mirror of
https://github.com/netbox-community/netbox.git
synced 2025-07-24 17:38:37 -06:00
Replace legacy add/edit secret views with SecretEditView
This commit is contained in:
parent
ab60a5d73d
commit
bae050e689
@ -1,24 +0,0 @@
|
|||||||
from django.contrib import messages
|
|
||||||
from django.shortcuts import redirect
|
|
||||||
|
|
||||||
from .models import UserKey
|
|
||||||
|
|
||||||
|
|
||||||
def userkey_required():
|
|
||||||
"""
|
|
||||||
Decorator for views which require that the user has an active UserKey (typically for encryption/decryption of
|
|
||||||
Secrets).
|
|
||||||
"""
|
|
||||||
def _decorator(view):
|
|
||||||
def wrapped_view(request, *args, **kwargs):
|
|
||||||
try:
|
|
||||||
uk = UserKey.objects.get(user=request.user)
|
|
||||||
except UserKey.DoesNotExist:
|
|
||||||
messages.warning(request, "This operation requires an active user key, but you don't have one.")
|
|
||||||
return redirect('user:userkey')
|
|
||||||
if not uk.is_active():
|
|
||||||
messages.warning(request, "This operation is not available. Your user key has not been activated.")
|
|
||||||
return redirect('user:userkey')
|
|
||||||
return view(request, *args, **kwargs)
|
|
||||||
return wrapped_view
|
|
||||||
return _decorator
|
|
@ -17,12 +17,12 @@ urlpatterns = [
|
|||||||
|
|
||||||
# Secrets
|
# Secrets
|
||||||
path('secrets/', views.SecretListView.as_view(), name='secret_list'),
|
path('secrets/', views.SecretListView.as_view(), name='secret_list'),
|
||||||
path('secrets/add/', views.secret_add, name='secret_add'),
|
path('secrets/add/', views.SecretEditView.as_view(), name='secret_add'),
|
||||||
path('secrets/import/', views.SecretBulkImportView.as_view(), name='secret_import'),
|
path('secrets/import/', views.SecretBulkImportView.as_view(), name='secret_import'),
|
||||||
path('secrets/edit/', views.SecretBulkEditView.as_view(), name='secret_bulk_edit'),
|
path('secrets/edit/', views.SecretBulkEditView.as_view(), name='secret_bulk_edit'),
|
||||||
path('secrets/delete/', views.SecretBulkDeleteView.as_view(), name='secret_bulk_delete'),
|
path('secrets/delete/', views.SecretBulkDeleteView.as_view(), name='secret_bulk_delete'),
|
||||||
path('secrets/<int:pk>/', views.SecretView.as_view(), name='secret'),
|
path('secrets/<int:pk>/', views.SecretView.as_view(), name='secret'),
|
||||||
path('secrets/<int:pk>/edit/', views.secret_edit, name='secret_edit'),
|
path('secrets/<int:pk>/edit/', views.SecretEditView.as_view(), name='secret_edit'),
|
||||||
path('secrets/<int:pk>/delete/', views.SecretDeleteView.as_view(), name='secret_delete'),
|
path('secrets/<int:pk>/delete/', views.SecretDeleteView.as_view(), name='secret_delete'),
|
||||||
path('secrets/<int:pk>/changelog/', ObjectChangeLogView.as_view(), name='secret_changelog', kwargs={'model': Secret}),
|
path('secrets/<int:pk>/changelog/', ObjectChangeLogView.as_view(), name='secret_changelog', kwargs={'model': Secret}),
|
||||||
|
|
||||||
|
@ -1,20 +1,17 @@
|
|||||||
import base64
|
import base64
|
||||||
|
import logging
|
||||||
|
|
||||||
from django.contrib import messages
|
from django.contrib import messages
|
||||||
from django.contrib.auth.decorators import permission_required
|
|
||||||
from django.contrib.auth.mixins import PermissionRequiredMixin
|
|
||||||
from django.db.models import Count
|
from django.db.models import Count
|
||||||
from django.shortcuts import get_object_or_404, redirect, render
|
from django.shortcuts import get_object_or_404, redirect, render
|
||||||
from django.urls import reverse
|
from django.utils.html import escape
|
||||||
from django.views.generic import View
|
from django.utils.safestring import mark_safe
|
||||||
|
|
||||||
from utilities.views import (
|
from utilities.views import (
|
||||||
BulkDeleteView, BulkEditView, BulkImportView, GetReturnURLMixin, ObjectView, ObjectDeleteView, ObjectEditView,
|
BulkDeleteView, BulkEditView, BulkImportView, ObjectView, ObjectDeleteView, ObjectEditView, ObjectListView,
|
||||||
ObjectListView,
|
|
||||||
)
|
)
|
||||||
from . import filters, forms, tables
|
from . import filters, forms, tables
|
||||||
from .decorators import userkey_required
|
from .models import SecretRole, Secret, SessionKey, UserKey
|
||||||
from .models import SecretRole, Secret, SessionKey
|
|
||||||
|
|
||||||
|
|
||||||
def get_session_key(request):
|
def get_session_key(request):
|
||||||
@ -79,107 +76,73 @@ class SecretView(ObjectView):
|
|||||||
})
|
})
|
||||||
|
|
||||||
|
|
||||||
@permission_required('secrets.add_secret')
|
class SecretEditView(ObjectEditView):
|
||||||
@userkey_required()
|
queryset = Secret.objects.all()
|
||||||
def secret_add(request):
|
model_form = forms.SecretForm
|
||||||
|
template_name = 'secrets/secret_edit.html'
|
||||||
|
|
||||||
secret = Secret()
|
def dispatch(self, request, *args, **kwargs):
|
||||||
session_key = get_session_key(request)
|
|
||||||
|
# Check that the user has a valid UserKey
|
||||||
|
try:
|
||||||
|
uk = UserKey.objects.get(user=request.user)
|
||||||
|
except UserKey.DoesNotExist:
|
||||||
|
messages.warning(request, "This operation requires an active user key, but you don't have one.")
|
||||||
|
return redirect('user:userkey')
|
||||||
|
if not uk.is_active():
|
||||||
|
messages.warning(request, "This operation is not available. Your user key has not been activated.")
|
||||||
|
return redirect('user:userkey')
|
||||||
|
|
||||||
|
return super().dispatch(request, *args, **kwargs)
|
||||||
|
|
||||||
|
def post(self, request, *args, **kwargs):
|
||||||
|
logger = logging.getLogger('netbox.views.ObjectEditView')
|
||||||
|
session_key = get_session_key(request)
|
||||||
|
secret = self.get_object(kwargs)
|
||||||
|
form = self.model_form(request.POST, instance=secret)
|
||||||
|
|
||||||
if request.method == 'POST':
|
|
||||||
form = forms.SecretForm(request.POST, instance=secret)
|
|
||||||
if form.is_valid():
|
if form.is_valid():
|
||||||
|
logger.debug("Form validation was successful")
|
||||||
|
|
||||||
# We need a valid session key in order to create a Secret
|
# We must have a session key in order to create a secret or update the plaintext of an existing secret
|
||||||
if session_key is None:
|
if (form.cleaned_data['plaintext'] or secret.pk is None) and session_key is None:
|
||||||
|
logger.debug("Unable to proceed: No session key was provided with the request")
|
||||||
form.add_error(None, "No session key was provided with the request. Unable to encrypt secret data.")
|
form.add_error(None, "No session key was provided with the request. Unable to encrypt secret data.")
|
||||||
|
|
||||||
# Create and encrypt the new Secret
|
|
||||||
else:
|
else:
|
||||||
master_key = None
|
master_key = None
|
||||||
try:
|
try:
|
||||||
sk = SessionKey.objects.get(userkey__user=request.user)
|
sk = SessionKey.objects.get(userkey__user=request.user)
|
||||||
master_key = sk.get_master_key(session_key)
|
master_key = sk.get_master_key(session_key)
|
||||||
except SessionKey.DoesNotExist:
|
except SessionKey.DoesNotExist:
|
||||||
|
logger.debug("Unable to proceed: User has no session key assigned")
|
||||||
form.add_error(None, "No session key found for this user.")
|
form.add_error(None, "No session key found for this user.")
