remove: Credential Manager (2.57 deprecation, 2.59 EOL) #14836
Merged
Per the 2.59 release notes, retires the Credential Manager feature in its entirety: UI, API, models, DB tables, and the system-settings toggle that gated it.

Endpoints removed (now `404`):
- /api/v2/credentials/
- /api/v2/credential_mappings/

UI removed:
- All `/cred/*`, `/product/<id>/cred/*`, `/engagement/<id>/cred/*`, `/test/<id>/cred/*`, `/finding/<id>/cred/*` routes
- "Credential Manager" sidebar entry and per-product Add/View Credentials shortcuts in the navbar
- Credential sections from view_test, view_eng, and view_finding

Code deleted:
- The entire `dojo/cred/` module (views, urls, signals, queries)
- All `*cred*.html` templates
- `CredMappingForm`, `CredMappingFormProd`, `CredUserForm` in forms.py
- `ApiCredentialsFilter` in filters.py
- `CredentialsViewSet`, `CredentialsMappingViewSet`, `CredentialSerializer`, `CredentialMappingSerializer`, `UserHasCredentialPermission`
- Selenium tests `tests/credential_test.py` and `tests/product_credential_test.py`
- The four `Credential_*` permissions and `Permissions.get_credential_permissions()`, plus their entries in every role's permission set
- The `Cred_Mapping` reverse-lookup blocks in test/finding/engagement views (and the `cred_form` plumbing in the import-scan flow)
- `Cred_User` from audit-log and pghistory tracking lists, including the `Cred_UserEvent` history table

Schema dropped via 0265_remove_credential_manager:
- `system_settings.enable_credentials` (no longer gates anything)
- `Cred_Mapping`, `Cred_User`, `Cred_UserEvent` models, with their pghistory triggers cleared first

The 2.59 upgrade doc already documents the removal; nothing to update in `docs/`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- dojo/authorization/roles_permissions.py: add the second blank line before get_roles_with_permissions() that ruff's E302 demands.
- Remove the now-orphan dojo.cred_user / dojo.cred_mapping entries from the three test fixtures, drop watson.searchentry rows pointing at those content types, and strip the gone enable_credentials field from System_Settings entries (the loaddata test was failing on it).

The fixture normalization picks up small indentation diffs in unrelated sections (Python's json.dump uses one consistent indent) but the data is unchanged otherwise.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…+ matrix

- dojo/fixtures/defect_dojo_sample_data_locations.json: missed in the previous fixture sweep — strip enable_credentials, cred_user / cred_mapping rows, and the matching watson.searchentry rows so loaddata stops failing.
- .github/workflows/integration-tests.yml: drop the credential_test.py and product_credential_test.py entries from the UI test matrix; both files were deleted in this PR and CI was failing trying to run them.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1294079 to 1c25b90
dojo/user/utils.py left a Permission_Helper(name="cred user", ...) in the configuration-permissions form that drives /user/<id>/edit_permissions and /group/<id>/edit_permissions. With Cred_User gone, the underlying view_cred_user / add_cred_user / change_cred_user / delete_cred_user django auth permissions no longer exist and the form 500s on save — which is what was breaking the group_test and user_test UI integration tests. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
valentijnscholten approved these changes May 8, 2026
Jino-T approved these changes May 8, 2026
paulOsinski approved these changes May 8, 2026
The merge of dev into this branch (2f8f682) collided on the watson search-entry rows: dev removed stub_finding entries while this branch removed cred_user entries, and the three-way merge dropped only the model name from each conflicting row, leaving six entries per fixture with content_type set to ['dojo'] (a one-element natural key). loaddata then failed with:

    ContentTypeManager.get_by_natural_key() missing 1 required positional argument: 'model'
    ... (watson.searchentry:pk=4) field_value was '['dojo']'

These rows pointed at the now-removed cred_user content type and were already supposed to be deleted (see 12d749f). Remove them from both fixture files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
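An added example, not part of the PR or the DefectDojo code base: a small checker for the fixture problems described in the commit messages above (rows for removed models, the dropped `enable_credentials` field, and `watson.searchentry` rows whose `content_type` natural key is truncated or stale). The sample rows and the `team_name` field are constructed, and `audit_fixture` / `clean_fixture` are hypothetical helper names.

```python
import json

# Model labels and the field name are taken from the PR text; the row layout is
# Django's standard JSON fixture format. SAMPLE is constructed for illustration.
REMOVED_MODELS = {"dojo.cred_user", "dojo.cred_mapping"}
REMOVED_FIELDS = {"dojo.system_settings": {"enable_credentials"}}


def audit_fixture(rows):
    """Return (model, pk, kind, detail) for rows tied to the removed feature."""
    problems = []
    for row in rows:
        model, pk = row["model"].lower(), row.get("pk")
        fields = row.get("fields", {})
        if model in REMOVED_MODELS:
            problems.append((model, pk, "removed-model", model))
            continue
        for name in sorted(fields.keys() & REMOVED_FIELDS.get(model, set())):
            problems.append((model, pk, "removed-field", name))
        if model == "watson.searchentry":
            ct = fields.get("content_type")
            # A ContentType natural key is exactly [app_label, model].
            ok = isinstance(ct, list) and len(ct) == 2 and all(isinstance(p, str) for p in ct)
            if not ok:
                problems.append((model, pk, "bad-content-type", repr(ct)))
            elif ".".join(ct).lower() in REMOVED_MODELS:
                problems.append((model, pk, "stale-content-type", ".".join(ct)))
    return problems


def clean_fixture(rows):
    """Return a copy with offending rows dropped and removed fields stripped."""
    found = audit_fixture(rows)
    drop = {(m, pk) for m, pk, kind, _ in found if kind != "removed-field"}
    strip = {(m, pk, name) for m, pk, kind, name in found if kind == "removed-field"}
    cleaned = []
    for row in rows:
        key = (row["model"].lower(), row.get("pk"))
        if key in drop:
            continue
        fields = {k: v for k, v in row.get("fields", {}).items() if (*key, k) not in strip}
        cleaned.append({**row, "fields": fields})
    return cleaned


SAMPLE = json.loads("""[
  {"model": "dojo.system_settings", "pk": 1, "fields": {"team_name": "x", "enable_credentials": false}},
  {"model": "dojo.cred_user", "pk": 1, "fields": {"name": "constructed"}},
  {"model": "watson.searchentry", "pk": 4, "fields": {"content_type": ["dojo"], "object_id": "1"}},
  {"model": "watson.searchentry", "pk": 5, "fields": {"content_type": ["dojo", "cred_user"], "object_id": "1"}},
  {"model": "watson.searchentry", "pk": 6, "fields": {"content_type": ["dojo", "finding"], "object_id": "2"}}
]""")
```

Running `audit_fixture` over each fixture file in CI, and failing on a non-empty result, flags a row like `pk=4` before `loaddata` is attempted.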
Maffooch added a commit to devGregA/django-DefectDojo that referenced this pull request May 8, 2026
Resolve conflicts from dev's removal of Credential Manager (DefectDojo#14836), Stub Findings (DefectDojo#14837), deprecated questionnaire API (DefectDojo#14835), plus Xygeni parser (DefectDojo#14769) and import-time tag batching (DefectDojo#14839).

Accepted dev's deletions: cred module, stub findings, deprecated viewsets, and their UI sections in view_eng/view_finding/view_test. Kept tailwind's refactored auth (api_permissions shim, action-string roles, _user_authorized_for) over dev's legacy Permissions-enum code. Trimmed cred/Stub_Finding refs from authorization/{api_permissions,query_registrations,url_permissions}.py and the legacy auth tests.

Note: dojo/templates_classic/ still references removed URL names (new_cred_*, promote_to_finding, delete_stub_finding) — follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Per the 2.59 upgrade notes, this PR retires the Credential Manager feature (announced for removal in 2.57.0). Full removal: UI, API, models, DB tables, and the toggle that gated it.

Endpoints removed (now `404`)
- `/api/v2/credentials/`
- `/api/v2/credential_mappings/`

UI removed (now `404`)
- `/cred/*`, `/product/<id>/cred/*`, `/engagement/<id>/cred/*`, `/test/<id>/cred/*`, `/finding/<id>/cred/*` routes
- `view_test`, `view_eng`, and `view_finding`

What changed
- `dojo/cred/` package (`views.py`, `urls.py`, `signals.py`, `queries.py`, `__init__.py`)
- `dojo/templates/dojo/*cred*.html` templates
- `CredMappingForm`, `CredMappingFormProd`, `CredUserForm` (`dojo/forms.py`)
- `ApiCredentialsFilter` (`dojo/filters.py`)
- `CredentialsViewSet`, `CredentialsMappingViewSet`, `CredentialSerializer`, `CredentialMappingSerializer`, `UserHasCredentialPermission`
- `Permissions.Credential_View/Add/Edit/Delete`, `get_credential_permissions()`, plus the credential-perm entries in Reader/API_Importer/Writer/Maintainer/Owner roles, and the `Cred_Mapping`-routing branch in `user_has_object_permission`
- `Cred_Mapping` reverse-lookup blocks in `dojo/test/views.py`, `dojo/finding/views.py`, and `dojo/engagement/views.py` (incl. the `cred_form` plumbing in import-scan and `add_tests`); `Cred_User` from `dojo/notes/views.py`
- `Cred_User` from `dojo/auditlog/{services,backfill}.py` and the three `dojo/management/commands/pghistory_*.py` commands
- `unittests/test_rest_framework.py` (`CredentialMappingTest`, `CredentialTest`); Selenium `tests/credential_test.py` and `tests/product_credential_test.py`
- `dojo.cred.signals` import in `dojo/apps.py`

Schema changes
`dojo/db_migrations/0265_remove_credential_manager.py`:
- `cred_user` (`insert_insert`, `update_update`, `delete_delete`)
- `DeleteModel('Cred_UserEvent')`
- `DeleteModel('Cred_Mapping')` (drops first because it has FKs to `Cred_User`)
- `DeleteModel('Cred_User')`
- `RemoveField('system_settings', 'enable_credentials')`

Verification
- `python manage.py check`
- `python manage.py makemigrations --check` → must report "No changes detected"
- `python manage.py migrate dojo` → applies `0265`
- `python -m pytest unittests/ -x --timeout=120`
- `curl -i /api/v2/credentials/` and `/api/v2/credential_mappings/` → `404`
- `/cred` or any `/product/<id>/cred/all` → `404`
- `grep -rn "Cred_User\\|Cred_Mapping\\|enable_credentials" dojo/ unittests/ tests/ --include="*.py" --include="*.html"` (excluding `db_migrations/`) → empty
- `python manage.py spectacular --file /tmp/schema.yml && grep -cE "/credentials|/credential_mappings" /tmp/schema.yml` → `0`

The 2.59 upgrade doc already documents this removal; no doc update required.

Diff: 44 files changed, 59 insertions(+), 2879 deletions(-).

🤖 Generated with Claude Code