Enterprise/enhancements

README.md

@@ -57,7 +57,6 @@ Here is an overview of CISO Assistant features and capabilities:
 
 ![overview](features.png)
 
-
 CISO Assistant is developed and maintained by [intuitem](https://intuitem.com/), a French 🇫🇷 company specialized in Cyber Security, Cloud and Data/AI.
 
 ## Quick Start 🚀
@@ -87,11 +86,11 @@ and run the starter script
 > If you're getting warnings or errors about image's platform not matching host platform, raise an issue with the details and we'll add it shortly after. You can also use `docker-compose-build.sh` instead (see below) to build for your specific architecture.
 
 > [!CAUTION]
-> Don't use the `main` branch code directly for production as it's the merge upstream and can have breaking changes during our developemnt. Either use the `tags` for stable versions or prebuilt images. 
+> Don't use the `main` branch code directly for production as it's the merge upstream and can have breaking changes during our developemnt. Either use the `tags` for stable versions or prebuilt images.
 
 ## End-user Documentation
 
-Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant.
+Check out the online documentation on <https://intuitem.gitbook.io/ciso-assistant>.
 
 ## Supported frameworks 🐙
 
@@ -158,13 +157,12 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant
 3. ANSSI : Recommandations de configuration d'un système GNU/Linux 🇫🇷
 4. PSSI-MCAS (Politique de sécurité des systèmes d’information pour les ministères chargés des affaires sociales) 🇫🇷
 5. ANSSI : Recommandations pour la protection des systèmes d'information essentiels 🇫🇷
-6. ANSSI : Recommandations de sécurité pour l'architecture d'un système de journalisation  🇫🇷
+6. ANSSI : Recommandations de sécurité pour l'architecture d'un système de journalisation 🇫🇷
 7. ANSSI : Recommandations de sécurité relatives à TLS 🇫🇷
 8. New Zealand Information Security Manual (NZISM) 🇳🇿
-<br/>
+   <br/>
 
-> [!NOTE]
-> `*` These frameworks require an extra manual step of getting the latest Excel sheet through their website as their license prevent direct usage.
+> [!NOTE] > `*` These frameworks require an extra manual step of getting the latest Excel sheet through their website as their license prevent direct usage.
 
 <br/>
 
@@ -364,7 +362,7 @@ python manage.py migrate
 python manage.py createsuperuser
 ```
 
-9.  Run development server.
+9. Run development server.
 
 ```sh
 python manage.py runserver
@@ -398,7 +396,7 @@ npm install
 npm run dev
 ```
 
-4. Reach the frontend on http://localhost:5173
+4. Reach the frontend on <http://localhost:5173>
 
 > [!NOTE]
 > Safari will not properly work in this setup, as it requires https for secure cookies. The simplest solution is to use Chrome or Firefox. An alternative is to use a caddy proxy. This is the solution used in docker-compose, so you can use it as an example.
@@ -407,13 +405,13 @@ npm run dev
 
 All variables in the frontend have handy default values.
 
-If you move the frontend on another host, you should set the following variable: PUBLIC_BACKEND_API_URL. Its default value is http://localhost:8000/api.
+If you move the frontend on another host, you should set the following variable: PUBLIC_BACKEND_API_URL. Its default value is <http://localhost:8000/api>.
 
-When you launch "node server" instead of "npm run dev", you need to set the ORIGIN variable to the same value as CISO_ASSISTANT_URL in the backend (e.g. http://localhost:3000).
+When you launch "node server" instead of "npm run dev", you need to set the ORIGIN variable to the same value as CISO_ASSISTANT_URL in the backend (e.g. <http://localhost:3000>).
 
 ### Managing migrations
 
-The migrations are tracked by version control, https://docs.djangoproject.com/en/4.2/topics/migrations/#version-control
+The migrations are tracked by version control, <https://docs.djangoproject.com/en/4.2/topics/migrations/#version-control>
 
 For the first version of the product, it is recommended to start from a clean migration.
 
@@ -449,7 +447,7 @@ The goal of the test harness is to prevent any regression, i.e. all the tests sh
 
 ## API and Swagger
 
-- The API documentation is available in dev mode on the `<backend_endpoint>/api/schema/swagger/`, for instance http://127.0.0.1:8000/api/schema/swagger/
+- The API documentation is available in dev mode on the `<backend_endpoint>/api/schema/swagger/`, for instance <http://127.0.0.1:8000/api/schema/swagger/>
 
 To interact with it:
 
@@ -496,7 +494,7 @@ Set DJANGO_DEBUG=False for security reason.
 
 ## Security
 
-Great care has been taken to follow security best practices. Please report any issue to [email protected].
+Great care has been taken to follow security best practices. Please report any issue to <[email protected]>.
 
 ## License
 
@@ -506,6 +504,6 @@ All the files within the top-level "enterprise" directory are released under the
 
 All the files outside the top-level "enterprise" directory are released under the [AGPLv3](https://choosealicense.com/licenses/agpl-3.0/).
 
-See [LICENSE.txt](./LICENSE.txt) for details.
+See [LICENSE.txt](./LICENSE.txt) for details. For more details about the commercial editions, you can reach us on <[email protected]>.
 
 Unless otherwise noted, all files are © intuitem.

backend/Dockerfile

@@ -13,6 +13,7 @@ RUN apk add --no-cache bash yaml-cpp
 RUN apk add --no-cache py3-cffi libc-dev libffi-dev gcc python3-dev glib pango cairo
 RUN apk add --no-cache musl musl-utils musl-locales tzdata lang
 RUN apk add --no-cache gettext fontconfig ttf-freefont font-noto terminus-font
+RUN apk add --no-cache file-dev gcc
 
 COPY . /code/
 COPY startup.sh /code/

backend/pyproject.toml

@@ -26,6 +26,7 @@ django-rest-knox = "4.2.0"
 django-allauth = "0.63.5"
 python3-saml = "^1.16"
 requests = "^2.32"
+python-magic = "^0.4.27"
 
 [tool.poetry.group.dev.dependencies]
 pytest-django = "4.8.0"

backend/requirements.txt

@@ -22,3 +22,4 @@ django-allauth[socialaccount]==0.63.5
 pre-commit==3.7.1
 django-allauth[saml]==0.63.5
 django-allauth==0.63.5
+python-magic==0.4.27

enterprise/backend/Dockerfile

@@ -21,6 +21,7 @@ RUN apk add --no-cache bash yaml-cpp
 RUN apk add --no-cache py3-cffi libc-dev libffi-dev gcc python3-dev glib pango cairo
 RUN apk add --no-cache musl musl-utils musl-locales tzdata lang
 RUN apk add --no-cache gettext fontconfig ttf-freefont font-noto terminus-font
+RUN apk add --no-cache file-dev gcc
 
 COPY backend /code/
 COPY enterprise/backend /code/enterprise

enterprise/backend/README.md

@@ -1,23 +1,15 @@
 # Quick start (development)
 
-1. Install the `enterprise_core` package
+1. Make sure you are in the `enterprise/backend` directory
 
-```bash
-cd enterprise/backend
-poetry install
-```
-
-2. Start the development server with the enterprise settings file
+2. Install the `enterprise_core` package
 
 ```bash
-python manage.py runserver --settings=enterprise_core.settings
+poetry install
 ```
 
-# Running a white label instance
-
-This can be done by running the development server with the `FF_WHITE_LABEL` environment variable set to `true`.
+3. Start the development server with the enterprise settings file
 
 ```bash
-export FF_WHITE_LABEL=true
-python manage.py runserver --settings=enterprise_core.settings
+poetry run manage.sh runserver
 ```

enterprise/backend/enterprise_core/models.py

@@ -1,5 +1,6 @@
 from enum import Enum
 import os
+from django.core.validators import FileExtensionValidator
 from django.db import models
 from iam.models import FolderMixin
 from core.base_models import AbstractBaseModel
@@ -11,8 +12,18 @@ class FileField(Enum):
         FAVICON = "favicon"
 
     name = models.CharField(max_length=255, blank=True)
-    logo = models.ImageField(upload_to="client_logos", null=True, blank=True)
-    favicon = models.ImageField(upload_to="client_favicons", null=True, blank=True)
+    logo = models.ImageField(
+        upload_to="client_logos",
+        null=True,
+        blank=True,
+        validators=[FileExtensionValidator(["png", "jpeg", "jpg", "webp", "svg"])],
+    )
+    favicon = models.ImageField(
+        upload_to="client_favicons",
+        null=True,
+        blank=True,
+        validators=[FileExtensionValidator(["ico", "png", "jpeg", "jpg", "webp"])],
+    )
 
     def __str__(self):
         return self.name

enterprise/backend/enterprise_core/serializers.py

@@ -1,3 +1,4 @@
+from rest_framework import serializers
 from core.serializers import BaseModelSerializer
 from iam.models import Folder
 
@@ -23,10 +24,3 @@ class ClientSettingsReadSerializer(BaseModelSerializer):
     class Meta:
         model = ClientSettings
         exclude = ["is_published", "folder"]
-
-    def update(self, instance, validated_data):
-        instance = self.instance
-        for key, value in validated_data.items():
-            setattr(instance, key, value)
-        instance.save()
-        return instance

enterprise/backend/enterprise_core/settings.py

@@ -387,13 +387,10 @@ def set_ciso_assistant_url(_, __, event_dict):
 
 MODULE_PATHS["serializers"] = ["enterprise_core.serializers"]
 
-FEATURE_FLAGS["whiteLabel"] = os.environ.get("FF_WHITE_LABEL", "false") == "true"
-
-if FEATURE_FLAGS["whiteLabel"]:
-    ROUTES["client-settings"] = {
-        "viewset": "enterprise_core.views.ClientSettingsViewSet",
-        "basename": "client-settings",
-    }
+ROUTES["client-settings"] = {
+    "viewset": "enterprise_core.views.ClientSettingsViewSet",
+    "basename": "client-settings",
+}
 
 logger.info(
     "Enterprise startup info", feature_flags=FEATURE_FLAGS, module_paths=MODULE_PATHS

enterprise/backend/enterprise_core/views.py

@@ -1,4 +1,5 @@
 import mimetypes
+import magic
 
 import structlog
 from core.views import BaseModelViewSet
@@ -86,6 +87,22 @@ def handle_file_upload(self, request, pk, field_name):
 
         try:
             settings = ClientSettings.objects.get(id=pk)
+            file = request.FILES["file"]
+            content_type = magic.Magic(mime=True).from_buffer(file.read())
+
+            if content_type not in [
+                "image/png",
+                "image/jpeg",
+                "image/webp",
+                "image/x-icon",
