Merge branch 'intuitem:main' into nzism-3-8

intuitem · Sep 15, 2024 · ba1f837 · ba1f837
2 parents 7d48e97 + 383af8a
commit ba1f837
Show file tree

Hide file tree

Showing 217 changed files with 109,391 additions and 9,191 deletions.
diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml
@@ -33,7 +33,7 @@ jobs:
       max-parallel: 4
       matrix:
         python-version: ["3.11"]
-        playwright-browser: ["chromium", "firefox"]
+        playwright-browser: ["chromium"]
 
     steps:
       - uses: actions/checkout@v4

diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,4 @@ db/
 /backend/profiles
 ./backend/ciso_assistant/.meta
 caddy_data/
+**/dist/
diff --git a/LICENSE → LICENSE-AGPL.txt b/LICENSE → LICENSE-AGPL.txt
diff --git a/LICENSE.txt b/LICENSE.txt
@@ -0,0 +1,11 @@
+Source code in this repository is variously licensed under the GNU Affero General Public License (AGPL), or the intuitem Commercial License (https://intuitem.com/license/commercial/).
+
+- All the files within the top-level "enterprise" directory are released under the intuitem Commercial Software License.
+
+- All the files outside the top-level "enterprise" directory are released under the [AGPLv3](https://choosealicense.com/licenses/agpl-3.0/).
+
+Binary files are generated for each edition for CISO Assistant:
+- Binaries located at ghcr.io/intuitem/ciso-assistant-community/ are released under the AGPL.
+- Binaries located at ghcr.io/intuitem/ciso-assistant-pro/ and ghcr.io/intuitem/ciso-assistant-enterprise/ are released under the intuitem Commercial Software License.
+
+intuitem Commercial Software License requires a valid contract between the licensee and intuitem.
diff --git a/README.md b/README.md
@@ -87,7 +87,7 @@ and run the starter script
 > If you're getting warnings or errors about image's platform not matching host platform, raise an issue with the details and we'll add it shortly after. You can also use `docker-compose-build.sh` instead (see below) to build for your specific architecture.
 
 > [!CAUTION]
-> Don't use the `main` branch code directly for production as it's the merge upstream and can have breaking changes during our developemnt. Either use the `tags` for stable versions or prebuilt images. 
+> Don't use the `main` branch code directly for production as it's the merge upstream and can have breaking changes during our development. Either use the `tags` for stable versions or prebuilt images. 
 
 ## End-user Documentation
 
@@ -149,6 +149,9 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant
 52. NCSC Cyber Essentials 🇬🇧
 53. Directive Nationale de la Sécurité des Systèmes d'Information (DNSSI) Maroc 🇲🇦
 54. Part-IS ✈️🇪🇺
+55. ENS Esquema Nacional de seguridad 🇪🇸
+56. Korea ISA ISMS-P 🇰🇷
+57. Swiss ICT minimum standard 🇨🇭
 
 ### Community contributions
 
@@ -159,7 +162,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant
 5. ANSSI : Recommandations pour la protection des systèmes d'information essentiels 🇫🇷
 6. ANSSI : Recommandations de sécurité pour l'architecture d'un système de journalisation  🇫🇷
 7. ANSSI : Recommandations de sécurité relatives à TLS 🇫🇷
-8. New Zealand Information Security Manual (NZISM) ɴᴢ
+8. New Zealand Information Security Manual (NZISM) 🇳🇿
 <br/>
 
 > [!NOTE]
@@ -171,9 +174,7 @@ Checkout the [library](/backend/library/libraries/) and [tools](/tools/) for the
 
 ### Coming soon
 
-- ENS Esquema Nacional de seguridad (español)
 - NIST 800-82
-- Korea ISA: ISMS-P
 
 - and much more: just ask on [Discord](https://discord.gg/qvkaMdQ8da). If it's an open standard, we'll do it for you, _free of charge_ 😉
 
@@ -480,6 +481,8 @@ Set DJANGO_DEBUG=False for security reason.
 - IT: Italian
 - PL: Polish
 - RO: Romanian
+- HI: Hindi
+- UR: Urdu
 
 ## Built With 💜
 
@@ -500,4 +503,12 @@ Great care has been taken to follow security best practices. Please report any i
 
 ## License
 
-[AGPLv3](https://choosealicense.com/licenses/agpl-3.0/)
+This repository contains the source code for both the Open Source edition of CISO Assistant (Community Edition), released under the AGPL v3, as well as the commercial edition of CISO Assistant (Pro and Enterprise Editions), released under the intuitem Commercial Software License. This mono-repository approach is adopted for simplicity.
+
+All the files within the top-level "enterprise" directory are released under the intuitem Commercial Software License.
+
+All the files outside the top-level "enterprise" directory are released under the [AGPLv3](https://choosealicense.com/licenses/agpl-3.0/).
+
+See [LICENSE.txt](./LICENSE.txt) for details.
+
+Unless otherwise noted, all files are © intuitem.
diff --git a/backend/.gitignore b/backend/.gitignore
@@ -17,3 +17,4 @@ db/pg_password.txt
 ./db/
 .coverage
 pytest-report.html
+enterprise/
diff --git a/backend/README.md b/backend/README.md
diff --git a/backend/app_tests/api/test_api_applied_controls.py b/backend/app_tests/api/test_api_applied_controls.py
@@ -10,12 +10,14 @@
 APPLIED_CONTROL_DESCRIPTION = "Test Description"
 APPLIED_CONTROL_CATEGORY = ("technical", "Technical")
 APPLIED_CONTROL_CATEGORY2 = ("process", "Process")
-APPLIED_CONTROL_STATUS = ("planned", "Planned")
-APPLIED_CONTROL_STATUS2 = ("active", "Active")
+APPLIED_CONTROL_STATUS = AppliedControl.Status.IN_PROGRESS
+APPLIED_CONTROL_STATUS2 = AppliedControl.Status.ACTIVE
 APPLIED_CONTROL_EFFORT = ("L", "Large")
 APPLIED_CONTROL_EFFORT2 = ("M", "Medium")
 APPLIED_CONTROL_LINK = "https://example.com"
 APPLIED_CONTROL_ETA = "2024-01-01"
+APPLIED_CONTROL_COST = 24.42
+APPLIED_CONTROL_COST2 = 25.43
 
 
 @pytest.mark.django_db
@@ -100,17 +102,18 @@ def test_get_applied_controls(self, test):
                 "name": APPLIED_CONTROL_NAME,
                 "description": APPLIED_CONTROL_DESCRIPTION,
                 "category": APPLIED_CONTROL_CATEGORY[0],
-                "status": APPLIED_CONTROL_STATUS[0],
+                "status": APPLIED_CONTROL_STATUS._value_,
                 "link": APPLIED_CONTROL_LINK,
                 "eta": APPLIED_CONTROL_ETA,
                 "effort": APPLIED_CONTROL_EFFORT[0],
+                "cost": APPLIED_CONTROL_COST,
                 "folder": test.folder,
             },
             {
                 "folder": {"id": str(test.folder.id), "str": test.folder.name},
                 "reference_control": None,
                 "category": APPLIED_CONTROL_CATEGORY[1],
-                "status": APPLIED_CONTROL_STATUS[1],
+                "status": APPLIED_CONTROL_STATUS._value_,
                 "effort": APPLIED_CONTROL_EFFORT[1],
             },
             user_group=test.user_group,
@@ -131,16 +134,17 @@ def test_create_applied_controls(self, test):
                 "name": APPLIED_CONTROL_NAME,
                 "description": APPLIED_CONTROL_DESCRIPTION,
                 "category": APPLIED_CONTROL_CATEGORY[0],
-                "status": APPLIED_CONTROL_STATUS[0],
+                "status": APPLIED_CONTROL_STATUS._value_,
                 "link": APPLIED_CONTROL_LINK,
                 "eta": APPLIED_CONTROL_ETA,
                 "effort": APPLIED_CONTROL_EFFORT[0],
+                "cost": APPLIED_CONTROL_COST,
                 "folder": str(test.folder.id),
             },
             {
                 "folder": {"id": str(test.folder.id), "str": test.folder.name},
                 "category": APPLIED_CONTROL_CATEGORY[1],
-                "status": APPLIED_CONTROL_STATUS[1],
+                "status": APPLIED_CONTROL_STATUS._value_,
                 "effort": APPLIED_CONTROL_EFFORT[1],
             },
             user_group=test.user_group,
@@ -163,26 +167,28 @@ def test_update_applied_controls(self, test):
                 "name": APPLIED_CONTROL_NAME,
                 "description": APPLIED_CONTROL_DESCRIPTION,
                 "category": APPLIED_CONTROL_CATEGORY[0],
-                "status": APPLIED_CONTROL_STATUS[0],
+                "status": APPLIED_CONTROL_STATUS._value_,
                 "link": APPLIED_CONTROL_LINK,
                 "eta": APPLIED_CONTROL_ETA,
                 "effort": APPLIED_CONTROL_EFFORT[0],
+                "cost": APPLIED_CONTROL_COST,
                 "folder": test.folder,
             },
             {
                 "name": "new " + APPLIED_CONTROL_NAME,
                 "description": "new " + APPLIED_CONTROL_DESCRIPTION,
                 "category": APPLIED_CONTROL_CATEGORY2[0],
-                "status": APPLIED_CONTROL_STATUS2[0],
+                "status": APPLIED_CONTROL_STATUS2._value_,
                 "link": "new " + APPLIED_CONTROL_LINK,
                 "eta": "2025-01-01",
                 "effort": APPLIED_CONTROL_EFFORT2[0],
+                "cost": APPLIED_CONTROL_COST2,
                 "folder": str(folder.id),
             },
             {
                 "folder": {"id": str(test.folder.id), "str": test.folder.name},
                 "category": APPLIED_CONTROL_CATEGORY[1],
-                "status": APPLIED_CONTROL_STATUS[1],
+                "status": APPLIED_CONTROL_STATUS._value_,
                 "effort": APPLIED_CONTROL_EFFORT[1],
             },
             user_group=test.user_group,

