remove: Credential Manager (2.57 deprecation, 2.59 EOL)

.github/workflows/integration-tests.yml

@@ -22,7 +22,6 @@ jobs:
           "tests/check_various_pages.py",
           "tests/close_old_findings_dedupe_test.py",
           "tests/close_old_findings_test.py",
-          "tests/credential_test.py",
           "tests/dashboard_test.py",
           "tests/dedupe_test.py",
           "tests/endpoint_extended_test.py",
@@ -46,7 +45,6 @@ jobs:
           "tests/notification_webhook_test.py",
           "tests/notifications_test.py",
           "tests/object_test.py",
-          "tests/product_credential_test.py",
           "tests/product_group_test.py",
           "tests/product_member_test.py",
           "tests/product_metadata_test.py",

dojo/api_v2/permissions.py

@@ -20,7 +20,6 @@
 from dojo.importers.auto_create_context import AutoCreateContextManager
 from dojo.location.models import Location
 from dojo.models import (
-    Cred_Mapping,
     Development_Environment,
     Dojo_Group,
     Endpoint,
@@ -146,38 +145,6 @@ def has_object_permission(self, request, view, obj):
         )
 
 
-class UserHasCredentialPermission(permissions.BasePermission):
-    def has_permission(self, request, view):
-        if request.data.get("product") is not None:
-            return check_post_permission(
-                request, Cred_Mapping, "product", Permissions.Credential_Add,
-            )
-        if request.data.get("engagement") is not None:
-            return check_post_permission(
-                request, Cred_Mapping, "engagement", Permissions.Credential_Add,
-            )
-        if request.data.get("test") is not None:
-            return check_post_permission(
-                request, Cred_Mapping, "test", Permissions.Credential_Add,
-            )
-        if request.data.get("finding") is not None:
-            return check_post_permission(
-                request, Cred_Mapping, "finding", Permissions.Credential_Add,
-            )
-        return check_post_permission(
-            request, Cred_Mapping, "product", Permissions.Credential_Add,
-        )
-
-    def has_object_permission(self, request, view, obj):
-        return check_object_permission(
-            request,
-            obj.product,
-            Permissions.Credential_View,
-            Permissions.Credential_Edit,
-            Permissions.Credential_Delete,
-        )
-
-
 class UserHasDojoGroupPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         if request.method == "GET":

dojo/api_v2/serializers.py

@@ -51,8 +51,6 @@
     App_Analysis,
     BurpRawRequestResponse,
     Check_List,
-    Cred_Mapping,
-    Cred_User,
     Development_Environment,
     Dojo_Group,
     Dojo_Group_Member,
@@ -2144,18 +2142,6 @@ def update(self, instance, validated_data):
         return super().update(instance, validated_data)
 
 
-class CredentialSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = Cred_User
-        exclude = ("password",)
-
-
-class CredentialMappingSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = Cred_Mapping
-        fields = "__all__"
-
-
 class ProductSerializer(serializers.ModelSerializer):
     findings_count = serializers.SerializerMethodField()
     findings_list = serializers.SerializerMethodField()

dojo/api_v2/views.py

@@ -49,7 +49,6 @@
 from dojo.authorization.authorization import user_has_permission_or_403
 from dojo.authorization.roles_permissions import Permissions
 from dojo.celery_dispatch import dojo_dispatch_task
-from dojo.cred.queries import get_authorized_cred_mappings
 from dojo.endpoint.queries import (
     get_authorized_endpoint_status,
     get_authorized_endpoints,
@@ -59,7 +58,6 @@
 from dojo.engagement.services import close_engagement, reopen_engagement
 from dojo.filters import (
     ApiAppAnalysisFilter,
-    ApiCredentialsFilter,
     ApiDojoMetaFilter,
     ApiEndpointFilter,
     ApiEngagementFilter,
@@ -93,8 +91,6 @@
     App_Analysis,
     BurpRawRequestResponse,
     Check_List,
-    Cred_Mapping,
-    Cred_User,
     Development_Environment,
     Dojo_Group,
     Dojo_Group_Member,
@@ -872,130 +868,6 @@ def get_queryset(self):
         return get_authorized_app_analysis(Permissions.Product_View)
 
 
-# Authorization: object-based
-@extend_schema_view(**schema_with_prefetch())
-class CredentialsViewSet(
-    PrefetchDojoModelViewSet,
-    DeprecationNoticeMixin,
-):
-    deprecated = True
-    end_of_life_date = datetime(2026, 6, 1)
-    serializer_class = serializers.CredentialSerializer
-    queryset = Cred_User.objects.all()
-    filter_backends = (DjangoFilterBackend,)
-    permission_classes = (permissions.IsSuperUser, DjangoModelPermissions)
-
-    def get_queryset(self):
-        return Cred_User.objects.all().order_by("id")
-
-    @extend_schema(
-        deprecated=True,
-        description="This endpoint is deprecated and will be removed on 2026-06-01.",
-    )
-    def list(self, request, *args, **kwargs):
-        return super().list(request, *args, **kwargs)
-
-    @extend_schema(
-        deprecated=True,
-        description="This endpoint is deprecated and will be removed on 2026-06-01.",
-    )
-    def retrieve(self, request, *args, **kwargs):
-        return super().retrieve(request, *args, **kwargs)
-
-    @extend_schema(
-        deprecated=True,
-        description="This endpoint is deprecated and will be removed on 2026-06-01.",
-    )
-    def create(self, request, *args, **kwargs):
-        return super().create(request, *args, **kwargs)
-
-    @extend_schema(
-        deprecated=True,
-        description="This endpoint is deprecated and will be removed on 2026-06-01.",
-    )
-    def update(self, request, *args, **kwargs):
-        return super().update(request, *args, **kwargs)
-
-    @extend_schema(
-        deprecated=True,
-        description="This endpoint is deprecated and will be removed on 2026-06-01.",
-    )
-    def partial_update(self, request, *args, **kwargs):
-        return super().partial_update(request, *args, **kwargs)
-
-    @extend_schema(
-        deprecated=True,
-        description="This endpoint is deprecated and will be removed on 2026-06-01.",
-    )
-    def destroy(self, request, *args, **kwargs):
-        return super().destroy(request, *args, **kwargs)
-
-
-# Authorization: configuration
-# @extend_schema_view(**schema_with_prefetch())
-# Nested models with prefetch make the response schema too long for Swagger UI
-class CredentialsMappingViewSet(
-    PrefetchDojoModelViewSet,
-    DeprecationNoticeMixin,
-):
-    deprecated = True
-    end_of_life_date = datetime(2026, 6, 1)
-    serializer_class = serializers.CredentialMappingSerializer
-    queryset = Cred_Mapping.objects.none()
-    filter_backends = (DjangoFilterBackend,)
-    filterset_class = ApiCredentialsFilter
-
-    permission_classes = (
-        IsAuthenticated,
-        permissions.UserHasCredentialPermission,
-    )
-
-    def get_queryset(self):
-        return get_authorized_cred_mappings(Permissions.Credential_View)
-
-    @extend_schema(
-        deprecated=True,
-        description="This endpoint is deprecated and will be removed on 2026-06-01.",
-    )
-    def list(self, request, *args, **kwargs):
-        return super().list(request, *args, **kwargs)
-
-    @extend_schema(
-        deprecated=True,
-        description="This endpoint is deprecated and will be removed on 2026-06-01.",
-    )
-    def retrieve(self, request, *args, **kwargs):
-        return super().retrieve(request, *args, **kwargs)
-
-    @extend_schema(
-        deprecated=True,
-        description="This endpoint is deprecated and will be removed on 2026-06-01.",
-    )
-    def create(self, request, *args, **kwargs):
-        return super().create(request, *args, **kwargs)
-
-    @extend_schema(
-        deprecated=True,
-        description="This endpoint is deprecated and will be removed on 2026-06-01.",
-    )
-    def update(self, request, *args, **kwargs):
-        return super().update(request, *args, **kwargs)
-
-    @extend_schema(
-        deprecated=True,
-        description="This endpoint is deprecated and will be removed on 2026-06-01.",
-    )
-    def partial_update(self, request, *args, **kwargs):
-        return super().partial_update(request, *args, **kwargs)
-
-    @extend_schema(
-        deprecated=True,
-        description="This endpoint is deprecated and will be removed on 2026-06-01.",
-    )
-    def destroy(self, request, *args, **kwargs):
-        return super().destroy(request, *args, **kwargs)
-
-
 # Authorization: configuration
 class FindingTemplatesViewSet(
     DojoModelViewSet,

dojo/apps.py

@@ -76,7 +76,6 @@ def ready(self):
         # Importing the signals file is good enough if using the receiver decorator
         import dojo.announcement.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
         import dojo.benchmark.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
-        import dojo.cred.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
 
         # TODO: Delete this after the move to Locations
         import dojo.endpoint.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady

dojo/auditlog/backfill.py

@@ -20,7 +20,6 @@ def get_excluded_fields(model_name):
     excluded_fields_map = {
         "Dojo_User": ["password"],
         "Product": ["updated"],
-        "Cred_User": ["password"],
         "Notification_Webhooks": ["header_name", "header_value"],
     }
     return excluded_fields_map.get(model_name, [])
@@ -43,9 +42,6 @@ def get_table_names(model_name):
     elif model_name == "Finding_Template":
         table_name = "dojo_finding_template"
         event_table_name = "dojo_finding_templateevent"
-    elif model_name == "Cred_User":
-        table_name = "dojo_cred_user"
-        event_table_name = "dojo_cred_userevent"
     elif model_name == "Notification_Webhooks":
         table_name = "dojo_notification_webhooks"
         event_table_name = "dojo_notification_webhooksevent"
@@ -366,7 +362,7 @@ def get_tracked_models():
     return [
         "Dojo_User", "Endpoint", "Engagement", "Finding", "Finding_Group",
         "Product_Type", "Product", "Test", "Risk_Acceptance",
-        "Finding_Template", "Cred_User", "Notification_Webhooks",
+        "Finding_Template", "Notification_Webhooks",
         "FindingReviewers",  # M2M through table for Finding.reviewers
         "Location", "URL",
         # Tag through tables (tagulous auto-generated)

dojo/auditlog/services.py

@@ -151,7 +151,6 @@ def register_django_pghistory_models():
     from dojo.location.models import Location  # noqa: PLC0415
     from dojo.models import (  # noqa: PLC0415
         App_Analysis,
-        Cred_User,
         Dojo_User,
         # TODO: Delete this after the move to Locations
         Endpoint,
@@ -312,21 +311,6 @@ def register_django_pghistory_models():
         },
     )(Finding_Template)
 
-    pghistory.track(
-        pghistory.InsertEvent(),
-        pghistory.UpdateEvent(condition=pghistory.AnyChange(exclude_auto=True)),
-        pghistory.DeleteEvent(),
-        pghistory.ManualEvent(label="initial_backfill"),
-        exclude=["password"],
-        meta={
-            "indexes": [
-                models.Index(fields=["pgh_created_at"]),
-                models.Index(fields=["pgh_label"]),
-                models.Index(fields=["pgh_context_id"]),
-            ],
-        },
-    )(Cred_User)
-
     pghistory.track(
         pghistory.InsertEvent(),
         pghistory.UpdateEvent(condition=pghistory.AnyChange(exclude_auto=True)),

dojo/authorization/authorization.py

@@ -10,7 +10,6 @@
 from dojo.location.models import AbstractLocation, Location
 from dojo.models import (
     App_Analysis,
-    Cred_Mapping,
     Dojo_Group,
     Dojo_Group_Member,
     Dojo_User,
@@ -219,25 +218,6 @@ def user_has_permission(user: Dojo_User, obj: Model, permission: int) -> bool:
                 user, obj.group, permission,
             )
         return user_has_permission(user, obj.group, permission)
-    if (
-        isinstance(obj, Cred_Mapping)
-        and permission in Permissions.get_credential_permissions()
-    ):
-        if obj.product:
-            return user_has_permission(user, obj.product, permission)
-        if obj.engagement:
-            return user_has_permission(
-                user, obj.engagement.product, permission,
-            )
-        if obj.test:
-            return user_has_permission(
-                user, obj.test.engagement.product, permission,
-            )
-        if obj.finding:
-            return user_has_permission(
-                user, obj.finding.test.engagement.product, permission,
-            )
-        return None
     msg = f"No authorization implemented for class {type(obj).__name__} and permission {permission}"
     raise NoAuthorizationImplementedError(msg)