def insecurelogin(self, username=None, password=None, return_to=None):
    '''
    Provide insecure login endpoint for HTTP GET-based credential passing.

    Credentials arrive as plain request parameters, which is why this
    endpoint stays closed (403) unless ``enable_insecure_login`` is set in
    web.conf.  Missing credentials yield 400.  Every reply is JSON via
    render_json.

    As shown in this listing a successful getSessionKey call falls through
    and the method returns None; the session-establishing tail is not part
    of the listing -- TODO confirm against the full file.
    '''
    # Refresh startup info first so an expired license is noticed before
    # any credential handling happens.
    startup.initVersionInfo(force=True)

    response = jsonresponse.JsonResponse()

    def fail(status, message):
        # Every error reply has the same shape: HTTP status + JSON error.
        cherrypy.response.status = status
        response.success = False
        response.addError(message)
        return self.render_json(response)

    enabled = splunk.util.normalizeBoolean(
        cherrypy.config.get('enable_insecure_login'))
    if not enabled:
        return fail(403, 'The insecure login endpoint is disabled. See web.conf for details.')

    if not (username and password):
        return fail(400, 'Missing credentials')

    try:
        sessionKey = splunk.auth.getSessionKey(
            username, password, hostPath=self.splunkd_urlhost)
    except Exception as e:
        # Report the splunkd error in the JSON body instead of a 500; the
        # HTTP status is deliberately left untouched here.
        response.parseRESTException(e)
        response.success = False
        return self.render_json(response)
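def insecurelogin(self, username=None, password=None, return_to=None):
    '''
    Provide insecure login endpoint for HTTP GET-based credential passing.

    Gated by ``enable_insecure_login`` in web.conf (403 when off); 400 when
    either credential is missing.  An authentication failure is logged with
    the client's user agent and IP and reported back as a JSON error.

    As shown in this listing a successful getSessionKey call falls through
    and the method returns None; the session-establishing tail is not part
    of the listing -- TODO confirm against the full file.
    '''
    # Force a refresh of startup info so that we know to
    # redirect if license stuff has expired.
    startup.initVersionInfo(force=True)

    output = jsonresponse.JsonResponse()

    if not splunk.util.normalizeBoolean(cherrypy.config.get('enable_insecure_login')):
        cherrypy.response.status = 403
        output.success = False
        output.addError('The insecure login endpoint is disabled. See web.conf for details.')
        return self.render_json(output)

    if not username or not password:
        cherrypy.response.status = 400
        output.success = False
        output.addError('Missing credentials')
        return self.render_json(output)

    ua = cherrypy.request.headers.get('user-agent', 'unknown')
    ip = cherrypy.request.remote.ip

    try:
        sessionKey = splunk.auth.getSessionKey(username, password, hostPath=self.splunkd_urlhost)
    except Exception as e:
        # sessionKey is never bound when getSessionKey raises, so the
        # previous log line died with UnboundLocalError inside this
        # handler and turned every failed login into a 500 that hid the
        # real error.  The failure record therefore carries no session
        # field (there is none to report, and a live key should not be
        # logged anyway).
        logger.error('user=%s action=insecurelogin status=failure '
                     'reason=user-initiated useragent="%s" clientip=%s',
                     username, ua, ip)
        output.parseRESTException(e)
        output.success = False
        return self.render_json(output)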
def insecurelogin(self, username=None, password=None, return_to=None):
    '''
    Provide insecure login endpoint for HTTP GET-based credential passing.

    Credentials arrive as plain request parameters, which is why this
    endpoint stays closed (403) unless ``enable_insecure_login`` is set in
    web.conf.  Missing credentials yield 400.  Every reply is JSON via
    render_json.

    As shown in this listing a successful getSessionKey call falls through
    and the method returns None; the session-establishing tail is not part
    of the listing -- TODO confirm against the full file.
    '''
    # Refresh startup info first so an expired license is noticed before
    # any credential handling happens.
    startup.initVersionInfo(force=True)

    response = jsonresponse.JsonResponse()

    def fail(status, message):
        # Every error reply has the same shape: HTTP status + JSON error.
        cherrypy.response.status = status
        response.success = False
        response.addError(message)
        return self.render_json(response)

    enabled = splunk.util.normalizeBoolean(
        cherrypy.config.get('enable_insecure_login'))
    if not enabled:
        return fail(403, 'The insecure login endpoint is disabled. See web.conf for details.')

    if not (username and password):
        return fail(400, 'Missing credentials')

    try:
        sessionKey = splunk.auth.getSessionKey(
            username, password, hostPath=self.splunkd_urlhost)
    except Exception as e:
        # Report the splunkd error in the JSON body instead of a 500; the
        # HTTP status is deliberately left untouched here.
        response.parseRESTException(e)
        response.success = False
        return self.render_json(response)
def check(fn, self, *a, **kw):
    '''
    Pre-dispatch guard wrapped around a controller method.

    Applies, in order: API/non-API routing (``handle_api`` / ``ONLY_API``),
    the allowed HTTP ``methods``, a version-info refresh, a
    ``request.relative_uri`` convenience attribute, CSRF token verification
    for POST requests (when ``verify_session``), and optional whitespace
    trimming of keyword arguments (``trim_spaces``).  Those configuration
    names are free variables of the enclosing decorator, whose definition
    is outside this listing.  Raises RequestRefused(404/405) for routing
    failures and cherrypy.HTTPError(401) for a failed CSRF check on an
    XHR request when ``must_login`` is set.
    '''
    request = cherrypy.request
    api_request = util.is_api()

    # Routing: API-only endpoints refuse non-API hits and vice versa.
    if api_request and not handle_api:
        raise RequestRefused(404)
    if not api_request and handle_api is ONLY_API:
        raise RequestRefused(404)

    allowed_methods = methods
    if allowed_methods:
        if isinstance(allowed_methods, basestring):
            allowed_methods = [allowed_methods]
        if request.method not in allowed_methods:
            raise RequestRefused(405)

    # Any URI access triggers the version/license check.
    startup.initVersionInfo()

    # request.relative_uri: path plus query string, prefixed with the
    # configured root_endpoint when there is one.
    relative = request.path_info
    if request.query_string:
        relative += '?' + request.query_string
    root_endpoint = cherrypy.config.get('root_endpoint')
    if root_endpoint not in ['/', None, '']:
        relative = root_endpoint + relative
    request.relative_uri = relative

    # CSRF protection.  Only POST is checked, so a handler that changes
    # state on any other method gets no protection from this wrapper.
    # Tests disable it with cherrypy.config.update({'environment': 'test_suite'}).
    csrf_applies = (verify_session
                    and request.method == 'POST'
                    and cherrypy.config.get('environment') != 'test_suite')
    if csrf_applies:
        xhr = util.is_xhr()
        # XHR clients carry the token in a header, form posts in a field;
        # util.isValidFormKey is the single decision point for both.
        if xhr:
            form_key = request.headers.get('X-Splunk-Form-Key')
        else:
            form_key = request.params.get('splunk_form_key')
        if not util.isValidFormKey(form_key):
            if xhr:
                logger.warn('CSRF: validation failed because client XHR did not include proper header')
            else:
                logger.warn('CSRF: validation failed because HTTP POST did not include expected parameter')
            if must_login:
                if xhr:
                    raise cherrypy.HTTPError(401, _('Splunk cannot authenticate the request. CSRF validation failed.'))
                return self.redirect_to_url('/account/login', _qs=[('return_to', util.current_url_path())])
            # The endpoint did not ask for must_login: the failed token
            # check is only logged and the handler still runs.
            logger.warn('CSRF: skipping 401 redirect response because endpoint did not request protection')

    # Basic input cleansing: strip surrounding whitespace from string args.
    if trim_spaces:
        for key in list(kw):
            value = kw[key]
            if not isinstance(value, basestring):
                continue
            stripped = value.strip()
            if stripped != value:
                kw[key] = stripped
                logger.debug('Leading/trailing whitespaces were trimmed in "%s" argument' % key)

    return fn(self, *a, **kw)
def logout(self):
    '''
    Handle a user-initiated logout.

    Refreshes startup info, then writes an audit line (user name, user
    agent, client IP, session key) for the current session.  Only this
    logging prologue is part of the listing; the session teardown that
    presumably follows is not shown -- TODO confirm against the full file.
    '''
    # Force a refresh of startup info so that we know to
    # redirect if license stuff has expired.
    startup.initVersionInfo(force=True)

    # Audit the logout.  Any lookup below can fail when nobody is logged in
    # or there is no session; that case is simply "nothing to log".
    try:
        user = cherrypy.session['user']['name']
        session_key = cherrypy.session['sessionKey']
        client_ip = cherrypy.request.remote.ip
        user_agent = cherrypy.request.headers.get('user-agent', 'unknown')
        # NOTE(review): the session key goes into the log verbatim, so
        # anyone who can read this log can see live session identifiers.
        logger.info('user=%s action=logout status=success '
                    'reason=user-initiated useragent="%s" clientip=%s session=%s'
                    % (user, user_agent, client_ip, session_key))
    except (KeyError, AttributeError):
        # User wasn't logged in, or no session -- nothing to audit.
        pass
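def insecurelogin(self, username=None, password=None, return_to=None):
    '''
    Provide insecure login endpoint for HTTP GET-based credential passing.

    Gated by ``enable_insecure_login`` in web.conf (403 when off); 400 when
    either credential is missing.  An authentication failure is logged with
    the client's user agent and IP and reported back as a JSON error.

    As shown in this listing a successful getSessionKey call falls through
    and the method returns None; the session-establishing tail is not part
    of the listing -- TODO confirm against the full file.
    '''
    # Force a refresh of startup info so that we know to
    # redirect if license stuff has expired.
    startup.initVersionInfo(force=True)

    output = jsonresponse.JsonResponse()

    if not splunk.util.normalizeBoolean(
            cherrypy.config.get('enable_insecure_login')):
        cherrypy.response.status = 403
        output.success = False
        output.addError(
            'The insecure login endpoint is disabled. See web.conf for details.'
        )
        return self.render_json(output)

    if not username or not password:
        cherrypy.response.status = 400
        output.success = False
        output.addError('Missing credentials')
        return self.render_json(output)

    ua = cherrypy.request.headers.get('user-agent', 'unknown')
    ip = cherrypy.request.remote.ip

    try:
        sessionKey = splunk.auth.getSessionKey(
            username, password, hostPath=self.splunkd_urlhost)
    except Exception as e:
        # sessionKey is never bound when getSessionKey raises, so the
        # previous log line died with UnboundLocalError inside this
        # handler and turned every failed login into a 500 that hid the
        # real error.  The failure record therefore carries no session
        # field (there is none to report, and a live key should not be
        # logged anyway).
        logger.error('user=%s action=insecurelogin status=failure '
                     'reason=user-initiated useragent="%s" clientip=%s',
                     username, ua, ip)
        output.parseRESTException(e)
        output.success = False
        return self.render_json(output)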
def login(self, username=None, password=None, return_to=None, cval=None, newpassword=None, **kwargs):
    '''
    Render the login page (GET) or process a credential submission (POST).

    ``return_to`` is normalised to a leading-slash path before any redirect.
    A request that already carries a session key is redirected straight to
    it.  Storm deployments hand off to handleStormLogin.  On a free license
    a GET seeds the session as admin.  On POST the login-page cookie
    (``cval``) must round-trip before credentials are sent to splunkd; a
    forced-password-change failure parks the credentials in the in-memory
    credential_cache and renders the password-change page.

    Only the failure branches of the POST path are part of this listing;
    the successful-login tail is not shown -- TODO confirm against the
    full file.
    '''
    # Refresh startup info first so an expired license is noticed.
    startup.initVersionInfo(force=True)

    update_checker_url = self.getUpdateCheckerBaseURL()

    # Long-lived uid cookie, refreshed on every visit to the login page.
    self.updateCookieUID()

    # Template args are derived from the caller-supplied return_to, i.e.
    # before the normalisation below.
    templateArgs = self.getLoginTemplateArgs(return_to=return_to)

    # Normalise return_to to a path.  Only a leading slash is enforced here;
    # whether util.make_url_internal additionally rejects protocol-relative
    # targets (a leading '//') is not visible in this listing -- TODO confirm.
    return_to = return_to or '/'
    if return_to[0] != '/':
        return_to = '/' + return_to

    # An established session never gets a second login form; bounce it.
    if cherrypy.session.get('sessionKey') and return_to:
        raise cherrypy.HTTPRedirect(util.make_url_internal(return_to))

    if cherrypy.config.get('storm_enabled'):
        return self.handleStormLogin(return_to=return_to, **kwargs)

    #
    # GET: show the form.  A GET that carries newpassword is treated as a
    # password-change submission and falls through to the POST path.
    #
    if cherrypy.request.method == 'GET' and newpassword is None:
        if cherrypy.config.get('is_free_license'):
            # Free license authenticates anything, so seed a fresh session
            # as admin with the static credential splunkd accepts.
            cherrypy.session.regenerate()
            cherrypy.session['user'] = {
                'name': 'admin',
                'fullName': 'Administrator',
                'id': 1,
            }
            cherrypy.session['sessionKey'] = splunk.auth.getSessionKey(
                "admin", "freeneedsnopassword", hostPath=self.splunkd_urlhost)
            if not update_checker_url:
                return self.redirect_to_url('/app/%s' % splunk.getDefault('namespace'))

        # Lets the template tell a first visit from a returning user.
        templateArgs['hasLoggedIn'] = self.hasLoggedIn()

        root_endpoint = cherrypy.config.get('root_endpoint')
        if templateArgs['return_to'] is None and root_endpoint not in ['/', None, '']:
            templateArgs['return_to'] = util.make_url_internal(root_endpoint)

        return self.render_template('account/login.html', templateArgs)

    #
    # POST
    #
    # The cookie planted when the page was served must come back intact.
    cookie_ok = 'cval' in cherrypy.request.cookie and self.cookieTest(cval)
    if not cookie_ok:
        templateArgs['bad_cookies'] = 1
        return self.render_template('account/login.html', templateArgs)

    user_agent = cherrypy.request.headers.get('user-agent', 'unknown')
    client_ip = cherrypy.request.remote.ip

    if username:
        username = username.strip().lower()

    try:
        sessionKey = splunk.auth.getSessionKey(
            username, password, hostPath=self.splunkd_urlhost, newPassword=newpassword)
    except splunk.AuthenticationFailed as e:
        reason = str(e.msg)
        logger.error('user=%s action=login status=failure '
                     'reason=user-initiated useragent="%s" clientip=%s ERROR=%s'
                     % (username, user_agent, client_ip, reason))
        templateArgs['invalid_password'] = 1

        # splunkd signals a forced password change by mentioning 'fpc' in
        # the failure message (plain substring match -- TODO confirm this
        # contract with the splunkd side).
        forced_password_message = str(e.extendedMessages)
        if not reason.count('fpc'):
            return self.render_template('account/login.html', templateArgs)

        templateArgs['fpc'] = True
        # Credentials are held in process memory only, keyed by session id,
        # so the password-change page can re-submit them.  Note the cache
        # holds the plaintext password; when entries are evicted is not
        # visible in this listing.
        with AccountController.credential_lock:
            AccountController.credential_cache[cherrypy.session.id] = {
                'username': username, 'password': password}
        cherrypy.session['cval'] = cval
        cherrypy.session['fpc'] = True   # forced password change
        templateArgs['err'] = _(forced_password_message)
        logger.info('user=%s action=login status=%s' % (username, forced_password_message))
        return self.render_template('account/passwordchange.html', templateArgs)
def login(self, username=None, password=None, return_to=None, cval=None, **kwargs):
    '''
    Render the login page (GET) or process a credential submission (POST).

    Storm deployments hand off to handleStormLogin.  On a free license a
    GET seeds the session as admin.  On POST the login-page cookie
    (``cval``) must round-trip before credentials go to splunkd; a failed
    cookie check or a failed authentication re-renders the form with a
    freshly issued cookie test value.  This variant performs no
    normalisation of ``username`` and writes no audit line on failure.

    Only the failure branches of the POST path are part of this listing;
    the successful-login tail is not shown -- TODO confirm against the
    full file.
    '''
    # Refresh startup info first so an expired license is noticed.
    startup.initVersionInfo(force=True)

    update_checker_url = self.getUpdateCheckerBaseURL()

    # Long-lived uid cookie, refreshed on every visit to the login page.
    self.updateCookieUID()

    templateArgs = self.getLoginTemplateArgs(return_to=return_to, cval=cval)

    if cherrypy.config.get('storm_enabled'):
        return self.handleStormLogin(**kwargs)

    def render_login():
        # Both POST failure paths re-issue the cookie test value.
        templateArgs['cval'] = self.updateCookieTest()
        return self.render_template('account/login.html', templateArgs)

    #
    # GET: show the form.
    #
    if cherrypy.request.method == 'GET':
        if cherrypy.config.get('is_free_license'):
            # Free license authenticates anything, so seed a fresh session
            # as admin with the static credential splunkd accepts.
            cherrypy.session.regenerate()
            cherrypy.session['user'] = {
                'name': 'admin',
                'fullName': 'Administrator',
                'id': 1,
            }
            cherrypy.session['sessionKey'] = splunk.auth.getSessionKey(
                "admin", "freeneedsnopassword", hostPath=self.splunkd_urlhost)
            if not update_checker_url:
                return self.redirect_to_url('/app/%s' % splunk.getDefault('namespace'))

        # Lets the template tell a first visit from a returning user.
        templateArgs['hasLoggedIn'] = self.hasLoggedIn()
        return self.render_template('account/login.html', templateArgs)

    #
    # POST
    #
    # The cookie planted when the page was served must come back intact.
    cookie_ok = 'cval' in cherrypy.request.cookie and self.cookieTest(cval)
    if not cookie_ok:
        templateArgs['bad_cookies'] = 1
        return render_login()

    try:
        sessionKey = splunk.auth.getSessionKey(
            username, password, hostPath=self.splunkd_urlhost)
    except splunk.AuthenticationFailed as e:
        templateArgs['invalid_password'] = 1
        return render_login()
def check(fn, self, *a, **kw):
    '''
    Pre-dispatch guard wrapped around a controller method.

    Applies, in order: API/non-API routing (``handle_api`` / ``ONLY_API``),
    the allowed HTTP ``methods``, a version-info refresh, a
    ``request.relative_uri`` convenience attribute, CSRF token verification
    for POST requests (when ``verify_session``), and optional whitespace
    trimming of keyword arguments (``trim_spaces``).  Those configuration
    names are free variables of the enclosing decorator, whose definition
    is outside this listing.  Raises RequestRefused(404/405) for routing
    failures and cherrypy.HTTPError(401) for a failed CSRF check on an
    XHR request when ``must_login`` is set.
    '''
    request = cherrypy.request
    api_request = util.is_api()

    # Routing: API-only endpoints refuse non-API hits and vice versa.
    if api_request and not handle_api:
        raise RequestRefused(404)
    if not api_request and handle_api is ONLY_API:
        raise RequestRefused(404)

    allowed_methods = methods
    if allowed_methods:
        if isinstance(allowed_methods, basestring):
            allowed_methods = [allowed_methods]
        if request.method not in allowed_methods:
            raise RequestRefused(405)

    # Any URI access triggers the version/license check.
    startup.initVersionInfo()

    # request.relative_uri: path plus query string, prefixed with the
    # configured root_endpoint when there is one.
    relative = request.path_info
    if request.query_string:
        relative += '?' + request.query_string
    root_endpoint = cherrypy.config.get('root_endpoint')
    if root_endpoint not in ['/', None, '']:
        relative = root_endpoint + relative
    request.relative_uri = relative

    # CSRF protection.  Only POST is checked, so a handler that changes
    # state on any other method gets no protection from this wrapper.
    # Tests disable it with cherrypy.config.update({'environment': 'test_suite'}).
    csrf_applies = (verify_session
                    and request.method == 'POST'
                    and cherrypy.config.get('environment') != 'test_suite')
    if csrf_applies:
        xhr = util.is_xhr()
        # XHR clients carry the token in a header, form posts in a field;
        # util.isValidFormKey is the single decision point for both.
        if xhr:
            form_key = request.headers.get('X-Splunk-Form-Key')
        else:
            form_key = request.params.get('splunk_form_key')
        if not util.isValidFormKey(form_key):
            if xhr:
                logger.warn('CSRF: validation failed because client XHR did not include proper header')
            else:
                logger.warn('CSRF: validation failed because HTTP POST did not include expected parameter')
            if must_login:
                if xhr:
                    raise cherrypy.HTTPError(401, _('Splunk cannot authenticate the request. CSRF validation failed.'))
                return self.redirect_to_url('/account/login', _qs=[('return_to', util.current_url_path())])
            # The endpoint did not ask for must_login: the failed token
            # check is only logged and the handler still runs.
            logger.warn('CSRF: skipping 401 redirect response because endpoint did not request protection')

    # Basic input cleansing: strip surrounding whitespace from string args.
    if trim_spaces:
        for key in list(kw):
            value = kw[key]
            if not isinstance(value, basestring):
                continue
            stripped = value.strip()
            if stripped != value:
                kw[key] = stripped
                logger.debug('Leading/trailing whitespaces were trimmed in "%s" argument' % key)

    return fn(self, *a, **kw)
def login(self, username=None, password=None, return_to=None, cval=None, newpassword=None, **kwargs):
    '''
    Render the login page (GET) or process a credential submission (POST).

    ``return_to`` is normalised to a leading-slash path before any redirect.
    A request that already carries a session key is redirected straight to
    it.  Storm deployments hand off to handleStormLogin.  On a free license
    a GET seeds the session as admin.  On POST the login-page cookie
    (``cval``) must round-trip before credentials are sent to splunkd; a
    forced-password-change failure parks the credentials in the in-memory
    credential_cache and renders the password-change page.

    Only the failure branches of the POST path are part of this listing;
    the successful-login tail is not shown -- TODO confirm against the
    full file.
    '''
    # Refresh startup info first so an expired license is noticed.
    startup.initVersionInfo(force=True)

    update_checker_url = self.getUpdateCheckerBaseURL()

    # Long-lived uid cookie, refreshed on every visit to the login page.
    self.updateCookieUID()

    # Template args are derived from the caller-supplied return_to, i.e.
    # before the normalisation below.
    templateArgs = self.getLoginTemplateArgs(return_to=return_to)

    # Normalise return_to to a path.  Only a leading slash is enforced here;
    # whether util.make_url_internal additionally rejects protocol-relative
    # targets (a leading '//') is not visible in this listing -- TODO confirm.
    return_to = return_to or '/'
    if return_to[0] != '/':
        return_to = '/' + return_to

    # An established session never gets a second login form; bounce it.
    if cherrypy.session.get('sessionKey') and return_to:
        raise cherrypy.HTTPRedirect(util.make_url_internal(return_to))

    if cherrypy.config.get('storm_enabled'):
        return self.handleStormLogin(return_to=return_to, **kwargs)

    #
    # GET: show the form.  A GET that carries newpassword is treated as a
    # password-change submission and falls through to the POST path.
    #
    if cherrypy.request.method == 'GET' and newpassword is None:
        if cherrypy.config.get('is_free_license'):
            # Free license authenticates anything, so seed a fresh session
            # as admin with the static credential splunkd accepts.
            cherrypy.session.regenerate()
            cherrypy.session['user'] = {
                'name': 'admin',
                'fullName': 'Administrator',
                'id': 1,
            }
            cherrypy.session['sessionKey'] = splunk.auth.getSessionKey(
                "admin", "freeneedsnopassword", hostPath=self.splunkd_urlhost)
            if not update_checker_url:
                return self.redirect_to_url('/app/%s' % splunk.getDefault('namespace'))

        # Lets the template tell a first visit from a returning user.
        templateArgs['hasLoggedIn'] = self.hasLoggedIn()

        root_endpoint = cherrypy.config.get('root_endpoint')
        if templateArgs['return_to'] is None and root_endpoint not in ['/', None, '']:
            templateArgs['return_to'] = util.make_url_internal(root_endpoint)

        return self.render_template('account/login.html', templateArgs)

    #
    # POST
    #
    # The cookie planted when the page was served must come back intact.
    cookie_ok = 'cval' in cherrypy.request.cookie and self.cookieTest(cval)
    if not cookie_ok:
        templateArgs['bad_cookies'] = 1
        return self.render_template('account/login.html', templateArgs)

    user_agent = cherrypy.request.headers.get('user-agent', 'unknown')
    client_ip = cherrypy.request.remote.ip

    if username:
        username = username.strip().lower()

    try:
        sessionKey = splunk.auth.getSessionKey(
            username, password, hostPath=self.splunkd_urlhost, newPassword=newpassword)
    except splunk.AuthenticationFailed as e:
        reason = str(e.msg)
        logger.error('user=%s action=login status=failure '
                     'reason=user-initiated useragent="%s" clientip=%s ERROR=%s'
                     % (username, user_agent, client_ip, reason))
        templateArgs['invalid_password'] = 1

        # splunkd signals a forced password change by mentioning 'fpc' in
        # the failure message (plain substring match -- TODO confirm this
        # contract with the splunkd side).
        forced_password_message = str(e.extendedMessages)
        if not reason.count('fpc'):
            return self.render_template('account/login.html', templateArgs)

        templateArgs['fpc'] = True
        # Credentials are held in process memory only, keyed by session id,
        # so the password-change page can re-submit them.  Note the cache
        # holds the plaintext password; when entries are evicted is not
        # visible in this listing.
        with AccountController.credential_lock:
            AccountController.credential_cache[cherrypy.session.id] = {
                'username': username, 'password': password}
        cherrypy.session['cval'] = cval
        cherrypy.session['fpc'] = True   # forced password change
        templateArgs['err'] = _(forced_password_message)
        logger.info('user=%s action=login status=%s' % (username, forced_password_message))
        return self.render_template('account/passwordchange.html', templateArgs)
def login(self, username=None, password=None, return_to=None, cval=None, **kwargs):
    '''
    Render the login page (GET) or process a credential submission (POST).

    Storm deployments hand off to handleStormLogin.  On a free license a
    GET seeds the session as admin.  On POST the login-page cookie
    (``cval``) must round-trip before credentials go to splunkd; a failed
    cookie check or a failed authentication re-renders the form with a
    freshly issued cookie test value.  This variant performs no
    normalisation of ``username`` and writes no audit line on failure.

    Only the failure branches of the POST path are part of this listing;
    the successful-login tail is not shown -- TODO confirm against the
    full file.
    '''
    # Refresh startup info first so an expired license is noticed.
    startup.initVersionInfo(force=True)

    update_checker_url = self.getUpdateCheckerBaseURL()

    # Long-lived uid cookie, refreshed on every visit to the login page.
    self.updateCookieUID()

    templateArgs = self.getLoginTemplateArgs(return_to=return_to, cval=cval)

    if cherrypy.config.get('storm_enabled'):
        return self.handleStormLogin(**kwargs)

    def render_login():
        # Both POST failure paths re-issue the cookie test value.
        templateArgs['cval'] = self.updateCookieTest()
        return self.render_template('account/login.html', templateArgs)

    #
    # GET: show the form.
    #
    if cherrypy.request.method == 'GET':
        if cherrypy.config.get('is_free_license'):
            # Free license authenticates anything, so seed a fresh session
            # as admin with the static credential splunkd accepts.
            cherrypy.session.regenerate()
            cherrypy.session['user'] = {
                'name': 'admin',
                'fullName': 'Administrator',
                'id': 1,
            }
            cherrypy.session['sessionKey'] = splunk.auth.getSessionKey(
                "admin", "freeneedsnopassword", hostPath=self.splunkd_urlhost)
            if not update_checker_url:
                return self.redirect_to_url('/app/%s' % splunk.getDefault('namespace'))

        # Lets the template tell a first visit from a returning user.
        templateArgs['hasLoggedIn'] = self.hasLoggedIn()
        return self.render_template('account/login.html', templateArgs)

    #
    # POST
    #
    # The cookie planted when the page was served must come back intact.
    cookie_ok = 'cval' in cherrypy.request.cookie and self.cookieTest(cval)
    if not cookie_ok:
        templateArgs['bad_cookies'] = 1
        return render_login()

    try:
        sessionKey = splunk.auth.getSessionKey(
            username, password, hostPath=self.splunkd_urlhost)
    except splunk.AuthenticationFailed as e:
        templateArgs['invalid_password'] = 1
        return render_login()