netbox-community-netbox/netbox/secrets/api/views.py

import base64
from Crypto.PublicKey import RSA

from django.core.urlresolvers import reverse
from django.http import HttpResponseBadRequest

from rest_framework.authentication import BasicAuthentication, SessionAuthentication
from rest_framework.permissions import IsAuthenticated
from rest_framework.renderers import JSONRenderer
from rest_framework.response import Response
from rest_framework.viewsets import ViewSet, ModelViewSet

from extras.api.renderers import FormlessBrowsableAPIRenderer, FreeRADIUSClientsRenderer
from secrets.exceptions import InvalidSessionKey
from secrets.filters import SecretFilter
from secrets.models import Secret, SecretRole, SessionKey, UserKey
from utilities.api import WritableSerializerMixin
from . import serializers


ERR_USERKEY_MISSING = "No UserKey found for the current user."
ERR_USERKEY_INACTIVE = "UserKey has not been activated for decryption."
ERR_PRIVKEY_MISSING = "Private key was not provided."
ERR_PRIVKEY_INVALID = "Invalid private key."


#
# Secret Roles
#

class SecretRoleViewSet(ModelViewSet):
    queryset = SecretRole.objects.all()
    serializer_class = serializers.SecretRoleSerializer
    permission_classes = [IsAuthenticated]


#
# Secrets
#

# TODO: Need to implement custom create() and update() methods to handle secret encryption.
class SecretViewSet(WritableSerializerMixin, ModelViewSet):
    queryset = Secret.objects.select_related(
        'device__primary_ip4', 'device__primary_ip6', 'role',
    ).prefetch_related(
        'role__users', 'role__groups',
    )
    serializer_class = serializers.SecretSerializer
    write_serializer_class = serializers.WritableSecretSerializer
    filter_class = SecretFilter
    # DRF's BrowsableAPIRenderer can't support passing the secret key as a header, so we disable it.
    renderer_classes = [FormlessBrowsableAPIRenderer, JSONRenderer, FreeRADIUSClientsRenderer]
    # Enabled BasicAuthentication for testing (until we have TokenAuthentication implemented)
    authentication_classes = [BasicAuthentication, SessionAuthentication]
    permission_classes = [IsAuthenticated]

    def _read_session_key(self, request):

        # Check for a session key provided as a cookie or header
        if 'session_key' in request.COOKIES:
            return base64.b64decode(request.COOKIES['session_key'])
        elif 'HTTP_X_SESSION_KEY' in request.META:
            return base64.b64decode(request.META['HTTP_X_SESSION_KEY'])
        return None

    def retrieve(self, request, *args, **kwargs):

        secret = self.get_object()
        session_key = self._read_session_key(request)

        # Retrieve session key cipher (if any) for the current user
        if session_key is not None:
            try:
                sk = SessionKey.objects.get(user=request.user)
                master_key = sk.get_master_key(session_key)
                secret.decrypt(master_key)
            except SessionKey.DoesNotExist:
                return HttpResponseBadRequest("No active session key for current user.")
            except InvalidSessionKey:
                return HttpResponseBadRequest("Invalid session key.")

        serializer = self.get_serializer(secret)
        return Response(serializer.data)

    def list(self, request, *args, **kwargs):

        queryset = self.filter_queryset(self.get_queryset())

        # Attempt to retrieve the master key for decryption
        session_key = self._read_session_key(request)
        master_key = None
        if session_key is not None:
            try:
                sk = SessionKey.objects.get(user=request.user)
                master_key = sk.get_master_key(session_key)
            except SessionKey.DoesNotExist:
                return HttpResponseBadRequest("No active session key for current user.")
            except InvalidSessionKey:
                return HttpResponseBadRequest("Invalid session key.")

