Add a 'blank' project with no questions useful for batch project creation #1634
Merged
This is just a data change -- no code is changed, just a new compliance app added to starter pack.
gregelin added a commit that referenced this pull request (Jun 23, 2021):
* Filter SAR Deployment form dropdown to System's deployments
* Filter SAR Deployment form dropdown to System's deployments
* Create a simple SAR server to generate test data. Create a simple System Assessment Result web server generating JSON data object listing assessment summary results that can be added to a system's assessment. This provides a synthetic provider of SAR results data from which we can test the UI for consuming SAR data.
* Better SAR displays, wrap SAR item data. Polish SAR summary page - use details tag, other improvements. Polish SAR list page - include deployment name. Wrap SAR test item to start to make more realistic SAR data. Display assessment name in Assessment model admin list.
* Add sar_etl.py example middleware app
* Use project-base.html in deployment detail page. Misc improvements to sar generator and middleware. Include description value for SAR wrapper.
* Remove hardcoded data from SAR middleware pipeline. Remove hardcoded values of system id and deployment id from SAR middleware pipeline. Pass as many values as possible in SAR wrapper object. Properly handle UUID to string and back again. Post assessment to system without a deployment ID. Display project id, system id on project pages.
* Support Wazuh SCA results in SAR pipeline. Add `tools/simple_sar_server/wazuh_etl.py` to support Wazuh SCA results in SAR pipeline. Display all summary values of a SAR result for each inventory item using a loop and table.
* Improve styling of inventory-item results display
* Improve styling of inventory-item results display 2
* Improve styling of inventory-item results display 2
* Improve styling of inventory-item results display 3
* attempting multiple catalog output
* don't want install py changes
* Add clear links for forgot password, change password
* Update stub_app for input, components. Update stub_app used by compliance_app command for generating compliance app to include "input" and "output" section; and to have folders for templates, utils, and components. Add in exception for integrity error to eventually support gracefully handling.
* Closes #1547 Display impact level on project page. Implement impact level as a statement about a system of type "fisma_impact_level" with impact level in body. This continues idea that statements are factual observations about a system. Statement must be associated with system.root_element and be consumed by root_element.
* note as with any change to the document data to be rendered need to press the refresh documents button to see changes. Removing cache removal function.
* spelling
* Need default of None if there are no control catalogs present
* also need try/except for test_render_markdown_to_text since there are no projects for this test.
* ISPGBSS-208 Added new fields to system settings and created migrations
* make sure to send catalog_key for sid_class form_value
* checking for statement sid class
* Add tests for fisma_impact_level_display
* need to filter statements by sid class as well. some optimization on catalog retrieval
* Add StatementTypeEnum. Enumerate different type of statements
* modularizing some common data retrievals.
* Added empty my_component.json file
* only save once at the end of all possible changes
* added better logging to find bad templates faster
* Report OSCAL component schema validation error to stdout. Provide better error reporting on import component schema validation. Report actual validation error to stdout.
* Merge v0.9.3.4 into develop
* ISPGBSS-208 ISPGBSS-261 Refactored previous changes to implement timeout through environment variables instead of db based setting.
* implemented a full example of multiple catalogs in a new govready-qfiles-startpack app source multi-catalog.
* remove extra prints
* put "Manage Import Records" button last. Rearrange Create | Import | Manage component buttons
* Immediately assign change project perms to user starting project. This fixes a bug where non-admin users were not assigned permissions to change a project started by the user until after several project modification steps were performed. The fix assigns non-admin project change permissions right after project and system is created and before further actions are made to project, such as setting baseline controls.
* Update CHANGELOG
* Set system fisma_impact_level smt as question action with new set/get methods. Set system fisma_impact_level root_element statement as part of question action to set baseline. Since baselines could have more names than just "Low", "Moderate", and "High", we only set fisma_impact_level if baseline is one of those three. This might need to improve in the future and make setting fisma_impact_level a separate question action from setting baselines. Created set/get methods for fisma_impact_level in System model to make sure only one statement for the system with statement_type of fisma_impact_level existed. Also fixed POAM stat counting to only count POAMs associated with current system. Existing POAM count was not filtering on current system.
* Update CHANGELOG
* Update CHANGELOG.md spelling
* Update navbar.html
* Update project.html all caps no breaks
* fixing fisma display test (#1566)
* fixes a few typos in HTML templates (#1565)
* fix filtering for components on adding a component search box. (#1567)
* Docker Local Development implementation (#1555)
* wip
* Local development rework based on deployments repo
* adding +x
* added action for running and some clean up and docs
* Added docker engine check
* added another message at end
* more faq
* changelog
* added selenium & chrome support
* document quick fix
* regression
* readme change
* added var
* Update dev_env/run.py. Co-authored-by: davidpofo <dampofo@umd.edu>
* space. Co-authored-by: davidpofo <dampofo@umd.edu>
* ISPGBSS-208 ISPGBSS-261 Added test for session setting ping
* Fixed a bug where ssh files weren't brought over on restart
* Faster retrieval of component cntl smts, show cntl titles. Retrieve component control statement much faster by getting just related catalog_control_as_dict for statement. Also add statement property to get control title. Display control title on component control pages.
* Faster retrieval of component control statements, show control titles (#1570)
* Faster retrieval of component cntl smts, show cntl titles. Retrieve component control statement much faster by getting just related catalog_control_as_dict for statement. Also add statement property to get control title. Display control title on component control pages.
* Update element_detail_tabs.html. system_tags aren't used anywhere. Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: davidpofo <dampofo@umd.edu>
* enums need to match case of value. adding smt id to logs
* use enums' value to cover the expected values everywhere for statement type.
* remove asserts comment
* ISPGBSS-208 ISPGBSS-261 Used requirements_txt_updated.sh to update requirements.txt as per PR review.
* Display control catalog guidance text in `details` tag. Display control catalog guidance text in `details` tag next to component control implementation statements. Also clean up some html on component detail pages, move some styles to main `govready-q.css` file.
* Left align text in project action buttons
* Improve project pages appearance: decrease action button width and left align text; widen from 9 to 10 columns main content.
* Update CHANGELOG
* Search component library by tag, make component tags clickable
* Better notification when project smt differs from certified. Better notify users when project implementation statement differs from certified by displaying notice in third column control detail pages. Improve language notifying users that project implementation statement differs from certified. Only difference notice is clickable now.
* Add DB page for AppInput
* Add input_type to AppInputs
* ISPGBSS-261 Fixed issues related to PR review.
* Da/last min develop (#1582)
* Add new options to runner.py environment. PR 1572 missed changelog. also change log for PR 1535 was missed for the last release
* also mention nplusone.
* commenting out session security for now until issue with js is fixed.
* unnecessary return
* fixing statement types
* a few more statement type fixes
* removing feature that is a WIP
* adding some time to avoid the erroneous failures.
* more sleep
* skipping bad integration tests. (#1585)
* missing statetypeenum import
* added SECURITY_IMPACT_LEVEL to statements. Created a components enum
* Ge/develop test 0516 (#1595)
* Release/v0.9.3.5 (#1586)
* Filter SAR Deployment form dropdown to System's deployments
* Filter SAR Deployment form dropdown to System's deployments
* Create a simple SAR server to generate test data. Create a simple System Assessment Result web server generating JSON data object listing assessment summary results that can be added to a system's assessment. This provides a synthetic provider of SAR results data from which we can test the UI for consuming SAR data.
* Better SAR displays, wrap SAR item data. Polish SAR summary page - use details tag, other improvements. Polish SAR list page - include deployment name. Wrap SAR test item to start to make more realistic SAR data. Display assessment name in Assessment model admin list.
* Add sar_etl.py example middleware app
* Use project-base.html in deployment detail page. Misc improvements to sar generator and middleware. Include description value for SAR wrapper.
* Remove hardcoded data from SAR middleware pipeline. Remove hardcoded values of system id and deployment id from SAR middleware pipeline. Pass as many values as possible in SAR wrapper object. Properly handle UUID to string and back again. Post assessment to system without a deployment ID. Display project id, system id on project pages.
* Support Wazuh SCA results in SAR pipeline. Add `tools/simple_sar_server/wazuh_etl.py` to support Wazuh SCA results in SAR pipeline. Display all summary values of a SAR result for each inventory item using a loop and table.
* Improve styling of inventory-item results display
* Improve styling of inventory-item results display 2
* Improve styling of inventory-item results display 2
* Improve styling of inventory-item results display 3
* attempting multiple catalog output
* don't want install py changes
* Add clear links for forgot password, change password
* Update stub_app for input, components. Update stub_app used by compliance_app command for generating compliance app to include "input" and "output" section; and to have folders for templates, utils, and components. Add in exception for integrity error to eventually support gracefully handling.
* Closes #1547 Display impact level on project page. Implement impact level as a statement about a system of type "fisma_impact_level" with impact level in body. This continues idea that statements are factual observations about a system. Statement must be associated with system.root_element and be consumed by root_element.
* note as with any change to the document data to be rendered need to press the refresh documents button to see changes. Removing cache removal function.
* spelling
* Need default of None if there are no control catalogs present
* also need try/except for test_render_markdown_to_text since there are no projects for this test.
* ISPGBSS-208 Added new fields to system settings and created migrations
* make sure to send catalog_key for sid_class form_value
* checking for statement sid class
* Add tests for fisma_impact_level_display
* need to filter statements by sid class as well. some optimization on catalog retrieval
* Add StatementTypeEnum. Enumerate different type of statements
* modularizing some common data retrievals.
* Added empty my_component.json file
* only save once at the end of all possible changes
* added better logging to find bad templates faster
* Report OSCAL component schema validation error to stdout. Provide better error reporting on import component schema validation. Report actual validation error to stdout.
* Merge v0.9.3.4 into develop
* ISPGBSS-208 ISPGBSS-261 Refactored previous changes to implement timeout through environment variables instead of db based setting.
* implemented a full example of multiple catalogs in a new govready-qfiles-startpack app source multi-catalog.
* remove extra prints
* put "Manage Import Records" button last. Rearrange Create | Import | Manage component buttons
* Immediately assign change project perms to user starting project. This fixes a bug where non-admin users were not assigned permissions to change a project started by the user until after several project modification steps were performed. The fix assigns non-admin project change permissions right after project and system is created and before further actions are made to project, such as setting baseline controls.
* Update CHANGELOG
* Set system fisma_impact_level smt as question action with new set/get methods. Set system fisma_impact_level root_element statement as part of question action to set baseline. Since baselines could have more names than just "Low", "Moderate", and "High", we only set fisma_impact_level if baseline is one of those three. This might need to improve in the future and make setting fisma_impact_level a separate question action from setting baselines. Created set/get methods for fisma_impact_level in System model to make sure only one statement for the system with statement_type of fisma_impact_level existed. Also fixed POAM stat counting to only count POAMs associated with current system. Existing POAM count was not filtering on current system.
* Update CHANGELOG
* Update CHANGELOG.md spelling
* Update navbar.html
* Update project.html all caps no breaks
* fixing fisma display test (#1566)
* fixes a few typos in HTML templates (#1565)
* fix filtering for components on adding a component search box. (#1567)
* Docker Local Development implementation (#1555)
* wip
* Local development rework based on deployments repo
* adding +x
* added action for running and some clean up and docs
* Added docker engine check
* added another message at end
* more faq
* changelog
* added selenium & chrome support
* document quick fix
* regression
* readme change
* added var
* Update dev_env/run.py. Co-authored-by: davidpofo <dampofo@umd.edu>
* space. Co-authored-by: davidpofo <dampofo@umd.edu>
* ISPGBSS-208 ISPGBSS-261 Added test for session setting ping
* Fixed a bug where ssh files weren't brought over on restart
* Faster retrieval of component cntl smts, show cntl titles. Retrieve component control statement much faster by getting just related catalog_control_as_dict for statement. Also add statement property to get control title. Display control title on component control pages.
* Faster retrieval of component control statements, show control titles (#1570)
* Faster retrieval of component cntl smts, show cntl titles. Retrieve component control statement much faster by getting just related catalog_control_as_dict for statement. Also add statement property to get control title. Display control title on component control pages.
* Update element_detail_tabs.html. system_tags aren't used anywhere. Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: davidpofo <dampofo@umd.edu>
* enums need to match case of value. adding smt id to logs
* use enums' value to cover the expected values everywhere for statement type.
* remove asserts comment
* ISPGBSS-208 ISPGBSS-261 Used requirements_txt_updated.sh to update requirements.txt as per PR review.
* Display control catalog guidance text in `details` tag. Display control catalog guidance text in `details` tag next to component control implementation statements. Also clean up some html on component detail pages, move some styles to main `govready-q.css` file.
* Search component library by tag, make component tags clickable
* Better notification when project smt differs from certified. Better notify users when project implementation statement differs from certified by displaying notice in third column control detail pages. Improve language notifying users that project implementation statement differs from certified. Only difference notice is clickable now.
* ISPGBSS-261 Fixed issues related to PR review.
* Da/last min develop (#1582)
* Add new options to runner.py environment. PR 1572 missed changelog. also change log for PR 1535 was missed for the last release
* also mention nplusone.
* commenting out session security for now until issue with js is fixed.
* unnecessary return
* fixing statement types
* a few more statement type fixes
* removing feature that is a WIP
* adding some time to avoid the erroneous failures.
* more sleep
* skipping bad integration tests. (#1585)
* update version and changelog. Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Greg Elin <gregelin@govready.com> Co-authored-by: Azhar Mian <azharem@gmail.com> Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> Co-authored-by: Peter Kaminski <peter.kaminski@govready.com>
* Fix for handling unset SESSION timeout params (#1587)
* Fix to handle unset SESSION timeout params. Fixes missing key error in settings.py for `SESSION_SECURITY...` params when param missing. Testing was done only in dev env where DEBUG was always set.
* Update CHANGELOG, VERSION. Co-authored-by: Greg Elin <greg.elin@govready.com>
* Restore `common-tab-count` styles (#1588)
* Restore `common-tab-count` styles. Restore a `common-tab-count` and `component-tab-count` styles accidentally not added to `govready-q.css` style sheet.
* Update requirements.txt. Co-authored-by: Greg Elin <greg.elin@govready.com>
* Fix cmpt search result, smt count on action, session timeout err. Fix various issues. Fix component search results returning multiple copies. Fix Session Timeout showing 500 error after being away from site. Fix control count on actions where too many control statements were trying to be added instead of statements of control implementation prototypes.
* Reload component detail page after adding control statement. Have page reload after adding control statement to a component in the library to avoid non-feedback to user and user having to refresh the page. Also fix ImportExportProjectTests test
* Upgrade to Django 3.2.3. Upgrade to Django 3.2.3 to correct for Snyk indicated vulnerability in Django 3.1.8 https://snyk.io/vuln/SNYK-PYTHON-DJANGO-1279042 Remove documentation-related m2r and sphinx related packages from requirements.in.
* Use 'controls' instead of 'control' in controls/apps.py. Co-authored-by: davidpofo <dampofo@umd.edu> Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Azhar Mian <azharem@gmail.com> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> Co-authored-by: Peter Kaminski <peter.kaminski@govready.com> Co-authored-by: GovReady-Q <govready-q@govready.com> Co-authored-by: Greg Elin <Greg Elin>
* Add management command to export as OSCAL or CSV.
* In Django 3.2.0+ one needs to set type of auto-created primary keys in settings. (could also be done explicitly in each model)
* optimize imports
* set/get methods for an element's security objectives
* first instead of brackets
* adding frontend for a component's security objectives section
* this is implemented for elements. should be SSP instead...
* implemented security objectives for systems. reverting element version
* test
* get project directly
* need an element and system
* ele and system
* added comp state/type to element model, some system sec info to comp gen.
* test
* Add Django mgt cmd importcomponents to batch import components. Updates to generation of components to improve adherence to OSCAL specification by removing certain keys when value for keys is None. Added new parameter `existing_import_record` to importing and creating components to group multiple imports under the same import record.
* Make Elements.description TextField and required. Change Elements.description to TextField and make required. Modify component edit modal to use a textarea for description field. Fixes to show error on problem saving edit to library component
* Use self.element.tags.exists()
* Send proper error message when editing component
* Temporarily remove controls/migrations/0051_auto
* Add back better controls/migrations/0051_auto
* fixed control and sectioning for components in system
* check for security impact level statement when updating. Readding retrieval of security impact levels. todo on separate form for levels.
* adding component_state and component_type to system component and component library display. including component_metadata template to keep styling consistent
* pulling in some of the information from statement about system. Rest would come from questionnaires. system_information_types is not used at all.
* a todo for fisma impact level renaming
* added project_security_objs_edit to edit security objectives separately from project editing.
* update changelog and some wording in the modal
* Move action-button styles from inline to style section
* two views/urls for editing component state and type
* adding component type and state to ElementForm
* adding just the display of the state and type to component library components not the ability to change.
* Work in progress
* Work in progress
* Da/quick insert (#1601)
* make sure component_type not element_type is exported
* ssp versions should be floats not integers. Information types needs a uuid
* adding empty placeholders for the required keys.
* using updated for component version
* party-uuids is still a todo
* categorizations is still a todo
* parties is still a todo
* Fix system ctl detail page err; Improve creating smt from prototypes (#1602). Refactor creating system control statements from component library prototype statements when adding a component from the library to a system and reduce by an order of magnitude the time it takes to add a component to system. Rename smt.create_instance_from_prototype to smt.create_system_control_smt_from_component_prototype_smt. Fix bug breaking rendering of system's control detail page by removing an errant login_required decorator on a function. Add test for system control page. Will add test(s) for system control detail page. Co-authored-by: Greg Elin <greg.elin@govready.com>
* Automatically clear, refresh output document content downloading docs. Performance of document generation now sufficiently fast to not require cache and manual "Refresh documents" button.
* remove comments. changelog
* Fixed an issue where statement didn't exist while exporting to oscal (#1605)
* Fixed an issue where statement didn't exist while exporting to oscal
* Update CHANGELOG. Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> Co-authored-by: Greg Elin <greg.elin@govready.com>
* Align Delete section on project settings (#1604). Co-authored-by: Greg Elin <greg.elin@govready.com>
* Update CHANGELOG
* Ge/file upload extensions (#1607)
* Accepts file uploads with capitalized extensions, e.g. ".JPG". Adjust file upload validator to recognize capitalized extensions and also recognizes ".jpeg" in addition to ".jpg".
* Add tests for validating uppercase extensions on file uploads
* Add test fixture data. Co-authored-by: Greg Elin <greg.elin@govready.com>
* Batch update cntl impl smts when component_statement changes. Implemented a faster way to update status of system controls. When user sets a system component state to "operational" all statements associated with that component for the system get their status set to "Implemented". Similarly, setting component's state to "planned" batch sets all component statements for that system to "Planned", and "under-development" sets component statements to "Partially Implemented". Display system component component_state and component_type when component is listed for a system.
* More okta changes
* export a projects ssp control implementations with export form (#1611)
* export a projects ssp control implementations with export form
* remove comments
* Correct slugify import
* Security update Python 3.2.4 due to https://snyk.io/vuln/SNYK-PYTHON-DJANGO-1298665
* Polish SSP control CSV export form. Co-authored-by: Greg Elin <greg.elin@govready.com>
* Add 'Create a template' button to template library (#1610). Co-authored-by: Greg Elin <greg.elin@govready.com>
* Content-Security-Policy header permit images (*), videos youtube, vimeo
* quick fix for auth
* quick fix for auth
* quick fix for auth
* quick fix for auth
* quick fix for auth
* Force controls csv to download to browser
* quick fix for auth
* quick fix for auth
* test
* test
* test
* test
* test
* last fix and vuln update for django
* last fix and vuln update for django
* 'Back' link to question to take user to previous question (#1612)
* 'Back' link to question to take user to previous question
* Update guidedmodules/views.py. Refactor pulling back_url into project_form. Co-authored-by: davidpofo <dampofo@umd.edu>
* Improve back-button styling. Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: davidpofo <dampofo@umd.edu> Co-authored-by: Greg Elin <greg.elin@govready.com>
* WIP: Side-by-side comparison of components (#1620)
* created checkbox and form for submitting components for comparison. created rough start for displaying differences between prime component and rest
* for now just implementing two comparison
* click to read full text after 50 chars
* styling and added Control part
* displaying comparisons for x number of component statements against the prime component. Styling and abstracted out the comparison block into an included template
* check for pid
* removing detail/summary not really necessary
* Condense comparison listings into rows of a single table. Co-authored-by: Greg Elin <Greg Elin>
* Update CHANGELOG.md
* Rename 'compare' column to 'select' in component library (#1626). Co-authored-by: Greg Elin <Greg Elin>
* Remove portfolio selection modal from Start a Project process. Start projects in user's default portfolio to reduce the clicks starting a project. Use the User.create_default_portfolio_if_missing method consistently to consistently create the user portfolio default portfolio. Remove the PortfolioSignupForm because registration is no longer used in registering users. Remove the '"project_form": AddProjectForm(request.user ...' passed into many templates because the navbar start app option no longer brings up the portfolio select modal.
* Update tests for default portfolio
* Bump VERSION, CHANGELOG
* Update CHANGELOG VERSION
* Add button, form to add AppSource via upload of zip file. Add button, form to App Store to provide front-end UI for administrators to add an AppSource by uploading a zip file. This simplifies setting up an AppSource for first time users. Implementation only validates that uploaded directory is a zip file, does not check if uploaded zip file is valid AppSource directory structure. Implementation assumes apps are in the 'apps' directory.
* Link to library version of component from a system's selected control component
* Display systems using a component (#1618)
* Display systems using a component. Add method controls.element.consuming_systems to produce list of systems consuming (e.g., containing) the element. Add tab to component library component detail page to display list of systems containing the component. Also, always display OSCAL tab in component library for component detail (rather than conditional on 'enable_experimental_opencontrol' parameter).
* Show component system count in tab, better projects.exists query
* Replace list compression with query filters. Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: davidpofo <dampofo@umd.edu>
* Ge/fulltext search (#1631)
* Add fulltext smt search to component library search
* Note fulltext search in CHANGELOG. Co-authored-by: Greg Elin <Greg Elin>
* check if we are in a portfolio when starting a project. If so then use that portfolio and not the default for the user.
* fixed a bug where Elements of type system were shown in the selected components for a project
* Addressing github issue 1630 in group id matching. fixed a bug where Elements of type system were shown in the selected components for a project.
* try/except to still do the component search for non-Postgres users. (#1633)
* Add a 'blank' project with no questions useful for batch project creation (#1634). Co-authored-by: Greg Elin <Greg Elin>
* Add 'blank' compliance app to first_run
* Fix version in CHANGELOG. Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: davidpofo <dampofo@umd.edu> Co-authored-by: Azhar Mian <azharem@gmail.com> Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> Co-authored-by: Peter Kaminski <peter.kaminski@govready.com> Co-authored-by: GovReady-Q <govready-q@govready.com>
gregelin added a commit that referenced this pull request (Jul 15, 2021):
* fixing fisma display test (#1566)
* fixes a few typos in HTML templates (#1565)
* fix filtering for components on adding a component search box. (#1567)
* Docker Local Development implementation (#1555)
* wip
* Local development rework based on deployments repo
* adding +x
* added action for running and some clean up and docs
* Added docker engine check
* added another message at end
* more faq
* changelog
* added selenium & chrome support
* document quick fix
* regression
* readme change
* added var
* Update dev_env/run.py. Co-authored-by: davidpofo <dampofo@umd.edu>
* space. Co-authored-by: davidpofo <dampofo@umd.edu>
* ISPGBSS-208 ISPGBSS-261 Added test for session setting ping
* Fixed a bug where ssh files weren't brought over on restart
* Faster retrieval of component cntl smts, show cntl titles. Retrieve component control statement much faster by getting just related catalog_control_as_dict for statement. Also add statement property to get control title. Display control title on component control pages.
* Faster retrieval of component control statements, show control titles (#1570)
* Faster retrieval of component cntl smts, show cntl titles. Retrieve component control statement much faster by getting just related catalog_control_as_dict for statement. Also add statement property to get control title. Display control title on component control pages.
* Update element_detail_tabs.html. system_tags aren't used anywhere. Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: davidpofo <dampofo@umd.edu>
* enums need to match case of value. adding smt id to logs
* use enums' value to cover the expected values everywhere for statement type.
* remove asserts comment
* ISPGBSS-208 ISPGBSS-261 Used requirements_txt_updated.sh to update requirements.txt as per PR review.
* Display control catalog guidance text in `details` tag. Display control catalog guidance text in `details` tag next to component control implementation statements. Also clean up some html on component detail pages, move some styles to main `govready-q.css` file.
* Left align text in project action buttons
* Improve project pages appearance: decrease action button width and left align text; widen from 9 to 10 columns main content.
* Update CHANGELOG
* Search component library by tag, make component tags clickable
* Better notification when project smt differs from certified. Better notify users when project implementation statement differs from certified by displaying notice in third column control detail pages. Improve language notifying users that project implementation statement differs from certified. Only difference notice is clickable now.
* Add DB page for AppInput
* Add input_type to AppInputs
* ISPGBSS-261 Fixed issues related to PR review.
* Da/last min develop (#1582)
* Add new options to runner.py environment. PR 1572 missed changelog. also change log for PR 1535 was missed for the last release
* also mention nplusone.
* commenting out session security for now until issue with js is fixed.
* unnecessary return
* fixing statement types
* a few more statement type fixes
* removing feature that is a WIP
* adding some time to avoid the erroneous failures.
* more sleep
* skipping bad integration tests. (#1585)
* missing statetypeenum import
* added SECURITY_IMPACT_LEVEL to statements. Created a components enum
* Clean up mixed tabs/spaces
* Loosen git url regex to allow ssh:// and other urls
* Missed some tabs in repatching make_widget() in render()
* Ge/develop test 0516 (#1595)
* Release/v0.9.3.5 (#1586)
* Filter SAR Deployment form dropdown to System's deployments
* Filter SAR Deployment form dropdown to System's deployments
* Create a simple SAR server to generate test data. Create a simple System Assessment Result web server generating JSON data object listing assessment summary results that can be added to a system's assessment. This provides a synthetic provider of SAR results data from which we can test the UI for consuming SAR data.
* Better SAR displays, wrap SAR item data. Polish SAR summary page - use details tag, other improvements. Polish SAR list page - include deployment name. Wrap SAR test item to start to make more realistic SAR data. Display assessment name in Assessment model admin list.
* Add sar_etl.py example middleware app
* Use project-base.html in deployment detail page. Misc improvements to sar generator and middleware. Include description value for SAR wrapper.
* Remove hardcoded data from SAR middleware pipeline. Remove hardcoded values of system id and deployment id from SAR middleware pipeline. Pass as many values as possible in SAR wrapper object. Properly handle UUID to string and back again. Post assessment to system without a deployment ID. Display project id, system id on project pages.
* Support Wazuh SCA results in SAR pipeline. Add `tools/simple_sar_server/wazuh_etl.py` to support Wazuh SCA results in SAR pipeline. Display all summary values of a SAR result for each inventory item using a loop and table.
* Improve styling of inventory-item results display
* Improve styling of inventory-item results display 2
* Improve styling of inventory-item results display 2
* Improve styling of inventory-item results display 3
* attempting multiple catalog output
* don't want install py changes
* Add clear links for forgot password, change password
* Update stub_app for input, components. Update stub_app used by compliance_app command for generating compliance app to include "input" and "output" section; and to have folders for templates, utils, and components. Add in exception for integrity error to eventually support gracefully handling.
* Closes #1547 Display impact level on project page. Implement impact level as a statement about a system of type "fisma_impact_level" with impact level in body. This continues idea that statements are factual observations about a system. Statement must be associated with system.root_element and be consumed by root_element.
* note as with any change to the document data to be rendered need to press the refresh documents button to see changes. Removing cache removal function.
* spelling
* Need default of None if there are no control catalogs present
* also need try/except for test_render_markdown_to_text since there are no projects for this test.
* ISPGBSS-208 Added new fields to system settings and created migrations
* make sure to send catalog_key for sid_class form_value
* checking for statement sid class
* Add tests for fisma_impact_level_display
* need to filter statements by sid class as well. some optimization on catalog retrieval
* Add StatementTypeEnum. Enumerate different type of statements
* modularizing some common data retrievals.
* Added empty my_component.json file
* only save once at the end of all possible changes
* added better logging to find bad templates faster
* Report OSCAL component schema validation error to stdout. Provide better error reporting on import component schema validation. Report actual validation error to stdout.
* Merge v0.9.3.4 into develop
* ISPGBSS-208 ISPGBSS-261 Refactored previous changes to implement timeout through environment variables instead of db based setting.
* implemented a full example of multiple catalogs in a new govready-qfiles-startpack app source multi-catalog.
* remove extra prints
* put "Manage Import Records" button last. Rearrange Create | Import | Manage component buttons
* Immediately assign change project perms to user starting project. This fixes a bug where non-admin users were not assigned permissions to change a project started by the user until after several project modification steps were performed. The fix assigns non-admin project change permissions right after project and system is created and before further actions are made to project, such as setting baseline controls.
* Update CHANGELOG * Set system fisma_impact_level smt as question action with new set/get methods Set system fisma_impact_level root_element statement as part of question action to set baseline. Since baselines could have more names than just "Low", "Moderate", and "High", we only set fisma_impact_level if baseline is one of those three. This might need to improve in the future and make setting fisma_impact_level a separate question action from setting baselines. Created set/get methods for fisma_impact_level in System model to make sure only one statement for the system with statement_type of fisma_impact_level existed. Also fixed POAM stat counting to only count POAMs associated with current system. Existing POAM count was not filtering on current system. * Update CHANGELOG * Update CHANGELOG.md spelling * Update navbar.html * Update project.html all caps no brakes * fixing fisma display test (#1566) * fixes a few typos in HTML templates (#1565) * fix filtering for components on adding a component search box. (#1567) * Docker Local Development implementation (#1555) * wip * Local development rework based on deployments repo * adding +x * added action for running and some clean up and docs * Added docker engine check * added another message at end * more faq * changelog * added selenium & chrome support * document quick fix * regression * readme change * added var * Update dev_env/run.py Co-authored-by: davidpofo <dampofo@umd.edu> * space Co-authored-by: davidpofo <dampofo@umd.edu> * ISPGBSS-208 ISPGBSS-261 Added test for session setting ping * Fixed a bug where ssh files weren't brought over on restart * Faster retrieval of component cntl smts, show cntl titles Retrieve component control statement much faster by getting just related catalog_control_as_dict for statement. Also add statement property to get control title. Display control title on component control pages. 
* Faster retrieval of component control statements, show control titles (#1570) * Faster retrieval of component cntl smts, show cntl titles Retrieve component control statement much faster by getting just related catalog_control_as_dict for statement. Also add statement property to get control title. Display control title on component control pages. * Update element_detail_tabs.html system_tags aren't used anywhere Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: davidpofo <dampofo@umd.edu> * enums need to match case of value. adding smt id to logs * use enums' value to cover the expected values everye where for statement type. * remove asserts comment * ISPGBSS-208 ISPGBSS-261 Used requirements_txt_updated.sh to update requirements.txt as per PR review. * Display control catalog guidance text in `details` tag Display control catalog guidance text in `details` tag next to component control implementation statements. Also clean up some html on component detail pages, move some styles to main `govready-q.css` file. * Search component library by tag, make component tags clickable * Better notifification when project smt differs from certified Better notify users when project implementation statement differs from certified by displaying notice in third column control detail pages. Improve language notifying users that project implementation statement differs from certified. Only difference notice is clickable now. * ISPGBSS-261 Fixed issues related to PR review. * Da/last min develop (#1582) * Add new options to runner.py environment. PR 1572 missed changelog. also change log for PR 1535 was missed for the last release * also mention nplusone. * commenting out session security for now until issue with js is fixed. * unnecessary return * fixing statement types * a few more statement type fixes * removing feature that is a WIP * adding some time to avoid the erroneous failures. * more sleep * skipping bad integration tests. 
