Closed uedvt359 closed 1 year ago
> This very big commit (https://github.com/Onemind-Services-LLC/netbox-secrets/commit/84cb21b9d320d9c3d7dae83d8cccdf509204e414) has removed the support for the query string version

Since this fork has been publicly released, the preserve_key has been in the JSON payload, but it was not working as expected and was not throwing any issues when wrong values were passed to it. It pretty much always defaulted to true no matter what.
You can see this in the 1st public release here
https://github.com/Onemind-Services-LLC/netbox-secrets/blob/v1.4.0/netbox_secrets/api/views.py#L181

And the same is in the latest release here, with the exception that it now properly validates the value: https://github.com/Onemind-Services-LLC/netbox-secrets/blob/v1.8.1/netbox_secrets/api/views.py#L187

The issue that you are facing is with the get_queryset not returning the expected value, which #64 attempts to solve, but that too can cause various other issues in the future.
I'll be fixing this tonight and rolling out a release soon to get this working for NetBox v3.5.
> It seems that we can't update to the new endpoint /session-keys/, since accessing it from the API always returns {"detail":"You do not have permission to perform this action."} (403).
The new endpoint was created to provide the NetBox standard way of providing serialized data. So, it is currently behind the standard NetBox API token authentication.
> But there is no permission to enable it in the admin space.

And, I see it on the permissions page.

> But there is no permission to enable it in the admin space. And, I see it on the permissions page.

What I meant was that the permission you screenshotted is active for the user, but it still produces an error.
Please try v1.8.2 if that solves the issue for you. If you are still facing the 403 status code, please provide more detailed steps to reproduce the issue.
Netbox 3.5.2 / Secrets 1.8.2 here. When calling the endpoint from outside of Netbox, using Token authentication, I'm able to reproduce it. This breaks working with secrets from outside Netbox.
I'm using Ansible's uri module to query NetBox like this:

```yaml
- name: get session key to decrypt secrets
  ansible.builtin.uri:
    url: "{{ lookup('env','NETBOX_API') }}/api/plugins/secrets/session-keys/"
    headers:
      Authorization: "Token {{ lookup('env','NETBOX_TOKEN') }}"
    method: POST
    body_format: json
    body:
      private_key: "{{ lookup('env','NETBOX_PRIVATE_KEY') }}"
  register: session_key_req
```

This always returns 403 "You do not have permission to perform this action", even when the user the token belongs to has all permissions on all models.
@mlorentz75 Please provide detailed steps to reproduce the issue using REST API calls instead, so that anyone can reproduce it. Your example does not give any information about how the user is set up or what permissions have been assigned to it.
I'm glad to come up with any information needed to reproduce. Here's an attempt using curl.
This is the token used to authenticate against the REST API:

```
$ curl -H "Authorization: Token $NETBOX_TOKEN" "$NETBOX_API/api/users/tokens/?user=martin.lorentz@netcom-kassel.de" | jq .results[0]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   584  100   584    0     0   3280      0 --:--:-- --:--:-- --:--:--  3262
{
  "id": 30,
  "url": "https://netboxdev.<blah>/api/users/tokens/30/",
  "display": "f2<blah>8f",
  "user": {
    "id": 1,
    "url": "https://netboxdev.<blah>/api/users/users/1/",
    "display": "martin.lorentz@netcom-kassel.de (Martin Lorentz)",
    "username": "martin.lorentz@netcom-kassel.de"
  },
  "created": "2023-05-31T17:44:28.898154+02:00",
  "expires": null,
  "last_used": "2023-06-01T09:19:00.421257+02:00",
  "key": "f2<blah>8f",
  "write_enabled": false,
  "description": "",
  "allowed_ips": []
}
```
That account is active, has staff and admin bits set, is a member of the "admin" group with these permissions assigned:
Upon trying to request a session key, this happens:

```
$ curl -X POST $NETBOX_API/api/plugins/secrets/session-keys/ -H "Authorization: Token $NETBOX_TOKEN" -H "Accept: application/json; indent=4" --data-urlencode "private_key@netbox_private_key.tmp"
{
    "detail": "You do not have permission to perform this action."
}
```
A similar request to the legacy ../get-session-key/ endpoint of netbox_secretstore used to work fine.
@mlorentz75 I've not tested this but I think you'd need a write token to be able to create a session key.
I think the legacy API used to work because it was not doing this validation properly.
You mean this on https://netbox/admin/users/token/ ?

The token we are using is write-enabled, but still throws this error. The user that owns the token has the following object permissions for secrets (note that it has actions=view only):
Also, why would the token need to be writable, just to *read* secrets?
To read the secret, you need to create the session key, so it doesn't make sense to only have view access to it. That's the wrong implementation IMO
> @mlorentz75 I've not tested this but I think you'd need a write token to be able to create a session key.

Yep. That did the trick. Thanks.
NetBox Secrets plugin version: v1.8.1

NetBox version: v3.5.2

Steps to Reproduce
This seems to have been broken with 1.8.x, it worked in 1.7.x. The problem is that if one user (e.g. some automation system) requests multiple session keys, it MUST specify preserve_key=True or only the last requested session key will work.
This very big commit (https://github.com/Onemind-Services-LLC/netbox-secrets/commit/84cb21b9d320d9c3d7dae83d8cccdf509204e414) has removed the support for the query string version; now only adding it to the json payload is supported, as can be seen here: https://github.com/Onemind-Services-LLC/netbox-secrets/commit/84cb21b9d320d9c3d7dae83d8cccdf509204e414#diff-9990b46add1ad8ae1af4d8e4ee578166248d807cff0d20ba7724fa400e71388dR338
It seems that we can't update to the new endpoint /session-keys/, since accessing it from the API always returns {"detail":"You do not have permission to perform this action."} (403). But there is no permission to enable it in the admin space. Note that to get this to work at all, I had to apply this workaround for #60: https://github.com/Onemind-Services-LLC/netbox-secrets/pull/64/files
Expected Behavior
The preserved session key should be returned if the query parameter is set. Even though the endpoint is declared deprecated, it should still work (especially if the replacement doesn't)
Observed Behavior
A new key is generated, even when the query parameter is set.
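The two points this thread settles on are that `preserve_key` now has to travel in the JSON body rather than the query string, and that the session-keys endpoint answers 403 when the token is not write-enabled. The client below is an added example, not code from netbox-secrets or from anyone in this thread. It builds the POST exactly as the Ansible task above does, keeps the HTTP transport pluggable so it can be exercised offline against a constructed fake server, and turns the 403 into an actionable error. The response field name `session_key` and the fake server's rules are assumptions made for the example.

```python
"""Request a netbox-secrets session key over the REST API (added example)."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

# A transport takes (url, headers, body) and returns (status, response text).
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, str]]


class SessionKeyError(Exception):
    """Raised when the session-keys endpoint does not hand back a key."""


def urllib_transport(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Real transport: POST with urllib, returning the status even on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def request_session_key(api_base: str, token: str, private_key_pem: str,
                        preserve_key: bool = True,
                        transport: Transport = urllib_transport) -> str:
    """POST to /api/plugins/secrets/session-keys/ and return the session key.

    preserve_key is sent as a JSON boolean in the body; the v1.8.x endpoint no
    longer reads it from the query string, so appending ?preserve_key=true
    would silently get you a fresh key every call.
    """
    url = api_base.rstrip("/") + "/api/plugins/secrets/session-keys/"
    headers = {
        "Authorization": f"Token {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    payload = {"private_key": private_key_pem, "preserve_key": bool(preserve_key)}
    status, text = transport(url, headers, json.dumps(payload).encode())
    if status == 403:
        # This is the symptom from the thread: the token must be write-enabled
        # to create a session key, even if you only intend to read secrets.
        raise SessionKeyError(
            "403 from session-keys endpoint: check that the API token is "
            "write-enabled and the user may create session keys")
    if status >= 400:
        raise SessionKeyError(f"HTTP {status}: {text}")
    data = json.loads(text)
    if "session_key" not in data:  # assumed response shape
        raise SessionKeyError(f"unexpected response: {text}")
    return data["session_key"]


# ---- constructed fake server, for offline use of the client above ----------
FAKE_WRITE_TOKENS = {"rw-token-constructed"}  # constructed sample token
FAKE_PRESERVED_KEY = "preserved-key-constructed"
_fake_counter = {"fresh": 0}


def fake_netbox_transport(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Mimics the behaviour described in the thread (constructed, not NetBox)."""
    parts = urlsplit(url)
    if parts.path != "/api/plugins/secrets/session-keys/":
        return 404, json.dumps({"detail": "Not found."})
    token = headers.get("Authorization", "").removeprefix("Token ")
    if token not in FAKE_WRITE_TOKENS:
        return 403, json.dumps({"detail": "You do not have permission to perform this action."})
    payload = json.loads(body)
    if "private_key" not in payload:
        return 400, json.dumps({"private_key": ["This field is required."]})
    # Only the JSON-body flag is honoured; the query string is ignored.
    if payload.get("preserve_key") is True:
        return 200, json.dumps({"session_key": FAKE_PRESERVED_KEY})
    _fake_counter["fresh"] += 1
    return 200, json.dumps({"session_key": f"fresh-key-{_fake_counter['fresh']}"})


def demo() -> Dict[str, str]:
    """Shows preserved vs fresh keys and the 403 for a read-only token."""
    pem = "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----"
    out = {}
    out["first"] = request_session_key("https://netbox.example", "rw-token-constructed",
                                       pem, True, fake_netbox_transport)
    out["second"] = request_session_key("https://netbox.example", "rw-token-constructed",
                                        pem, True, fake_netbox_transport)
    try:
        request_session_key("https://netbox.example", "ro-token-constructed",
                            pem, True, fake_netbox_transport)
        out["readonly"] = "no error"
    except SessionKeyError as err:
        out["readonly"] = str(err)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point the real transport at your instance by calling `request_session_key(api_base, token, pem)` without the `transport` argument; the fake transport exists only so the preserve/fresh distinction and the 403 path can be seen without a NetBox server.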