chore: merge to main for release 1.13.0

.github/workflows/build_push_dev.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0

.github/workflows/build_push_release.yml

@@ -16,7 +16,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           ref: 'v${{ github.event.inputs.release }}'
       -

.github/workflows/check_backend.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Python 3.12
         uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:

.github/workflows/check_frontend.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
     - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
         node-version: 20

.github/workflows/check_vulnerabilities.yml

@@ -11,7 +11,7 @@ jobs:
     steps:
       - 
         name: Checkout code
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       -
         name: Run vulnerability scanners for code
         uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@b681a7b2089d9be0a0d84179b6fdfd9540e77680 # main

.github/workflows/generate_sboms.yml

@@ -18,7 +18,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           ref: 'v${{ github.event.inputs.release }}'
       - 

.github/workflows/publish_docs.yml

@@ -14,7 +14,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: 3.x

.github/workflows/scan_sca_current.yml

@@ -13,9 +13,9 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
-          ref: 'v1.12.0'
+          ref: 'v1.13.0'
       -
         name: Run SCA vulnerability scanners
         uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@b681a7b2089d9be0a0d84179b6fdfd9540e77680 # main

.github/workflows/scorecard.yml

@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           persist-credentials: false
 
@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2
+        uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
         with:
           sarif_file: results.sarif

backend/application/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "1.12.0"
+__version__ = "1.13.0"
 
 import pymysql
 

backend/application/access_control/api/serializers.py

@@ -17,7 +17,13 @@
 from application.core.models import Product_Member
 
 
-class UserSerializer(ModelSerializer):
+class NestedAuthorizationGroupSerializer(ModelSerializer):
+    class Meta:
+        model = Authorization_Group
+        exclude = ["users"]
+
+
+class UserListSerializer(ModelSerializer):
     permissions = SerializerMethodField()
     has_password = SerializerMethodField()
 
@@ -77,6 +83,42 @@ def get_has_password(self, obj: User) -> bool:
         # eliminate false positive, password is not hardcoded
 
 
+class UserSerializer(UserListSerializer):
+    authorization_groups = NestedAuthorizationGroupSerializer(many=True)
+
+    class Meta:
+        model = User
+        fields = [
+            "id",
+            "username",
+            "first_name",
+            "last_name",
+            "full_name",
+            "email",
+            "is_active",
+            "is_superuser",
+            "is_external",
+            "setting_theme",
+            "setting_list_size",
+            "permissions",
+            "setting_list_properties",
+            "oidc_groups_hash",
+            "is_oidc_user",
+            "date_joined",
+            "has_password",
+            "authorization_groups",
+        ]
+
+    def to_representation(self, instance: User):
+        data = super().to_representation(instance)
+
+        user = get_current_user()
+        if user and not user.is_superuser and not user.pk == instance.pk:
+            data.pop("authorization_groups")
+
+        return data
+
+
 class UserUpdateSerializer(ModelSerializer):
     class Meta:
         model = User

backend/application/access_control/api/views.py

@@ -31,6 +31,7 @@
     AuthorizationGroupUserSerializer,
     CreateApiTokenResponseSerializer,
     ProductApiTokenSerializer,
+    UserListSerializer,
     UserPasswordSerializer,
     UserPasswortRulesSerializer,
     UserSerializer,
@@ -85,6 +86,8 @@ def get_queryset(self):
         return get_users()
 
     def get_serializer_class(self):
+        if self.action == "list":
+            return UserListSerializer
         if self.action in ["create", "update", "partial_update"]:
             return UserUpdateSerializer
 

backend/application/access_control/queries/authorization_group.py

@@ -4,9 +4,6 @@
 
 from application.access_control.models import Authorization_Group
 from application.commons.services.global_request import get_current_user
-from application.core.queries.product_member import (
-    get_product_authorization_group_members,
-)
 
 
 def get_authorization_group_by_id(pk: int) -> Optional[Authorization_Group]:
@@ -24,14 +21,7 @@ def get_authorization_groups() -> QuerySet[Authorization_Group]:
 
     authorization_groups = Authorization_Group.objects.all()
 
-    if user.is_superuser or not user.is_external:
+    if user.is_superuser:
         return authorization_groups
 
-    product_authorization_group_members = get_product_authorization_group_members()
-
-    return authorization_groups.filter(
-        id__in=[
-            member.authorization_group_id
-            for member in product_authorization_group_members
-        ]
-    )
+    return authorization_groups.filter(users=user)

backend/application/access_control/queries/user.py

@@ -54,7 +54,12 @@ def get_users_without_api_tokens() -> QuerySet[User]:
 
     users = User.objects.exclude(username__startswith="-product-")
 
-    if user.is_superuser or not user.is_external:
+    if user.is_superuser:
+        return users
+
+    users = users.filter(is_active=True)
+
+    if not user.is_external:
         return users
 
     product_members = get_product_members()

backend/application/access_control/services/oidc_authentication.py

@@ -4,6 +4,7 @@
 
 import jwt
 import requests
+from django.core.cache import cache
 from django.db import IntegrityError, transaction
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
@@ -79,13 +80,18 @@ def _validate_jwt(self, token: str) -> Optional[User]:
             raise AuthenticationFailed(str(e)) from e
 
     def _get_jwks_uri(self):
-        response = requests.request(
-            method="GET",
-            url=f"{os.environ['OIDC_AUTHORITY']}/.well-known/openid-configuration",
-            timeout=60,
-        )
-        response.raise_for_status()
-        return response.json()["jwks_uri"]
+        jwks_uri = cache.get("jwks_uri")
+        if not jwks_uri:
+            response = requests.request(
+                method="GET",
+                url=f"{os.environ['OIDC_AUTHORITY']}/.well-known/openid-configuration",
+                timeout=60,
+            )
+            response.raise_for_status()
+            jwks_uri = response.json()["jwks_uri"]
+            cache.set("jwks_uri", jwks_uri, timeout=5 * 60)
+
+        return jwks_uri
 
     def _create_user(self, username: str, payload: dict) -> User:
         user = User(username=username, first_name="", last_name="", email="")

backend/application/access_control/services/roles_permissions.py

@@ -40,6 +40,7 @@ class Permissions(IntEnum):
     Product_Rule_Delete = 1303
     Product_Rule_Create = 1304
     Product_Rule_Apply = 1305
+    Product_Rule_Approval = 1306
 
     Branch_View = 1401
     Branch_Edit = 1402
@@ -132,6 +133,7 @@ def get_product_rule_permissions(cls):
             Permissions.Product_Rule_Delete,
             Permissions.Product_Rule_Create,
             Permissions.Product_Rule_Apply,
+            Permissions.Product_Rule_Approval,
         }
 
     @classmethod
@@ -228,6 +230,7 @@ def get_roles_with_permissions():
             Permissions.Product_Rule_Delete,
             Permissions.Product_Rule_Create,
             Permissions.Product_Rule_Apply,
+            Permissions.Product_Rule_Approval,
             Permissions.Branch_View,
             Permissions.Branch_Edit,
             Permissions.Branch_Delete,
@@ -269,6 +272,7 @@ def get_roles_with_permissions():
             Permissions.Product_Rule_Delete,
             Permissions.Product_Rule_Create,
             Permissions.Product_Rule_Apply,
+            Permissions.Product_Rule_Approval,
             Permissions.Branch_View,
             Permissions.Branch_Edit,
             Permissions.Branch_Delete,

backend/application/commons/api/views.py

@@ -53,13 +53,21 @@ def get(self, request):
 
 class StatusSettingsView(APIView):
     serializer_class = StatusSettingsSerializer
+    permission_classes = []
 
     @action(detail=True, methods=["get"], url_name="settings")
     def get(self, request):
         features = []
+
         settings = Settings.load()
-        if settings.feature_vex:
-            features.append("feature_vex")
+        if settings.feature_disable_user_login:
+            features.append("feature_disable_user_login")
+        if request.user.is_authenticated:
+            if settings.feature_vex:
+                features.append("feature_vex")
+            if settings.feature_general_rules_need_approval:
+                features.append("feature_general_rules_need_approval")
+
         content = {"features": features}
         return Response(content)
 

backend/application/commons/migrations/0004_settings_feature_disable_user_login.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.2.11 on 2024-04-27 17:29
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("commons", "0003_migrate_settings_data"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="settings",
+            name="feature_disable_user_login",
+            field=models.BooleanField(default=False, help_text="Disable user login"),
+        ),
+    ]

backend/application/commons/migrations/0005_settings_feature_general_rules_need_approval.py

@@ -0,0 +1,20 @@
+# Generated by Django 4.2.11 on 2024-04-30 04:52
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("commons", "0004_settings_feature_disable_user_login"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="settings",
+            name="feature_general_rules_need_approval",
+            field=models.BooleanField(
+                default=False, help_text="General rules need approval"
+            ),
+        ),
+    ]

backend/application/commons/models.py

@@ -157,6 +157,12 @@ class Settings(Model):
     feature_vex = BooleanField(
         default=False, help_text="Generate VEX documents in OpenVEX and CSAF format"
     )
+    feature_disable_user_login = BooleanField(
+        default=False, help_text="Disable user login"
+    )
+    feature_general_rules_need_approval = BooleanField(
+        default=False, help_text="General rules need approval"
+    )
 
     def save(self, *args, **kwargs):
         """