(#1585) * update version and changelog Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Greg Elin <gregelin@govready.com> Co-authored-by: Azhar Mian <azharem@gmail.com> Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> Co-authored-by: Peter Kaminski <peter.kaminski@govready.com> * Fix for handling unset SESSION timeout params (#1587) * Fix to handle unset SESSION timeout params Fixes missing key error in settings.py for `SESSION_SECURITY...` params when param missing. Testing was done only in dev env where DEBUG was always set. * Update CHANGELOG, VERSION Co-authored-by: Greg Elin <greg.elin@govready.com> * Restore `common-tab-count` styles (#1588) * Restore `common-tab-count` styles Restore a `common-tab-count` and `component-tab-count` styles accidentally not added to `govready-q.css` style sheet. * Update requirements.txt Co-authored-by: Greg Elin <greg.elin@govready.com> * Fix cmpt search result, smt count on action, session timeout err Fix various issues. Fix component search results returning multiple copies. Fix Session Timeout showing 500 error after being away from site. Fix control count on actions where too many control statements were trying to be added instead of statements of control implementation prototypes. * Reload component detail page after adding control statement Have page reload after adding control statement to a component in the library to avoid non-feedback to user and user having to refresh the page. Also fix ImportExportProjectTests test * Upgrade to Django 3.2.3 Upgrade to Django 3.2.3 to correct for Snyk indicated vulnerability in Django 3.1.8 https://snyk.io/vuln/SNYK-PYTHON-DJANGO-1279042 Remove documentation-related m2r and sphinx related packages from requirements.in. 
* Use 'controls' instead of 'control' in controls/apps.py Co-authored-by: davidpofo <dampofo@umd.edu> Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Azhar Mian <azharem@gmail.com> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> Co-authored-by: Peter Kaminski <peter.kaminski@govready.com> Co-authored-by: GovReady-Q <govready-q@govready.com> Co-authored-by: Greg Elin <Greg Elin> * Add management command to export as OSCAL or CSV. * In Django 3.2.0+ on need to set type of auto-created primary keys in settings. (could also be done explicitly in each model) * optimize imports * set/get methods for an element's security objectives * first instead of brackets * adding frontend for a component's security objectives section * this is implemented for elements. should be SSP instead... * implemented security objectives for systems. reverting element version * test * get project directly * need an element and system * ele and system * added comp state/type to element model, some system sec info to comp gen. * test * Add Django mgt cmd importcomponents to batch import components Updates to generation of components to improve adherence to OSCAL specification by removing certain keys when value for keys is None. Added new parameter `existing_import_record` to importing and creating components to group multiple imports under the same import record. * Make Elements.description TextField and required Change Elements.description to TextField and make required. Modify component edit modal to use a textarea for description field. Fixes to show error on problem saving edit to library component * Use self.element.tags.exists() * Send proper error message when editing component * Temporarily remove controls/migrations/0051_auto * Add back better controls/migrations/0051_auto * fixed control and sectioning for components in system * check for security impact level statement when updating. Readding retrieval of security impact levels. 
todo on separate form for levels. * adding component_state and component_type to system component and component library display. including component_metadata template to keep styling consistent * pulling in some of the information from statement about system. Rest would come from questionnaires. system_information_types is not used at all. * a todo for fisma impact level renaming * added project_security_objs_edit to edit security objectives separately from project editing. * update changelog and some wording in the modal * Move action-button styles from inline to style section * two views/urls for editing component state and type * adding component type and state to ElementForm * adding just the display of the state and type to component library components not the ability to change. * changelog * FISMA IMPACT LEVEL is now SECURITY SENSITIVITY LEVEL * Work inprogress * Work inprogress * Da/quick insert (#1601) * make sure component_type not element_type is exported * ssp versions should be floats not integers. Information types needs a uuid * adding empty placeholders for the required keys. * using updated for component version * party-uuids is still a todo * categorizations is still a todo * parties is still a todo * Fix system ctl detail page err; Improve creating smt from prototypes (#1602) Refactor creating system control statements from component library prototype statements when adding a component from the library to a system and reduce by an order a magnitude the time it takes to add a component to system. Rename smt.create_instance_from_prototype to smt.create_system_control_smt_from_component_prototype_smt Fix bug breaking rendering of system's control detail page by removing an errant login_required decorator on a function. Add test for system control page. Will add test(s) for system control detail page. 
Co-authored-by: Greg Elin <greg.elin@govready.com> * Automatically clear, refresh output document content downloading docs Performnce of document generation now sufficiently fast to not require cache and manual "Refresh documents" button. * remove comments. changelog * Fixed an issue where statement didn't exist while exporting to oscal (#1605) * Fixed an issue where statement didn't exist while exporting to oscal * Update CHANGELOG Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> Co-authored-by: Greg Elin <greg.elin@govready.com> * Align Delete section on project settings (#1604) Co-authored-by: Greg Elin <greg.elin@govready.com> * Update CHANGELOG * Ge/file upload extensions (#1607) * Accepts file uploads with capitalized extensions, e.g. ".JPG". Adjust file upload validator to recognize capitalized extensions and also recognizes ".jpeg" in addition to ".jpg". * Add tests for validating uppercase extensions on file uploads * Add test fixture data Co-authored-by: Greg Elin <greg.elin@govready.com> * Batch update cntl impl smts when component_statement changes Implemented a faster way to update status of system controls. When user sets a system component state to "operational" all statements associated with that component for the system get their status set to "Implemented". Similarly, setting component’s state to "planned" batch sets all component statements for that system to "Planned", and "under-development" sets component statements to "Partially Implemented". Display system component component_state and component_type when component is listed for a system. 
* More okta changes * export a projects ssp control implementations with export form (#1611) * export a projects ssp control implementations with export form * remove comments * Correct slugify import * Security update Python 3.2.4 due to https://snyk.io/vuln/SNYK-PYTHON-DJANGO-1298665 * Polish SSP control CSV export form Co-authored-by: Greg Elin <greg.elin@govready.com> * Add 'Create a template' button to template library (#1610) Co-authored-by: Greg Elin <greg.elin@govready.com> * Content-Security-Policy header permit images (*), videos youtube, vimeo * quick fix for auth * quick fix for auth * quick fix for auth * quick fix for auth * quick fix for auth * Force controls csv to download to browser * quick fix for auth * quick fix for auth * test * test * test * test * test * last fix and vuln update for django * last fix and vuln update for django * 'Back' link to question to take user to previous question (#1612) * 'Back' link to question to take user to previous question * Update guidedmodules/views.py Refactor pulling back_url into project_form Co-authored-by: davidpofo <dampofo@umd.edu> * Improve back-button styling Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: davidpofo <dampofo@umd.edu> Co-authored-by: Greg Elin <greg.elin@govready.com> * WIP: Side-by-side comparison of components (#1620) * created checkbox and form for submitting components for comparison. created rough start for displaying differences between prime component and rest * for now just implementing two comparison * click to read full text after 50 chars * styling and added Control part * displaying comparisons for x number of component statements against the prime component. 
Styling and abstracted out the comparison block into an included template * check for pid * removing detail/summary not really necessary * Condense comparison listings into rows of a single table Co-authored-by: Greg Elin <Greg Elin> * Update CHANGELOG.md * Rename 'compare' column to 'select' in component library (#1626) Co-authored-by: Greg Elin <Greg Elin> * Remove portfolio selection modal from Start a Project process Start projects in user's default portfolio to reduce the clicks starting a project. Use the User.create_default_portfolio_if_missing method consistently to consistently create the user portfolio default portfolio. Remove the PortfolioSignupForm because registration is no longer used in registering users. Remove the '"project_form": AddProjectForm(request.user ...' passed into many templates because the navbar start app option no longer brings up the portfolio select modal. * Update tests for default portfolio * Bump VERSION, CHANGELOG * Update CHANGELOG VERSION * Add button, form to add AppSource via upload of zip file Add button, form to App Store to provide front-end UI for admininstrators to add an AppSource by uploading a zip file. This simplifies setting up an AppSource for first time users. Implementation only validates that uploaded directory is a zip file, does not check if uploaded zip file is valid AppSource directory structure. Implementation assumes apps are in the 'apps' directory. * Link to library version of component from a system's selected control component * Display systems using a component (#1618) * Display systems using a component Add method controls.element.consuming_systems to produce list of systems consuming (e.g., containing) the element. Add tab to component library component detail page to display list of systems containing the component. Also, always display OSCAL tab in component library for component detail (rather than conditional on 'enable_experimental_opencontrol' parameter). 
* Show component system count in tab, better projects.exists query * Replace list compression with query filters Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: davidpofo <dampofo@umd.edu> * Ge/fulltext search (#1631) * Add fulltext smt search to component library search * Note fulltext search in CHANGELOG Co-authored-by: Greg Elin <Greg Elin> * check if we are in a portfolio when starting a project. If so then use that portfolio and not the default for the user. * fixed a bug where Elements of type system were shown in the selected components for a project * Addressing github issue 1630 in group id matching. fixed a bug where Elements of type system were shown in the selected components for a project. * Add YAML intermediary file for CMMC * try/except to still do the component search for non-Postgres users. (#1633) * Add a 'blank' project with no questions useful for batch project creation (#1634) Co-authored-by: Greg Elin <Greg Elin> * td not th * Polish security objective ui * Avoid errors when project has no root_task set * Better project name when no root task set * Align project name when listing project with no root task * Support CMMC ver 1 OSCAL catalog * Fix typo * Add 'blank' compliance app to first_run * Append '-dev' to version number * Legacy Statements added as statements for import * Updating regex * Del size limit on speedyssp img upload * updated column for imp statements * Fix test shipped catalogs count * td not th * Revert "td not th" This reverts commit e7e8b9c * these values are safe * removing extra differences obj. * safe and efficiency * adding select/deselect all. checkbox container wrap. * control structure for compare button toggle * Maintain sort order of compare_list otherwise Django will order ascending * adding change component button to change what the prime component of comparison is. 
Still has work todo * changed to allow user passed in for parsing * remove commented out code from template * Add UI for legacy statement display. Also fix StatementTypeEnum. (#1644) * [WIP] UI to display legacy control impl smts Create a conditional display of legacy control implementation statements in control editor page. Also widen width of display of editor control statements to 1250px. * Improve display of legacy statement * StatementTypeEnum fixes. Closes #1643 Set all `StatementTypeEnum.<LABEL>.value` to `StatementTypeEnum.<LABEL>.name` in order for relevant label/term to show up in Django database admin interface. Set component library detail page Systems tab to not be inactive thereby removing the content from the System tab showing up on the Control Implementation Statements tab. Update controls.tests. Co-authored-by: Greg Elin <greg.elin@govready.com> * Update CHANGELOG * fixing styling of portfolio table * using django guardian ObjectPermissionChecker to prefetch permissions. Directly check permissions, to avoid N+1 query of perms with get_obj_perms * hide_registration revert * formatting for sid * Use StatementEnum.*.name value * removing change component comparison button for now. * implemented persistent storage of checks by changing value in hidden input with jquery. Clears storage after clicking compare button or deselecting all * Use one import record for entire file * More OSCALize id fixes. Proper Create/Update/Del of smts * Display other_statement count on confirm import delete * test test_portfolio_projects * Add project, system.root_element to import_record Add project and system.root_element to import_record in order to auto delete the project and system (and root element) when the import process for importing legacy control impl smts also creates the project. * name not value for statement enums * Sometimes there are not parameters and that is okay it is caught by the try/except block. 
* Captialize mission for test * name not value for enums * captial impact... Impact * testing parse for version * missed one get * is_prerelease not dev release * using is_prerelease works for checking dev * need to force login as authenticated user and then reset login * url * snyk update to avoid SQL injection vuln found in Django 3.2.4 * check if previously checked and if so then don't hide compare button. * fix conflicting migrations detected * systems-security-sensitivity-level * Fix controls/0052 StatementTypeEnum migration (#1648) Co-authored-by: Greg Elin <Greg Elin> * Update CHANGELOG.md (#1647) * Configure users on install New govready_users parameter in local/environment.json to create sample users on install. * Add Wazuh collection form to Assessments page (#1651) * Add Wazuh info via end-user form * Create SecurityService class to represent Security Service Create `sec_srvc.SecurityService` class to represent a security service from which data could be collected. Add form to Assessments page to collect info from Wazuh SecurityService. * Fix sec_srvc.py * Abstracted and made a few improvements * Fix uuid error * Fix testing for fields Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> * checking for dev user creation pw. Create reg users not admin. * Add CMMC baselines, assign baselines (#1649) * Improve CMMC links, add OSCAL methods for link content Improve CMMC catalog links to link to NIST 800-53 in GovReady. Add methods to OSCAL catalog, get control_part, guidance links Add get_control_part_by_name, get_control_guidance_links, get_guidance_related_links_by_value_in_href, and get_guidance_related_links_text_by_value_in_href to make getting link content easier. 
* Display related controls as links in control guidance * Properly assign CMMC baselines * Remove debugging print statements * Fix typo * Properly use StatementTypeEnum when saving smts Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Greg Elin <Greg Elin> * first_run finishing touch * Fix assessment summary link to wazuh (#1653) * Add Wazuh info via end-user form * Create SecurityService class to represent Security Service Create `sec_srvc.SecurityService` class to represent a security service from which data could be collected. Add form to Assessments page to collect info from Wazuh SecurityService. * Fix sec_srvc.py * Abstracted and made a few improvements * Fix uuid error * Fix testing for fields * Fix assessment summary link to wazuh Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> * Da/dropnfill (#1654) * adding drag and fill for component import * client-side filetype checking * client-side file size checking 5MB max. missing div. * missing listed catalog for CMMC. Delete extra migration. adjust test for drag-n-fill. import_project_submit for import project view/test * json_content not id_file * spelling * del * hot fix for external catalogs * Remove baseline controls based on control's catalog_key. Fixes failure to remove controls from another catalog when resetting baselines. 
(#1655) Co-authored-by: Greg Elin <greg.elin@govready.com> * Update SpeedSSP ssp template for multiple catalogs (#1656) Co-authored-by: Greg Elin <greg.elin@govready.com> * Update admin.py Readded AppInput * Update CHANGELOG.md Co-authored-by: Peter Kaminski <peter.kaminski@govready.com> Co-authored-by: alexanderward <alexander.ward1@gmail.com> Co-authored-by: Azhar Mian <azharem@gmail.com> Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Greg Elin <gregelin@govready.com> Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: mike <mike.guelfi@gmail.com> Co-authored-by: GovReady-Q <govready-q@govready.com> Co-authored-by: Mike Guelfi <52943685+mguelfi@users.noreply.github.com>
gregelin added a commit that referenced this pull request on Aug 6, 2021:
* implemented security objectives for systems. reverting element version
* test
* get project directly
* need an element and system
* ele and system
* added comp state/type to element model, some system sec info to comp gen.
* test
* Add Django mgt cmd importcomponents to batch import components
  Updates to generation of components to improve adherence to OSCAL specification by removing certain keys when value for keys is None. Added new parameter `existing_import_record` to importing and creating components to group multiple imports under the same import record.
* Make Elements.description TextField and required
  Change Elements.description to TextField and make required. Modify component edit modal to use a textarea for description field. Fixes to show error on problem saving edit to library component
* Use self.element.tags.exists()
* Send proper error message when editing component
* Temporarily remove controls/migrations/0051_auto
* Add back better controls/migrations/0051_auto
* fixed control and sectioning for components in system
* check for security impact level statement when updating. Re-adding retrieval of security impact levels. todo on separate form for levels.
* adding component_state and component_type to system component and component library display. including component_metadata template to keep styling consistent
* pulling in some of the information from statement about system. Rest would come from questionnaires. system_information_types is not used at all.
* a todo for fisma impact level renaming
* added project_security_objs_edit to edit security objectives separately from project editing.
* update changelog and some wording in the modal
* Move action-button styles from inline to style section
* two views/urls for editing component state and type
* adding component type and state to ElementForm
* adding just the display of the state and type to component library components not the ability to change.
* changelog
* FISMA IMPACT LEVEL is now SECURITY SENSITIVITY LEVEL
* Work in progress
* Work in progress
* Da/quick insert (#1601)
* make sure component_type not element_type is exported
* ssp versions should be floats not integers. Information types needs a uuid
* adding empty placeholders for the required keys.
* using updated for component version
* party-uuids is still a todo
* categorizations is still a todo
* parties is still a todo
* Fix system ctl detail page err; Improve creating smt from prototypes (#1602)
  Refactor creating system control statements from component library prototype statements when adding a component from the library to a system and reduce by an order of magnitude the time it takes to add a component to system. Rename smt.create_instance_from_prototype to smt.create_system_control_smt_from_component_prototype_smt. Fix bug breaking rendering of system's control detail page by removing an errant login_required decorator on a function. Add test for system control page. Will add test(s) for system control detail page.
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Automatically clear, refresh output document content downloading docs
  Performance of document generation now sufficiently fast to not require cache and manual "Refresh documents" button.
* remove comments. changelog
* Fixed an issue where statement didn't exist while exporting to oscal (#1605)
* Fixed an issue where statement didn't exist while exporting to oscal
* Update CHANGELOG
  Co-authored-by: Alexander Ward <alexander.ward1@gmail.com>
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Align Delete section on project settings (#1604)
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Update CHANGELOG
* Ge/file upload extensions (#1607)
* Accepts file uploads with capitalized extensions, e.g. ".JPG".
  Adjust file upload validator to recognize capitalized extensions and also recognize ".jpeg" in addition to ".jpg".
* Add tests for validating uppercase extensions on file uploads
* Add test fixture data
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Batch update cntl impl smts when component_statement changes
  Implemented a faster way to update status of system controls. When user sets a system component state to "operational" all statements associated with that component for the system get their status set to "Implemented". Similarly, setting component's state to "planned" batch sets all component statements for that system to "Planned", and "under-development" sets component statements to "Partially Implemented". Display system component component_state and component_type when component is listed for a system.
* More okta changes
* export a project's ssp control implementations with export form (#1611)
* export a project's ssp control implementations with export form
* remove comments
* Correct slugify import
* Security update Python 3.2.4 due to https://snyk.io/vuln/SNYK-PYTHON-DJANGO-1298665
* Polish SSP control CSV export form
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Add 'Create a template' button to template library (#1610)
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Content-Security-Policy header permit images (*), videos youtube, vimeo
* quick fix for auth
* quick fix for auth
* quick fix for auth
* quick fix for auth
* quick fix for auth
* Force controls csv to download to browser
* quick fix for auth
* quick fix for auth
* test
* test
* test
* test
* test
* last fix and vuln update for django
* last fix and vuln update for django
* 'Back' link to question to take user to previous question (#1612)
* 'Back' link to question to take user to previous question
* Update guidedmodules/views.py
  Refactor pulling back_url into project_form
  Co-authored-by: davidpofo <dampofo@umd.edu>
* Improve back-button styling
  Co-authored-by: Greg Elin <Greg Elin>
  Co-authored-by: davidpofo <dampofo@umd.edu>
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* WIP: Side-by-side comparison of components (#1620)
* created checkbox and form for submitting components for comparison. created rough start for displaying differences between prime component and rest
* for now just implementing two comparison
* click to read full text after 50 chars
* styling and added Control part
* displaying comparisons for x number of component statements against the prime component. Styling and abstracted out the comparison block into an included template
* check for pid
* removing detail/summary not really necessary
* Condense comparison listings into rows of a single table
  Co-authored-by: Greg Elin <Greg Elin>
* Update CHANGELOG.md
* Rename 'compare' column to 'select' in component library (#1626)
  Co-authored-by: Greg Elin <Greg Elin>
* Remove portfolio selection modal from Start a Project process
  Start projects in user's default portfolio to reduce the clicks starting a project. Use the User.create_default_portfolio_if_missing method consistently to create the user's default portfolio. Remove the PortfolioSignupForm because registration is no longer used in registering users. Remove the '"project_form": AddProjectForm(request.user ...' passed into many templates because the navbar start app option no longer brings up the portfolio select modal.
* Update tests for default portfolio
* Bump VERSION, CHANGELOG
* Update CHANGELOG VERSION
* Add button, form to add AppSource via upload of zip file
  Add button, form to App Store to provide front-end UI for administrators to add an AppSource by uploading a zip file. This simplifies setting up an AppSource for first time users. Implementation only validates that uploaded directory is a zip file, does not check if uploaded zip file is valid AppSource directory structure. Implementation assumes apps are in the 'apps' directory.
* Link to library version of component from a system's selected control component
* Display systems using a component (#1618)
* Display systems using a component
  Add method controls.element.consuming_systems to produce list of systems consuming (e.g., containing) the element. Add tab to component library component detail page to display list of systems containing the component. Also, always display OSCAL tab in component library for component detail (rather than conditional on 'enable_experimental_opencontrol' parameter).
* Show component system count in tab, better projects.exists query
* Replace list comprehension with query filters
  Co-authored-by: Greg Elin <greg.elin@govready.com>
  Co-authored-by: davidpofo <dampofo@umd.edu>
* Ge/fulltext search (#1631)
* Add fulltext smt search to component library search
* Note fulltext search in CHANGELOG
  Co-authored-by: Greg Elin <Greg Elin>
* check if we are in a portfolio when starting a project. If so then use that portfolio and not the default for the user.
* fixed a bug where Elements of type system were shown in the selected components for a project
* Addressing github issue 1630 in group id matching. fixed a bug where Elements of type system were shown in the selected components for a project.
* Add YAML intermediary file for CMMC
* try/except to still do the component search for non-Postgres users.
(#1633) * Add a 'blank' project with no questions useful for batch project creation (#1634) Co-authored-by: Greg Elin <Greg Elin> * td not th * Polish security objective ui * Avoid errors when project has no root_task set * Better project name when no root task set * Align project name when listing project with no root task * Support CMMC ver 1 OSCAL catalog * Fix typo * Add 'blank' compliance app to first_run * Append '-dev' to version number * Legacy Statements added as statements for import * Updating regex * Del size limit on speedyssp img upload * updated column for imp statements * Fix test shipped catalogs count * td not th * Revert "td not th" This reverts commit e7e8b9c * these values are safe * removing extra differences obj. * safe and efficiency * adding select/deselect all. checkbox container wrap. * control structure for compare button toggle * Maintain sort order of compare_list otherwise Django will order ascending * adding change component button to change what the prime component of comparison is. Still has work todo * changed to allow user passed in for parsing * remove commented out code from template * Add UI for legacy statement display. Also fix StatementTypeEnum. (#1644) * [WIP] UI to display legacy control impl smts Create a conditional display of legacy control implementation statements in control editor page. Also widen width of display of editor control statements to 1250px. * Improve display of legacy statement * StatementTypeEnum fixes. Closes #1643 Set all `StatementTypeEnum.<LABEL>.value` to `StatementTypeEnum.<LABEL>.name` in order for relevant label/term to show up in Django database admin interface. Set component library detail page Systems tab to not be inactive thereby removing the content from the System tab showing up on the Control Implementation Statements tab. Update controls.tests. 
Co-authored-by: Greg Elin <greg.elin@govready.com> * Update CHANGELOG * fixing styling of portfolio table * using django guardian ObjectPermissionChecker to prefetch permissions. Directly check permissions, to avoid N+1 query of perms with get_obj_perms * hide_registration revert * formatting for sid * Use StatementEnum.*.name value * removing change component comparison button for now. * implemented persistent storage of checks by changing value in hidden input with jquery. Clears storage after clicking compare button or deselecting all * Use one import record for entire file * More OSCALize id fixes. Proper Create/Update/Del of smts * Display other_statement count on confirm import delete * test test_portfolio_projects * Add project, system.root_element to import_record Add project and system.root_element to import_record in order to auto delete the project and system (and root element) when the import process for importing legacy control impl smts also creates the project. * name not value for statement enums * Sometimes there are not parameters and that is okay it is caught by the try/except block. * Captialize mission for test * name not value for enums * captial impact... Impact * testing parse for version * missed one get * is_prerelease not dev release * using is_prerelease works for checking dev * need to force login as authenticated user and then reset login * url * snyk update to avoid SQL injection vuln found in Django 3.2.4 * check if previously checked and if so then don't hide compare button. * fix conflicting migrations detected * systems-security-sensitivity-level * Fix controls/0052 StatementTypeEnum migration (#1648) Co-authored-by: Greg Elin <Greg Elin> * Update CHANGELOG.md (#1647) * Configure users on install New govready_users parameter in local/environment.json to create sample users on install. 
* Add Wazuh collection form to Assessments page (#1651) * Add Wazuh info via end-user form * Create SecurityService class to represent Security Service Create `sec_srvc.SecurityService` class to represent a security service from which data could be collected. Add form to Assessments page to collect info from Wazuh SecurityService. * Fix sec_srvc.py * Abstracted and made a few improvements * Fix uuid error * Fix testing for fields Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> * checking for dev user creation pw. Create reg users not admin. * Add CMMC baselines, assign baselines (#1649) * Improve CMMC links, add OSCAL methods for link content Improve CMMC catalog links to link to NIST 800-53 in GovReady. Add methods to OSCAL catalog, get control_part, guidance links Add get_control_part_by_name, get_control_guidance_links, get_guidance_related_links_by_value_in_href, and get_guidance_related_links_text_by_value_in_href to make getting link content easier. * Display related controls as links in control guidance * Properly assign CMMC baselines * Remove debugging print statements * Fix typo * Properly use StatementTypeEnum when saving smts Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Greg Elin <Greg Elin> * first_run finishing touch * Fix assessment summary link to wazuh (#1653) * Add Wazuh info via end-user form * Create SecurityService class to represent Security Service Create `sec_srvc.SecurityService` class to represent a security service from which data could be collected. Add form to Assessments page to collect info from Wazuh SecurityService. 
* Fix sec_srvc.py * Abstracted and made a few improvements * Fix uuid error * Fix testing for fields * Fix assessment summary link to wazuh Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> * Da/dropnfill (#1654) * adding drag and fill for component import * client-side filetype checking * client-side file size checking 5MB max. missing div. * missing listed catalog for CMMC. Delete extra migration. adjust test for drag-n-fill. import_project_submit for import project view/test * json_content not id_file * spelling * del * hot fix for external catalogs * Remove baseline controls based on control's catalog_key. Fixes failure to remove controls from another catalog when resetting baselines. (#1655) Co-authored-by: Greg Elin <greg.elin@govready.com> * Update SpeedSSP ssp template for multiple catalogs (#1656) Co-authored-by: Greg Elin <greg.elin@govready.com> * Update admin.py Readded AppInput * new line fix * fixed bug where id doesn't exist yet in db * pinning jinja and installing compliance-trestle with unpinning of markupsafe in order to validate oscal 1.0.0. * revert some changes to ssp-def for now and added source to statement model. * ensure source and uuid are added correctly to import/export of component-definition * adding oscal-version to element model. clean up output title * replaced component-defintion for test data with official oscal 1.0.0 example component * lowering the amount of output for circleci * fixing exceptions * update example link * WIP on updating system-security-plan definition. 
* missing uuid and 2 removed * SSP export now includes the uuid and version from the root_element object * fixing up some module logic to include real uuid and oscal version * uuid not id * Import component control statement even if catalog not found Remove test to see of control exists in control catalog when importing a component because we may import a component that has controls from a catalog that is not yet in GovReady. The test on the control id being in the catalog was originally done to avoid importing a bad control (or bad control id). But it is worse to not be able to import the component because we don't yet have the a control catalog mentioned by the component. * Display component, smts even if catalog missing Do not crash on displaying a component and component control implementation statement when a catalog associated with statements is missing from GovReady-Q install. * Ge/data grid question (#1667) * Improve appearance of data grid question Display datagrid question wider and with smaller fonts. Support datgrid specifying select type cell. * Display legacy smt in system selected controls; fix component counts Fix count on project system's components associated with a control (avoid double counting). Display existance of legacy statement in project system's selected controls. * Fix typo Co-authored-by: Greg Elin <greg.elin@govready.com> * Adjust test to new rule of importing controls with bad catalog * natsorting implementation statements before grouping by sid. Providing statement's uuid. Ensuring all requirements are added to final control implementation dictionary. dealing with empty or incorrect catalogs. Fixed up smt parse. * If no statements are created then delete empty component * OSCAL SSP almost implemented just need to finish implemented reqs. * OSCALSystemSecurityPlanSerializer is getting there still have some fields to fill. 
* added new function OSCAL_ssp_export in order to export a system's security plan in OSCAL, this replaces the usual JSON export. Added a several fields of data for OSCAL SSP. * Coverage 6.0b1 starts to use a modern hash algorithm (sha256) when fingerprinting for high-security environments. Updating the requirements and Changelog. * added a proxy for parties and responsible parties for component oscal export * a couple tweaks for comp * todo for ssp validation with trestle * read validate ssp with trestle * revert discussion test change. * extra file * test_path? * delete invalid test files * fixing up implementation and testing of validation of extension. * remove extra addition for .doc * var sleep? * bad test case * adding some comments. Better logging/messaging for schema. Fixed splitting of control id. * Added test of OSCAL ssp export. * explicitly login as user * test baseline json file should be test_baselines.json not baseline * create system * check part correctly. test fix * get system from self * try/except * last try * done * Remove duplicate loads of select2 in base.html * Da/cleanup export sspcsv (#1674) * created a de-oscalizing function and applied to selected controls on import. * some super route way of making sure the catalogs produce 3.1. * add test of de_oscalize_control * Da/discussion updates (#1675) * get task for the attached object. added some more notes * fixed signature for getting a task for the attached object. * Added get_discussion_autocompletes changes to get the organization from the discussion(should be 1 to 1). If another models wants to implement it they can look at the get_discussion_autocompletes in TaskAnswer * Added get_discussion_autocompletes changes to get the organization from the discussion(should be 1 to 1). 
If another models wants to implement it they can look at the get_discussion_autocompletes in TaskAnswer * addressing shell script issues for dockerfile_exec_gunicorn.sh from GH issues 1659 (#1670) Co-authored-by: root <root@MSI.localdomain> * Some controls have characters that we currently don't expect. However it shouldn't just return an empty string as this errors out. Also the controls are already in oscal format. (#1676) Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: alexanderward <alexander.ward1@gmail.com> Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: mike <mike.guelfi@gmail.com> Co-authored-by: Mike Guelfi <52943685+mguelfi@users.noreply.github.com> Co-authored-by: Greg Elin <gregelin@govready.com> Co-authored-by: Ward <12001004185765@FEDIDCARD.GOV> Co-authored-by: root <root@MSI.localdomain>
gregelin added a commit that referenced this pull request Aug 9, 2021
* test
* Add Django mgt cmd importcomponents to batch import components Updates to generation of components to improve adherence to OSCAL specification by removing certain keys when value for keys is None. Added new parameter `existing_import_record` to importing and creating components to group multiple imports under the same import record.
* Make Elements.description TextField and required Change Elements.description to TextField and make required. Modify component edit modal to use a textarea for description field. Fixes to show error on problem saving edit to library component
* Use self.element.tags.exists()
* Send proper error message when editing component
* Temporarily remove controls/migrations/0051_auto
* Add back better controls/migrations/0051_auto
* fixed control and sectioning for components in system
* check for security impact level statement when updating. Readding retrieval of security impact levels. todo on separate form for levels.
* adding component_state and component_type to system component and component library display. including component_metadata template to keep styling consistent
* pulling in some of the information from statement about system. Rest would come from questionnaires. system_information_types is not used at all.
* a todo for fisma impact level renaming
* added project_security_objs_edit to edit security objectives separately from project editing.
* update changelog and some wording in the modal
* Move action-button styles from inline to style section
* two views/urls for editing component state and type
* adding component type and state to ElementForm
* adding just the display of the state and type to component library components not the ability to change.
* changelog
* FISMA IMPACT LEVEL is now SECURITY SENSITIVITY LEVEL
* Work in progress
* Work in progress
* Da/quick insert (#1601)
* make sure component_type not element_type is exported
* ssp versions should be floats not integers. Information types need a uuid
* adding empty placeholders for the required keys.