diff --git a/backend/app_tests/api/test_api_libraries.py b/backend/app_tests/api/test_api_libraries.py
@@ -66,7 +66,6 @@ def test_import_frameworks(self, test):
         )
         lib_detail_response = lib_detail_response.content
         lib_detail_response = json.loads(lib_detail_response)
-        lib_detail_response = json.loads(lib_detail_response)
         lib_detail_response = lib_detail_response["framework"]
 
         # Asserts that the library is not already loaded
@@ -135,7 +134,6 @@ def test_import_risk_matrix(self, test):
         )
         lib_detail_response = lib_detail_response.content
         lib_detail_response = json.loads(lib_detail_response)
-        lib_detail_response = json.loads(lib_detail_response)
         lib_detail_response = lib_detail_response["risk_matrix"][0]
 
         # Asserts that the library is not already loaded

diff --git a/backend/app_tests/api/test_api_policies.py b/backend/app_tests/api/test_api_policies.py
@@ -8,8 +8,8 @@
 # Generic policy data for tests
 POLICY_NAME = "Test Policy"
 POLICY_DESCRIPTION = "Test Description"
-POLICY_STATUS = ("planned", "Planned")
-POLICY_STATUS2 = ("active", "Active")
+POLICY_STATUS = Policy.Status.TO_DO
+POLICY_STATUS2 = Policy.Status.ACTIVE
 POLICY_EFFORT = ("L", "Large")
 POLICY_EFFORT2 = ("M", "Medium")
 POLICY_LINK = "https://example.com"
@@ -97,7 +97,7 @@ def test_get_policies(self, test):
             {
                 "name": POLICY_NAME,
                 "description": POLICY_DESCRIPTION,
-                "status": POLICY_STATUS[0],
+                "status": POLICY_STATUS._value_,
                 "link": POLICY_LINK,
                 "eta": POLICY_ETA,
                 "effort": POLICY_EFFORT[0],
@@ -106,7 +106,7 @@ def test_get_policies(self, test):
             {
                 "folder": {"id": str(test.folder.id), "str": test.folder.name},
                 "reference_control": None,
-                "status": POLICY_STATUS[1],
+                "status": POLICY_STATUS._value_,
                 "effort": POLICY_EFFORT[1],
             },
             user_group=test.user_group,
@@ -122,15 +122,15 @@ def test_create_policies(self, test):
             {
                 "name": POLICY_NAME,
                 "description": POLICY_DESCRIPTION,
-                "status": POLICY_STATUS[0],
+                "status": POLICY_STATUS._value_,
                 "link": POLICY_LINK,
                 "eta": POLICY_ETA,
                 "effort": POLICY_EFFORT[0],
                 "folder": str(test.folder.id),
             },
             {
                 "folder": {"id": str(test.folder.id), "str": test.folder.name},
-                "status": POLICY_STATUS[1],
+                "status": POLICY_STATUS._value_,
                 "effort": POLICY_EFFORT[1],
             },
             user_group=test.user_group,
@@ -149,7 +149,7 @@ def test_update_policies(self, test):
             {
                 "name": POLICY_NAME,
                 "description": POLICY_DESCRIPTION,
-                "status": POLICY_STATUS[0],
+                "status": POLICY_STATUS._value_,
                 "link": POLICY_LINK,
                 "eta": POLICY_ETA,
                 "effort": POLICY_EFFORT[0],
@@ -158,15 +158,15 @@ def test_update_policies(self, test):
             {
                 "name": "new " + POLICY_NAME,
                 "description": "new " + POLICY_DESCRIPTION,
-                "status": POLICY_STATUS2[0],
+                "status": POLICY_STATUS2._value_,
                 "link": "new " + POLICY_LINK,
                 "eta": "2025-01-01",
                 "effort": POLICY_EFFORT2[0],
                 "folder": str(folder.id),
             },
             {
                 "folder": {"id": str(test.folder.id), "str": test.folder.name},
-                "status": POLICY_STATUS[1],
+                "status": POLICY_STATUS._value_,
                 "effort": POLICY_EFFORT[1],
             },
             user_group=test.user_group,

