Module: check_mk
Branch: master
Commit: 095dc7d63c4c9a92e633e61eaed6adf9a8a7ae2a
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=095dc7d63c4c9a…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jan 17 16:56:27 2017 +0100
4280 FIX Interactive login is now denied for automation users
It was possible to log into the Check_MK GUI interactively (using the login form)
as an automation user. This was never intended and was a bug.
Automation users are only meant to authenticate with the GUI for a single page or API
call using the URL variables (<tt>_username</tt> and <tt>_secret</tt>).
If you want to log in interactively to access multiple pages, you need a "normal"
user that has a password configured instead of an automation secret.
Change-Id: I6901bdb04a34ab1c4d170f0dbff8e08bc35c29f0
---
.werks/4280 | 16 ++++++++++++++++
ChangeLog | 1 +
web/htdocs/userdb.py | 4 ++++
web/plugins/userdb/htpasswd.py | 3 +++
4 files changed, 24 insertions(+)
diff --git a/.werks/4280 b/.werks/4280
new file mode 100644
index 0000000..9ed838e
--- /dev/null
+++ b/.werks/4280
@@ -0,0 +1,16 @@
+Title: Interactive login is now denied for automation users
+Level: 1
+Component: multisite
+Compatible: compat
+Version: 1.4.0i4
+Date: 1484667468
+Class: fix
+
+It was possible to log into the Check_MK GUI interactively (using the login form)
+as automation user. This was never intended and was a bug.
+
+Automation users are only meant to authenticate with the GUI for a single page or API
+call using the URL variables (<tt>_username</tt> and <tt>_secret</tt>).
+
+In case you want to login interactively to access multiple pages, you need a "normal"
+user that has a password configured instead of an automation secret.
diff --git a/ChangeLog b/ChangeLog
index 4d64795..bbe59da 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -69,6 +69,7 @@
* 4220 FIX: WATO folder filter: improve output of unknown folders
* 4226 FIX: Custom inventory painters are now correctly loaded when declared with inventory_displayhints
* 4228 FIX: Context links to HW/SW inventory views are only shown when useful
+ * 4280 FIX: Interactive login is now denied for automation users...
WATO:
* 4142 New extended search dialog for rulesets and rules...
diff --git a/web/htdocs/userdb.py b/web/htdocs/userdb.py
index beff081..3ca11ad 100644
--- a/web/htdocs/userdb.py
+++ b/web/htdocs/userdb.py
@@ -212,6 +212,10 @@ def create_non_existing_user(connection_id, username):
hook_sync(connection_id = connection_id, only_username = username)
+def is_automation_user(user_id):
+ return os.path.isfile(cmk.paths.var_dir + "/web/" + user_id.encode("utf-8") + "/automation.secret")
+
+
# This function is called very often during regular page loads so it has to be efficient
# even when having a lot of users.
#
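Review bot: `is_automation_user()` joins `user_id` into a filesystem path without validation, and it has no docstring stating what callers must guarantee. The htpasswd caller in this commit only reaches it after the `username not in users` case has returned, but any other caller passing a request-derived name containing `/` or `..` would make the `os.path.isfile` check answer for paths outside `var_dir + "/web/"`. I would add a docstring such as `"""True if the user has an automation.secret file; user_id must be an existing, validated user id."""`, or reject ids containing a path separator before building the path.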
diff --git a/web/plugins/userdb/htpasswd.py b/web/plugins/userdb/htpasswd.py
index ab20287..4265547 100644
--- a/web/plugins/userdb/htpasswd.py
+++ b/web/plugins/userdb/htpasswd.py
@@ -63,6 +63,9 @@ class HtpasswdUserConnector(UserConnector):
if username not in users:
return None # not existing user, skip over
+ if is_automation_user(username):
+ raise MKUserError(None, _("Automation user rejected"))
+
if self.password_valid(users[username], password):
return username
else:
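Review bot: The check `if is_automation_user(username):` runs before `self.password_valid(...)`, so the distinct "Automation user rejected" error is raised for any password. Assuming the MKUserError text reaches the login page (not visible here), an unauthenticated client can learn which existing accounts are automation users. Consider rejecting only once the credential has been verified, i.e. move `if is_automation_user(username): raise MKUserError(None, _("Automation user rejected"))` inside the `if self.password_valid(users[username], password):` branch, so a wrong password gets the same answer as for a normal user. Logging the rejected attempt together with the username would also give operators a signal that an automation secret is being tried on the login form. The enclosing method starts and ends outside this hunk.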
Module: check_mk
Branch: master
Commit: 70c8593df6c7fe34a947a2dd51a5b1a70f750221
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=70c8593df6c7fe…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jan 17 13:54:46 2017 +0100
Added new eventconsolerules table to livestatus
Change-Id: Ie44f1fdb65598033429a0739e3fe69ad4791a566
---
livestatus/src/Makefile.am | 1 +
livestatus/src/Store.cc | 4 ++-
livestatus/src/Store.h | 2 ++
livestatus/src/TableEventConsoleRules.cc | 46 ++++++++++++++++++++++++++++++++
livestatus/src/TableEventConsoleRules.h | 40 +++++++++++++++++++++++++++
5 files changed, 92 insertions(+), 1 deletion(-)
diff --git a/livestatus/src/Makefile.am b/livestatus/src/Makefile.am
index 74dd51c..f4ded8c 100644
--- a/livestatus/src/Makefile.am
+++ b/livestatus/src/Makefile.am
@@ -129,6 +129,7 @@ livestatus_so_SOURCES = \
TableEventConsoleEvents.cc \
TableEventConsoleHistory.cc \
TableEventConsoleReplication.cc \
+ TableEventConsoleRules.cc \
TableEventConsoleStatus.cc \
TableHostGroups.cc \
TableHosts.cc \
diff --git a/livestatus/src/Store.cc b/livestatus/src/Store.cc
index e1f3ea4..59abfc0 100644
--- a/livestatus/src/Store.cc
+++ b/livestatus/src/Store.cc
@@ -76,7 +76,8 @@ Store::Store(MonitoringCore *core)
, _table_eventconsoleevents(core, _downtimes, _comments)
, _table_eventconsolehistory(core, _downtimes, _comments)
, _table_eventconsolestatus(core)
- , _table_eventconsolereplication(core) {
+ , _table_eventconsolereplication(core)
+ , _table_eventconsolerules(core) {
addTable(&_table_columns);
addTable(&_table_commands);
addTable(&_table_comments);
@@ -98,6 +99,7 @@ Store::Store(MonitoringCore *core)
addTable(&_table_eventconsolehistory);
addTable(&_table_eventconsolestatus);
addTable(&_table_eventconsolereplication);
+ addTable(&_table_eventconsolerules);
}
void Store::addTable(Table *table) {
diff --git a/livestatus/src/Store.h b/livestatus/src/Store.h
index 8b51c05..5e4e2df 100644
--- a/livestatus/src/Store.h
+++ b/livestatus/src/Store.h
@@ -42,6 +42,7 @@
#include "TableEventConsoleEvents.h"
#include "TableEventConsoleHistory.h"
#include "TableEventConsoleReplication.h"
+#include "TableEventConsoleRules.h"
#include "TableEventConsoleStatus.h"
#include "TableHostGroups.h"
#include "TableHosts.h"
@@ -97,6 +98,7 @@ private:
TableEventConsoleHistory _table_eventconsolehistory;
TableEventConsoleStatus _table_eventconsolestatus;
TableEventConsoleReplication _table_eventconsolereplication;
+ TableEventConsoleRules _table_eventconsolerules;
std::map<std::string, Table *> _tables;
diff --git a/livestatus/src/TableEventConsoleRules.cc b/livestatus/src/TableEventConsoleRules.cc
new file mode 100644
index 0000000..9682652
--- /dev/null
+++ b/livestatus/src/TableEventConsoleRules.cc
@@ -0,0 +1,46 @@
+// +------------------------------------------------------------------+
+// | ____ _ _ __ __ _ __ |
+// | / ___| |__ ___ ___| | __ | \/ | |/ / |
+// | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
+// | | |___| | | | __/ (__| < | | | | . \ |
+// | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
+// | |
+// | Copyright Mathias Kettner 2014 mk(a)mathias-kettner.de |
+// +------------------------------------------------------------------+
+//
+// This file is part of Check_MK.
+// The official homepage is at http://mathias-kettner.de/check_mk.
+//
+// check_mk is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by
+// the Free Software Foundation in version 2. check_mk is distributed
+// in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
+// out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+// PARTICULAR PURPOSE. See the GNU General Public License for more de-
+// tails. You should have received a copy of the GNU General Public
+// License along with GNU Make; see the file COPYING. If not, write
+// to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+// Boston, MA 02110-1301 USA.
+
+#include "TableEventConsoleRules.h"
+#include <memory>
+#include "Column.h"
+
+using std::make_unique;
+using std::string;
+
+TableEventConsoleRules::TableEventConsoleRules(MonitoringCore *mc)
+ : TableEventConsole(mc) {
+ addColumn(make_unique<StringEventConsoleColumn>(
+ "rule_id", "The ID of the rule"));
+
+ addColumn(make_unique<IntEventConsoleColumn>(
+ "rule_hits",
+ "The times rule matched an incoming message"));
+}
+
+string TableEventConsoleRules::name() const { return "eventconsolerules"; }
+
+string TableEventConsoleRules::namePrefix() const {
+ return "eventconsolerules_";
+}
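Review bot: The description string for `rule_hits`, "The times rule matched an incoming message", is ungrammatical and can be read as timestamps rather than a counter; since it is presumably surfaced as the column's documentation, I would write `"The number of times the rule matched an incoming message"`. The constructor also carries no comment on where the rule data comes from. Whether rows of this table are filtered by contact authorization is decided in `TableEventConsole`, outside this diff, and is worth confirming for a table that exposes rule IDs and hit counts.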
diff --git a/livestatus/src/TableEventConsoleRules.h b/livestatus/src/TableEventConsoleRules.h
new file mode 100644
index 0000000..180c579
--- /dev/null
+++ b/livestatus/src/TableEventConsoleRules.h
@@ -0,0 +1,40 @@
+// +------------------------------------------------------------------+
+// | ____ _ _ __ __ _ __ |
+// | / ___| |__ ___ ___| | __ | \/ | |/ / |
+// | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
+// | | |___| | | | __/ (__| < | | | | . \ |
+// | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
+// | |
+// | Copyright Mathias Kettner 2014 mk(a)mathias-kettner.de |
+// +------------------------------------------------------------------+
+//
+// This file is part of Check_MK.
+// The official homepage is at http://mathias-kettner.de/check_mk.
+//
+// check_mk is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by
+// the Free Software Foundation in version 2. check_mk is distributed
+// in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
+// out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+// PARTICULAR PURPOSE. See the GNU General Public License for more de-
+// tails. You should have received a copy of the GNU General Public
+// License along with GNU Make; see the file COPYING. If not, write
+// to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+// Boston, MA 02110-1301 USA.
+
+#ifndef TableEventConsoleRules_h
+#define TableEventConsoleRules_h
+
+#include "config.h" // IWYU pragma: keep
+#include <string>
+#include "TableEventConsole.h"
+class MonitoringCore;
+
+class TableEventConsoleRules : public TableEventConsole {
+public:
+ explicit TableEventConsoleRules(MonitoringCore *mc);
+ std::string name() const override;
+ std::string namePrefix() const override;
+};
+
+#endif // TableEventConsoleRules_h