Consolidation of notification creation

[kiblik]

Purpose of this PR: If some action triggers the creation of a notification during clicking in UI. The same notification should be triggered also if the same happens via API. Until now many actions have been avoiding these notifications. Implementation is done by Django Signals.

Some notes:

• General rule: if the object is removed in cascade (e.g. removal product triggers removal of all engagements, tests, ...) notification is created only for the highest removed element (to avoid spamming).
• The only exception to this ^ general rule is the removal of the Product. If Product Type is removed, notification is triggered for all Products as well
• PR hasn't announced any new notifications. All of them have been created based on existing implementation.
• There is a set of notifications which hasn't been migrated and they are performed only for UI actions because they would generate useless noise. E.g. "creation of findings" vs "creation of findings during scan imports". But "TODO" comments have been added.
• If AuditLog is enabled, the message might contain also the actor's name. If the user disabled Auditlog, the user will be notified without knowing who did it. This is a small step back compared to the previous implementation.
• Most of the actions have been with the label event="other". Now notification engine accepts any event name as meaningful and for Alerts event is translated to source name. If event type does not exist as the field in Notification, the engine works with the event as with other

[github-actions]

python: can't open file '/home/runner/work/django-DefectDojo/django-DefectDojo/.github/scripts/git_protect.py': [Errno 2] No such file or directory

[github-actions]

The following files are protected and cannot be modified:
dojo/product_type/views.py
dojo/engagement/views.py
dojo/product/views.py
dojo/test/views.py
dojo/notifications/helper.py
dojo/finding/views.py
unittests/test_notifications.py
dojo/utils.py
dojo/endpoint/views.py

[github-actions]

The following files are protected and cannot be modified:
dojo/endpoint/views.py
dojo/engagement/views.py
dojo/product_type/views.py
dojo/utils.py
unittests/test_notifications.py
dojo/product/views.py
dojo/notifications/helper.py
dojo/test/views.py
dojo/finding/views.py

[github-actions]

The following files are protected and cannot be modified:
dojo/finding/views.py
dojo/utils.py
unittests/test_rest_framework.py
dojo/test/views.py
dojo/engagement/views.py
dojo/product_type/views.py
dojo/notifications/helper.py
dojo/endpoint/views.py
unittests/test_notifications.py
dojo/product/views.py

[github-actions]

The following files are protected and cannot be modified:
dojo/finding/views.py
unittests/test_rest_framework.py
dojo/utils.py
dojo/product_type/views.py
dojo/engagement/views.py
dojo/endpoint/views.py
dojo/test/views.py
dojo/product/views.py
dojo/notifications/helper.py
.github/workflows/check-protected-files.yml
requirements.txt
unittests/test_notifications.py

[github-actions]

The following files are protected and cannot be modified:
dojo/engagement/views.py
dojo/notifications/helper.py
dojo/product/views.py
dojo/utils.py
dojo/product_type/views.py
requirements.txt
dojo/endpoint/views.py
dojo/finding/views.py
.github/workflows/check-protected-files.yml
dojo/test/views.py
unittests/test_notifications.py
unittests/test_rest_framework.py

[github-actions]

The following files are protected and cannot be modified:
dojo/utils.py
dojo/endpoint/views.py
unittests/test_notifications.py
dojo/product/views.py
unittests/test_rest_framework.py
dojo/product_type/views.py
dojo/notifications/helper.py
requirements.txt
dojo/engagement/views.py
.github/workflows/check-protected-files.yml
dojo/finding/views.py
dojo/test/views.py

[github-actions]

The following files are protected and cannot be modified:
unittests/test_notifications.py
dojo/product_type/views.py
dojo/engagement/views.py
unittests/test_rest_framework.py
dojo/product/views.py
dojo/notifications/helper.py
dojo/utils.py
dojo/test/views.py
dojo/endpoint/views.py
dojo/finding/views.py

[github-actions]

The following files are protected and cannot be modified:
dojo/endpoint/views.py
unittests/test_notifications.py
dojo/product/views.py
dojo/test/views.py
dojo/engagement/views.py
dojo/notifications/helper.py
dojo/finding/views.py
dojo/product_type/views.py
dojo/utils.py
dojo/endpoint/receivers.py
unittests/test_rest_framework.py

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[cneill]

Most of the issues I found last time have been fixed! Thanks for digging into this. I think I found the source of the issue with endpoint deletions not triggering alerts: bulk delete (see video). I'm not sure whether that deserves its own PR or if it would be in scope for this one, I'll leave that up to you.

[cneill]

I just checked this again and it looks like the actor is being populated successfully now when the alert is created (API and UI)!

However, I think I may have found the source of the missing notifications that I mentioned last time - using bulk delete on the Endpoints page does not trigger an alert.

Screen.Recording.2024-05-16.at.11.42.58.mov

[cneill]

This remains true - no Test deletion alerts when deleting from either the UI or API

[cneill]

This is working with both API and UI now 👍

[kiblik]

Most of the issues I found last time have been fixed! Thanks for digging into this. I think I found the source of the issue with endpoint deletions not triggering alerts: bulk delete (see video). I'm not sure whether that deserves its own PR or if it would be in scope for this one, I'll leave that up to you.

Thank you for your feedback and for testing again.

• Bulk removal of endpoint: It hasn't been implemented before this PR. Only single removal was implemented. So we would not be speaking only about fixing a bug but implementing the new feature. I would prefer to implement it in the new PR because smaller changes are easier to review and this PR is focused only on the migration of the notification processor.
  • If you are interested in the reason why it is not working now: post_delete signals are sending origin to inform you who triggered deletion. In case of removal of one endpoint (ep = Endpoint.objects.get(id=pk).delete()) origin is the endpoint itself. In case of bulk removal (eps = Endpoint.objects.filter(id__in=[pk1, pk2, pk3]).delete()), origin is QuerySet. This will need some special handling. By the way, Findings support bulk removal so they will need this handling as well.
• Removal of test: This has been implemented before however I found a bug in the implementation. So this kind of notification was broken before this PR.
  • dojo/test/views.py:delete_test sends in create_notification list of recipients as users (as Django models)

    django-DefectDojo/dojo/test/views.py

    Line 342 in 2234848

    recipients=[test.engagement.lead],

    but dojo/notifications/helper.py:create_notification expects usernames (as strings)

    django-DefectDojo/dojo/notifications/helper.py

    Line 33 in 2234848

    for recipient_notifications in Notifications.objects.filter(user__username__in=kwargs['recipients'], user__is_active=True, product=None):

    So same as Endpoints, I would prefer fix this bug in separated PR. Sidenote: I noticed the same bug in some other places as well. I will fix them there as well. Interesting that nobody complained :).

If everybody agrees, I hope this PR is ready for merge.

[cneill]

Thanks for the thorough explanation! I agree that it would be better to address the work required for those additional fixes in one or more follow-on PRs 👍