Unable to Define Multiple Organization-Level Analyzer Secrets

phage-nz commented 1 year ago

What happened

Environment

OS: Docker on Ubuntu 20.04 LTS
IntelOwl version: 4.1.2

What did you expect to happen

Adding more than 1 organization-level analyzer secret.

How to reproduce your issue

Performed a fresh install via Docker Compose.

Edited application domain, database user name and password in the env files - otherwise the templates are untouched. Started with python3 start.py prod up and then created a superuser as-per documentation.

Logged in, created an organization, defined 1 analyzer secret (with attribute: api_key_name). Then attempted to add another (which also had attribute: api_key_name) and it failed to save, returning an error 500. Then tried to add it via the Django console, and received an error as well (see below). It's worth noting that trying to add an analyzer with attribute type other than api_key_name succeeded (e.g. api_key_name_test). I'm also able to add multiple plugins against my user without trouble. The failure only appears to occur with organization analyzers. "plugin_name" doesn't appear to be considered when determining whether the entry is unique.

Error messages and logs

500 error reported in GUI.
Plugin config with this Type, Attribute, Organization and Owner already exists. reported when attempting to add via Django console.

Log message below:

intelowl_postgres        | 2022-11-21 00:29:29.172 UTC [235] ERROR:  duplicate key value violates unique constraint "unique_custom_config_entry"
intelowl_postgres        | 2022-11-21 00:29:29.172 UTC [235] DETAIL:  Key (type, attribute, organization_id, owner_id)=(1, api_key_name, 1, 1) already exists.
intelowl_postgres        | 2022-11-21 00:29:29.172 UTC [235] STATEMENT:  INSERT INTO "api_app_pluginconfig" ("type", "config_type", "attribute", "value", "organization_id", "owner_id", "plugin_name", "updated_at") VALUES ('1', '2', 'api_key_name', '"API KEY HERE"', 1, 1, 'VirusTotal_v3_Get_File', '2022-11-21T00:29:29.171638+00:00'::timestamptz) RETURNING "api_app_pluginconfig"."id"

phage-nz commented 1 year ago

Appears this line could be the root cause: https://github.com/intelowlproject/IntelOwl/blob/master/api_app/models.py#L273

0x0elliot commented 1 year ago

you're right. it appears that both an owner and an organization can only add one secret. i think removing the unique constraints should do it without causing any weird bugs.

mlodic commented 1 year ago

thank you for reporting this and for all the provided details!

as already told by @0x0elliot , what you have found seems pretty straightforward and a fast fix.

However, I have just did some manual testing and I really got strange results. I'll get back once I get more time to do more tests and understand if there are other correlated bugs

mlodic commented 1 year ago

apologies for coming back so late...life happens...I should have fixed it now in develop (so available next release or by building the dev version)

Plus, if you would like to migrate all the secrets of an user to a specific organization, now you can do that by leveraging the Django command python3 manage.py migrate_secrets_to_org -u <user> -o <org>. In that way you can migrate easier your actual user-based configuration to org-based

mlodic commented 1 year ago

deplyoed in v4.1.4

intelowlproject / IntelOwl