DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

[Oauth Gitlab] GITLAB_PROJECT_AUTO_IMPORT fails because of 403 insufficient_scope #8434

Open jdfresser opened 1 year ago

jdfresser commented 1 year ago

Problem description: I tried the Gitlab Oauth and I managed to connect. When I tried to use the DD_SOCIAL_AUTH_GITLAB_PROJECT_AUTO_IMPORT option, login fails.

image

[...]
File "/app/dojo/pipeline.py", line 142, in update_product_access
    projects = gl.projects.list(membership=True, min_access_level=settings.GITLAB_PROJECT_MIN_ACCESS_LEVEL, all=True)
File "/usr/local/lib/python3.11/site-packages/gitlab/exceptions.py", line 338, in wrapped_f
    raise error(e.error_message, e.response_code, e.response_body) from e
gitlab.exceptions.GitlabListError: 403: insufficient_scope
[...]

So it seems the issue is a rights issue with the gl.projects.list function; I understand it is a rights/scope-related issue. I tried to activate all scopes but no change. I stuck to the minimum rights: image

The annoying thing is that if this function fails, the login fails too.

I asked Gitlab about the scope issue but I was wondering if somebody else faced this issue.

Steps to reproduce the behavior:

  1. Create OAuth Gitlab described in https://documentation.defectdojo.com/integrations/social-authentication/#gitlab
  2. Don't grant the read_repository right so that PROJECT_AUTO_IMPORT will fail
  3. Login with Gitlab
  4. See error

Expected behavior: While logging in with the GITLAB_PROJECT_AUTO_IMPORT option activated, if there are troubles with the Gitlab API, login should still work.

Deployment method (select with an X)

Environment information

avlahop commented 1 year ago

I have the same error with Gitlab and project import. This is the error I get

error_json  
{'error': 'insufficient_scope',
 'error_description': 'The request requires higher privileges than provided by '
                      'the access token.',
 'scope': 'api read_api'}

I have given my Gitlab application read_user, read_repository and openapi scopes, which are correctly setup and requested from defect dojo when redirecting to Gitlab. But when redirecting back to the callback I get the following error and import fails in

projects = gl.projects.list(membership=True, min_access_level=settings.GITLAB_PROJECT_MIN_ACCESS_LEVEL, all=True)

Removing the auto import option, gitlab authentication works.

bgoareguer commented 1 year ago

I had the same issue.

Here is how I solved it:

DD_SOCIAL_AUTH_GITLAB_SCOPE: "read_api, read_user, openid, read_repository"
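The two failure reports above share one cause: the token granted by Gitlab lacked an API-level scope, and the auto-import step raised instead of degrading, which took the whole login down with it. The following is an added example, not DefectDojo's own pipeline code, showing both halves of the defensive handling: a check that the configured scope string (in the DD_SOCIAL_AUTH_GITLAB_SCOPE format quoted above) covers what project listing needs, and an import step that logs and continues on a scope error so authentication still completes. The required-scope set is taken from the `'scope': 'api read_api'` field in avlahop's error JSON; the `FakeGitlab` client, the `InsufficientScope` exception and the function names are constructed stand-ins, not the python-gitlab API.

```python
"""Added example (not DefectDojo code): verify that the configured GitLab OAuth
scopes cover project auto-import, and run the import so that an API/scope error
does not abort the login. The fake client and exception are assumptions."""
import logging

logger = logging.getLogger(__name__)

# From the error_json in this thread: listing projects needs 'api' or 'read_api'.
PROJECT_LIST_SCOPES = frozenset({"api", "read_api"})


def parse_scope_setting(value):
    """Parse a DD_SOCIAL_AUTH_GITLAB_SCOPE-style string such as
    "read_api, read_user, openid" into a set of scope names.
    Commas and whitespace are both accepted as separators."""
    return {s for s in value.replace(",", " ").split() if s}


def missing_scopes_for_auto_import(granted):
    """Return the set of scopes of which at least one is needed for project
    listing when none of them is granted; an empty set means auto-import can work."""
    granted = set(granted)
    if granted & PROJECT_LIST_SCOPES:
        return set()
    return set(PROJECT_LIST_SCOPES)


class InsufficientScope(Exception):
    """Stand-in (assumption) for the 403 insufficient_scope error the GitLab
    client raised in the tracebacks above."""


class FakeGitlab:
    """Constructed stand-in for a GitLab client: it lists projects only when the
    token carries an API scope, otherwise it raises like the real client did."""

    def __init__(self, scopes, projects=()):
        self.scopes = set(scopes)
        self._projects = list(projects)

    def list_projects(self, min_access_level):
        if not self.scopes & PROJECT_LIST_SCOPES:
            raise InsufficientScope("403: insufficient_scope")
        return [p for p in self._projects if p["access_level"] >= min_access_level]


def import_projects_without_blocking_login(gl, min_access_level):
    """Auto-import step that degrades gracefully: on a scope error it logs a
    warning and returns no projects, so the social-auth pipeline can continue
    and the user still logs in (the expected behavior requested in this issue)."""
    try:
        return gl.list_projects(min_access_level)
    except InsufficientScope as exc:
        logger.warning("GitLab project auto-import skipped: %s", exc)
        return []


if __name__ == "__main__":
    # Constructed scope string matching the fix posted above.
    scopes = parse_scope_setting("read_api, read_user, openid, read_repository")
    print("missing for auto-import:", missing_scopes_for_auto_import(scopes))
    gl = FakeGitlab({"read_user", "openid"}, [{"name": "demo", "access_level": 30}])
    print("imported with read_user only:", import_projects_without_blocking_login(gl, 20))
```

A deployment can run `missing_scopes_for_auto_import` against its configured scope string at startup and refuse to enable auto-import (rather than failing logins later) when the result is non-empty.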

Ma1tobiose commented 2 months ago

Same problem, still not solved. And settings.dist.py now has sha256 checksum.

mtesauro commented 2 months ago

@Ma1tobiose The sha256sum is quite on purpose.

If you look at the top of settings.dist.py, you'll see this:

#########################################################################################################
# It is not allowed to edit file 'settings.dist.py', for production deployemnts.                        #
# Any customization of variables need to be done via environmental variables or in 'local_settings.py'. #
# For more information check https://documentation.defectdojo.com/getting_started/configuration/        #
#########################################################################################################

DefectDojo has local_settings.py to specifically allow customization local to your DefectDojo install in a way that makes upgrades safe, as settings.dist.py can be overwritten on upgrades.

There's an example of a local_settings.py file at https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/settings/template-local_settings

If you create a local_settings.py and make the changes you want there, you'll be safe from upgrades and the sha256sum check.

Ma1tobiose commented 2 months ago

@mtesauro Thanks for the reply. Yes, I agree with the behavior of sha256, and it is a very reliable solution. I mention it here because the previous fix solution failed, and I want to warn people who come across the same problem later. So I think the login 403 problem of GITLAB_PROJECT_AUTO_IMPORT should be fixed. Maybe we can merge this part of the code instead of setting it as a local setting?

mtesauro commented 2 months ago

@Ma1tobiose Got it. If you'd like to put in a PR to add that to settings.dist.py, I don't have a problem with that.