Skip to content

Commit

Permalink
Feature/0.9.10 (#1689)
Browse files Browse the repository at this point in the history
* fixed control and sectioning for components in system

* check for security impact level statement when updating. Readding retrieval of security impact levels. todo on separate form for levels.

* adding component_state and component_type to system component and component library display. including component_metadata template to keep styling consistent

* pulling in some of the information from statement about system. Rest would come from questionnaires. system_information_types is not used at all.

* a todo for fisma impact level renaming

* added project_security_objs_edit to edit security objectives separately from project editing.

* update changelog and some wording in the modal

* Move action-button styles from inline to style section

* two views/urls for editing component state and type

* adding component type and state to ElementForm

* adding just the display of the state and type to component library components not the ability to change.

* changelog

* FISMA IMPACT LEVEL is now SECURITY SENSITIVITY LEVEL

* Work inprogress

* Work inprogress

* Da/quick insert (#1601)

* make sure component_type not element_type is exported

* ssp versions should be floats not integers. Information types needs a uuid

* adding empty placeholders for the required keys.

* using updated for component version

* party-uuids is still a todo

* categorizations is still a todo

* parties is still a todo

* Fix system ctl detail page err; Improve creating smt from prototypes (#1602)

Refactor creating system control statements from component library
prototype statements when adding a component from the library to a system
and reduce by an order a magnitude the time it takes to add a component to system.

Rename smt.create_instance_from_prototype to smt.create_system_control_smt_from_component_prototype_smt

Fix bug breaking rendering of system's control detail page by
removing an errant login_required decorator on a function.
Add test for system control page. Will add test(s) for system control detail page.

Co-authored-by: Greg Elin <[email protected]>

* Automatically clear, refresh output document content downloading docs

Performnce of document generation now sufficiently fast
to not require cache and manual "Refresh documents" button.

* remove comments. changelog

* Fixed an issue where statement didn't exist while exporting to oscal (#1605)

* Fixed an issue where statement didn't exist while exporting to oscal

* Update CHANGELOG

Co-authored-by: Alexander Ward <[email protected]>
Co-authored-by: Greg Elin <[email protected]>

* Align Delete section on project settings (#1604)

Co-authored-by: Greg Elin <[email protected]>

* Update CHANGELOG

* Ge/file upload extensions (#1607)

* Accepts file uploads with capitalized extensions, e.g. ".JPG".

Adjust file upload validator to recognize capitalized extensions
and also recognizes ".jpeg" in addition to ".jpg".

* Add tests for validating uppercase extensions on file uploads

* Add test fixture data

Co-authored-by: Greg Elin <[email protected]>

* Batch update cntl impl smts when component_statement changes

Implemented a faster way to update status of system controls.
When user sets a system component state to "operational" all statements
associated with that component for the system get their status set to
"Implemented". Similarly, setting component’s state to "planned" batch
sets all component statements for that system to "Planned", and
"under-development" sets component statements to "Partially Implemented".

Display system component component_state and component_type when
component is listed for a system.

* More okta changes

* export a projects ssp control implementations with export form (#1611)

* export a projects ssp control implementations with export form

* remove comments

* Correct slugify import

* Security update Python 3.2.4 due to https://snyk.io/vuln/SNYK-PYTHON-DJANGO-1298665

* Polish SSP control CSV export form

Co-authored-by: Greg Elin <[email protected]>

* Add 'Create a template' button to template library (#1610)

Co-authored-by: Greg Elin <[email protected]>

* Content-Security-Policy header permit images (*), videos youtube, vimeo

* quick fix for auth

* quick fix for auth

* quick fix for auth

* quick fix for auth

* quick fix for auth

* Force controls csv to download to browser

* quick fix for auth

* quick fix for auth

* test

* test

* test

* test

* test

* last fix and vuln update for django

* last fix and vuln update for django

* 'Back' link to question to take user to previous question (#1612)

* 'Back' link to question to take user to previous question

* Update guidedmodules/views.py

Refactor pulling back_url into project_form

Co-authored-by: davidpofo <[email protected]>

* Improve back-button styling

Co-authored-by: Greg Elin <Greg Elin>
Co-authored-by: davidpofo <[email protected]>
Co-authored-by: Greg Elin <[email protected]>

* WIP: Side-by-side comparison of components (#1620)

* created checkbox and form for submitting components for comparison. created rough start for displaying differences between prime component and rest

* for now just implementing two comparison

* click to read full text after 50 chars

* styling and added Control part

* displaying comparisons for x number of component statements against the prime component. Styling and abstracted out the comparison block into an included template

* check for pid

* removing detail/summary not really necessary

* Condense comparison listings into rows of a single table

Co-authored-by: Greg Elin <Greg Elin>

* Update CHANGELOG.md

* Rename 'compare' column to 'select' in component library (#1626)

Co-authored-by: Greg Elin <Greg Elin>

* Remove portfolio selection modal from Start a Project process

Start projects in user's default portfolio to reduce the clicks
starting a project.

Use the User.create_default_portfolio_if_missing method consistently
to consistently create the user portfolio default portfolio.

Remove the PortfolioSignupForm because registration is no longer
used in registering users.

Remove the '"project_form": AddProjectForm(request.user ...' passed
into many templates because the navbar start app option no longer
brings up the portfolio select modal.

* Update tests for default portfolio

* Bump VERSION, CHANGELOG

* Update CHANGELOG VERSION

* Add button, form to add AppSource via upload of zip file

Add button, form to App Store to provide front-end UI for
admininstrators to add an AppSource by uploading a zip file.
This simplifies setting up an AppSource for first time users.

Implementation only validates that uploaded directory is a zip
file, does not check if uploaded zip file is valid AppSource
directory structure.

Implementation assumes apps are in the 'apps' directory.

* Link to library version of component from a system's selected control component

* Display systems using a component (#1618)

* Display systems using a component

Add method controls.element.consuming_systems to produce list of systems
consuming (e.g., containing) the element.

Add tab to component library component detail page to display list of systems
containing the component.

Also, always display OSCAL tab in component library for component detail
(rather than conditional on 'enable_experimental_opencontrol' parameter).

* Show component system count in tab, better projects.exists query

* Replace list compression with query filters

Co-authored-by: Greg Elin <[email protected]>
Co-authored-by: davidpofo <[email protected]>

* Ge/fulltext search (#1631)

* Add fulltext smt search to component library search

* Note fulltext search in CHANGELOG

Co-authored-by: Greg Elin <Greg Elin>

* check if we are in a portfolio when starting a project. If so then use that portfolio and not the default for the user.

* fixed a bug where Elements of type system were shown in the selected components for a project

* Addressing github issue 1630 in group id matching. fixed a bug where Elements of type system were shown in the selected components for a project.

* Add YAML intermediary file for CMMC

* try/except to still do the component search for non-Postgres users. (#1633)

* Add a 'blank' project with no questions useful for batch project creation (#1634)

Co-authored-by: Greg Elin <Greg Elin>

* td not th

* Polish security objective ui

* Avoid errors when project has no root_task set

* Better project name when no root task set

* Align project name when listing project with no root task

* Support CMMC ver 1 OSCAL catalog

* Fix typo

* Add 'blank' compliance app to first_run

* Append '-dev' to version number

* Legacy Statements added as statements for import

* Updating regex

* Del size limit on speedyssp img upload

* updated column for imp statements

* Fix test shipped catalogs count

* td not th

* Revert "td not th"

This reverts commit e7e8b9c

* these values are safe

* removing extra differences obj.

* safe and efficiency

* adding select/deselect all. checkbox container wrap.

* control structure for compare button toggle

* Maintain sort order of compare_list otherwise Django will order ascending

* adding change component button to change what the prime component of comparison is. Still has work todo

* changed to allow user passed in for parsing

* remove commented out code from template

* Add UI for legacy statement display. Also fix StatementTypeEnum. (#1644)

* [WIP] UI to display legacy control impl smts

Create a conditional display of legacy control implementation
statements in control editor page.

Also widen width of display of editor control statements
to 1250px.

* Improve display of legacy statement

* StatementTypeEnum fixes. Closes #1643

Set all `StatementTypeEnum.<LABEL>.value` to `StatementTypeEnum.<LABEL>.name`
in order for relevant label/term to show up in Django database admin interface.

Set component library detail page Systems tab to not be inactive thereby
removing the content from the System tab showing up on the Control Implementation
Statements tab.

Update controls.tests.

Co-authored-by: Greg Elin <[email protected]>

* Update CHANGELOG

* fixing styling of portfolio table

* using django guardian ObjectPermissionChecker to prefetch permissions. Directly check permissions, to avoid N+1 query of perms with get_obj_perms

* hide_registration revert

* formatting for sid

* Use StatementEnum.*.name value

* removing change component comparison button for now.

* implemented persistent storage of checks by changing value in hidden input with jquery. Clears storage after clicking compare button or deselecting all

* Use one import record for entire file

* More OSCALize id fixes. Proper Create/Update/Del of smts

* Display other_statement count on confirm import delete

* test test_portfolio_projects

* Add project, system.root_element to import_record

Add project and system.root_element to import_record
in order to auto delete the project and system (and root element)
when the import process for importing legacy control impl smts
also creates the project.

* name not value for statement enums

* Sometimes there are not parameters and that is okay it is caught by the try/except block.

* Captialize mission for test

* name not value for enums

* captial impact... Impact

* testing parse for version

* missed one get

* is_prerelease not dev release

* using is_prerelease works for checking dev

* need to force login as authenticated user and then reset login

* url

* snyk update to avoid SQL injection vuln found in Django 3.2.4

* check if previously checked and if so then don't hide compare button.

* fix conflicting migrations detected

* systems-security-sensitivity-level

* Fix controls/0052 StatementTypeEnum migration (#1648)

Co-authored-by: Greg Elin <Greg Elin>

* Update CHANGELOG.md (#1647)

* Configure users on install

New govready_users parameter in local/environment.json
to create sample users on install.

* Add Wazuh collection form to Assessments page (#1651)

* Add Wazuh info via end-user form

* Create SecurityService class to represent Security Service

Create `sec_srvc.SecurityService` class to represent a security service
from which data could be collected.

Add form to Assessments page to collect info from Wazuh SecurityService.

* Fix sec_srvc.py

* Abstracted and made a few improvements

* Fix uuid error

* Fix testing for fields

Co-authored-by: Greg Elin <[email protected]>
Co-authored-by: Alexander Ward <[email protected]>

* checking for dev user creation pw. Create reg users not admin.

* Add CMMC baselines, assign baselines (#1649)

* Improve CMMC links, add OSCAL methods for link content

Improve CMMC catalog links to link to NIST 800-53 in GovReady.

Add methods to OSCAL catalog, get control_part, guidance links

Add get_control_part_by_name, get_control_guidance_links,
get_guidance_related_links_by_value_in_href, and
get_guidance_related_links_text_by_value_in_href to make getting
link content easier.

* Display related controls as links in control guidance

* Properly assign CMMC baselines

* Remove debugging print statements

* Fix typo

* Properly use StatementTypeEnum when saving smts

Co-authored-by: Greg Elin <[email protected]>
Co-authored-by: Greg Elin <Greg Elin>

* first_run finishing touch

* Fix assessment summary link to wazuh (#1653)

* Add Wazuh info via end-user form

* Create SecurityService class to represent Security Service

Create `sec_srvc.SecurityService` class to represent a security service
from which data could be collected.

Add form to Assessments page to collect info from Wazuh SecurityService.

* Fix sec_srvc.py

* Abstracted and made a few improvements

* Fix uuid error

* Fix testing for fields

* Fix assessment summary link to wazuh

Co-authored-by: Greg Elin <[email protected]>
Co-authored-by: Alexander Ward <[email protected]>

* Da/dropnfill (#1654)

* adding drag and fill for component import

* client-side filetype checking

* client-side file size checking 5MB max. missing div.

* missing listed catalog for CMMC. Delete extra migration. adjust test for drag-n-fill. import_project_submit for import project view/test

* json_content not id_file

* spelling

* del

* hot fix for external catalogs

* Remove baseline controls based on control's catalog_key. Fixes failure to remove controls from another catalog when resetting baselines. (#1655)

Co-authored-by: Greg Elin <[email protected]>

* Update SpeedSSP ssp template for multiple catalogs (#1656)

Co-authored-by: Greg Elin <[email protected]>

* Update admin.py

Readded AppInput

* new line fix

* fixed bug where id doesn't exist yet in db

* pinning jinja and installing compliance-trestle with unpinning of markupsafe in order to validate oscal 1.0.0.

* revert some changes to ssp-def for now and added source to statement model.

* ensure source and uuid are added correctly to import/export of component-definition

* adding oscal-version to element model. clean up output title

* replaced component-defintion for test data with official oscal 1.0.0 example component

* lowering the amount of output for circleci

* fixing exceptions

* update example link

* WIP on updating system-security-plan definition.

* missing uuid and 2 removed

* SSP export now includes the uuid and version from the root_element object

* fixing up some module logic to include real uuid and oscal version

* uuid not id

* Import component control statement even if catalog not found

Remove test to see of control exists in control catalog when importing
a component because we may import a component that has controls from
a catalog that is not yet in GovReady.

The test on the control id being in the catalog was originally done
to avoid importing a bad control (or bad control id). But it is worse
to not be able to import the component because we don't yet have the
a control catalog mentioned by the component.

* Display component, smts even if catalog missing

Do not crash on displaying a component and component
control implementation statement when a catalog
associated with statements is missing from GovReady-Q
install.

* Ge/data grid question (#1667)

* Improve appearance of data grid question

Display datagrid question wider and with smaller fonts.
Support datgrid specifying select type cell.

* Display legacy smt in system selected controls; fix component counts

Fix count on project system's components associated with a control (avoid double counting).

Display existance of legacy statement in project system's selected controls.

