Merge pull request #2041 from MaibornWolff/dev

chore: merge to main for release 1.20.0

.github/workflows/build_push_dev.yml

@@ -10,13 +10,13 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8026d2bc3645ea78b0d2544766a1225eb5691f89 # v3.7.0
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
       -
         name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
@@ -52,7 +52,7 @@ jobs:
             VERSION=dev
       - 
         name: Run SCA vulnerability scanners
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cca1b2fcc133cf278996436bc61db3ac5031c9fc # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@70451f5f17e1de8fddcaebb767167a279dc8815b # main
         with:
           so_configuration: 'so_configuration_sca_dev.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}

.github/workflows/build_push_release.yml

@@ -16,15 +16,15 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           ref: 'v${{ github.event.inputs.release }}'
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8026d2bc3645ea78b0d2544766a1225eb5691f89 # v3.7.0
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
       -
         name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
@@ -64,13 +64,13 @@ jobs:
             VERSION=${{ github.event.inputs.release }}
       - 
         name: Run vulnerability scanners for images
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cca1b2fcc133cf278996436bc61db3ac5031c9fc # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@70451f5f17e1de8fddcaebb767167a279dc8815b # main
         with:
           so_configuration: 'so_configuration_sca_current.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
       - 
         name: Run vulnerability scanners for endpoints
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cca1b2fcc133cf278996436bc61db3ac5031c9fc # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@70451f5f17e1de8fddcaebb767167a279dc8815b # main
         with:
           so_configuration: 'so_configuration_endpoints.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}

.github/workflows/check_backend.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       - name: Set up Python 3.12
         uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:

.github/workflows/check_frontend.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
     - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
       with:
         node-version: 20
@@ -30,16 +30,11 @@ jobs:
       run: |
         npx eslint src
 
-    - name: Check build
-      working-directory: ./frontend
+    - name: End-to-end tests
+      working-directory: .
       run: |
-        npm run build
-
-    # - name: End-to-end tests
-    #   working-directory: .
-    #   run: |
-    #     cd end_to_end_tests
-    #     npm install
-    #     cd ..
-    #     docker compose -f docker-compose-playwright.yml build
-    #     docker compose -f docker-compose-playwright.yml up --abort-on-container-exit --exit-code-from playwright
+        cd end_to_end_tests
+        npm install
+        cd ..
+        docker compose -f docker-compose-playwright.yml build
+        docker compose -f docker-compose-playwright.yml up --abort-on-container-exit --exit-code-from playwright

.github/workflows/check_vulnerabilities.yml

@@ -11,10 +11,10 @@ jobs:
     steps:
       - 
         name: Checkout code
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       -
         name: Run vulnerability scanners for code
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cca1b2fcc133cf278996436bc61db3ac5031c9fc # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@70451f5f17e1de8fddcaebb767167a279dc8815b # main
         with:
           so_configuration: 'so_configuration_code.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}

.github/workflows/generate_sboms.yml

@@ -21,7 +21,7 @@ jobs:
           node-version: 20
       -
         name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           ref: 'v${{ github.event.inputs.release }}'
       - 

.github/workflows/publish_docs.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - main
-      - chore/deploy-docs
+      - chore/doc_trivy_secrets
 
 permissions: read-all
 
@@ -14,11 +14,11 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: 3.x
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
         with:
           key: ${{ github.ref }}
           path: .cache

.github/workflows/scan_sca_current.yml

@@ -13,18 +13,18 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
-          ref: 'v1.19.0'
+          ref: 'v1.20.0'
       -
         name: Run SCA vulnerability scanners
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cca1b2fcc133cf278996436bc61db3ac5031c9fc # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@70451f5f17e1de8fddcaebb767167a279dc8815b # main
         with:
           so_configuration: 'so_configuration_sca_current.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
       - 
         name: Run endpoint vulnerability scanners
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cca1b2fcc133cf278996436bc61db3ac5031c9fc # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@70451f5f17e1de8fddcaebb767167a279dc8815b # main
         with:
           so_configuration: 'so_configuration_endpoints.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}

.github/workflows/scorecard.yml

@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           persist-credentials: false
 
