Asset/Organizations Endpoints: Patches, permission checking, and API tests (#14080)

* Update AssetSerializer fields to allow null values and set defaults

* Refactor authorization functions to use type hints for better clarity and maintainability

* Enhance permission checks to support multiple primary key attributes in post requests

* Refactor check_post_permission to use list type for post_pk parameter

* Refactor Organization serializers to handle default values for critical and key assets, and update OrganizationViewSet to use OrganizationFilterSet for filtering.

* Refactor API tests to include asset and organization endpoints, enhancing coverage for asset-related functionalities.

* Refactor permission classes to use asset and organization-specific permissions, enhancing clarity and maintainability.

* Add blank line before UserHasOrganizationGroupPermission class for improved readability

Author: Maffooch

dojo/api_v2/permissions.py

@@ -1,12 +1,14 @@
 import re
 
+from django.db.models import Model
 from django.shortcuts import get_object_or_404
 from rest_framework import permissions, serializers
 from rest_framework.exceptions import (
     ParseError,
     PermissionDenied,
     ValidationError,
 )
+from rest_framework.request import Request
 
 from dojo.authorization.authorization import (
     user_has_configuration_permission,
@@ -29,7 +31,7 @@
 )
 
 
-def check_post_permission(request, post_model, post_pk, post_permission):
+def check_post_permission(request: Request, post_model: Model, post_pk: str | list[str], post_permission: int) -> bool:
     if request.method == "POST":
         if request.data.get(post_pk) is None:
             msg = f"Unable to check for permissions: Attribute '{post_pk}' is required"
@@ -40,13 +42,13 @@ def check_post_permission(request, post_model, post_pk, post_permission):
 
 
 def check_object_permission(
-    request,
-    obj,
-    get_permission,
-    put_permission,
-    delete_permission,
-    post_permission=None,
-):
+    request: Request,
+    obj: Model,
+    get_permission: int,
+    put_permission: int,
+    delete_permission: int,
+    post_permission: int | None = None,
+) -> bool:
     if request.method == "GET":
         return user_has_permission(request.user, obj, get_permission)
     if request.method in {"PUT", "PATCH"}:
@@ -507,6 +509,25 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasAssetPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Product_Type,
+            "organization",
+            Permissions.Product_Type_Add_Product,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_View,
+            Permissions.Product_Edit,
+            Permissions.Product_Delete,
+        )
+
+
 class UserHasProductMemberPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
@@ -523,6 +544,22 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasAssetMemberPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request, Product, "asset", Permissions.Product_Manage_Members,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_View,
+            Permissions.Product_Manage_Members,
+            Permissions.Product_Member_Delete,
+        )
+
+
 class UserHasProductGroupPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
@@ -539,6 +576,22 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasAssetGroupPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request, Product, "asset", Permissions.Product_Group_Add,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_Group_View,
+            Permissions.Product_Group_Edit,
+            Permissions.Product_Group_Delete,
+        )
+
+
 class UserHasProductTypePermission(permissions.BasePermission):
     def has_permission(self, request, view):
         if request.method == "POST":
@@ -557,6 +610,24 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasOrganizationPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        if request.method == "POST":
+            return user_has_global_permission(
+                request.user, Permissions.Product_Type_Add,
+            )
+        return True
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_Type_View,
+            Permissions.Product_Type_Edit,
+            Permissions.Product_Type_Delete,
+        )
+
+
 class UserHasProductTypeMemberPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
@@ -576,6 +647,25 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasOrganizationMemberPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Product_Type,
+            "organization",
+            Permissions.Product_Type_Manage_Members,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_Type_View,
+            Permissions.Product_Type_Manage_Members,
+            Permissions.Product_Type_Member_Delete,
+        )
+
+
 class UserHasProductTypeGroupPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
@@ -595,6 +685,25 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasOrganizationGroupPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Product_Type,
+            "organization",
+            Permissions.Product_Type_Group_Add,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_Type_Group_View,
+            Permissions.Product_Type_Group_Edit,
+            Permissions.Product_Type_Group_Delete,
+        )
+
+
 class UserHasReimportPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         # permission check takes place before validation, so we don't have access to serializer.validated_data()
@@ -739,6 +848,25 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasAssetAPIScanConfigurationPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Product,
+            "asset",
+            Permissions.Product_API_Scan_Configuration_Add,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_API_Scan_Configuration_View,
+            Permissions.Product_API_Scan_Configuration_Edit,
+            Permissions.Product_API_Scan_Configuration_Delete,
+        )
+
+
 class UserHasJiraProductPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         if request.method == "POST":

dojo/asset/api/serializers.py

@@ -37,11 +37,13 @@ class AssetSerializer(serializers.ModelSerializer):
     # V3 fields
     asset_meta = ProductMetaSerializer(source="product_meta", read_only=True, many=True)
     organization = RelatedOrganizationField(source="prod_type")
-    asset_numeric_grade = serializers.IntegerField(source="prod_numeric_grade")
-    enable_asset_tag_inheritance = serializers.BooleanField(source="enable_product_tag_inheritance")
+    asset_numeric_grade = serializers.IntegerField(source="prod_numeric_grade", required=False, allow_null=True)
+    enable_asset_tag_inheritance = serializers.BooleanField(source="enable_product_tag_inheritance", required=False, default=False)
     asset_managers = serializers.PrimaryKeyRelatedField(
         source="product_manager",
-        queryset=Dojo_User.objects.exclude(is_active=False))
+        queryset=Dojo_User.objects.exclude(is_active=False),
+        required=False, allow_null=True,
+    )
 
     class Meta:
         model = Product

dojo/asset/api/views.py

@@ -43,7 +43,7 @@ class AssetAPIScanConfigurationViewSet(
     filterset_class = AssetAPIScanConfigurationFilterSet
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductAPIScanConfigurationPermission,
+        permissions.UserHasAssetAPIScanConfigurationPermission,
     )
 
     def get_queryset(self):
@@ -68,7 +68,7 @@ class AssetViewSet(
     filterset_class = ApiAssetFilter
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductPermission,
+        permissions.UserHasAssetPermission,
     )
 
     def get_queryset(self):
@@ -138,7 +138,7 @@ class AssetMemberViewSet(
     filterset_class = AssetMemberFilterSet
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductMemberPermission,
+        permissions.UserHasAssetMemberPermission,
     )
 
     def get_queryset(self):
@@ -166,7 +166,7 @@ class AssetGroupViewSet(
     filterset_class = AssetGroupFilterSet
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductGroupPermission,
+        permissions.UserHasAssetGroupPermission,
     )
 
     def get_queryset(self):