        # Pagination
        page = self.paginate_queryset(queryset)
        if page is not None:
            secrets = []
            if master_key is not None:
                for secret in page:
                    secret.decrypt(master_key)
                    secrets.append(secret)
                serializer = self.get_serializer(secrets, many=True)
            else:
                serializer = self.get_serializer(page, many=True)
            return self.get_paginated_response(serializer.data)

        serializer = self.get_serializer(queryset, many=True)
        return Response(serializer.data)


class GetSessionKeyViewSet(ViewSet):
    """
    Retrieve a temporary session key to use for encrypting and decrypting secrets via the API. The user's private RSA
    key is POSTed with the name `private_key`. An example:

        curl -v -X POST -H "Authorization: Token <token>" -H "Accept: application/json; indent=4" \\
        --data-urlencode "private_key@<filename>" https://netbox/api/secrets/get-session-key/

    This request will yield a base64-encoded session key to be included in an `X-Session-Key` header in future requests:

        {
            "session_key": "+8t4SI6XikgVmB5+/urhozx9O5qCQANyOk1MNe6taRf="
        }
    """
    permission_classes = [IsAuthenticated]

    def create(self, request):

        # Read private key
        private_key = request.POST.get('private_key', None)
        if private_key is None:
            return HttpResponseBadRequest(ERR_PRIVKEY_MISSING)

        # Validate user key
        try:
            user_key = UserKey.objects.get(user=request.user)
        except UserKey.DoesNotExist:
            return HttpResponseBadRequest(ERR_USERKEY_MISSING)
        if not user_key.is_active():
            return HttpResponseBadRequest(ERR_USERKEY_INACTIVE)

        # Validate private key
        master_key = user_key.get_master_key(private_key)
        if master_key is None:
            return HttpResponseBadRequest(ERR_PRIVKEY_INVALID)

        # Delete the existing SessionKey for this user if one exists
        SessionKey.objects.filter(user=request.user).delete()

        # Create a new SessionKey
        sk = SessionKey(user=request.user)
        sk.save(master_key=master_key)
        encoded_key = base64.b64encode(sk.key)

        # Craft the response
        response = Response({
            'session_key': encoded_key,
        })

        # If token authentication is not in use, assign the session key as a cookie
        if request.auth is None:
            response.set_cookie('session_key', value=encoded_key, path=reverse('secrets-api:secret-list'))

        return response


class GenerateRSAKeyPairViewSet(ViewSet):
    """
    This endpoint can be used to generate a new RSA key pair. The keys are returned in PEM format.

        {
            "public_key": "<public key>",
            "private_key": "<private key>"
        }
    """
    permission_classes = [IsAuthenticated]

    def list(self, request):

        # Determine what size key to generate
        key_size = request.GET.get('key_size', 2048)
        if key_size not in range(2048, 4097, 256):
            key_size = 2048

        # Export RSA private and public keys in PEM format
        key = RSA.generate(key_size)
        private_key = key.exportKey('PEM')
        public_key = key.publickey().exportKey('PEM')

        return Response({
            'private_key': private_key,
            'public_key': public_key,
        })
Introduced ability to decrypt secrets by sending the user's private key in an HTTP header 2017-02-01 17:40:50 -05:00			`import base64`
Initial push to public repo 2016-03-01 11:23:03 -05:00			`from Crypto.PublicKey import RSA`

Simplify SessionKey usage 2017-03-14 10:58:57 -04:00			`from django.core.urlresolvers import reverse`
Introduced ability to decrypt secrets by sending the user's private key in an HTTP header 2017-02-01 17:40:50 -05:00			`from django.http import HttpResponseBadRequest`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Moved secret views into a ViewSet (no write ability yet) 2017-02-01 16:21:33 -05:00			`from rest_framework.authentication import BasicAuthentication, SessionAuthentication`
Introduced per-role decryption permissions 2016-04-07 12:37:09 -04:00			`from rest_framework.permissions import IsAuthenticated`
Introduced a no-forms browseable API renderer; changed secrets decyption endpoint from GET to POST 2016-04-12 14:03:18 -04:00			`from rest_framework.renderers import JSONRenderer`
Initial push to public repo 2016-03-01 11:23:03 -05:00			`from rest_framework.response import Response`
Converted GetSessionKey and RSAKeyGeneratorView to ViewSets 2017-03-08 17:57:51 -05:00			`from rest_framework.viewsets import ViewSet, ModelViewSet`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Introduced a no-forms browseable API renderer; changed secrets decyption endpoint from GET to POST 2016-04-12 14:03:18 -04:00			`from extras.api.renderers import FormlessBrowsableAPIRenderer, FreeRADIUSClientsRenderer`
Secrets UI work 2017-03-14 12:32:08 -04:00			`from secrets.exceptions import InvalidSessionKey`
Enabled secret list filtering 2016-03-17 14:57:08 -04:00			`from secrets.filters import SecretFilter`
Implemented SessionKeys for secrets 2017-02-03 12:49:32 -05:00			`from secrets.models import Secret, SecretRole, SessionKey, UserKey`
Moved secret views into a ViewSet (no write ability yet) 2017-02-01 16:21:33 -05:00			`from utilities.api import WritableSerializerMixin`
Code cleanup 2016-05-18 16:35:35 -04:00			`from . import serializers`
Initial push to public repo 2016-03-01 11:23:03 -05:00

