starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-11 21:10:29 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

Secret role restrictions not enforced via API #3315

New Issue
Closed
opened 2025-12-29 18:27:38 +01:00 by adam · 2 comments
adam commented 2025-12-29 18:27:38 +01:00
Owner
Copy Link

Originally created by @anatole-tol on GitHub (Feb 12, 2020).

Originally assigned to: @jeremystretch on GitHub.

Environment

  • Python version: 3.6.8
  • NetBox version: 2.7.4

(seen also in this comment https://github.com/netbox-community/netbox/issues/2869#issuecomment-584106870 on closed ticket )

Steps to Reproduce

  1. Create a non admin account with granted all secret* permission (in my case it's thru and AD account and group)
  2. Add public key to account
  3. Activate public key with an admin acount
  4. User try to see a secret (unlock button is stil grey even after log off log on)
  5. Go on one secret page (/secrets/secrets/$secret-id/)
  6. we've got warning message : "you do not have permission to view secret"
  7. clic on edit button
  8. unlock button is now green and works

Expected Behavior

step 4 : unlock button is green and permit to add private key to session then see password
step 6 : unlock button is green and permit to add private key to session then see password

Observed Behavior

step 4 : unlock button is stil grey and permission deny message when try to use it
step 6 : we've got warning message : "you do not have permission to view secret"

The fact that we can see secret in step 8 is also an issue as the permission should works exactly the same way in any view.

Best regards,
Al

Originally created by @anatole-tol on GitHub (Feb 12, 2020). Originally assigned to: @jeremystretch on GitHub. ### Environment * Python version: 3.6.8 * NetBox version: 2.7.4 (seen also in this comment https://github.com/netbox-community/netbox/issues/2869#issuecomment-584106870 on closed ticket ) ### Steps to Reproduce 1. Create a non admin account with granted all secret* permission (in my case it's thru and AD account and group) 2. Add public key to account 3. Activate public key with an admin acount 4. User try to see a secret (unlock button is stil grey even after log off log on) 5. Go on one secret page (/secrets/secrets/$secret-id/) 6. we've got warning message : "you do not have permission to view secret" 7. clic on edit button 8. **unlock button is now green and works** ### Expected Behavior step 4 : unlock button is green and permit to add private key to session then see password step 6 : unlock button is green and permit to add private key to session then see password ### Observed Behavior step 4 : unlock button is stil grey and permission deny message when try to use it step 6 : we've got warning message : "you do not have permission to view secret" The fact that we can see secret in step 8 is also an issue as the permission should works exactly the same way in any view. Best regards, Al
adam added the type: bugstatus: accepted labels 2025-12-29 18:27:38 +01:00
adam closed this issue 2025-12-29 18:27:38 +01:00
adam commented 2025-12-29 18:27:38 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Feb 12, 2020):

The root issue here is that secret role assignment is not being enforced on API calls. When you create a secret, it must be assigned to a role. This role is assigned certain users and/or groups which have permission to decrypt the secrets belonging to it. Users which don't belong to the role should not be able to decrypt the secret.

Everything above is correct until step eight: The user should not be given the option to decrypt the secret, assuming he has not been assigned to the secret's role. Further, decryption via the API should fail, and it currently does not.

We'll need to take measures to ensure that

  1. The UI displays the "unlock" button only if the user belongs to the secret's role, and
  2. Secrets retrieved via the API are decrypted only if the user belongs to the secret's role.
@jeremystretch commented on GitHub (Feb 12, 2020): The root issue here is that secret role assignment is not being enforced on API calls. When you create a secret, it must be assigned to a role. This role is assigned certain users and/or groups which have permission to decrypt the secrets belonging to it. Users which don't belong to the role should not be able to decrypt the secret. Everything above is correct until step eight: The user should not be given the option to decrypt the secret, assuming he has not been assigned to the secret's role. Further, decryption via the API should fail, and it currently does not. We'll need to take measures to ensure that 1) The UI displays the "unlock" button only if the user belongs to the secret's role, and 2) Secrets retrieved via the API are decrypted _only_ if the user belongs to the secret's role.
adam commented 2025-12-29 18:27:38 +01:00
Author
Owner
Copy Link

@anatole-tol commented on GitHub (Feb 12, 2020):

This answer is awesome.

It's permit me to find how to manage access to some passwords and not the other one. I was searching for it and just found how to : edit secret role, i did not find it previously.

Thanks!

@anatole-tol commented on GitHub (Feb 12, 2020): This answer is awesome. It's permit me to find how to manage access to some passwords and not the other one. I was searching for it and just found how to : edit secret role, i did not find it previously. Thanks!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label status: accepted type: bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#3315
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?