Product Announcements: Add messages to relevant features (#12525)

* Product Announcements: Add messages to relevant features

* Specify exactly where the error is modified

* Correcting ruff

* Ruff can be dangerous?

Author: Maffooch

dojo/api_v2/exception_handler.py

@@ -12,6 +12,7 @@
 from rest_framework.views import exception_handler
 
 from dojo.models import System_Settings
+from dojo.product_announcements import ErrorPageProductAnnouncement
 
 logger = logging.getLogger(__name__)
 
@@ -36,6 +37,7 @@ def custom_exception_handler(exc, context):
         response.status_code = HTTP_400_BAD_REQUEST
         response.data = {}
         response.data["message"] = str(exc)
+        ErrorPageProductAnnouncement(response=response)
     elif response is None:
         if System_Settings.objects.get().api_expose_error_details:
             exception_message = str(exc.args[0])
@@ -51,6 +53,7 @@ def custom_exception_handler(exc, context):
         response.data[
             "message"
         ] = exception_message
+        ErrorPageProductAnnouncement(response=response)
     elif response.status_code < 500:
         # HTTP status codes lower than 500 are no technical errors.
         # They need not to be logged and we provide the exception
@@ -60,6 +63,7 @@ def custom_exception_handler(exc, context):
             exc,
         ) != response.data.get("detail", ""):
             response.data["message"] = str(exc)
+            ErrorPageProductAnnouncement(response=response)
     else:
         # HTTP status code 500 or higher are technical errors.
         # They get logged and we don't change the response.

dojo/api_v2/serializers.py

@@ -3,6 +3,7 @@
 import json
 import logging
 import re
+import time
 from datetime import datetime
 
 import six
@@ -112,6 +113,10 @@
     Vulnerability_Id_Template,
     get_current_date,
 )
+from dojo.product_announcements import (
+    LargeScanSizeProductAnnouncement,
+    ScanTypeProductAnnouncement,
+)
 from dojo.tools.factory import (
     get_choices_sorted,
     requires_file,
@@ -2193,6 +2198,7 @@ class CommonImportScanSerializer(serializers.Serializer):
     product_id = serializers.IntegerField(read_only=True)
     product_type_id = serializers.IntegerField(read_only=True)
     statistics = ImportStatisticsSerializer(read_only=True, required=False)
+    pro = serializers.ListField(read_only=True, required=False)
     apply_tags_to_findings = serializers.BooleanField(
         help_text="If set to True, the tags will be applied to the findings",
         required=False,
@@ -2224,6 +2230,7 @@ def process_scan(
         Raises exceptions in the event of an error
         """
         try:
+            start_time = time.perf_counter()
             importer = self.get_importer(**context)
             context["test"], _, _, _, _, _, _ = importer.process_scan(
                 context.pop("scan", None),
@@ -2236,6 +2243,9 @@ def process_scan(
                 data["product_id"] = test.engagement.product.id
                 data["product_type_id"] = test.engagement.product.prod_type.id
                 data["statistics"] = {"after": test.statistics}
+            duration = time.perf_counter() - start_time
+            LargeScanSizeProductAnnouncement(response_data=data, duration=duration)
+            ScanTypeProductAnnouncement(response_data=data, scan_type=context.get("scan_type"))
         # convert to exception otherwise django rest framework will swallow them as 400 error
         # exceptions are already logged in the importer
         except SyntaxError as se:
@@ -2491,6 +2501,7 @@ def process_scan(
         """
         statistics_before, statistics_delta = None, None
         try:
+            start_time = time.perf_counter()
             if test := context.get("test"):
                 statistics_before = test.statistics
                 context["test"], _, _, _, _, _, test_import = self.get_reimporter(
@@ -2525,6 +2536,9 @@ def process_scan(
                 if statistics_delta:
                     data["statistics"]["delta"] = statistics_delta
                 data["statistics"]["after"] = test.statistics
+            duration = time.perf_counter() - start_time
+            LargeScanSizeProductAnnouncement(response_data=data, duration=duration)
+            ScanTypeProductAnnouncement(response_data=data, scan_type=context.get("scan_type"))
         # convert to exception otherwise django rest framework will swallow them as 400 error
         # exceptions are already logged in the importer
         except SyntaxError as se:

dojo/engagement/views.py

@@ -3,6 +3,7 @@
 import mimetypes
 import operator
 import re
+import time
 from datetime import datetime
 from functools import reduce
 from pathlib import Path
@@ -88,6 +89,11 @@
 )
 from dojo.notifications.helper import create_notification
 from dojo.product.queries import get_authorized_products
+from dojo.product_announcements import (
+    ErrorPageProductAnnouncement,
+    LargeScanSizeProductAnnouncement,
+    ScanTypeProductAnnouncement,
+)
 from dojo.risk_acceptance.helper import prefetch_for_expiration
 from dojo.tools.factory import get_scan_types_sorted
 from dojo.user.queries import get_authorized_users
@@ -1027,16 +1033,22 @@ def process_credentials_form(
 
