intuitem · eric-intuitem · Feb 14, 2024 · Feb 14, 2024 · Feb 14, 2024 · Feb 14, 2024
diff --git a/backend/app_tests/api/test_api_policies.py b/backend/app_tests/api/test_api_policies.py
@@ -0,0 +1,206 @@
+import pytest
+from rest_framework.test import APIClient
+from core.models import SecurityFunction, Policy
+from iam.models import Folder
+
+from test_api import EndpointTestsQueries
+
+# Generic policy data for tests
+POLICY_NAME = "Test Policy"
+POLICY_DESCRIPTION = "Test Description"
+POLICY_STATUS = ("planned", "Planned")
+POLICY_STATUS2 = ("active", "Active")
+POLICY_EFFORT = ("L", "Large")
+POLICY_EFFORT2 = ("M", "Medium")
+POLICY_LINK = "https://example.com"
+POLICY_ETA = "2024-01-01"
+
+
+@pytest.mark.django_db
+class TestPolicysUnauthenticated:
+    """Perform tests on policies API endpoint without authentication"""
+
+    client = APIClient()
+
+    def test_get_security_measures(self):
+        """test to get policies from the API without authentication"""
+
+        EndpointTestsQueries.get_object(
+            self.client,
+            "policies",
+            Policy,
+            {
+                "name": POLICY_NAME,
+                "description": POLICY_DESCRIPTION,
+                "folder": Folder.objects.create(name="test"),
+            },
+        )
+
+    def test_create_security_measures(self):
+        """test to create policies with the API without authentication"""
+
+        EndpointTestsQueries.create_object(
+            self.client,
+            "policies",
+            Policy,
+            {
+                "name": POLICY_NAME,
+                "description": POLICY_DESCRIPTION,
+                "folder": Folder.objects.create(name="test").id,
+            },
+        )
+
+    def test_update_security_measures(self):
+        """test to update policies with the API without authentication"""
+
+        EndpointTestsQueries.update_object(
+            self.client,
+            "policies",
+            Policy,
+            {
+                "name": POLICY_NAME,
+                "description": POLICY_DESCRIPTION,
+                "folder": Folder.objects.create(name="test"),
+            },
+            {
+                "name": "new " + POLICY_NAME,
+                "description": "new " + POLICY_DESCRIPTION,
+                "folder": Folder.objects.create(name="test2").id,
+            },
+        )
+
+    def test_delete_security_measures(self):
+        """test to delete policies with the API without authentication"""
+
+        EndpointTestsQueries.delete_object(
+            self.client,
+            "policies",
+            Policy,
+            {
+                "name": POLICY_NAME,
+                "folder": Folder.objects.create(name="test"),
+            },
+        )
+
+
+@pytest.mark.django_db
+class TestPolicysAuthenticated:
+    """Perform tests on policies API endpoint with authentication"""
+
+    def test_get_security_measures(self, authenticated_client):
+        """test to get policies from the API with authentication"""
+
+        EndpointTestsQueries.Auth.get_object(
+            authenticated_client,
+            "policies",
+            Policy,
+            {
+                "name": POLICY_NAME,
+                "description": POLICY_DESCRIPTION,
+                "status": POLICY_STATUS[0],
+                "link": POLICY_LINK,
+                "eta": POLICY_ETA,
+                "effort": POLICY_EFFORT[0],
+                "folder": Folder.get_root_folder(),
+            },
+            {
+                "folder": {"str": Folder.get_root_folder().name},
+                "security_function": None,
+                "status": POLICY_STATUS[1],
+                "effort": POLICY_EFFORT[1],
+            },
+        )
+
+    def test_create_security_measures(self, authenticated_client):
+        """test to create policies with the API with authentication"""
+
+        security_function = SecurityFunction.objects.create(
+            name="test", typical_evidence={}, folder=Folder.objects.create(name="test")
+        )
+
+        EndpointTestsQueries.Auth.create_object(
+            authenticated_client,
+            "policies",
+            Policy,
+            {
+                "name": POLICY_NAME,
+                "description": POLICY_DESCRIPTION,
+                "status": POLICY_STATUS[0],
+                "link": POLICY_LINK,
+                "eta": POLICY_ETA,
+                "effort": POLICY_EFFORT[0],
+                "folder": str(Folder.get_root_folder().id),
+            },
+            {
+                "folder": {"str": Folder.get_root_folder().name},
+                "status": POLICY_STATUS[1],
+                "effort": POLICY_EFFORT[1],
+            },
+        )
+
+    def test_update_security_measures(self, authenticated_client):
+        """test to update policies with the API with authentication"""
+
+        folder = Folder.objects.create(name="test")
+        security_function = SecurityFunction.objects.create(
+            name="test", typical_evidence={}, folder=folder
+        )
+
+        EndpointTestsQueries.Auth.update_object(
+            authenticated_client,
+            "policies",
+            Policy,
+            {
+                "name": POLICY_NAME,
+                "description": POLICY_DESCRIPTION,
+                "status": POLICY_STATUS[0],
+                "link": POLICY_LINK,
+                "eta": POLICY_ETA,
+                "effort": POLICY_EFFORT[0],
+                "folder": Folder.get_root_folder(),
+            },
+            {
+                "name": "new " + POLICY_NAME,
+                "description": "new " + POLICY_DESCRIPTION,
+                "status": POLICY_STATUS2[0],
+                "link": "new " + POLICY_LINK,
+                "eta": "2025-01-01",
+                "effort": POLICY_EFFORT2[0],
+                "folder": str(folder.id),
+            },
+            {
+                "folder": {"str": Folder.get_root_folder().name},
+                "status": POLICY_STATUS[1],
+                "effort": POLICY_EFFORT[1],
+            },
+        )
+
+    def test_delete_security_measures(self, authenticated_client):
+        """test to delete policies with the API with authentication"""
+
+        EndpointTestsQueries.Auth.delete_object(
+            authenticated_client,
+            "policies",
+            Policy,
+            {
+                "name": POLICY_NAME,
+                "folder": Folder.objects.create(name="test"),
+            },
+        )
+
+    def test_get_effort_choices(self, authenticated_client):
+        """test to get policies effort choices from the API with authentication"""
+
+        EndpointTestsQueries.Auth.get_object_options(
+            authenticated_client, "policies", "effort", Policy.EFFORT
+        )
+
+    def test_get_status_choices(self, authenticated_client):
+        """test to get policies status choices from the API with authentication"""
+
+        EndpointTestsQueries.Auth.get_object_options(
+            authenticated_client,
+            "policies",
+            "status",
+            Policy.Status.choices,
+        )
diff --git a/backend/app_tests/test_vars.py b/backend/app_tests/test_vars.py
@@ -16,6 +16,7 @@
 RISK_SCENARIOS_ENDPOINT = "risk-scenarios-list"
 SECURITY_FUNCTIONS_ENDPOINT = "security-functions-list"
 SECURITY_MEASURES_ENDPOINT = "security-measures-list"
+POLICIES_ENDPOINT = "policies-list"
 THREATS_ENDPOINT = "threats-list"
 USERS_ENDPOINT = "users-list"
 

