
Fix: Broken Swagger when Remote User enabled #9960

Status: Merged (1 commit, Apr 22, 2024)

Conversation

@kiblik (Contributor) commented Apr 18, 2024

The combination of #9108 and an enabled DD_AUTH_REMOTEUSER_ENABLED was breaking the API Swagger because of the removed settings.SWAGGER_SETTINGS.


uwsgi-1         | [18/Apr/2024 12:50:56] ERROR [dojo.api_v2.exception_handler:41] 'Settings' object has no attribute 'SWAGGER_SETTINGS'
uwsgi-1         | Traceback (most recent call last):
uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/rest_framework/views.py", line 506, in dispatch
uwsgi-1         |     response = handler(request, *args, **kwargs)
uwsgi-1         |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/drf_spectacular/views.py", line 84, in get
uwsgi-1         |     return self._get_schema_response(request)
uwsgi-1         |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/drf_spectacular/views.py", line 92, in _get_schema_response
uwsgi-1         |     data=generator.get_schema(request=request, public=self.serve_public),
uwsgi-1         |          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/drf_spectacular/generators.py", line 281, in get_schema
uwsgi-1         |     paths=self.parse(request, public),
uwsgi-1         |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/drf_spectacular/generators.py", line 252, in parse
uwsgi-1         |     operation = view.schema.get_operation(
uwsgi-1         |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/drf_spectacular/openapi.py", line 103, in get_operation
uwsgi-1         |     auth = self.get_auth()
uwsgi-1         |            ^^^^^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/drf_spectacular/openapi.py", line 342, in get_auth
uwsgi-1         |     names, definitions = [scheme.name], [scheme.get_security_definition(self)]
uwsgi-1         |                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/app/dojo/remote_user.py", line 108, in get_security_definition
uwsgi-1         |     return settings.SWAGGER_SETTINGS['SECURITY_DEFINITIONS']['remoteUserAuth']
uwsgi-1         |            ^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/django/conf/__init__.py", line 94, in __getattr__
uwsgi-1         |     val = getattr(_wrapped, name)
uwsgi-1         |           ^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         | AttributeError: 'Settings' object has no attribute 'SWAGGER_SETTINGS'
uwsgi-1         | [18/Apr/2024 12:50:56] ERROR [django.request:241] Internal Server Error: /api/v2/oa3/schema/

A unit test was added as well.
Now it should work fine.

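A minimal stand-alone reproduction of the failure mode in the traceback above, added here as an example and not code from this PR or from DefectDojo: a drf-spectacular-style auth extension whose security definition is looked up in a setting that no longer exists, beside a variant that carries its definition inline (an assumed approach, not necessarily the change this PR made), plus a smoke check that exercises every scheme the way schema generation does. Django and drf-spectacular are replaced by a constructed settings object so it runs offline; the class names, the check function and the definition dict are assumptions.

```python
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings after #9108: the SWAGGER_SETTINGS
# attribute is gone, so any lookup of it raises AttributeError, as in the traceback.
settings = SimpleNamespace(DEBUG=False)

# Constructed OpenAPI security definition for the remote-user header (assumed values).
REMOTE_USER_AUTH = {"type": "apiKey", "in": "header", "name": "Remote-User"}


class BrokenRemoteUserScheme:
    """Mirrors the pattern from dojo/remote_user.py in the traceback:
    the definition is read from a setting that a previous change removed."""
    name = "remoteUserAuth"

    def get_security_definition(self):
        return settings.SWAGGER_SETTINGS["SECURITY_DEFINITIONS"]["remoteUserAuth"]


class FixedRemoteUserScheme:
    """Assumed fix: the extension owns its security definition and no longer
    depends on a setting that only the old Swagger integration provided."""
    name = "remoteUserAuth"

    def get_security_definition(self):
        return REMOTE_USER_AUTH


def check_security_definitions(schemes):
    """Smoke check mirroring what drf-spectacular's get_auth() does per view:
    call each scheme's get_security_definition() and record whether it returned
    a dict or raised. Returns {class name: ("ok", definition) | ("error", message)}.
    Keyed by class name because both schemes share the same OpenAPI scheme name."""
    results = {}
    for scheme in schemes:
        key = type(scheme).__name__
        try:
            definition = scheme.get_security_definition()
        except AttributeError as exc:  # the exception class seen in the traceback
            results[key] = ("error", str(exc))
            continue
        if isinstance(definition, dict):
            results[key] = ("ok", definition)
        else:
            results[key] = ("error", f"expected dict, got {type(definition).__name__}")
    return results


if __name__ == "__main__":
    report = check_security_definitions([BrokenRemoteUserScheme(), FixedRemoteUserScheme()])
    for key, (status, detail) in report.items():
        print(f"{key}: {status} -> {detail}")
```

Running the check as part of the test suite, with the remote-user setting enabled, surfaces a broken scheme before the schema endpoint returns a 500 in production.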

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

Analyzer: Findings
AppSec Analyzer (beta): 0 findings
Secrets Analyzer: 0 findings
Authn/Authz Analyzer: 1 finding
Configured Codepaths Analyzer: 0 findings
Sensitive Files Analyzer: 0 findings

Note: 🟢 Risk threshold not exceeded.


@mtesauro (Contributor) left a review comment:

Approved

@blakeaowens blakeaowens merged commit c69c22a into DefectDojo:bugfix Apr 22, 2024
122 checks passed
@kiblik kiblik deleted the fix_remote_user_swagger branch April 22, 2024 06:17
hblankenship pushed a commit to hblankenship/django-DefectDojo that referenced this pull request Apr 26, 2024