platform(general): Implement SSO Relay State Parameter in Checkov Output Links #5217
Conversation
…SimOnPanw/checkov into feature/add-relaystate-from-prismacloud
SimOnPanw
had a problem deploying
to
scan-security
GitHub Actions
Failure
…prismacloud_url function
SimOnPanw
had a problem deploying
to
scan-security
GitHub Actions
Failure
SimOnPanw
had a problem deploying
to
scan-security
GitHub Actions
Failure
SimOnPanw
had a problem deploying
to
scan-security
GitHub Actions
Failure
SimOnPanw
had a problem deploying
to
scan-security
GitHub Actions
Failure
SimOnPanw
had a problem deploying
to
scan-security
GitHub Actions
Failure
| if request.status == 401: | ||
| logging.error(f'Received 401 response from Prisma /login endpoint: {request.data.decode("utf8")}') | ||
| raise BridgecrewAuthError() | ||
| elif request.status == 403: | ||
| logging.error('Received 403 (Forbidden) response from Prisma /login endpoint') | ||
| raise BridgecrewAuthError() |
There was a problem hiding this comment.
@mikeurbanski1 any thoughts about raising an exception here or should we just log it and return the normal URL?
There was a problem hiding this comment.
I like returning the normal URL. Then at least they can go to it after signing in separately.
There was a problem hiding this comment.
@mikeurbanski1 @gruebel instead of raising an exception, I could return the normal URL as follow:
request = self.http.request("GET", url_saml_config, headers=headers, timeout=10) # type:ignore[no-untyped-call]
if request.status >= 300:
return report_url
With the problem that we don't trigger an exception if the BC_API_KEY is not provided. I am not sure this is better. What do you think ?
There was a problem hiding this comment.
We won't get to this code if there is no BC_API_KEY though
There was a problem hiding this comment.
@mikeurbanski1, of course, you are correct. I committed the change.
Co-authored-by: Anton Grübel <[email protected]>
SimOnPanw
had a problem deploying
to
scan-security
GitHub Actions
Failure
Co-authored-by: Anton Grübel <[email protected]>
SimOnPanw
had a problem deploying
to
scan-security
GitHub Actions
Failure
There was a problem hiding this comment.
nice, looks good from my side, just waiting for @mikeurbanski1 🙂
| @@ -572,7 +573,7 @@ def commit_repository(self, branch: str) -> str | None: | |||
| get_user_agent_header() | |||
| )) | |||
| response = json.loads(request.data.decode("utf8")) | |||
| url: str = response.get("url", None) | |||
| url: str = self.get_sso_prismacloud_url(response.get("url", None)) | |||
There was a problem hiding this comment.
@SimOnPanw what happens if SSO isn't configured?
There was a problem hiding this comment.
Hello @mikeurbanski1, we will be returning the standard URL that directly points to the platform. To return the URL with RelayState parameter, you'll have to provide a prisma_api_url and ensure that your Prisma Cloud tenant is configured with both relay_state_param_name and access_saml_url.
Here is an example:
There was a problem hiding this comment.
Hello @mikeurbanski1 and @gruebel, any news on this PR ?
There was a problem hiding this comment.
But what does {bc_integration.prisma_api_url}/saml/config return if SSO is not configured? It looks like we are always going to try to get this, and throw an exception if it doesn't work, so I am worried that we won't fall back.
There was a problem hiding this comment.
It returns a json with an empty fields for relayStateParamName and redLockAccessSamlUrl, even if a tenant has no SAML configuration.
I checked if there is any value return below in the code.
…put Links (bridgecrewio#5217) * add RelayState param from Prisma Cloud * fix flake8 issues * add the type of the input arguments and the return value for get_sso_prismacloud_url function * add exception handling and timeout to meet bandit requirements * fix flake8 * fix flake8 * move the get_sso_prismacloud_url function to platform_integration.py * call the function get_sso_prismacloud_url from commit_repository function * Update checkov/common/bridgecrew/platform_integration.py Co-authored-by: Anton Grübel <[email protected]> * Update checkov/common/bridgecrew/platform_integration.py Co-authored-by: Anton Grübel <[email protected]> * remove dot in front of type-ignore-no-untyped-call * return normal url if any errors * fix mypy issues --------- Co-authored-by: Anton Grübel <[email protected]>
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
This PR introduces an enhancement to the way Checkov generates output links. Previously, output links were generated and printed to the console without considering any specific state parameters required for Single Sign-On (SSO) procedures.
The code in this PR updates the
_print_to_consolemethod to incorporate a relay state parameter when generating output links. This is achieved through the implementation of a new method,get_sso_prismacloud_url, which calls the Prisma Cloud Platform API to get the necessary relay state from the SAML configuration. This state is then appended to the URL before it's printed to the console.These changes ensure that the output links generated by Checkov are compatible with SSO procedures that rely on relay state parameters.
Before the merge, Checkov generate the report link without considering any specific relaystate parameters:
After the merge, Checkov will use the RelayState Parameter:
Please review and let me know if any changes are required.
Checklist: