Migrate application settings to model

ansible/dev-install/templates/settings.py.j2

@@ -9,11 +9,6 @@ LOGIN_REDIRECT_URL = '/'
 SESSION_COOKIE_HTTPONLY = True
 CSRF_COOKIE_HTTPONLY = True
 TEST_RUNNER = 'django.test.runner.DiscoverRunner'
-ENABLE_DEDUPLICATION = False
-ENABLE_JIRA = False
-# True will display S0, S1, S2, ect in most places
-# False will display Critical, High, Medium, etc
-S_FINDING_SEVERITY_NAMING = False
 URL_PREFIX = ''
 
 # Uncomment this line if you enable SSL

docs/upgrading.rst

@@ -71,3 +71,27 @@ The following needs to be added to settings.py: ::
     ]
 
 Once all these steps are completed your installation of DefectDojo will be running under Django 1.11
+
+
+July 6th 2017 - New location for system settings
+================================================
+
+Pull request #313 moves a number of system settings previously located in the application's settings.py
+to a model that can be used and changed within the web application under "Configuration -> System Settings". 
+
+If you're using a custom ``URL_PREFIX`` you will need to set this in the model after upgrading by
+editing ``dojo/fixtures/system_settings.json`` and setting your URL prefix in the ``url_prefix`` value there. 
+Then issue the command ``./manage.py loaddata system_settings.json`` to load your settings into the database.
+
+If you're not using a custom ``URL_PREFIX``, after upgrading simply go to the System Settings page and review
+which values you want to set for each setting, as they're not automatically migrated from settings.py. 
+
+If you like you can then remove the following settings from settings.py to avoid confusion:
+
+* ``ENABLE_DEDUPLICATION``
+* ``ENABLE_JIRA``
+* ``S_FINDING_SEVERITY_NAMING``
+* ``URL_PREFIX``
+* ``TIME_ZONE``
+* ``TEAM_NAME``
+

dojo/api.py

@@ -24,10 +24,10 @@
     ScanSettingsForm, FindingForm, StubFindingForm, FindingTemplateForm, \
     ImportScanForm, SEVERITY_CHOICES
 from dojo.tools.factory import import_parser_factory
-
+from dojo.utils import get_system_setting
 from datetime import datetime
 
-localtz = timezone(settings.TIME_ZONE)
+localtz = timezone(get_system_setting('time_zone'))
 
 """
     Setup logging for the api

dojo/cred/views.py

@@ -26,10 +26,10 @@
 from dojo.forms import *
 from dojo.tasks import *
 from dojo.forms import *
-from dojo.utils import dojo_crypto_encrypt, prepare_for_view, FileIterWrapper
+from dojo.utils import dojo_crypto_encrypt, prepare_for_view, FileIterWrapper, get_system_setting
 from dojo.product import views as ds
 
-localtz = timezone(settings.TIME_ZONE)
+localtz = timezone(get_system_setting('time_zone'))
 
 logging.basicConfig(
     level=logging.DEBUG,

dojo/development_environment/views.py

@@ -12,9 +12,9 @@
 from dojo.filters import DevelopmentEnvironmentFilter
 from dojo.forms import Development_EnvironmentForm
 from dojo.models import Development_Environment
-from dojo.utils import get_page_items, add_breadcrumb
+from dojo.utils import get_page_items, add_breadcrumb, get_system_setting
 
-localtz = timezone(settings.TIME_ZONE)
+localtz = timezone(get_system_setting('time_zone'))
 
 logging.basicConfig(
     level=logging.DEBUG,

dojo/endpoint/views.py

@@ -17,11 +17,11 @@
 from dojo.forms import EditEndpointForm, \
     DeleteEndpointForm, AddEndpointForm, EndpointMetaDataForm
 from dojo.models import Product, Endpoint, Finding
-from dojo.utils import get_page_items, add_breadcrumb, get_period_counts
+from dojo.utils import get_page_items, add_breadcrumb, get_period_counts, get_system_setting
 from django.contrib.contenttypes.models import ContentType
 from custom_field.models import CustomFieldValue, CustomField
 
-localtz = timezone(settings.TIME_ZONE)
+localtz = timezone(get_system_setting('time_zone'))
 
 logging.basicConfig(
     level=logging.DEBUG,

dojo/engagement/views.py

@@ -26,10 +26,10 @@
     JIRA_PKey, JIRA_Conf, JIRA_Issue, Cred_User, Cred_Mapping
 from dojo.tools.factory import import_parser_factory
 from dojo.utils import get_page_items, add_breadcrumb, handle_uploaded_threat, \
-    FileIterWrapper, get_cal_event, message
+    FileIterWrapper, get_cal_event, message, get_system_setting
 from dojo.tasks import update_epic_task, add_epic_task, close_epic_task
 
-localtz = timezone(settings.TIME_ZONE)
+localtz = timezone(get_system_setting('time_zone'))
 
 logging.basicConfig(
     level=logging.DEBUG,
@@ -141,12 +141,12 @@ def edit_engagement(request, eid):
         except:
             enabled = False
             pass
-        if hasattr(settings, "ENABLE_JIRA"):
-            if settings.ENABLE_JIRA:
-                if JIRA_PKey.objects.filter(product=eng.product).count() != 0:
-                    jform = JIRAFindingForm(prefix='jiraform', enabled=enabled)
-                else:
-                    jform = None
+
+        if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(product=eng.product).count() != 0:
+            jform = JIRAFindingForm(prefix='jiraform', enabled=enabled)
+        else:
+            jform = None
+
     form.initial['tags'] = [tag.name for tag in eng.tags]
     add_breadcrumb(parent=eng, title="Edit Engagement", top_level=False, request=request)
     return render(request, 'dojo/new_eng.html',

dojo/filters.py

@@ -14,8 +14,10 @@
     MultipleChoiceFilter
 from django_filters.filters import ChoiceFilter, _truncate, DateTimeFilter
 from pytz import timezone
+from dojo.utils import get_system_setting
+
+local_tz = timezone(get_system_setting('time_zone'))
 
-local_tz = timezone(settings.TIME_ZONE)
 SEVERITY_CHOICES = (('Info', 'Info'), ('Low', 'Low'), ('Medium', 'Medium'),
                     ('High', 'High'), ('Critical', 'Critical'))
 BOOLEAN_CHOICES = (('false', 'No'), ('true', 'Yes'),)

dojo/finding/views.py

@@ -33,11 +33,11 @@
     FindingImageAccessToken, JIRA_Issue, JIRA_PKey, JIRA_Conf, Dojo_User, Cred_User, Cred_Mapping, Test
 from dojo.utils import get_page_items, add_breadcrumb, FileIterWrapper, send_review_email, process_notifications, \
     add_comment, add_epic, add_issue, update_epic, update_issue, close_epic, jira_get_resolution_id, \
-    jira_change_resolution_id, get_jira_connection
+    jira_change_resolution_id, get_jira_connection, get_system_setting
 
 from dojo.tasks import add_issue_task, update_issue_task, add_comment_task
 
-localtz = timezone(settings.TIME_ZONE)
+localtz = timezone(get_system_setting('time_zone'))
 
 logging.basicConfig(
     level=logging.DEBUG,
@@ -357,11 +357,11 @@ def edit_finding(request, fid):
         enabled = True
     except:
         enabled = False
-    pass
-    if hasattr(settings, 'ENABLE_JIRA'):
-        if settings.ENABLE_JIRA:
-            if JIRA_PKey.objects.filter(product=finding.test.engagement.product) != 0:
-                jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
+        pass
+
+    if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(product=finding.test.engagement.product) != 0:
+        jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
+
     if request.method == 'POST':
         form = FindingForm(request.POST, instance=finding)
         if form.is_valid():
@@ -649,14 +649,14 @@ def promote_to_finding(request, fid):
     test = finding.test
     form_error = False
     jira_available = False
-    if hasattr(settings, 'ENABLE_JIRA'):
-         if settings.ENABLE_JIRA:
-             if JIRA_PKey.objects.filter(product=test.engagement.product) != 0:
-                jform = JIRAFindingForm(request.POST, prefix='jiraform',
-                                         enabled=JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues)
-                jira_available = True
+
+    if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(product=test.engagement.product) != 0:
+        jform = JIRAFindingForm(request.POST, prefix='jiraform',
+                                enabled=JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues)
+        jira_available = True
     else:
-         jform = None
+        jform = None
+
     form = PromoteFindingForm(initial={'title': finding.title,
                                        'date': finding.date,
                                        'severity': finding.severity,

