faloker / purify

All-in-one tool for managing vulnerability reports from AppSec pipelines
https://faloker.gitbook.io/purify
MIT License

docker-compose pull | api fails #60

Closed dmspils closed 4 years ago

dmspils commented 4 years ago

I just did a docker-compose pull && docker-compose up -d to update my deployment to the latest images but the api now fails to start and goes into a restart loop (nothing has changed in the config).

Looking at the logs for the api container, I see this failure which looks to be linked to SSO (which I have set in my .env file to USE_SAML=false):

[Nest] 39   - 07/15/2020, 11:41:07 AM   [ExceptionHandler] Invalid property: cert must not be empty +2ms
Error: Invalid property: cert must not be empty
    at SAML.initialize (/home/node/app/node_modules/passport-saml/lib/passport-saml/saml.js:28:11)
    at new SAML (/home/node/app/node_modules/passport-saml/lib/passport-saml/saml.js:18:23)
    at new Strategy (/home/node/app/node_modules/passport-saml/lib/passport-saml/strategy.js:28:16)
    at new MixinStrategy (/home/node/app/node_modules/@nestjs/passport/dist/passport/passport.strategy.js:31:13)
    at new SamlStrategy (/home/node/app/dist/auth/saml.strategy.js:20:9)
    at Injector.instantiateClass (/home/node/app/node_modules/@nestjs/core/injector/injector.js:288:19)
    at callback (/home/node/app/node_modules/@nestjs/core/injector/injector.js:75:41)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Injector.resolveConstructorParams (/home/node/app/node_modules/@nestjs/core/injector/injector.js:116:24)
    at async Injector.loadInstance (/home/node/app/node_modules/@nestjs/core/injector/injector.js:79:9)
    at async Injector.loadProvider (/home/node/app/node_modules/@nestjs/core/injector/injector.js:36:9)
    at async Promise.all (index 8)
    at async InstanceLoader.createInstancesOfProviders (/home/node/app/node_modules/@nestjs/core/injector/instance-loader.js:42:9)
    at async /home/node/app/node_modules/@nestjs/core/injector/instance-loader.js:27:13
    at async Promise.all (index 10)
    at async InstanceLoader.createInstances (/home/node/app/node_modules/@nestjs/core/injector/instance-loader.js:26:9)

The cert for the website is fine and has a couple of months left on it so I assume it is a SAML cert error. As I mentioned, I've disabled the use of SAML (and LDAP) in my config but it still seems to be calling them. Is there any way to completely disable that check?

dmspils commented 4 years ago

I've tried rolling back to previous tags of purify-api but all seem to have been updated over the past couple of days and all now exhibit the same error behaviour.

dmspils commented 4 years ago

I've found a temporary fix! By modding .api/.env.custom to include the following, it now doesn't check the SAML cert and the api successfully loads:

USE_LDAP=false
USE_SAML=false
SAML_LOCAL_KEY_ONELINE=<random value that is insignificant>
SAML_IDP_CERT_ONELINE=<random value that is insignificant>
SAML_EMAIL_FIELD_NAME=email
SAML_USERNAME_FIELD_NAME=name

faloker commented 4 years ago

Yep, you're right, SAML_IDP_CERT_ONELINE should have some value, even fake, to load the rest of a module.

I will fix this one by adding a default value for this variable at startup.
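
An added example, not from this thread or from Purify's code base: one way to gate SAML setup on `USE_SAML` so that no strategy is constructed when SAML is off, while a placeholder certificate is rejected as soon as SAML is switched on. The environment variable names are the ones quoted above; the helper names, the base64-DER assumption about `SAML_IDP_CERT_ONELINE`, and the sample value are assumptions made for illustration.

```javascript
// Added example (not Purify's code). Helper names are hypothetical.

function isTrue(value) {
  return String(value || '').trim().toLowerCase() === 'true';
}

// Assumption: the *_ONELINE value is the base64 body of a DER X.509
// certificate with the PEM header and footer removed.
function looksLikeDerCertificate(oneline) {
  const text = String(oneline || '').replace(/\s+/g, '');
  if (text.length < 64 || !/^[A-Za-z0-9+/]+={0,2}$/.test(text)) return false;
  const der = Buffer.from(text, 'base64');
  // A DER certificate starts with an ASN.1 SEQUENCE tag (0x30) followed
  // by a long-form length byte (high bit set).
  return der.length > 4 && der[0] === 0x30 && (der[1] & 0x80) !== 0;
}

function resolveSamlConfig(env) {
  if (!isTrue(env.USE_SAML)) {
    // SAML is off: return early so the caller never builds a strategy
    // and never needs a dummy certificate just to boot.
    return { enabled: false };
  }
  if (!looksLikeDerCertificate(env.SAML_IDP_CERT_ONELINE)) {
    // Fail closed: a filler value must not survive into a SAML-enabled run.
    throw new Error('USE_SAML=true but SAML_IDP_CERT_ONELINE is not a certificate');
  }
  return {
    enabled: true,
    cert: env.SAML_IDP_CERT_ONELINE.replace(/\s+/g, ''),
    emailField: env.SAML_EMAIL_FIELD_NAME || 'email',
    usernameField: env.SAML_USERNAME_FIELD_NAME || 'name',
  };
}

// Constructed sample: 260 bytes shaped like a DER SEQUENCE, not a real certificate.
const SAMPLE_CERT = Buffer.concat([
  Buffer.from([0x30, 0x82, 0x01, 0x00]),
  Buffer.alloc(256, 0x41),
]).toString('base64');

console.log(resolveSamlConfig({ USE_SAML: 'false' }));
console.log(resolveSamlConfig({ USE_SAML: 'true', SAML_IDP_CERT_ONELINE: SAMPLE_CERT }).enabled);
```

The shape check only filters out filler strings; it does not validate the certificate chain or expiry.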