Replace legacy add/edit secret views with SecretEditView

This commit is contained in:
Jeremy Stretch 2020-05-22 11:24:49 -04:00
parent ab60a5d73d
commit bae050e689
4 changed files with 58 additions and 119 deletions

View File

@ -1,24 +0,0 @@
from django.contrib import messages
from django.shortcuts import redirect
from .models import UserKey
def userkey_required():
"""
Decorator for views which require that the user has an active UserKey (typically for encryption/decryption of
Secrets).
"""
def _decorator(view):
def wrapped_view(request, *args, **kwargs):
try:
uk = UserKey.objects.get(user=request.user)
except UserKey.DoesNotExist:
messages.warning(request, "This operation requires an active user key, but you don't have one.")
return redirect('user:userkey')
if not uk.is_active():
messages.warning(request, "This operation is not available. Your user key has not been activated.")
return redirect('user:userkey')
return view(request, *args, **kwargs)
return wrapped_view
return _decorator

View File

@ -17,12 +17,12 @@ urlpatterns = [
# Secrets # Secrets
path('secrets/', views.SecretListView.as_view(), name='secret_list'), path('secrets/', views.SecretListView.as_view(), name='secret_list'),
path('secrets/add/', views.secret_add, name='secret_add'), path('secrets/add/', views.SecretEditView.as_view(), name='secret_add'),
path('secrets/import/', views.SecretBulkImportView.as_view(), name='secret_import'), path('secrets/import/', views.SecretBulkImportView.as_view(), name='secret_import'),
path('secrets/edit/', views.SecretBulkEditView.as_view(), name='secret_bulk_edit'), path('secrets/edit/', views.SecretBulkEditView.as_view(), name='secret_bulk_edit'),
path('secrets/delete/', views.SecretBulkDeleteView.as_view(), name='secret_bulk_delete'), path('secrets/delete/', views.SecretBulkDeleteView.as_view(), name='secret_bulk_delete'),
path('secrets/<int:pk>/', views.SecretView.as_view(), name='secret'), path('secrets/<int:pk>/', views.SecretView.as_view(), name='secret'),
path('secrets/<int:pk>/edit/', views.secret_edit, name='secret_edit'), path('secrets/<int:pk>/edit/', views.SecretEditView.as_view(), name='secret_edit'),
path('secrets/<int:pk>/delete/', views.SecretDeleteView.as_view(), name='secret_delete'), path('secrets/<int:pk>/delete/', views.SecretDeleteView.as_view(), name='secret_delete'),
path('secrets/<int:pk>/changelog/', ObjectChangeLogView.as_view(), name='secret_changelog', kwargs={'model': Secret}), path('secrets/<int:pk>/changelog/', ObjectChangeLogView.as_view(), name='secret_changelog', kwargs={'model': Secret}),

