feat: sync applied controls to reference control (#3600)

* Feat: sync applied controls to reference control

* Code corrections

* Deduce good skip_sync value

* Sync applied control to their reference control

* Implement dry run + better UX

* Formatter

* Fix zod4 migration

* update emoji

---------

Co-authored-by: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com>

Author: monsieurswag

backend/core/models.py

@@ -26,6 +26,7 @@
 from django.core.files.storage import default_storage
 from django.db import models, transaction
 from django.db.models import F, Q, OuterRef, Subquery, Prefetch, Count
+from django.db.models.query import QuerySet
 from django.forms.models import model_to_dict
 from django.urls import reverse
 from django.utils.html import format_html
@@ -2190,6 +2191,15 @@ def is_deletable(self) -> bool:
     def frameworks(self):
         return Framework.objects.filter(requirement__reference_controls=self).distinct()
 
+    def get_unsynced_applied_controls_queryset(self) -> QuerySet[AppliedControl]:
+        """Return a `QuerySet` selecting all `AppliedControl` objects linked to this `ReferenceControl` which are not currently synced to it."""
+
+        unsynced_applied_controls_query = self.appliedcontrol_set.exclude(
+            csf_function=self.csf_function,
+            category=self.category,
+        )
+        return unsynced_applied_controls_query
+
 
 class RiskMatrix(ReferentialObjectMixin, I18nObjectMixin, EditableMixin):
     library = models.ForeignKey(
@@ -4797,7 +4807,18 @@ class Status(models.TextChoices):
 
     IMPACT = [(1, "Very Low"), (2, "Low"), (3, "Medium"), (4, "High"), (5, "Very High")]
     MAP_EFFORT = {None: -1, "XS": 1, "S": 2, "M": 3, "L": 4, "XL": 5}
-    # todo: think about a smarter model for ranking
+
+    INTEGRATION_SYNCABLE_FIELDS: Final[set[str]] = {
+        "name",
+        "description",
+        "status",
+        "priority",
+        "eta",
+        "start_date",
+        "effort",
+        "observation",
+    }
+
     reference_control = models.ForeignKey(
         ReferenceControl,
         on_delete=models.CASCADE,
@@ -4988,22 +5009,11 @@ def save(self, *args, **kwargs):
 
         BuiltinMetricSample.update_or_create_snapshot(self.folder)
 
-    def _get_changed_fields(self, old_instance):
+    def _get_changed_fields(self, old_instance) -> list[str]:
         """Detect which fields changed"""
         changed = []
-        # Check syncable fields only
-        syncable_fields = [
-            "name",
-            "description",
-            "status",
-            "priority",
-            "eta",
-            "start_date",
-            "effort",
-            "observation",
-        ]
 
-        for field in syncable_fields:
+        for field in self.INTEGRATION_SYNCABLE_FIELDS:
             old_val = getattr(old_instance, field)
             new_val = getattr(self, field)
             if old_val != new_val:

backend/core/views.py

@@ -16,7 +16,7 @@
 import zipfile
 import tempfile
 from datetime import date, datetime, timedelta
-from typing import Dict, Any, List, Tuple
+from typing import Dict, Any, List, Tuple, Final
 import time
 from django.db.models import (
     F,
@@ -39,7 +39,7 @@
     QuerySet,
     Prefetch,
 )
-from django.db.models.functions import Greatest, Coalesce
+from django.db.models.functions import Coalesce
 
 from collections import defaultdict
 import pytz
@@ -76,10 +76,11 @@
 
 
 from django.apps import apps
-from django.contrib.auth.models import Permission
+from django.contrib.auth.models import AnonymousUser, Permission
 from django.conf import settings
 from django.core.exceptions import FieldDoesNotExist
 from django.core.files.storage import default_storage
+from django.contrib.auth.base_user import AbstractBaseUser
 
 from django.db import models, transaction
 from django.forms import ValidationError
@@ -2434,6 +2435,75 @@ def category(self, request):
     def csf_function(self, request):
         return Response(dict(ReferenceControl.CSF_FUNCTION))
 