dojo/fixtures/system_settings.json

@@ -0,0 +1,13 @@
+[
+{
+  "model": "dojo.system_settings",
+  "pk": 1,
+  "fields": {
+    "enable_deduplication": false,
+    "enable_jira": false,
+    "s_finding_severity_naming": false,
+    "url_prefix": "",
+    "time_zone": "UTC"
+  }
+}
+]

dojo/forms.py

@@ -20,10 +20,12 @@
     Check_List, User, Engagement, Test, Test_Type, Notes, Risk_Acceptance, \
     Development_Environment, Dojo_User, Scan, Endpoint, Stub_Finding, Finding_Template, Report, FindingImage, \
     JIRA_Issue, JIRA_PKey, JIRA_Conf, UserContactInfo, Tool_Type, Tool_Configuration, Tool_Product_Settings, \
-    Cred_User, Cred_Mapping
+    Cred_User, Cred_Mapping, System_Settings
+from dojo.utils import get_system_setting
 
 RE_DATE = re.compile(r'(\d{4})-(\d\d?)-(\d\d?)$')
-localtz = timezone(settings.TIME_ZONE)
+
+localtz = timezone(get_system_setting('time_zone'))
 
 FINDING_STATUS = (('verified', 'Verified'),
                   ('false_p', 'False Positive'),
@@ -1275,6 +1277,13 @@ class Meta:
         fields = ['cred_id', 'url', 'is_authn_provider']
         exclude = ['product', 'finding', 'engagement', 'test']
 
+class SystemSettingsForm(forms.ModelForm):
+
+    class Meta:
+        model = System_Settings
+        exclude = ['']
+
+
 class CredUserForm(forms.ModelForm):
     #selenium_script = forms.FileField(widget=forms.widgets.FileInput(
     #    attrs={"accept": ".py"}),

dojo/home/views.py

@@ -13,9 +13,9 @@
 from pytz import timezone
 
 from dojo.models import Finding, Engagement, Risk_Acceptance
-from dojo.utils import add_breadcrumb, get_punchcard_data
+from dojo.utils import add_breadcrumb, get_punchcard_data, get_system_setting
 
-localtz = timezone(settings.TIME_ZONE)
+localtz = timezone(get_system_setting('time_zone'))
 
 logging.basicConfig(
     level=logging.DEBUG,

dojo/jira_link/views.py

@@ -20,7 +20,7 @@
 from dojo.filters import ProductFilter, ProductFindingFilter
 from dojo.forms import ProductForm, EngForm, DeleteProductForm
 from dojo.models import Product_Type, Finding, Product, Engagement, ScanSettings, Risk_Acceptance
-from dojo.utils import get_page_items, add_breadcrumb, get_punchcard_data
+from dojo.utils import get_page_items, add_breadcrumb, get_punchcard_data, get_system_setting
 from dojo.models import *
 from dojo.models import *
 from dojo.forms import *
@@ -29,7 +29,7 @@
 from dojo.forms import *
 from dojo.product import views as ds
 
-localtz = timezone(settings.TIME_ZONE)
+localtz = timezone(get_system_setting('time_zone'))
 
 logging.basicConfig(
     level=logging.DEBUG,

dojo/management/commands/csv_findings_export.py

@@ -10,11 +10,11 @@
 from auditlog.models import LogEntry
 from jira import JIRA
 from jira.exceptions import JIRAError
-from dojo.utils import add_comment, add_epic, add_issue, update_epic, update_issue, close_epic
+from dojo.utils import add_comment, add_epic, add_issue, update_epic, update_issue, close_epic, get_system_setting
 from django.core.urlresolvers import get_resolver, reverse
 from itertools import chain
 
-locale = timezone(settings.TIME_ZONE)
+locale = timezone(get_system_setting('time_zone'))
 
 """
 Author: Aaron Weaver

dojo/management/commands/jira_async_updates.py

@@ -11,10 +11,10 @@
 from jira import JIRA
 from jira.exceptions import JIRAError
 from dojo.utils import add_comment, add_epic, add_issue, update_epic, update_issue, close_epic, jira_get_resolution_id, \
- jira_change_resolution_id, log_jira_message, get_jira_connection
+ jira_change_resolution_id, log_jira_message, get_jira_connection, get_system_setting
 from django.core.urlresolvers import get_resolver, reverse
 
-localtz = timezone(settings.TIME_ZONE)
+localtz = timezone(get_system_setting('time_zone'))
 
