Onemind-Services-LLC / netbox-secrets

Enhance your secret management with encrypted storage and flexible, user-friendly features.
Apache License 2.0

[Bug]: /get-session-key/ does not accept query string parameter ?preserve_key=True any more #65

Closed uedvt359 closed 1 year ago

uedvt359 commented 1 year ago

NetBox Secrets plugin version

v1.8.1

NetBox version

v3.5.2

Steps to Reproduce

This seems to have been broken with 1.8.x, it worked in 1.7.x. The problem is that if one user (e.g. some automation system) requests multiple session keys, it MUST specify preserve_key=True or only the last requested session key will work.

This very big commit (https://github.com/Onemind-Services-LLC/netbox-secrets/commit/84cb21b9d320d9c3d7dae83d8cccdf509204e414) has removed the support for the query string version; now only adding it to the json payload is supported, as can be seen here: https://github.com/Onemind-Services-LLC/netbox-secrets/commit/84cb21b9d320d9c3d7dae83d8cccdf509204e414#diff-9990b46add1ad8ae1af4d8e4ee578166248d807cff0d20ba7724fa400e71388dR338

It seems that we can't update to the new endpoint /session-keys/, since accessing it from the api always returns {"detail":"You do not have permission to perform this action."} (403). But there is no permission to enable it in the admin space.

Note that to get this to work at all, I had to apply this workaround for #60: https://github.com/Onemind-Services-LLC/netbox-secrets/pull/64/files

Expected Behavior

The preserved session key should be returned if the query parameter is set. Even though the endpoint is declared deprecated, it should still work (especially if the replacement doesn't)

Observed Behavior

A new key is generated, even when the query parameter is set.

abhi1693 commented 1 year ago

This very big commit (https://github.com/Onemind-Services-LLC/netbox-secrets/commit/84cb21b9d320d9c3d7dae83d8cccdf509204e414) has removed the support for the query string version

Since this fork has been publicly released, the preserve_key has been in the JSON payload but it was not working as expected and was not throwing any issues when wrong values were passed to it. It pretty much always defaulted to true no matter what. You can see this in the 1st public release here

https://github.com/Onemind-Services-LLC/netbox-secrets/blob/v1.4.0/netbox_secrets/api/views.py#L181 And the same is in the latest release here, with the exception that it now properly validates the value: https://github.com/Onemind-Services-LLC/netbox-secrets/blob/v1.8.1/netbox_secrets/api/views.py#L187

The issue that you are facing is with the get_queryset not returning the expected value which #64 attempts to solve but that too can cause various other issues in the future.

I'll be fixing this tonight and rolling out a release soon to get this working for NetBox v3.5.

It seems that we can't update to the new endpoint /session-keys/, since accessing it from the api always returns {"detail":"You do not have permission to perform this action."} (403).

The new endpoint was created to provide the NetBox standard way of providing serialized data. So, it is currently behind the standard NetBox API token authentication.

But there is no permission to enable it in the admin space.

And, I see it on the permissions page. [screenshot]

uedvt359 commented 1 year ago

But there is no permission to enable it in the admin space. And, I see it on the permissions page.

What I meant was that the permission you screenshotted is active for the user, but it still produces an error.

abhi1693 commented 1 year ago

Please try v1.8.2 if that solves the issue for you. If you are still facing the 403 status code, please provide more detailed steps to reproduce the issue.

mlorentz75 commented 1 year ago

Netbox 3.5.2 / Secrets 1.8.2 here. When calling the endpoint from outside of Netbox, using Token authentication, I'm able to reproduce it. This breaks working with secrets from outside Netbox.

I'm using Ansible's uri module to query Netbox like this:

  - name: get session key to decrypt secrets
    ansible.builtin.uri:
      url: "{{ lookup('env','NETBOX_API') }}/api/plugins/secrets/session-keys/"
      headers:
        Authorization: "Token {{ lookup('env','NETBOX_TOKEN') }}"
      method: POST
      body_format: json
      body:
        private_key: "{{ lookup('env','NETBOX_PRIVATE_KEY') }}"
    register: session_key_req

This always returns 403 You do not have permission to perform this action even when the user the token belongs to has all permissions on all models.

abhi1693 commented 1 year ago

@mlorentz75 Please provide detailed steps to reproduce the issue using REST API calls instead that anyone can reproduce. Your example does not constitute any information about how the user is set up, what permissions have been assigned to it.

mlorentz75 commented 1 year ago

I'm glad to come up with any information needed to reproduce. Here's an attempt using curl.

This is the token used to authenticate against the REST API.

$ curl -H "Authorization: Token $NETBOX_TOKEN" "$NETBOX_API/api/users/tokens/?user=martin.lorentz@netcom-kassel.de" | jq .results[0]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   584  100   584    0     0   3280      0 --:--:-- --:--:-- --:--:--  3262
{
  "id": 30,
  "url": "https://netboxdev.<blah>/api/users/tokens/30/",
  "display": "f2<blah>8f",
  "user": {
    "id": 1,
    "url": "https://netboxdev.<blah>/api/users/users/1/",
    "display": "martin.lorentz@netcom-kassel.de (Martin Lorentz)",
    "username": "martin.lorentz@netcom-kassel.de"
  },
  "created": "2023-05-31T17:44:28.898154+02:00",
  "expires": null,
  "last_used": "2023-06-01T09:19:00.421257+02:00",
  "key": "f2<blah>8f",
  "write_enabled": false,
  "description": "",
  "allowed_ips": []
}

That account is active, has staff and admin bits set, is a member of the "admin" group with these permissions assigned:

[screenshot]

Upon trying to request a session key, this happens:

curl -X POST $NETBOX_API/api/plugins/secrets/session-keys/ -H "Authorization: Token $NETBOX_TOKEN" -H "Accept: application/json; indent=4" --data-urlencode "private_key@netbox_private_key.tmp"
{
    "detail": "You do not have permission to perform this action."
}

A similar request to the legacy ../get-session-key/ endpoint of netbox_secretstore used to work fine.

abhi1693 commented 1 year ago

@mlorentz75 I've not tested this but I think you'd need a write token to be able to create a session key.

I think the legacy API used to work because it was not doing this validation properly.

uedvt359 commented 1 year ago

you mean this on https://netbox/admin/users/token/?

[screenshot]

The token we are using is write-enabled, but still throws this error. The user that owns the token has the following object permissions for secrets (note that it has actions=view only): [screenshot]

Also, why would the token need to be writable, just to *read* secrets?

abhi1693 commented 1 year ago

To read the secret, you need to create the session key, so it doesn't make sense to only have view access to it. That's the wrong implementation IMO

mlorentz75 commented 1 year ago

@mlorentz75 I've not tested this but I think you'd need a write token to be able to create a session key.

Yep. That did the trick. Thanks.
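As an added illustration of what the thread converged on (this is example code written here, not code from the netbox-secrets project or from any participant), the script below requests a session key from /api/plugins/secrets/session-keys/ with preserve_key in the JSON body rather than the query string, reads the calling token's write_enabled flag from /api/users/tokens/<id>/ (the shape shown in the curl output above), and turns a 403 into an actionable message. The host name, token value, token id 30 and the private-key text are placeholders, and the fake transport returns constructed responses so the logic can be checked offline; pass the real urllib transport against a live NetBox.

```python
"""Request a netbox-secrets session key over the REST API and explain a 403.

Added example, not code from the netbox-secrets project or from the thread.
It assumes only what the thread shows: /api/plugins/secrets/session-keys/
takes private_key (and preserve_key) in a JSON body, /api/users/tokens/<id>/
reports a write_enabled flag, and a read-only token yields a 403 when creating
a session key. The HTTP transport is injectable so the logic runs offline.
"""
import json
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, headers, body) -> (status, response_text)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, str]:
    """Real transport using the standard library; HTTP errors become (status, body)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def _auth_headers(token: str) -> Dict[str, str]:
    return {"Authorization": f"Token {token}", "Accept": "application/json"}


def request_session_key(api_base: str, token: str, private_key_pem: str,
                        preserve_key: bool = True,
                        send: Transport = urllib_transport) -> Tuple[int, Optional[dict]]:
    """POST the private key to /session-keys/ and return (status, parsed JSON or None).

    preserve_key is sent in the JSON body, which is what 1.8.x validates; the old
    ?preserve_key=True query-string form is no longer honoured. Keeping it True
    matters when one account (an automation user) requests keys from several
    places, otherwise each new request invalidates the previous key.
    """
    headers = dict(_auth_headers(token), **{"Content-Type": "application/json"})
    body = json.dumps({"private_key": private_key_pem,
                       "preserve_key": preserve_key}).encode()
    status, text = send("POST", f"{api_base}/api/plugins/secrets/session-keys/",
                        headers, body)
    try:
        payload = json.loads(text) if text else None
    except json.JSONDecodeError:
        payload = None
    return status, payload


def token_write_enabled(api_base: str, token: str, token_id: int,
                        send: Transport = urllib_transport) -> Optional[bool]:
    """Read write_enabled for one token from /api/users/tokens/<id>/ (None if unreadable)."""
    status, text = send("GET", f"{api_base}/api/users/tokens/{token_id}/",
                        _auth_headers(token), None)
    if status != 200:
        return None
    return bool(json.loads(text).get("write_enabled", False))


def diagnose(status: int, payload: Optional[dict], write_enabled: Optional[bool]) -> str:
    """Map the session-key response plus the token's write flag to an actionable message."""
    if status in (200, 201):
        return "ok"
    if status == 403:
        if write_enabled is False:
            return ("403: token is read-only (write_enabled=false); creating a session key "
                    "needs a write-enabled token even if you only intend to read secrets")
        if write_enabled is True:
            return "403: token can write; check the user's object permissions on session keys"
        return "403: could not read the token's write_enabled flag; verify token and permissions"
    detail = payload.get("detail") if isinstance(payload, dict) else payload
    return f"unexpected status {status}: {detail}"


# --- constructed responses for an offline run (not captured from a real NetBox) ---
def fake_transport_readonly(method, url, headers, body):
    """Mimics the thread: token 30 is read-only and /session-keys/ answers 403."""
    if url.endswith("/api/users/tokens/30/"):
        return 200, json.dumps({"id": 30, "write_enabled": False})
    if url.endswith("/api/plugins/secrets/session-keys/"):
        assert json.loads(body)["preserve_key"] is True  # in the body, not the query string
        return 403, json.dumps({"detail": "You do not have permission to perform this action."})
    return 404, ""


def demo() -> str:
    """Run the offline scenario and return the diagnosis string."""
    api, tok = "https://netbox.example.invalid", "placeholder-token"  # placeholders
    status, payload = request_session_key(api, tok, "-----BEGIN PLACEHOLDER KEY-----",
                                          send=fake_transport_readonly)
    flag = token_write_enabled(api, tok, 30, send=fake_transport_readonly)
    return diagnose(status, payload, flag)


if __name__ == "__main__":
    print(demo())
```

Against a live instance, call request_session_key and token_write_enabled without the send argument so urllib_transport is used; the token id comes from the /api/users/tokens/ listing, as in the curl output earlier in the thread.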