search

munkireport / munkireport-php

A reporting tool for munki
MIT License
392 stars 138 forks source link

http auth basic broken on 5.8.0 with python 3.10 #1515

Open jstaubr opened 1 year ago

jstaubr commented 1 year ago

Hi,

after upgrading to the latest release with newer python I'm unable to upload new data to the server from my test client because I get 401 unauthorized. I'm using an MDM profile with MunkiReport payload containing the http basic token.

Downgrading back to 5.7.1 with python 2.7 makes the authentication and upload work.

5.8.0 client

    Requesting printer
    Authentication challenge for Host: xxxxx.cz Realm: None AuthMethod: NSURLAuthenticationMethodServerTrust
    Allowing OS to handle authentication request
    Authentication challenge for Host: xxxxx.cz Realm: Restricted Content AuthMethod: NSURLAuthenticationMethodHTTPBasic
    Allowing OS to handle authentication request
    Authentication challenge for Host: xxxxx.cz Realm: None AuthMethod: NSURLAuthenticationMethodServerTrust
    Allowing OS to handle authentication request
    Status: 401
    Headers: {'Server': 'nginx/1.20.2', 'Date': 'Fri, 23 Jun 2023 07:08:26 GMT', 'Content-Type': 'text/html; charset=iso-8859-1', 'Connection': 'keep-alive', 'Www-Authenticate': 'Basic realm="Restricted Content"', 'Content-Length': '468'}
    ERROR: https://xxxxx.cz/index.php?/report/hash_check failed, HTTP returncode 401 (unauthorized)

Server log

[23/Jun/2023:09:03:08 +0200] "POST /index.php?/report/hash_check HTTP/1.0" 401 703 "-" "Python/3.10.9 CFNetwork/1465.1 Darwin/23.0.0"
[23/Jun/2023:09:03:08 +0200] "POST /index.php?/report/hash_check HTTP/1.0" 401 703 "-" "Python/3.10.9 CFNetwork/1465.1 Darwin/23.0.0"

5.7.1 client

    Requesting printer
    connection_willSendRequestForAuthenticationChallenge_
    Authentication challenge for Host: xxxxx.cz Realm: None AuthMethod: NSURLAuthenticationMethodServerTrust
    Allowing OS to handle authentication request
    ...
    Sending items (109KB)

Server log

[23/Jun/2023:09:14:22 +0200] "POST /index.php?/report/hash_check HTTP/1.0" 200 401 "-" "Python/2.7.18 CFNetwork/1465.1 Darwin/23.0.0"
[23/Jun/2023:09:14:22 +0200] "POST /index.php?/report/check_in HTTP/1.0" 200 327 "-" "Python/2.7.18 CFNetwork/1465.1 Darwin/23.0.0"

Thanks :)

tuxudo commented 1 year ago

What is the exact key you have set that contains the HTTP auth? Do you see the proper config when you run sudo munkireport-runner --show-config when running MunkiReport 5.8?

jstaubr commented 1 year ago

This is the config:

AdditionalHttpHeaders: (
    "Authorization: Basic xxxxxxxxxxxxx="
) [MANAGED]
                BaseUrl: 'https://xxxxxx.cz/' [/Library/Preferences/MunkiReport.plist]
                FollowHTTPRedirects: False [/Library/Preferences/MunkiReport.plist]
                HttpConnectionTimeout:    60 [/Library/Preferences/MunkiReport.plist]
                LogFile: '/Library/MunkiReport/Logs/MunkiReport.log' [/Library/Preferences/MunkiReport.plist]
                LogToSyslog: False [/Library/Preferences/MunkiReport.plist]
                Passphrase:  None [not set]
                UseAdditionalHttpHeaders: False [/Library/Preferences/MunkiReport.plist]
                scriptTimeOut:    30 [/Library/Preferences/MunkiReport.plist]
                ...

The profile:

<dict>
  <key>PayloadContent</key>
  <dict>
    <key>MunkiReport</key>
    <dict>
      <key>Forced</key>
      <array>
        <dict>
          <key>mcx_preference_settings</key>
          <dict>
            <key>UseMunkiAdditionalHttpHeaders</key>
            <true/>
            <key>AdditionalHttpHeaders</key>
            <array>
              <string>Authorization: Basic xxxxxxxxxxxxx =</string>
            </array>
          </dict>
        </dict>
      </array>
    </dict>
  </dict>
....
tuxudo commented 1 year ago

There is a bug with this. Add the following to the mcx_preference_settings dict and it'll work correctly. A pull request for this has been filed. 


            <true/>```