mirror of
https://github.com/netbox-community/netbox.git
synced 2024-05-10 07:54:54 +00:00
Added API doc for working with secrets
This commit is contained in:
Jeremy Stretch
136
docs/api/working-with-secrets.md
Normal file
136
docs/api/working-with-secrets.md
Normal file
@ -0,0 +1,136 @@
|
||||
As with most other objects, the NetBox API can be used to create, modify, and delete secrets. However, additional steps are needed to encrypt or decrypt secret data.
|
||||
|
||||
# Generating a Session Key
|
||||
|
||||
In order to encrypt or decrypt secret data, a session key must be attached to the API request. To generate a session key, send an authenticated request to the `/api/secrets/get-session-key/` endpoint with the private RSA key which matches your [UserKey](../data-model/secrets/#user-keys). The private key must be POSTed with the name `private_key`.
|
||||
|
||||
```
|
||||
$ curl -X POST http://localhost:8000/api/secrets/get-session-key/ \
|
||||
-H "Authorization: Token c639d619ecbeb1f3055c4141ba6870e20572edd7" \
|
||||
-H "Accept: application/json; indent=4" \
|
||||
--data-urlencode "private_key@<filename>"
|
||||
{
|
||||
"session_key": "dyEnxlc9lnGzaOAV1dV/xqYPV63njIbdZYOgnAlGPHk="
|
||||
}
|
||||
```
|
||||
|
||||
!!! note
|
||||
To read the private key from a file, use the convention above. Alternatively, the private key can be read from an environment variable using `--data-urlencode "private_key=$PRIVATE_KEY"`.
|
||||
|
||||
The request uses your private key to unlock your stored copy of the master key and generate a session key which can be attached in the `X-Session-Key` header of future API requests.
|
||||
|
||||
# Retrieving Secrets
|
||||
|
||||
A session key is not needed to retrieve unencrypted secrets: The secret is returned like any normal object with its `plaintext` field set to null.
|
||||
|
||||
```
|
||||
$ curl http://localhost:8000/api/secrets/secrets/2587/ \
|
||||
-H "Authorization: Token c639d619ecbeb1f3055c4141ba6870e20572edd7" \
|
||||
-H "Accept: application/json; indent=4"
|
||||
{
|
||||
"id": 2587,
|
||||
"device": {
|
||||
"id": 1827,
|
||||
"url": "http://localhost:8000/api/dcim/devices/1827/",
|
||||
"name": "MyTestDevice",
|
||||
"display_name": "MyTestDevice"
|
||||
},
|
||||
"role": {
|
||||
"id": 1,
|
||||
"url": "http://localhost:8000/api/secrets/secret-roles/1/",
|
||||
"name": "Login Credentials",
|
||||
"slug": "login-creds"
|
||||
},
|
||||
"name": "admin",
|
||||
"plaintext": null,
|
||||
"hash": "pbkdf2_sha256$1000$G6mMFe4FetZQ$f+0itZbAoUqW5pd8+NH8W5rdp/2QNLIBb+LGdt4OSKA=",
|
||||
"created": "2017-03-21",
|
||||
"last_updated": "2017-03-21T19:28:44.265582Z"
|
||||
}
|
||||
```
|
||||
|
||||
To decrypt a secret, we must include our session key in the `X-Session-Key` header:
|
||||
|
||||
```
|
||||
$ curl http://localhost:8000/api/secrets/secrets/2587/ \
|
||||
-H "Authorization: Token c639d619ecbeb1f3055c4141ba6870e20572edd7" \
|
||||
-H "Accept: application/json; indent=4" \
|
||||
-H "X-Session-Key: dyEnxlc9lnGzaOAV1dV/xqYPV63njIbdZYOgnAlGPHk="
|
||||
{
|
||||
"id": 2587,
|
||||
"device": {
|
||||
"id": 1827,
|
||||
"url": "http://localhost:8000/api/dcim/devices/1827/",
|
||||
"name": "MyTestDevice",
|
||||
"display_name": "MyTestDevice"
|
||||
},
|
||||
"role": {
|
||||
"id": 1,
|
||||
"url": "http://localhost:8000/api/secrets/secret-roles/1/",
|
||||
"name": "Login Credentials",
|
||||
"slug": "login-creds"
|
||||
},
|
||||
"name": "admin",
|
||||
"plaintext": "foobar",
|
||||
"hash": "pbkdf2_sha256$1000$G6mMFe4FetZQ$f+0itZbAoUqW5pd8+NH8W5rdp/2QNLIBb+LGdt4OSKA=",
|
||||
"created": "2017-03-21",
|
||||
"last_updated": "2017-03-21T19:28:44.265582Z"
|
||||
}
|
||||
```
|
||||
|
||||
Lists of secrets can be decrypted in this manner as well:
|
||||
|
||||
```
|
||||
$ curl http://localhost:8000/api/secrets/secrets/?limit=3 \
|
||||
-H "Authorization: Token c639d619ecbeb1f3055c4141ba6870e20572edd7" \
|
||||
-H "Accept: application/json; indent=4" \
|
||||
-H "X-Session-Key: dyEnxlc9lnGzaOAV1dV/xqYPV63njIbdZYOgnAlGPHk="
|
||||
{
|
||||
"count": 3482,
|
||||
"next": "http://localhost:8000/api/secrets/secrets/?limit=3&offset=3",
|
||||
"previous": null,
|
||||
"results": [
|
||||
{
|
||||
"id": 2587,
|
||||
...
|
||||
"plaintext": "foobar",
|
||||
...
|
||||
},
|
||||
{
|
||||
"id": 2588,
|
||||
...
|
||||
"plaintext": "MyP@ssw0rd!",
|
||||
...
|
||||
},
|
||||
{
|
||||
"id": 2589,
|
||||
...
|
||||
"plaintext": "AnotherSecret!",
|
||||
...
|
||||
},
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
# Creating Secrets
|
||||
|
||||
Session keys are also used to decrypt new or modified secrets. This is done by setting the `plaintext` field of the submitted object:
|
||||
|
||||
```
|
||||
$ curl -X POST http://localhost:8000/api/secrets/secrets/ \
|
||||
-H "Content-Type: application/json" \
|
||||
-H "Authorization: Token c639d619ecbeb1f3055c4141ba6870e20572edd7" \
|
||||
-H "Accept: application/json; indent=4" \
|
||||
-H "X-Session-Key: dyEnxlc9lnGzaOAV1dV/xqYPV63njIbdZYOgnAlGPHk=" \
|
||||
--data '{"device": 1827, "role": 1, "name": "backup", "plaintext": "Drowssap1"}'
|
||||
{
|
||||
"id": 2590,
|
||||
"device": 1827,
|
||||
"role": 1,
|
||||
"name": "backup",
|
||||
"plaintext": "Drowssap1"
|
||||
}
|
||||
```
|
||||
|
||||
!!! note
|
||||
Don't forget to include the `Content-Type: application/json` header when making a POST request.
|
||||
Reference in New Issue
Block a user