+    @staticmethod
+    def _get_syncable_applied_controls(
+        reference_control: ReferenceControl, user: AbstractBaseUser | AnonymousUser
+    ) -> list[AppliedControl]:
+        """Return the list of syncable `AppliedControl` objects (meaning they are currently unsynced) the `User` can synchronize (based on his permissions)."""
+
+        _, changeable_applied_controls, _ = RoleAssignment.get_accessible_object_ids(
+            Folder.get_root_folder(), user, AppliedControl
+        )
+
+        syncable_applied_controls = (
+            reference_control.get_unsynced_applied_controls_queryset().filter(
+                id__in=changeable_applied_controls,
+            )
+        )
+        return list(syncable_applied_controls)
+
+    @action(detail=True, methods=["get"], url_path="syncable-applied-controls")
+    def syncable_applied_controls(self, request, pk):
+        reference_control = self.get_object()
+        syncable_applied_controls = self._get_syncable_applied_controls(
+            reference_control, request.user
+        )
+
+        return Response(
+            [
+                {"id": applied_control.id, "name": applied_control.name}
+                for applied_control in syncable_applied_controls
+            ]
+        )
+
+    @action(detail=True, methods=["post"], url_path="sync-applied-controls")
+    def sync_applied_controls(self, request, pk):
+        reference_control = self.get_object()
+        syncable_applied_controls = self._get_syncable_applied_controls(
+            reference_control, request.user
+        )
+
+        FIELDS_TO_SYNC: Final[list[str]] = [
+            "category",
+            "csf_function",
+        ]
+
+        for syncable_applied_control in syncable_applied_controls:
+            for field_to_sync in FIELDS_TO_SYNC:
+                reference_control_value = getattr(reference_control, field_to_sync)
+
+                setattr(
+                    syncable_applied_control, field_to_sync, reference_control_value
+                )
+
+        AppliedControl.objects.bulk_update(
+            syncable_applied_controls, FIELDS_TO_SYNC, batch_size=100
+        )
+
+        skip_sync = all(
+            field_to_sync not in AppliedControl.INTEGRATION_SYNCABLE_FIELDS
+            for field_to_sync in FIELDS_TO_SYNC
+        )
+        for applied_control in syncable_applied_controls:
+            applied_control.save(skip_sync=skip_sync)
+
+        return Response(
+            [
+                {"id": applied_control.id, "name": applied_control.name}
+                for applied_control in syncable_applied_controls
+            ]
+        )
+
 
 class RiskMatrixViewSet(BaseModelViewSet):
     """
@@ -5649,6 +5719,41 @@ def build_sunburst_data(data_dict, name="Root", level=0, parent_color=None):
 
         return Response({"results": sunburst_data})
 
+    @action(detail=True, methods=["post"], url_path="sync-to-reference-control")
+    def sync_applied_controls(self, request, pk):
+        dry_run = request.query_params.get("dry_run", True)
+        if dry_run == "false":
+            dry_run = False
+
+        applied_control = self.get_object()
+        reference_control = applied_control.reference_control
+        changes: list[tuple[str, str]] = []  # List of (old_value, new_value) tuples.
+
+        FIELDS_TO_SYNC: Final[list[str]] = [
+            "category",
+            "csf_function",
+        ]
+
+        for field_to_sync in FIELDS_TO_SYNC:
+            reference_control_value = getattr(reference_control, field_to_sync)
+
+            applied_control_value = getattr(applied_control, field_to_sync)
+            if reference_control_value != applied_control_value:
+                changes.append((reference_control_value, applied_control_value))
+
+            setattr(applied_control, field_to_sync, reference_control_value)
+
+        if dry_run:
+            return Response(changes)
+
+        skip_sync = all(
+            field_to_sync not in AppliedControl.INTEGRATION_SYNCABLE_FIELDS
+            for field_to_sync in FIELDS_TO_SYNC
+        )
+        applied_control.save(update_fields=FIELDS_TO_SYNC, skip_sync=skip_sync)
+
+        return Response(changes)
+
 
 class ActionPlanList(generics.ListAPIView):
     search_fields = ["name", "description", "ref_id"]

frontend/messages/ar.json

@@ -1106,5 +1106,9 @@
 	"serverConfigurationError": "Server configuration error",
 	"libraryLoadFailed": "Library load failed",
 	"sortAscending": "ترتيب أ ← ي",
-	"sortDescending": "ترتيب ي ← أ"
+	"sortDescending": "ترتيب ي ← أ",
+	"confirmModalMessagePlural": "هل أنت متأكد؟ سيؤثر هذا الإجراء بشكل دائم على الكائنات التالية",
+	"syncAppliedControlsMessage": "سيتم مزامنة عناصر التحكم المطبقة التي تستخدم عنصر التحكم المرجعي هذا معه. يرجى ملاحظة أن هذا الإجراء لا يمكن التراجع عنه.",
+	"syncToAppliedControl": "مزامنة مع التحكم المطبق",
+	"syncToReferenceControl": "مزامنة مع التحكم المرجعي"
 }