Reworked secrets API to allow optional decryption by POSTing a private key 2016-03-22 12:17:49 -04:00			`ERR_USERKEY_MISSING = "No UserKey found for the current user."`
			`ERR_USERKEY_INACTIVE = "UserKey has not been activated for decryption."`
Initial work on using session-based master key ciphers 2017-02-02 21:26:51 -05:00			`ERR_PRIVKEY_MISSING = "Private key was not provided."`
Reworked secrets API to allow optional decryption by POSTing a private key 2016-03-22 12:17:49 -04:00			`ERR_PRIVKEY_INVALID = "Invalid private key."`


Initial work on API v2.0 2017-01-24 17:12:16 -05:00			`#`
			`# Secret Roles`
			`#`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Initial work on API v2.0 2017-01-24 17:12:16 -05:00			`class SecretRoleViewSet(ModelViewSet):`
Initial push to public repo 2016-03-01 11:23:03 -05:00			`queryset = SecretRole.objects.all()`
Code cleanup 2016-05-18 16:35:35 -04:00			`serializer_class = serializers.SecretRoleSerializer`
Enforce authentication for all secrets API views 2016-07-18 15:28:36 -04:00			`permission_classes = [IsAuthenticated]`
Initial push to public repo 2016-03-01 11:23:03 -05:00

Initial work on API v2.0 2017-01-24 17:12:16 -05:00			`#`
			`# Secrets`
			`#`

Introduced ability to decrypt secrets by sending the user's private key in an HTTP header 2017-02-01 17:40:50 -05:00			`# TODO: Need to implement custom create() and update() methods to handle secret encryption.`
Moved secret views into a ViewSet (no write ability yet) 2017-02-01 16:21:33 -05:00			`class SecretViewSet(WritableSerializerMixin, ModelViewSet):`
			`queryset = Secret.objects.select_related(`
			`'device__primary_ip4', 'device__primary_ip6', 'role',`
			`).prefetch_related(`
			`'role__users', 'role__groups',`
			`)`
			`serializer_class = serializers.SecretSerializer`
			`write_serializer_class = serializers.WritableSecretSerializer`
			`filter_class = SecretFilter`
			`# DRF's BrowsableAPIRenderer can't support passing the secret key as a header, so we disable it.`
			`renderer_classes = [FormlessBrowsableAPIRenderer, JSONRenderer, FreeRADIUSClientsRenderer]`
			`# Enabled BasicAuthentication for testing (until we have TokenAuthentication implemented)`
			`authentication_classes = [BasicAuthentication, SessionAuthentication]`
			`permission_classes = [IsAuthenticated]`