@@ -59,14 +59,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
+        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
         with:
           sarif_file: results.sarif

backend/application/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "1.19.0"
+__version__ = "1.20.0"
 
 import pymysql
 

backend/application/access_control/api/filters.py

@@ -1,6 +1,12 @@
+from django.db.models import Exists
 from django_filters import CharFilter, FilterSet, NumberFilter, OrderingFilter
 
-from application.access_control.models import API_Token, Authorization_Group, User
+from application.access_control.models import (
+    API_Token,
+    Authorization_Group,
+    Authorization_Group_Member,
+    User,
+)
 
 
 class UserFilter(FilterSet):
@@ -53,6 +59,7 @@ def __init__(self, data=None, queryset=None, *, request=None, prefix=None):
 class AuthorizationGroupFilter(FilterSet):
     name = CharFilter(field_name="name", lookup_expr="icontains")
     oidc_group = CharFilter(field_name="oidc_group", lookup_expr="icontains")
+    user = NumberFilter(field_name="users")
 
     # search is needed for the ReferenceArrayInput field of react-admin
     search = CharFilter(field_name="name", lookup_expr="icontains")
@@ -66,6 +73,36 @@ class Meta:
         model = Authorization_Group
         fields = ["name", "oidc_group", "search"]
 
+    def get_user(self, queryset, name, value):  # pylint: disable=unused-argument
+        # field_name is used as a positional argument
+
+        authorization_group_members = Authorization_Group_Member.objects.filter(
+            user__id=value
+        )
+        queryset = queryset.annotate(
+            member=Exists(authorization_group_members),
+        )
+        return queryset.filter(member=True)
+
+
+class AuthorizationGroupMemberFilter(FilterSet):
+    username = CharFilter(field_name="user__username", lookup_expr="icontains")
+    full_name = CharFilter(field_name="user__full_name", lookup_expr="icontains")
+
+    ordering = OrderingFilter(
+        # tuple-mapping retains order
+        fields=(
+            ("user__full_name", "user_data.full_name"),
+            ("authorization_group", "authorization_group"),
+            ("user", "user"),
+            ("is_manager", "is_manager"),
+        ),
+    )
+
+    class Meta:
+        model = Authorization_Group_Member
+        fields = ["authorization_group", "user", "is_manager", "username", "full_name"]
+
 
 class ApiTokenFilter(FilterSet):
     name = CharFilter(field_name="user__username", lookup_expr="icontains")

backend/application/access_control/api/permissions.py

@@ -1,5 +1,11 @@
+from django.shortcuts import get_object_or_404
 from rest_framework.permissions import BasePermission
 
+from application.access_control.models import (
+    Authorization_Group,
+    Authorization_Group_Member,
+)
+
 
 class UserHasSuperuserPermission(BasePermission):
     def has_permission(self, request, view):
@@ -20,3 +26,48 @@ def has_object_permission(self, request, view, obj):
             return request.user.is_superuser
 
         return True
+
+
+class UserHasAuthorizationGroupPermission(BasePermission):
+    def has_permission(self, request, view):
+        if request.method == "POST":
+            return not request.user.is_external
+
+        return True
+
+    def has_object_permission(self, request, view, obj: Authorization_Group):
+        if request.method != "GET":
+            return _has_manage_permission(request, obj)
+
+        return True
+
+
+class UserHasAuthorizationGroupMemberPermission(BasePermission):
+    def has_permission(self, request, view):
+        if request.method == "POST":
+            authorization_group = get_object_or_404(
+                Authorization_Group, pk=request.data.get("authorization_group")
+            )
+            return _has_manage_permission(request, authorization_group)
+
+        return True
+
+    def has_object_permission(self, request, view, obj: Authorization_Group_Member):
+        if request.method != "GET":
+            return _has_manage_permission(request, obj.authorization_group)
+
+        return True
+
+
+def _has_manage_permission(request, authorization_group: Authorization_Group) -> bool:
+    user = request.user
+    if user and user.is_superuser:
+        return True
+
+    try:
+        authorization_group_member = Authorization_Group_Member.objects.get(
+            authorization_group=authorization_group, user=user
+        )
+        return authorization_group_member.is_manager
+    except Authorization_Group_Member.DoesNotExist:
+        return False