diff --git a/backend/core/apps.py b/backend/core/apps.py
@@ -1,19 +1,21 @@
 from django.apps import AppConfig
 
+
 def startup():
     """Implement CISO Assistant 1.0 default Roles and User Groups"""
 
-    from iam.models import Folder
-    from iam.models import UserGroup, Role, RoleAssignment
+    from ciso_assistant.settings import (
+        CISO_ASSISTANT_SUPERUSER_EMAIL,
+    )
     from django.contrib.auth.models import Permission
-    from iam.models import User
-    from ciso_assistant.settings import CISO_ASSISTANT_SUPERUSER_EMAIL, EMAIL_HOST, EMAIL_HOST_RESCUE
+    from iam.models import Folder, Role, RoleAssignment, User, UserGroup
 
     auditor_permissions = Permission.objects.filter(
         codename__in=[
             "view_project",
             "view_riskassessment",
             "view_securitymeasure",
+            "view_policy",
             "view_riskscenario",
             "view_riskacceptance",
             "view_asset",
@@ -34,6 +36,7 @@ def startup():
             "view_project",
             "view_riskassessment",
             "view_securitymeasure",
+            "view_policy",
             "view_riskscenario",
             "view_riskacceptance",
             "approve_riskacceptance",
@@ -60,10 +63,15 @@ def startup():
             "add_riskassessment",
             "view_riskassessment",
             "change_riskassessment",
-            "delete_riskassessment" "add_securitymeasure",
+            "delete_riskassessment",
+            "add_securitymeasure",
             "view_securitymeasure",
             "change_securitymeasure",
             "delete_securitymeasure",
+            "add_policy",
+            "view_policy",
+            "change_policy",
+            "delete_policy",
             "add_riskscenario",
             "view_riskscenario",
             "change_riskscenario",
@@ -109,6 +117,10 @@ def startup():
             "view_securitymeasure",
             "change_securitymeasure",
             "delete_securitymeasure",
+            "add_policy",
+            "view_policy",
+            "change_policy",
+            "delete_policy",
             "add_riskscenario",
             "view_riskscenario",
             "change_riskscenario",
@@ -183,6 +195,10 @@ def startup():
             "view_securitymeasure",
             "change_securitymeasure",
             "delete_securitymeasure",
+            "add_policy",
+            "view_policy",
+            "change_policy",
+            "delete_policy",
             "add_riskscenario",
             "view_riskscenario",
             "change_riskscenario",

diff --git a/backend/core/migrations/0004_policy.py b/backend/core/migrations/0004_policy.py
@@ -0,0 +1,26 @@
+# Generated by Django 5.0.2 on 2024-02-14 15:40
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0003_library_dependencies_and_more'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Policy',
+            fields=[
+            ],
+            options={
+                'verbose_name': 'Policy',
+                'verbose_name_plural': 'Policies',
+                'proxy': True,
+                'indexes': [],
+                'constraints': [],
+            },
+            bases=('core.securitymeasure',),
+        ),
+    ]
diff --git a/backend/core/models.py b/backend/core/models.py
@@ -828,6 +828,25 @@ def get_linked_requirements_count(self):
         ).count()
 
 
+class PolicyManager(models.Manager):
+    def create(self, *args, **kwargs):
+        kwargs["category"] = "policy"  # Ensure category is always "policy"
+        return super().create(*args, **kwargs)
+
+
+class Policy(SecurityMeasure):
+    class Meta:
+        proxy = True
+        verbose_name = _("Policy")
+        verbose_name_plural = _("Policies")
+
+    objects = PolicyManager()  # Use the custom manager
+
+    def save(self, *args, **kwargs):
+        self.category = "policy"
+        super(Policy, self).save(*args, **kwargs)
+
+
 class RiskScenario(AbstractBaseModel, NameDescriptionMixin):
     TREATMENT_OPTIONS = [
         ("open", _("Open")),