All Set-Cookie responses incorrectly assumed to be auth cookies #438

Closed
bendikro opened this issue Mar 7, 2022 · 8 comments

@bendikro

bendikro commented Mar 7, 2022

In short:
splunklib expects any Set-Cookie to be an auth cookie from Splunk. This is a problem when authenticating with a bearer token.

When hosting Splunk behind a load balancer like F5, which sets its own Set-Cookie in the response for connection persistence (stickiness), the Set-Cookie in the response from F5 will be included in the request headers instead of the Splunk bearer token due to the logic in splunklib/binding.py#L520.

When authenticating with user/pass, this makes sense, since the Splunk API responds with a Set-Cookie for the session token (splunkd_8089). With a bearer token, Splunk does not respond with a session token; however, the _auth_headers function seems to expect any Set-Cookie to be a session token.

The result is that, with bearer token authentication, requests to the Splunk API after the initial request will fail with "Request failed: Session is not logged in".

To Reproduce

  1. Host Splunk behind F5 with stickiness enabled (or any middleware that adds a Set-Cookie to the HTTP response)
  2. Create a splunklib.client.Service with bearer token authentication
  3. Perform a call that requires authentication and see that it fails

import splunklib.client

client = splunklib.client.Service(host='..', splunkToken='XXXX')
client.info()

Expected behavior
Authentication should work

Workaround
By passing the Splunk token header manually, splunklib will include both the stickiness cookie as well as the Splunk token in the requests.

client = splunklib.client.Service(host='..', splunkToken='XXXX', headers=[('Authorization', 'Splunk {}'.format('<token>'))])
client.info()

Splunk:

  • Version: Any, presumably

SDK:

  • Version: Tested with 1.6.16
@akaila-splunk
Contributor

Thanks for reporting this issue with the detailed information, we'll investigate it and try to provide a fix.

@ashah-splunk
Contributor

Hi @bendikro, we have added the fix and it will be available in the next release. Reference

@bendikro
Author

bendikro commented Apr 27, 2022

Thanks, that solves the authentication problem. However, the fix does not take the Set-Cookie from the middleware into consideration. Any non-auth-cookies in self.http._cookies are no longer included in the requests unless there is an auth cookie as well.

@ashah-splunk
Contributor

@bendikro we would request you to use the latest Python SDK and let us know if it resolves the issue.

@bendikro
Author

bendikro commented Jun 22, 2022

> @bendikro we would request you to use the latest Python SDK and let us know if it resolves the issue.

Hi

Version 1.7.0 gives TypeError due to this change: https://github.com/splunk/splunk-sdk-python/pull/463/files#diff-701b42a0245cf832be44eb595d99bef52b3afca77ae631caa24643ed1ea6c4f3R547

Btw, why would you be calling __len__ directly on https://github.com/splunk/splunk-sdk-python/pull/463/files#diff-701b42a0245cf832be44eb595d99bef52b3afca77ae631caa24643ed1ea6c4f3R546?
if self.get_cookies(): should be sufficient?

@ashah-splunk
Contributor

Hi @bendikro, we have fixed the TypeError and it will be available in the next release. Reference

@ashah-splunk
Contributor

@bendikro we would request you to use the latest Python SDK release. We have fixed the code for TypeError and also considered your suggestion in the fix. Please let us know if it resolves your issue. Thanks!

@bendikro
Author

> @bendikro we would request you to use the latest Python SDK release. We have fixed the code for TypeError and also considered your suggestion in the fix. Please let us know if it resolves your issue. Thanks!

Seems to be working now with version 1.7.1. Thanks!
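
An added example, not code from the SDK or from anyone in this thread: a simplified Python model of the three header-selection behaviours discussed above (any stored cookie treated as a session, cookies sent only alongside an auth cookie, and cookies plus token sent together). The function names, the `splunkd_` prefix test, the `Bearer` scheme and the sample cookie values are assumptions made for illustration.

```python
# Simplified model of the header selection discussed in this issue.
# Not the SDK's code: names, the prefix test and the Bearer scheme are assumptions.
AUTH_COOKIE_PREFIX = "splunkd_"  # assumption, from the splunkd_8089 cookie named above


def cookie_header(cookies):
    """Serialize a cookie jar (dict) into one Cookie header value."""
    return "; ".join(f"{k}={v}" for k, v in sorted(cookies.items()))


def has_auth_cookie(cookies):
    """True only if the jar holds a session cookie, not just middleware cookies."""
    return any(name.startswith(AUTH_COOKIE_PREFIX) for name in cookies)


def headers_any_cookie(cookies, bearer_token=None):
    """Reported behaviour: any stored cookie replaces the Authorization header."""
    if cookies:
        return [("Cookie", cookie_header(cookies))]
    if bearer_token:
        return [("Authorization", f"Bearer {bearer_token}")]
    return []


def headers_auth_cookie_only(cookies, bearer_token=None):
    """Behaviour described in the follow-up: cookies go out only with an auth cookie."""
    if has_auth_cookie(cookies):
        return [("Cookie", cookie_header(cookies))]
    if bearer_token:
        return [("Authorization", f"Bearer {bearer_token}")]
    return []


def headers_both(cookies, bearer_token=None):
    """Treat the credential and the middleware cookies as independent concerns."""
    headers = []
    if cookies:
        headers.append(("Cookie", cookie_header(cookies)))
    if not has_auth_cookie(cookies) and bearer_token:
        headers.append(("Authorization", f"Bearer {bearer_token}"))
    return headers


# Constructed sample jars: a load-balancer persistence cookie alone, and with a session.
LB_ONLY = {"lb_persist": "constructed-value"}
SESSION = {"lb_persist": "constructed-value", "splunkd_8089": "constructed-session"}
```

With `LB_ONLY` and a token, the first function drops the credential, the second drops the persistence cookie, and the third sends both.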