frontend/messages/cs.json

@@ -1126,5 +1126,9 @@
 	"serverConfigurationError": "Server configuration error",
 	"libraryLoadFailed": "Library load failed",
 	"sortAscending": "Řadit A → Z",
-	"sortDescending": "Řadit Z → A"
+	"sortDescending": "Řadit Z → A",
+	"confirmModalMessagePlural": "Jste si jistí? Tato akce trvale ovlivní následující objekty",
+	"syncAppliedControlsMessage": "Použité kontroly využívající tuto referenční kontrolu s ní budou synchronizovány. Upozorňujeme, že tuto akci nelze vrátit zpět.",
+	"syncToAppliedControl": "Synchronizovat s aplikovanou kontrolou",
+	"syncToReferenceControl": "Synchronizovat s referenční kontrolou"
 }

frontend/messages/da.json

@@ -1420,5 +1420,9 @@
 	"serverConfigurationError": "Server configuration error",
 	"libraryLoadFailed": "Library load failed",
 	"sortAscending": "Sorter A → Z",
-	"sortDescending": "Sorter Z → A"
+	"sortDescending": "Sorter Z → A",
+	"confirmModalMessagePlural": "Er du sikker? Denne handling vil permanent påvirke følgende objekter",
+	"syncAppliedControlsMessage": "De anvendte kontroller, der bruger denne referencekontrol, vil blive synkroniseret med den. Bemærk venligst, at dette ikke kan fortrydes.",
+	"syncToAppliedControl": "Synkroniser med anvendt kontrol",
+	"syncToReferenceControl": "Synkroniser med referencekontrol"
 }

frontend/messages/de.json

@@ -488,7 +488,7 @@
 	"revoke": "Widerrufen",
 	"riskAcceptanceValidatedMessage": "Diese Risikoakzeptanz ist validiert. Sie kann widerrufen werden, jedoch nicht rückgängig gemacht werden. Erstellen Sie ggf. eine neue Version.",
 	"confirmModalTitle": "Bestätigen",
-	"confirmModalMessage": "Sind Sie sicher? Diese Aktion wirkt sich dauerhaft auf folgendes Objekt aus:",
+	"confirmModalMessage": "Sind Sie sicher? Diese Aktion wirkt sich dauerhaft auf folgendes Objekt aus",
 	"submit": "Einreichen",
 	"requirementAssessment": "Anforderungsbewertung",
 	"requirementAssessments": "Anforderungsbewertungen",
@@ -3013,5 +3013,9 @@
 	"serverConfigurationError": "Serverkonfigurationsfehler",
 	"libraryLoadFailed": "Bibliothek konnte nicht geladen werden",
 	"sortAscending": "Sortieren A → Z",
-	"sortDescending": "Sortieren Z → A"
+	"sortDescending": "Sortieren Z → A",
+	"confirmModalMessagePlural": "Sind Sie sicher? Diese Aktion wirkt sich dauerhaft auf folgende Objekte aus",
+	"syncAppliedControlsMessage": "Die angewendeten Kontrollen, die diese Referenzkontrolle verwenden, werden mit ihr synchronisiert. Bitte beachten Sie, dass dies nicht rückgängig gemacht werden kann.",
+	"syncToAppliedControl": "Mit angewendeter Maßnahme synchronisieren",
+	"syncToReferenceControl": "Mit Referenzkontrolle synchronisieren"
 }

frontend/messages/el.json

@@ -1837,5 +1837,9 @@
 	"serverConfigurationError": "Server configuration error",
 	"libraryLoadFailed": "Library load failed",
 	"sortAscending": "Ταξινόμηση Α → Ω",
-	"sortDescending": "Ταξινόμηση Ω → Α"
+	"sortDescending": "Ταξινόμηση Ω → Α",
+	"confirmModalMessagePlural": "Είστε σίγουροι; Αυτή η ενέργεια θα επηρεάσει μόνιμα τα ακόλουθα αντικείμενα",
+	"syncAppliedControlsMessage": "Οι εφαρμοζόμενοι έλεγχοι που χρησιμοποιούν αυτόν τον πρότυπο έλεγχο θα συγχρονιστούν με αυτόν. Λάβετε υπόψη ότι αυτή η ενέργεια δεν μπορεί να αναιρεθεί.",
+	"syncToAppliedControl": "Συγχρονισμός με τον εφαρμοζόμενο έλεγχο",
+	"syncToReferenceControl": "Συγχρονισμός με τον πρότυπο έλεγχο"
 }

frontend/messages/en.json

@@ -1436,6 +1436,7 @@
 	"selectRequirementsToAssign": "Select requirements to include in a new assignment",
 	"makeSureActorsHavePermissions": "Make sure that the assigned users have access to the domain of this audit",
 	"selectAllAvailable": "Select all available",
+	"clearSelection": "Clear selection",
 	"expandAll": "Expand all",
 	"collapseAll": "Collapse all",
 	"clickToSelect": "click to select",
@@ -2287,7 +2288,6 @@
 	"changeTreatment": "Change treatment",
 	"changeAssignee": "Change assignee",
 	"changeResult": "Change result",
-	"clearSelection": "Clear selection",
 	"itemsSelected": "{count} item(s) selected",
 	"batchActionConfirmDelete": "Are you sure you want to delete {count} item(s)?",
 	"batchActionConfirmChange": "Apply to {count} item(s):",
@@ -3857,6 +3857,8 @@
 	"showProcessed": "Show processed ({count})",
 	"hideProcessed": "Hide processed",
 	"ctrlEnterToPost": "Ctrl+Enter to post",
+	"confirmModalMessagePlural": "Are you sure? This action will permanently affect the following objects",
+	"syncAppliedControlsMessage": "The applied controls using this reference control will be synced to it. Please note that this cannot be undone.",
 	"presets": "Journeys",
 	"presetsDescription": "Follow guided journeys to set up your security program step by step. You can also explore the platform freely and unlock all capabilities from the settings.",
 	"availablePresets": "Available Templates",
@@ -3989,6 +3991,9 @@
 	"addLanguage": "Add language",
 	"untitledMatrix": "Untitled Matrix",
 	"closeEditor": "Close editor",
+	"removeLanguageConfirm": "Remove {lang} translations?",
+	"syncToAppliedControl": "Sync to applied control",
+	"syncToReferenceControl": "Sync to reference control",
 	"statementOfApplicability": "Statement of Applicability",
 	"soaDescription": "Generate a Statement of Applicability from a compliance assessment and optionally enrich it with risk assessment data",
 	"soaSelectCompliance": "Select a compliance assessment",

frontend/messages/es.json

@@ -3154,5 +3154,9 @@
 	"serverConfigurationError": "Error de configuración del servidor",
 	"libraryLoadFailed": "Error al cargar la biblioteca",
 	"sortAscending": "Ordenar A → Z",
-	"sortDescending": "Ordenar Z → A"
+	"sortDescending": "Ordenar Z → A",
+	"confirmModalMessagePlural": "¿Estás seguro? Esta acción afectará permanentemente a los siguientes objetos",
+	"syncAppliedControlsMessage": "Los controles aplicados que utilizan este control de referencia se sincronizarán con él. Tenga en cuenta que esto no se puede deshacer.",
+	"syncToAppliedControl": "Sincronizar con el control aplicado",
+	"syncToReferenceControl": "Sincronizar con el control de referencia"
 }

frontend/messages/fr.json

@@ -1313,6 +1313,7 @@
 	"selectRequirementsToAssign": "Sélectionnez les exigences à inclure dans une nouvelle affectation",
 	"makeSureActorsHavePermissions": "Assurez-vous que les personnes assignées disposent des droits sur le domaine de cet audit",
 	"selectAllAvailable": "Tout sélectionner",
+	"clearSelection": "Effacer la sélection",
 	"expandAll": "Tout déplier",
 	"collapseAll": "Tout replier",
 	"clickToSelect": "cliquer pour sélectionner",
@@ -2170,7 +2171,6 @@
 	"changeTreatment": "Changer le traitement",
 	"changeAssignee": "Changer le responsable",
 	"changeResult": "Changer le résultat",
-	"clearSelection": "Effacer la sélection",
 	"itemsSelected": "{count} élément(s) sélectionné(s)",
 	"batchActionConfirmDelete": "Êtes-vous sûr de vouloir supprimer {count} élément(s) ?",
 	"batchActionConfirmChange": "Appliquer à {count} élément(s) :",
@@ -3721,6 +3721,8 @@
 	"libraryLoadFailed": "Échec du chargement de la bibliothèque",
 	"sortAscending": "Trier A → Z",
 	"sortDescending": "Trier Z → A",
+	"confirmModalMessagePlural": "Êtes-vous sûr ? Cette action affectera définitivement les objets suivants",
+	"syncAppliedControlsMessage": "Les mesures appliquées utilisant cette mesure de référence seront synchronisées avec celle-ci. Cette opération ne pourrait pas être annulée.",
 	"assignmentStatusDraft": "Brouillon",
 	"assignmentStatusInProgress": "En cours",
 	"assignmentStatusSubmitted": "Soumis",
@@ -3954,6 +3956,8 @@
 	"chatRetry": "Réessayer",
 	"chatNoConversations": "Aucune conversation",
 	"chatDisclaimer": "L'IA peut se tromper. Les données sont envoyées uniquement à votre fournisseur IA configuré.",
+	"syncToAppliedControl": "Synchroniser avec la mesure appliquée",
+	"syncToReferenceControl": "Synchroniser avec la mesure de référence",
 	"riskCoverage": "Couverture des risques",
 	"soaSelectRiskDescription": "La s\u00e9lection d\u2019analyses de risques enrichira la DdA avec les sc\u00e9narios de risques et les d\u00e9cisions de traitement associ\u00e9s"
 }