Updates

ETB-API/security/serializers/__init__.py

@@ -0,0 +1 @@
+# Serializers for security API endpoints

ETB-API/security/serializers/security.py

@@ -0,0 +1,277 @@
+"""
+Security-related serializers for API endpoints
+"""
+from rest_framework import serializers
+from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Permission
+
+from ..models import (
+    DataClassification, Role, User, MFADevice, 
+    AuditLog, SSOProvider, AccessPolicy
+)
+
+User = get_user_model()
+
+
+class DataClassificationSerializer(serializers.ModelSerializer):
+    """Serializer for data classification levels"""
+    
+    class Meta:
+        model = DataClassification
+        fields = [
+            'id', 'name', 'level', 'description', 
+            'color_code', 'requires_clearance', 
+            'created_at', 'updated_at'
+        ]
+        read_only_fields = ['id', 'created_at', 'updated_at']
+
+
+class PermissionSerializer(serializers.ModelSerializer):
+    """Serializer for permissions"""
+    
+    class Meta:
+        model = Permission
+        fields = ['id', 'name', 'codename', 'content_type']
+
+
+class RoleSerializer(serializers.ModelSerializer):
+    """Serializer for roles"""
+    permissions = PermissionSerializer(many=True, read_only=True)
+    permission_ids = serializers.ListField(
+        child=serializers.IntegerField(),
+        write_only=True,
+        required=False
+    )
+    data_classification_access = DataClassificationSerializer(many=True, read_only=True)
+    classification_ids = serializers.ListField(
+        child=serializers.IntegerField(),
+        write_only=True,
+        required=False
+    )
+    
+    class Meta:
+        model = Role
+        fields = [
+            'id', 'name', 'description', 'permissions', 'permission_ids',
+            'data_classification_access', 'classification_ids',
+            'is_active', 'created_at', 'updated_at'
+        ]
+        read_only_fields = ['id', 'created_at', 'updated_at']
+    
+    def create(self, validated_data):
+        permission_ids = validated_data.pop('permission_ids', [])
+        classification_ids = validated_data.pop('classification_ids', [])
+        
+        role = Role.objects.create(**validated_data)
+        
+        if permission_ids:
+            role.permissions.set(permission_ids)
+        if classification_ids:
+            role.data_classification_access.set(classification_ids)
+            
+        return role
+    
+    def update(self, instance, validated_data):
+        permission_ids = validated_data.pop('permission_ids', None)
+        classification_ids = validated_data.pop('classification_ids', None)
+        
+        for attr, value in validated_data.items():
+            setattr(instance, attr, value)
+        instance.save()
+        
+        if permission_ids is not None:
+            instance.permissions.set(permission_ids)
+        if classification_ids is not None:
+            instance.data_classification_access.set(classification_ids)
+            
+        return instance
+
+
+class UserSerializer(serializers.ModelSerializer):
+    """Serializer for users"""
+    roles = RoleSerializer(many=True, read_only=True)
+    role_ids = serializers.ListField(
+        child=serializers.IntegerField(),
+        write_only=True,
+        required=False
+    )
+    clearance_level = DataClassificationSerializer(read_only=True)
+    clearance_level_id = serializers.IntegerField(write_only=True, required=False)
+    mfa_enabled = serializers.BooleanField(read_only=True)
+    is_account_locked = serializers.BooleanField(read_only=True)
+    password = serializers.CharField(write_only=True, required=False)
+    
+    class Meta:
+        model = User
+        fields = [
+            'id', 'username', 'email', 'first_name', 'last_name',
+            'employee_id', 'department', 'clearance_level', 'clearance_level_id',
+            'roles', 'role_ids', 'attributes', 'mfa_enabled', 'mfa_secret',
+            'last_login_ip', 'failed_login_attempts', 'is_account_locked',
+            'sso_provider', 'sso_identifier', 'is_active', 'is_staff', 'is_superuser',
+            'date_joined', 'last_login', 'created_at', 'updated_at', 'password'
+        ]
+        read_only_fields = [
+            'id', 'mfa_enabled', 'mfa_secret', 'last_login_ip', 
+            'failed_login_attempts', 'is_account_locked', 'sso_provider', 
+            'sso_identifier', 'date_joined', 'last_login', 'created_at', 'updated_at'
+        ]
+    
+    def create(self, validated_data):
+        password = validated_data.pop('password', None)
+        role_ids = validated_data.pop('role_ids', [])
+        clearance_level_id = validated_data.pop('clearance_level_id', None)
+        
+        if clearance_level_id:
+            validated_data['clearance_level_id'] = clearance_level_id
+        
+        user = User.objects.create_user(**validated_data)
+        
+        if password:
+            user.set_password(password)
+            user.save()
+        
+        if role_ids:
+            user.roles.set(role_ids)
+            
+        return user
+    
+    def update(self, instance, validated_data):
+        password = validated_data.pop('password', None)
+        role_ids = validated_data.pop('role_ids', None)
+        clearance_level_id = validated_data.pop('clearance_level_id', None)
+        
+        if clearance_level_id:
+            validated_data['clearance_level_id'] = clearance_level_id
+        
+        for attr, value in validated_data.items():
+            setattr(instance, attr, value)
+        
+        if password:
+            instance.set_password(password)
+        
+        instance.save()
+        
+        if role_ids is not None:
+            instance.roles.set(role_ids)
+            
+        return instance
+
+
+class MFADeviceSerializer(serializers.ModelSerializer):
+    """Serializer for MFA devices"""
+    user = serializers.StringRelatedField(read_only=True)
+    secret_key = serializers.CharField(read_only=True)  # Never expose secret
+    
+    class Meta:
+        model = MFADevice
+        fields = [
+            'id', 'user', 'device_type', 'name', 'is_active', 
+            'is_primary', 'last_used', 'created_at', 'updated_at'
+        ]
+        read_only_fields = ['id', 'user', 'secret_key', 'created_at', 'updated_at']
+
+
+class MFASetupSerializer(serializers.Serializer):
+    """Serializer for MFA setup"""
+    device_name = serializers.CharField(max_length=100)
+    device_type = serializers.ChoiceField(choices=MFADevice.DEVICE_TYPES)
+    
+    def validate_device_name(self, value):
+        """Validate device name is unique for user"""
+        user = self.context['request'].user
+        if MFADevice.objects.filter(user=user, name=value).exists():
+            raise serializers.ValidationError("Device name already exists")
+        return value
+
+
+class MFAVerificationSerializer(serializers.Serializer):
+    """Serializer for MFA verification"""
+    token = serializers.CharField(max_length=10, min_length=6)
+    device_id = serializers.UUIDField(required=False)
+
+
+class AuditLogSerializer(serializers.ModelSerializer):
+    """Serializer for audit logs"""
+    user = serializers.StringRelatedField(read_only=True)
+    
+    class Meta:
+        model = AuditLog
+        fields = [
+            'id', 'timestamp', 'user', 'action_type', 'resource_type',
+            'resource_id', 'ip_address', 'user_agent', 'details',
+            'severity', 'hash_value'
+        ]
+        read_only_fields = ['id', 'timestamp', 'hash_value']
+
+
+class SSOProviderSerializer(serializers.ModelSerializer):
+    """Serializer for SSO providers"""
+    configuration = serializers.JSONField()
+    attribute_mapping = serializers.JSONField()
+    
+    class Meta:
+        model = SSOProvider
+        fields = [
+            'id', 'name', 'provider_type', 'is_active',
+            'configuration', 'attribute_mapping',
+            'created_at', 'updated_at'
+        ]
