mitre · vanessuniq · Dec 20, 2022
diff --git a/app/controllers/security_requirements_guides_controller.rb b/app/controllers/security_requirements_guides_controller.rb
@@ -4,6 +4,7 @@
 class SecurityRequirementsGuidesController < ApplicationController
   before_action :authorize_admin, except: %i[index]
   before_action :security_requirements_guide, only: %i[destroy]
+  before_action :read_uploaded_file, only: %i[create]
 
   def index
     @srgs = SecurityRequirementsGuide.all.order(:srg_id, :version).select(:id, :srg_id, :title, :version, :release_date)
@@ -14,24 +15,25 @@ def index
   end
 
   def create
-    file = params.require('file')
-    parsed_benchmark = Xccdf::Benchmark.parse(file.read)
-    srg = SecurityRequirementsGuide.from_mapping(parsed_benchmark)
-    file.tempfile.seek(0)
-    srg.parsed_benchmark = parsed_benchmark
-    srg.xml = file.read
-    if srg.save
-      render(json: { toast: 'Successfully created SRG.' }, status: :ok)
-    else
-      render(json: {
-               toast: {
-                 title: 'Could not create SRG.',
-                 message: srg.errors.full_messages,
-                 variant: 'danger'
-               },
-               status: :unprocessable_entity
-             })
+    if @upload_errors.empty?
+      srg_models = build_srg_from_xml(@upload_contents)
+      failed_instances = SecurityRequirementsGuide.import(srg_models, all_or_none: true,
+                                                                      recursive: true).failed_instances
+      if failed_instances.blank?
+        render(json: { toast: "Successfully created #{srg_models.size} SRG." }, status: :ok) and return
+      end
+
+      @upload_errors = failed_instances.map { |instance| instance.errors.full_messages }.flatten
     end
+
+    render(json: {
+             toast: {
+               title: 'Could not create SRG.',
+               message: @upload_errors,
+               variant: 'danger'
+             },
+             status: :unprocessable_entity
+           })
   end
 
   def destroy
@@ -48,4 +50,39 @@ def destroy
   def security_requirements_guide
     @srg = SecurityRequirementsGuide.find(params[:id])
   end
+
+  def read_uploaded_file
+    file = params.require('file')
+    file_name = file.original_filename
+    @upload_contents = []
+    @upload_errors = []
+
+    if file_name.ends_with?('.xml')
+      @upload_contents << file.read
+    elsif file_name.ends_with?('.zip')
+      Zip::File.open_buffer(file.read) do |zf|
+        if zf.all? { |f| f.name.ends_with?('.xml') }
+          zf.each do |entry|
+            entry.get_input_stream { |io| @upload_contents << io.read }
+          end
+        else
+          @upload_errors << 'Error reading the submitted zip file. Ensure that all files in the zip are XML files.'
+        end
+      end
+    else
+      @upload_errors << 'Wrong file type submitted: accepted file type are XML or zip archive of XML files.'
+    end
+  end
+
+  def build_srg_from_xml(xmls)
+    srgs = []
+    xmls.each do |xml|
+      parsed_benchmark = Xccdf::Benchmark.parse(xml)
+      srg = SecurityRequirementsGuide.from_mapping(parsed_benchmark)
+      srg.parsed_benchmark = parsed_benchmark
+      srg.xml = xml
+      srgs << srg
+    end
+    srgs
+  end
 end
diff --git a/app/javascript/components/security_requirements_guides/SecurityRequirementsGuidesUpload.vue b/app/javascript/components/security_requirements_guides/SecurityRequirementsGuidesUpload.vue
@@ -9,9 +9,9 @@
     >
       <b-form-file
         v-model="file"
-        placeholder="Choose or drop an SRG XML here..."
-        drop-placeholder="Drop SRG XML here..."
-        accept="text/xml, application/xml"
+        placeholder="Choose or drop an SRG XML or zip of multi XML here..."
+        drop-placeholder="Drop SRG XML or zip XML here..."
+        accept="text/xml, application/xml, application/zip"
       />
       <template #modal-footer>
         <div class="row w-100">

diff --git a/app/models/security_requirements_guide.rb b/app/models/security_requirements_guide.rb
@@ -23,7 +23,7 @@ def self.from_mapping(benchmark_mapping)
     title = benchmark_mapping.title.first rescue nil
     version = "V#{benchmark_mapping.version.version}" \
               "#{SecurityRequirementsGuide.revision(benchmark_mapping.plaintext.first)}" rescue nil
-    release_date = SecurityRequirementsGuide.release_date(benchmark_mapping.plaintext.first)
+    release_date = SecurityRequirementsGuide.release_date(benchmark_mapping.plaintext.first) rescue nil
     # rubocop:enable Style/RescueModifier
 
     SecurityRequirementsGuide.new(srg_id: id, title: title, version: version, release_date: release_date)