View File

@ -1,20 +1,17 @@
import base64 import base64
import logging
from django.contrib import messages from django.contrib import messages
from django.contrib.auth.decorators import permission_required
from django.contrib.auth.mixins import PermissionRequiredMixin
from django.db.models import Count from django.db.models import Count
from django.shortcuts import get_object_or_404, redirect, render from django.shortcuts import get_object_or_404, redirect, render
from django.urls import reverse from django.utils.html import escape
from django.views.generic import View from django.utils.safestring import mark_safe
from utilities.views import ( from utilities.views import (
BulkDeleteView, BulkEditView, BulkImportView, GetReturnURLMixin, ObjectView, ObjectDeleteView, ObjectEditView, BulkDeleteView, BulkEditView, BulkImportView, ObjectView, ObjectDeleteView, ObjectEditView, ObjectListView,
ObjectListView,
) )
from . import filters, forms, tables from . import filters, forms, tables
from .decorators import userkey_required from .models import SecretRole, Secret, SessionKey, UserKey
from .models import SecretRole, Secret, SessionKey
def get_session_key(request): def get_session_key(request):
@ -79,107 +76,73 @@ class SecretView(ObjectView):
}) })
@permission_required('secrets.add_secret') class SecretEditView(ObjectEditView):
@userkey_required() queryset = Secret.objects.all()
def secret_add(request): model_form = forms.SecretForm
template_name = 'secrets/secret_edit.html'
secret = Secret() def dispatch(self, request, *args, **kwargs):
session_key = get_session_key(request)
# Check that the user has a valid UserKey
try:
uk = UserKey.objects.get(user=request.user)
except UserKey.DoesNotExist:
messages.warning(request, "This operation requires an active user key, but you don't have one.")
return redirect('user:userkey')
if not uk.is_active():
messages.warning(request, "This operation is not available. Your user key has not been activated.")
return redirect('user:userkey')
return super().dispatch(request, *args, **kwargs)
def post(self, request, *args, **kwargs):
logger = logging.getLogger('netbox.views.ObjectEditView')
session_key = get_session_key(request)
secret = self.get_object(kwargs)
form = self.model_form(request.POST, instance=secret)
if request.method == 'POST':
form = forms.SecretForm(request.POST, instance=secret)
if form.is_valid(): if form.is_valid():
logger.debug("Form validation was successful")
# We need a valid session key in order to create a Secret # We must have a session key in order to create a secret or update the plaintext of an existing secret
if session_key is None: if (form.cleaned_data['plaintext'] or secret.pk is None) and session_key is None:
logger.debug("Unable to proceed: No session key was provided with the request")
form.add_error(None, "No session key was provided with the request. Unable to encrypt secret data.") form.add_error(None, "No session key was provided with the request. Unable to encrypt secret data.")
# Create and encrypt the new Secret
else: else:
master_key = None master_key = None
try: try:
sk = SessionKey.objects.get(userkey__user=request.user) sk = SessionKey.objects.get(userkey__user=request.user)
master_key = sk.get_master_key(session_key) master_key = sk.get_master_key(session_key)
except SessionKey.DoesNotExist: except SessionKey.DoesNotExist:
logger.debug("Unable to proceed: User has no session key assigned")
form.add_error(None, "No session key found for this user.") form.add_error(None, "No session key found for this user.")
if master_key is not None: if master_key is not None:
logger.debug("Successfully resolved master key for encryption")
secret = form.save(commit=False) secret = form.save(commit=False)
secret.plaintext = str(form.cleaned_data['plaintext']) if form.cleaned_data['plaintext']:
secret.plaintext = str(form.cleaned_data['plaintext'])
secret.encrypt(master_key) secret.encrypt(master_key)
secret.save() secret.save()
form.save_m2m() form.save_m2m()
messages.success(request, "Added new secret: {}.".format(secret)) msg = '{} secret'.format('Created' if not form.instance.pk else 'Modified')
if '_addanother' in request.POST: logger.info(f"{msg} {secret} (PK: {secret.pk})")
return redirect('secrets:secret_add') msg = '{} <a href="{}">{}</a>'.format(msg, secret.get_absolute_url(), escape(secret))
else: messages.success(request, mark_safe(msg))
return redirect('secrets:secret', pk=secret.pk)
else: return redirect(self.get_return_url(request, secret))
initial_data = {
'device': request.GET.get('device'),
}
form = forms.SecretForm(initial=initial_data)
return render(request, 'secrets/secret_edit.html', { else:
'secret': secret, logger.debug("Form validation failed")
'form': form,
'return_url': GetReturnURLMixin().get_return_url(request, secret)
})
return render(request, self.template_name, {
@permission_required('secrets.change_secret') 'obj': secret,
@userkey_required() 'obj_type': self.queryset.model._meta.verbose_name,
def secret_edit(request, pk): 'form': form,
'return_url': self.get_return_url(request, secret),
secret = get_object_or_404(Secret, pk=pk) })
session_key = get_session_key(request)
if request.method == 'POST':
form = forms.SecretForm(request.POST, instance=secret)
if form.is_valid():
# Re-encrypt the Secret if a plaintext and session key have been provided.
if form.cleaned_data['plaintext'] and session_key is not None:
# Retrieve the master key using the provided session key
master_key = None
try:
sk = SessionKey.objects.get(userkey__user=request.user)
master_key = sk.get_master_key(session_key)
except SessionKey.DoesNotExist:
form.add_error(None, "No session key found for this user.")
# Create and encrypt the new Secret
if master_key is not None:
secret = form.save(commit=False)
secret.plaintext = form.cleaned_data['plaintext']
secret.encrypt(master_key)
secret.save()
messages.success(request, "Modified secret {}.".format(secret))
return redirect('secrets:secret', pk=secret.pk)
else:
form.add_error(None, "Invalid session key. Unable to encrypt secret data.")
# We can't save the plaintext without a session key.
elif form.cleaned_data['plaintext']:
form.add_error(None, "No session key was provided with the request. Unable to encrypt secret data.")
# If no new plaintext was specified, a session key is not needed.
else:
secret = form.save()
messages.success(request, "Modified secret {}.".format(secret))
return redirect('secrets:secret', pk=secret.pk)
else:
form = forms.SecretForm(instance=secret)
return render(request, 'secrets/secret_edit.html', {
'secret': secret,
'form': form,
'return_url': reverse('secrets:secret', kwargs={'pk': secret.pk}),
})
class SecretDeleteView(ObjectDeleteView): class SecretDeleteView(ObjectDeleteView):