Secrets UI work 2017-03-14 12:32:08 -04:00			`def _read_session_key(self, request):`
Implemented SessionKeys for secrets 2017-02-03 12:49:32 -05:00
			`# Check for a session key provided as a cookie or header`
			`if 'session_key' in request.COOKIES:`
Secrets UI work 2017-03-14 12:32:08 -04:00			`return base64.b64decode(request.COOKIES['session_key'])`
Implemented SessionKeys for secrets 2017-02-03 12:49:32 -05:00			`elif 'HTTP_X_SESSION_KEY' in request.META:`
Secrets UI work 2017-03-14 12:32:08 -04:00			`return base64.b64decode(request.META['HTTP_X_SESSION_KEY'])`
			`return None`
Reworked secrets API to allow optional decryption by POSTing a private key 2016-03-22 12:17:49 -04:00
Initial work on using session-based master key ciphers 2017-02-02 21:26:51 -05:00			`def retrieve(self, request, args, *kwargs):`
Secrets UI work 2017-03-14 12:32:08 -04:00
Initial work on using session-based master key ciphers 2017-02-02 21:26:51 -05:00			`secret = self.get_object()`
Secrets UI work 2017-03-14 12:32:08 -04:00			`session_key = self._read_session_key(request)`
Reworked secrets API to allow optional decryption by POSTing a private key 2016-03-22 12:17:49 -04:00
Secrets UI work 2017-03-14 12:32:08 -04:00			`# Retrieve session key cipher (if any) for the current user`
			`if session_key is not None:`
			`try:`
			`sk = SessionKey.objects.get(user=request.user)`
			`master_key = sk.get_master_key(session_key)`
			`secret.decrypt(master_key)`
			`except SessionKey.DoesNotExist:`
			`return HttpResponseBadRequest("No active session key for current user.")`
			`except InvalidSessionKey:`
			`return HttpResponseBadRequest("Invalid session key.")`
Introduced a no-forms browseable API renderer; changed secrets decyption endpoint from GET to POST 2016-04-12 14:03:18 -04:00
Introduced ability to decrypt secrets by sending the user's private key in an HTTP header 2017-02-01 17:40:50 -05:00			`serializer = self.get_serializer(secret)`
			`return Response(serializer.data)`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Introduced ability to decrypt secrets by sending the user's private key in an HTTP header 2017-02-01 17:40:50 -05:00			`def list(self, request, args, *kwargs):`
Secrets UI work 2017-03-14 12:32:08 -04:00
Introduced ability to decrypt secrets by sending the user's private key in an HTTP header 2017-02-01 17:40:50 -05:00			`queryset = self.filter_queryset(self.get_queryset())`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Secrets UI work 2017-03-14 12:32:08 -04:00			`# Attempt to retrieve the master key for decryption`
			`session_key = self._read_session_key(request)`
			`master_key = None`
			`if session_key is not None:`
			`try:`
			`sk = SessionKey.objects.get(user=request.user)`
			`master_key = sk.get_master_key(session_key)`
			`except SessionKey.DoesNotExist:`
			`return HttpResponseBadRequest("No active session key for current user.")`
			`except InvalidSessionKey:`
			`return HttpResponseBadRequest("Invalid session key.")`

Introduced ability to decrypt secrets by sending the user's private key in an HTTP header 2017-02-01 17:40:50 -05:00			`# Pagination`
			`page = self.paginate_queryset(queryset)`
			`if page is not None:`
			`secrets = []`
			`if master_key is not None:`
			`for secret in page:`
			`secret.decrypt(master_key)`
			`secrets.append(secret)`
			`serializer = self.get_serializer(secrets, many=True)`
			`else:`
			`serializer = self.get_serializer(page, many=True)`
			`return self.get_paginated_response(serializer.data)`
Reworked secrets API to allow optional decryption by POSTing a private key 2016-03-22 12:17:49 -04:00
Introduced ability to decrypt secrets by sending the user's private key in an HTTP header 2017-02-01 17:40:50 -05:00			`serializer = self.get_serializer(queryset, many=True)`
			`return Response(serializer.data)`
Introduced a no-forms browseable API renderer; changed secrets decyption endpoint from GET to POST 2016-04-12 14:03:18 -04:00
Initial push to public repo 2016-03-01 11:23:03 -05:00
Converted GetSessionKey and RSAKeyGeneratorView to ViewSets 2017-03-08 17:57:51 -05:00			`class GetSessionKeyViewSet(ViewSet):`
Initial work on using session-based master key ciphers 2017-02-02 21:26:51 -05:00			`"""`
Converted GetSessionKey and RSAKeyGeneratorView to ViewSets 2017-03-08 17:57:51 -05:00			`Retrieve a temporary session key to use for encrypting and decrypting secrets via the API. The user's private RSA`
			key is POSTed with the name `private_key`. An example:

			`curl -v -X POST -H "Authorization: Token <token>" -H "Accept: application/json; indent=4" \\`
			`--data-urlencode "private_key@<filename>" https://netbox/api/secrets/get-session-key/`

Simplify SessionKey usage 2017-03-14 10:58:57 -04:00			This request will yield a base64-encoded session key to be included in an `X-Session-Key` header in future requests:
Converted GetSessionKey and RSAKeyGeneratorView to ViewSets 2017-03-08 17:57:51 -05:00
			`{`
			`"session_key": "+8t4SI6XikgVmB5+/urhozx9O5qCQANyOk1MNe6taRf="`
			`}`
Initial work on using session-based master key ciphers 2017-02-02 21:26:51 -05:00			`"""`
			`permission_classes = [IsAuthenticated]`

Converted GetSessionKey and RSAKeyGeneratorView to ViewSets 2017-03-08 17:57:51 -05:00			`def create(self, request):`
Initial work on using session-based master key ciphers 2017-02-02 21:26:51 -05:00
			`# Read private key`
			`private_key = request.POST.get('private_key', None)`
			`if private_key is None:`
			`return HttpResponseBadRequest(ERR_PRIVKEY_MISSING)`

			`# Validate user key`
			`try:`
			`user_key = UserKey.objects.get(user=request.user)`
			`except UserKey.DoesNotExist:`
			`return HttpResponseBadRequest(ERR_USERKEY_MISSING)`
			`if not user_key.is_active():`
			`return HttpResponseBadRequest(ERR_USERKEY_INACTIVE)`

			`# Validate private key`
			`master_key = user_key.get_master_key(private_key)`
			`if master_key is None:`
			`return HttpResponseBadRequest(ERR_PRIVKEY_INVALID)`

Implemented SessionKeys for secrets 2017-02-03 12:49:32 -05:00			`# Delete the existing SessionKey for this user if one exists`
			`SessionKey.objects.filter(user=request.user).delete()`
Initial work on using session-based master key ciphers 2017-02-02 21:26:51 -05:00
Implemented SessionKeys for secrets 2017-02-03 12:49:32 -05:00			`# Create a new SessionKey`
			`sk = SessionKey(user=request.user)`
			`sk.save(master_key=master_key)`
Simplify SessionKey usage 2017-03-14 10:58:57 -04:00			`encoded_key = base64.b64encode(sk.key)`
Initial work on using session-based master key ciphers 2017-02-02 21:26:51 -05:00
Simplify SessionKey usage 2017-03-14 10:58:57 -04:00			`# Craft the response`
Initial work on using session-based master key ciphers 2017-02-02 21:26:51 -05:00			`response = Response({`
Simplify SessionKey usage 2017-03-14 10:58:57 -04:00			`'session_key': encoded_key,`
Initial work on using session-based master key ciphers 2017-02-02 21:26:51 -05:00			`})`
Simplify SessionKey usage 2017-03-14 10:58:57 -04:00
			`# If token authentication is not in use, assign the session key as a cookie`
			`if request.auth is None:`
			`response.set_cookie('session_key', value=encoded_key, path=reverse('secrets-api:secret-list'))`

Initial work on using session-based master key ciphers 2017-02-02 21:26:51 -05:00			`return response`
Implemented SessionKeys for secrets 2017-02-03 12:49:32 -05:00

Converted GetSessionKey and RSAKeyGeneratorView to ViewSets 2017-03-08 17:57:51 -05:00			`class GenerateRSAKeyPairViewSet(ViewSet):`
Implemented SessionKeys for secrets 2017-02-03 12:49:32 -05:00			`"""`
Converted GetSessionKey and RSAKeyGeneratorView to ViewSets 2017-03-08 17:57:51 -05:00			`This endpoint can be used to generate a new RSA key pair. The keys are returned in PEM format.`

			`{`
			`"public_key": "<public key>",`
			`"private_key": "<private key>"`
			`}`
Implemented SessionKeys for secrets 2017-02-03 12:49:32 -05:00			`"""`
			`permission_classes = [IsAuthenticated]`

Converted GetSessionKey and RSAKeyGeneratorView to ViewSets 2017-03-08 17:57:51 -05:00			`def list(self, request):`
Implemented SessionKeys for secrets 2017-02-03 12:49:32 -05:00
			`# Determine what size key to generate`
			`key_size = request.GET.get('key_size', 2048)`
			`if key_size not in range(2048, 4097, 256):`
			`key_size = 2048`

			`# Export RSA private and public keys in PEM format`
			`key = RSA.generate(key_size)`
			`private_key = key.exportKey('PEM')`
			`public_key = key.publickey().exportKey('PEM')`

			`return Response({`
			`'private_key': private_key,`
			`'public_key': public_key,`
			`})`