* Fix typo

Co-authored-by: Greg Elin <[email protected]>

* Adjust test to new rule of importing controls with bad catalog

* natsorting implementation statements before grouping by sid. Providing statement's uuid. Ensuring
all requirements are added to final control implementation dictionary. dealing with empty or incorrect catalogs. Fixed up smt parse.

* If no statements are created then delete empty component

* OSCAL SSP almost implemented just need to finish implemented reqs.

* OSCALSystemSecurityPlanSerializer is getting there still have some fields to fill.

* added new function OSCAL_ssp_export in order to export a system's security plan in OSCAL, this replaces the usual JSON export. Added a several fields of data for OSCAL SSP.

* Coverage 6.0b1 starts to use a modern hash algorithm (sha256) when fingerprinting for high-security environments. Updating the requirements and Changelog.

* added a proxy for parties and responsible parties for component oscal export

* a couple tweaks for comp

* todo for ssp validation with trestle

* read validate ssp  with trestle

* revert discussion test change.

* extra file

* test_path?

* delete invalid test files

* fixing up implementation and testing of validation of extension.

* remove extra addition for .doc

* var sleep?

* bad test case

* adding some comments. Better logging/messaging for schema. Fixed splitting of control id.

* Added test of OSCAL ssp export.

* explicitly login as user

* test baseline json file should be test_baselines.json not baseline

* create system

* check part correctly. test fix

* get system from self

* try/except

* last try

* done

* Remove duplicate loads of select2 in base.html

* Da/cleanup export sspcsv (#1674)

* created a de-oscalizing function and applied to selected controls on import.

* some super route way of making sure the catalogs produce 3.1.

* add test of de_oscalize_control

* Da/discussion updates (#1675)

* get task for the attached object. added some more notes

* fixed signature for getting a task for the attached object.

* Added get_discussion_autocompletes changes to get the organization from the discussion(should be 1 to 1). If another models wants to implement it they can look at the get_discussion_autocompletes in TaskAnswer

* Added get_discussion_autocompletes changes to get the organization from the discussion(should be 1 to 1). If another models wants to implement it they can look at the get_discussion_autocompletes in TaskAnswer

* addressing shell script issues for dockerfile_exec_gunicorn.sh from GH issues 1659 (#1670)

Co-authored-by: root <[email protected]>

* Some controls have characters that we currently don't expect. However it shouldn't just return an empty string as this errors out. Also the controls are already in oscal format. (#1676)

* Auto-start a particular project (#1640)

* [WIP] Auto-start a particular project

Enable the auto-starting of a particular project, e.g.,
start a project without having to visit the compliance app
store.

Eventually, start a project and launch the first question.

* Rename auto start app variables

* Finish project auto start, auto start question, redirect actions

Complete work on automatically starting a project defined in
by a System Setting.

Allow the auto start system setting to define the project template
(e.g. compliance app) to use and even the module to automatically
start.

Also add new question actions to redirect to project page
or project component after answering a question.

TO DO:
- Add error handling (e.g., missing/incorrect project)
- Add tests

* Bump VERSION

Co-authored-by: Greg Elin <Greg Elin>
Co-authored-by: Greg Elin <[email protected]>

* Move Catalog data into database, faster control select autocomplete (#1673)

* Move Catalog data into database, faster control select autocomplete

Move control catalog data into database so catalogs shipped
with GovReady and user added catalogs all accessed in database.
Also faster reading in containers.
Adjust first_run to load catalogs.
Speed up auocomplete by only selecting matching controls.

* Fix tests: add catalogs to db in setup

* Read baselines from database

* Sync with 0.9.7

* Fix tests

* Fix tests 2

* Use better DB query instead of closure

Co-authored-by: Greg Elin <[email protected]>

* Ge/mvp july 2021 (#1679)

* [WIP] Auto-start a particular project

Enable the auto-starting of a particular project, e.g.,
start a project without having to visit the compliance app
store.

Eventually, start a project and launch the first question.

* Rename auto start app variables

* Provide selected ocmponent data to project page

* Finish project auto start, auto start question, redirect actions

Complete work on automatically starting a project defined in
by a System Setting.

Allow the auto start system setting to define the project template
(e.g. compliance app) to use and even the module to automatically
start.

Also add new question actions to redirect to project page
or project component after answering a question.

TO DO:
- Add error handling (e.g., missing/incorrect project)
- Add tests

* Add route for single system-component-control

* issue in bootstrap

* better styling for the drag-n-fill area

* missing carrot. reverting the removal of project import form done in 29ff7c2

* Fix skip buttons and question action crash

* Update CHANGELOG.md

* Update CHANGELOG.md

* Produce dictionary of producer_element control impl smts

* Templatetags for math

* Calculate dict of element ctl impl smts status

Co-authored-by: Greg Elin <Greg Elin>
Co-authored-by: Greg Elin <[email protected]>
Co-authored-by: davidpofo <[email protected]>

* Improve search of control selection auto complete (#1681)

* Improve Control Search, migrate CatalogData to Django models.JSONField

* Dramatically improve control selection auot-complete

* Further improve add smt control select and form

Refactor add_statement form.
Better UI with "Add Statement" button in center.
Better alignment.
Validate control is set before saving to avoid error.
Remove unneeded Delete button.
Show/hide "Add Statement button appropriately.