View File

@ -9,7 +9,7 @@
{{ form.private_key }} {{ form.private_key }}
<div class="row"> <div class="row">
<div class="col-md-6 col-md-offset-3"> <div class="col-md-6 col-md-offset-3">
<h3>{% block title %}{% if secret.pk %}Editing {{ secret }}{% else %}Add a Secret{% endif %}{% endblock %}</h3> <h3>{% block title %}{% if obj.pk %}Editing {{ obj }}{% else %}Add a Secret{% endif %}{% endblock %}</h3>
{% if form.non_field_errors %} {% if form.non_field_errors %}
<div class="panel panel-danger"> <div class="panel panel-danger">
<div class="panel-heading"><strong>Errors</strong></div> <div class="panel-heading"><strong>Errors</strong></div>
@ -30,17 +30,17 @@
<div class="panel panel-default"> <div class="panel panel-default">
<div class="panel-heading"><strong>Secret Data</strong></div> <div class="panel-heading"><strong>Secret Data</strong></div>
<div class="panel-body"> <div class="panel-body">
{% if secret.pk and secret|decryptable_by:request.user %} {% if obj.pk and obj|decryptable_by:request.user %}
<div class="form-group"> <div class="form-group">
<label class="col-md-3 control-label required">Current Plaintext</label> <label class="col-md-3 control-label required">Current Plaintext</label>
<div class="col-md-7"> <div class="col-md-7">
<p class="form-control-static" id="secret_{{ secret.pk }}">********</p> <p class="form-control-static" id="secret_{{ obj.pk }}">********</p>
</div> </div>
<div class="col-md-2 text-right"> <div class="col-md-2 text-right">
<button class="btn btn-xs btn-success unlock-secret" secret-id="{{ secret.pk }}"> <button class="btn btn-xs btn-success unlock-secret" secret-id="{{ obj.pk }}">
<i class="fa fa-lock"></i> Unlock <i class="fa fa-lock"></i> Unlock
</button> </button>
<button class="btn btn-xs btn-danger lock-secret collapse" secret-id="{{ secret.pk }}"> <button class="btn btn-xs btn-danger lock-secret collapse" secret-id="{{ obj.pk }}">
<i class="fa fa-unlock-alt"></i> Lock <i class="fa fa-unlock-alt"></i> Lock
</button> </button>
</div> </div>
@ -69,9 +69,9 @@
<div class="row"> <div class="row">
<div class="form-group"> <div class="form-group">
<div class="col-md-12 text-center"> <div class="col-md-12 text-center">
{% if secret.pk %} {% if obj.pk %}
<button type="submit" name="_update" class="btn btn-primary">Update</button> <button type="submit" name="_update" class="btn btn-primary">Update</button>
<a href="{% url 'secrets:secret' pk=secret.pk %}" class="btn btn-default">Cancel</a> <a href="{% url 'secrets:secret' pk=obj.pk %}" class="btn btn-default">Cancel</a>
{% else %} {% else %}
<button type="submit" name="_create" class="btn btn-primary">Create</button> <button type="submit" name="_create" class="btn btn-primary">Create</button>
<button type="submit" name="_addanother" class="btn btn-primary">Create and Add Another</button> <button type="submit" name="_addanother" class="btn btn-primary">Create and Add Another</button>