DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Improved and more secure API Key handling #2552

Open rkg-mm opened 1 year ago

rkg-mm commented 1 year ago

Current Behavior

Each team gets an API key automatically. All API keys are visible for admins in the web interface (therefore they must be stored somewhere in plaintext, or only reversibly encrypted).

Proposed Behavior

  1. By default a Team should not have API keys
  2. Admins shall be able to generate API keys, ideally with an additional comment or name, to document the purpose
  3. API keys should not be visible in plain text except once after generation
  4. API keys should be stored as a secret with proper one-way hashing (basically it's a secret and must be handled like one!)
  5. We should consider improving the API key length or at least characters, not sure about best practices but most other systems I know use larger keys
  6. (Ideally) Creation Date and Last usage date should be shown next to the API key for the admin to be able to clear up
  7. Also consider #2543

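A sketch of proposal items 3 to 5, added here as an example; it is not Dependency-Track's or Alpine's code, and the `dt_` prefix, the 32-byte key length and the record fields are assumptions. The cleartext key is returned exactly once, only its SHA-256 digest (plus the admin metadata from items 2 and 6) is persisted, and verification compares digests in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HexFormat;

public final class ApiKeyExample {
    private static final SecureRandom RNG = new SecureRandom();

    /** What gets persisted: never the cleartext, only its digest plus admin metadata. */
    public record StoredKey(String displayPrefix, String sha256Hex, String comment,
                            long createdAt, Long lastUsedAt) {}

    /** Generation result: cleartext to show exactly once, and the record to store. */
    public record Generated(String cleartext, StoredKey stored) {}

    public static Generated generate(String comment) {
        byte[] raw = new byte[32];                 // 256 bits from SecureRandom (assumed length)
        RNG.nextBytes(raw);
        String cleartext = "dt_" + Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // A short prefix lets admins tell keys apart in the UI without exposing the secret.
        StoredKey stored = new StoredKey(cleartext.substring(0, 8), sha256Hex(cleartext),
                comment, System.currentTimeMillis(), null);
        return new Generated(cleartext, stored);
    }

    /** Compares digests in constant time so the check leaks nothing through timing. */
    public static boolean verify(String presented, StoredKey stored) {
        byte[] expected = HexFormat.of().parseHex(stored.sha256Hex());
        byte[] actual = HexFormat.of().parseHex(sha256Hex(presented));
        return MessageDigest.isEqual(expected, actual);
    }

    // Plain SHA-256 is sufficient here: the key is 256 bits of random data, so there is
    // nothing to guess by dictionary (unlike user passwords, which need a slow salted
    // hash). The digest can also serve as the database lookup column.
    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        Generated g = generate("CI uploader for project X");   // constructed sample comment
        System.out.println("Show once: " + g.cleartext());
        System.out.println("Persist:   " + g.stored());
        System.out.println(verify(g.cleartext(), g.stored()) + " " + verify("dt_wrong", g.stored()));
    }
}
```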

valentijnscholten commented 1 year ago

I agree these improvements are welcome/needed, but probably should be moved to https://github.com/stevespringett/Alpine ?

rkg-mm commented 1 year ago

If this is part of the alpine framework, then yes :D

mprencipe commented 7 months ago

Alpine doesn't automatically create API keys for teams, it's parametrized: https://github.com/stevespringett/Alpine/blob/master/alpine-infra/src/main/java/alpine/persistence/AlpineQueryManager.java#L559

Dependency-Track invokes the inherited AlpineQueryManager#createTeam method with the "true" parameter which generates the API key: https://github.com/DependencyTrack/dependency-track/blob/master/src/main/java/org/dependencytrack/resources/v1/TeamResource.java#L135

The simplest fix would be changing true to false.

nscuro commented 7 months ago

@mprencipe That sounds like a sensible thing to do. Do you fancy raising a PR for this?

@rkg-mm:

  2. Admins shall be able to generate API keys, ideally with an additional comment or name, to document the purpose

Comments to document the purpose are coming in v4.11, as per https://github.com/DependencyTrack/frontend/pull/768.

  6. (Ideally) Creation Date and Last usage date should be shown next to the API key for the admin to be able to clear up

Timestamps to track creation and "last used" timestamps are coming in v4.11, as per https://github.com/DependencyTrack/frontend/pull/768.

  7. Also consider https://github.com/DependencyTrack/dependency-track/issues/2543

This was shipped in v4.9.

mprencipe commented 7 months ago

Sure, I can raise a PR.