Co-authored-by: Greg Elin <[email protected]>

* Include 'Add component statement' btn when component has no smts (#1682)

Co-authored-by: Greg Elin <[email protected]>

* Fix first_run and add friendlier component import by refactoring source catalog handling (#1683)

* Move user creation earlier in first_run

* Update sample components to OSCAL 1.0.0

* Friendlier component importart, refactor source catalog handling

Import components and their statements even when catalog
not found or statement control ids are not found in referenced catalog.

* Fix source of sample components

* bump version

* Fix name of ILIAS component

* Use faster bulk_create importing components

* Small fixes and synchronizations

* Comment out soon-to-be deprecated account settings

Co-authored-by: Greg Elin <[email protected]>

* Fix adding catalog_key during new smt creation (#1686)

* Fix adding catalog_key during new smt creation

* Avoid creating orphaned smt when adding smt in cmpt library

* Fix test

* Fix tests

Co-authored-by: Greg Elin <[email protected]>

* Add migration to load default catalogs to DB (#1687)

Co-authored-by: Greg Elin <[email protected]>

* Ge/migrate add catalog data 2 (#1688)

* Add migration to load default catalogs to DB

* Remove loading catalogdata in first_frun

Co-authored-by: Greg Elin <[email protected]>

* Manage component tags in OSCAL components (#1685)

* Bump version

* Export/import tags for OSCAL components

* Add component tags to OSCAL SSPs

* Add tags to sample components

* Refactor importing tags

* Nest SQLITE timeout to fix database locking in tests

Co-authored-by: Greg Elin <[email protected]>

* Bump version

Co-authored-by: davidpofo <[email protected]>
Co-authored-by: Greg Elin <Greg Elin>
Co-authored-by: mike <[email protected]>
Co-authored-by: Alexander Ward <[email protected]>
Co-authored-by: Mike Guelfi <[email protected]>
Co-authored-by: Greg Elin <[email protected]>
Co-authored-by: Ward <[email protected]>
Co-authored-by: root <[email protected]>
  • Loading branch information
8 people authored Aug 16, 2021
1 parent 430fbac commit 8be41a0
Show file tree
Hide file tree
Showing 12 changed files with 145 additions and 61 deletions.
17 changes: 17 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,23 @@
GovReady-Q Release Notes
========================

v0.9.10 (August 16, 2021)
-------------------------

**Developer changes**

* Component tags now correctly included on OSCAL component export and included on OSCAL component import.
* Component tags now correctly included on OSCAL SSP generation.

**Bug fix**

* Add the catalog_key to statement's `sid_class` and `source` fields when adding new statement to a component in library.

**Data fix**

* Add migration in controls to load default control catalogs into CatalogData in database. Remove loading of catalogs via first_run command.


v0.9.9 (August 12, 2021)
------------------------

Expand Down
2 changes: 1 addition & 1 deletion VERSION
Original file line number Diff line number Diff line change
@@ -1 +1 @@
v0.9.9
v0.9.10
51 changes: 51 additions & 0 deletions controls/migrations/0060_auto_20210816_1634.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
# Generated by Django 3.2.5 on 2021-08-16 16:34

from django.db import migrations
import os.path
import json

from controls.models import Element
from controls.oscal import CatalogData


def load_catalog_data(apps, schema_editor):
"""Load control catalog data into database"""

# Load the default control catalogs and baselines
CATALOG_PATH = os.path.join(os.path.dirname(__file__),'..','data','catalogs')
BASELINE_PATH = os.path.join(os.path.dirname(__file__),'..','data','baselines')

