def _check_auth(request: Request) -> Optional[UserId]:
user_id = _check_auth_web_server(request)
if html.request.var("_secret"):
user_id = _check_auth_automation()
elif config.auth_by_http_header:
if not config.user_login:
return None
user_id = _check_auth_http_header()
if user_id is None:
if not config.user_login:
return None
user_id = _check_auth_by_cookie()
if (user_id is not None
and not isinstance(user_id, str)) or user_id == u'':
raise MKInternalError(_("Invalid user authentication"))
if user_id and not userdb.is_customer_user_allowed_to_login(user_id):
# A CME not assigned with the current sites customer
# is not allowed to login
auth_logger.debug(
"User '%s' is not allowed to authenticate: Invalid customer" %
user_id)
return None
return user_id
def _verify_user(environ: WSGIEnvironment, now: datetime) -> RFC7662:
verified: List[RFC7662] = []
auth_header = environ.get("HTTP_AUTHORIZATION", "")
basic_user = None
if auth_header:
auth_type, _ = auth_header.split(None, 1)
if auth_type == "Bearer":
user_id, secret = user_from_bearer_header(auth_header)
automation_user = automation_auth(user_id, secret)
if automation_user:
verified.append(automation_user)
else:
# GUI user and Automation users are mutually exclusive. Checking only once is less
# work for the system.
gui_user = gui_user_auth(user_id, secret, now)
if gui_user:
verified.append(gui_user)
elif auth_type == "Basic":
# We store this for sanity checking below, once we get a REMOTE_USER key.
# If we don't get a REMOTE_USER key, this value will be ignored.
basic_user = user_from_basic_header(auth_header)
else:
raise MKAuthException(f"Unsupported Auth Type: {auth_type}")
remote_user = environ.get("REMOTE_USER", "")
if remote_user and userdb.user_exists(UserId(remote_user)):
if basic_user and basic_user[0] != remote_user:
raise MKAuthException("Mismatch in authentication headers.")
verified.append(rfc7662_subject(UserId(remote_user), "web_server"))
cookie = Request(environ).cookies.get(f"auth_{omd_site()}")
if cookie:
user_id, session_id, cookie_hash = user_from_cookie(cookie)
check_parsed_auth_cookie(user_id, session_id, cookie_hash)
verified.append(rfc7662_subject(user_id, "cookie"))
if not verified:
raise MKAuthException(
"You need to be authenticated to use the REST API.")
# We pick the first successful authentication method, which means the precedence is the same
# as the order in the code.
final_candidate = verified[0]
user_id = final_candidate["sub"]
if not userdb.is_customer_user_allowed_to_login(user_id):
raise MKAuthException(f"{user_id} may not log in here.")
if userdb.user_locked(user_id):
raise MKAuthException(f"{user_id} not authorized.")
if change_reason := userdb.need_to_change_pw(user_id, now):
raise MKAuthException(
f"{user_id} needs to change the password ({change_reason}).")
def _verify_user(environ) -> RFC7662:
verified: List[RFC7662] = []
auth_header = environ.get('HTTP_AUTHORIZATION', '')
basic_user = None
if auth_header:
auth_type, _ = auth_header.split(None, 1)
if auth_type == 'Bearer':
user_id, secret = user_from_bearer_header(auth_header)
automation_user = automation_auth(user_id, secret)
if automation_user:
verified.append(automation_user)
gui_user = gui_user_auth(user_id, secret)
if gui_user:
verified.append(gui_user)
elif auth_type == 'Basic':
# We store this for sanity checking below, once we get a REMOTE_USER key.
# If we don't get a REMOTE_USER key, this value will be ignored.
basic_user = user_from_basic_header(auth_header)
else:
raise MKAuthException(f"Unsupported Auth Type: {auth_type}")
remote_user = environ.get('REMOTE_USER', '')
if remote_user and userdb.user_exists(UserId(remote_user)):
if basic_user and basic_user[0] != remote_user:
raise MKAuthException("Mismatch in authentication headers.")
verified.append(rfc7662_subject(UserId(remote_user), 'webserver'))
cookie = Request(environ).cookies.get(f"auth_{omd_site()}")
if cookie:
user_id, session_id, cookie_hash = user_from_cookie(cookie)
check_parsed_auth_cookie(user_id, session_id, cookie_hash)
verified.append(rfc7662_subject(user_id, 'cookie'))
if not verified:
raise MKAuthException("You need to be authenticated to use the REST API.")
# We pick the first successful authentication method, which means the precedence is the same
# as the oder in the code.
final_candidate = verified[0]
if not userdb.is_customer_user_allowed_to_login(final_candidate['sub']):
raise MKAuthException(f"{final_candidate['sub']} may not log in here.")
if userdb.user_locked(final_candidate['sub']):
raise MKAuthException(f"{final_candidate['sub']} not authorized.")
return final_candidate
def _verify_user(environ) -> RFC7662:
verified: List[RFC7662] = []
auth_header = environ.get('HTTP_AUTHORIZATION', '')
if auth_header:
user_id, secret = user_from_bearer_header(auth_header)
automation_user = automation_auth(user_id, secret)
gui_user = gui_user_auth(user_id, secret)
if not (automation_user or gui_user):
raise MKAuthException(f"{user_id} not authorized.")
if automation_user:
verified.append(automation_user)
if gui_user:
verified.append(gui_user)
remote_user = environ.get('REMOTE_USER', '')
if remote_user and userdb.user_exists(UserId(remote_user)):
verified.append(rfc7662_subject(UserId(remote_user), 'webserver'))
cookie = Request(environ).cookies.get(f"auth_{omd_site()}")
if cookie:
user_id, session_id, cookie_hash = user_from_cookie(cookie)
check_parsed_auth_cookie(user_id, session_id, cookie_hash)
verified.append(rfc7662_subject(user_id, 'cookie'))
if not verified:
raise MKAuthException(
"You need to be authenticated to use the REST API.")
# We pick the first successful authentication method, which means the precedence is the same
# as the oder in the code.
final_candidate = verified[0]
if not userdb.is_customer_user_allowed_to_login(final_candidate['sub']):
raise MKAuthException(f"{final_candidate['sub']} may not log in here.")
if userdb.user_locked(final_candidate['sub']):
raise MKAuthException(f"{final_candidate['sub']} not authorized.")
return final_candidate
user_id = _check_auth_automation()
elif auth_by_http_header := config.auth_by_http_header:
if not config.user_login:
return None
user_id = _check_auth_http_header(auth_by_http_header)
if user_id is None:
if not config.user_login:
return None
user_id = _check_auth_by_cookie()
if (user_id is not None and not isinstance(user_id, str)) or user_id == "":
raise MKInternalError(_("Invalid user authentication"))
if user_id and not userdb.is_customer_user_allowed_to_login(user_id):
# A CME not assigned with the current sites customer
# is not allowed to login
auth_logger.debug(
"User '%s' is not allowed to authenticate: Invalid customer" %
user_id)
return None
if user_id and auth_type in ("http_header", "web_server"):
_check_auth_cookie_for_web_server_auth(user_id)
return user_id
def verify_automation_secret(user_id: UserId, secret: str) -> bool:
if secret and user_id and "/" not in user_id:
