Hello, I am trying to get a custom API endpoint to work, but I am getting CSRF errors when posting any data to it:
401 (Splunk cannot authenticate the request. CSRF validation failed.)
My endpoint looks like this (my_app/bin/test.py):
#!/usr/bin/python
import os
import csv
import splunk
class Echo(splunk.rest.BaseRestHandler):
def handle_GET(self):
self.response.setStatus(200)
self.response.write('session: ' + self.sessionKey + '\n')
for key, value in self.request["headers"].iteritems():
self.response.write(key + ': ' + value + '\n')
handle_POST = handle_GET
Splunk restmap.conf (my_app/default/restmap.conf):
[script:echo]
match=/echo
handler=test.Echo
Splunk web.conf (my_app/default/web.conf):
[expose:echo]
pattern=echo
methods=GET,POST
I've tried communicating with the API two different ways:
Over port 8000 (POST not working)
Over port 8089 (POST and GET working)
My log (/opt/splunk/var/log/splunk/splunkd.log) keeps saying this: ERROR UiAuth - Request from xxx.xxx.xxx.xxx to "/en-US/splunkd/__raw/services/echo" failed CSRF validation -- expected "5038769918656995927", but instead cookie had "5038769918656995927" and form parameter had ""
What I've tried:
skipCSRFProtection=1
to the endpoints config in web.conf
(documented feature) but it seems to have zero effect.answers.splunk.com/answers/581168/splunk-cannot-authenticate-the-request-csrf-valida.html
X-Splunk-Form-Key
as a header, as suggested by this splunk answers question: answers.splunk.com/answers/661095/post-to-splunkd-raw-endpoint-returns-csrf-validati.html
It feels like the session cookies are not being transmitted properly, but that doesn't seem correct, given the headers received in the GET request example attached.
What I need:
I need to be able to communicate with the web API (authenticated) on port 8000 for GET and POST requests. I am trying to make requests in my custom dashboard:
const service = mvc.createService({
owner: 'username here'
});
service.post(
'/services/echo',
JSON.stringify({ my: data }),
function(err, response) {
// what ever
}
);
Other Info:
I'm running splunk in docker, using the 7.1.2 tag.
You may need to use, curl with options, like '-L' and headers, X-Splunk-Form-Key and X-Requested-With: XMLHttpRequest..
Here's the article for it, https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/SplunkAppforStreamRESTAPI
$ curl -Lk -u admin http://localhost:8000/en-GB/splunkd/__raw/services/myRESTCall -H 'Cookie: splunkd_8000=QHASm07YxvF4C8642PFHMRAS0PxRXLie7THbp261otk3pTmWJ2QVn4twqheZM^3_KZ6DDPzenJYszELi8VwvJPrKyJrK_hM75x45XjuzknW1Y7CGH6J4Kp6wakjj9MNAWF; splunkweb_csrf_token_8000=5089449155758749034; session_id_8000=b970b2c4c0b38eb917d980c5b6384f5152a8ad72; login=; splunkweb_uid=' -H 'X-Splunk-Form-Key: 5089449155758749034' -H 'X-Requested-With: XMLHttpRequest' -X POST
Enter host password for user 'admin':
session: PIPsP72nJ7Ha4Z_KEypI4TKtkSiIUQqlqkYmLYVp6PweuwSMRUF0hgHxPx8p_L1GDQQ7UpyU2t8Tk9QQm9fjDrAIIIEioNl5nquFPB1NYwD4Pn9MKWBmBpUwJ12kdxVMksZGfOxkqQ0
host: 127.0.0.1:8089
cookie: splunkd_8000=QHASm07YxvF4C8642PFHMRAS0PxRXLie7THbp261otk3pTmWJ2QVn4twqheZM^3_KZ6DDPzenJYszELi8VwvJPrKyJrK_hM75x45XjuzknW1Y7CGH6J4Kp6wakjj9MNAWF; splunkweb_csrf_token_8000=5089449155758749034; session_id_8000=b970b2c4c0b38eb917d980c5b6384f5152a8ad72; login=; splunkweb_uid=
x-requested-with: XMLHttpRequest
user-agent: curl/7.54.0
authorization: Basic YWRtaW46V2VsY29tZTA=
accept: */
x-splunk-form-key: 5089449155758749034*
Please make sure to include those headers for your testing.
You may need to use, curl with options, like '-L' and headers, X-Splunk-Form-Key and X-Requested-With: XMLHttpRequest..
Here's the article for it, https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/SplunkAppforStreamRESTAPI
$ curl -Lk -u admin http://localhost:8000/en-GB/splunkd/__raw/services/myRESTCall -H 'Cookie: splunkd_8000=QHASm07YxvF4C8642PFHMRAS0PxRXLie7THbp261otk3pTmWJ2QVn4twqheZM^3_KZ6DDPzenJYszELi8VwvJPrKyJrK_hM75x45XjuzknW1Y7CGH6J4Kp6wakjj9MNAWF; splunkweb_csrf_token_8000=5089449155758749034; session_id_8000=b970b2c4c0b38eb917d980c5b6384f5152a8ad72; login=; splunkweb_uid=' -H 'X-Splunk-Form-Key: 5089449155758749034' -H 'X-Requested-With: XMLHttpRequest' -X POST
Enter host password for user 'admin':
session: PIPsP72nJ7Ha4Z_KEypI4TKtkSiIUQqlqkYmLYVp6PweuwSMRUF0hgHxPx8p_L1GDQQ7UpyU2t8Tk9QQm9fjDrAIIIEioNl5nquFPB1NYwD4Pn9MKWBmBpUwJ12kdxVMksZGfOxkqQ0
host: 127.0.0.1:8089
cookie: splunkd_8000=QHASm07YxvF4C8642PFHMRAS0PxRXLie7THbp261otk3pTmWJ2QVn4twqheZM^3_KZ6DDPzenJYszELi8VwvJPrKyJrK_hM75x45XjuzknW1Y7CGH6J4Kp6wakjj9MNAWF; splunkweb_csrf_token_8000=5089449155758749034; session_id_8000=b970b2c4c0b38eb917d980c5b6384f5152a8ad72; login=; splunkweb_uid=
x-requested-with: XMLHttpRequest
user-agent: curl/7.54.0
authorization: Basic YWRtaW46V2VsY29tZTA=
accept: */
x-splunk-form-key: 5089449155758749034*
Please make sure to include those headers for your testing.
Could you please farther explain? I looked at the browser devtools and it seems that the csrf token is already added. Why is this happening only on post requests and not on get requests?