BUG: REST API User handling broken for some attributes

MHK · December 7, 2021, 9:17pm

Hi,

I was using the (old, deprecated) WebAPI to fully generate an automated setup by an external (predefined) configuration. In this setup everything is configured by a python script using via API (using GitHub - brennerm/check-mk-web-api: Python library to talk to the Check_Mk Web API).

This worked quite well until 2.0.0p15, where the user creation stopped working, which forced me to fork the WebAPI-Lib or migrate to the REST API.
At this point I found out, that not all user properties are populated by the REST API and even worse: Setting them causes an error -.-

Did I miss something? Is there a “additional config” field or something like that?
The fields I tried to configure (configured with the old WebAPI):

‘enforce_pw_change’: False, (at least!)
‘icons_per_item’: ‘entry’,
‘ui_sidebar_position’: ‘left’

RuntimeError: ("{'title': 'Bad Request', 'status': 400, 'detail': 'These fields have problems: icons_per_item, enforce_pw_change, ui_sidebar_position', 'fields': {'icons_per_item': ['Unknown field.'], 'enforce_pw_change': ['Unknown field.'], 'ui_sidebar_position': ['Unknown field.']}}")

Any help / fix is appreciated

Best regards,
Michael

MHK · December 13, 2021, 8:49pm

Any chances to get a reply here?

May be I should workaround the whole problem the hard (old) way and start editing / generate config files again, at least there are no hidden options (or fancy bugs introduced in a new patch release)

andreas-doehler · December 13, 2021, 10:00pm

If no one uses this functions then the probability is small
I had a look at the interactive API gui and got some strange results.
As you found out the “enforce_pw_change” is rejected as a unknown field. You can use “enforce_password_change” but the transferred value is not used anywhere → BUG

I think the problem can be found inside this file
cmk/gui/plugins/openapi/restful_objects/request_schemas.py
If the UpdateUser class is changed/extended with the right attributes it will work.

The other two options are completely not available thru the API.
Funny fact - inside the tests files you find all the options you want to set.
from tests/unit/cmk/gui/plugins/openapi/test_openapi_user.py

MHK · December 13, 2021, 10:40pm

Thanks for the answer (and the re-classification of the topic).

I know that my use case is a little bit uncommon, but I did not know, that this is a community only forum, I expected some developer presence here, too (at least because the possiblity of bug reports or possible improvement requests/ideas).

And another thanks for the digging, too. As far as I can see, the CreateUser class must be extended(, too), the UpdateUser class contains at least the enforce_password_change parameter. But I found this:

# The interface options must be set for a new user but we restrict the setting through the API

github.com

Checkmk/checkmk/blob/v2.0.0p16/cmk/gui/plugins/openapi/endpoints/user_config.py#L84


      
                    'cmk/create',
                    method='post',
                    etag='output',
                    request_schema=request_schemas.CreateUser,
                    response_schema=response_schemas.DomainObject)
          def create_user(params):
              """Create a user"""
              api_attrs = params['body']
              username = api_attrs['username']
          
              # The interface options must be set for a new user but we restrict the setting through the API
              internal_attrs: Dict[str, Any] = {
                  "ui_theme": None,
                  "ui_sidebar_position": None,
                  "nav_hide_icons_title": None,
                  "icons_per_item": None,
                  "show_mode": None,
                  "start_url": None,
                  "force_authuser": False,
                  "enforce_pw_change": False,
              }

PS: checkmk/cmk/gui/plugins/openapi/endpoints/user_config.py at v2.0.0p16 · Checkmk/checkmk · GitHub confuses me even more.

r.sander · December 14, 2021, 9:36am

Sometimes I get the impression that the team working on the REST API is completely separate from the rest of the checkmk developers and do not know anything about the application, @LaMi …

ChristophRauch · December 15, 2021, 8:48am

Hello,

this is definitely a bug and the fix has been added to our queue for the 2.0.0p18 release.

