
feat(k8s-test): Try login and obtain API token #10496

Closed
wants to merge 1 commit into from

Conversation

kiblik
Contributor

@kiblik kiblik commented Jul 2, 2024

A simple "give me login page" test is not enough. It should be possible to log in to the working application.

This PR adds tests for:

  • simple login
  • simple API test - get token

Added based on #10490


dryrunsecurity bot commented Jul 2, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings:

  • Server-Side Request Forgery Analyzer: 0 findings
  • Configured Codepaths Analyzer: 0 findings
  • IDOR Analyzer: 0 findings
  • Sensitive Files Analyzer: 0 findings
  • SQL Injection Analyzer: 0 findings
  • Authn/Authz Analyzer: 0 findings
  • Secrets Analyzer: 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes focus on improving the administration and deployment of the Defect Dojo application, with a specific emphasis on the Engagement Surveys feature and the Kubernetes deployment process.

The changes in the admin.py file set up the administration of the Engagement Surveys models, including Question, Answer, Engagement_Survey, and Answered_Survey, using Django's polymorphic admin functionality. This allows the admin interface to handle different types of questions and answers seamlessly. From a security perspective, these changes do not introduce any obvious vulnerabilities, but it's important to ensure that the underlying data models and business logic are properly secured and validated.

The changes in the .github/workflows/k8s-tests.yml file focus on improving the Kubernetes deployment process by adding checks for login and API functionality, handling errors and retries, and securely retrieving sensitive information. These changes help ensure the core functionality of the application is working as expected after deployment and address potential security concerns related to sensitive information handling.

Files Changed:

  1. dojo/admin.py:

    • Unregisters the LogEntry model from the Django admin interface.
    • Sets up the administration of the Engagement Surveys models, including Question, Answer, Engagement_Survey, and Answered_Survey, using Django's polymorphic admin functionality.
    • Registers the QuestionParentAdmin and AnswerParentAdmin classes, along with the individual child model admins.
    • Registers the Engagement_Survey and Answered_Survey models with the Django admin interface.
  2. .github/workflows/k8s-tests.yml:

    • Adds checks to ensure the login page is accessible and the admin user can authenticate successfully.
    • Checks the API endpoint for token authentication.
    • Checks for any pods in an error state and dumps the logs for those pods.
    • Includes a retry mechanism for the login check.
    • Retrieves the admin password from a Kubernetes secret.
    • Includes a sample curl request to demonstrate how to log in to the DefectDojo application using the admin credentials.

Powered by DryRun Security

@kiblik kiblik force-pushed the k8s_test_login_and_api branch from 5275f54 to 42a7617 on July 2, 2024 20:22
@kiblik kiblik closed this Jul 2, 2024
@kiblik kiblik reopened this Jul 2, 2024
@github-actions github-actions bot added the docker label Jul 2, 2024
@kiblik kiblik force-pushed the k8s_test_login_and_api branch from d7c1873 to 7baf72f on July 2, 2024 20:39
@github-actions github-actions bot removed the docker label Jul 2, 2024
@kiblik kiblik marked this pull request as ready for review July 2, 2024 20:41
@kiblik kiblik closed this Jul 2, 2024
@kiblik kiblik reopened this Jul 2, 2024
@kiblik kiblik marked this pull request as draft July 2, 2024 20:43
@kiblik kiblik closed this Jul 3, 2024
@kiblik kiblik reopened this Jul 3, 2024
@kiblik kiblik force-pushed the k8s_test_login_and_api branch from 7baf72f to a6568ab on July 8, 2024 20:29
@github-actions github-actions bot added docker settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests ui parser helm labels Jul 8, 2024

dryrunsecurity bot commented Jul 8, 2024

DryRun Security Summary

The changes in this pull request focus on enhancing the GitHub Actions workflow for deploying the DefectDojo application on a Kubernetes cluster, introducing several important security checks and validations to ensure the successful deployment and proper functioning of the application.


Summary:

The changes in this pull request are focused on enhancing the GitHub Actions workflow for deploying the DefectDojo application on a Kubernetes cluster. From an application security perspective, these changes introduce several important checks and validations to ensure the successful deployment and proper functioning of the application.

The key security-related aspects of the changes include:

  1. Login and API Checks: The workflow now includes checks to verify the login functionality and the API token authentication are working correctly. These checks help identify any issues with the application's authentication and authorization mechanisms, which are critical for maintaining the overall security of the application.

  2. Kubernetes Secret Management: The code securely retrieves the admin password from a Kubernetes secret, which is a best practice for handling sensitive information without exposing it in the codebase.

  3. Error Handling: The workflow includes error handling and logging mechanisms to capture any issues that may arise during the deployment process. This helps with troubleshooting and identifying potential security-related problems, such as misconfigured components or runtime errors.

Overall, these changes demonstrate a security-conscious approach to the application's deployment and operation, which is essential for maintaining the security and integrity of the DefectDojo application.

Files Changed:

  • .github/workflows/k8s-tests.yml: This file contains the GitHub Actions workflow for deploying the DefectDojo application on a Kubernetes cluster. The changes include:
    • Addition of a "Simple Login check" section to verify the login functionality by attempting to log in with the admin credentials retrieved from the Kubernetes secret.
    • Addition of a "Simple API check" section to verify the API token authentication by attempting to authenticate using the API token endpoint with the admin credentials.
    • Secure retrieval of the admin password from the Kubernetes secret named "defectdojo" using the kubectl get secret command.
    • Inclusion of error handling and logging mechanisms to capture any issues that may arise during the deployment process, such as pods in an error state.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@kiblik kiblik force-pushed the k8s_test_login_and_api branch from a6568ab to fda4ab8 on July 8, 2024 20:52
@github-actions github-actions bot removed docker settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests labels Jul 8, 2024
@github-actions github-actions bot removed the helm label Jul 8, 2024
@kiblik kiblik force-pushed the k8s_test_login_and_api branch 3 times, most recently from d0ad114 to 018c4e8 on August 9, 2024 18:35
@kiblik kiblik force-pushed the k8s_test_login_and_api branch from 018c4e8 to 3e242d3 on August 19, 2024 18:55
@github-actions github-actions bot added docker settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests ui parser helm localization labels Aug 19, 2024
@kiblik kiblik changed the base branch from bugfix to dev August 19, 2024 18:57
@kiblik kiblik force-pushed the k8s_test_login_and_api branch from 3e242d3 to 4212f2d on October 21, 2024 19:34
@github-actions github-actions bot removed docker settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests ui parser helm localization labels Oct 21, 2024
@Maffooch
Contributor

It looks like there has not been any activity here for a while. In order to keep the list of pull requests in a manageable state, we are closing this one for now. If we are making a mistake here, please reopen the pull request, and leave us a note 😄

@Maffooch Maffooch closed this Nov 15, 2024
2 participants