# TODO: Check directory exists
catalog_files = [file for file in os.listdir(CATALOG_PATH) if file.endswith('.json')]
# Load catalog and baseline data into database records from source files if data records do not exist in database
for cf in catalog_files:
catalog_key = cf.replace("_catalog.json", "")
with open(os.path.join(CATALOG_PATH,cf), 'r') as json_file:
catalog_json = json.load(json_file)
baseline_filename = cf.replace("_catalog.json", "_baselines.json")
if os.path.isfile(os.path.join(BASELINE_PATH, baseline_filename)):
with open(os.path.join(BASELINE_PATH, baseline_filename), 'r') as json_file:
baselines_json = json.load(json_file)
else:
baselines_json = {}

catalog, created = CatalogData.objects.get_or_create(
catalog_key=catalog_key,
catalog_json=catalog_json,
baselines_json=baselines_json
)
if created:
print(f"{catalog_key} record created into database")
else:
print(f"{catalog_key} record found in database")


class Migration(migrations.Migration):

dependencies = [
('controls', '0059_auto_20210811_0001'),
]

operations = [
migrations.RunPython(load_catalog_data)
]
61 changes: 40 additions & 21 deletions controls/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@
from django.views.generic import ListView
from simple_history.utils import update_change_reason

from siteapp.models import Project, Organization
from siteapp.models import Project, Organization, Tag
from siteapp.settings import GOVREADY_URL
from system_settings.models import SystemSettings
from .forms import ElementEditForm
Expand Down Expand Up @@ -651,12 +651,21 @@ def as_json(self):

of["system-security-plan"]["metadata"]['roles'] = [{"id": auths.get('role', "member").split(';')[0], "title": auths.get('role', "member").split(';')[0].capitalize() } for user, auths in users]
of["system-security-plan"]["system-implementation"]['users'] = [{"uuid":user_party_uuid, "title":user.username, "role-ids": [auths.get('role', "member").split(';')[0]]} for user, auths in users]
of["system-security-plan"]["system-implementation"]['components'] = [{"uuid":str(comp_ele.uuid), "title":comp_ele.name, "description":comp_ele.description, "status": {"state": comp_ele.component_state}, "type":comp_ele.component_type, "responsible-roles": [{
"role-id": "asset-owner",
"party-uuids": [
user_party_uuid
]
}]} for comp_ele in components]# TODO: responsible-roles
of["system-security-plan"]["system-implementation"]['components'] = [{"uuid":str(comp_ele.uuid),
"title":comp_ele.name,
"description":comp_ele.description,
"status": {"state": comp_ele.component_state},
"type":comp_ele.component_type,
"responsible-roles": [{
"role-id": "asset-owner",
"party-uuids": [user_party_uuid]
}],
"props": [{"name": "tag",
"ns": "https://govready.com/ns/oscal",
"value": tag.label} for tag in
comp_ele.tags.all()]
} for comp_ele in components]# TODO: responsible-roles

# System characteristics
# TODO: status remarks, authorization-boundary
security_body = project.system.get_security_impact_level
Expand Down Expand Up @@ -768,8 +777,7 @@ def as_json(self):
"last-modified": self.element.updated.replace(microsecond=0).isoformat(),
"version": self.element.updated.replace(microsecond=0).isoformat(),
"oscal-version": self.element.oscal_version,
"parties": parties,
"props": props
"parties": parties
},
"components": [
{
Expand All @@ -778,6 +786,7 @@ def as_json(self):
"title": self.element.full_name or self.element.name,
"description": self.element.description,
"responsible-roles": responsible_roles, # TODO: gathering party-uuids, just filling for now
"props": props,
"control-implementations": control_implementations
}
]
Expand Down Expand Up @@ -966,8 +975,17 @@ def create_component(self, component_json):
)

logger.info(f"Component {new_component.name} created with UUID {new_component.uuid}.")

component_props = component_json.get('props', None)
if component_props is not None:
desired_tags = set([prop['value'] for prop in component_props if prop['name'] == 'tag' and 'ns' in prop and prop['ns'] == "https://govready.com/ns/oscal"])
existing_tags = Tag.objects.filter(label__in=desired_tags).values('id', 'label')
tags_to_create = desired_tags.difference(set([tag['label'] for tag in existing_tags]))
new_tags = Tag.objects.bulk_create([Tag(label=tag) for tag in tags_to_create])
all_tag_ids = [tag.id for tag in new_tags] + [tag['id'] for tag in existing_tags]
new_component.add_tags(all_tag_ids)
new_component.save()
control_implementation_statements = component_json.get('control-implementations', None)
# catalog = "missing"
# If there data exists the OSCAL component's control-implementations key
if control_implementation_statements:
for control_element in control_implementation_statements:
Expand Down Expand Up @@ -1250,6 +1268,7 @@ def component_library_component(request, element_id):
"impl_smts": impl_smts,
"is_admin": request.user.is_superuser,
"enable_experimental_opencontrol": SystemSettings.enable_experimental_opencontrol,
"form_source": "component_library"
}
return render(request, "components/element_detail_tabs.html", context)

Expand Down Expand Up @@ -1298,6 +1317,7 @@ def component_library_component(request, element_id):
"enable_experimental_opencontrol": SystemSettings.enable_experimental_opencontrol,
"enable_experimental_oscal": SystemSettings.enable_experimental_oscal,
"opencontrol": opencontrol_string,
"form_source": "component_library"
}
return render(request, "components/element_detail_tabs.html", context)

