
fix(oauth2): google oauth2 whitelisting. #11372

Merged
merged 4 commits into from
Dec 12, 2024

Conversation

JGodin-C2C
Contributor

@JGodin-C2C JGodin-C2C commented Dec 4, 2024

Fix google oauth2 whitelisting.

The variable is a tuple and should be managed as such

Description

Fixes: #6748

What

Google OAuth using environment variables as configuration (k8s, for instance) could not get the correct configuration.
The Google whitelisting is an array and was read as a string.
It was hence not working the way it was intended to.

How

I used the same method as the one used for allowed_hosts to parse arrays, and updated the documentation to explain how to use the configuration keys in helm deployments.

Checklist

This checklist is for your information.

  • Bugfixes should be submitted against the bugfix branch.
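An added example (not DefectDojo's or social-auth-core's own code) that models the defect the description above and the DryRun summary below discuss: a comma-separated environment variable handed to the whitelist check as a raw string instead of a parsed tuple. It assumes the check iterates the setting to lowercase each entry (modelled on social-auth-core's auth_allowed, which is not on the page); the env var names are the ones from the PR, the values are constructed, and parse_list_env stands in for django-environ's env.list().

```python
# Added example; not DefectDojo's or social-auth-core's code.
# Shows why DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS / _EMAILS must be
# parsed into a tuple (env.list()) before being used as a whitelist.
import os

def parse_list_env(name: str, environ=None) -> tuple:
    """Comma-separated env var -> tuple of non-empty, stripped entries (env.list()-like)."""
    source = os.environ if environ is None else environ
    raw = source.get(name, "")
    return tuple(part.strip() for part in raw.split(",") if part.strip())

def auth_allowed(email: str, whitelisted_emails, whitelisted_domains) -> bool:
    """Allow if no whitelist is configured, else require a listed email or domain.
    Assumption: modelled on social-auth-core's check, which iterates each setting."""
    emails = [e.lower() for e in whitelisted_emails]
    domains = [d.lower() for d in whitelisted_domains]
    if not (emails or domains):
        return True
    if "@" not in email:
        return False
    domain = email.split("@", 1)[1].lower()
    return email.lower() in emails or domain in domains

# Constructed k8s-style environment (placeholder values, not real ones).
ENV = {
    "DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS": "example.com, example.org",
    "DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS": "",
}

def check_with_str_setting(email: str) -> bool:
    # Before the fix: the raw env string reaches the check. Iterating a str
    # yields single characters, so no real domain can ever match -> everyone denied.
    raw = ENV["DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS"]
    return auth_allowed(email, (), raw)

def check_with_list_setting(email: str) -> bool:
    # After the fix: parse into a tuple first, as env.list() does.
    domains = parse_list_env("DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS", ENV)
    emails = parse_list_env("DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS", ENV)
    return auth_allowed(email, emails, domains)

if __name__ == "__main__":
    print(check_with_str_setting("alice@example.com"))   # False: whitelist unusable
    print(check_with_list_setting("alice@example.com"))  # True
    print(check_with_list_setting("mallory@evil.test"))  # False
```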

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs ui helm labels Dec 4, 2024
@JGodin-C2C JGodin-C2C changed the base branch from master to bugfix December 4, 2024 15:09

dryrunsecurity bot commented Dec 4, 2024

DryRun Security Summary

This pull request enhances the security of the Google OAuth2 authentication functionality in the DefectDojo application by adding support for configuring environment variables to specify whitelisted domains and emails, and updating the configuration file to properly handle the whitelisted values.


Summary:

The code changes in this pull request focus on enhancing the security of the Google OAuth2 authentication
functionality in the DefectDojo application. The changes include adding support for configuring environment
variables to specify whitelisted domains and emails for Google OAuth2 authentication, and updating the
configuration file to use the env.list() function to properly handle the whitelisted values.

From an application security perspective, these changes are positive as they allow for more granular control
over who can authenticate to the DefectDojo application. Whitelisting domains and emails helps prevent
unauthorized access and improves the overall security of the application. However, it's important to ensure
that the whitelisted domains and emails are properly maintained and updated as needed, as outdated or overly
permissive whitelists could still lead to security risks.

Files Changed:

  1. docs/content/en/open_source/archived_docs/integrations/social-authentication.md:

    • This file adds new code blocks that show how to configure the DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS
      and DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS environment variables.
    • This allows administrators to specify a list of allowed domains and emails that can be used to authenticate
      users via Google OAuth2.
    • The documentation should emphasize the importance of properly configuring these settings and the potential
      security implications of misconfiguration, as well as provide guidance on best practices for managing the
      whitelists.
  2. dojo/settings/settings.dist.py:

    • The changes update the SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS and
      SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS settings to use the env.list() function instead of
      the regular env() function.
    • This ensures that the values are properly converted to a tuple, which is the expected data type for
      these settings, reducing the risk of configuration errors or unexpected behavior.

Overall, these code changes appear to be security-focused improvements that enhance the security of the
Google OAuth2 authentication functionality in the DefectDojo application.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 1 finding



github-actions bot commented Dec 4, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

JGodin-C2C and others added 2 commits December 5, 2024 08:28
The variable is a tuple and should be managed as such

Signed-off-by: Julien Godin <julien.godin@camptocamp.com>

github-actions bot commented Dec 5, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.


@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro merged commit d7dff9e into DefectDojo:bugfix Dec 12, 2024
73 checks passed
paulOsinski pushed a commit to paulOsinski/django-DefectDojo that referenced this pull request Dec 23, 2024
* Update release step3

* fix(oauth2): Fix google oauth2 whitelisting.

The variable is a tuple and should be managed as such

Signed-off-by: Julien Godin <julien.godin@camptocamp.com>

---------

Signed-off-by: Julien Godin <julien.godin@camptocamp.com>
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Successfully merging this pull request may close these issues.

Your credentials aren't allowed for Google OAuth Authentication