Merge pull request CERTCC#156 from sei-vsarvepalli/version-3.0.5

VINCE Upgrade to 3.0.5

CHANGELOG.md

@@ -3,6 +3,22 @@
 CHANGELOG
 VINCE Coordination platform code
 
+Version 3.0.5 2024-07-17
+
+* Dependabot update recommendations: `urllib3` 1.26.18 to 1.26.19, `certifi` 2023.7.22 to 2024.7.4, `zipp` 3.10.1 to 1.19.1 `Django` 4.2.11 to 4.2.14
+* Added code to make the tag, vulnote, email & CVE sections of the reports page load async to reduce loading time (Internal-662)
+* Made all sections of the reports page expandable/collapsible, collapsed on load, to ease async loading (Internal-662)
+* Ensured that transient bounce messages automatically get posted to the user's activity stream
+* Set up automatic logging of user deactivation due to bounce issues to the user's activity stream
+* Directed bounce messages for users with already open bounce tickets into a followup on original bounce ticket
+* Added code to intercept emails addressed to recent bouncers before they are sent (Internal-752)
+* Added field to API case view with timestamp field for most recent update (Isseu #149)
+* Started improving vulnote review process with css alteration to remove need for unnecessary scrolling (Internal-755)
+* Fixed bug in date processing for the vincepub search function (Internal-756)
+* Added code to handle errors that arise in certain cases when resetting user MFA (Internal-757)
+* Ensured that deactivated users are removed from VINCE Track and from all relevant Groups, with logging to Activity stream (Internal-759)
+
+
 Version 3.0.4 2024-06-10
 
 * Fixed bug that prevented display of "No data" message in certain circumstances on the VINCE Track case page vendor tab

bigvince/settings_.py

@@ -54,7 +54,7 @@
 ROOT_DIR = environ.Path(__file__) - 3
 
 # any change that requires database migrations is a minor release
-VERSION = "3.0.4"
+VERSION = "3.0.5"
 
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/2.1/howto/deployment/checklist/

lib/vince/utils.py

@@ -3,51 +3,54 @@
 import mimetypes
 import uuid
 import re
-#Utilities for VINCE to use that are generic
+
+# Utilities for VINCE to use that are generic
+
 
 def get_ip(request):
-    """ GET IP address of a request object and find it using simple
+    """GET IP address of a request object and find it using simple
     method of the first X-Forwarded-For header IP from proxy/web server
     or the REMOTE_ADDR environment setup by the appserver. Returns a
     string not an IP validated item/object.
     """
     try:
-        if request.META.get('HTTP_X_FORWARDED_FOR'):
-            return request.META.get('HTTP_X_FORWARDED_FOR').split(',')[0]
-        elif request.META.get('REMOTE_ADDR'):
-            return request.META.get('REMOTE_ADDR')
+        if request.META.get("HTTP_X_FORWARDED_FOR"):
+            return request.META.get("HTTP_X_FORWARDED_FOR").split(",")[0]
+        elif request.META.get("REMOTE_ADDR"):
+            return request.META.get("REMOTE_ADDR")
         else:
             return "Unknown"
     except Exception as e:
         return f"IP lookup Exception {e}"
     return "Unknown"
 
 
-def deepGet(obj,idir):
-    """ Given an object of any kind find if it is a dictionary
+def deepGet(obj, idir):
+    """Given an object of any kind find if it is a dictionary
     or a list or an abstract object or instance of a class
     that has a burried element.
     """
     x = obj
     for s in idir.split("."):
         if not x:
             return None
-        if isinstance(x,dict) and s in x:
+        if isinstance(x, dict) and s in x:
             x = x[s]
-        elif isinstance(x,list) and s.isdigit() and int(s) < len(x):
+        elif isinstance(x, list) and s.isdigit() and int(s) < len(x):
             x = x[int(s)]
-        elif hasattr(x,s):
-            x = getattr(x,s)
+        elif hasattr(x, s):
+            x = getattr(x, s)
             if callable(x) and not inspect.isclass(x):
                 x = x()
         else:
             return None
     return x
 
