netbox-community-netbox/netbox/secrets/forms.py

from Crypto.Cipher import PKCS1_OAEP
from Crypto.PublicKey import RSA
from django import forms
from taggit.forms import TagField

from dcim.models import Device
from extras.forms import AddRemoveTagsForm, CustomFieldBulkEditForm, CustomFieldFilterForm, CustomFieldForm
from utilities.forms import (
    APISelect, APISelectMultiple, BootstrapMixin, FilterChoiceField, FlexibleModelChoiceField, SlugField,
    StaticSelect2Multiple, TagFilterField
)
from .models import Secret, SecretRole, UserKey


def validate_rsa_key(key, is_secret=True):
    """
    Validate the format and type of an RSA key.
    """
    try:
        key = RSA.importKey(key)
    except ValueError:
        raise forms.ValidationError("Invalid RSA key. Please ensure that your key is in PEM (base64) format.")
    except Exception as e:
        raise forms.ValidationError("Invalid key detected: {}".format(e))
    if is_secret and not key.has_private():
        raise forms.ValidationError("This looks like a public key. Please provide your private RSA key.")
    elif not is_secret and key.has_private():
        raise forms.ValidationError("This looks like a private key. Please provide your public RSA key.")
    try:
        PKCS1_OAEP.new(key)
    except Exception:
        raise forms.ValidationError("Error validating RSA key. Please ensure that your key supports PKCS#1 OAEP.")


#
# Secret roles
#

class SecretRoleForm(BootstrapMixin, forms.ModelForm):
    slug = SlugField()

    class Meta:
        model = SecretRole
        fields = [
            'name', 'slug', 'users', 'groups',
        ]
        widgets = {
            'users': StaticSelect2Multiple(),
            'groups': StaticSelect2Multiple(),
        }


class SecretRoleCSVForm(forms.ModelForm):
    slug = SlugField()

    class Meta:
        model = SecretRole
        fields = SecretRole.csv_headers
        help_texts = {
            'name': 'Name of secret role',
        }


#
# Secrets
#

class SecretForm(BootstrapMixin, CustomFieldForm):
    plaintext = forms.CharField(
        max_length=65535,
        required=False,
        label='Plaintext',
        widget=forms.PasswordInput(
            attrs={
                'class': 'requires-session-key',
            }
        )
    )
    plaintext2 = forms.CharField(
        max_length=65535,
        required=False,
        label='Plaintext (verify)',
        widget=forms.PasswordInput()
    )
    tags = TagField(
        required=False
    )

    class Meta:
        model = Secret
        fields = [
            'role', 'name', 'plaintext', 'plaintext2', 'tags',
        ]
        widgets = {
            'role': APISelect(
                api_url="/api/secrets/secret-roles/"
            )
        }

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)

        # A plaintext value is required when creating a new Secret
        if not self.instance.pk:
            self.fields['plaintext'].required = True

    def clean(self):

        # Verify that the provided plaintext values match
        if self.cleaned_data['plaintext'] != self.cleaned_data['plaintext2']:
            raise forms.ValidationError({
                'plaintext2': "The two given plaintext values do not match. Please check your input."
            })


class SecretCSVForm(forms.ModelForm):
    device = FlexibleModelChoiceField(
        queryset=Device.objects.all(),
        to_field_name='name',
        help_text='Device name or ID',
        error_messages={
            'invalid_choice': 'Device not found.',
        }
    )
    role = forms.ModelChoiceField(
        queryset=SecretRole.objects.all(),
        to_field_name='name',
        help_text='Name of assigned role',
        error_messages={
            'invalid_choice': 'Invalid secret role.',
        }
    )
    plaintext = forms.CharField(
        help_text='Plaintext secret data'
    )

    class Meta:
        model = Secret
        fields = Secret.csv_headers
        help_texts = {
            'name': 'Name or username',
        }

    def save(self, *args, **kwargs):
        s = super().save(*args, **kwargs)
        s.plaintext = str(self.cleaned_data['plaintext'])
        return s


class SecretBulkEditForm(BootstrapMixin, AddRemoveTagsForm, CustomFieldBulkEditForm):
    pk = forms.ModelMultipleChoiceField(
        queryset=Secret.objects.all(),
        widget=forms.MultipleHiddenInput()
    )
    role = forms.ModelChoiceField(
        queryset=SecretRole.objects.all(),
        required=False,
        widget=APISelect(
            api_url="/api/secrets/secret-roles/"
        )
    )
    name = forms.CharField(
        max_length=100,
        required=False
    )

    class Meta:
        nullable_fields = [
            'name',
        ]


class SecretFilterForm(BootstrapMixin, CustomFieldFilterForm):
    model = Secret
    q = forms.CharField(
        required=False,
        label='Search'
    )
    role = FilterChoiceField(
        queryset=SecretRole.objects.all(),
        to_field_name='slug',
        widget=APISelectMultiple(
            api_url="/api/secrets/secret-roles/",
            value_field="slug",
        )
    )

