authorizations: cache results per requests if possible

Author: valentijnscholten

dojo/cred/queries.py

@@ -3,15 +3,19 @@
 
 from dojo.authorization.authorization import get_roles_for_permission, user_has_global_permission
 from dojo.models import Cred_Mapping, Product_Group, Product_Member, Product_Type_Group, Product_Type_Member
+from dojo.request_cache import cache_for_request
 
 
-def get_authorized_cred_mappings(permission, queryset=None):
+# Cached: all parameters are hashable, no dynamic queryset filtering
+@cache_for_request
+def get_authorized_cred_mappings(permission):
+    """Cached - returns all cred mappings the user is authorized to see."""
     user = get_current_user()
 
     if user is None:
         return Cred_Mapping.objects.none()
 
-    cred_mappings = Cred_Mapping.objects.all().order_by("id") if queryset is None else queryset
+    cred_mappings = Cred_Mapping.objects.all().order_by("id")
 
     if user.is_superuser:
         return cred_mappings
@@ -45,3 +49,44 @@ def get_authorized_cred_mappings(permission, queryset=None):
         | Q(product__prod_type_id__in=Subquery(authorized_product_type_groups))
         | Q(product_id__in=Subquery(authorized_product_groups)),
     )
+
+
+def get_authorized_cred_mappings_for_queryset(permission, queryset):
+    """Filters a provided queryset for authorization. Not cached due to dynamic queryset parameter."""
+    user = get_current_user()
+
+    if user is None:
+        return Cred_Mapping.objects.none()
+
+    if user.is_superuser:
+        return queryset
+
+    if user_has_global_permission(user, permission):
+        return queryset
+
+    roles = get_roles_for_permission(permission)
+
+    # Get authorized product/product_type IDs via subqueries
+    authorized_product_type_roles = Product_Type_Member.objects.filter(
+        user=user, role__in=roles,
+    ).values("product_type_id")
+
+    authorized_product_roles = Product_Member.objects.filter(
+        user=user, role__in=roles,
+    ).values("product_id")
+
+    authorized_product_type_groups = Product_Type_Group.objects.filter(
+        group__users=user, role__in=roles,
+    ).values("product_type_id")
+
+    authorized_product_groups = Product_Group.objects.filter(
+        group__users=user, role__in=roles,
+    ).values("product_id")
+
+    # Filter using IN with Subquery - no annotations needed
+    return queryset.filter(
+        Q(product__prod_type_id__in=Subquery(authorized_product_type_roles))
+        | Q(product_id__in=Subquery(authorized_product_roles))
+        | Q(product__prod_type_id__in=Subquery(authorized_product_type_groups))
+        | Q(product_id__in=Subquery(authorized_product_groups)),
+    )

dojo/endpoint/queries.py

@@ -10,17 +10,20 @@
     Product_Type_Group,
     Product_Type_Member,
 )
+from dojo.request_cache import cache_for_request
 
 
-def get_authorized_endpoints(permission, queryset=None, user=None):
-
+# Cached: all parameters are hashable, no dynamic queryset filtering
+@cache_for_request
+def get_authorized_endpoints(permission, user=None):
+    """Cached - returns all endpoints the user is authorized to see."""
     if user is None:
         user = get_current_user()
 
     if user is None:
         return Endpoint.objects.none()
 
-    endpoints = Endpoint.objects.all().order_by("id") if queryset is None else queryset
+    endpoints = Endpoint.objects.all().order_by("id")
 
     if user.is_superuser:
         return endpoints
@@ -56,15 +59,59 @@ def get_authorized_endpoints(permission, queryset=None, user=None):
     )
 
 
-def get_authorized_endpoint_status(permission, queryset=None, user=None):
+def get_authorized_endpoints_for_queryset(permission, queryset, user=None):
+    """Filters a provided queryset for authorization. Not cached due to dynamic queryset parameter."""
+    if user is None:
+        user = get_current_user()
+
+    if user is None:
+        return Endpoint.objects.none()
+
+    if user.is_superuser:
+        return queryset
+
+    if user_has_global_permission(user, permission):
+        return queryset
+
+    roles = get_roles_for_permission(permission)
+
+    # Get authorized product/product_type IDs via subqueries
+    authorized_product_type_roles = Product_Type_Member.objects.filter(
+        user=user, role__in=roles,
+    ).values("product_type_id")
+
+    authorized_product_roles = Product_Member.objects.filter(
+        user=user, role__in=roles,
+    ).values("product_id")
+
+    authorized_product_type_groups = Product_Type_Group.objects.filter(
+        group__users=user, role__in=roles,
+    ).values("product_type_id")
+
+    authorized_product_groups = Product_Group.objects.filter(
+        group__users=user, role__in=roles,
+    ).values("product_id")
+
+    # Filter using IN with Subquery - no annotations needed
+    return queryset.filter(
+        Q(product__prod_type_id__in=Subquery(authorized_product_type_roles))
+        | Q(product_id__in=Subquery(authorized_product_roles))
+        | Q(product__prod_type_id__in=Subquery(authorized_product_type_groups))
+        | Q(product_id__in=Subquery(authorized_product_groups)),
+    )
+
 
+# Cached: all parameters are hashable, no dynamic queryset filtering
+@cache_for_request
+def get_authorized_endpoint_status(permission, user=None):
+    """Cached - returns all endpoint statuses the user is authorized to see."""
     if user is None:
         user = get_current_user()
 
     if user is None:
         return Endpoint_Status.objects.none()
 
-    endpoint_status = Endpoint_Status.objects.all().order_by("id") if queryset is None else queryset
+    endpoint_status = Endpoint_Status.objects.all().order_by("id")
 
     if user.is_superuser:
         return endpoint_status
@@ -98,3 +145,45 @@ def get_authorized_endpoint_status(permission, queryset=None, user=None):
         | Q(endpoint__product__prod_type_id__in=Subquery(authorized_product_type_groups))
         | Q(endpoint__product_id__in=Subquery(authorized_product_groups)),
     )
+
+
+def get_authorized_endpoint_status_for_queryset(permission, queryset, user=None):
+    """Filters a provided queryset for authorization. Not cached due to dynamic queryset parameter."""
+    if user is None:
+        user = get_current_user()
+
+    if user is None:
+        return Endpoint_Status.objects.none()
+
+    if user.is_superuser:
+        return queryset
+
+    if user_has_global_permission(user, permission):
+        return queryset
+
+    roles = get_roles_for_permission(permission)
+
+    # Get authorized product/product_type IDs via subqueries
+    authorized_product_type_roles = Product_Type_Member.objects.filter(
+        user=user, role__in=roles,
+    ).values("product_type_id")
+
+    authorized_product_roles = Product_Member.objects.filter(
+        user=user, role__in=roles,
+    ).values("product_id")
+
+    authorized_product_type_groups = Product_Type_Group.objects.filter(
+        group__users=user, role__in=roles,
+    ).values("product_type_id")
+
+    authorized_product_groups = Product_Group.objects.filter(
+        group__users=user, role__in=roles,
+    ).values("product_id")
+
+    # Filter using IN with Subquery - no annotations needed
+    return queryset.filter(
+        Q(endpoint__product__prod_type_id__in=Subquery(authorized_product_type_roles))
+        | Q(endpoint__product_id__in=Subquery(authorized_product_roles))
+        | Q(endpoint__product__prod_type_id__in=Subquery(authorized_product_type_groups))
+        | Q(endpoint__product_id__in=Subquery(authorized_product_groups)),
+    )

dojo/endpoint/views.py

@@ -18,7 +18,7 @@
 from dojo.authorization.authorization import user_has_permission_or_403
 from dojo.authorization.authorization_decorators import user_is_authorized
 from dojo.authorization.roles_permissions import Permissions
-from dojo.endpoint.queries import get_authorized_endpoints
+from dojo.endpoint.queries import get_authorized_endpoints_for_queryset
 from dojo.endpoint.utils import clean_hosts_run, endpoint_meta_import
 from dojo.filters import EndpointFilter, EndpointFilterWithoutObjectLookups
 from dojo.forms import AddEndpointForm, DeleteEndpointForm, DojoMetaDataForm, EditEndpointForm, ImportEndpointMetaForm
@@ -52,7 +52,7 @@ def process_endpoints_view(request, *, host_view=False, vulnerable=False):
         endpoints = Endpoint.objects.all()
 
     endpoints = endpoints.prefetch_related("product", "product__tags", "tags").distinct()
-    endpoints = get_authorized_endpoints(Permissions.Endpoint_View, endpoints, request.user)
+    endpoints = get_authorized_endpoints_for_queryset(Permissions.Endpoint_View, endpoints, request.user)
     filter_string_matching = get_system_setting("filter_string_matching", False)
     filter_class = EndpointFilterWithoutObjectLookups if filter_string_matching else EndpointFilter
     if host_view:
@@ -365,7 +365,7 @@ def endpoint_bulk_update_all(request, pid=None):
                 product = get_object_or_404(Product, id=pid)
                 user_has_permission_or_403(request.user, product, Permissions.Endpoint_Delete)
 
-            endpoints = get_authorized_endpoints(Permissions.Endpoint_Delete, endpoints, request.user)
+            endpoints = get_authorized_endpoints_for_queryset(Permissions.Endpoint_Delete, endpoints, request.user)
 
             skipped_endpoint_count = total_endpoint_count - endpoints.count()
             deleted_endpoint_count = endpoints.count()
@@ -389,7 +389,7 @@ def endpoint_bulk_update_all(request, pid=None):
                 product = get_object_or_404(Product, id=pid)
                 user_has_permission_or_403(request.user, product, Permissions.Finding_Edit)
 
-            endpoints = get_authorized_endpoints(Permissions.Endpoint_Edit, endpoints, request.user)
+            endpoints = get_authorized_endpoints_for_queryset(Permissions.Endpoint_Edit, endpoints, request.user)
 
             skipped_endpoint_count = total_endpoint_count - endpoints.count()
             updated_endpoint_count = endpoints.count()

dojo/engagement/queries.py

@@ -3,8 +3,11 @@
 
 from dojo.authorization.authorization import get_roles_for_permission, user_has_global_permission
 from dojo.models import Engagement, Product_Group, Product_Member, Product_Type_Group, Product_Type_Member
+from dojo.request_cache import cache_for_request
 
 
+# Cached: all parameters are hashable, no dynamic queryset filtering
+@cache_for_request
 def get_authorized_engagements(permission):
     user = get_current_user()
 

dojo/filters.py

@@ -38,7 +38,7 @@
 # from tagulous.forms import TagWidget
 # import tagulous
 from dojo.authorization.roles_permissions import Permissions
-from dojo.endpoint.queries import get_authorized_endpoints
+from dojo.endpoint.queries import get_authorized_endpoints_for_queryset
 from dojo.engagement.queries import get_authorized_engagements
 from dojo.finding.helper import (
     ACCEPTED_FINDINGS_QUERY,
@@ -52,8 +52,8 @@
     VERIFIED_FINDINGS_QUERY,
     WAS_ACCEPTED_FINDINGS_QUERY,
 )
-from dojo.finding.queries import get_authorized_findings
-from dojo.finding_group.queries import get_authorized_finding_groups
+from dojo.finding.queries import get_authorized_findings_for_queryset
+from dojo.finding_group.queries import get_authorized_finding_groups_for_queryset
 from dojo.labels import get_labels
 from dojo.models import (
     EFFORT_FOR_FIXING_CHOICES,
@@ -2098,7 +2098,7 @@ def set_related_object_fields(self, *args: list, **kwargs: dict):
         if self.form.fields.get("test__engagement__product"):
             self.form.fields["test__engagement__product"].queryset = get_authorized_products(Permissions.Product_View)
         if self.form.fields.get("finding_group", None):
-            self.form.fields["finding_group"].queryset = get_authorized_finding_groups(Permissions.Finding_Group_View, queryset=finding_group_query)
+            self.form.fields["finding_group"].queryset = get_authorized_finding_groups_for_queryset(Permissions.Finding_Group_View, finding_group_query)
         self.form.fields["reporter"].queryset = get_authorized_users(Permissions.Finding_View)
         self.form.fields["reviewers"].queryset = self.form.fields["reporter"].queryset
 
@@ -2205,7 +2205,7 @@ def set_hash_codes(self, *args: list, **kwargs: dict):
 
     def filter_queryset(self, *args: list, **kwargs: dict):
         queryset = super().filter_queryset(*args, **kwargs)
-        queryset = get_authorized_findings(Permissions.Finding_View, queryset, self.user)
+        queryset = get_authorized_findings_for_queryset(Permissions.Finding_View, queryset, self.user)
         return queryset.exclude(pk=self.finding.pk)
 
 
@@ -2751,7 +2751,7 @@ def __init__(self, *args, **kwargs):
     @property
     def qs(self):
         parent = super().qs
-        return get_authorized_endpoints(Permissions.Endpoint_View, parent)
+        return get_authorized_endpoints_for_queryset(Permissions.Endpoint_View, parent)
 
     class Meta:
         model = Endpoint
@@ -2892,7 +2892,7 @@ def __init__(self, *args, **kwargs):
     @property
     def qs(self):
         parent = super().qs
-        return get_authorized_endpoints(Permissions.Endpoint_View, parent)
+        return get_authorized_endpoints_for_queryset(Permissions.Endpoint_View, parent)
 
     class Meta:
         model = Endpoint
@@ -3240,7 +3240,7 @@ def manage_kwargs(self, kwargs):
     @property
     def qs(self):
         parent = super().qs
-        return get_authorized_findings(Permissions.Finding_View, parent)
+        return get_authorized_findings_for_queryset(Permissions.Finding_View, parent)
 
 
 class ReportFindingFilter(ReportFindingFilterHelper, FindingTagFilter):
@@ -3260,7 +3260,7 @@ def __init__(self, *args, **kwargs):
         # duplicate_finding queryset needs to restricted in line with permissions
         # and inline with report scope to avoid a dropdown with 100K entries
         duplicate_finding_query_set = self.form.fields["duplicate_finding"].queryset
-        duplicate_finding_query_set = get_authorized_findings(Permissions.Finding_View, duplicate_finding_query_set)
+        duplicate_finding_query_set = get_authorized_findings_for_queryset(Permissions.Finding_View, duplicate_finding_query_set)
 
         if self.test:
             duplicate_finding_query_set = duplicate_finding_query_set.filter(test=self.test)