splunk / splunk-sdk-python

Splunk Software Development Kit for Python
http://dev.splunk.com
Apache License 2.0
687 stars 369 forks source link

User property role_entities does not check if role exists #527

Closed seiimonn closed 5 months ago

seiimonn commented 1 year ago

Describe the bug:

As Splunk allows users to have nonexistent roles, calling role_entities on a user with assigned roles that do not exist leads to exceptions.

Defective code:

class User(Entity):
    """This class represents a Splunk user.
    """
    @property
    def role_entities(self):
       """Returns a list of roles assigned to this user.

       :return: The list of roles.
       :rtype: 
       """
       return [self.service.roles[name] for name in self.content.roles]

Possible solution:

class User(Entity):
    """This class represents a Splunk user.
    """
    @property
    def role_entities(self):
        """Returns a list of roles assigned to this user.

        :return: The list of roles.
        :rtype: 
        """
        all_role_names = [r.name for r in self.service.roles.list()]
        return [self.service.roles[name] for name in self.content.roles if name in all_role_names]

Or with (I suppose more calls to the API):

        # Membership test against the roles collection, not the user's own role list
        return [self.service.roles[name] for name in self.content.roles if name in self.service.roles]


akaila-splunk commented 1 year ago

Hi @seiimonn, sorry for the delay in response. We are unable to reproduce the issue on our end with a similar environment. Also, can you please elaborate more on how Splunk allows users to have nonexistent roles? That may help us to reproduce the issue.

seiimonn commented 1 year ago

Hi @akaila-splunk, it's a bit tricky to reproduce. I was only able to get this situation once and I think the order was the following.

Somehow the role is still in the user's roles even though it does not exist anymore in the system. But in general I think it makes sense to check if an object exists before getting it from the API.

akaila-splunk commented 1 year ago

Hi @seiimonn, we have tried the steps below, but couldn't reproduce the issue.

  1. Set up the LDAP server with a couple of test users and assigned them to a group.
  2. Configured Splunk with LDAP using the UI: Settings > Authentication method > set it to LDAP.
  3. Created new roles and added them to the user group, which mapped the roles to the LDAP users.
  4. After that, deleted the roles from the UI.

Note - When we verified the user roles through code and UI, the deleted role was not present. So please let us know if we have missed any step while reproducing the issue.

ashah-splunk commented 6 months ago

Hi @seiimonn, sorry for the delay, but we have published a new version of the Python SDK, v2.0.1, with the suggested change. Request you to test with the latest SDK and let us know if the issue is resolved. Thanks

ashah-splunk commented 5 months ago

Closing the Issue as we haven't received any response. @seiimonn please reopen the Issue if you are still facing the issue.
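
The check discussed in this thread, as an added example that is not part of the issue or of the SDK's code: it resolves a user's roles with one `roles.list()` call like the proposed fix, but also returns the names that no longer resolve, so stale role assignments can be reviewed instead of silently dropped. `FakeRoles`, `make_service`, `resolve_roles` and `audit_dangling_roles` are hypothetical names; the stand-in objects are constructed to mimic only the attributes used in the issue (`service.roles[name]`, `service.roles.list()`, `user.content.roles`, `.name`), and `service.users` is assumed to be iterable.

```python
from types import SimpleNamespace


class FakeRoles(dict):
    """Constructed stand-in for service.roles: lookup by name plus list()."""

    def list(self):
        return list(self.values())


def make_service(role_names, users):
    """Build a constructed stand-in for a connected Service (no network)."""
    roles = FakeRoles((n, SimpleNamespace(name=n)) for n in role_names)
    user_objs = [
        SimpleNamespace(name=u, content=SimpleNamespace(roles=list(r)))
        for u, r in users.items()
    ]
    return SimpleNamespace(roles=roles, users=user_objs)


def resolve_roles(service, user):
    """Split a user's role names into (role entities, dangling names).

    Uses a single roles.list() call, as in the issue's proposed fix, but
    keeps the names that do not resolve rather than discarding them.
    """
    known = {r.name: r for r in service.roles.list()}
    names = list(user.content.roles)
    resolved = [known[n] for n in names if n in known]
    dangling = [n for n in names if n not in known]
    return resolved, dangling


def audit_dangling_roles(service):
    """Map user name -> dangling role names, for users that have any."""
    report = {}
    for user in service.users:
        _, dangling = resolve_roles(service, user)
        if dangling:
            report[user.name] = dangling
    return report


# Constructed sample data: "ldap_ops" is assigned to bob but is not defined.
SERVICE = make_service(
    role_names=["admin", "user"],
    users={"alice": ["admin", "user"], "bob": ["user", "ldap_ops"]},
)

if __name__ == "__main__":
    print(audit_dangling_roles(SERVICE))
```
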