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields['tag'] = TagFilterField(self.model)


#
# UserKeys
#

class UserKeyForm(BootstrapMixin, forms.ModelForm):

    class Meta:
        model = UserKey
        fields = ['public_key']
        help_texts = {
            'public_key': "Enter your public RSA key. Keep the private one with you; you'll need it for decryption. "
                          "Please note that passphrase-protected keys are not supported.",
        }
        labels = {
            'public_key': ''
        }

    def clean_public_key(self):
        key = self.cleaned_data['public_key']

        # Validate the RSA key format.
        validate_rsa_key(key, is_secret=False)

        return key


class ActivateUserKeyForm(forms.Form):
    _selected_action = forms.ModelMultipleChoiceField(
        queryset=UserKey.objects.all(),
        label='User Keys'
    )
    secret_key = forms.CharField(
        widget=forms.Textarea(
            attrs={
                'class': 'vLargeTextField',
            }
        ),
        label='Your private key'
    )
Initial push to public repo 2016-03-01 11:23:03 -05:00			`from Crypto.Cipher import PKCS1_OAEP`
			`from Crypto.PublicKey import RSA`
			`from django import forms`
Implemented tags for all primary models 2018-05-10 12:53:11 -04:00			`from taggit.forms import TagField`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Changed Secret parent from a GenericForeignKey to ForeignKey(Device) 2016-03-21 11:42:42 -04:00			`from dcim.models import Device`
Closes #1739: Enabled custom fields for secrets 2018-07-17 09:43:57 -04:00			`from extras.forms import AddRemoveTagsForm, CustomFieldBulkEditForm, CustomFieldFilterForm, CustomFieldForm`
Secrets Select2 forms 2019-01-09 23:46:45 -05:00			`from utilities.forms import (`
			`APISelect, APISelectMultiple, BootstrapMixin, FilterChoiceField, FlexibleModelChoiceField, SlugField,`
Tag filter field for filter forms 2020-01-13 20:16:13 +00:00			`StaticSelect2Multiple, TagFilterField`
Secrets Select2 forms 2019-01-09 23:46:45 -05:00			`)`
Initial push to public repo 2016-03-01 11:23:03 -05:00			`from .models import Secret, SecretRole, UserKey`


			`def validate_rsa_key(key, is_secret=True):`
			`"""`
			`Validate the format and type of an RSA key.`
			`"""`
			`try:`
			`key = RSA.importKey(key)`
			`except ValueError:`
			`raise forms.ValidationError("Invalid RSA key. Please ensure that your key is in PEM (base64) format.")`
			`except Exception as e:`
			`raise forms.ValidationError("Invalid key detected: {}".format(e))`
			`if is_secret and not key.has_private():`
			`raise forms.ValidationError("This looks like a public key. Please provide your private RSA key.")`
			`elif not is_secret and key.has_private():`
			`raise forms.ValidationError("This looks like a private key. Please provide your public RSA key.")`
			`try:`
			`PKCS1_OAEP.new(key)`
Fix pycodestyle errors Mainly two kind of errors: * pokemon exceptions * invalid escape sequences 2018-06-27 17:23:32 +02:00			`except Exception:`
Initial push to public repo 2016-03-01 11:23:03 -05:00			`raise forms.ValidationError("Error validating RSA key. Please ensure that your key supports PKCS#1 OAEP.")`


Added CBVs for SecretRoles 2016-05-16 12:07:12 -04:00			`#`
			`# Secret roles`
			`#`

Standardized inheritance order of BootstrapMixin 2016-12-21 14:15:18 -05:00			`class SecretRoleForm(BootstrapMixin, forms.ModelForm):`
Added JS for SlugField autofill 2016-05-20 15:32:17 -04:00			`slug = SlugField()`
Added CBVs for SecretRoles 2016-05-16 12:07:12 -04:00
			`class Meta:`
			`model = SecretRole`
Formatting cleanup 2018-11-27 11:57:29 -05:00			`fields = [`
			`'name', 'slug', 'users', 'groups',`
			`]`
Secrets Select2 forms 2019-01-09 23:46:45 -05:00			`widgets = {`
			`'users': StaticSelect2Multiple(),`
			`'groups': StaticSelect2Multiple(),`
			`}`
Added CBVs for SecretRoles 2016-05-16 12:07:12 -04:00

Added bulk import view for secret roles 2017-10-09 15:56:17 -04:00			`class SecretRoleCSVForm(forms.ModelForm):`
			`slug = SlugField()`

