finalize the secret authentication page

titurius · Sep 13, 2018 · 443349e · 443349e
1 parent eca98ec
commit 443349e
Show file tree

Hide file tree

Showing 7 changed files with 13 additions and 12 deletions.
diff --git a/cuckoo/common/config.py b/cuckoo/common/config.py
@@ -222,8 +222,8 @@ class Config(object):
                     exists=True, writable=True, readable=False,
                     allow_empty=True
                 ),
-                "api_token": String(allow_empty=True),
-                "web_secret": String(allow_empty=True),
+                "api_token": String(allow_empty=True, sanitize=True),
+                "web_secret": String(allow_empty=True, sanitize=True),
                 "rooter": Path(
                     "/tmp/cuckoo-rooter",
                     exists=False, writable=False, readable=False

diff --git a/cuckoo/web/misc/views.py b/cuckoo/web/misc/views.py
@@ -3,12 +3,12 @@
 # See the file 'docs/LICENSE' for copying permission.
 
 from django.shortcuts import redirect
-from django.views.decorators.http import require_safe
+from django.views.decorators.http import require_http_methods
 
 from cuckoo.common.config import config
 from cuckoo.web.utils import render_template
 
-@require_safe
+@require_http_methods(["GET", "POST"])
 def secret(request):
     if request.method == "GET":
         return render_template(request, "secret.html")

diff --git a/cuckoo/web/src/scripts/secret.js b/cuckoo/web/src/scripts/secret.js
@@ -6,7 +6,7 @@ window.addEventListener('DOMContentLoaded', e => {
 
   const modal   = document.querySelector('.modal-cuckoo');
   const form    = modal.querySelector('form.modal-dialog');
-  const secret  = form.querySelector('input#cuckoo-secret');
+  const secret  = form.querySelector('input#secret');
   const smsg    = secret.parentNode.querySelector('label .input-message');
   const action  = modal.querySelectorAll('a[href^="action:"]');
   const more    = modal.querySelector('[data-toggleable-col]');

diff --git a/cuckoo/web/static/js/cuckoo/secret.js b/cuckoo/web/static/js/cuckoo/secret.js
diff --git a/cuckoo/web/templates/secret.html b/cuckoo/web/templates/secret.html
@@ -28,8 +28,8 @@ <h4>Secret <i class="fal fa-fingerprint effect effect-fade effect-fade-hold" dat
               <div class="modal-section modal-form no-flex arrow">
                 <div class="form-col">
                   <fieldset>
-                    <input type="password" name="cuckoo-secret" id="cuckoo-secret" required />
-                    <label for="cuckoo-secret">
+                    <input type="password" name="secret" id="secret" required />
+                    <label for="secret">
                       Secret
                       <span class="input-message">
                         {% if fail and fail != False %}
@@ -44,20 +44,19 @@ <h4>Secret <i class="fal fa-fingerprint effect effect-fade effect-fade-hold" dat
                     <a class="button variation-grey" href="action:toggle-info">What is this?</a>
                   </div>
                   <div class="button-nav__right">
-                    <a class="button variation-grey" href="action:leave">Leave</a>
                     <button type="submit" class="button variation-blue">Enter</button>
                   </div>
                 </nav>
               </div>
               <div class="modal-section hidden" data-toggleable-col>
                 <p>
-                  You are seeiing this dialog because this web-ui has
+                  You are seeing this dialog because this Web Interface has
                   been locked away safely with a secret. This functionality has
                   been turned on the by the owner of this instance and cannot be
                   accessed without this secret. If you're not the owner, please
                   contact the owner to obtain the key. This key ensures that this
                   system is not directly accessible for the world-wide web and can
-                  be interpret as a bold safety and/or privacy measure taken by
+                  be interpreted as a bold safety and/or privacy measure taken by
                   the owner of this instance.
                 </p>
               </div>

diff --git a/tests/settings.py b/tests/settings.py
@@ -43,7 +43,7 @@ def __mod__(self, other):
 
 MIDDLEWARE_CLASSES = (
     # Cuckoo headers.
-    "web.headers.CuckooHeaders",
+    "web.middle.CuckooHeaders",
     "web.errors.ExceptionMiddleware",
 )
 

diff --git a/tests/test_config.py b/tests/test_config.py
@@ -1174,6 +1174,8 @@ def test_migration_206_210():
     cfg = migrate(cfg, "2.0.6", "2.1.0")
 
     assert cfg["auxiliary"]["replay"]["certificate"] == "bin/cert.p12"
+    assert cfg["cuckoo"]["cuckoo"]["api_token"] is None
+    assert cfg["cuckoo"]["cuckoo"]["web_secret"] is None
 
 class FullMigration(object):
     DIRPATH = None