def test_parse_auth_cookie_allow_current(current_cookie, with_user,
session_id):
assert login.user_from_cookie(login._fetch_cookie(current_cookie)) == (
UserId(with_user[0]),
session_id,
login._generate_auth_hash(with_user[0], session_id),
)
def _verify_user(environ: WSGIEnvironment, now: datetime) -> RFC7662:
verified: List[RFC7662] = []
auth_header = environ.get("HTTP_AUTHORIZATION", "")
basic_user = None
if auth_header:
auth_type, _ = auth_header.split(None, 1)
if auth_type == "Bearer":
user_id, secret = user_from_bearer_header(auth_header)
automation_user = automation_auth(user_id, secret)
if automation_user:
verified.append(automation_user)
else:
# GUI user and Automation users are mutually exclusive. Checking only once is less
# work for the system.
gui_user = gui_user_auth(user_id, secret, now)
if gui_user:
verified.append(gui_user)
elif auth_type == "Basic":
# We store this for sanity checking below, once we get a REMOTE_USER key.
# If we don't get a REMOTE_USER key, this value will be ignored.
basic_user = user_from_basic_header(auth_header)
else:
raise MKAuthException(f"Unsupported Auth Type: {auth_type}")
remote_user = environ.get("REMOTE_USER", "")
if remote_user and userdb.user_exists(UserId(remote_user)):
if basic_user and basic_user[0] != remote_user:
raise MKAuthException("Mismatch in authentication headers.")
verified.append(rfc7662_subject(UserId(remote_user), "web_server"))
cookie = Request(environ).cookies.get(f"auth_{omd_site()}")
if cookie:
user_id, session_id, cookie_hash = user_from_cookie(cookie)
check_parsed_auth_cookie(user_id, session_id, cookie_hash)
verified.append(rfc7662_subject(user_id, "cookie"))
if not verified:
raise MKAuthException(
"You need to be authenticated to use the REST API.")
# We pick the first successful authentication method, which means the precedence is the same
# as the order in the code.
final_candidate = verified[0]
user_id = final_candidate["sub"]
if not userdb.is_customer_user_allowed_to_login(user_id):
raise MKAuthException(f"{user_id} may not log in here.")
if userdb.user_locked(user_id):
raise MKAuthException(f"{user_id} not authorized.")
if change_reason := userdb.need_to_change_pw(user_id, now):
raise MKAuthException(
f"{user_id} needs to change the password ({change_reason}).")
def _verify_user(environ) -> RFC7662:
verified: List[RFC7662] = []
auth_header = environ.get('HTTP_AUTHORIZATION', '')
basic_user = None
if auth_header:
auth_type, _ = auth_header.split(None, 1)
if auth_type == 'Bearer':
user_id, secret = user_from_bearer_header(auth_header)
automation_user = automation_auth(user_id, secret)
if automation_user:
verified.append(automation_user)
gui_user = gui_user_auth(user_id, secret)
if gui_user:
verified.append(gui_user)
elif auth_type == 'Basic':
# We store this for sanity checking below, once we get a REMOTE_USER key.
# If we don't get a REMOTE_USER key, this value will be ignored.
basic_user = user_from_basic_header(auth_header)
else:
raise MKAuthException(f"Unsupported Auth Type: {auth_type}")
remote_user = environ.get('REMOTE_USER', '')
if remote_user and userdb.user_exists(UserId(remote_user)):
if basic_user and basic_user[0] != remote_user:
raise MKAuthException("Mismatch in authentication headers.")
verified.append(rfc7662_subject(UserId(remote_user), 'webserver'))
cookie = Request(environ).cookies.get(f"auth_{omd_site()}")
if cookie:
user_id, session_id, cookie_hash = user_from_cookie(cookie)
check_parsed_auth_cookie(user_id, session_id, cookie_hash)
verified.append(rfc7662_subject(user_id, 'cookie'))
if not verified:
raise MKAuthException("You need to be authenticated to use the REST API.")
# We pick the first successful authentication method, which means the precedence is the same
# as the oder in the code.
final_candidate = verified[0]
if not userdb.is_customer_user_allowed_to_login(final_candidate['sub']):
raise MKAuthException(f"{final_candidate['sub']} may not log in here.")
if userdb.user_locked(final_candidate['sub']):
raise MKAuthException(f"{final_candidate['sub']} not authorized.")
return final_candidate
def _verify_user(environ) -> RFC7662:
verified: List[RFC7662] = []
auth_header = environ.get('HTTP_AUTHORIZATION', '')
if auth_header:
user_id, secret = user_from_bearer_header(auth_header)
automation_user = automation_auth(user_id, secret)
gui_user = gui_user_auth(user_id, secret)
if not (automation_user or gui_user):
raise MKAuthException(f"{user_id} not authorized.")
if automation_user:
verified.append(automation_user)
if gui_user:
verified.append(gui_user)
remote_user = environ.get('REMOTE_USER', '')
if remote_user and userdb.user_exists(UserId(remote_user)):
verified.append(rfc7662_subject(UserId(remote_user), 'webserver'))
cookie = Request(environ).cookies.get(f"auth_{omd_site()}")
if cookie:
user_id, session_id, cookie_hash = user_from_cookie(cookie)
check_parsed_auth_cookie(user_id, session_id, cookie_hash)
verified.append(rfc7662_subject(user_id, 'cookie'))
if not verified:
raise MKAuthException(
"You need to be authenticated to use the REST API.")
# We pick the first successful authentication method, which means the precedence is the same
# as the oder in the code.
final_candidate = verified[0]
if not userdb.is_customer_user_allowed_to_login(final_candidate['sub']):
raise MKAuthException(f"{final_candidate['sub']} may not log in here.")
if userdb.user_locked(final_candidate['sub']):
raise MKAuthException(f"{final_candidate['sub']} not authorized.")
return final_candidate
def test_parse_auth_cookie_refuse_pre_20(pre_20_cookie):
with pytest.raises(MKAuthException, match="Refusing pre 2.0"):
login.user_from_cookie(login._fetch_cookie(pre_20_cookie))