			`class Meta:`
			`model = SecretRole`
Standardized declaration of csv_headers on models 2018-02-02 14:26:16 -05:00			`fields = SecretRole.csv_headers`
Added bulk import view for secret roles 2017-10-09 15:56:17 -04:00			`help_texts = {`
			`'name': 'Name of secret role',`
			`}`


Initial push to public repo 2016-03-01 11:23:03 -05:00			`#`
			`# Secrets`
			`#`

Closes #1739: Enabled custom fields for secrets 2018-07-17 09:43:57 -04:00			`class SecretForm(BootstrapMixin, CustomFieldForm):`
Fixes #1955: Require a plaintext value when creating a new secret 2018-03-07 11:20:10 -05:00			`plaintext = forms.CharField(`
			`max_length=65535,`
			`required=False,`
			`label='Plaintext',`
Formatting cleanup 2018-11-27 11:57:29 -05:00			`widget=forms.PasswordInput(`
			`attrs={`
			`'class': 'requires-session-key',`
			`}`
			`)`
Fixes #1955: Require a plaintext value when creating a new secret 2018-03-07 11:20:10 -05:00			`)`
			`plaintext2 = forms.CharField(`
			`max_length=65535,`
			`required=False,`
			`label='Plaintext (verify)',`
			`widget=forms.PasswordInput()`
			`)`
Formatting cleanup 2018-11-27 11:57:29 -05:00			`tags = TagField(`
			`required=False`
			`)`
Initial push to public repo 2016-03-01 11:23:03 -05:00
			`class Meta:`
			`model = Secret`
Formatting cleanup 2018-11-27 11:57:29 -05:00			`fields = [`
			`'role', 'name', 'plaintext', 'plaintext2', 'tags',`
			`]`
Secrets Select2 forms 2019-01-09 23:46:45 -05:00			`widgets = {`
			`'role': APISelect(`
			`api_url="/api/secrets/secret-roles/"`
			`)`
			`}`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Fixes #1955: Require a plaintext value when creating a new secret 2018-03-07 11:20:10 -05:00			`def __init__(self, args, *kwargs):`
Closes #2614: Simplify calls of super() for Python 3 2018-11-27 10:52:24 -05:00			`super().__init__(args, *kwargs)`
Fixes #1955: Require a plaintext value when creating a new secret 2018-03-07 11:20:10 -05:00
			`# A plaintext value is required when creating a new Secret`
			`if not self.instance.pk:`
			`self.fields['plaintext'].required = True`

Initial push to public repo 2016-03-01 11:23:03 -05:00			`def clean(self):`
Attributed all model ValidationErrors to specific fields (where appropriate) 2016-10-21 15:39:13 -04:00
Fixes #1955: Require a plaintext value when creating a new secret 2018-03-07 11:20:10 -05:00			`# Verify that the provided plaintext values match`
Attributed all model ValidationErrors to specific fields (where appropriate) 2016-10-21 15:39:13 -04:00			`if self.cleaned_data['plaintext'] != self.cleaned_data['plaintext2']:`
			`raise forms.ValidationError({`
			`'plaintext2': "The two given plaintext values do not match. Please check your input."`
			`})`
Initial push to public repo 2016-03-01 11:23:03 -05:00

