Notification Settings panel not working

[johnjeffers]

Please make sure that you have checked the boxes:

• Review the Quickstart guide
• Search for both open and closed issues regarding the problem you are experiencing
• For permissions issues (Access Denied and credential related errors), please refer to the requisite docs before submitting an issue:
  AWS, GCP, OpenStack, GitHub

Description of issue:

Notification Settings panel is not allowing me to enable notifications on my account.

I select the Notify box on my account, set the Change Emails dropdown to With Issues, and click Save.

After clicking Save, I get the following error:

[mikegrima]

I was able to replicate. Need to dig in more to see why.

[mikegrima]

The UI is not sending a list but rather a string of the first account ID in the list. The Security Monkey API is expecting a list of IDs.

[mikegrima]

I was spending some time looking into this, and there is some oddities going on in Dart.

Since we are actively trying to get rid of Dart (it's awful), we're going to put this on the backburner or fix it via the replacement.

[johnjeffers]

Is there a workaround in the meantime to enable notifications? Sorry if this is a dumb question. I'm new to Security Monkey.

[devlin84]

Hello, Is there any update regarding this? Maybe a workaround?

[mikegrima]

Unfortunately, the bug lies somewhere in an underlying Dart package that is extremely hard to debug.

The best work around is for there to be a monkey command that does this. It's not ideal, but it would unblock you. You would have to implement this, however.

[devlin84]

I don't mind implementing it if you could give me a little more direction. Not much of a developer.

[arnitolog]

I don't think that this is a UI bug. I tried to do the same with curl and POST and got the same result.
Here is my curl without cookies and tokens:
curl -X POST -d "{'accounts': [1,2,3], 'daily_audit_email': true, 'change_report_setting': 'ISSUES'}" -H "Accept: application/json" -H "cookie: session=.....; XSRF-COOKIE=....." -H "X-CSRFToken: ....." -k --insecure 'https://localhost/api/1/settings'

And here is the result:
"message": {"accounts": "Must provide accounts"}}

I found a workaround in case you have only one account. You just need to change a type from list to str in the file /views/user_settings.py, line 151
self.reqparse.add_argument('accounts', required=True, type=str, help='Must provide accounts', location='json')

But this is definitely a dirty hack. And it will not work in case you want to receive notifications for more than one account.

[devlin84]

@arnitolog

That's a great find but, sadly I have like 9 accounts I need notifications for and I am unable to make a Monkey command to enable the notifications.

[mikegrima]

@arnitolog : I am going to take another look.

When I was debugging this the last time, what I saw was Dart sending over an incorrect JSON (as seen in the Chrome networking console).

I will double-check with the curl you posted above.

[mikegrima]

It looks like there are some issues with flask_restful reqparse (among other things).

I'm going to replace it with Marshmallow.

[arnitolog]

yeah, I've also thought that it is something in the flask_restful. But didn't have enough evidence to mention that. Anyway, thanks Mike for your help.

[mikegrima]

Just Submitted #1042 with a possible fix.

That should fix the API at the very least.

[arnitolog]

thanks. I will test it a little bit later

[mikegrima]

Good news: Code wise, it now appears to be working (I don't know what issues were with Dart before... but now it's working properly) .

Once I get TravisCI to cooperate, I will merge it in.

[mikegrima]

This should now be fixed in #1042 . Please make sure that you move celeryconfig.py to security_monkey/celeryconfig.py. I'm going to deploy it and see if it works in my environment.

[mikegrima]

Confirmed that it's now fixed.