* using updated for component version
* party-uuids is still a todo
* categorizations is still a todo
* parties is still a todo
* Fix system ctl detail page err; Improve creating smt from prototypes (#1602) Refactor creating system control statements from component library prototype statements when adding a component from the library to a system and reduce by an order of magnitude the time it takes to add a component to system. Rename smt.create_instance_from_prototype to smt.create_system_control_smt_from_component_prototype_smt. Fix bug breaking rendering of system's control detail page by removing an errant login_required decorator on a function. Add test for system control page. Will add test(s) for system control detail page. Co-authored-by: Greg Elin <greg.elin@govready.com>
* Automatically clear, refresh output document content downloading docs Performance of document generation now sufficiently fast to not require cache and manual "Refresh documents" button.
* remove comments. changelog
* Fixed an issue where statement didn't exist while exporting to oscal (#1605)
* Fixed an issue where statement didn't exist while exporting to oscal
* Update CHANGELOG Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> Co-authored-by: Greg Elin <greg.elin@govready.com>
* Align Delete section on project settings (#1604) Co-authored-by: Greg Elin <greg.elin@govready.com>
* Update CHANGELOG
* Ge/file upload extensions (#1607)
* Accepts file uploads with capitalized extensions, e.g. ".JPG". Adjust file upload validator to recognize capitalized extensions and also recognize ".jpeg" in addition to ".jpg".
* Add tests for validating uppercase extensions on file uploads
* Add test fixture data Co-authored-by: Greg Elin <greg.elin@govready.com>
* Batch update cntl impl smts when component_statement changes Implemented a faster way to update status of system controls. When user sets a system component state to "operational" all statements associated with that component for the system get their status set to "Implemented". Similarly, setting component's state to "planned" batch sets all component statements for that system to "Planned", and "under-development" sets component statements to "Partially Implemented". Display system component component_state and component_type when component is listed for a system.
* More okta changes
* export a projects ssp control implementations with export form (#1611)
* export a projects ssp control implementations with export form
* remove comments
* Correct slugify import
* Security update Python 3.2.4 due to https://snyk.io/vuln/SNYK-PYTHON-DJANGO-1298665
* Polish SSP control CSV export form Co-authored-by: Greg Elin <greg.elin@govready.com>
* Add 'Create a template' button to template library (#1610) Co-authored-by: Greg Elin <greg.elin@govready.com>
* Content-Security-Policy header permit images (*), videos youtube, vimeo
* quick fix for auth
* quick fix for auth
* quick fix for auth
* quick fix for auth
* quick fix for auth
* Force controls csv to download to browser
* quick fix for auth
* quick fix for auth
* test
* test
* test
* test
* test
* last fix and vuln update for django
* last fix and vuln update for django
* 'Back' link to question to take user to previous question (#1612)
* 'Back' link to question to take user to previous question
* Update guidedmodules/views.py Refactor pulling back_url into project_form Co-authored-by: davidpofo <dampofo@umd.edu>
* Improve back-button styling Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: davidpofo <dampofo@umd.edu> Co-authored-by: Greg Elin <greg.elin@govready.com>
* WIP: Side-by-side comparison of components (#1620)
* created checkbox and form for submitting components for comparison. created rough start for displaying differences between prime component and rest
* for now just implementing two comparison
* click to read full text after 50 chars
* styling and added Control part
* displaying comparisons for x number of component statements against the prime component. Styling and abstracted out the comparison block into an included template
* check for pid
* removing detail/summary not really necessary
* Condense comparison listings into rows of a single table Co-authored-by: Greg Elin <Greg Elin>
* Update CHANGELOG.md
* Rename 'compare' column to 'select' in component library (#1626) Co-authored-by: Greg Elin <Greg Elin>
* Remove portfolio selection modal from Start a Project process Start projects in user's default portfolio to reduce the clicks starting a project. Use the User.create_default_portfolio_if_missing method consistently to create the user's default portfolio. Remove the PortfolioSignupForm because registration is no longer used in registering users. Remove the '"project_form": AddProjectForm(request.user ...' passed into many templates because the navbar start app option no longer brings up the portfolio select modal.
* Update tests for default portfolio
* Bump VERSION, CHANGELOG
* Update CHANGELOG VERSION
* Add button, form to add AppSource via upload of zip file Add button, form to App Store to provide front-end UI for administrators to add an AppSource by uploading a zip file. This simplifies setting up an AppSource for first time users. Implementation only validates that uploaded directory is a zip file, does not check if uploaded zip file is valid AppSource directory structure. Implementation assumes apps are in the 'apps' directory.
* Link to library version of component from a system's selected control component
* Display systems using a component (#1618)
* Display systems using a component Add method controls.element.consuming_systems to produce list of systems consuming (e.g., containing) the element. Add tab to component library component detail page to display list of systems containing the component. Also, always display OSCAL tab in component library for component detail (rather than conditional on 'enable_experimental_opencontrol' parameter).
* Show component system count in tab, better projects.exists query
* Replace list compression with query filters Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: davidpofo <dampofo@umd.edu>
* Ge/fulltext search (#1631)
* Add fulltext smt search to component library search
* Note fulltext search in CHANGELOG Co-authored-by: Greg Elin <Greg Elin>
* check if we are in a portfolio when starting a project. If so then use that portfolio and not the default for the user.
* fixed a bug where Elements of type system were shown in the selected components for a project
* Addressing github issue 1630 in group id matching. fixed a bug where Elements of type system were shown in the selected components for a project.
* Add YAML intermediary file for CMMC
* try/except to still do the component search for non-Postgres users. (#1633)
* Add a 'blank' project with no questions useful for batch project creation (#1634) Co-authored-by: Greg Elin <Greg Elin>
* td not th
* Polish security objective ui
* Avoid errors when project has no root_task set
* Better project name when no root task set
* Align project name when listing project with no root task
* Support CMMC ver 1 OSCAL catalog
* Fix typo
* Add 'blank' compliance app to first_run
* Append '-dev' to version number
* Legacy Statements added as statements for import
* Updating regex
* Del size limit on speedyssp img upload
* updated column for imp statements
* Fix test shipped catalogs count
* td not th
* Revert "td not th" This reverts commit e7e8b9c
* these values are safe
* removing extra differences obj.
* safe and efficiency
* adding select/deselect all. checkbox container wrap.
* control structure for compare button toggle
* Maintain sort order of compare_list otherwise Django will order ascending
* adding change component button to change what the prime component of comparison is. Still has work todo
* changed to allow user passed in for parsing
* remove commented out code from template
* Add UI for legacy statement display. Also fix StatementTypeEnum. (#1644)
* [WIP] UI to display legacy control impl smts Create a conditional display of legacy control implementation statements in control editor page. Also widen width of display of editor control statements to 1250px.
* Improve display of legacy statement
* StatementTypeEnum fixes. Closes #1643 Set all `StatementTypeEnum.<LABEL>.value` to `StatementTypeEnum.<LABEL>.name` in order for relevant label/term to show up in Django database admin interface. Set component library detail page Systems tab to not be inactive thereby removing the content from the System tab showing up on the Control Implementation Statements tab. Update controls.tests. Co-authored-by: Greg Elin <greg.elin@govready.com>
* Update CHANGELOG
* fixing styling of portfolio table
* using django guardian ObjectPermissionChecker to prefetch permissions. Directly check permissions, to avoid N+1 query of perms with get_obj_perms
* hide_registration revert
* formatting for sid
* Use StatementEnum.*.name value
* removing change component comparison button for now.
* implemented persistent storage of checks by changing value in hidden input with jquery. Clears storage after clicking compare button or deselecting all
* Use one import record for entire file
* More OSCALize id fixes. Proper Create/Update/Del of smts
* Display other_statement count on confirm import delete
* test test_portfolio_projects
* Add project, system.root_element to import_record Add project and system.root_element to import_record in order to auto delete the project and system (and root element) when the import process for importing legacy control impl smts also creates the project.
* name not value for statement enums
* Sometimes there are no parameters and that is okay; it is caught by the try/except block.
* Capitalize mission for test
* name not value for enums
* capital impact... Impact
* testing parse for version
* missed one get
* is_prerelease not dev release
* using is_prerelease works for checking dev
* need to force login as authenticated user and then reset login
* url
* snyk update to avoid SQL injection vuln found in Django 3.2.4
* check if previously checked and if so then don't hide compare button.
* fix conflicting migrations detected
* systems-security-sensitivity-level
* Fix controls/0052 StatementTypeEnum migration (#1648) Co-authored-by: Greg Elin <Greg Elin>
* Update CHANGELOG.md (#1647)
* Configure users on install New govready_users parameter in local/environment.json to create sample users on install.
* Add Wazuh collection form to Assessments page (#1651)
* Add Wazuh info via end-user form
* Create SecurityService class to represent Security Service Create `sec_srvc.SecurityService` class to represent a security service from which data could be collected. Add form to Assessments page to collect info from Wazuh SecurityService.
* Fix sec_srvc.py
* Abstracted and made a few improvements
* Fix uuid error
* Fix testing for fields Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com>
* checking for dev user creation pw. Create reg users not admin.
* Add CMMC baselines, assign baselines (#1649)
* Improve CMMC links, add OSCAL methods for link content Improve CMMC catalog links to link to NIST 800-53 in GovReady. Add methods to OSCAL catalog, get control_part, guidance links Add get_control_part_by_name, get_control_guidance_links, get_guidance_related_links_by_value_in_href, and get_guidance_related_links_text_by_value_in_href to make getting link content easier.
* Display related controls as links in control guidance
* Properly assign CMMC baselines
* Remove debugging print statements
* Fix typo
* Properly use StatementTypeEnum when saving smts Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Greg Elin <Greg Elin>
* first_run finishing touch
* Fix assessment summary link to wazuh (#1653)
* Add Wazuh info via end-user form
* Create SecurityService class to represent Security Service Create `sec_srvc.SecurityService` class to represent a security service from which data could be collected. Add form to Assessments page to collect info from Wazuh SecurityService.
* Fix sec_srvc.py
* Abstracted and made a few improvements
* Fix uuid error
* Fix testing for fields
* Fix assessment summary link to wazuh Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com>
* Da/dropnfill (#1654)
* adding drag and fill for component import
* client-side filetype checking
* client-side file size checking 5MB max. missing div.
* missing listed catalog for CMMC. Delete extra migration. adjust test for drag-n-fill. import_project_submit for import project view/test
* json_content not id_file
* spelling
* del
* hot fix for external catalogs
* Remove baseline controls based on control's catalog_key. Fixes failure to remove controls from another catalog when resetting baselines. (#1655) Co-authored-by: Greg Elin <greg.elin@govready.com>
* Update SpeedSSP ssp template for multiple catalogs (#1656) Co-authored-by: Greg Elin <greg.elin@govready.com>
* Update admin.py Readded AppInput
* new line fix
* fixed bug where id doesn't exist yet in db
* pinning jinja and installing compliance-trestle with unpinning of markupsafe in order to validate oscal 1.0.0.
* revert some changes to ssp-def for now and added source to statement model.
* ensure source and uuid are added correctly to import/export of component-definition
* adding oscal-version to element model. clean up output title
* replaced component-definition for test data with official oscal 1.0.0 example component
* lowering the amount of output for circleci
* fixing exceptions
* update example link
* WIP on updating system-security-plan definition.
* missing uuid and 2 removed
* SSP export now includes the uuid and version from the root_element object
* fixing up some module logic to include real uuid and oscal version
* uuid not id
* Import component control statement even if catalog not found Remove test to see if control exists in control catalog when importing a component because we may import a component that has controls from a catalog that is not yet in GovReady. The test on the control id being in the catalog was originally done to avoid importing a bad control (or bad control id). But it is worse to not be able to import the component because we don't yet have a control catalog mentioned by the component.
* Display component, smts even if catalog missing Do not crash on displaying a component and component control implementation statement when a catalog associated with statements is missing from GovReady-Q install.
* Ge/data grid question (#1667)
* Improve appearance of data grid question Display datagrid question wider and with smaller fonts. Support datagrid specifying select type cell.
* Display legacy smt in system selected controls; fix component counts Fix count on project system's components associated with a control (avoid double counting). Display existence of legacy statement in project system's selected controls.
* Fix typo Co-authored-by: Greg Elin <greg.elin@govready.com>
* Adjust test to new rule of importing controls with bad catalog
* natsorting implementation statements before grouping by sid. Providing statement's uuid. Ensuring all requirements are added to final control implementation dictionary. dealing with empty or incorrect catalogs. Fixed up smt parse.
* If no statements are created then delete empty component
* OSCAL SSP almost implemented just need to finish implemented reqs.
* OSCALSystemSecurityPlanSerializer is getting there still have some fields to fill.
* added new function OSCAL_ssp_export in order to export a system's security plan in OSCAL, this replaces the usual JSON export. Added several fields of data for OSCAL SSP.
* Coverage 6.0b1 starts to use a modern hash algorithm (sha256) when fingerprinting for high-security environments. Updating the requirements and Changelog.
* added a proxy for parties and responsible parties for component oscal export
* a couple tweaks for comp
* todo for ssp validation with trestle
* read validate ssp with trestle
* revert discussion test change.
* extra file
* test_path?
* delete invalid test files
* fixing up implementation and testing of validation of extension.
* remove extra addition for .doc
* var sleep?
* bad test case
* adding some comments. Better logging/messaging for schema. Fixed splitting of control id.
* Added test of OSCAL ssp export.
* explicitly login as user
* test baseline json file should be test_baselines.json not baseline
* create system
* check part correctly. test fix
* get system from self
* try/except
* last try
* done
* Remove duplicate loads of select2 in base.html
* Da/cleanup export sspcsv (#1674)
* created a de-oscalizing function and applied to selected controls on import.
* some super route way of making sure the catalogs produce 3.1.
* add test of de_oscalize_control
* Da/discussion updates (#1675)
* get task for the attached object. added some more notes
* fixed signature for getting a task for the attached object.
* Added get_discussion_autocompletes changes to get the organization from the discussion (should be 1 to 1). If another model wants to implement it they can look at the get_discussion_autocompletes in TaskAnswer
* Added get_discussion_autocompletes changes to get the organization from the discussion (should be 1 to 1). If another model wants to implement it they can look at the get_discussion_autocompletes in TaskAnswer
* addressing shell script issues for dockerfile_exec_gunicorn.sh from GH issues 1659 (#1670) Co-authored-by: root <root@MSI.localdomain>
* Some controls have characters that we currently don't expect. However it shouldn't just return an empty string as this errors out. Also the controls are already in oscal format. (#1676)
* Auto-start a particular project (#1640)
* [WIP] Auto-start a particular project Enable the auto-starting of a particular project, e.g., start a project without having to visit the compliance app store. Eventually, start a project and launch the first question.
* Rename auto start app variables
* Finish project auto start, auto start question, redirect actions Complete work on automatically starting a project defined by a System Setting. Allow the auto start system setting to define the project template (e.g. compliance app) to use and even the module to automatically start. Also add new question actions to redirect to project page or project component after answering a question. TO DO: Add error handling (e.g., missing/incorrect project); Add tests
* Bump VERSION Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: Greg Elin <greg.elin@govready.com>
* Move Catalog data into database, faster control select autocomplete (#1673)
* Move Catalog data into database, faster control select autocomplete Move control catalog data into database so catalogs shipped with GovReady and user added catalogs all accessed in database. Also faster reading in containers. Adjust first_run to load catalogs. Speed up autocomplete by only selecting matching controls.
* Fix tests: add catalogs to db in setup
* Read baselines from database
* Sync with 0.9.7
* Fix tests
* Fix tests 2
* Use better DB query instead of closure Co-authored-by: Greg Elin <greg.elin@govready.com>
* Ge/mvp july 2021 (#1679)
* [WIP] Auto-start a particular project Enable the auto-starting of a particular project, e.g., start a project without having to visit the compliance app store. Eventually, start a project and launch the first question.