+        read_only_fields = ['id', 'created_at', 'updated_at']
+
+
+class AccessPolicySerializer(serializers.ModelSerializer):
+    """Serializer for access policies"""
+    conditions = serializers.JSONField()
+    actions = serializers.JSONField()
+    
+    class Meta:
+        model = AccessPolicy
+        fields = [
+            'id', 'name', 'description', 'policy_type',
+            'conditions', 'resource_type', 'actions',
+            'priority', 'is_active', 'created_at', 'updated_at'
+        ]
+        read_only_fields = ['id', 'created_at', 'updated_at']
+
+
+class LoginSerializer(serializers.Serializer):
+    """Serializer for user login"""
+    username = serializers.CharField()
+    password = serializers.CharField()
+    mfa_token = serializers.CharField(required=False, allow_blank=True)
+    remember_me = serializers.BooleanField(default=False)
+
+
+class PasswordChangeSerializer(serializers.Serializer):
+    """Serializer for password change"""
+    current_password = serializers.CharField()
+    new_password = serializers.CharField(min_length=8)
+    confirm_password = serializers.CharField()
+    
+    def validate(self, data):
+        """Validate password change"""
+        if data['new_password'] != data['confirm_password']:
+            raise serializers.ValidationError("Passwords do not match")
+        return data
+
+
+class UserProfileSerializer(serializers.ModelSerializer):
+    """Serializer for user profile"""
+    roles = RoleSerializer(many=True, read_only=True)
+    clearance_level = DataClassificationSerializer(read_only=True)
+    mfa_devices = MFADeviceSerializer(many=True, read_only=True)
+    
+    class Meta:
+        model = User
+        fields = [
+            'id', 'username', 'email', 'first_name', 'last_name',
+            'employee_id', 'department', 'clearance_level', 'roles',
+            'mfa_enabled', 'mfa_devices', 'is_superuser', 'is_staff', 'is_active',
+            'date_joined', 'last_login', 'created_at', 'updated_at'
+        ]
+        read_only_fields = [
+            'id', 'username', 'employee_id', 'clearance_level', 
+            'roles', 'mfa_enabled', 'is_superuser', 'is_staff', 'is_active',
+            'date_joined', 'last_login', 'created_at', 'updated_at'
+        ]

ETB-API/security/serializers/zero_trust.py

@@ -0,0 +1,203 @@
+"""
+Zero Trust Serializers
+Serializers for device posture, geolocation rules, risk assessment, and adaptive authentication
+"""
+from rest_framework import serializers
+from django.contrib.auth import get_user_model
+
+from ..models import (
+    DevicePosture, GeolocationRule, RiskAssessment, 
+    AdaptiveAuthentication, UserBehaviorProfile
+)
+
+User = get_user_model()
+
+
+class DevicePostureSerializer(serializers.ModelSerializer):
+    """Serializer for device posture"""
+    
+    class Meta:
+        model = DevicePosture
+        fields = [
+            'id', 'device_id', 'device_name', 'device_type', 'os_type', 
+            'os_version', 'browser_info', 'is_managed', 'has_antivirus',
+            'antivirus_status', 'firewall_enabled', 'encryption_enabled',
+            'screen_lock_enabled', 'biometric_auth', 'ip_address',
+            'mac_address', 'network_type', 'vpn_connected', 'risk_score',
+            'is_compliant', 'is_trusted', 'trust_level', 'is_active',
+            'first_seen', 'last_seen', 'created_at', 'updated_at'
+        ]
+        read_only_fields = [
+            'id', 'device_id', 'risk_score', 'trust_level', 'is_trusted',
+            'first_seen', 'last_seen', 'created_at', 'updated_at'
+        ]
+
+
+class DeviceRegistrationSerializer(serializers.Serializer):
+    """Serializer for device registration"""
+    device_id = serializers.CharField(max_length=255, required=True)
+    device_name = serializers.CharField(max_length=200, required=False, allow_blank=True)
+    device_type = serializers.ChoiceField(choices=DevicePosture.DEVICE_TYPES, required=False)
+    os_type = serializers.ChoiceField(choices=DevicePosture.OS_TYPES, required=False)
+    os_version = serializers.CharField(max_length=100, required=False, allow_blank=True)
+    browser_info = serializers.CharField(max_length=200, required=False, allow_blank=True)
+    is_managed = serializers.BooleanField(default=False)
+    has_antivirus = serializers.BooleanField(default=False)
+    antivirus_status = serializers.CharField(max_length=50, required=False, allow_blank=True)
+    firewall_enabled = serializers.BooleanField(default=False)
+    encryption_enabled = serializers.BooleanField(default=False)
+    screen_lock_enabled = serializers.BooleanField(default=False)
+    biometric_auth = serializers.BooleanField(default=False)
+    ip_address = serializers.IPAddressField(required=False)
+    mac_address = serializers.CharField(max_length=17, required=False, allow_blank=True)
+    network_type = serializers.CharField(max_length=50, required=False, allow_blank=True)
+    vpn_connected = serializers.BooleanField(default=False)
+
+
+class GeolocationRuleSerializer(serializers.ModelSerializer):
+    """Serializer for geolocation rules"""
+    
+    class Meta:
+        model = GeolocationRule
+        fields = [
+            'id', 'name', 'description', 'rule_type', 'allowed_countries',
+            'blocked_countries', 'allowed_regions', 'blocked_regions',
+            'allowed_cities', 'blocked_cities', 'allowed_ip_ranges',
+            'blocked_ip_ranges', 'allowed_time_zones', 'working_hours_only',
+            'working_hours_start', 'working_hours_end', 'working_days',
+            'max_distance_from_office', 'office_latitude', 'office_longitude',
+            'notification_message', 'log_violation', 'require_manager_approval',
+            'is_active', 'priority', 'created_at', 'updated_at'
+        ]
+        read_only_fields = ['id', 'created_at', 'updated_at']
+
+
+class RiskAssessmentSerializer(serializers.ModelSerializer):
+    """Serializer for risk assessments"""
+    
+    class Meta:
+        model = RiskAssessment
+        fields = [
+            'id', 'user', 'assessment_type', 'resource_type', 'resource_id',
+            'device_risk_score', 'location_risk_score', 'behavior_risk_score',
+            'network_risk_score', 'time_risk_score', 'user_risk_score',
+            'overall_risk_score', 'risk_level', 'ip_address', 'user_agent',
+            'location_data', 'device_data', 'behavior_data', 'risk_factors',
+            'mitigation_actions', 'assessment_details', 'access_decision',
+            'decision_reason', 'assessed_at', 'expires_at'
+        ]
+        read_only_fields = [
+            'id', 'user', 'overall_risk_score', 'risk_level', 'access_decision',
+            'assessed_at', 'expires_at'
+        ]
+
+
+class RiskAssessmentRequestSerializer(serializers.Serializer):
+    """Serializer for risk assessment requests"""
+    assessment_type = serializers.ChoiceField(
+        choices=RiskAssessment.RISK_FACTORS,
+        default='LOGIN'
+    )
+    resource_type = serializers.CharField(max_length=100, required=False, allow_blank=True)
+    resource_id = serializers.CharField(max_length=255, required=False, allow_blank=True)
+    device_id = serializers.CharField(max_length=255, required=False, allow_blank=True)
+    location_data = serializers.JSONField(required=False, default=dict)
+    additional_context = serializers.JSONField(required=False, default=dict)
+
+
+class AdaptiveAuthenticationSerializer(serializers.ModelSerializer):
+    """Serializer for adaptive authentication"""
+    
+    class Meta:
+        model = AdaptiveAuthentication
+        fields = [
+            'id', 'name', 'description', 'low_risk_threshold', 'medium_risk_threshold',
+            'high_risk_threshold', 'low_risk_auth_methods', 'medium_risk_auth_methods',
+            'high_risk_auth_methods', 'critical_risk_auth_methods',
+            'device_trust_multiplier', 'location_trust_multiplier', 'time_trust_multiplier',
+            'enable_behavioral_analysis', 'behavior_learning_period', 'anomaly_threshold',
+            'ml_enabled', 'ml_model_path', 'ml_confidence_threshold',
+            'fallback_auth_methods', 'max_auth_attempts', 'lockout_duration',
+            'is_active', 'created_at', 'updated_at'
+        ]
+        read_only_fields = ['id', 'created_at', 'updated_at']
+
+
+class UserBehaviorProfileSerializer(serializers.ModelSerializer):
+    """Serializer for user behavior profiles"""
+    
+    class Meta:
+        model = UserBehaviorProfile
+        fields = [
+            'id', 'user', 'typical_login_times', 'typical_login_locations',
+            'typical_login_devices', 'typical_access_times', 'typical_access_patterns',
+            'typical_session_duration', 'typical_ip_ranges', 'typical_user_agents',
+            'login_frequency', 'access_frequency', 'anomaly_score', 'is_learning',
+            'learning_start_date', 'learning_complete_date', 'sample_count',
+            'last_updated', 'created_at'
+        ]
+        read_only_fields = [
+            'id', 'user', 'anomaly_score', 'learning_start_date', 'learning_complete_date',
+            'sample_count', 'last_updated', 'created_at'
+        ]
+
+
+class ZeroTrustStatusSerializer(serializers.Serializer):
+    """Serializer for Zero Trust system status"""
+    zero_trust_enabled = serializers.BooleanField()
+    user_status = serializers.DictField()
+    system_configuration = serializers.DictField()
+    recommendations = serializers.ListField()
+
+
+class DeviceSecurityRecommendationSerializer(serializers.Serializer):
+    """Serializer for device security recommendations"""
+    type = serializers.CharField()
+    priority = serializers.ChoiceField(choices=['low', 'medium', 'high', 'critical'])
+    message = serializers.CharField()
+    action = serializers.CharField()
+    details = serializers.DictField(required=False)
+
+
+class RiskMitigationActionSerializer(serializers.Serializer):
+    """Serializer for risk mitigation actions"""
+    action_type = serializers.CharField()
+    description = serializers.CharField()
+    priority = serializers.ChoiceField(choices=['low', 'medium', 'high', 'critical'])
+    required_auth_methods = serializers.ListField()
+    estimated_time = serializers.IntegerField(help_text="Estimated time in minutes")
+    automated = serializers.BooleanField(default=False)
+
+
+class GeolocationTestSerializer(serializers.Serializer):
+    """Serializer for testing geolocation rules"""
+    latitude = serializers.FloatField(required=False)
+    longitude = serializers.FloatField(required=False)
+    country_code = serializers.CharField(max_length=2, required=False, allow_blank=True)
+    region = serializers.CharField(max_length=100, required=False, allow_blank=True)
+    city = serializers.CharField(max_length=100, required=False, allow_blank=True)
+    ip_address = serializers.IPAddressField(required=False)
+
+
+class BehavioralAnomalySerializer(serializers.Serializer):
+    """Serializer for behavioral anomaly detection"""
+    login_time = serializers.DateTimeField(required=False)
+    location = serializers.DictField(required=False)
+    device_id = serializers.CharField(max_length=255, required=False, allow_blank=True)
+    ip_address = serializers.IPAddressField(required=False)
+    user_agent = serializers.CharField(required=False, allow_blank=True)
+    session_duration = serializers.FloatField(required=False)
+    access_pattern = serializers.ListField(required=False)
+
+
+class AccessDecisionSerializer(serializers.Serializer):
+    """Serializer for access decisions"""
+    access_granted = serializers.BooleanField()
+    reason = serializers.CharField()
+    required_actions = serializers.ListField()
+    risk_level = serializers.ChoiceField(choices=['LOW', 'MEDIUM', 'HIGH', 'CRITICAL'])
+    risk_score = serializers.IntegerField(min_value=0, max_value=100)
+    auth_requirements = serializers.ListField()
+    assessment_id = serializers.UUIDField()
+    expires_at = serializers.DateTimeField(required=False)
+    mitigation_actions = serializers.ListField(required=False)