|
||||||
|
|
||||||
if master_key is not None:
|
if master_key is not None:
|
||||||
|
logger.debug("Successfully resolved master key for encryption")
|
||||||
secret = form.save(commit=False)
|
secret = form.save(commit=False)
|
||||||
secret.plaintext = str(form.cleaned_data['plaintext'])
|
if form.cleaned_data['plaintext']:
|
||||||
|
secret.plaintext = str(form.cleaned_data['plaintext'])
|
||||||
secret.encrypt(master_key)
|
secret.encrypt(master_key)
|
||||||
secret.save()
|
secret.save()
|
||||||
form.save_m2m()
|
form.save_m2m()
|
||||||
|
|
||||||
messages.success(request, "Added new secret: {}.".format(secret))
|
msg = '{} secret'.format('Created' if not form.instance.pk else 'Modified')
|
||||||
if '_addanother' in request.POST:
|
logger.info(f"{msg} {secret} (PK: {secret.pk})")
|
||||||
return redirect('secrets:secret_add')
|
msg = '{} <a href="{}">{}</a>'.format(msg, secret.get_absolute_url(), escape(secret))
|
||||||
else:
|
messages.success(request, mark_safe(msg))
|
||||||
return redirect('secrets:secret', pk=secret.pk)
|
|
||||||
|
|
||||||
else:
|
return redirect(self.get_return_url(request, secret))
|
||||||
initial_data = {
|
|
||||||
'device': request.GET.get('device'),
|
|
||||||
}
|
|
||||||
form = forms.SecretForm(initial=initial_data)
|
|
||||||
|
|
||||||
return render(request, 'secrets/secret_edit.html', {
|
else:
|
||||||
'secret': secret,
|
logger.debug("Form validation failed")
|
||||||
'form': form,
|
|
||||||
'return_url': GetReturnURLMixin().get_return_url(request, secret)
|
|
||||||
})
|
|
||||||
|
|
||||||
|
return render(request, self.template_name, {
|
||||||
@permission_required('secrets.change_secret')
|
'obj': secret,
|
||||||
@userkey_required()
|
'obj_type': self.queryset.model._meta.verbose_name,
|
||||||
def secret_edit(request, pk):
|
'form': form,
|
||||||
|
'return_url': self.get_return_url(request, secret),
|
||||||
secret = get_object_or_404(Secret, pk=pk)
|
})
|
||||||
session_key = get_session_key(request)
|
|
||||||
|
|
||||||
if request.method == 'POST':
|
|
||||||
form = forms.SecretForm(request.POST, instance=secret)
|
|
||||||
if form.is_valid():
|
|
||||||
|
|
||||||
# Re-encrypt the Secret if a plaintext and session key have been provided.
|
|
||||||
if form.cleaned_data['plaintext'] and session_key is not None:
|
|
||||||
|
|
||||||
# Retrieve the master key using the provided session key
|
|
||||||
master_key = None
|
|
||||||
try:
|
|
||||||
sk = SessionKey.objects.get(userkey__user=request.user)
|
|
||||||
master_key = sk.get_master_key(session_key)
|
|
||||||
except SessionKey.DoesNotExist:
|
|
||||||
form.add_error(None, "No session key found for this user.")
|
|
||||||
|
|
||||||
# Create and encrypt the new Secret
|
|
||||||
if master_key is not None:
|
|
||||||
secret = form.save(commit=False)
|
|
||||||
secret.plaintext = form.cleaned_data['plaintext']
|
|
||||||
secret.encrypt(master_key)
|
|
||||||
secret.save()
|
|
||||||
messages.success(request, "Modified secret {}.".format(secret))
|
|
||||||
return redirect('secrets:secret', pk=secret.pk)
|
|
||||||
else:
|
|
||||||
form.add_error(None, "Invalid session key. Unable to encrypt secret data.")
|
|
||||||
|
|
||||||
# We can't save the plaintext without a session key.
|
|
||||||
elif form.cleaned_data['plaintext']:
|
|
||||||
form.add_error(None, "No session key was provided with the request. Unable to encrypt secret data.")
