Allowed the ability to provide a static SECRET_KEY for use with CSRF protection (fixes #128)

2015-05-10 23:22:57 +10:00
parent 3f681da85d
commit 25df8c071a
4 changed files with 17 additions and 10 deletions
--- a/puppetboard/app.py
+++ b/puppetboard/app.py
@@ -1,7 +1,6 @@
 from __future__ import unicode_literals
 from __future__ import absolute_import

-import os
 import logging
 import collections
 try:
@@ -15,6 +14,7 @@ from flask import (
    Response, stream_with_context, redirect,
    request
    )
+from flask_wtf.csrf import CsrfProtect

 from pypuppetdb import connect

@@ -26,11 +26,13 @@ from puppetboard.utils import (


 app = Flask(__name__)
+CsrfProtect(app)
+
 app.config.from_object('puppetboard.default_settings')
 graph_facts = app.config['GRAPH_FACTS']
 app.config.from_envvar('PUPPETBOARD_SETTINGS', silent=True)
 graph_facts += app.config['GRAPH_FACTS']
-app.secret_key = os.urandom(24)
+app.secret_key = app.config['SECRET_KEY']

 app.jinja_env.filters['jsonprint'] = jsonprint

--- a/puppetboard/default_settings.py
+++ b/puppetboard/default_settings.py
@@ -1,9 +1,12 @@
+import os
+
 PUPPETDB_HOST = 'localhost'
 PUPPETDB_PORT = 8080
 PUPPETDB_SSL_VERIFY = True
 PUPPETDB_KEY = None
 PUPPETDB_CERT = None
 PUPPETDB_TIMEOUT = 20
+SECRET_KEY = os.urandom(24)
 DEV_LISTEN_HOST = '127.0.0.1'
 DEV_LISTEN_PORT = 5000
 DEV_COFFEE_LOCATION = 'coffee'
--- a/puppetboard/templates/query.html
+++ b/puppetboard/templates/query.html
@@ -4,29 +4,28 @@
 {% with messages = get_flashed_messages(with_categories=true) %}
 {% if messages %}
 {% for category, message in messages %}
-<div class="ui {{category}} message">
-  {{message}}
+<div class="ui {{ category }} message">
+  {{ message }}
 </div>
 {% endfor %}
 {% endif %}
 {% endwith %}
 <div class="ui form">
-  <form method="POST" action="{{ url_for('query')}}"
+  <form method="POST" action="{{ url_for('query') }}">
    {{ form.csrf_token }}
    <div class="field {% if form.query.errors %} error {% endif %}">
-      {{form.query(autofocus="autofocus", rows=5, placeholder="Enter your query: [\"=\", \"name\", \"hostname\"]. You may omit the opening and closing bracket.")}}
+      {{ form.query(autofocus="autofocus", rows=5, placeholder="Enter your query: [\"=\", \"name\", \"hostname\"]. You may omit the opening and closing bracket.") }}
    </div>
    <div class="inline fields">
      {% for subfield in form.endpoints %}
      <div class="field">
        <div class="ui radio checkbox">
-          {{subfield }}
-          {{subfield.label}}
+          {{ subfield }}
+          {{ subfield.label }}
        </div>
      </div>
      {% endfor %}
    </div>
-    {{ form.hidden_tag() }}
    <input type=submit class="ui submit button" value='Submit'>
    <input type=reset class="ui red submit button" value='Cancel'>
  </form>
@@ -36,7 +35,7 @@
 <div class="row">
  <div class="span12">
    <h2>Result</h2>
-      <pre><code>{{result|jsonprint}}</code></pre>
+      <pre><code>{{ result|jsonprint }}</code></pre>
  </div>
 </div>
 {% endif %}