Fuzzy gitlab integration

[ch-lepp]

I try to integrate Threat Dragon (docker app) with my gitlab server.

The documentation on this is open for interpretation (to put it mildly) ^^
All I could find was a list of possible gitlab related env vars (without explanation of what they do or how they behave): https://owasp.org/www-project-threat-dragon/docs-2/development-environment/

The first issue I have was with the GITLAB_SCOPE var.
If left empty, its set to the default value of 'read_user,read_repository,write_repository,profile'.
This default value results in a gitlab error upon auth request: The requested scope is invalid, unknown, or malformed.

The second issue comes with the GITLAB_REDIRECT_URI var.
This defaults to 'undefined'.
I tried to figure out the correct value for the var.
This line of code suggests that the value should be https://my-domain/#/oauth-return.
But gitlab does not allow redirect uris to contain #.
The screenshots in this issue suggest, that the value should be https://my-domain/api/oauth/return.
But the token request now results in a Threat Dragon backend error:

threatdragon-1  | error: controllers/auth.js:  {"service":"threat-dragon","timestamp":"2024-07-03 12:38:16"}
threatdragon-1  | error: Gitlab Enterprise is not supported yet {"service":"threat-dragon","stack":"Error: Gitlab Enterprise is not supported yet\n    at getClient (/app/td.server/dist/repositories/gitlabrepo.js:29:11)\n    at Object.userAsync (/app/td.server/dist/repositories/gitlabrepo.js:88:10)\n    at _callee$ (/app/td.server/dist/providers/gitlab.js:99:23)\n    at tryCatch (/app/td.server/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:45:16)\n    at Generator.<anonymous> (/app/td.server/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:133:17)\n    at Generator.next (/app/td.server/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:74:21)\n    at asyncGeneratorStep (/app/td.server/node_modules/@babel/runtime/helpers/asyncToGenerator.js:3:24)\n    at _next (/app/td.server/node_modules/@babel/runtime/helpers/asyncToGenerator.js:22:9)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)","timestamp":"2024-07-03 12:38:16"}
threatdragon-1  | error: undefined {"service":"threat-dragon","timestamp":"2024-07-03 12:38:16"}

Do you know how I have to fill my env vars to make the integration work?

[ch-lepp]

The correct default value for the GITLAB_REDIRECT_URI would be 'read_user read_repository write_repository profile'.
So separation by spaces instead of commas.

This is also defined here:

The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings.

[ch-lepp]

I opened an issue for the scope param: #995

[jgadsden]

@fdellwing and @steve-winter , can you help with the second issue involving GITLAB_REDIRECT_URI variable?
I have very little experience of gitlab

[fdellwing]

The correct (working) GITLAB_REDIRECT_URI is https://example.com/api/oauth/return.

They error message from OP is because the version that support OnPrem Gitlab is not yet released.

[ch-lepp]

@jgadsden, @fdellwing thx a lot for the quick replies.

Do you have a rough idea when the new version supporting my Gitlab will be released?

Could you also please elaborate a bit on how the oauth flow for OnPrem Gitlab differs from the one for the Gitlab that is currently supported?

[fdellwing]

There is not really a difference. It just was not implemented. #965

[jgadsden]

We think version 2.3 will be out in August 2024, with the changes so far rolled in - but this is relevant mainly for desktop app
if you are running the web app then you can use the source from the repo or go with the latest docker container from:
https://hub.docker.com/r/threatdragon/owasp-threat-dragon/tags

[ch-lepp]

That seems to work indeed. It is just a bit unstable to always use the latest release.
But for now that solution absolutely suffices 👍

[jgadsden]

excellent, and next month is release of version 2.4 so that will have a stable version for you