
Merge pull request #3957 from kobayashi/3923-validate-key-format

Fixes: #3923 validate key format
Jeremy Stretch 6 лет назад
Сommit
9dfd0e5b40

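--- a/docs/core-functionality/secrets.md
+++ b/docs/core-functionality/secrets.md
@@ -24,6 +24,20 @@ Each user within NetBox can associate his or her account with an RSA public key.
 
 User keys may be created by users individually, however they are of no use until they have been activated by a user who already possesses an active user key.
 
+## Supported Key Format
+
+Public key formats supported
+
+- PKCS#1 RSAPublicKey* (PEM header: BEGIN RSA PUBLIC KEY)
+- X.509 SubjectPublicKeyInfo** (PEM header: BEGIN PUBLIC KEY)
+- **OpenSSH line format is not supported.**
+
+Private key formats supported (unencrypted)
+
+- PKCS#1 RSAPrivateKey** (PEM header: BEGIN RSA PRIVATE KEY)
+- PKCS#8 PrivateKeyInfo* (PEM header: BEGIN PRIVATE KEY)
+
+
 ## Creating the First User Key
 
 When NetBox is first installed, it contains no encryption keys. Before it can store secrets, a user (typically the superuser) must create a user key. This can be done by navigating to Profile > User Key.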

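--- a/docs/release-notes/version-2.7.md
+++ b/docs/release-notes/version-2.7.md
@@ -10,6 +10,7 @@
 
 * [#3721](https://github.com/netbox-community/netbox/issues/3721) - Allow Unicode characters in tag slugs
 * [#3951](https://github.com/netbox-community/netbox/issues/3951) - Fix exception in webhook worker due to missing constant
+* [#3923](https://github.com/netbox-community/netbox/issues/3923) - Fix user key validation 
 * [#3953](https://github.com/netbox-community/netbox/issues/3953) - Fix validation error when creating child devices
 * [#3960](https://github.com/netbox-community/netbox/issues/3960) - Fix legacy device status choice
 * [#3962](https://github.com/netbox-community/netbox/issues/3962) - Fix display of unnamed devices in rack elevations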

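--- a/netbox/secrets/forms.py
+++ b/netbox/secrets/forms.py
@@ -16,6 +16,8 @@ def validate_rsa_key(key, is_secret=True):
     """
     Validate the format and type of an RSA key.
     """
+    if key.startswith('ssh-rsa '):
+        raise forms.ValidationError("OpenSSH line format is not supported. Please ensure that your public is in PEM (base64) format.")
     try:
         key = RSA.importKey(key)
     except ValueError: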
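Review bot: The new ValidationError text reads "Please ensure that your public is in PEM (base64) format", which drops the word "key" from a message shown to the user; it should read `"OpenSSH line format is not supported. Please ensure that your public key is in PEM (base64) format."`. The guard matches only the literal prefix `'ssh-rsa '` on a str, so it relies on the caller passing text that is already stripped (presumably the form field does this; confirm). The docstring still says only "Validate the format and type of an RSA key." and could gain a line such as `OpenSSH one-line ("ssh-rsa ...") public keys are rejected before import.` The body of validate_rsa_key continues past the end of the hunk.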

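--- a/netbox/secrets/tests/constants.py
+++ b/netbox/secrets/tests/constants.py
@@ -36,3 +36,5 @@ GY2b4PKuSTcsYjbg8adOGzFL9RXLI1X4PHNCzD/Y1vdM3jJXv+luk3TU+JIbzJeN
 5ZEEz+sIdlMPCAACaZAY/t9Kd/LxHr0o4K/6gqkZIukxFCK6sN53gibAXfaKc4xl
 qQIDAQAB
 -----END PUBLIC KEY-----"""
+
+SSH_PUBLIC_KEY = """ssh-rsa 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 test"""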

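--- a/netbox/secrets/tests/test_form.py
+++ b/netbox/secrets/tests/test_form.py
@@ -0,0 +1,33 @@
+from django.test import TestCase
+from secrets.forms import UserKeyForm
+from secrets.models import UserKey
+from utilities.testing import create_test_user
+from .constants import PUBLIC_KEY, SSH_PUBLIC_KEY
+
+
+class UserKeyFormTestCase(TestCase):
+
+    def setUp(self):
+        user = create_test_user(
+            permissions=[
+                'secrets.view_secretrole',
+                'secrets.add_secretrole',
+            ]
+        )
+        self.userkey = UserKey(user=user)
+
+    def test_upload_rsakey(self):
+        form = UserKeyForm(
+            data={'public_key': PUBLIC_KEY},
+            instance=self.userkey,
+        )
+        self.assertTrue(form.is_valid())
+        self.assertTrue(form.save())
+
+    def test_upload_sshkey(self):
+        form = UserKeyForm(
+            data={'public_key': SSH_PUBLIC_KEY},
+            instance=self.userkey,
+        )
+        print(form.is_valid())
+        self.assertFalse(form.is_valid())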
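Review bot: `print(form.is_valid())` in test_upload_sshkey is leftover debug output and should be removed; the assertion on the following line already runs validation. The test also passes for any validation failure, so it does not pin the new OpenSSH rejection specifically; adding `self.assertIn('public_key', form.errors)` (assuming the validator is attached to that field) would tie it to the key check. The permissions requested in setUp, `secrets.view_secretrole` and `secrets.add_secretrole`, do not appear to be used by either test.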