mirror of
https://github.com/netbox-community/netbox.git
synced 2025-07-19 09:53:34 -06:00
Only attempt to process session key if user is authenticated
This commit is contained in:
parent
007fe6a030
commit
0899a1052e
@ -64,27 +64,28 @@ class SecretViewSet(WritableSerializerMixin, ModelViewSet):
|
|||||||
|
|
||||||
super(SecretViewSet, self).initial(request, *args, **kwargs)
|
super(SecretViewSet, self).initial(request, *args, **kwargs)
|
||||||
|
|
||||||
# Read session key from HTTP cookie or header if it has been provided. The session key must be provided in order
|
if request.user.is_authenticated():
|
||||||
# to encrypt/decrypt secrets.
|
|
||||||
if 'session_key' in request.COOKIES:
|
|
||||||
session_key = base64.b64decode(request.COOKIES['session_key'])
|
|
||||||
elif 'HTTP_X_SESSION_KEY' in request.META:
|
|
||||||
session_key = base64.b64decode(request.META['HTTP_X_SESSION_KEY'])
|
|
||||||
else:
|
|
||||||
session_key = None
|
|
||||||
|
|
||||||
# We can't encrypt secret plaintext without a session key.
|
# Read session key from HTTP cookie or header if it has been provided. The session key must be provided in
|
||||||
# assert False, self.action
|
# order to encrypt/decrypt secrets.
|
||||||
if self.action in ['create', 'update'] and session_key is None:
|
if 'session_key' in request.COOKIES:
|
||||||
raise ValidationError("A session key must be provided when creating or updating secrets.")
|
session_key = base64.b64decode(request.COOKIES['session_key'])
|
||||||
|
elif 'HTTP_X_SESSION_KEY' in request.META:
|
||||||
|
session_key = base64.b64decode(request.META['HTTP_X_SESSION_KEY'])
|
||||||
|
else:
|
||||||
|
session_key = None
|
||||||
|
|
||||||
# Attempt to retrieve the master key for encryption/decryption if a session key has been provided.
|
# We can't encrypt secret plaintext without a session key.
|
||||||
if session_key is not None:
|
if self.action in ['create', 'update'] and session_key is None:
|
||||||
try:
|
raise ValidationError("A session key must be provided when creating or updating secrets.")
|
||||||
sk = SessionKey.objects.get(userkey__user=request.user)
|
|
||||||
self.master_key = sk.get_master_key(session_key)
|
# Attempt to retrieve the master key for encryption/decryption if a session key has been provided.
|
||||||
except (SessionKey.DoesNotExist, InvalidSessionKey):
|
if session_key is not None:
|
||||||
raise ValidationError("Invalid session key.")
|
try:
|
||||||
|
sk = SessionKey.objects.get(userkey__user=request.user)
|
||||||
|
self.master_key = sk.get_master_key(session_key)
|
||||||
|
except (SessionKey.DoesNotExist, InvalidSessionKey):
|
||||||
|
raise ValidationError("Invalid session key.")
|
||||||
|
|
||||||
def retrieve(self, request, *args, **kwargs):
|
def retrieve(self, request, *args, **kwargs):
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user