From b9befbc0ab3a553f5a102e4076dcd924227c930f Mon Sep 17 00:00:00 2001 From: Radomir Dopieralski Date: Mon, 25 Mar 2024 12:10:11 +0100 Subject: [PATCH] Pass the auth_key for volume transfer in the session, not in the URL We don't want sensitive data in the URLs. Change-Id: I9085eb146b8f013909f6369b731c076aba3216ab --- .../dashboards/project/volumes/forms.py | 19 ++++---- .../dashboards/project/volumes/urls.py | 4 +- .../dashboards/project/volumes/views.py | 46 +++++++++---------- 3 files changed, 33 insertions(+), 36 deletions(-) diff --git a/openstack_dashboard/dashboards/project/volumes/forms.py b/openstack_dashboard/dashboards/project/volumes/forms.py index 3d89d365f..ce03f35e1 100644 --- a/openstack_dashboard/dashboards/project/volumes/forms.py +++ b/openstack_dashboard/dashboards/project/volumes/forms.py @@ -598,22 +598,19 @@ class CreateTransferForm(forms.SelfHandlingForm): return cleaned_name def handle(self, request, data): + volume_id = self.initial['volume_id'] try: - volume_id = self.initial['volume_id'] transfer = cinder.transfer_create(request, volume_id, data['name']) - - msg = _('Created volume transfer: "%s".') % data['name'] - messages.success(request, msg) - kwargs = { - 'transfer_id': transfer.id, - 'auth_key': transfer.auth_key - } - request.method = 'GET' - return self.next_view.as_view()(request, **kwargs) except Exception: redirect = reverse("horizon:project:volumes:index") exceptions.handle(request, _('Unable to create volume transfer.'), redirect=redirect) + else: + msg = _('Created volume transfer: "%s".') % data['name'] + messages.success(request, msg) + request.session['transfer-%s' % transfer.id] = transfer.auth_key + request.method = 'GET' + return self.next_view.as_view()(request, transfer_id=transfer.id) class AcceptTransferForm(forms.SelfHandlingForm): 
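Review bot: The session key `'transfer-%s' % transfer.id` written on the added `request.session[...] = transfer.auth_key` line is rebuilt by hand in four other places (ShowTransferForm.handle and the three lookups in views.py), so a drift in any one of them silently yields the empty-string default and a blank key in the details dialog. One module-level helper shared by both files, `def transfer_session_key(transfer_id): return 'transfer-%s' % transfer_id`, would keep the write and the reads in step. The line also deserves a comment on what it relies on: the key is only as private as the session backend — with Django's signed_cookies engine the session is signed but not encrypted, so the auth key still travels to the browser in the cookie, though no longer into referrers, history or access logs. Something like `# auth_key is held in the session, never in a URL, until ShowTransferForm.handle pops it; with a cookie-based session backend it is still sent to the client`.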
@@ -652,7 +649,7 @@ class ShowTransferForm(forms.SelfHandlingForm): required=False) def handle(self, request, data): - pass + request.session.pop('transfer-%s' % transfer.id, '') class UpdateForm(forms.SelfHandlingForm): diff --git a/openstack_dashboard/dashboards/project/volumes/urls.py b/openstack_dashboard/dashboards/project/volumes/urls.py index 47555bf49..505ccf7a4 100644 --- a/openstack_dashboard/dashboards/project/volumes/urls.py +++ b/openstack_dashboard/dashboards/project/volumes/urls.py @@ -36,7 +36,7 @@ urlpatterns = [ re_path(r'^accept_transfer/$', views.AcceptTransferView.as_view(), name='accept_transfer'), - re_path(r'^(?P[^/]+)/auth/(?P[^/]+)/$', + re_path(r'^(?P[^/]+)/$', views.ShowTransferView.as_view(), name='show_transfer'), re_path(r'^(?P[^/]+)/create_backup/$', @@ -63,7 +63,7 @@ urlpatterns = [ re_path(r'^(?P[^/]+)/encryption_detail/$', views.EncryptionDetailView.as_view(), name='encryption_detail'), - re_path(r'^(?P[^/]+)/download_creds/(?P[^/]+)$', + re_path(r'^(?P[^/]+)/download_creds/$', views.DownloadTransferCreds.as_view(), name='download_transfer_creds'), ] diff --git a/openstack_dashboard/dashboards/project/volumes/views.py b/openstack_dashboard/dashboards/project/volumes/views.py index d1a2027d2..fafaea0f8 100644 --- a/openstack_dashboard/dashboards/project/volumes/views.py +++ b/openstack_dashboard/dashboards/project/volumes/views.py 
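Review bot: `transfer` is not bound in ShowTransferForm.handle — the method receives only `self, request, data` and the hunk binds nothing else — so, unless a module-level `transfer` exists outside this view, the added `request.session.pop('transfer-%s' % transfer.id, '')` raises NameError the first time the dialog is submitted and the auth key is never cleared from the session. ShowTransferView.get_initial in this same patch seeds the form with `'id': transfer.id`, so the id is available as `request.session.pop('transfer-%s' % self.initial['id'], '')`. A short comment would also help: `# drop the auth key once the user has dismissed the details dialog`.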
@@ -448,34 +448,36 @@ class ShowTransferView(forms.ModalFormView): download_label = _("Download transfer credentials") page_title = _("Volume Transfer Details") + @memoized.memoized_method def get_object(self): + transfer_id = self.kwargs['transfer_id'] try: - return self._object - except AttributeError: - transfer_id = self.kwargs['transfer_id'] - try: - self._object = cinder.transfer_get(self.request, transfer_id) - return self._object - except Exception: - exceptions.handle(self.request, - _('Unable to retrieve volume transfer.')) + return cinder.transfer_get(self.request, transfer_id) + except Exception: + exceptions.handle(self.request, + _('Unable to retrieve volume transfer.')) def get_context_data(self, **kwargs): + transfer = self.get_object() + auth_key = self.request.session.get('transfer-%s' % transfer.id, '') context = super().get_context_data(**kwargs) - context['transfer_id'] = self.kwargs['transfer_id'] - context['auth_key'] = self.kwargs['auth_key'] - context['download_label'] = self.download_label - context['download_url'] = reverse( - 'horizon:project:volumes:download_transfer_creds', - args=[context['transfer_id'], context['auth_key']] - ) + context.update({ + 'transfer_id': transfer.id, + 'auth_key': auth_key, + 'download_label': self.download_label, + 'download_url': reverse( + 'horizon:project:volumes:download_transfer_creds', + args=[transfer.id] + ), + }) return context def get_initial(self): transfer = self.get_object() + auth_key = self.request.session.get('transfer-%s' % transfer.id, '') return {'id': transfer.id, 'name': transfer.name, - 'auth_key': self.kwargs['auth_key']} + 'auth_key': auth_key} class UpdateView(forms.ModalFormView): 
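Review bot: `get_context_data` dereferences `transfer.id` right after `self.get_object()`, but the memoized `get_object` returns None whenever `exceptions.handle` reports the failure without re-raising, so a Cinder error now surfaces as an AttributeError in the view (the old code used `self.kwargs['transfer_id']` here and did not depend on the API result). The session lookup and the `reverse(...)` argument only need the id from the URL, which is the same value the key was written under: `auth_key = self.request.session.get('transfer-%s' % self.kwargs['transfer_id'], '')` and `args=[self.kwargs['transfer_id']]`. The same lookup is repeated in `get_initial`; a small `_auth_key()` method on the view would keep the two in step. `get_object` could carry a docstring noting that the memoized result may be None after a handled API error, so callers guard before reading attributes.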
@@ -671,14 +673,12 @@ class EncryptionDetailView(generic.TemplateView): class DownloadTransferCreds(generic.View): @method_decorator(never_cache) - def get(self, request, transfer_id, auth_key): - try: - transfer = cinder.transfer_get(self.request, transfer_id) - except Exception: - transfer = None + def get(self, request, transfer_id): + transfer = cinder.transfer_get(self.request, transfer_id) + auth_key = request.session.get('transfer-%s' % transfer.id, '') context = {'transfer': { 'name': getattr(transfer, 'name', ''), - 'id': transfer_id, + 'id': transfer.id, 'auth_key': auth_key, }} response = shortcuts.render( -- 2.43.0
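Review bot: The try/except around `cinder.transfer_get` is dropped in the new `get`, so a Cinder error now escapes the download view as an unhandled exception instead of rendering an empty name — yet `getattr(transfer, 'name', '')` is kept, which only makes sense if `transfer` can still be None. The session key was written under the transfer id, which the URL already supplies, so neither the lookup nor the `'id'` field needs the API object; keying on `transfer_id` lets the guard come back without changing the rendered output. Note that the download does not remove the key from the session; it stays until ShowTransferForm.handle pops it, which is worth a comment here. The body of `get` continues past the hunk (the `shortcuts.render(` call).
```python
    def get(self, request, transfer_id):
        # Best-effort lookup: the auth key is keyed on the URL's id, so a
        # Cinder failure only blanks the name instead of breaking the download.
        try:
            transfer = cinder.transfer_get(self.request, transfer_id)
        except Exception:
            transfer = None
        # The key stays in the session until ShowTransferForm.handle pops it.
        auth_key = request.session.get('transfer-%s' % transfer_id, '')
        context = {'transfer': {
            'name': getattr(transfer, 'name', ''),
            'id': transfer_id,
            'auth_key': auth_key,
        }}
        # … unchanged: shortcuts.render(...) and the response …
```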