View authentication and permission fixes #5464
changes/xxxx.added
@@ -0,0 +1 @@ | |||
Added `nautobot.apps.utils.get_url_for_url_pattern` and `nautobot.apps.utils.get_url_patterns` lookup functions. |
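Review bot: the changelog fragment is still named `changes/xxxx.added`, with the `xxxx` placeholder left in; rename it to match this PR's number (#5464) before merge so the fragment is picked up under the right entry.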
14 change log entries in 1 PR 😩
Yeah 😢 This one scope crept, but I think everything in it is still relevant/necessary.
yield from get_url_patterns(urlconf, item.url_patterns, base_path + str(item.pattern)) | ||
|
||
|
||
def get_url_for_url_pattern(url_pattern): |
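Review bot: `base_path + str(item.pattern)` in `get_url_patterns` assumes the string form of a pattern is a literal path prefix; for a regex-based include (`re_path`) Django's `str(pattern)` is the regular expression itself, so the route handed to `get_url_for_url_pattern` would carry `^`/`$` and group syntax rather than a path. Either reject regex-style patterns explicitly or state the route-only limitation in `get_url_for_url_pattern`'s docstring.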
Should this be get_valid_url_for_url_pattern or get_fake_url_for_url_pattern maybe?
I'd be fine with either.
\* with a very small number of known exceptions such as login and logout views. | ||
""" | ||
|
||
def test_all_views_require_authentication(self): |
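Review bot: the docstring's "such as login and logout views" leaves the set of exceptions open-ended; keep the exempt views in an explicit, enumerated allowlist inside `test_all_views_require_authentication` so that any newly added view that answers an anonymous request fails the test until it is deliberately added to that list.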
This would be a good test to expose to apps. Not blocking but should we write a generic test for this?
I do plan/want to add a generic test to the cookiecutter that takes in the app's urlconf and iterates/validates its url patterns, yeah. I like the idea of implementing the bulk of it in core rather than in the cookiecutter but that'll take some thinking about how to do it.
Is there a follow-up issue for that work?
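The generic "walk the urlconf and check that every view turns away an anonymous request" test discussed in this thread, written out as an added example; it is not Nautobot's code or the cookiecutter's. It assumes Django-style URL objects (a resolver exposes `.pattern` and `.url_patterns`, a leaf exposes `.pattern` and `.callback`, and `str(pattern)` is the route string), and it substitutes the `Route` stand-in, the view names, and `fake_client` for real Django objects so it runs offline; the routes are taken from the endpoints named in this PR's description, and `get_fake_url_for_url_pattern` uses one of the names floated above.

```python
"""Generic 'every view requires authentication' audit (added example, not Nautobot code).

Assumes Django-style URL objects: a resolver exposes `.pattern` and `.url_patterns`,
a leaf pattern exposes `.pattern` and `.callback`, and `str(pattern)` is the route string.
Route, the view names and fake_client are constructed stand-ins so this runs offline;
in a real test suite the client would be django.test.Client and the urlconf real.
"""
import re
import uuid
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# One syntactically valid placeholder per Django path converter.
_PLACEHOLDERS = {
    "uuid": str(uuid.UUID(int=0)),
    "int": "1",
    "str": "example",
    "slug": "example",
    "path": "a/b",
}
_CONVERTER_RE = re.compile(r"<(?:(?P<conv>\w+):)?(?P<name>\w+)>")


@dataclass
class Route:
    """Constructed stand-in for Django's URLPattern (leaf) / URLResolver (include)."""
    pattern: str
    callback: Optional[str] = None                              # view name, leaf only
    url_patterns: List["Route"] = field(default_factory=list)   # children, include only


def get_url_patterns(patterns, base_path="/") -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (full route string, view name) for every leaf, recursing into includes."""
    for item in patterns:
        if item.url_patterns:
            yield from get_url_patterns(item.url_patterns, base_path + str(item.pattern))
        else:
            yield base_path + str(item.pattern), item.callback


def get_fake_url_for_url_pattern(route: str) -> str:
    """Turn a route such as 'extras/job-results/<uuid:pk>/log-table/' into a concrete
    URL by substituting a valid placeholder for each converter.  Regex-style routes
    (re_path) are rejected rather than silently producing an unusable URL."""
    if route.startswith("^") or "(" in route:
        raise ValueError(f"regex-style pattern not supported: {route!r}")
    return _CONVERTER_RE.sub(lambda m: _PLACEHOLDERS[m.group("conv") or "str"], route)


def is_protected(status: int, location: str = "") -> bool:
    """Anonymous access counts as blocked on an outright 401/403 or a redirect to login."""
    if status in (401, 403):
        return True
    return status == 302 and "/login/" in location


def find_unauthenticated_views(patterns, client, exempt_views=frozenset()):
    """Return (url, view) pairs an anonymous client can reach, skipping an explicit
    allowlist of views that are meant to be public (login, logout, ...)."""
    exposed = []
    for route, view in get_url_patterns(patterns):
        if view in exempt_views:
            continue
        url = get_fake_url_for_url_pattern(route)
        status, location = client(url)
        if not is_protected(status, location):
            exposed.append((url, view))
    return exposed


# Constructed sample urlconf; routes mirror endpoints named in this PR, view names are made up.
SAMPLE_URLCONF = [
    Route("login/", callback="LoginView"),
    Route("extras/", url_patterns=[
        Route("job-results/<uuid:pk>/log-table/", callback="JobLogTableView"),
        Route("secrets/provider/<str:provider_slug>/form/", callback="SecretProviderFormView"),
    ]),
    Route("api/", url_patterns=[Route("graphql/", callback="GraphQLView")]),
]

# Constructed anonymous-request outcomes keyed by URL: (status code, Location header).
_FAKE_RESPONSES = {
    "/login/": (200, ""),
    "/extras/job-results/00000000-0000-0000-0000-000000000000/log-table/": (302, "/login/?next=/extras/"),
    "/extras/secrets/provider/example/form/": (200, ""),  # the kind of gap this PR closes
    "/api/graphql/": (403, ""),
}


def fake_client(url: str) -> Tuple[int, str]:
    """Stand-in for django.test.Client().get(url); returns (status, Location)."""
    return _FAKE_RESPONSES.get(url, (404, ""))


def run_audit():
    """Audit the sample urlconf; a non-empty result is what the real test would fail on."""
    return find_unauthenticated_views(SAMPLE_URLCONF, fake_client, exempt_views={"LoginView"})


if __name__ == "__main__":
    for url, view in run_audit():
        print(f"UNPROTECTED: {view} at {url}")
```

In a Django test the `client` argument would be `lambda url: (r := self.client.get(url)).status_code, r.get("Location", "")` over `get_resolver(urlconf).url_patterns`, and the test asserts that `find_unauthenticated_views(...)` returns an empty list. Treating a redirect as protected only when it lands on the login page matters: a view that redirects anonymous users somewhere else (for example to an object's detail page) would otherwise be counted as safe.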
logger.warning( | ||
"Something has changed an OrderedDefaultRouter's APIRootView attribute to a custom class. " | ||
"Please verify that class %s implements appropriate authentication controls.", | ||
self.APIRootView.__name__, |
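Review bot: `self.APIRootView.__name__` in the warning drops the module, so two apps defining classes with the same short name produce indistinguishable log lines; log `"%s.%s"` with `self.APIRootView.__module__` and `self.APIRootView.__qualname__` so the operator can find the class that needs its authentication controls verified.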
Should this include the full class path?
name = getattr(view, "name", None) | ||
if name is not None: | ||
return view.name |
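Review bot: `return view.name` re-reads the attribute after `name = getattr(view, "name", None)` was already bound and checked; return `name` so the value tested for `None` is the value returned, and the local binding is not dead code.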
Is there a reason this is not:
if getattr(view, "name", None) is not None:
return view.name
OR
name = getattr(view, "name", None)
if name is not None:
return name
Just looks weird to me as written?
Should be return name - transcription error on my part.
Just a couple nitpicks left but nothing blocking. This is great!
Closes GHSA-m732-wvh2-7cq4

What's Changed

Security fixes

- `/extras/job-results/<uuid:pk>/log-table/` now requires user authentication to access, and also enforces appropriate JobResult `view` permissions.
- `/extras/secrets/provider/<str:provider_slug>/form/` now requires user authentication to access.
- `/api/users/users/my-profile/`, `/api/users/users/session/`, `/api/users/tokens/authenticate/`, and `/api/users/tokens/logout/`, as they are unused at this time.
- `/api/graphql/` REST API endpoint now requires user authentication to execute GraphQL queries, even when `EXEMPT_VIEW_PERMISSIONS` is configured.
- `nautobot.apps.api.APIRootView` class now enforces user authentication by default. As a consequence, viewing the browsable REST API root endpoints (e.g. `/api/`, `/api/circuits/`, `/api/dcim/`, etc.) now requires user authentication.
- `/dcim/racks/<uuid>/dynamic-groups/`, `/dcim/devices/<uuid>/dynamic-groups/`, `/ipam/prefixes/<uuid>/dynamic-groups/`, `/ipam/ip-addresses/<uuid>/dynamic-groups/`, `/virtualization/clusters/<uuid>/dynamic-groups/`, and `/virtualization/virtual-machines/<uuid>/dynamic-groups/` now require user authentication, even when `EXEMPT_VIEW_PERMISSIONS` is configured.

Additional permissions enforcement

- `/api/dcim/connected-device/?peer_device=...&peer_interface=...` REST API endpoint now requires the requesting user to have `view` permission on the specified `peer_interface`.
- `/extras/git-repositories/<uuid:pk>/sync/` and `/extras/git-repositories/<uuid:pk>/dry-run/` have corrected permissions now: a user who has `change` permissions for a subset of Git repositories is no longer permitted to sync or dry-run other repositories for which they lack the appropriate permissions.
- `extras.view_note` permissions are now enforced for each note to display (this is consistent with how change log views for a model enforce `extras.view_objectchange` permissions).

Bug fixes, housekeeping, documentation

- `/dcim/<port-type>/<uuid>/connect/<termination_b_type>/` view endpoints with an invalid/nonexistent `termination_b_type` string.
- `nautobot.apps.api.OrderedDefaultRouter` class now accepts a `view_name` and/or `view_description` as parameters. Specifying these parameters is to be preferred over defining a custom `APIRootView` subclass when defining App API URLs.
- `ObjectPermissionRequiredMixin` or `LoginRequiredMixin` as appropriate best practices.
- Updated `example_plugin` to include `LoginRequiredMixin` as a best practice.

Screenshots

TODO