DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Unable to create an Engagement via REST API #163

Closed mtesauro closed 7 years ago

mtesauro commented 7 years ago

I am trying to create an engagement using the DefectDojo API. I can do various read operations - GET engagements, products, users, etc. without a problem. Engagements is the first POST request I've tried.

In trying to figure out how to create an engagement, I've determined the following fields are the minimal required JSON values for a valid POST to /api/v1/engagements/:

{
  "status": "In Progress",
  "product": "/api/v1/products/1/",
  "name": "New Engagement",
  "lead": "/api/v1/users/5/",
  "target_end": "2016-11-25",
  "target_start": "2016-11-18"
}

However, I'm getting the following error response when I POST the JSON above:

{
  "engagements": {
    "lead": [
      "Select a valid choice. That choice is not one of the available choices."
    ],
    "product": [
      "Select a valid choice. That choice is not one of the available choices."
    ]
  }
}

I am using the following curl command (line-wrapped to make it readable):

curl -H 'Authorization: ApiKey admin:82cc5f244aaba8b64b580e9e88d42684b938b589' \
  -H 'Accept: application/json' -H 'Content-Type: application/json' \
  -X POST -d '{"status": "In Progress", "product": "/api/v1/products/1/", "name": "New Engagement", "lead": "/api/v1/users/5/", "target_end": "2016-11-25", "target_start": "2016-11-18"}' \
  http://localhost:8000/api/v1/engagements/

What are the correct values to use for product and lead?

For reference, here are the GET responses from engagements, products and users:

$ jerry-curl -c dojo-jerry-curl.config -u /engagements/ -X GET | jq .
{
  "meta": {
    "limit": 20,
    "next": null,
    "offset": 0,
    "previous": null,
    "total_count": 1
  },
  "objects": [
    {
      "active": true,
      "api_test": true,
      "check_list": true,
      "done_testing": false,
      "eng_type": null,
      "first_contacted": null,
      "id": 1,
      "lead": "/api/v1/users/5/",
      "name": "Pre-PCI Pen Test",
      "pen_test": true,
      "product": "/api/v1/products/1/",
      "product_id": 1,
      "progress": "threat_model",
      "reason": null,
      "report_type": null,
      "requester": null,
      "resource_uri": "/api/v1/engagements/1/",
      "risk_path": "none",
      "status": "In Progress",
      "target_end": "2016-11-25",
      "target_start": "2016-11-18",
      "test_strategy": "",
      "threat_model": true,
      "tmodel_path": "none",
      "updated": null,
      "version": null
    }
  ]
}
$ jerry-curl -c dojo-jerry-curl.config -u /products/ -X GET | jq .
{
  "meta": {
    "limit": 20,
    "next": null,
    "offset": 0,
    "previous": null,
    "total_count": 2
  },
  "objects": [
    {
      "created": null,
      "description": "Purposefully broken application",
      "findings_count": 1,
      "id": 1,
      "name": "BodgeIt Store",
      "prod_type": "Research and Development",
      "resource_uri": "/api/v1/products/1/"
    },
    {
      "created": null,
      "description": "A purposefully broken Java application",
      "findings_count": 0,
      "id": 2,
      "name": "WebGoat",
      "prod_type": "Automation Example",
      "resource_uri": "/api/v1/products/2/"
    }
  ]
}
$ jerry-curl -c dojo-jerry-curl.config -u /users/ -X GET | jq .
{
  "meta": {
    "limit": 20,
    "next": null,
    "offset": 0,
    "previous": null,
    "total_count": 5
  },
  "objects": [
    {
      "first_name": "Admin",
      "id": 1,
      "last_login": "2016-11-15T22:00:10.475108",
      "last_name": "Istrator",
      "resource_uri": "/api/v1/users/1/",
      "username": "admin"
    },
    {
      "first_name": "Marvin",
      "id": 2,
      "last_login": null,
      "last_name": "Manager",
      "resource_uri": "/api/v1/users/2/",
      "username": "manager"
    },
    {
      "first_name": "Tony",
      "id": 3,
      "last_login": null,
      "last_name": "Team",
      "resource_uri": "/api/v1/users/3/",
      "username": "team"
    },
    {
      "first_name": "Tami",
      "id": 4,
      "last_login": null,
      "last_name": "Technical",
      "resource_uri": "/api/v1/users/4/",
      "username": "tech"
    },
    {
      "first_name": "Paul",
      "id": 5,
      "last_login": null,
      "last_name": "Pentester",
      "resource_uri": "/api/v1/users/5/",
      "username": "pentest"
    }
  ]
}

devGregA commented 7 years ago

Hi @grendel513, sorry, I know I've been bugging you about a lot lately, but do you have suggestions on debugging tastypie?

grendel513 commented 7 years ago

@mtesauro, @devGregA - looking into it now. Looks like a tastypie bug. Update soon

grendel513 commented 7 years ago

@mtesauro, @devGregA - pull request #164 ready