Module: check_mk
Branch: master
Commit: 095dc7d63c4c9a92e633e61eaed6adf9a8a7ae2a
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=095dc7d63c4c9a…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jan 17 16:56:27 2017 +0100
4280 FIX Interactive login is now denied for automation users
It was possible to log into the Check_MK GUI interactively (using the login form)
as automation user. This was never intended and was a bug.
Automation users are only meant to authenticate with the GUI for a single page or API
call using the URL variables (<tt>_username</tt> and
<tt>_secret</tt>).
If you want to log in interactively to access multiple pages, you need a "normal"
user that has a password configured instead of an automation secret.
Change-Id: I6901bdb04a34ab1c4d170f0dbff8e08bc35c29f0
---
.werks/4280 | 16 ++++++++++++++++
ChangeLog | 1 +
web/htdocs/userdb.py | 4 ++++
web/plugins/userdb/htpasswd.py | 3 +++
4 files changed, 24 insertions(+)
diff --git a/.werks/4280 b/.werks/4280
new file mode 100644
index 0000000..9ed838e
--- /dev/null
+++ b/.werks/4280
@@ -0,0 +1,16 @@
+Title: Interactive login is now denied for automation users
+Level: 1
+Component: multisite
+Compatible: compat
+Version: 1.4.0i4
+Date: 1484667468
+Class: fix
+
+It was possible to log into the Check_MK GUI interactively (using the login form)
+as automation user. This was never intended and was a bug.
+
+Automation users are only meant to authenticate with the GUI for a single page or API
+call using the URL variables (<tt>_username</tt> and
<tt>_secret</tt>).
+
+In case you want to login interactively to access multiple pages, you need a
"normal"
+user that has a password configured instead of an automation secret.
diff --git a/ChangeLog b/ChangeLog
index 4d64795..bbe59da 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -69,6 +69,7 @@
* 4220 FIX: WATO folder filter: improve output of unknown folders
* 4226 FIX: Custom inventory painters are now correctly loaded when declared with
inventory_displayhints
* 4228 FIX: Context links to HW/SW inventory views are only shown when useful
+ * 4280 FIX: Interactive login is now denied for automation users...
WATO:
* 4142 New extended search dialog for rulesets and rules...
diff --git a/web/htdocs/userdb.py b/web/htdocs/userdb.py
index beff081..3ca11ad 100644
--- a/web/htdocs/userdb.py
+++ b/web/htdocs/userdb.py
@@ -212,6 +212,10 @@ def create_non_existing_user(connection_id, username):
hook_sync(connection_id = connection_id, only_username = username)
+def is_automation_user(user_id):
+ return os.path.isfile(cmk.paths.var_dir + "/web/" +
user_id.encode("utf-8") + "/automation.secret")
+
+
# This function is called very often during regular page loads so it has to be efficient
# even when having a lot of users.
#
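Review bot: The added `is_automation_user` builds a filesystem path directly from `user_id` and only asks `os.path.isfile`, so a caller that passes an unvalidated name (one containing `/` or `..`) can probe for an `automation.secret` file under any directory reachable from var_dir, and such a name is never a legitimate per-user directory anyway. The one caller added in this commit does check `username in users` first, which bounds the input to htpasswd entries, but this is a module-level helper that will be reused from places without that guard. I would reject those ids before touching the filesystem, `if not user_id or "/" in user_id or user_id in (".", ".."): return False`, and state the contract in a docstring such as `"""True if var_dir/web/<user_id>/automation.secret exists; user_id must be a validated user name."""`. The `.encode("utf-8")` suggests a Python 2 unicode `user_id`; if a byte string with non-ASCII content can reach this function the implicit decode would raise, which is worth confirming against the callers.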
diff --git a/web/plugins/userdb/htpasswd.py b/web/plugins/userdb/htpasswd.py
index ab20287..4265547 100644
--- a/web/plugins/userdb/htpasswd.py
+++ b/web/plugins/userdb/htpasswd.py
@@ -63,6 +63,9 @@ class HtpasswdUserConnector(UserConnector):
if username not in users:
return None # not existing user, skip over
+ if is_automation_user(username):
+ raise MKUserError(None, _("Automation user rejected"))
+
if self.password_valid(users[username], password):
return username
else:
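Review bot: The new check runs before `password_valid` and raises an `MKUserError` whose message differs from the wrong-password outcome, so anyone with access to the login form can learn whether a given name is an automation user without knowing any secret, which turns the fix into a username oracle. Since the thing to deny is a successful interactive login, not the attempt, I would move the `if is_automation_user(username):` block inside the `if self.password_valid(users[username], password):` branch, immediately before `return username`, so the rejection is only ever seen by a client that already holds the automation secret; a unauthenticated failure then stays indistinguishable from a bad password. A short comment on that block, `# Automation users may only authenticate per request via _username/_secret, never via the login form`, would record why the connector refuses a credential it has just verified. The enclosing method starts and ends outside this hunk, and whether other user connectors could still let a user with an automation.secret log in interactively is not visible here.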