Converted secrets import view to new scheme 2017-06-02 17:23:41 -04:00			`class SecretCSVForm(forms.ModelForm):`
Converted device fields to use FlexibleModelChoiceField; misc cleanup 2017-06-07 15:51:11 -04:00			`device = FlexibleModelChoiceField(`
Converted secrets import view to new scheme 2017-06-02 17:23:41 -04:00			`queryset=Device.objects.all(),`
			`to_field_name='name',`
Converted device fields to use FlexibleModelChoiceField; misc cleanup 2017-06-07 15:51:11 -04:00			`help_text='Device name or ID',`
Converted secrets import view to new scheme 2017-06-02 17:23:41 -04:00			`error_messages={`
			`'invalid_choice': 'Device not found.',`
			`}`
			`)`
			`role = forms.ModelChoiceField(`
			`queryset=SecretRole.objects.all(),`
			`to_field_name='name',`
			`help_text='Name of assigned role',`
			`error_messages={`
			`'invalid_choice': 'Invalid secret role.',`
			`}`
			`)`
			`plaintext = forms.CharField(`
			`help_text='Plaintext secret data'`
			`)`
Initial push to public repo 2016-03-01 11:23:03 -05:00
			`class Meta:`
			`model = Secret`
Standardized declaration of csv_headers on models 2018-02-02 14:26:16 -05:00			`fields = Secret.csv_headers`
Converted device fields to use FlexibleModelChoiceField; misc cleanup 2017-06-07 15:51:11 -04:00			`help_texts = {`
			`'name': 'Name or username',`
			`}`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Changed Secret parent from a GenericForeignKey to ForeignKey(Device) 2016-03-21 11:42:42 -04:00			`def save(self, args, *kwargs):`
Closes #2614: Simplify calls of super() for Python 3 2018-11-27 10:52:24 -05:00			`s = super().save(args, *kwargs)`
Changed Secret parent from a GenericForeignKey to ForeignKey(Device) 2016-03-21 11:42:42 -04:00			`s.plaintext = str(self.cleaned_data['plaintext'])`
			`return s`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Changed Secret parent from a GenericForeignKey to ForeignKey(Device) 2016-03-21 11:42:42 -04:00
Closes #1739: Enabled custom fields for secrets 2018-07-17 09:43:57 -04:00			`class SecretBulkEditForm(BootstrapMixin, AddRemoveTagsForm, CustomFieldBulkEditForm):`
Formatting cleanup 2018-11-27 11:57:29 -05:00			`pk = forms.ModelMultipleChoiceField(`
			`queryset=Secret.objects.all(),`
			`widget=forms.MultipleHiddenInput()`
			`)`
			`role = forms.ModelChoiceField(`
			`queryset=SecretRole.objects.all(),`
Secrets Select2 forms 2019-01-09 23:46:45 -05:00			`required=False,`
			`widget=APISelect(`
			`api_url="/api/secrets/secret-roles/"`
			`)`
Formatting cleanup 2018-11-27 11:57:29 -05:00			`)`
			`name = forms.CharField(`
			`max_length=100,`
			`required=False`
			`)`
Initial push to public repo 2016-03-01 11:23:03 -05:00
#527: Initial work to allow nullifying fields during bulk edit 2016-09-30 16:17:41 -04:00			`class Meta:`
Formatting cleanup 2018-11-27 11:57:29 -05:00			`nullable_fields = [`
			`'name',`
			`]`
#527: Initial work to allow nullifying fields during bulk edit 2016-09-30 16:17:41 -04:00
Initial push to public repo 2016-03-01 11:23:03 -05:00
Closes #1739: Enabled custom fields for secrets 2018-07-17 09:43:57 -04:00			`class SecretFilterForm(BootstrapMixin, CustomFieldFilterForm):`
			`model = Secret`
Formatting cleanup 2018-11-27 11:57:29 -05:00			`q = forms.CharField(`
			`required=False,`
			`label='Search'`
			`)`
Closes #927: Upgrade to django-filter 1.0 2017-03-01 13:09:19 -05:00			`role = FilterChoiceField(`
Virtulization Select2 forms 2019-01-10 17:32:23 -05:00			`queryset=SecretRole.objects.all(),`
Secrets Select2 forms 2019-01-09 23:46:45 -05:00			`to_field_name='slug',`
			`widget=APISelectMultiple(`
			`api_url="/api/secrets/secret-roles/",`
			`value_field="slug",`
			`)`
Closes #927: Upgrade to django-filter 1.0 2017-03-01 13:09:19 -05:00			`)`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Tag filter field for filter forms 2020-01-13 20:16:13 +00:00			`def __init__(self, args, *kwargs):`
			`super().__init__(args, *kwargs)`
			`self.fields['tag'] = TagFilterField(self.model)`

Initial push to public repo 2016-03-01 11:23:03 -05:00
			`#`
			`# UserKeys`
			`#`

Standardized inheritance order of BootstrapMixin 2016-12-21 14:15:18 -05:00			`class UserKeyForm(BootstrapMixin, forms.ModelForm):`
Initial push to public repo 2016-03-01 11:23:03 -05:00
			`class Meta:`
			`model = UserKey`
			`fields = ['public_key']`
			`help_texts = {`
Added note about passphrase-protected keys (#2189) 2018-07-18 11:03:22 -04:00			`'public_key': "Enter your public RSA key. Keep the private one with you; you'll need it for decryption. "`
			`"Please note that passphrase-protected keys are not supported.",`
Initial push to public repo 2016-03-01 11:23:03 -05:00			`}`
Fixes #3514: Label TextVar fields when rendering custom script forms 2019-09-18 15:39:26 -04:00			`labels = {`
			`'public_key': ''`
			`}`
Initial push to public repo 2016-03-01 11:23:03 -05:00
			`def clean_public_key(self):`
			`key = self.cleaned_data['public_key']`

			`# Validate the RSA key format.`
			`validate_rsa_key(key, is_secret=False)`

			`return key`


			`class ActivateUserKeyForm(forms.Form):`
Formatting cleanup 2018-11-27 11:57:29 -05:00			`_selected_action = forms.ModelMultipleChoiceField(`
			`queryset=UserKey.objects.all(),`
			`label='User Keys'`
			`)`
			`secret_key = forms.CharField(`
			`widget=forms.Textarea(`
			`attrs={`
			`'class': 'vLargeTextField',`
			`}`
			`),`
			`label='Your private key'`
			`)`