     def success_redirect(
         self,
+        request: HttpRequest,
         context: dict,
     ) -> HttpResponseRedirect:
         """Redirect the user to a place that indicates a successful import"""
+        duration = time.perf_counter() - request._start_time
+        LargeScanSizeProductAnnouncement(request=request, duration=duration)
+        ScanTypeProductAnnouncement(request=request, scan_type=context.get("scan_type"))
         return HttpResponseRedirect(reverse("view_test", args=(context.get("test").id, )))
 
     def failure_redirect(
         self,
+        request: HttpRequest,
         context: dict,
     ) -> HttpResponseRedirect:
         """Redirect the user to a place that indicates a failed import"""
+        ErrorPageProductAnnouncement(request=request)
         return HttpResponseRedirect(reverse(
             "import_scan_results",
             args=(context.get("engagement", context.get("product")).id, ),
@@ -1071,27 +1083,28 @@ def post(
             engagement_id=engagement_id,
             product_id=product_id,
         )
+        request._start_time = time.perf_counter()
         # ensure all three forms are valid first before moving forward
         if not self.validate_forms(context):
-            return self.failure_redirect(context)
+            return self.failure_redirect(request, context)
         # Process the jira form if it is present
         if form_error := self.process_jira_form(request, context.get("jform"), context):
             add_error_message_to_response(form_error)
-            return self.failure_redirect(context)
+            return self.failure_redirect(request, context)
         # Process the import form
         if form_error := self.process_form(request, context.get("form"), context):
             add_error_message_to_response(form_error)
-            return self.failure_redirect(context)
+            return self.failure_redirect(request, context)
         # Kick off the import process
         if import_error := self.import_findings(context):
             add_error_message_to_response(import_error)
-            return self.failure_redirect(context)
+            return self.failure_redirect(request, context)
         # Process the credential form
         if form_error := self.process_credentials_form(request, context.get("cred_form"), context):
             add_error_message_to_response(form_error)
-            return self.failure_redirect(context)
+            return self.failure_redirect(request, context)
         # Otherwise return the user back to the engagement (if present) or the product
-        return self.success_redirect(context)
+        return self.success_redirect(request, context)
 
 
 @user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")

dojo/middleware.py

@@ -1,5 +1,6 @@
 import logging
 import re
+import time
 from contextlib import suppress
 from threading import local
 from urllib.parse import quote
@@ -12,6 +13,8 @@
 from django.urls import reverse
 from django.utils.functional import SimpleLazyObject
 
+from dojo.product_announcements import LongRunningRequestProductAnnouncement
+
 logger = logging.getLogger(__name__)
 
 EXEMPT_URLS = [re.compile(settings.LOGIN_URL.lstrip("/"))]
@@ -184,3 +187,24 @@ def __call__(self, request):
 
         with context:
             return self.get_response(request)
+
+
+class LongRunningRequestAlertMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+        self.ignored_paths = [
+            re.compile(r"^/api/v2/.*"),
+            re.compile(r"^/product/(?P<product_id>\d+)/import_scan_results$"),
+            re.compile(r"^/engagement/(?P<engagement_id>\d+)/import_scan_results$"),
+            re.compile(r"^/test/(?P<test_id>\d+)/re_import_scan_results"),
+            re.compile(r"^/alerts/count"),
+        ]
+
+    def __call__(self, request):
+        start_time = time.perf_counter()
+        response = self.get_response(request)
+        duration = time.perf_counter() - start_time
+        if not any(pattern.match(request.path_info) for pattern in self.ignored_paths):
+            LongRunningRequestProductAnnouncement(request=request, duration=duration)
+
+        return response