+                "image/vnd.microsoft.icon",
+                "image/svg+xml",
+            ]:
+                return Response(
+                    {field_name: "invalidFileType"},
+                    status=status.HTTP_400_BAD_REQUEST,
+                )
+
             setattr(settings, field_name, request.FILES["file"])
             settings.save()
             return Response(status=status.HTTP_200_OK)

enterprise/backend/manage.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+DJANGO_DIR=../../backend
+ENTERPRISE_SETTINGS=enterprise_core.settings
+
+python $DJANGO_DIR/manage.py $@ --settings=$ENTERPRISE_SETTINGS

enterprise/docker-compose-build.yml

@@ -0,0 +1,45 @@
+version: "3.9"
+
+services:
+  backend:
+    container_name: backend
+    build:
+      context: ./backend
+      dockerfile: Dockerfile
+    restart: always
+    environment:
+      - ALLOWED_HOSTS=backend,localhost
+      - CISO_ASSISTANT_URL=https://localhost:8443
+      - DJANGO_DEBUG=True
+    volumes:
+      - ./db:/code/db
+
+  frontend:
+    container_name: frontend
+    environment:
+      - PUBLIC_BACKEND_API_URL=http://backend:8000/api
+      - PUBLIC_BACKEND_API_EXPOSED_URL=https://localhost:8443/api
+      - PROTOCOL_HEADER=x-forwarded-proto
+      - HOST_HEADER=x-forwarded-host
+
+    build: ./frontend
+    depends_on:
+      - backend
+
+  caddy:
+    container_name: caddy
+    image: caddy:2.7.6
+    environment:
+      - CISO_ASSISTANT_URL=https://localhost:8443
+    restart: unless-stopped
+    ports:
+      - 8443:8443
+    volumes:
+      - ./db:/data
+    command: |
+      sh -c 'echo $$CISO_ASSISTANT_URL "{
+      reverse_proxy /api/iam/sso/redirect/ backend:8000
+      reverse_proxy /api/accounts/saml/0/acs/ backend:8000
+      reverse_proxy /api/accounts/saml/0/acs/finish/ backend:8000
+      reverse_proxy /* frontend:3000
+      }" > Caddyfile && caddy run'

enterprise/docker-compose-pg.yml

@@ -0,0 +1,57 @@
+version: "3.9"
+
+services:
+  backend:
+    container_name: backend
+    image: ghcr.io/intuitem/ciso-assistant-community/enterprise-backend:latest
+    restart: always
+    depends_on:
+      - postgres
+    environment:
+      - ALLOWED_HOSTS=backend
+      - CISO_ASSISTANT_URL=https://localhost:8443
+      - DJANGO_DEBUG=True
+      - POSTGRES_NAME=ciso_assistant
+      - POSTGRES_USER=ciso_assistant
+      - POSTGRES_PASSWORD=ciso_assistant
+      - DB_HOST=postgres
+    volumes:
+      - ./db:/code/db
+
+  frontend:
+    container_name: frontend
+    environment:
+      - PUBLIC_BACKEND_API_URL=http://backend:8000/api
+      - PROTOCOL_HEADER=x-forwarded-proto
+      - HOST_HEADER=x-forwarded-host
+
+    image: ghcr.io/intuitem/ciso-assistant-community/enterprise-frontend:latest
+    depends_on:
+      - backend
+
+  postgres:
+    container_name: postgres
+    image: postgres:16
+    restart: always
+    environment:
+      POSTGRES_DB: ciso_assistant
+      POSTGRES_USER: ciso_assistant
+      POSTGRES_PASSWORD: ciso_assistant
+    volumes:
+      - ./db/pg:/var/lib/postgresql/data
+
+  caddy:
+    container_name: caddy
+    image: caddy:2.7.6
+    restart: unless-stopped
+    ports:
+      - 8443:8443
+    command:
+      - caddy
+      - reverse-proxy
+      - --from
+      - https://localhost:8443
+      - --to
+      - frontend:3000
+    volumes:
+      - ./db:/data