Beispiel #1
def _handle_not_authenticated() -> Response:
    """Answer a request that arrived without a valid authentication.

    Three outcomes are possible:

    * ``fail_silently()`` is true: no login dialog is shown and
      ``MKUnauthenticatedException`` is raised instead.
    * Any page other than "login" was requested: the client is redirected to
      ``login.py`` with the originally requested URL in ``_origtarget``.
    * "login" itself was requested: the login page is processed and the
      global ``response`` is returned.
    """
    if fail_silently():
        # API-style callers get an error instead of the login dialog.
        raise MKUnauthenticatedException(_("You are not authenticated."))

    page_name = requested_file_name(request)

    if page_name == "login":
        # Either render the login form or validate a submitted one. A
        # successful login ends in an HTTP redirect to the original target.
        form = login.LoginPage()
        form.set_no_html_output(plain_error())
        form.handle_page()
        return response

    # The login form is never rendered in place for URLs such as "index.py"
    # or "dashboard.py"; the client is always sent to login.py instead.
    target_after_login = makeuri(request, [])
    if page_name != "index":
        # Wrap the target in index.py so the user gets the navigation frame
        # after logging in.
        target_after_login = makeuri_contextless(
            request, [("start_url", target_after_login)], filename="index.py"
        )

    # The target is URL-encoded before it is placed in the query string.
    login_url = "%scheck_mk/login.py?_origtarget=%s" % (
        url_prefix(),
        urlencode(target_after_login),
    )
    raise HTTPRedirect(login_url)
Beispiel #2
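def site_cookie_suffix() -> str:
    """Return a site-specific suffix for cookie names, derived from the URL prefix.

    The suffix is the directory part of the URL prefix path with every "/"
    replaced by "_" (for example "/mysite/" becomes "_mysite").

    If the prefix is an absolute URL, scheme and host are dropped first. The
    previous code did that only for "http://"; an "https://" prefix kept its
    scheme and host, which put ":" into the suffix. ":" is not a valid
    character in a cookie name, so both schemes are stripped now.
    """
    prefix = url_prefix()

    for scheme in ("http://", "https://"):
        if prefix.startswith(scheme):
            host_and_path = prefix[len(scheme):]
            slash = host_and_path.find("/")
            # Without any path after the host, fall back to the root path
            # rather than slicing with the -1 returned by find().
            prefix = host_and_path[slash:] if slash != -1 else "/"
            break

    return os.path.dirname(prefix).replace("/", "_")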
Beispiel #3
    def page(self) -> None:
        """Log the current user out and leave via a redirect or a 401 response.

        The auth session is invalidated and ``userdb.on_logout`` is notified
        first. What follows depends on how the user was authenticated:

        * cookie authentication: redirect to the login page;
        * otherwise (HTTP authentication): a two-step exchange tracked with a
          "logout" marker cookie, see the comments below.

        The method never returns normally; every path raises ``HTTPRedirect``
        or ``FinalizeRequest``.
        """
        assert user.id is not None

        # Order matters here: the session is invalidated before the session
        # id is read back from the cookie and reported to the user database.
        _invalidate_auth_session()

        logged_out_session = _get_session_id_from_cookie(user.id,
                                                         revalidate_cookie=True)
        userdb.on_logout(user.id, logged_out_session)

        if auth_type == "cookie":  # type: ignore[has-type]
            raise HTTPRedirect(url_prefix() + "check_mk/login.py")

        # HTTP logout via a marker cookie. On the second request the marker
        # is present: remove it and send the client back to the GUI.
        if request.has_cookie("logout"):
            response.delete_cookie("logout")
            raise HTTPRedirect(url_prefix() + "check_mk/")

        # First request: answer 401 with a Basic challenge and set the marker.
        # NOTE(review): presumably the challenge makes the browser discard its
        # cached credentials; confirm against the supported browsers.
        challenge = 'Basic realm="OMD Monitoring Site %s"' % omd_site()
        response.headers["WWW-Authenticate"] = challenge
        # The marker cookie carries the Secure flag only on secure requests.
        response.set_http_cookie("logout", "1", secure=request.is_secure)
        raise FinalizeRequest(http.client.UNAUTHORIZED)
Beispiel #4
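def render_link(text: Union[str, HTML],
                url: str,
                target: str = "main",
                onclick: Optional[str] = None) -> HTML:
    """Render an anchor element, prefixing relative URLs with the GUI path.

    Args:
        text: Link text passed on to ``html.render_a``.
        url: Link target. Only relative targets are rewritten.
        target: Value for the ``target`` attribute; a falsy value becomes "".
        onclick: Optional ``onclick`` handler; a falsy value becomes ``None``.

    Returns:
        The anchor as rendered by ``html.render_a``.

    An empty ``url`` used to raise ``IndexError`` on ``url[0]``; it is now
    treated as a relative link.
    """
    # Three kinds of links are possible and only [3] is rewritten:
    # [1] protocol://hostname/url/link.py
    # [2] /absolute/link.py
    # [3] relative.py
    # A ":" within the first ten characters is taken as a protocol marker.
    # "javascript:" has its colon at index 10, hence the separate prefix test.
    #
    # NOTE(review): "javascript..." URLs and the onclick value are handed to
    # html.render_a unchanged. Whether they are escaped or filtered depends on
    # render_a, which is not visible here, so callers should only pass values
    # that do not come from untrusted input.
    is_relative = (":" not in url[:10] and not url.startswith("javascript") and
                   not url.startswith("/"))
    if is_relative:
        url = url_prefix() + "check_mk/" + url
    return html.render_a(text,
                         href=url,
                         class_="link",
                         target=target or '',
                         onfocus="if (this.blur) this.blur();",
                         onclick=onclick or None)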
Beispiel #5
def default_single_site_configuration() -> SiteConfigurations:
    """Return the site configuration for a setup with only the local site.

    The result maps the ID returned by ``omd_site()`` to a settings
    dictionary that uses the local socket and the current URL prefix.
    """
    site_id = omd_site()
    local_site = {
        "alias": _("Local site %s") % omd_site(),
        # Local connection without further connection parameters.
        "socket": ("local", None),
        "disable_wato": True,
        "disabled": False,
        # NOTE(review): the meaning of "insecure" is defined by the consumer
        # of this configuration and is not visible here.
        "insecure": False,
        "url_prefix": url_prefix(),
        "multisiteurl": "",
        "persist": False,
        "replicate_ec": False,
        "replication": None,
        "timeout": 5,
        "user_login": True,
        "proxy": None,
    }
    return {site_id: local_site}
Beispiel #6
def default_single_site_configuration() -> SiteConfigurations:
    """Build the default configuration containing just the local site.

    Returns a mapping with a single entry: the ID from ``omd_site()`` mapped
    to the settings of the local site.
    """
    site_id = omd_site()
    # Computed up front in the same order as the dictionary evaluates them.
    alias = _("Local site %s") % omd_site()
    prefix = url_prefix()

    return {
        site_id: {
            'alias': alias,
            # Local connection without further connection parameters.
            'socket': ("local", None),
            'disable_wato': True,
            'disabled': False,
            # NOTE(review): what 'insecure' controls is decided by the code
            # that reads this configuration; it is not visible here.
            'insecure': False,
            'url_prefix': prefix,
            'multisiteurl': '',
            'persist': False,
            'replicate_ec': False,
            'replication': None,
            'timeout': 5,
            'user_login': True,
            'proxy': None,
        }
    }
Beispiel #7
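    def _do_login(self) -> None:
        """Process a submitted login form and redirect on success.

        Does nothing unless the request carries the ``_login`` variable. With
        valid credentials an auth session is created and the method leaves
        via ``HTTPRedirect``: to the password change page when
        ``userdb.need_to_change_pw`` reports a reason, otherwise to the
        requested target. Any ``MKUserError`` raised on the way is collected
        in ``user_errors`` instead of propagating.
        """
        if not request.var("_login"):
            return

        try:
            if not config.user_login:
                raise MKUserError(None,
                                  _("Login is not allowed on this site."))

            username_var = request.get_unicode_input("_username", "")
            assert username_var is not None
            username = UserId(username_var.rstrip())
            if not username:
                raise MKUserError("_username", _("Missing username"))

            password = request.var("_password", "")
            if not password:
                raise MKUserError("_password", _("Missing password"))

            default_origtarget = url_prefix() + "check_mk/"
            origtarget = request.get_url_input("_origtarget",
                                               default_origtarget)

            # Disallow redirections to:
            #  - logout.py: Happens after login
            #  - side.py: Happens when invalid login is detected during sidebar refresh
            # NOTE(review): this substring test only excludes these two pages.
            # Whether off-site redirect targets are rejected depends on what
            # request.get_url_input accepts, which is not visible here.
            if "logout.py" in origtarget or "side.py" in origtarget:
                origtarget = default_origtarget

            result = userdb.check_credentials(username, password)
            if result:
                # Use the username returned by the successful credential check.
                # The check may have transformed the name the user typed, e.g.
                # from mixed case to lower case.
                username = result

                session_id = userdb.on_succeeded_login(username)

                # The login succeeded! Now:
                # a) Set the auth cookie
                # b) Unset the login vars in further processing
                # c) Redirect to really requested page
                _create_auth_session(username, session_id)

                # In-place redirect handling is no longer used because it led
                # to unexpected situations. A plain 302 redirect is sent.
                # userdb.need_to_change_pw returns either False or the reason
                # description why the password needs to be changed.
                change_pw_result = userdb.need_to_change_pw(username)
                if change_pw_result:
                    # Encode the reason as well, so that characters such as
                    # "&" or spaces stay inside the "reason" parameter.
                    raise HTTPRedirect(
                        "user_change_pw.py?_origtarget=%s&reason=%s" %
                        (urlencode(origtarget), urlencode(str(change_pw_result))))
                raise HTTPRedirect(origtarget)

            # Every falsy result ends in the same generic message, so the
            # response does not reveal why the login was rejected.
            userdb.on_failed_login(username)
            raise MKUserError(None, _("Invalid login"))
        except MKUserError as e:
            user_errors.add(e)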