-def safe_filename(filename,file_uuid=str(uuid.uuid4()),mime_type="application/octet-stream"):
-    filename = filename.replace("\r"," ").replace("\n"," ").strip()
-    if re.search(r'[^\x00-\x7F]+',filename):
-        #non-ascii filenames use uuid and extension
+
+def safe_filename(filename, file_uuid=str(uuid.uuid4()), mime_type="application/octet-stream"):
+    filename = filename.replace("\r", " ").replace("\n", " ").strip()
+    if re.search(r"[^\x00-\x7F]+", filename):
+        # non-ascii filenames use uuid and extension
         if file_uuid == None:
             file_uuid = uuid.uuid4()
         file_extension = "".join(pathlib.Path(filename).suffixes)
@@ -58,3 +61,10 @@ def safe_filename(filename,file_uuid=str(uuid.uuid4()),mime_type="application/oc
         else:
             filename = file_uuid
     return filename
+
+
+def is_uuid(inuuid):
+    try:
+        return uuid.UUID(inuuid)
+    except Exception as e:
+        return None

requirements.txt

@@ -14,7 +14,7 @@ boto==2.49.0
 boto3==1.26.11
 botocore==1.29.11
 cached-property==1.5.2
-certifi==2023.7.22
+certifi==2024.7.4
 cffi==1.15.1
 chardet==5.0.0
 charset-normalizer==2.1.1
@@ -24,7 +24,7 @@ cryptography==42.0.4
 cvelib==1.3.0
 Deprecated==1.2.13
 dictdiffer==0.9.0
-Django==4.2.11
+Django==4.2.14
 django-appconf==1.0.5
 django-countries==7.4.2
 django-environ==0.9.0
@@ -77,9 +77,9 @@ six==1.16.0
 soupsieve==2.3.2.post1
 sqlparse==0.5.0
 typing-extensions==4.4.0
-urllib3==1.26.18
+urllib3==1.26.19
 vine==5.0.0
 watchtower==3.0.0
 webencodings==0.5.1
 wrapt==1.14.1
-zipp==3.10.0
+zipp==3.19.1

vince/lib.py

@@ -2019,17 +2019,55 @@ def create_bounce_ticket(headers, bounce_info):
     bounce_type = bounce_info.get("bounceType")
     date = headers.get("date")
 
+    # weed out the bounces for inactive users
     dead_users = []
     for email in email_to:
-        if User.objects.filter(username=email, is_active=False):
-            logger.debug(f"Ignoring {email} as this user is inactive")
-            dead_users.append(email)
-        elif (bounce_type == "Transient") and VINCE_IGNORE_TRANSIENT_BOUNCES:
-            create_bounce_record(email, bounce_type, subject)
+        try:
+            user = User.objects.using("vincecomm").filter(username=email).first()
+        except:
+            logger.debug(f"bounce ticket creation process failed to find user with email address {email}")
+        if user:
+            if user.is_active == False:
+                logger.debug(f"Ignoring {email} as this user is inactive")
+                dead_users.append(email)
+            elif bounce_type == "Transient":
+                va = VendorAction(user=user, title="A transient bounce message was received for {user}")
+                if VINCE_IGNORE_TRANSIENT_BOUNCES:
+                    create_bounce_record(email, bounce_type, subject)
 
     if dead_users:
         email_to = list(set(email_to) - set(dead_users))
         email_to_str = ", ".join(email_to)
+        if not email_to:
+            logger.debug("No valid bounced recipients. Found all recipients are inactive")
+            return
+
+    # weed out the bounces for users with prexisting open bounce tickets
+    preexisting_bounce_users = []
+    for email in email_to:
+        try:
+            preexisting_bounce_ticket = Ticket.objects.filter(
+                title=f"Email Bounce Notification to {email}",
+                status__in=[Ticket.OPEN_STATUS, Ticket.REOPENED_STATUS, Ticket.IN_PROGRESS_STATUS],
+            ).first()
+            if preexisting_bounce_ticket:
+                logger.debug(f"preexisting_bounce_ticket is {preexisting_bounce_ticket}")
+                logger.debug(f"in particular, preexisting_bounce_ticket.id is {preexisting_bounce_ticket.id}")
+                fup = FollowUp(
+                    ticket=preexisting_bounce_ticket,
+                    date=timezone.now(),
+                    title=f"Another Email Bounce Notification to {email} was received",
+                )
+                if bounce_info:
+                    fup.comment = json.dumps(bounce_info)
+                fup.save()
+                preexisting_bounce_users.append(email)
+        except:
+            logger.debug(f"emails have started bouncing back from {email}")
+
+    if preexisting_bounce_users:
+        email_to = list(set(email_to) - set(preexisting_bounce_users))
+        email_to_str = ", ".join(email_to)
         if not email_to:
             logger.debug("No valid bounced recipients found all recipients are inactive")
             return

vince/static/vince/css/style.css

@@ -2895,6 +2895,18 @@ button:hover, .button:hover{
     display: block;
 }
 
+.collapse-inline {
+    display: none;
+}
+
+.expanded-inline {
+    display: inline;
+}
+
+.expandable-section-heading {
+    cursor: pointer;
+}
+
 tr.delete td {
     background-color: #FDC;
 }
@@ -2990,7 +3002,6 @@ tr.equal td {
 }
 
 .diff-container td {
-    white-space: pre;
     font-family: monospace;
     padding: 0.2rem 0.3rem 0.3rem;
 }

vince/static/vince/js/contactverify.js

@@ -111,28 +111,22 @@ $(document).ready(function() {
             // Previously submitted - don't submit again
             e.preventDefault();
         } else {
-            console.log(1)
             let email_body = $("#id_email_body").val();
-            console.log(2)
             if ((email_body.search(/VENDOR/) >= 0)) {
                 alert("Please check email text and replace VENDOR placeholder text");
                 return false;
             }
-            console.log(3)
             if ((email_body.search(/EMAIL/) >= 0)) {
                 alert("Please check email text and replace EMAIL placeholder text");
                 return false;
             }
-            console.log(4)
             if ((email_body.search(/JUSTIFICATION/) >= 0)) {
                 alert("Please check email text and replace JUSTIFICATION placeholder text");
                 return false;
             }
-            console.log(5)
             if (internal_verification_checkbox.checked && taggle.getTagValues().length == 0){
                 taggle.add(user_to_verify)
             }
-            console.log(6)
             // Mark it so that the next submit can be ignored
             $form.data('submitted', true);
         }
@@ -155,10 +149,6 @@ $(document).ready(function() {
 	    });
     };
 
-
-    // This is all code for VIN-731. It's commented out because we didn't quite have time to test all possible edge cases before a separate process
-    // required us to put out a VINCE release.
-
     let user_to_verify_field = document.getElementById('id_user');
     let user_to_verify = user_to_verify_field.value;
     let email_field = document.getElementById('email_field');

vince/static/vince/js/reports.js

@@ -29,6 +29,41 @@
 */
 $(document).ready(function() {
 
+    function togglesectionvisibility(classtotoggle){
+        let elementstotoggle = document.getElementsByClassName(classtotoggle)
+        for (let i = 0; i < elementstotoggle.length; i++) {
+            if (elementstotoggle[i].classList.contains('collapse')){
+                elementstotoggle[i].classList.add('expanded')
+                elementstotoggle[i].classList.remove('collapse')
+            } else if (elementstotoggle[i].classList.contains('expanded')) {
+                elementstotoggle[i].classList.add('collapse')
+                elementstotoggle[i].classList.remove('expanded')
+            } else if (elementstotoggle[i].classList.contains('collapse-inline')) {
+                elementstotoggle[i].classList.add('expanded-inline')
+                elementstotoggle[i].classList.remove('collapse-inline')
+            } else if (elementstotoggle[i].classList.contains('expanded-inline')) {
+                elementstotoggle[i].classList.add('collapse-inline')
+                elementstotoggle[i].classList.remove('expanded-inline')
+            } else if (elementstotoggle[i].classList.contains('fa-caret-right')) {
+                elementstotoggle[i].classList.add('fa-caret-down')
+                elementstotoggle[i].classList.remove('fa-caret-right')
+            } else if (elementstotoggle[i].classList.contains('fa-caret-down')) {
+                elementstotoggle[i].classList.add('fa-caret-right')
+                elementstotoggle[i].classList.remove('fa-caret-down')
+            }
+        }
+    }
+
+    document.getElementById("reports_page_wrapper").addEventListener("click", function(e) {
+        let classtotoggle = ""
+        if(e.target && e.target.classList.contains('expandable-section-heading-icon')) {
+            classtotoggle = e.target.parentElement.id
+        }
+        if(e.target && e.target.classList.contains('expandable-section-heading')) {
+            classtotoggle = e.target.id
+        }
+        togglesectionvisibility(classtotoggle)
+    });
 
     $('#moreVendor').click(function(e) {
         $("#hidevendors").toggle();