dojo/product_announcements.py

@@ -0,0 +1,167 @@
+from django.conf import settings
+from django.contrib import messages
+from django.http import HttpRequest, HttpResponse
+from django.utils.safestring import mark_safe
+from django.utils.translation import gettext_lazy as _
+
+
+class ProductAnnouncementManager:
+
+    """Base class for centralized helper methods"""
+
+    base_try_free = "Try today for free"
+    base_contact_us = "email us at"
+    base_email_address = "hello@defectdojo.com"
+    ui_try_free = f'<b><a href="https://cloud.defectdojo.com/accounts/onboarding/plg_step_1" target="_blank">{base_try_free}</a></b>'
+    ui_contact_us = f'{base_contact_us} <b><a href="mailto:{base_email_address}">{base_email_address}</a></b>'
+    ui_outreach = f"{ui_try_free} or {ui_contact_us}."
+    api_outreach = f"{base_try_free} or {base_contact_us} {base_email_address}"
+
+    def __init__(
+        self,
+        *args: list,
+        request: HttpRequest = None,
+        response: HttpResponse = None,
+        response_data: dict | None = None,
+        **kwargs: dict,
+    ):
+        """Skip all this if the CREATE_CLOUD_BANNER is not set"""
+        if not settings.CREATE_CLOUD_BANNER:
+            return
+        # Fill in the vars if the were supplied correctly
+        if request is not None and isinstance(request, HttpRequest):
+            self._add_django_message(
+                request=request,
+                message=mark_safe(f"{self.base_message} {self.ui_outreach}"),
+            )
+        elif response is not None and isinstance(response, HttpResponse):
+            response.data = self._add_api_response_key(
+                message=f"{self.base_message} {self.api_outreach}", data=response.data,
+            )
+        elif response_data is not None and isinstance(response_data, dict):
+            response_data = self._add_api_response_key(
+                message=f"{self.base_message} {self.api_outreach}", data=response_data,
+            )
+        else:
+            msg = "At least one of request, response, or response_data must be supplied"
+            raise ValueError(msg)
+
+    def _add_django_message(self, request: HttpRequest, message: str):
+        """Add a message to the UI"""
+        messages.add_message(
+            request=request,
+            level=messages.INFO,
+            message=_(message),
+            extra_tags="alert-info",
+        )
+
+    def _add_api_response_key(self, message: str, data: dict) -> dict:
+        """Update the response data in place"""
+        if (feature_list := data.get("pro")) is not None and isinstance(
+            feature_list,
+            list,
+        ):
+            data["pro"] = [*feature_list, _(message)]
+        else:
+            data["pro"] = [_(message)]
+        return data
+
+
+class ErrorPageProductAnnouncement(ProductAnnouncementManager):
+    def __init__(
+        self,
+        *args: list,
+        request: HttpRequest = None,
+        response: HttpResponse = None,
+        response_data: dict | None = None,
+        **kwargs: dict,
+    ):
+        self.base_message = "Pro comes with support."
+        super().__init__(
+            *args,
+            request=request,
+            response=response,
+            response_data=response_data,
+            **kwargs,
+        )
+
+
+class LargeScanSizeProductAnnouncement(ProductAnnouncementManager):
+    def __init__(
+        self,
+        *args: list,
+        request: HttpRequest = None,
+        response: HttpResponse = None,
+        response_data: dict | None = None,
+        duration: float = 0.0,  # seconds
+        **kwargs: dict,
+    ):
+        self.trigger_threshold = 60.0
+        minute_duration = round(duration / 60.0)
+        self.base_message = f"Your import took about {minute_duration} minute(s). Did you know Pro has async imports?"
+        if duration > self.trigger_threshold:
+            super().__init__(
+                *args,
+                request=request,
+                response=response,
+                response_data=response_data,
+                **kwargs,
+            )
+
+
+class LongRunningRequestProductAnnouncement(ProductAnnouncementManager):
+    def __init__(
+        self,
+        *args: list,
+        request: HttpRequest = None,
+        response: HttpResponse = None,
+        response_data: dict | None = None,
+        duration: float = 0.0,  # seconds
+        **kwargs: dict,
+    ):
+        self.trigger_threshold = 15.0
+        self.base_message = "Did you know, Pro has a new UI and is performance tested up to 22M findings?"
+        if duration > self.trigger_threshold:
+            super().__init__(
+                *args,
+                request=request,
+                response=response,
+                response_data=response_data,
+                **kwargs,
+            )
+
+
+class ScanTypeProductAnnouncement(ProductAnnouncementManager):
+    supported_scan_types = [
+        "Snyk Scan",
+        "Semgrep JSON Report",
+        "Burp Enterprise Scan",
+        "AWS Security Hub Scan",
+        "Probely Scan",  # No OS support here
+        "Checkmarx One Scan",
+        "Tenable Scan",
+        "SonarQube Scan",
+        "Dependency Track Finding Packaging Format (FPF) Export",
+        "Wiz Scan",
+    ]
+
+    def __init__(
+        self,
+        *args: list,
+        request: HttpRequest = None,
+        response: HttpResponse = None,
+        response_data: dict | None = None,
+        scan_type: str | None = None,
+        **kwargs: dict,
+    ):
+        self.base_message = (
+            f"Did you know, Pro has an automated no-code connector for {scan_type}?"
+        )
+        if scan_type in self.supported_scan_types:
+            super().__init__(
+                *args,
+                request=request,
+                response=response,
+                response_data=response_data,
+                **kwargs,
+            )

dojo/settings/settings.dist.py

@@ -913,6 +913,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
     "dojo.middleware.AuditlogMiddleware",
     "crum.CurrentRequestUserMiddleware",
     "dojo.request_cache.middleware.RequestCacheMiddleware",
+    "dojo.middleware.LongRunningRequestAlertMiddleware",
 ]
 
 MIDDLEWARE = DJANGO_MIDDLEWARE_CLASSES