The internal ticket number is CMK-9253.

Best Regards,
Christoph Rauch

Main Developer REST API

MHK · December 15, 2021, 9:07am

Many thanks. I will provide feedback after release (and the update of my environment, probably next year ).

MHK · December 15, 2021, 4:11pm

I did some digging by myself and found this:

github.com

tribe29/checkmk/blob/7b90b5a4974b91f502be767edf311fa94806cc5c/cmk/gui/plugins/openapi/endpoints/user_config.py#L373

    
      
          
          
def _update_auth_options(internal_attrs, auth_options: AuthOptions, new_user=False):
              if not auth_options:
                  return internal_attrs
          
          
    if auth_options.get("auth_type") == "remove":
                  internal_attrs.pop("automation_secret", None)
                  internal_attrs.pop("password", None)
              else:
                  internal_auth_attrs = _auth_options_to_internal_format(
                      auth_options, enforce_pw_change=new_user
                  )
                  if internal_auth_attrs:
                      if "automation_secret" not in internal_auth_attrs:  # new password
                          internal_attrs.pop("automation_secret", None)
                      # Note: changing from password to automation secret leaves enforce_pw_change
                      internal_attrs.update(internal_auth_attrs)
          
          
            if new_user:
                          internal_attrs["serial"] = 1
              return internal_attrs

which leads to this:

github.com

tribe29/checkmk/blob/7b90b5a4974b91f502be767edf311fa94806cc5c/cmk/gui/plugins/openapi/endpoints/user_config.py#L418

    
      
          
          
    if auth_details["auth_type"] == "automation":
                  secret = auth_details["secret"]
                  auth_options["automation_secret"] = secret
                  auth_options["password"] = htpasswd.hash_password(secret)
              else:  # password
                  auth_options["password"] = htpasswd.hash_password(auth_details["password"])
                  auth_options["last_pw_change"] = int(time.time())
          
          
        # this can be configured in WATO but we enforce this here
                  if enforce_pw_change:
                      auth_options["enforce_pw_change"] = True
          
          
    return auth_options
          
          

          
IdleDetails = TypedDict(
              "IdleDetails",
              {
                  "option": Literal["disable", "individual", "global"],
                  "duration": int,

And that is the point, were at least the previously set password is worthless. May be this helps a little bit.

Eventhough it would be nice to configure the behaviour in general.

And here is my patch, which solves at least my problem.

request_schemas.py:

@@ -1285,6 +1285,25 @@
         enum=["de", "en", "ro"],
     )

+    enforce_pw_change = fields.Bool(
+        required=False,
+        description="Enforce the password change on next login. This has no effect if you remove "
+        "the authentication option",
+        example=False,
+    )
+
+    icons_per_item = fields.String(
+        required=False,
+        description="",
+        example="entry",
+    )
+
+    ui_sidebar_position = fields.String(
+        required=False,
+        description="",
+        example="left",
+    )
+

 class UpdateUser(BaseSchema):
     fullname = fields.String(
@@ -1307,7 +1326,7 @@
         },
         missing=dict,
     )
-    enforce_password_change = fields.Bool(
+    enforce_pw_change = fields.Bool(
         required=False,
         description="Enforce the password change on next login. This has no effect if you remove "
         "the authentication option",

user_config.py:

@@ -339,8 +339,12 @@
         internal_attrs.pop("automation_secret", None)
         internal_attrs.pop("password", None)
     else:
+        changepw=new_user
+        if auth_options["password"] != "":
+            changepw=False
+
         internal_auth_attrs = _auth_options_to_internal_format(auth_options,
-                                                               enforce_pw_change=new_user)
+                                                               enforce_pw_change=changepw)
         if internal_auth_attrs:
             if "automation_secret" not in internal_auth_attrs:  # new password
                 internal_attrs.pop("automation_secret", None)

system · December 15, 2022, 4:12pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.