[checkmk-commits] 4280 FIX Interactive login is now denied for automation users

Module: check_mk Branch: master Commit: 095dc7d63c4c9a92e633e61eaed6adf9a8a7ae2a URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=095dc7d63c4c9a… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Tue Jan 17 16:56:27 2017 +0100 4280 FIX Interactive login is now denied for automation users It was possible to log into the Check_MK GUI interactively (using the login form) as automation user. This was never intended and was a bug. Automation users are only meant to authenticate with the GUI for a single page or API call using the URL variables (<tt>_username</tt> and <tt>_secret</tt>). In case you want to login interactively to access multiple pages, you need a "normal" user that has a password configured instead of an automation secret. Change-Id: I6901bdb04a34ab1c4d170f0dbff8e08bc35c29f0 --- .werks/4280 | 16 ++++++++++++++++ ChangeLog | 1 + web/htdocs/userdb.py | 4 ++++ web/plugins/userdb/htpasswd.py | 3 +++ 4 files changed, 24 insertions(+) diff --git a/.werks/4280 b/.werks/4280 new file mode 100644 index 0000000..9ed838e --- /dev/null +++ b/.werks/4280 @@ -0,0 +1,16 @@ +Title: Interactive login is now denied for automation users +Level: 1 +Component: multisite +Compatible: compat +Version: 1.4.0i4 +Date: 1484667468 +Class: fix + +It was possible to log into the Check_MK GUI interactively (using the login form) +as automation user. This was never intended and was a bug. + +Automation users are only meant to authenticate with the GUI for a single page or API +call using the URL variables (<tt>_username</tt> and <tt>_secret</tt>). + +In case you want to login interactively to access multiple pages, you need a "normal" +user that has a password configured instead of an automation secret. diff --git a/ChangeLog b/ChangeLog index 4d64795..bbe59da 100644 --- a/ChangeLog +++ b/ChangeLog @@ -69,6 +69,7 @@ * 4220 FIX: WATO folder filter: improve output of unknown folders * 4226 FIX: Custom inventory painters are now correctly loaded when declared with inventory_displayhints * 4228 FIX: Context links to HW/SW inventory views are only shown when useful + * 4280 FIX: Interactive login is now denied for automation users... WATO: * 4142 New extended search dialog for rulesets and rules... diff --git a/web/htdocs/userdb.py b/web/htdocs/userdb.py index beff081..3ca11ad 100644 --- a/web/htdocs/userdb.py +++ b/web/htdocs/userdb.py @@ -212,6 +212,10 @@ def create_non_existing_user(connection_id, username): hook_sync(connection_id = connection_id, only_username = username) +def is_automation_user(user_id): + return os.path.isfile(cmk.paths.var_dir + "/web/" + user_id.encode("utf-8") + "/automation.secret") + + # This function is called very often during regular page loads so it has to be efficient # even when having a lot of users. # diff --git a/web/plugins/userdb/htpasswd.py b/web/plugins/userdb/htpasswd.py index ab20287..4265547 100644 --- a/web/plugins/userdb/htpasswd.py +++ b/web/plugins/userdb/htpasswd.py @@ -63,6 +63,9 @@ class HtpasswdUserConnector(UserConnector): if username not in users: return None # not existing user, skip over + if is_automation_user(username): + raise MKUserError(None, _("Automation user rejected")) + if self.password_valid(users[username], password): return username else: