How to use a secret within a config template #102
Unanswered. jhofmueller asked this question in Q&A.
Hello. To do this you need at least access to the request, where the session_key cookie or header may reside. I don't know whether you can access the request in config templates, but custom scripts can do that. So, my solution is using custom scripts (https://demo.netbox.dev/static/docs/customization/custom-scripts/) like this:

```python
import base64

from dcim.models import Device
from extras.scripts import Script
from netbox_secrets import constants, exceptions
from netbox_secrets.models import SessionKey
from utilities.exceptions import AbortScript


class OxidizedExportScript(Script):
    class Meta:
        name = "Oxidized Export"
        description = "Exports oxidized config with secrets"

    def run(self, data, commit):
        output = []
        master_key = None

        # The session key arrives base64-encoded, either in the session
        # cookie or in the X-Session-Key request header.
        if self.request.user.is_authenticated:
            if constants.SESSION_COOKIE_NAME in self.request.COOKIES:
                session_key = base64.b64decode(self.request.COOKIES[constants.SESSION_COOKIE_NAME])
            elif 'HTTP_X_SESSION_KEY' in self.request.META:
                session_key = base64.b64decode(self.request.META['HTTP_X_SESSION_KEY'])
            else:
                session_key = None

            # Recover the master key from the requesting user's session key.
            if session_key is not None:
                try:
                    sk = SessionKey.objects.get(userkey__user=self.request.user)
                    master_key = sk.get_master_key(session_key)
                except (SessionKey.DoesNotExist, exceptions.InvalidKey):
                    raise AbortScript("Invalid session key.")

        # Without a master key no secret can be decrypted, so stop here
        # instead of failing inside secret.decrypt().
        if master_key is None:
            raise AbortScript("No session key provided.")

        for device in Device.objects.filter(status="active"):
            # Pick the first secret whose role matches the backup credentials role.
            secret = None
            for itm in device.secrets.all():
                if itm.role.name == "Backup credentionals":
                    secret = itm
                    break

            if device.status == "active" and device.primary_ip and secret is not None:
                secret.decrypt(master_key)
                attrs = [
                    device.name,
                    str(device.primary_ip.address.ip),
                    device.site.name,
                    device.role.name,
                    device.platform.manufacturer.name if device.platform else "None",
                    secret.name,
                    secret.plaintext if secret.plaintext else "None",
                ]
                # One colon-separated line per device; the last field is the plaintext secret.
                output.append(':'.join(attrs))

        return '\n'.join(output)
```

You can run it both from the UI and the API (after receiving session_key via
Hi all!
I managed to access the object from within a config template. The question now is how to decrypt the secret. How to access secrets has been answered here.