topic Python SDK - getting username and password (without hard coding) in Splunk Search

Python SDK - getting username and password (without hard coding)

BernardEAI — Mon, 16 Nov 2020 12:41:15 GMT

I'm trying to get the username and password of the user calling a python script from the search bar in the Splunk UI. I need this to log into smtp to send an email (smtp.login(username, password)).

I need to make use of SCPv2, so the

results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

route is not an option. I can get the authenticated session connection via the self object (self.service). I though I should be able to get the username and password using "storage_passwords", however when I use that and output the username and password to the logger, I see the following:

Username:Windows_Usage``splunk_cred_sep``2 Password:``splunk_cred_sep``S``splunk_cred_sep``P``splunk_cred_sep``L``splunk_cred_sep``U``splunk_cred_sep``N``splunk_cred_sep``K``splunk_cred_sep``

It looks like the username and password is encrypted in some way? If I try to use those credentials, I get a "[HTTP 401] Client is not authenticated" error. Looking at the capabilities o the user, I see that "list_storage_passwords" is included.

Any ideas on how I can get the username and password? If I hardcode the username and password everything works, but I do not like to have passwords in script files.

Re: Python SDK - getting username and password (without hard coding)

Patrick_Peeters — Mon, 16 Nov 2020 13:11:59 GMT

I assume you tried something like this to get the output?

args = {'token': 'your_session_key'} service = client.connect(**args) for storage_password in service.storage_passwords: if storage_password.username == username and storage_password.realm == 'your_app': clear_pw = storage_password.content.clear_password

That works in my case. I've seen something like your output when analysing passwords/secrets that I used when coding using the Splunk Add-on Builder but it's been a long time so not sure if it's related.

Re: Python SDK - getting username and password (without hard coding)

BernardEAI — Mon, 16 Nov 2020 14:01:26 GMT

Hi @Patrick_Peeters

Thanks for the feedback. Correct, I used something very close to your code:

storage_passwords=self.service.storage_passwords for storage_password in service.storage_passwords: if storage_password.username == username and storage_password.realm == 'your_app': clear_pw = storage_password.content.clear_password

Incidentally, how do you get the session key? I do not need the key since the search command already gives me an authenticated session connection via the self object. However I can't seem to get the value of sessionKey from the self object. If I could get the session key there would be another route to get the password.

Re: Python SDK - getting username and password (without hard coding)

Patrick_Peeters — Mon, 16 Nov 2020 22:04:54 GMT

I got it by importing the Script class and using the following line:

from splunklib.modularinput import Script, Scheme, Argument, Event session_key = self._input_definition.metadata["session_key"]

Re: Python SDK - getting username and password (without hard coding)

BernardEAI — Tue, 17 Nov 2020 11:13:42 GMT

@Patrick_Peeters I have determined that those passwords are encrypted, and for some reason they are not decrypted correctly.

I have now added my own username and password to a passwords.conf file in my app/local folder. I can now see that username and password if I run

storage_passwords=self.service.storage_passwords for credential in storage_passwords: usercreds = {'username':credential.content.get('username'),'password':credential.content.get('clear_password')}

Initially the passwords I added were not encrypted, which is not very secure. I managed to generate an encrypted passwords by using an API call:

curl -k -u admin:<admin_password> https://<splunk_host>:8089/servicesNS/nobody/<app_name>/storage/passwords -d name=<username> -d password=<password>