Expand All @@ -1312,6 +1332,8 @@ def api_controls_select(request):
cxs = []
for catalog in catalogs_containing_cl_id:
catalog_key_display = catalog.catalog_key.replace("_", " ")
# TODO: get control title effectively from CatalogData
# title = "catalog.ctl_title"
cxs.append({"id": oscal_ctl_id, 'catalog_key_display': catalog_key_display, 'display_text': f"{oscal_ctl_id} - {catalog_key_display} - {cl_id}"})
status = "success"
message = "Sending list."
Expand Down Expand Up @@ -1998,20 +2020,18 @@ def save_smt(request):
else:
new_statement_type_enum = StatementTypeEnum[form_values['statement_type'].upper()]
# Create new Statement object
new_sid_class = form_values['sid_class'].replace(" ","_") # convert displayed catalog name to catalog_key
statement = Statement(
sid=oscalize_control_id(form_values['sid']),
sid_class=form_values['sid_class'],
sid_class=new_sid_class,
source=new_sid_class,
body=form_values['body'],
pid=form_values['pid'],
statement_type=new_statement_type_enum.name,
status=form_values['status'],
remarks=form_values['remarks'],
)
new_statement = True
# Convert the human readable catalog name to proper catalog key, if needed
# from human readable `NIST SP-800-53 rev4` to `NIST_SP-800-53_rev4`
statement.sid_class = statement.sid_class.replace(" ","_")


# Updating or saving a new producer_element?
try:
Expand Down Expand Up @@ -2048,8 +2068,7 @@ def save_smt(request):
except Exception as e:
statement_status = "error"
statement_msg = "Statement save failed while saving statement prototype. Error reported {}".format(e)
return JsonResponse({"status": "error", "message": statement_msg})

return JsonResponse({"status": statement_status, "message": statement_msg})
# Retain only prototype statement if statement is created in the component library
# A statement of type `control_implementation` should only exists if associated a consumer_element.
# When the statement is created in the component library, no consuming_element will exist.
Expand All @@ -2058,13 +2077,13 @@ def save_smt(request):
# - Skip the associating the statement with the system's root_element because we do not have a system identified
statement_del_msg = ""
if "form_source" in form_values and form_values['form_source'] == 'component_library':
# Form source is part of form
# Form received from component library
from django.core import serializers
serialized_obj = serializers.serialize('json', [statement, ])
# Delete statement
Statement.objects.filter(pk=statement.id).delete()
statement.delete()
statement_del_msg = "Statement unassociated with System/Consumer Element deleted."
statement_del_msg = "Orphaned Control_Implementation Statement deleted."
else:
# Associate Statement and System's root_element
system_id = form_values['system_id']
Expand All @@ -2087,13 +2106,13 @@ def save_smt(request):

# Save Statement object
try:
statement.save()
if not new_statement:
statement.save()
statement_msg = "Statement saved."
messages.add_message(request, messages.INFO, f"Statement {smt_id} Saved")
except Exception as e:
statement_status = "error"
statement_msg = "Statement save failed. Error reported {}".format(e)

return JsonResponse({"status": statement_status, "message": statement_msg})
# Return successful save result to web page's Ajax request
return JsonResponse(
Expand Down
12 changes: 12 additions & 0 deletions q-files/vendors/govready/components/OSCAL/cybrary.json
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,18 @@
"type": "software",
"title": "Cybrary",
"description": "Training course",
"props": [
{
"name": "tag",
"ns": "https://govready.com/ns/oscal",
"value": "sample"
},
{
"name": "tag",
"ns": "https://govready.com/ns/oscal",
"value": "training"
}
],
"responsible-roles": [
{
"role-id": "supplier",
Expand Down
7 changes: 7 additions & 0 deletions q-files/vendors/govready/components/OSCAL/ilias.json
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,13 @@
"type": "software",
"title": "ILIAS",
"description": "ILIAS Training course",
"props": [
{
"name": "tag",
"ns": "https://govready.com/ns/oscal",
"value": "sample"
}
],
"responsible-roles": [
{
"role-id": "supplier",
Expand Down
5 changes: 3 additions & 2 deletions siteapp/admin.py
Original file line number Diff line number Diff line change
Expand Up @@ -155,8 +155,9 @@ class SupportAdmin(admin.ModelAdmin):
fields = ('text', 'email', 'phone', 'url')

class TagAdmin(admin.ModelAdmin):
list_display = ('label', 'system_created')
fields = ('label', 'system_created')
list_display = ('id', 'label', 'system_created')
fields = ('id', 'label', 'system_created')
readonly_fields = ('id',)

class ProjectAssetAdmin(admin.ModelAdmin):
list_display = ('uuid', 'asset_type', 'description', 'project', 'default', 'title', 'filename', 'created', 'updated')
Expand Down
28 changes: 0 additions & 28 deletions siteapp/management/commands/first_run.py
Original file line number Diff line number Diff line change
Expand Up @@ -123,34 +123,6 @@ def handle(self, *args, **options):
# One or more superusers already exists
print("\n[INFO] Superuser(s) already exists, not creating default admin superuser. Did you specify 'govready_admins' in 'local/environment.json'? Did you specify an admin or are you connecting to a persistent database?\n")

# Load the default control catalogs and baselines
CATALOG_PATH = os.path.join(os.path.dirname(__file__),'..','..','..','controls','data','catalogs')
BASELINE_PATH = os.path.join(os.path.dirname(__file__),'..','..','..','controls','data','baselines')

# TODO: Check directory exists
catalog_files = [file for file in os.listdir(CATALOG_PATH) if file.endswith('.json')]
# Load catalog and baseline data into database records from source files if data records do not exist in database
for cf in catalog_files:
catalog_key = cf.replace("_catalog.json", "")
with open(os.path.join(CATALOG_PATH,cf), 'r') as json_file:
catalog_json = json.load(json_file)
baseline_filename = cf.replace("_catalog.json", "_baselines.json")
if os.path.isfile(os.path.join(BASELINE_PATH, baseline_filename)):
with open(os.path.join(BASELINE_PATH, baseline_filename), 'r') as json_file:
baselines_json = json.load(json_file)
else:
baselines_json = {}

catalog, created = CatalogData.objects.get_or_create(
catalog_key=catalog_key,
catalog_json=catalog_json,
baselines_json=baselines_json
)
if created:
print(f"{catalog_key} record created into database")
else:
print(f"{catalog_key} record found in database")

# Install default AppSources and compliance apps if no AppSources installed
if not AppSource.objects.filter(slug="govready-q-files-startpack").exists():
# Create AppSources that we want.
Expand Down
7 changes: 6 additions & 1 deletion siteapp/settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -256,9 +256,14 @@ def make_secret_key():
'ENGINE': 'django.db.backends.sqlite3',
'NAME': local('db.sqlite3'),
'CONN_MAX_AGE': 60*5, # 5 min
'timeout': 30,
'OPTIONS': {
'timeout': 30, # in seconds
# see also
# https://docs.python.org/3.7/library/sqlite3.html#sqlite3.connect
}
}
}

if not environment.get('db'):
# Ensure the 'local' directory exists for the default Sqlite
# database and then try touching the path to check for write
Expand Down
3 changes: 3 additions & 0 deletions siteapp/tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -324,6 +324,7 @@ def setUp(self):
}
}
)
var_sleep(1)
load_modules().handle() # load system modules

AppSource.objects.get_or_create(
Expand All @@ -340,6 +341,8 @@ def setUp(self):
# tests. The Selenium tests require a separate log in via the
# headless browser.

var_sleep(2)

# self.user = User.objects.create_superuser(
self.user = wait_for_sleep_after(lambda: User.objects.get_or_create(
username="me",
Expand Down
11 changes: 4 additions & 7 deletions templates/components/element_detail_tabs.html
Original file line number Diff line number Diff line change
Expand Up @@ -388,16 +388,13 @@ <h3>Systems</h3>
}

function set_catalog_key(display_text, element) {
// Determine the catalog from the selected display_text
// Set the sid_class field to the catalogkey based on splitting the selected display_text
// Split text
displaytext = display_text.split(' - ');
var first = displaytext.shift(); //or arr[arr.length-1];
var last = displaytext.pop(); //or arr[0];
dtv = [first, displaytext.join(" - "), last]; // [control_id, title, catalog_key]

ck = dtv[2]

$(element).val(ck)
var catalog = displaytext.shift(); //or arr[0];
dtv = [first, displaytext.join(" - "), catalog]; // [control_id, catalog_key - match string]
$(element).val(dtv[2])
}

function save_smt(smt_panel_num) {
Expand Down
2 changes: 1 addition & 1 deletion templates/controls/add_smt_form.html
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
<option value='' disabled selected>Enter control ID (e.g., ac-2, CM-3(1), 3.1.3)</option>
</select>
<input type="hidden" id="sid_class_panel_num" name="sid_class" prompt="Enter catalog_key" value="{{ catalog_key }}">
<input type="hidden" id="form_source_panel_num" name="form_source" prompt="Form source" value="component_library">
<input type="hidden" id="form_source_panel_num" name="form_source" prompt="Form source" value="{{ form_source }}">
</div>
<div class="form-group">
<input type="hidden" id="smt_id" name="smt_id" value="">
Expand Down

0 comments on commit 8be41a0

Please sign in to comment.