diff --git a/netbox/secrets/api/views.py b/netbox/secrets/api/views.py index e2874c9cc..aaf94f998 100644 --- a/netbox/secrets/api/views.py +++ b/netbox/secrets/api/views.py @@ -1,6 +1,7 @@ import base64 from Crypto.PublicKey import RSA +from django.core.urlresolvers import reverse from django.http import HttpResponseBadRequest from rest_framework.authentication import BasicAuthentication, SessionAuthentication @@ -113,11 +114,9 @@ class GetSessionKeyViewSet(ViewSet): curl -v -X POST -H "Authorization: Token " -H "Accept: application/json; indent=4" \\ --data-urlencode "private_key@" https://netbox/api/secrets/get-session-key/ - This request will yield a session key to be included in an `X-Session-Key` header in future requests, as well as its - expiration time: + This request will yield a base64-encoded session key to be included in an `X-Session-Key` header in future requests: { - "expiration_time": "2017-03-09T10:42:23.095267Z", "session_key": "+8t4SI6XikgVmB5+/urhozx9O5qCQANyOk1MNe6taRf=" } """ @@ -149,14 +148,17 @@ class GetSessionKeyViewSet(ViewSet): # Create a new SessionKey sk = SessionKey(user=request.user) sk.save(master_key=master_key) + encoded_key = base64.b64encode(sk.key) - # Return the session key both as JSON and as a cookie + # Craft the response response = Response({ - 'session_key': base64.b64encode(sk.key), - 'expiration_time': sk.expiration_time, + 'session_key': encoded_key, }) - # TODO: Limit cookie path to secrets API URLs - response.set_cookie('session_key', base64.b64encode(sk.key), expires=sk.expiration_time) + + # If token authentication is not in use, assign the session key as a cookie + if request.auth is None: + response.set_cookie('session_key', value=encoded_key, path=reverse('secrets-api:secret-list')) + return response diff --git a/netbox/secrets/migrations/0002_add_sessionkeys.py b/netbox/secrets/migrations/0002_add_sessionkeys.py index c4b848b35..139b68331 100644 --- a/netbox/secrets/migrations/0002_add_sessionkeys.py 
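Review bot: The new `set_cookie` call hands the browser the session key that unlocks the master key, yet it sets neither `httponly` nor `secure`, so the value is readable from page script and, unless the deployment forces HTTPS, is sent over plain HTTP; the line should read `response.set_cookie('session_key', value=encoded_key, path=reverse('secrets-api:secret-list'), httponly=True, secure=settings.SESSION_COOKIE_SECURE)` (adding `from django.conf import settings` if the module does not already import it). Dropping `expires=` also turns it into a browser-session cookie, and with `expiration_time` removed from `SessionKey` elsewhere in this commit nothing visible here bounds how long either the cookie or the stored key stays valid, so a `max_age=` tied to a configurable limit is worth keeping in place of the removed TODO. DRF's `BasicAuthentication` also leaves `request.auth` as `None`, so the comment "If token authentication is not in use" matches the check but the cookie will be set for Basic-authenticated clients too, which appears harmless but could be stated in the comment. The enclosing method starts outside the hunk.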
+++ b/netbox/secrets/migrations/0002_add_sessionkeys.py @@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -# Generated by Django 1.10.4 on 2017-02-03 17:10 +# Generated by Django 1.10.6 on 2017-03-14 14:46 from __future__ import unicode_literals from django.conf import settings @@ -22,7 +22,6 @@ class Migration(migrations.Migration): ('cipher', models.BinaryField(max_length=512)), ('hash', models.CharField(editable=False, max_length=128)), ('created', models.DateTimeField(auto_now_add=True)), - ('expiration_time', models.DateTimeField(blank=True, editable=False, null=True)), ('user', models.OneToOneField(editable=False, on_delete=django.db.models.deletion.CASCADE, related_name='session_key', to=settings.AUTH_USER_MODEL)), ], options={ diff --git a/netbox/secrets/models.py b/netbox/secrets/models.py index 8542c9bf3..f51fdd664 100644 --- a/netbox/secrets/models.py +++ b/netbox/secrets/models.py @@ -1,4 +1,3 @@ -import datetime import os from Crypto.Cipher import AES, PKCS1_OAEP, XOR from Crypto.PublicKey import RSA @@ -9,7 +8,6 @@ from django.contrib.auth.models import Group, User from django.core.exceptions import ValidationError from django.core.urlresolvers import reverse from django.db import models -from django.utils import timezone from django.utils.encoding import force_bytes, python_2_unicode_compatible from dcim.models import Device @@ -192,7 +190,6 @@ class SessionKey(models.Model): cipher = models.BinaryField(max_length=512, editable=False) hash = models.CharField(max_length=128, editable=False) created = models.DateTimeField(auto_now_add=True) - expiration_time = models.DateTimeField(blank=True, null=True, editable=False) key = None 
@@ -217,10 +214,6 @@ class SessionKey(models.Model): # Encrypt master key using the session key self.cipher = xor_keys(self.key, master_key) - # Calculate expiration time - # TODO: Define a SESSION_KEY_MAX_AGE configuration setting - self.expiration_time = timezone.now() + datetime.timedelta(hours=12) - super(SessionKey, self).save(*args, **kwargs) def get_master_key(self, session_key):