product_id = object_value.product.id active_tab = "engagements" elif ct.model == "test": - if settings.FEATURE_AUTHORIZATION_V2: - user_has_permission_or_403(request.user, obj, Permissions.Test_View) + user_has_permission_or_403(request.user, obj, Permissions.Test_View) object_value = Test.objects.get(id=obj.id) product_id = object_value.engagement.product.id active_tab = "engagements" test = True elif ct.model == "finding": - if settings.FEATURE_AUTHORIZATION_V2: - user_has_permission_or_403(request.user, obj, Permissions.Finding_View) + user_has_permission_or_403(request.user, obj, Permissions.Finding_View) object_value = Finding.objects.get(id=obj.id) product_id = object_value.test.engagement.product.id active_tab = "findings" finding = object_value elif ct.model == "endpoint": - if settings.FEATURE_AUTHORIZATION_V2: - user_has_permission_or_403(request.user, obj, Permissions.Endpoint_View) + user_has_permission_or_403(request.user, obj, Permissions.Endpoint_View) object_value = Endpoint.objects.get(id=obj.id) product_id = object_value.product.id active_tab = "endpoints" elif ct.model == "risk_acceptance": - if settings.FEATURE_AUTHORIZATION_V2: - engagements = Engagement.objects.filter(risk_acceptance=obj) - authorized = False - for engagement in engagements: - if user_has_permission(request.user, engagement, 
Permissions.Engagement_View): - authorized = True - break - if not authorized: - raise PermissionDenied + engagements = Engagement.objects.filter(risk_acceptance=obj) + authorized = False + for engagement in engagements: + if user_has_permission(request.user, engagement, Permissions.Engagement_View): + authorized = True + break + if not authorized: + raise PermissionDenied else: - if settings.FEATURE_AUTHORIZATION_V2 and not request.user.is_superuser: + if not request.user.is_superuser: raise PermissionDenied product_tab = None @@ -111,23 +105,17 @@ def action_history(request, cid, oid): def manage_files(request, oid, obj_type): - if not settings.FEATURE_AUTHORIZATION_V2 and not request.user.is_staff: - raise PermissionDenied - if obj_type == 'Engagement': obj = get_object_or_404(Engagement, pk=oid) - if settings.FEATURE_AUTHORIZATION_V2: - user_has_permission_or_403(request.user, obj, Permissions.Engagement_Edit) + user_has_permission_or_403(request.user, obj, Permissions.Engagement_Edit) obj_vars = ('view_engagement', 'engagement_set') elif obj_type == 'Test': obj = get_object_or_404(Test, pk=oid) - if settings.FEATURE_AUTHORIZATION_V2: - user_has_permission_or_403(request.user, obj, Permissions.Test_Edit) + user_has_permission_or_403(request.user, obj, Permissions.Test_Edit) obj_vars = ('view_test', 'test_set') elif obj_type == 'Finding': obj = get_object_or_404(Finding, pk=oid) - if settings.FEATURE_AUTHORIZATION_V2: - user_has_permission_or_403(request.user, obj, Permissions.Finding_Edit) + user_has_permission_or_403(request.user, obj, Permissions.Finding_Edit) obj_vars = ('view_finding', 'finding_set') else: raise Http404()
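Review bot: The `risk_acceptance` branch of `action_history` hand-rolls `any()` with an `authorized` flag and a `break`; `if not any(user_has_permission(request.user, e, Permissions.Engagement_View) for e in Engagement.objects.filter(risk_acceptance=obj)): raise PermissionDenied` says the same in two lines and keeps the fail-closed result when no engagement references the acceptance. The closing `else` that rejects every other content type unless the user is a superuser is the right default now that the flag is gone and deserves a comment, e.g. `# Content types not handled above are visible to superusers only`. `action_history` continues past the end of its hunk, and the part of `manage_files` after `raise Http404()`, if any, is outside the second hunk.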