Merge branch 'dev' of https://github.com/MaibornWolff/SecObserve into stackable

Author: dervoeti

backend/application/core/queries/product.py

@@ -5,6 +5,7 @@
 from django.db.models.query import QuerySet
 
 from application.access_control.services.current_user import get_current_user
+from application.commons.models import Settings
 from application.core.models import (
     Observation,
     Product,
@@ -86,6 +87,12 @@ def _add_annotations(queryset: QuerySet, is_product_group: bool, with_annotation
     if not with_annotations:
         return queryset
 
+    queryset = _add_observation_annotations(queryset, is_product_group)
+    queryset = _add_license_annotations(queryset, is_product_group)
+    return queryset
+
+
+def _add_observation_annotations(queryset: QuerySet, is_product_group: bool) -> QuerySet:
     subquery_open_critical = (
         _get_product_group_observation_subquery(Severity.SEVERITY_CRITICAL)
         if is_product_group
@@ -117,49 +124,58 @@ def _add_annotations(queryset: QuerySet, is_product_group: bool, with_annotation
         else _get_product_observation_subquery(Severity.SEVERITY_UNKNOWN)
     )
 
-    subquery_license_forbidden = (
-        _get_product_group_license_subquery(License_Policy_Evaluation_Result.RESULT_FORBIDDEN)
-        if is_product_group
-        else _get_product_license_subquery(License_Policy_Evaluation_Result.RESULT_FORBIDDEN)
-    )
-    subquery_license_review_required = (
-        _get_product_group_license_subquery(License_Policy_Evaluation_Result.RESULT_REVIEW_REQUIRED)
-        if is_product_group
-        else _get_product_license_subquery(License_Policy_Evaluation_Result.RESULT_REVIEW_REQUIRED)
-    )
-    subquery_license_unknown = (
-        _get_product_group_license_subquery(License_Policy_Evaluation_Result.RESULT_UNKNOWN)
-        if is_product_group
-        else _get_product_license_subquery(License_Policy_Evaluation_Result.RESULT_UNKNOWN)
-    )
-    subquery_license_allowed = (
-        _get_product_group_license_subquery(License_Policy_Evaluation_Result.RESULT_ALLOWED)
-        if is_product_group
-        else _get_product_license_subquery(License_Policy_Evaluation_Result.RESULT_ALLOWED)
-    )
-    subquery_license_ignored = (
-        _get_product_group_license_subquery(License_Policy_Evaluation_Result.RESULT_IGNORED)
-        if is_product_group
-        else _get_product_license_subquery(License_Policy_Evaluation_Result.RESULT_IGNORED)
-    )
-
     queryset = queryset.annotate(
         open_critical_observation_count=Coalesce(subquery_open_critical, 0),
         open_high_observation_count=Coalesce(subquery_open_high, 0),
         open_medium_observation_count=Coalesce(subquery_open_medium, 0),
         open_low_observation_count=Coalesce(subquery_open_low, 0),
         open_none_observation_count=Coalesce(subquery_open_none, 0),
         open_unknown_observation_count=Coalesce(subquery_open_unknown, 0),
-        forbidden_licenses_count=Coalesce(subquery_license_forbidden, 0),
-        review_required_licenses_count=Coalesce(subquery_license_review_required, 0),
-        unknown_licenses_count=Coalesce(subquery_license_unknown, 0),
-        allowed_licenses_count=Coalesce(subquery_license_allowed, 0),
-        ignored_licenses_count=Coalesce(subquery_license_ignored, 0),
     )
 
     return queryset
 
 
+def _add_license_annotations(queryset: QuerySet, is_product_group: bool) -> QuerySet:
+    settings = Settings.load()
+    if settings.feature_license_management:
+        subquery_license_forbidden = (
+            _get_product_group_license_subquery(License_Policy_Evaluation_Result.RESULT_FORBIDDEN)
+            if is_product_group
+            else _get_product_license_subquery(License_Policy_Evaluation_Result.RESULT_FORBIDDEN)
+        )
+        subquery_license_review_required = (
+            _get_product_group_license_subquery(License_Policy_Evaluation_Result.RESULT_REVIEW_REQUIRED)
+            if is_product_group
+            else _get_product_license_subquery(License_Policy_Evaluation_Result.RESULT_REVIEW_REQUIRED)
+        )
+        subquery_license_unknown = (
+            _get_product_group_license_subquery(License_Policy_Evaluation_Result.RESULT_UNKNOWN)
+            if is_product_group
+            else _get_product_license_subquery(License_Policy_Evaluation_Result.RESULT_UNKNOWN)
+        )
+        subquery_license_allowed = (
+            _get_product_group_license_subquery(License_Policy_Evaluation_Result.RESULT_ALLOWED)
+            if is_product_group
+            else _get_product_license_subquery(License_Policy_Evaluation_Result.RESULT_ALLOWED)
+        )
+        subquery_license_ignored = (
+            _get_product_group_license_subquery(License_Policy_Evaluation_Result.RESULT_IGNORED)
+            if is_product_group
+            else _get_product_license_subquery(License_Policy_Evaluation_Result.RESULT_IGNORED)
+        )
+
+        queryset = queryset.annotate(
+            forbidden_licenses_count=Coalesce(subquery_license_forbidden, 0),
+            review_required_licenses_count=Coalesce(subquery_license_review_required, 0),
+            unknown_licenses_count=Coalesce(subquery_license_unknown, 0),
+            allowed_licenses_count=Coalesce(subquery_license_allowed, 0),
+            ignored_licenses_count=Coalesce(subquery_license_ignored, 0),
+        )
+
+    return queryset
+
+
 def _get_product_observation_subquery(severity: str) -> Subquery:
     branch_filter = Q(branch__is_default_branch=True) | (
         Q(branch__isnull=True) & Q(product__repository_default_branch__isnull=True)

charts/secobserve/README.md

@@ -113,6 +113,8 @@ A Helm chart to deploy SecObserve, an open-source vulnerability and license mana
 | frontend.env[4].value | string | `"https://secobserve.dev/"` |  |
 | frontend.env[5].name | string | `"OIDC_POST_LOGOUT_REDIRECT_URI"` |  |
 | frontend.env[5].value | string | `"https://secobserve.dev/"` |  |
+| frontend.env[5].name | string | `"OIDC_PROMPT"` |  |
+| frontend.env[5].value | string | null |  |
 | frontend.image.pullPolicy | string | `"IfNotPresent"` |  |
 | frontend.image.registry | string | `"docker.io"` |  |
 | frontend.image.repository | string | `"ghcr.io/secobserve/secobserve-frontend"` |  |

charts/secobserve/values.yaml

@@ -25,6 +25,8 @@ frontend:
       value: https://secobserve.dev/
     - name: OIDC_POST_LOGOUT_REDIRECT_URI
       value: https://secobserve.dev/
+    - name: OIDC_PROMPT
+      value: null
   resources:
     limits:
       cpu: 500m

docker-compose-dev-keycloak.yml

@@ -21,6 +21,7 @@ services:
       OIDC_CLIENT_ID: ${SO_OIDC_CLIENT_ID:-secobserve}
       OIDC_REDIRECT_URI: ${SO_OIDC_REDIRECT_URI:-http://localhost:3000}
       OIDC_POST_LOGOUT_REDIRECT_URI: ${SO_OIDC_POST_LOGOUT_REDIRECT_URI:-http://localhost:3000}
+      OIDC_PROMPT: ${SO_OIDC_PROMPT:-}
 
   backend:
     build:

docker-compose-playwright.yml

@@ -18,6 +18,8 @@ services:
       OIDC_CLIENT_ID: dummy
       OIDC_REDIRECT_URI: dummy
       OIDC_POST_LOGOUT_REDIRECT_URI: dummy
+      OIDC_PROMPT: null
+
     networks:
       - secobserve
 

docker-compose-prod-mysql.yml

@@ -50,6 +50,7 @@ services:
       OIDC_REDIRECT_URI: ${SO_OIDC_REDIRECT_URI:-http://secobserve.localhost}
       OIDC_POST_LOGOUT_REDIRECT_URI: ${SO_OIDC_POST_LOGOUT_REDIRECT_URI:-http://secobserve.localhost}
       OIDC_SCOPE: ${SO_OIDC_SCOPE:-openid profile email}
+      OIDC_PROMPT: ${SO_OIDC_PROMPT:-}
     networks:
       - traefik
 

docker-compose-prod-postgres.yml

@@ -50,6 +50,7 @@ services:
       OIDC_REDIRECT_URI: ${SO_OIDC_REDIRECT_URI:-http://secobserve.localhost}
       OIDC_POST_LOGOUT_REDIRECT_URI: ${SO_OIDC_POST_LOGOUT_REDIRECT_URI:-http://secobserve.localhost}
       OIDC_SCOPE: ${SO_OIDC_SCOPE:-openid profile email}
+      OIDC_PROMPT: ${SO_OIDC_PROMPT:-}
     networks:
       - traefik
 

docker-compose-prod-test.yml

@@ -17,6 +17,7 @@ services:
       OIDC_CLIENT_ID: ${SO_OIDC_CLIENT_ID:-dummy}
       OIDC_REDIRECT_URI: ${SO_OIDC_REDIRECT_URI:-http://localhost:3000}
       OIDC_POST_LOGOUT_REDIRECT_URI: ${SO_OIDC_POST_LOGOUT_REDIRECT_URI:-http://localhost:3000}
+      OIDC_PROMPT: ${SO_OIDC_PROMPT:-}
     ports:
       - "3000:3000"
 

docs/getting_started/configuration.md

@@ -46,6 +46,7 @@ A part of the configuration is done with environment variables, which need to be
 | `OIDC_REDIRECT_URI`             | mandatory   | The redirect URI is the URI the identity provider will send the security tokens back to. To be set with the URL of the frontend. |
 | `OIDC_POST_LOGOUT_REDIRECT_URI` | mandatory   | The post logout redirect URI is the URI that will be called after logout. To be set with the URL of the frontend. |
 | `OIDC_SCOPE`                    | optional    | OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's details, like name or email. If the variable is not set, the standard scopes `openid profile email` will be used. |
+| `OIDC_PROMPT`                   | optional    | The prompt parameter allows to request specific interactions with the user during the authentication process, values can be `none`, `login`, `consent` and `select_account`. Default is not to set the prompt parameter. |
 
 All the `OIDC_*` environment variables are needed for technical reasons. If `OIDC_ENABLE` is set to `false`, the other `OIDC_*` environment variables can be set to `dummy` or something similar.
 

docs/getting_started/upgrading.md

@@ -10,6 +10,13 @@
 
 * There will be specific upgrade instructions if necessary, e.g. when there are new configuration parameters.
 
+## Release 1.47.0
+
+**Breaking changes**
+
+* The OIDC attribute `prompt` is now configurable and it is not set as default. To return to the former behaviour, you have to set the environment variable `OIDC_PROMPT=select_account` for the frontend in your installation. For further details search for `prompt` in the [OpenID specification](https://openid.net/specs/openid-connect-core-1_0.html).
+
+
 ## Release 1.46.0
 
 **Breaking changes**