CiscoDNA IPAM breaks authentication for all workflows #134

@techpriest002

Description

Incorporating the code from CiscoDNA/ipam/ipam_page.py into an existing Integrity Gateway platform with existing API workflows breaks the ability to authenticate with all workflows. The existing workflows have the @util.rest_workflow_permission_required decorator applied.

Steps to Reproduce

  1. Create an Integrity Gateway 21.8.1 installation with API workflows utilizing the @util.rest_workflow_permission_required decorator
  2. Install the CiscoDNA IPAM driver
  3. Attempt to interact with any API workflows.

Current behavior

The problem code appears to be this section:

@app.before_request
def my_before_request():
    token = request.headers.get('auth')
    if token is not None:
        u = get_user_from_session(token)
        g.user = u
        g.use_rest = True
        if u:
            g.user.logger.debug(request)

The following lines always return None, and set the g.user object to None:

u = get_user_from_session(token)
g.user = u

Attempting to use any API endpoint results in an HTTP 401 error with the following API payload:

{
    "message": "The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required."
}

Fix

In our installation, removing the entire @app.before_request section resolved our issue. This section seems to be an unnecessary and broken implementation of code already incorporated in the Gateway product at portal/app.py. The relevant section in app.py follows:

@app.before_request
def before_request():
    """ Before each request hook"""
    g.config = config
    g.use_rest = True
    if request.user_agent.browser:
        g.use_rest = False
    g.url_hit = urlparse(request.url).path
    g.path = request.path.strip("/")

    user, use_rest = _get_user_from_request(request)
    if user is None:
        user, use_rest = _get_user_from_session(session)
    else:
        session["access_token"] = user.get_unique_name()
        session["username"] = user.get_username()
        session["bam_url"] = user.get_api().get_url()

    g.user = user
    if use_rest is not None:
        g.use_rest = use_rest

    log_endpoint(f"Endpoint {request.path} retrieved by {request.remote_addr}")
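
The failure mode reported in this issue, reduced to a stand-alone Python model (an added example, not code from the issue, the driver or the Gateway product). It assumes the driver's hook is registered after the platform's hook and that hooks run in registration order; the hook chain, token table and function names are hypothetical stand-ins, and the guarded variant is one possible alternative to removing the hook.

```python
# Pure-Python stand-in for a Flask before_request chain; every name here is
# hypothetical except g.user, g.use_rest and the 'auth' header from the issue.
from types import SimpleNamespace

VALID_TOKENS = {"constructed-token": "alice"}   # constructed sample data


def platform_hook(g, headers):
    """Platform hook: resolves the user from the request's 'auth' header."""
    g.user = VALID_TOKENS.get(headers.get("auth"))
    g.use_rest = True


def broken_lookup(token):
    """Models the lookup the issue reports as always returning None."""
    return None


def driver_hook_clobbering(g, headers):
    """Same shape as the reported hook: assigns g.user unconditionally."""
    token = headers.get("auth")
    if token is not None:
        g.user = broken_lookup(token)
        g.use_rest = True


def driver_hook_guarded(g, headers):
    """Variant that never replaces an already-resolved user with None."""
    token = headers.get("auth")
    if token is not None and getattr(g, "user", None) is None:
        user = broken_lookup(token)
        if user is not None:
            g.user = user


def handle(hooks, headers):
    """Run hooks in registration order, then model the permission check."""
    g = SimpleNamespace(user=None, use_rest=False)
    for hook in hooks:
        hook(g, headers)
    return (200, g.user) if g.user is not None else (401, None)


if __name__ == "__main__":
    req = {"auth": "constructed-token"}
    print(handle([platform_hook], req))                          # platform only
    print(handle([platform_hook, driver_hook_clobbering], req))  # driver added
    print(handle([platform_hook, driver_hook_guarded], req))     # guarded hook
```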