* Rename auto start app variables
* Provide selected component data to project page
* Finish project auto start, auto start question, redirect actions Complete work on automatically starting a project defined by a System Setting. Allow the auto start system setting to define the project template (e.g. compliance app) to use and even the module to automatically start. Also add new question actions to redirect to project page or project component after answering a question. TO DO: Add error handling (e.g., missing/incorrect project); Add tests
* Add route for single system-component-control
* issue in bootstrap
* better styling for the drag-n-fill area
* missing carrot.
reverting the removal of project import form done in 29ff7c2 * Fix skip buttons and question action crash * Update CHANGELOG.md * Update CHANGELOG.md * Produce dictionary of producer_element control impl smts * Templatetags for math * Calculate dict of element ctl impl smts status Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: davidpofo <dampofo@umd.edu> * Bump version to 0.9.8 * Remove commented-out, unneeded tests Co-authored-by: davidpofo <dampofo@umd.edu> Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: alexanderward <alexander.ward1@gmail.com> Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: mike <mike.guelfi@gmail.com> Co-authored-by: Mike Guelfi <52943685+mguelfi@users.noreply.github.com> Co-authored-by: Ward <12001004185765@FEDIDCARD.GOV> Co-authored-by: root <root@MSI.localdomain>
gregelin added a commit that referenced this pull request Aug 13, 2021
* Use self.element.tags.exists()
* Send proper error message when editing component
* Temporarily remove controls/migrations/0051_auto
* Add back better controls/migrations/0051_auto
* fixed control and sectioning for components in system
* check for security impact level statement when updating. Re-adding retrieval of security impact levels. todo on separate form for levels.
* adding component_state and component_type to system component and component library display. including component_metadata template to keep styling consistent
* pulling in some of the information from statement about system. Rest would come from questionnaires. system_information_types is not used at all.
* a todo for fisma impact level renaming
* added project_security_objs_edit to edit security objectives separately from project editing.
* update changelog and some wording in the modal
* Move action-button styles from inline to style section
* two views/urls for editing component state and type
* adding component type and state to ElementForm
* adding just the display of the state and type to component library components, not the ability to change.
* changelog
* FISMA IMPACT LEVEL is now SECURITY SENSITIVITY LEVEL
* Work in progress
* Work in progress
* Da/quick insert (#1601)
* make sure component_type not element_type is exported
* ssp versions should be floats not integers. Information types needs a uuid
* adding empty placeholders for the required keys.
* using updated for component version
* party-uuids is still a todo
* categorizations is still a todo
* parties is still a todo
* Fix system ctl detail page err; Improve creating smt from prototypes (#1602). Refactor creating system control statements from component library prototype statements when adding a component from the library to a system and reduce by an order of magnitude the time it takes to add a component to system. Rename smt.create_instance_from_prototype to smt.create_system_control_smt_from_component_prototype_smt. Fix bug breaking rendering of system's control detail page by removing an errant login_required decorator on a function. Add test for system control page. Will add test(s) for system control detail page.
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Automatically clear, refresh output document content downloading docs. Performance of document generation now sufficiently fast to not require cache and manual "Refresh documents" button.
* remove comments. changelog
* Fixed an issue where statement didn't exist while exporting to oscal (#1605)
* Fixed an issue where statement didn't exist while exporting to oscal
* Update CHANGELOG
  Co-authored-by: Alexander Ward <alexander.ward1@gmail.com>
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Align Delete section on project settings (#1604)
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Update CHANGELOG
* Ge/file upload extensions (#1607)
* Accepts file uploads with capitalized extensions, e.g. ".JPG". Adjust file upload validator to recognize capitalized extensions and also recognize ".jpeg" in addition to ".jpg".
* Add tests for validating uppercase extensions on file uploads
* Add test fixture data
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Batch update cntl impl smts when component_statement changes. Implemented a faster way to update status of system controls. When user sets a system component state to "operational" all statements associated with that component for the system get their status set to "Implemented". Similarly, setting component’s state to "planned" batch sets all component statements for that system to "Planned", and "under-development" sets component statements to "Partially Implemented". Display system component component_state and component_type when component is listed for a system.
* More okta changes
* export a project's ssp control implementations with export form (#1611)
* export a project's ssp control implementations with export form
* remove comments
* Correct slugify import
* Security update Python 3.2.4 due to https://snyk.io/vuln/SNYK-PYTHON-DJANGO-1298665
* Polish SSP control CSV export form
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Add 'Create a template' button to template library (#1610)
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Content-Security-Policy header permit images (*), videos youtube, vimeo
* quick fix for auth
* quick fix for auth
* quick fix for auth
* quick fix for auth
* quick fix for auth
* Force controls csv to download to browser
* quick fix for auth
* quick fix for auth
* test
* test
* test
* test
* test
* last fix and vuln update for django
* last fix and vuln update for django
* 'Back' link to question to take user to previous question (#1612)
* 'Back' link to question to take user to previous question
* Update guidedmodules/views.py. Refactor pulling back_url into project_form
  Co-authored-by: davidpofo <dampofo@umd.edu>
* Improve back-button styling
  Co-authored-by: Greg Elin <Greg Elin>
  Co-authored-by: davidpofo <dampofo@umd.edu>
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* WIP: Side-by-side comparison of components (#1620)
* created checkbox and form for submitting components for comparison. created rough start for displaying differences between prime component and rest
* for now just implementing two comparison
* click to read full text after 50 chars
* styling and added Control part
* displaying comparisons for x number of component statements against the prime component. Styling and abstracted out the comparison block into an included template
* check for pid
* removing detail/summary, not really necessary
* Condense comparison listings into rows of a single table
  Co-authored-by: Greg Elin <Greg Elin>
* Update CHANGELOG.md
* Rename 'compare' column to 'select' in component library (#1626)
  Co-authored-by: Greg Elin <Greg Elin>
* Remove portfolio selection modal from Start a Project process. Start projects in user's default portfolio to reduce the clicks starting a project. Use the User.create_default_portfolio_if_missing method consistently to create the user's default portfolio. Remove the PortfolioSignupForm because registration is no longer used in registering users. Remove the '"project_form": AddProjectForm(request.user ...' passed into many templates because the navbar start app option no longer brings up the portfolio select modal.
* Update tests for default portfolio
* Bump VERSION, CHANGELOG
* Update CHANGELOG VERSION
* Add button, form to add AppSource via upload of zip file. Add button, form to App Store to provide front-end UI for administrators to add an AppSource by uploading a zip file. This simplifies setting up an AppSource for first time users. Implementation only validates that uploaded directory is a zip file, does not check if uploaded zip file is valid AppSource directory structure. Implementation assumes apps are in the 'apps' directory.
* Link to library version of component from a system's selected control component
* Display systems using a component (#1618)
* Display systems using a component. Add method controls.element.consuming_systems to produce list of systems consuming (e.g., containing) the element. Add tab to component library component detail page to display list of systems containing the component. Also, always display OSCAL tab in component library for component detail (rather than conditional on 'enable_experimental_opencontrol' parameter).
* Show component system count in tab, better projects.exists query
* Replace list compression with query filters
  Co-authored-by: Greg Elin <greg.elin@govready.com>
  Co-authored-by: davidpofo <dampofo@umd.edu>
* Ge/fulltext search (#1631)
* Add fulltext smt search to component library search
* Note fulltext search in CHANGELOG
  Co-authored-by: Greg Elin <Greg Elin>
* check if we are in a portfolio when starting a project. If so then use that portfolio and not the default for the user.
* fixed a bug where Elements of type system were shown in the selected components for a project
* Addressing github issue 1630 in group id matching. fixed a bug where Elements of type system were shown in the selected components for a project.
* Add YAML intermediary file for CMMC
* try/except to still do the component search for non-Postgres users. (#1633)
* Add a 'blank' project with no questions useful for batch project creation (#1634)
  Co-authored-by: Greg Elin <Greg Elin>
* td not th
* Polish security objective ui
* Avoid errors when project has no root_task set
* Better project name when no root task set
* Align project name when listing project with no root task
* Support CMMC ver 1 OSCAL catalog
* Fix typo
* Add 'blank' compliance app to first_run
* Append '-dev' to version number
* Legacy Statements added as statements for import
* Updating regex
* Del size limit on speedyssp img upload
* updated column for imp statements
* Fix test shipped catalogs count
* td not th
* Revert "td not th". This reverts commit e7e8b9c
* these values are safe
* removing extra differences obj.
* safe and efficiency
* adding select/deselect all. checkbox container wrap.
* control structure for compare button toggle
* Maintain sort order of compare_list, otherwise Django will order ascending
* adding change component button to change what the prime component of comparison is. Still has work todo
* changed to allow user passed in for parsing
* remove commented out code from template
* Add UI for legacy statement display. Also fix StatementTypeEnum. (#1644)
* [WIP] UI to display legacy control impl smts. Create a conditional display of legacy control implementation statements in control editor page. Also widen width of display of editor control statements to 1250px.
* Improve display of legacy statement
* StatementTypeEnum fixes. Closes #1643. Set all `StatementTypeEnum.<LABEL>.value` to `StatementTypeEnum.<LABEL>.name` in order for relevant label/term to show up in Django database admin interface. Set component library detail page Systems tab to not be inactive, thereby removing the content from the System tab showing up on the Control Implementation Statements tab. Update controls.tests.
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Update CHANGELOG
* fixing styling of portfolio table
* using django guardian ObjectPermissionChecker to prefetch permissions. Directly check permissions, to avoid N+1 query of perms with get_obj_perms
* hide_registration revert
* formatting for sid
* Use StatementEnum.*.name value
* removing change component comparison button for now.
* implemented persistent storage of checks by changing value in hidden input with jquery. Clears storage after clicking compare button or deselecting all
* Use one import record for entire file
* More OSCALize id fixes. Proper Create/Update/Del of smts
* Display other_statement count on confirm import delete
* test test_portfolio_projects
* Add project, system.root_element to import_record. Add project and system.root_element to import_record in order to auto delete the project and system (and root element) when the import process for importing legacy control impl smts also creates the project.
* name not value for statement enums
* Sometimes there are no parameters and that is okay; it is caught by the try/except block.
* Capitalize mission for test
* name not value for enums
* capital impact... Impact
* testing parse for version
* missed one get
* is_prerelease not dev release
* using is_prerelease works for checking dev
* need to force login as authenticated user and then reset login
* url
* snyk update to avoid SQL injection vuln found in Django 3.2.4
* check if previously checked and if so then don't hide compare button.
* fix conflicting migrations detected
* systems-security-sensitivity-level
* Fix controls/0052 StatementTypeEnum migration (#1648)
  Co-authored-by: Greg Elin <Greg Elin>
* Update CHANGELOG.md (#1647)
* Configure users on install. New govready_users parameter in local/environment.json to create sample users on install.
* Add Wazuh collection form to Assessments page (#1651)
* Add Wazuh info via end-user form
* Create SecurityService class to represent Security Service. Create `sec_srvc.SecurityService` class to represent a security service from which data could be collected. Add form to Assessments page to collect info from Wazuh SecurityService.
* Fix sec_srvc.py
* Abstracted and made a few improvements
* Fix uuid error
* Fix testing for fields
  Co-authored-by: Greg Elin <greg.elin@govready.com>
  Co-authored-by: Alexander Ward <alexander.ward1@gmail.com>
* checking for dev user creation pw. Create reg users not admin.
* Add CMMC baselines, assign baselines (#1649)
* Improve CMMC links, add OSCAL methods for link content. Improve CMMC catalog links to link to NIST 800-53 in GovReady. Add methods to OSCAL catalog, get control_part, guidance links. Add get_control_part_by_name, get_control_guidance_links, get_guidance_related_links_by_value_in_href, and get_guidance_related_links_text_by_value_in_href to make getting link content easier.
* Display related controls as links in control guidance
* Properly assign CMMC baselines
* Remove debugging print statements
* Fix typo
* Properly use StatementTypeEnum when saving smts
  Co-authored-by: Greg Elin <greg.elin@govready.com>
  Co-authored-by: Greg Elin <Greg Elin>
* first_run finishing touch
* Fix assessment summary link to wazuh (#1653)
* Add Wazuh info via end-user form
* Create SecurityService class to represent Security Service. Create `sec_srvc.SecurityService` class to represent a security service from which data could be collected. Add form to Assessments page to collect info from Wazuh SecurityService.
* Fix sec_srvc.py
* Abstracted and made a few improvements
* Fix uuid error
* Fix testing for fields
* Fix assessment summary link to wazuh
  Co-authored-by: Greg Elin <greg.elin@govready.com>
  Co-authored-by: Alexander Ward <alexander.ward1@gmail.com>
* Da/dropnfill (#1654)
* adding drag and fill for component import
* client-side filetype checking
* client-side file size checking 5MB max. missing div.
* missing listed catalog for CMMC. Delete extra migration. adjust test for drag-n-fill. import_project_submit for import project view/test
* json_content not id_file
* spelling
* del
* hot fix for external catalogs
* Remove baseline controls based on control's catalog_key. Fixes failure to remove controls from another catalog when resetting baselines. (#1655)
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Update SpeedSSP ssp template for multiple catalogs (#1656)
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Update admin.py. Re-added AppInput.
* new line fix
* fixed bug where id doesn't exist yet in db
* pinning jinja and installing compliance-trestle with unpinning of markupsafe in order to validate oscal 1.0.0.
* revert some changes to ssp-def for now and added source to statement model.
* ensure source and uuid are added correctly to import/export of component-definition
* adding oscal-version to element model. clean up output title
* replaced component-definition for test data with official oscal 1.0.0 example component
* lowering the amount of output for circleci
* fixing exceptions
* update example link
* WIP on updating system-security-plan definition.
* missing uuid and 2 removed
* SSP export now includes the uuid and version from the root_element object
* fixing up some module logic to include real uuid and oscal version
* uuid not id
* Import component control statement even if catalog not found. Remove test to see if control exists in control catalog when importing a component because we may import a component that has controls from a catalog that is not yet in GovReady. The test on the control id being in the catalog was originally done to avoid importing a bad control (or bad control id). But it is worse to not be able to import the component because we don't yet have a control catalog mentioned by the component.
* Display component, smts even if catalog missing. Do not crash on displaying a component and component control implementation statement when a catalog associated with statements is missing from GovReady-Q install.
* Ge/data grid question (#1667)
* Improve appearance of data grid question. Display datagrid question wider and with smaller fonts. Support datagrid specifying select type cell.
* Display legacy smt in system selected controls; fix component counts. Fix count on project system's components associated with a control (avoid double counting). Display existence of legacy statement in project system's selected controls.
* Fix typo
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Adjust test to new rule of importing controls with bad catalog
* natsorting implementation statements before grouping by sid. Providing statement's uuid. Ensuring all requirements are added to final control implementation dictionary. Dealing with empty or incorrect catalogs. Fixed up smt parse.
* If no statements are created then delete empty component
* OSCAL SSP almost implemented, just need to finish implemented reqs.
* OSCALSystemSecurityPlanSerializer is getting there, still have some fields to fill.
* added new function OSCAL_ssp_export in order to export a system's security plan in OSCAL; this replaces the usual JSON export. Added several fields of data for OSCAL SSP.
* Coverage 6.0b1 starts to use a modern hash algorithm (sha256) when fingerprinting for high-security environments. Updating the requirements and Changelog.
* added a proxy for parties and responsible parties for component oscal export
* a couple tweaks for comp
* todo for ssp validation with trestle
* read validate ssp with trestle
* revert discussion test change.
* extra file
* test_path?
* delete invalid test files
* fixing up implementation and testing of validation of extension.
* remove extra addition for .doc
* var sleep?
* bad test case
* adding some comments. Better logging/messaging for schema. Fixed splitting of control id.
* Added test of OSCAL ssp export.
* explicitly login as user
* test baseline json file should be test_baselines.json not baseline
* create system
* check part correctly. test fix
* get system from self
* try/except
* last try
* done
* Remove duplicate loads of select2 in base.html
* Da/cleanup export sspcsv (#1674)
* created a de-oscalizing function and applied to selected controls on import.
* some super route way of making sure the catalogs produce 3.1.
* add test of de_oscalize_control
* Da/discussion updates (#1675)
* get task for the attached object. added some more notes
* fixed signature for getting a task for the attached object.
* Added get_discussion_autocompletes changes to get the organization from the discussion (should be 1 to 1). If another model wants to implement it they can look at the get_discussion_autocompletes in TaskAnswer
* Added get_discussion_autocompletes changes to get the organization from the discussion (should be 1 to 1). If another model wants to implement it they can look at the get_discussion_autocompletes in TaskAnswer
* addressing shell script issues for dockerfile_exec_gunicorn.sh from GH issues 1659 (#1670)
  Co-authored-by: root <root@MSI.localdomain>
* Some controls have characters that we currently don't expect. However it shouldn't just return an empty string as this errors out. Also the controls are already in oscal format. (#1676)
* Auto-start a particular project (#1640)
* [WIP] Auto-start a particular project. Enable the auto-starting of a particular project, e.g., start a project without having to visit the compliance app store. Eventually, start a project and launch the first question.
* Rename auto start app variables
* Finish project auto start, auto start question, redirect actions. Complete work on automatically starting a project defined by a System Setting. Allow the auto start system setting to define the project template (e.g. compliance app) to use and even the module to automatically start. Also add new question actions to redirect to project page or project component after answering a question.
  TO DO:
  - Add error handling (e.g., missing/incorrect project)
  - Add tests
* Bump VERSION
  Co-authored-by: Greg Elin <Greg Elin>
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Move Catalog data into database, faster control select autocomplete (#1673)
* Move Catalog data into database, faster control select autocomplete. Move control catalog data into database so catalogs shipped with GovReady and user added catalogs are all accessed in database. Also faster reading in containers. Adjust first_run to load catalogs. Speed up autocomplete by only selecting matching controls.
* Fix tests: add catalogs to db in setup
* Read baselines from database
* Sync with 0.9.7
* Fix tests
* Fix tests 2
* Use better DB query instead of closure
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Ge/mvp july 2021 (#1679)
* [WIP] Auto-start a particular project. Enable the auto-starting of a particular project, e.g., start a project without having to visit the compliance app store. Eventually, start a project and launch the first question.
* Rename auto start app variables
* Provide selected component data to project page
* Finish project auto start, auto start question, redirect actions. Complete work on automatically starting a project defined by a System Setting. Allow the auto start system setting to define the project template (e.g. compliance app) to use and even the module to automatically start. Also add new question actions to redirect to project page or project component after answering a question.
  TO DO:
  - Add error handling (e.g., missing/incorrect project)
  - Add tests
* Add route for single system-component-control
* issue in bootstrap
* better styling for the drag-n-fill area
* missing carrot. reverting the removal of project import form done in 29ff7c2
* Fix skip buttons and question action crash
* Update CHANGELOG.md
* Update CHANGELOG.md
* Produce dictionary of producer_element control impl smts
* Templatetags for math
* Calculate dict of element ctl impl smts status
  Co-authored-by: Greg Elin <Greg Elin>
  Co-authored-by: Greg Elin <greg.elin@govready.com>
  Co-authored-by: davidpofo <dampofo@umd.edu>
* Improve search of control selection auto complete (#1681)
* Improve Control Search, migrate CatalogData to Django models.JSONField
* Dramatically improve control selection auto-complete
* Further improve add smt control select and form. Refactor add_statement form. Better UI with "Add Statement" button in center. Better alignment. Validate control is set before saving to avoid error. Remove unneeded Delete button. Show/hide "Add Statement" button appropriately.
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Include 'Add component statement' btn when component has no smts (#1682)
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Fix first_run and add friendlier component import by refactoring source catalog handling (#1683)
* Move user creation earlier in first_run
* Update sample components to OSCAL 1.0.0
* Friendlier component import, refactor source catalog handling. Import components and their statements even when catalog not found or statement control ids are not found in referenced catalog.
* Fix source of sample components
* bump version
* Fix name of ILIAS component
* Use faster bulk_create importing components
* Small fixes and synchronizations
* Comment out soon-to-be deprecated account settings
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Bump version
  Co-authored-by: alexanderward <alexander.ward1@gmail.com>
  Co-authored-by: Greg Elin <greg.elin@govready.com>
  Co-authored-by: davidpofo <dampofo@umd.edu>
  Co-authored-by: Greg Elin <Greg Elin>
  Co-authored-by: mike <mike.guelfi@gmail.com>
  Co-authored-by: Mike Guelfi <52943685+mguelfi@users.noreply.github.com>
  Co-authored-by: Ward <12001004185765@FEDIDCARD.GOV>
  Co-authored-by: root <root@MSI.localdomain>
gregelin added a commit that referenced this pull request Aug 16, 2021
* fixed control and sectioning for components in system
* check for security impact level statement when updating. Re-adding retrieval of security impact levels. todo on separate form for levels.
* adding component_state and component_type to system component and component library display. including component_metadata template to keep styling consistent
* pulling in some of the information from statement about system. Rest would come from questionnaires. system_information_types is not used at all.
* a todo for fisma impact level renaming
* added project_security_objs_edit to edit security objectives separately from project editing.
* update changelog and some wording in the modal
* Move action-button styles from inline to style section
* two views/urls for editing component state and type
* adding component type and state to ElementForm
* adding just the display of the state and type to component library components, not the ability to change.
* changelog
* FISMA IMPACT LEVEL is now SECURITY SENSITIVITY LEVEL
* Work in progress
* Work in progress
* Da/quick insert (#1601)
* make sure component_type not element_type is exported
* ssp versions should be floats not integers. Information types needs a uuid
* adding empty placeholders for the required keys.
* using updated for component version
* party-uuids is still a todo
* categorizations is still a todo
* parties is still a todo
* Fix system ctl detail page err; Improve creating smt from prototypes (#1602). Refactor creating system control statements from component library prototype statements when adding a component from the library to a system and reduce by an order of magnitude the time it takes to add a component to system. Rename smt.create_instance_from_prototype to smt.create_system_control_smt_from_component_prototype_smt. Fix bug breaking rendering of system's control detail page by removing an errant login_required decorator on a function. Add test for system control page. Will add test(s) for system control detail page.
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Automatically clear, refresh output document content downloading docs. Performance of document generation now sufficiently fast to not require cache and manual "Refresh documents" button.
* remove comments. changelog
* Fixed an issue where statement didn't exist while exporting to oscal (#1605)
* Fixed an issue where statement didn't exist while exporting to oscal
* Update CHANGELOG
  Co-authored-by: Alexander Ward <alexander.ward1@gmail.com>
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Align Delete section on project settings (#1604)
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Update CHANGELOG
* Ge/file upload extensions (#1607)
* Accepts file uploads with capitalized extensions, e.g. ".JPG". Adjust file upload validator to recognize capitalized extensions and also recognize ".jpeg" in addition to ".jpg".
* Add tests for validating uppercase extensions on file uploads
* Add test fixture data
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Batch update cntl impl smts when component_statement changes. Implemented a faster way to update status of system controls. When user sets a system component state to "operational" all statements associated with that component for the system get their status set to "Implemented". Similarly, setting component’s state to "planned" batch sets all component statements for that system to "Planned", and "under-development" sets component statements to "Partially Implemented". Display system component component_state and component_type when component is listed for a system.
* More okta changes
* export a project's ssp control implementations with export form (#1611)
* export a project's ssp control implementations with export form
* remove comments
* Correct slugify import
* Security update Python 3.2.4 due to https://snyk.io/vuln/SNYK-PYTHON-DJANGO-1298665
* Polish SSP control CSV export form
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Add 'Create a template' button to template library (#1610)
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* Content-Security-Policy header permit images (*), videos youtube, vimeo
* quick fix for auth
* quick fix for auth
* quick fix for auth
* quick fix for auth
* quick fix for auth
* Force controls csv to download to browser
* quick fix for auth
* quick fix for auth
* test
* test
* test
* test
* test
* last fix and vuln update for django
* last fix and vuln update for django
* 'Back' link to question to take user to previous question (#1612)
* 'Back' link to question to take user to previous question
* Update guidedmodules/views.py. Refactor pulling back_url into project_form
  Co-authored-by: davidpofo <dampofo@umd.edu>
* Improve back-button styling
  Co-authored-by: Greg Elin <Greg Elin>
  Co-authored-by: davidpofo <dampofo@umd.edu>
  Co-authored-by: Greg Elin <greg.elin@govready.com>
* WIP: Side-by-side comparison of components (#1620)
* created checkbox and form for submitting components for comparison. created rough start for displaying differences between prime component and rest
* for now just implementing two comparison
* click to read full text after 50 chars
* styling and added Control part
* displaying comparisons for x number of component statements against the prime component. Styling and abstracted out the comparison block into an included template
* check for pid
* removing detail/summary, not really necessary
* Condense comparison listings into rows of a single table
  Co-authored-by: Greg Elin <Greg Elin>
* Update CHANGELOG.md
* Rename 'compare' column to 'select' in component library (#1626)
  Co-authored-by: Greg Elin <Greg Elin>
* Remove portfolio selection modal from Start a Project process. Start projects in user's default portfolio to reduce the clicks starting a project. Use the User.create_default_portfolio_if_missing method consistently to create the user's default portfolio. Remove the PortfolioSignupForm because registration is no longer used in registering users. Remove the '"project_form": AddProjectForm(request.user ...' passed into many templates because the navbar start app option no longer brings up the portfolio select modal.
* Update tests for default portfolio
* Bump VERSION, CHANGELOG
* Update CHANGELOG VERSION
* Add button, form to add AppSource via upload of zip file. Add button, form to App Store to provide front-end UI for administrators to add an AppSource by uploading a zip file. This simplifies setting up an AppSource for first time users. Implementation only validates that uploaded directory is a zip file, does not check if uploaded zip file is valid AppSource directory structure. Implementation assumes apps are in the 'apps' directory.
* Link to library version of component from a system's selected control component
* Display systems using a component (#1618)
* Display systems using a component. Add method controls.element.consuming_systems to produce list of systems consuming (e.g., containing) the element. Add tab to component library component detail page to display list of systems containing the component. Also, always display OSCAL tab in component library for component detail (rather than conditional on 'enable_experimental_opencontrol' parameter).
* Show component system count in tab, better projects.exists query * Replace list compression with query filters Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: davidpofo <dampofo@umd.edu> * Ge/fulltext search (#1631) * Add fulltext smt search to component library search * Note fulltext search in CHANGELOG Co-authored-by: Greg Elin <Greg Elin> * check if we are in a portfolio when starting a project. If so then use that portfolio and not the default for the user. * fixed a bug where Elements of type system were shown in the selected components for a project * Addressing github issue 1630 in group id matching. fixed a bug where Elements of type system were shown in the selected components for a project. * Add YAML intermediary file for CMMC * try/except to still do the component search for non-Postgres users. (#1633) * Add a 'blank' project with no questions useful for batch project creation (#1634) Co-authored-by: Greg Elin <Greg Elin> * td not th * Polish security objective ui * Avoid errors when project has no root_task set * Better project name when no root task set * Align project name when listing project with no root task * Support CMMC ver 1 OSCAL catalog * Fix typo * Add 'blank' compliance app to first_run * Append '-dev' to version number * Legacy Statements added as statements for import * Updating regex * Del size limit on speedyssp img upload * updated column for imp statements * Fix test shipped catalogs count * td not th * Revert "td not th" This reverts commit e7e8b9c * these values are safe * removing extra differences obj. * safe and efficiency * adding select/deselect all. checkbox container wrap. * control structure for compare button toggle * Maintain sort order of compare_list otherwise Django will order ascending * adding change component button to change what the prime component of comparison is. 
Still has work todo * changed to allow user passed in for parsing * remove commented out code from template * Add UI for legacy statement display. Also fix StatementTypeEnum. (#1644) * [WIP] UI to display legacy control impl smts Create a conditional display of legacy control implementation statements in control editor page. Also widen width of display of editor control statements to 1250px. * Improve display of legacy statement * StatementTypeEnum fixes. Closes #1643 Set all `StatementTypeEnum.<LABEL>.value` to `StatementTypeEnum.<LABEL>.name` in order for relevant label/term to show up in Django database admin interface. Set component library detail page Systems tab to not be inactive thereby removing the content from the System tab showing up on the Control Implementation Statements tab. Update controls.tests. Co-authored-by: Greg Elin <greg.elin@govready.com> * Update CHANGELOG * fixing styling of portfolio table * using django guardian ObjectPermissionChecker to prefetch permissions. Directly check permissions, to avoid N+1 query of perms with get_obj_perms * hide_registration revert * formatting for sid * Use StatementEnum.*.name value * removing change component comparison button for now. * implemented persistent storage of checks by changing value in hidden input with jquery. Clears storage after clicking compare button or deselecting all * Use one import record for entire file * More OSCALize id fixes. Proper Create/Update/Del of smts * Display other_statement count on confirm import delete * test test_portfolio_projects * Add project, system.root_element to import_record Add project and system.root_element to import_record in order to auto delete the project and system (and root element) when the import process for importing legacy control impl smts also creates the project. * name not value for statement enums * Sometimes there are not parameters and that is okay it is caught by the try/except block. 
* Captialize mission for test * name not value for enums * captial impact... Impact * testing parse for version * missed one get * is_prerelease not dev release * using is_prerelease works for checking dev * need to force login as authenticated user and then reset login * url * snyk update to avoid SQL injection vuln found in Django 3.2.4 * check if previously checked and if so then don't hide compare button. * fix conflicting migrations detected * systems-security-sensitivity-level * Fix controls/0052 StatementTypeEnum migration (#1648) Co-authored-by: Greg Elin <Greg Elin> * Update CHANGELOG.md (#1647) * Configure users on install New govready_users parameter in local/environment.json to create sample users on install. * Add Wazuh collection form to Assessments page (#1651) * Add Wazuh info via end-user form * Create SecurityService class to represent Security Service Create `sec_srvc.SecurityService` class to represent a security service from which data could be collected. Add form to Assessments page to collect info from Wazuh SecurityService. * Fix sec_srvc.py * Abstracted and made a few improvements * Fix uuid error * Fix testing for fields Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> * checking for dev user creation pw. Create reg users not admin. * Add CMMC baselines, assign baselines (#1649) * Improve CMMC links, add OSCAL methods for link content Improve CMMC catalog links to link to NIST 800-53 in GovReady. Add methods to OSCAL catalog, get control_part, guidance links Add get_control_part_by_name, get_control_guidance_links, get_guidance_related_links_by_value_in_href, and get_guidance_related_links_text_by_value_in_href to make getting link content easier. 
* Display related controls as links in control guidance * Properly assign CMMC baselines * Remove debugging print statements * Fix typo * Properly use StatementTypeEnum when saving smts Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Greg Elin <Greg Elin> * first_run finishing touch * Fix assessment summary link to wazuh (#1653) * Add Wazuh info via end-user form * Create SecurityService class to represent Security Service Create `sec_srvc.SecurityService` class to represent a security service from which data could be collected. Add form to Assessments page to collect info from Wazuh SecurityService. * Fix sec_srvc.py * Abstracted and made a few improvements * Fix uuid error * Fix testing for fields * Fix assessment summary link to wazuh Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> * Da/dropnfill (#1654) * adding drag and fill for component import * client-side filetype checking * client-side file size checking 5MB max. missing div. * missing listed catalog for CMMC. Delete extra migration. adjust test for drag-n-fill. import_project_submit for import project view/test * json_content not id_file * spelling * del * hot fix for external catalogs * Remove baseline controls based on control's catalog_key. Fixes failure to remove controls from another catalog when resetting baselines. (#1655) Co-authored-by: Greg Elin <greg.elin@govready.com> * Update SpeedSSP ssp template for multiple catalogs (#1656) Co-authored-by: Greg Elin <greg.elin@govready.com> * Update admin.py Readded AppInput * new line fix * fixed bug where id doesn't exist yet in db * pinning jinja and installing compliance-trestle with unpinning of markupsafe in order to validate oscal 1.0.0. * revert some changes to ssp-def for now and added source to statement model. * ensure source and uuid are added correctly to import/export of component-definition * adding oscal-version to element model. 
clean up output title * replaced component-defintion for test data with official oscal 1.0.0 example component * lowering the amount of output for circleci * fixing exceptions * update example link * WIP on updating system-security-plan definition. * missing uuid and 2 removed * SSP export now includes the uuid and version from the root_element object * fixing up some module logic to include real uuid and oscal version * uuid not id * Import component control statement even if catalog not found Remove test to see of control exists in control catalog when importing a component because we may import a component that has controls from a catalog that is not yet in GovReady. The test on the control id being in the catalog was originally done to avoid importing a bad control (or bad control id). But it is worse to not be able to import the component because we don't yet have the a control catalog mentioned by the component. * Display component, smts even if catalog missing Do not crash on displaying a component and component control implementation statement when a catalog associated with statements is missing from GovReady-Q install. * Ge/data grid question (#1667) * Improve appearance of data grid question Display datagrid question wider and with smaller fonts. Support datgrid specifying select type cell. * Display legacy smt in system selected controls; fix component counts Fix count on project system's components associated with a control (avoid double counting). Display existance of legacy statement in project system's selected controls. * Fix typo Co-authored-by: Greg Elin <greg.elin@govready.com> * Adjust test to new rule of importing controls with bad catalog * natsorting implementation statements before grouping by sid. Providing statement's uuid. Ensuring all requirements are added to final control implementation dictionary. dealing with empty or incorrect catalogs. Fixed up smt parse. 
