feat(api-token): Add ability to use API tokens but not disable "api-token-auth" (#10786)

Author: kiblik

docs/content/en/integrations/api-v2-docs.md

@@ -47,6 +47,7 @@ For example: :
 
 If you use [an alternative authentication method](../social-authentication/) for users, you may want to disable DefectDojo API tokens because it could bypass your authentication concept. \
 Using of DefectDojo API tokens can be disabled by specifying the environment variable `DD_API_TOKENS_ENABLED` to `False`.
+Or only `api/v2/api-token-auth/` endpoint can be disabled by setting `DD_API_TOKEN_AUTH_ENDPOINT_ENABLED` to `False`.
 
 ## Sample Code
 

dojo/context_processors.py

@@ -25,6 +25,7 @@ def globalize_vars(request):
         "SAML2_LOGOUT_URL": settings.SAML2_LOGOUT_URL,
         "DOCUMENTATION_URL": settings.DOCUMENTATION_URL,
         "API_TOKENS_ENABLED": settings.API_TOKENS_ENABLED,
+        "API_TOKEN_AUTH_ENDPOINT_ENABLED": settings.API_TOKEN_AUTH_ENDPOINT_ENABLED,
     }
 
 

dojo/settings/.settings.dist.py.sha256sum

@@ -1 +1 @@
-66ee64ade0a61b090efd059a63e39f11683bd53e33bd25b8d41009cbbde06073
+c2ba2c95bb8a9b55330a5c3a8a627cfcaf2135780893367399f8eb51f4a0b3d8

dojo/settings/settings.dist.py

@@ -282,6 +282,9 @@
     # When disabled, existing user tokens will not be removed but it will not be
     # possible to create new and it will not be possible to use exising.
     DD_API_TOKENS_ENABLED=(bool, True),
+    # Enable endpoint which allow user to get API token when user+pass is provided
+    # It is useful to disable when non-local authentication (like SAML, Azure, ...) is in place
+    DD_API_TOKEN_AUTH_ENDPOINT_ENABLED=(bool, True),
     # You can set extra Jira headers by suppling a dictionary in header: value format (pass as env var like "headr_name=value,another_header=anohter_value")
     DD_ADDITIONAL_HEADERS=(dict, {}),
     # Set fields used by the hashcode generator for deduplication, via en env variable that contains a JSON string
@@ -750,6 +753,8 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 
 API_TOKENS_ENABLED = env("DD_API_TOKENS_ENABLED")
 
+API_TOKEN_AUTH_ENDPOINT_ENABLED = env("DD_API_TOKEN_AUTH_ENDPOINT_ENABLED")
+
 REST_FRAMEWORK = {
     "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
     "DEFAULT_AUTHENTICATION_CLASSES": (

dojo/templates/dojo/api_v2_key.html

@@ -15,9 +15,11 @@ <h2> {{ name }}</h2>
         <input class="btn btn-primary" type="submit" value="{% trans "Generate New Key" %}"/>
     </form>
     <hr/>
+    {% if API_TOKEN_AUTH_ENDPOINT_ENABLED %}
     <p>{% trans "Alternatively, you can use /api/v2/api-token-auth/ to get your token. Example:" %}</p>
     <pre>
 curl -X POST -H 'content-type: application/json' {% if request.is_secure %}https{% else %}http{% endif %}://{{ request.META.HTTP_HOST }}/api/v2/api-token-auth/ -d '{"username": "&lt;YOURUSERNAME&gt;", "password": "&lt;YOURPASSWORD&gt;"}'</pre>
+    {% endif %}
     <p>{% trans "To use your API Key you need to specify an Authorization header. Example:" %}</p>
     <pre>
 # As a header

dojo/urls.py

@@ -215,8 +215,8 @@
     re_path(r"^{}api/v2/user_profile/".format(get_system_setting("url_prefix")), UserProfileView.as_view(), name="user_profile"),
 ]
 
-if hasattr(settings, "API_TOKENS_ENABLED"):
-    if settings.API_TOKENS_ENABLED:
+if hasattr(settings, "API_TOKENS_ENABLED") and hasattr(settings, "API_TOKEN_AUTH_ENDPOINT_ENABLED"):
+    if settings.API_TOKENS_ENABLED and settings.API_TOKEN_AUTH_ENDPOINT_ENABLED:
         api_v2_urls += [
             re_path(
                 f"^{get_system_setting('url_prefix')}api/v2/api-token-auth/",