From 8be65604bd1da2f837735c6ffea6e9b0feb99cf9 Mon Sep 17 00:00:00 2001
From: Sasha Romijn <github@mxsasha.eu>
Date: Thu, 28 Nov 2024 14:51:42 +0100
Subject: [PATCH] Add #949 - Add support for inline PGP signatures in RPSL
 update form

---
 irrd/webui/endpoints.py             | 9 ++++++---
 irrd/webui/templates/rpsl_form.html | 4 ++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/irrd/webui/endpoints.py b/irrd/webui/endpoints.py
index c6e603bf..c5984259 100644
--- a/irrd/webui/endpoints.py
+++ b/irrd/webui/endpoints.py
@@ -18,6 +18,7 @@
 from irrd.storage.orm_provider import ORMSessionProvider, session_provider_manager
 from irrd.storage.queries import RPSLDatabaseQuery
 from irrd.updates.handler import ChangeSubmissionHandler
+from irrd.utils.pgp import validate_pgp_signature
 from irrd.webui.auth.decorators import authentication_required, mark_user_mfa_incomplete
 from irrd.webui.helpers import filter_auth_hash_non_mntner
 from irrd.webui.rendering import template_context_render
@@ -101,7 +102,6 @@ async def rpsl_detail(request: Request, user_mfa_incomplete: bool, session_provi
         )
 
 
-@csrf_protect
 @mark_user_mfa_incomplete
 @session_provider_manager
 async def rpsl_update(
@@ -147,6 +147,7 @@ async def rpsl_update(
 
     elif request.method == "POST":
         form_data = await request.form()
+        submission = form_data.get("data", form_data.get("DATA"))
         request_meta = {
             META_KEY_HTTP_CLIENT_IP: request.client.host if request.client else "",
             "HTTP-User-Agent": request.headers.get("User-Agent"),
@@ -160,8 +161,10 @@ async def rpsl_update(
         # and therefore needs wrapping in a thread
         @sync_to_async
         def save():
+            signed_submission, pgp_fingerprint = validate_pgp_signature(submission)
             return ChangeSubmissionHandler().load_text_blob(
-                object_texts_blob=form_data["data"],
+                object_texts_blob=signed_submission if signed_submission else submission,
+                pgp_fingerprint=pgp_fingerprint,
                 origin=AuthoritativeChangeOrigin.webui,
                 request_meta=request_meta,
                 internal_authenticated_user=active_user,
@@ -172,7 +175,7 @@ def save():
             "rpsl_form.html",
             request,
             {
-                "existing_data": form_data["data"],
+                "existing_data": submission,
                 "status": handler.status(),
                 "report": handler.submitter_report_human(),
                 "mntner_perms": mntner_perms,
diff --git a/irrd/webui/templates/rpsl_form.html b/irrd/webui/templates/rpsl_form.html
index 8f8d85f0..6cf05d37 100644
--- a/irrd/webui/templates/rpsl_form.html
+++ b/irrd/webui/templates/rpsl_form.html
@@ -28,8 +28,8 @@ <h2>Change/create/delete object(s){% if status %}: {{ status }}{% endif %}</h2>
                     This form is identical to email submissions, which means you
                     can use the pseudo-attributes <code>delete</code> for deletions
                     or <code>password</code> for password authentication.
-                    PGP is not supported.
-                    See the <a href="TODO">IRRD documentation</a> for more details.
+                    PGP inline signatures are supported.
+                    See the <a href="https://irrd.readthedocs.io/">IRRD documentation</a> for more details.
                 </p>
                 {% if user and user.override %}
                     <p>