diff --git a/backend/app_tests/api/test_api_risk_scenarios.py b/backend/app_tests/api/test_api_risk_scenarios.py
@@ -110,8 +110,8 @@
     "description": "acceptable risk",
     "hexcolor": "#00FF00",
 }
-RISK_SCENARIO_TREATMENT_STATUS = ("accept", "Accept")
-RISK_SCENARIO_TREATMENT_STATUS2 = ("mitigate", "Mitigate")
+RISK_SCENARIO_TREATMENT_STATUS = ("accept", "accept")
+RISK_SCENARIO_TREATMENT_STATUS2 = ("mitigate", "mitigate")
 RISK_SCENARIO_JUSTIFICATION = "Test justification"
 
 

diff --git a/backend/app_tests/api/test_utils.py b/backend/app_tests/api/test_utils.py
@@ -1,5 +1,5 @@
 from django.db import models
-from knox.auth import AuthToken
+from knox.models import AuthToken
 import pytest
 import json
 import re
@@ -1027,7 +1027,8 @@ def compare_results(
             ), "reference endpoint is not accessible"
 
             content = json.loads(reference.content)
-            content = json.loads(content)
+            if isinstance(content, str):
+                content = json.loads(content)
 
             for object in content["framework"][object_name.lower().replace(" ", "_")][
                 :count

diff --git a/backend/app_tests/conftest.py b/backend/app_tests/conftest.py
@@ -4,7 +4,7 @@
 from test_vars import GROUPS_PERMISSIONS
 from iam.models import User, UserGroup
 from core.apps import startup
-from knox.auth import AuthToken
+from knox.models import AuthToken
 
 
 class Test(dict):

diff --git a/backend/app_tests/test_vars.py b/backend/app_tests/test_vars.py
@@ -1,5 +1,5 @@
 from typing import Any
-from core.apps import (
+from core.startup import (
     READER_PERMISSIONS_LIST,
     APPROVER_PERMISSIONS_LIST,
     ANALYST_PERMISSIONS_LIST,

diff --git a/backend/ciso_assistant/settings.py b/backend/ciso_assistant/settings.py
@@ -81,6 +81,10 @@ def set_ciso_assistant_url(_, __, event_dict):
 logging.config.dictConfig(LOGGING)
 logger = structlog.getLogger(__name__)
 
+FEATURE_FLAGS = {}
+MODULE_PATHS = {}
+ROUTES = {}
+
 logger.info("BASE_DIR: %s", BASE_DIR)
 logger.info("VERSION: %s", VERSION)
 logger.info("BUILD: %s", BUILD)
@@ -94,7 +98,7 @@ def set_ciso_assistant_url(_, __, event_dict):
 SECRET_KEY = os.environ.get("DJANGO_SECRET_KEY", get_random_secret_key())
 
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = os.environ.get("DJANGO_DEBUG") == "True"
+DEBUG = os.environ.get("DJANGO_DEBUG", "False") == "True"
 
 logger.info("DEBUG mode: %s", DEBUG)
 logger.info("CISO_ASSISTANT_URL: %s", CISO_ASSISTANT_URL)
@@ -200,7 +204,7 @@ def set_ciso_assistant_url(_, __, event_dict):
 }
 
 REST_KNOX = {
-    "SECURE_HASH_ALGORITHM": "cryptography.hazmat.primitives.hashes.SHA512",
+    "SECURE_HASH_ALGORITHM": "hashlib.sha512",
     "AUTH_TOKEN_CHARACTER_LENGTH": 64,
     "TOKEN_TTL": timedelta(seconds=AUTH_TOKEN_TTL),
     "TOKEN_LIMIT_PER_USER": None,
@@ -292,6 +296,8 @@ def set_ciso_assistant_url(_, __, event_dict):
     ("pt", "Portuguese"),
     ("ar", "Arabic"),
     ("ro", "Romanian"),
+    ("hi", "Hindi"),
+    ("ur", "Urdu"),
 ]
 
 PROJECT_PATH = os.path.dirname(os.path.abspath(__file__))