 """
 Author: Aaron Weaver

dojo/management/commands/migrate_finding_templates.py

@@ -3,8 +3,9 @@
 from pytz import timezone
 import dojo.settings as settings
 from dojo.models import Finding, Finding_Template
+from dojo.utils import get_system_setting
 
-locale = timezone(settings.TIME_ZONE)
+locale = timezone(get_system_setting('time_zone'))
 
 """
 Authors: Jay Paz

dojo/management/commands/migrate_product_contacts.py

@@ -3,8 +3,9 @@
 from pytz import timezone
 import dojo.settings as settings
 from dojo.models import Product, Dojo_User
+from dojo.utils import get_system_setting
 
-locale = timezone(settings.TIME_ZONE)
+locale = timezone(get_system_setting('time_zone'))
 
 """
 Authors: Jay Paz

dojo/management/commands/notify_isoc.py

@@ -8,8 +8,9 @@
 from dojo.models import ScanSettings, Product
 import dojo.settings as settings
 
+from dojo.utils import get_system_setting
 
-locale = timezone(settings.TIME_ZONE)
+locale = timezone(get_system_setting('time_zone'))
 
 """
 Authors: Fatimah
@@ -44,7 +45,7 @@ def handle(self, *args, **options):
         # Send one giant email to External Unit with a list  of all the
         # ipaddresses that will be scanned
         msg = "\nGreetings, \n\n"
-        msg += settings.TEAM_NAME + " will be performing port scans of "
+        msg += get_system_setting('team_name') + " will be performing port scans of "
         msg += "the following products and target IPs:"
         msg += "\n\nStart Time: " + str(scan_start_time)
         msg += "\n\nStop Time (est): " + str(scan_stop_time)
@@ -61,7 +62,7 @@ def handle(self, *args, **options):
 
         msg += "\n\nPlease let us know if you have any questions.\n Thanks,\n"
         msg += settings.PORT_SCAN_RESULT_EMAIL_FROM
-        send_mail(settings.TEAM_NAME + ' Port Scan',
+        send_mail(get_system_setting('team_name') + ' Port Scan',
                   msg,
                   settings.PORT_SCAN_RESULT_EMAIL_FROM,
                   settings.PORT_SCAN_EXTERNAL_UNIT_EMAIL_LIST,

dojo/management/commands/push_to_jira_update.py

@@ -10,10 +10,10 @@
 from auditlog.models import LogEntry
 from jira import JIRA
 from jira.exceptions import JIRAError
-from dojo.utils import add_comment, add_epic, add_issue, update_epic, update_issue, close_epic
+from dojo.utils import add_comment, add_epic, add_issue, update_epic, update_issue, close_epic, get_system_setting
 from django.core.urlresolvers import get_resolver, reverse
 
-locale = timezone(settings.TIME_ZONE)
+locale = timezone(get_system_setting('time_zone'))
 
 """
 Author: Aaron Weaver

dojo/management/commands/run_scan.py

@@ -11,9 +11,9 @@
 
 from dojo.models import Scan, Product, ScanSettings, IPScan
 import dojo.settings as settings
+from dojo.utils import get_system_setting
 
-
-locale = timezone(settings.TIME_ZONE)
+locale = timezone(get_system_setting('time_zone'))
 
 
 """
@@ -82,11 +82,11 @@ def runScan(prod_id, p_dict):
             msg += "\nFor any questions please email "
             msg += settings.PORT_SCAN_CONTACT_EMAIL + "\n"
             msg += "Thanks,\nThe "
-            msg += settings.TEAM_NAME
+            msg += get_system_setting('team_name')
             msg += " Team"
             email_to = current_scan.scan_settings.email
 
-            send_mail(settings.TEAM_NAME + ' Port Scan Report',
+            send_mail(get_system_setting('team_name') + ' Port Scan Report',
                       msg,
                       settings.PORT_SCAN_RESULT_EMAIL_FROM,
                       [email_to],

dojo/management/commands/stamp_finding_last_reviewed.py

@@ -6,8 +6,9 @@
 from dojo.models import Finding
 import dojo.settings as settings
 from auditlog.models import LogEntry
+from dojo.utils import get_system_setting
 
-locale = timezone(settings.TIME_ZONE)
+locale = timezone(get_system_setting('time_zone'))
 
 """
 Authors: Jay Paz