|
|
||||||
|
|
||||||
# If no new plaintext was specified, a session key is not needed.
|
|
||||||
else:
|
|
||||||
secret = form.save()
|
|
||||||
messages.success(request, "Modified secret {}.".format(secret))
|
|
||||||
return redirect('secrets:secret', pk=secret.pk)
|
|
||||||
|
|
||||||
else:
|
|
||||||
form = forms.SecretForm(instance=secret)
|
|
||||||
|
|
||||||
return render(request, 'secrets/secret_edit.html', {
|
|
||||||
'secret': secret,
|
|
||||||
'form': form,
|
|
||||||
'return_url': reverse('secrets:secret', kwargs={'pk': secret.pk}),
|
|
||||||
})
|
|
||||||
|
|
||||||
|
|
||||||
class SecretDeleteView(ObjectDeleteView):
|
class SecretDeleteView(ObjectDeleteView):
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
{{ form.private_key }}
|
{{ form.private_key }}
|
||||||
<div class="row">
|
<div class="row">
|
||||||
<div class="col-md-6 col-md-offset-3">
|
<div class="col-md-6 col-md-offset-3">
|
||||||
<h3>{% block title %}{% if secret.pk %}Editing {{ secret }}{% else %}Add a Secret{% endif %}{% endblock %}</h3>
|
<h3>{% block title %}{% if obj.pk %}Editing {{ obj }}{% else %}Add a Secret{% endif %}{% endblock %}</h3>
|
||||||
{% if form.non_field_errors %}
|
{% if form.non_field_errors %}
|
||||||
<div class="panel panel-danger">
|
<div class="panel panel-danger">
|
||||||
<div class="panel-heading"><strong>Errors</strong></div>
|
<div class="panel-heading"><strong>Errors</strong></div>
|
||||||
@ -30,17 +30,17 @@
|
|||||||
<div class="panel panel-default">
|
<div class="panel panel-default">
|
||||||
<div class="panel-heading"><strong>Secret Data</strong></div>
|
<div class="panel-heading"><strong>Secret Data</strong></div>
|
||||||
<div class="panel-body">
|
<div class="panel-body">
|
||||||
{% if secret.pk and secret|decryptable_by:request.user %}
|
{% if obj.pk and obj|decryptable_by:request.user %}
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<label class="col-md-3 control-label required">Current Plaintext</label>
|
<label class="col-md-3 control-label required">Current Plaintext</label>
|
||||||
<div class="col-md-7">
|
<div class="col-md-7">
|
||||||
<p class="form-control-static" id="secret_{{ secret.pk }}">********</p>
|
<p class="form-control-static" id="secret_{{ obj.pk }}">********</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="col-md-2 text-right">
|
<div class="col-md-2 text-right">
|
||||||
<button class="btn btn-xs btn-success unlock-secret" secret-id="{{ secret.pk }}">
|
<button class="btn btn-xs btn-success unlock-secret" secret-id="{{ obj.pk }}">
|
||||||
<i class="fa fa-lock"></i> Unlock
|
<i class="fa fa-lock"></i> Unlock
|
||||||
</button>
|
</button>
|
||||||
<button class="btn btn-xs btn-danger lock-secret collapse" secret-id="{{ secret.pk }}">
|
<button class="btn btn-xs btn-danger lock-secret collapse" secret-id="{{ obj.pk }}">
|
||||||
<i class="fa fa-unlock-alt"></i> Lock
|
<i class="fa fa-unlock-alt"></i> Lock
|
||||||
</button>
|
</button>
|
||||||
</div>
|
</div>
|
||||||
@ -69,9 +69,9 @@
|
|||||||
<div class="row">
|
<div class="row">
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<div class="col-md-12 text-center">
|
<div class="col-md-12 text-center">
|
||||||
{% if secret.pk %}
|
{% if obj.pk %}
|
||||||
<button type="submit" name="_update" class="btn btn-primary">Update</button>
|
<button type="submit" name="_update" class="btn btn-primary">Update</button>
|
||||||
<a href="{% url 'secrets:secret' pk=secret.pk %}" class="btn btn-default">Cancel</a>
|
<a href="{% url 'secrets:secret' pk=obj.pk %}" class="btn btn-default">Cancel</a>
|
||||||
{% else %}
|
{% else %}
|
||||||
<button type="submit" name="_create" class="btn btn-primary">Create</button>
|
<button type="submit" name="_create" class="btn btn-primary">Create</button>
|
||||||
<button type="submit" name="_addanother" class="btn btn-primary">Create and Add Another</button>
|
<button type="submit" name="_addanother" class="btn btn-primary">Create and Add Another</button>
|
||||||
|
Loading…
Reference in New Issue
Block a user