[checkmk-commits] Check_MK Git: check_mk: New option auth_by_http_header to use the value of a HTTP header variable for authentication (Useful in reverse proxy environments)

Module: check_mk Branch: master Commit: 0e24304a1458e3725927b34fba74c64f83538ee1 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=0e24304a1458e3… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Mon Feb 25 12:36:14 2013 +0100 New option auth_by_http_header to use the value of a HTTP header variable for authentication (Useful in reverse proxy environments) --- ChangeLog | 2 ++ web/htdocs/config.py | 3 +++ web/htdocs/login.py | 24 ++++++++++++++++++------ web/htdocs/sidebar.py | 2 +- web/plugins/wato/check_mk_configuration.py | 23 +++++++++++++++++++++++ 5 files changed, 47 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 33d673e..c5e27bc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,8 @@ Multisite: * New availability view for arbitrary host/service collections + * New option auth_by_http_header to use the value of a HTTP header + variable for authentication (Useful in reverse proxy environments) Event Console: * New rule feature: automatically delete event after actions diff --git a/web/htdocs/config.py b/web/htdocs/config.py index 6e94a1f..bf8c5b0 100644 --- a/web/htdocs/config.py +++ b/web/htdocs/config.py @@ -561,6 +561,9 @@ def load_default_values(into): # Maximum livetime of unmodified selections into["selection_livetime"] = 3600 + # Configure HTTP header to read usernames from + into["auth_by_http_header"] = False + # ____ ___ # | __ )_ _| # | _ \| | diff --git a/web/htdocs/login.py b/web/htdocs/login.py index 8af8b71..4c4d7b6 100644 --- a/web/htdocs/login.py +++ b/web/htdocs/login.py @@ -91,6 +91,14 @@ def set_auth_cookie(username, serial): def get_cookie_value(): return auth_cookie_value(config.user_id, load_serial(config.user_id)) +def renew_cookie(cookie_name, username, serial): + # Do not renew if: + # a) The _ajaxid var is set + # b) A logout is requested + if (html.req.myfile != 'logout' or html.has_var('_ajaxid')) \ + and cookie_name == site_cookie_name(): + set_auth_cookie(username, serial) + def check_auth_cookie(cookie_name): username, issue_time, cookie_hash = html.cookie(cookie_name, '::').split(':', 2) @@ -110,12 +118,7 @@ def check_auth_cookie(cookie_name): raise MKAuthException(_('Invalid credentials')) # Once reached this the cookie is a good one. Renew it! - # Do not renew if: - # a) The _ajaxid var is set - # b) A logout is requested - if (html.req.myfile != 'logout' or html.has_var('_ajaxid')) \ - and cookie_name == site_cookie_name(): - set_auth_cookie(username, serial) + renew_cookie(cookie_name, username, serial) # Return the authenticated username return username @@ -135,6 +138,15 @@ def check_auth(): if html.var("_secret"): return check_auth_automation() + # When http header auth is enabled, try to read the username from the var + # and when there is some available, set the auth cookie (for other addons) and proceed. + if config.auth_by_http_header: + username = html.req.headers_in.get(config.auth_by_http_header, None) + if username: + serial = load_serial(username) + renew_cookie(site_cookie_name(), username, serial) + return username + for cookie_name in html.get_cookie_names(): if cookie_name.startswith('auth_'): try: diff --git a/web/htdocs/sidebar.py b/web/htdocs/sidebar.py index 473521c..fb990f5 100644 --- a/web/htdocs/sidebar.py +++ b/web/htdocs/sidebar.py @@ -142,7 +142,7 @@ def sidebar_foot(): html.icon_button("user_profile.py", _("Edit your personal settings, change your password"), "sidebar_settings", target="main") # html.write('<li><a class=profile target="main" href="user_profile.py" title="%s"></a></li>' % _('Edit user profile')) - if config.may("general.logout"): + if config.may("general.logout") and not config.auth_by_http_header: html.icon_button("logout.py", _("Log out"), "sidebar_logout", target="_top") # html.write('<li><a class=logout target="_top" href="logout.py" title="%s"></a></li>' % _('Logout')) html.write('</ul>') diff --git a/web/plugins/wato/check_mk_configuration.py b/web/plugins/wato/check_mk_configuration.py index bd20672..b0e4c4c 100644 --- a/web/plugins/wato/check_mk_configuration.py +++ b/web/plugins/wato/check_mk_configuration.py @@ -297,6 +297,29 @@ register_configvar(group, "details for each executed compilation.")), domain = "multisite") +register_configvar(group, + "auth_by_http_header", + Optional( + TextAscii( + label = _("HTTP Header Variable"), + help = _("Configure the name of the environment variable to read " + "from the incoming HTTP requests"), + default_value = 'REMOTE_USER', + ), + title = _("Authenticate users by incoming HTTP requests"), + label = _("Activate HTTP header authentication (Warning: Only activate " + "in trusted environments, see help for details)"), + help = _("If this option is enabled, multisite reads the configured HTTP header " + "variable from the incoming HTTP request and simply takes the string " + "in this variable as name of the authenticated user. " + "Be warned: Only allow access from trusted ip addresses " + "(Apache <tt>Allow from</tt>), like proxy " + "servers, to this webpage. A user with access to this page could simply fake " + "the authentication information. This option can be useful to " + " realize authentication in reverse proxy environments.") + ), + domain = "multisite") + # .----------------------------------------------------------------------. # | _ _ __ __ _ | # | | | | |___ ___ _ __ | \/ | __ _ _ __ ___ | |_ |