Allowed the ability to provide a static SECRET_KEY for use with CSRF protection (fixes #128)

Fotis Gimian
2015-05-10 23:22:57 +10:00
parent 3f681da85d
commit 25df8c071a
4 changed files with 17 additions and 10 deletions


@@ -174,6 +174,8 @@ For information about how to generate the correct keys please refer to the
Other settings that might be interesting:
* ``SECRET_KEY``: Refer to `Flask documentation`_, section sessions: How to
generate good secret keys, to set the value.
* ``PUPPETDB_TIMEOUT``: Defaults to 20 seconds but you might need to increase
this value. It depends on how big the results are when querying PuppetDB.
This behaviour will change in a future release when pagination will be
@@ -188,6 +190,7 @@ Other settings that might be interesting:
a set of endpoints in PuppetDB. Change this to ``False`` to disable this.
.. _pypuppetdb documentation: http://pypuppetdb.readthedocs.org/en/v0.1.0/quickstart.html#ssl
.. _Flask documentation: http://flask.pocoo.org/docs/0.10/quickstart/#sessions
Puppet Enterprise
-----------------


@@ -1,7 +1,6 @@
from __future__ import unicode_literals
from __future__ import absolute_import
import os
import logging
import collections
try:
@@ -15,6 +14,7 @@ from flask import (
Response, stream_with_context, redirect,
request
)
from flask_wtf.csrf import CsrfProtect
from pypuppetdb import connect
@@ -26,11 +26,13 @@ from puppetboard.utils import (
app = Flask(__name__)
CsrfProtect(app)
app.config.from_object('puppetboard.default_settings')
graph_facts = app.config['GRAPH_FACTS']
app.config.from_envvar('PUPPETBOARD_SETTINGS', silent=True)
graph_facts += app.config['GRAPH_FACTS']
app.secret_key = os.urandom(24)
app.secret_key = app.config['SECRET_KEY']
app.jinja_env.filters['jsonprint'] = jsonprint
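Review bot: `CsrfProtect(app)` runs before `app.config.from_object(...)` and `app.config.from_envvar(...)`, so the extension is initialised against a configuration that has not been loaded yet. Depending on the Flask-WTF version, some `WTF_CSRF_*` options are read once at initialisation, in which case values set in the `PUPPETBOARD_SETTINGS` file would be silently ignored; moving the call below the two config loads avoids relying on that. Separately, `app.secret_key = app.config['SECRET_KEY']` looks redundant, because Flask already exposes `secret_key` as a view onto `config['SECRET_KEY']`. Nothing here rejects an empty or `None` override from the settings file, so a short check such as `if not app.config['SECRET_KEY']: raise RuntimeError('SECRET_KEY must be set')` would make that misconfiguration fail at start-up.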


@@ -1,9 +1,12 @@
import os
PUPPETDB_HOST = 'localhost'
PUPPETDB_PORT = 8080
PUPPETDB_SSL_VERIFY = True
PUPPETDB_KEY = None
PUPPETDB_CERT = None
PUPPETDB_TIMEOUT = 20
SECRET_KEY = os.urandom(24)
DEV_LISTEN_HOST = '127.0.0.1'
DEV_LISTEN_PORT = 5000
DEV_COFFEE_LOCATION = 'coffee'
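Review bot: The default `SECRET_KEY = os.urandom(24)` is evaluated once per import, so each worker process and each restart gets a different key unless the operator overrides it. Under a multi-process WSGI server a CSRF token issued by one worker would then fail validation on another, and sessions would not survive a restart. That is presumably the failure this commit lets operators work around, but the default gives no hint of it. I would add a comment above the line, e.g. `# Random per process: set a static, secret value in your PUPPETBOARD_SETTINGS file when running more than one worker.`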


@@ -11,7 +11,7 @@
{% endif %}
{% endwith %}
<div class="ui form">
<form method="POST" action="{{ url_for('query')}}"
<form method="POST" action="{{ url_for('query') }}">
{{ form.csrf_token }}
<div class="field {% if form.query.errors %} error {% endif %}">
{{ form.query(autofocus="autofocus", rows=5, placeholder="Enter your query: [\"=\", \"name\", \"hostname\"]. You may omit the opening and closing bracket.") }}
@@ -26,7 +26,6 @@
</div>
{% endfor %}
</div>
{{ form.hidden_tag() }}
<input type=submit class="ui submit button" value='Submit'>
<input type=reset class="ui red submit button" value='Cancel'>
</form>