Only attempt to process session key if user is authenticated

This commit is contained in:
Jeremy Stretch 2017-03-22 17:43:29 -04:00
parent 007fe6a030
commit 0899a1052e

View File

@ -64,27 +64,28 @@ class SecretViewSet(WritableSerializerMixin, ModelViewSet):
super(SecretViewSet, self).initial(request, *args, **kwargs) super(SecretViewSet, self).initial(request, *args, **kwargs)
# Read session key from HTTP cookie or header if it has been provided. The session key must be provided in order if request.user.is_authenticated():
# to encrypt/decrypt secrets.
if 'session_key' in request.COOKIES:
session_key = base64.b64decode(request.COOKIES['session_key'])
elif 'HTTP_X_SESSION_KEY' in request.META:
session_key = base64.b64decode(request.META['HTTP_X_SESSION_KEY'])
else:
session_key = None
# We can't encrypt secret plaintext without a session key. # Read session key from HTTP cookie or header if it has been provided. The session key must be provided in
# assert False, self.action # order to encrypt/decrypt secrets.
if self.action in ['create', 'update'] and session_key is None: if 'session_key' in request.COOKIES:
raise ValidationError("A session key must be provided when creating or updating secrets.") session_key = base64.b64decode(request.COOKIES['session_key'])
elif 'HTTP_X_SESSION_KEY' in request.META:
session_key = base64.b64decode(request.META['HTTP_X_SESSION_KEY'])
else:
session_key = None
# Attempt to retrieve the master key for encryption/decryption if a session key has been provided. # We can't encrypt secret plaintext without a session key.
if session_key is not None: if self.action in ['create', 'update'] and session_key is None:
try: raise ValidationError("A session key must be provided when creating or updating secrets.")
sk = SessionKey.objects.get(userkey__user=request.user)
self.master_key = sk.get_master_key(session_key) # Attempt to retrieve the master key for encryption/decryption if a session key has been provided.
except (SessionKey.DoesNotExist, InvalidSessionKey): if session_key is not None:
raise ValidationError("Invalid session key.") try:
sk = SessionKey.objects.get(userkey__user=request.user)
self.master_key = sk.get_master_key(session_key)
except (SessionKey.DoesNotExist, InvalidSessionKey):
raise ValidationError("Invalid session key.")
def retrieve(self, request, *args, **kwargs): def retrieve(self, request, *args, **kwargs):