* If no statements are created then delete empty component * OSCAL SSP almost implemented just need to finish implemented reqs. * OSCALSystemSecurityPlanSerializer is getting there still have some fields to fill. * added new function OSCAL_ssp_export in order to export a system's security plan in OSCAL, this replaces the usual JSON export. Added a several fields of data for OSCAL SSP. * Coverage 6.0b1 starts to use a modern hash algorithm (sha256) when fingerprinting for high-security environments. Updating the requirements and Changelog. * added a proxy for parties and responsible parties for component oscal export * a couple tweaks for comp * todo for ssp validation with trestle * read validate ssp with trestle * revert discussion test change. * extra file * test_path? * delete invalid test files * fixing up implementation and testing of validation of extension. * remove extra addition for .doc * var sleep? * bad test case * adding some comments. Better logging/messaging for schema. Fixed splitting of control id. * Added test of OSCAL ssp export. * explicitly login as user * test baseline json file should be test_baselines.json not baseline * create system * check part correctly. test fix * get system from self * try/except * last try * done * Remove duplicate loads of select2 in base.html * Da/cleanup export sspcsv (#1674) * created a de-oscalizing function and applied to selected controls on import. * some super route way of making sure the catalogs produce 3.1. * add test of de_oscalize_control * Da/discussion updates (#1675) * get task for the attached object. added some more notes * fixed signature for getting a task for the attached object. * Added get_discussion_autocompletes changes to get the organization from the discussion(should be 1 to 1). If another models wants to implement it they can look at the get_discussion_autocompletes in TaskAnswer * Added get_discussion_autocompletes changes to get the organization from the discussion(should be 1 to 1). 
If another models wants to implement it they can look at the get_discussion_autocompletes in TaskAnswer * addressing shell script issues for dockerfile_exec_gunicorn.sh from GH issues 1659 (#1670) Co-authored-by: root <root@MSI.localdomain> * Some controls have characters that we currently don't expect. However it shouldn't just return an empty string as this errors out. Also the controls are already in oscal format. (#1676) * Auto-start a particular project (#1640) * [WIP] Auto-start a particular project Enable the auto-starting of a particular project, e.g., start a project without having to visit the compliance app store. Eventually, start a project and launch the first question. * Rename auto start app variables * Finish project auto start, auto start question, redirect actions Complete work on automatically starting a project defined in by a System Setting. Allow the auto start system setting to define the project template (e.g. compliance app) to use and even the module to automatically start. Also add new question actions to redirect to project page or project component after answering a question. TO DO: - Add error handling (e.g., missing/incorrect project) - Add tests * Bump VERSION Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: Greg Elin <greg.elin@govready.com> * Move Catalog data into database, faster control select autocomplete (#1673) * Move Catalog data into database, faster control select autocomplete Move control catalog data into database so catalogs shipped with GovReady and user added catalogs all accessed in database. Also faster reading in containers. Adjust first_run to load catalogs. Speed up auocomplete by only selecting matching controls. 
* Fix tests: add catalogs to db in setup * Read baselines from database * Sync with 0.9.7 * Fix tests * Fix tests 2 * Use better DB query instead of closure Co-authored-by: Greg Elin <greg.elin@govready.com> * Ge/mvp july 2021 (#1679) * [WIP] Auto-start a particular project Enable the auto-starting of a particular project, e.g., start a project without having to visit the compliance app store. Eventually, start a project and launch the first question. * Rename auto start app variables * Provide selected ocmponent data to project page * Finish project auto start, auto start question, redirect actions Complete work on automatically starting a project defined in by a System Setting. Allow the auto start system setting to define the project template (e.g. compliance app) to use and even the module to automatically start. Also add new question actions to redirect to project page or project component after answering a question. TO DO: - Add error handling (e.g., missing/incorrect project) - Add tests * Add route for single system-component-control * issue in bootstrap * better styling for the drag-n-fill area * missing carrot. reverting the removal of project import form done in 29ff7c2 * Fix skip buttons and question action crash * Update CHANGELOG.md * Update CHANGELOG.md * Produce dictionary of producer_element control impl smts * Templatetags for math * Calculate dict of element ctl impl smts status Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: davidpofo <dampofo@umd.edu> * Improve search of control selection auto complete (#1681) * Improve Control Search, migrate CatalogData to Django models.JSONField * Dramatically improve control selection auot-complete * Further improve add smt control select and form Refactor add_statement form. Better UI with "Add Statement" button in center. Better alignment. Validate control is set before saving to avoid error. Remove unneeded Delete button. 
Show/hide "Add Statement button appropriately. Co-authored-by: Greg Elin <greg.elin@govready.com> * Include 'Add component statement' btn when component has no smts (#1682) Co-authored-by: Greg Elin <greg.elin@govready.com> * Fix first_run and add friendlier component import by refactoring source catalog handling (#1683) * Move user creation earlier in first_run * Update sample components to OSCAL 1.0.0 * Friendlier component importart, refactor source catalog handling Import components and their statements even when catalog not found or statement control ids are not found in referenced catalog. * Fix source of sample components * bump version * Fix name of ILIAS component * Use faster bulk_create importing components * Small fixes and synchronizations * Comment out soon-to-be deprecated account settings Co-authored-by: Greg Elin <greg.elin@govready.com> * Fix adding catalog_key during new smt creation (#1686) * Fix adding catalog_key during new smt creation * Avoid creating orphaned smt when adding smt in cmpt library * Fix test * Fix tests Co-authored-by: Greg Elin <greg.elin@govready.com> * Add migration to load default catalogs to DB (#1687) Co-authored-by: Greg Elin <greg.elin@govready.com> * Ge/migrate add catalog data 2 (#1688) * Add migration to load default catalogs to DB * Remove loading catalogdata in first_frun Co-authored-by: Greg Elin <greg.elin@govready.com> * Manage component tags in OSCAL components (#1685) * Bump version * Export/import tags for OSCAL components * Add component tags to OSCAL SSPs * Add tags to sample components * Refactor importing tags * Nest SQLITE timeout to fix database locking in tests Co-authored-by: Greg Elin <greg.elin@govready.com> * Bump version Co-authored-by: davidpofo <dampofo@umd.edu> Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: mike <mike.guelfi@gmail.com> Co-authored-by: Alexander Ward <alexander.ward1@gmail.com> Co-authored-by: Mike Guelfi <52943685+mguelfi@users.noreply.github.com> Co-authored-by: Greg 
Elin <greg.elin@govready.com> Co-authored-by: Ward <12001004185765@FEDIDCARD.GOV> Co-authored-by: root <root@MSI.localdomain>
gregelin
added a commit
that referenced
this pull request
Aug 17, 2021
clean up output title * replaced component-defintion for test data with official oscal 1.0.0 example component * lowering the amount of output for circleci * fixing exceptions * update example link * WIP on updating system-security-plan definition. * missing uuid and 2 removed * SSP export now includes the uuid and version from the root_element object * fixing up some module logic to include real uuid and oscal version * uuid not id * Import component control statement even if catalog not found Remove test to see of control exists in control catalog when importing a component because we may import a component that has controls from a catalog that is not yet in GovReady. The test on the control id being in the catalog was originally done to avoid importing a bad control (or bad control id). But it is worse to not be able to import the component because we don't yet have the a control catalog mentioned by the component. * Display component, smts even if catalog missing Do not crash on displaying a component and component control implementation statement when a catalog associated with statements is missing from GovReady-Q install. * Ge/data grid question (#1667) * Improve appearance of data grid question Display datagrid question wider and with smaller fonts. Support datgrid specifying select type cell. * Display legacy smt in system selected controls; fix component counts Fix count on project system's components associated with a control (avoid double counting). Display existance of legacy statement in project system's selected controls. * Fix typo Co-authored-by: Greg Elin <greg.elin@govready.com> * Adjust test to new rule of importing controls with bad catalog * natsorting implementation statements before grouping by sid. Providing statement's uuid. Ensuring all requirements are added to final control implementation dictionary. dealing with empty or incorrect catalogs. Fixed up smt parse. 
* If no statements are created then delete empty component * OSCAL SSP almost implemented just need to finish implemented reqs. * OSCALSystemSecurityPlanSerializer is getting there still have some fields to fill. * added new function OSCAL_ssp_export in order to export a system's security plan in OSCAL, this replaces the usual JSON export. Added a several fields of data for OSCAL SSP. * Coverage 6.0b1 starts to use a modern hash algorithm (sha256) when fingerprinting for high-security environments. Updating the requirements and Changelog. * added a proxy for parties and responsible parties for component oscal export * a couple tweaks for comp * todo for ssp validation with trestle * read validate ssp with trestle * revert discussion test change. * extra file * test_path? * delete invalid test files * fixing up implementation and testing of validation of extension. * remove extra addition for .doc * var sleep? * bad test case * adding some comments. Better logging/messaging for schema. Fixed splitting of control id. * Added test of OSCAL ssp export. * explicitly login as user * test baseline json file should be test_baselines.json not baseline * create system * check part correctly. test fix * get system from self * try/except * last try * done * Remove duplicate loads of select2 in base.html * Da/cleanup export sspcsv (#1674) * created a de-oscalizing function and applied to selected controls on import. * some super route way of making sure the catalogs produce 3.1. * add test of de_oscalize_control * Da/discussion updates (#1675) * get task for the attached object. added some more notes * fixed signature for getting a task for the attached object. * Added get_discussion_autocompletes changes to get the organization from the discussion(should be 1 to 1). If another models wants to implement it they can look at the get_discussion_autocompletes in TaskAnswer * Added get_discussion_autocompletes changes to get the organization from the discussion(should be 1 to 1). 
If another models wants to implement it they can look at the get_discussion_autocompletes in TaskAnswer * addressing shell script issues for dockerfile_exec_gunicorn.sh from GH issues 1659 (#1670) Co-authored-by: root <root@MSI.localdomain> * Some controls have characters that we currently don't expect. However it shouldn't just return an empty string as this errors out. Also the controls are already in oscal format. (#1676) * Auto-start a particular project (#1640) * [WIP] Auto-start a particular project Enable the auto-starting of a particular project, e.g., start a project without having to visit the compliance app store. Eventually, start a project and launch the first question. * Rename auto start app variables * Finish project auto start, auto start question, redirect actions Complete work on automatically starting a project defined in by a System Setting. Allow the auto start system setting to define the project template (e.g. compliance app) to use and even the module to automatically start. Also add new question actions to redirect to project page or project component after answering a question. TO DO: - Add error handling (e.g., missing/incorrect project) - Add tests * Bump VERSION Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: Greg Elin <greg.elin@govready.com> * Move Catalog data into database, faster control select autocomplete (#1673) * Move Catalog data into database, faster control select autocomplete Move control catalog data into database so catalogs shipped with GovReady and user added catalogs all accessed in database. Also faster reading in containers. Adjust first_run to load catalogs. Speed up auocomplete by only selecting matching controls. 
* Fix tests: add catalogs to db in setup * Read baselines from database * Sync with 0.9.7 * Fix tests * Fix tests 2 * Use better DB query instead of closure Co-authored-by: Greg Elin <greg.elin@govready.com> * Ge/mvp july 2021 (#1679) * [WIP] Auto-start a particular project Enable the auto-starting of a particular project, e.g., start a project without having to visit the compliance app store. Eventually, start a project and launch the first question. * Rename auto start app variables * Provide selected ocmponent data to project page * Finish project auto start, auto start question, redirect actions Complete work on automatically starting a project defined in by a System Setting. Allow the auto start system setting to define the project template (e.g. compliance app) to use and even the module to automatically start. Also add new question actions to redirect to project page or project component after answering a question. TO DO: - Add error handling (e.g., missing/incorrect project) - Add tests * Add route for single system-component-control * issue in bootstrap * better styling for the drag-n-fill area * missing carrot. reverting the removal of project import form done in 29ff7c2 * Fix skip buttons and question action crash * Update CHANGELOG.md * Update CHANGELOG.md * Produce dictionary of producer_element control impl smts * Templatetags for math * Calculate dict of element ctl impl smts status Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: davidpofo <dampofo@umd.edu> * Improve search of control selection auto complete (#1681) * Improve Control Search, migrate CatalogData to Django models.JSONField * Dramatically improve control selection auot-complete * Further improve add smt control select and form Refactor add_statement form. Better UI with "Add Statement" button in center. Better alignment. Validate control is set before saving to avoid error. Remove unneeded Delete button. 
Show/hide "Add Statement button appropriately. Co-authored-by: Greg Elin <greg.elin@govready.com> * Include 'Add component statement' btn when component has no smts (#1682) Co-authored-by: Greg Elin <greg.elin@govready.com> * Fix first_run and add friendlier component import by refactoring source catalog handling (#1683) * Move user creation earlier in first_run * Update sample components to OSCAL 1.0.0 * Friendlier component importart, refactor source catalog handling Import components and their statements even when catalog not found or statement control ids are not found in referenced catalog. * Fix source of sample components * bump version * Fix name of ILIAS component * Use faster bulk_create importing components * Small fixes and synchronizations * Comment out soon-to-be deprecated account settings Co-authored-by: Greg Elin <greg.elin@govready.com> * Fix adding catalog_key during new smt creation (#1686) * Fix adding catalog_key during new smt creation * Avoid creating orphaned smt when adding smt in cmpt library * Fix test * Fix tests Co-authored-by: Greg Elin <greg.elin@govready.com> * Add migration to load default catalogs to DB (#1687) Co-authored-by: Greg Elin <greg.elin@govready.com> * Ge/migrate add catalog data 2 (#1688) * Add migration to load default catalogs to DB * Remove loading catalogdata in first_frun Co-authored-by: Greg Elin <greg.elin@govready.com> * Manage component tags in OSCAL components (#1685) * Bump version * Export/import tags for OSCAL components * Add component tags to OSCAL SSPs * Add tags to sample components * Refactor importing tags * Nest SQLITE timeout to fix database locking in tests Co-authored-by: Greg Elin <greg.elin@govready.com> * Bump develop to 0.9.11-dev * Allow importcomponent script to continue or validation errors (#1690) Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: davidpofo <dampofo@umd.edu> Co-authored-by: Greg Elin <Greg Elin> Co-authored-by: mike <mike.guelfi@gmail.com> Co-authored-by: 
Alexander Ward <alexander.ward1@gmail.com> Co-authored-by: Mike Guelfi <52943685+mguelfi@users.noreply.github.com> Co-authored-by: Greg Elin <greg.elin@govready.com> Co-authored-by: Ward <12001004185765@FEDIDCARD.GOV> Co-authored-by: root <root@MSI.localdomain>
Create a compliance app project template that has no questions and no output. This is useful because it allows maintaining the current workflow of starting projects, but creates a completely blank project which can then be adjusted to specific values.
The primary use of the blank project is when batch creating dozens of projects.