Security

AppInspect API error: "Do not use `default/setup.xml` in the Cloud environment"

gsabhay77
Explorer

I ran the latest Splunk's AppInspect API 2.1.0 using the Postman for the Splunk app we are developing. We have a setup.xml file located inside the default folder of the app project.

After running the AppInspect recently, I got an issue "Do not use default/setup.xml in the Cloud environment. Please consider use Authorization Code Flow for server-side web applications that can securely store secrets.". This error was not shown when I ran the app a week before. I guess this rule should be recently introduced in the Splunk AppInspect.

Can someone please provide some info on where to place the setup.xml file for this to error to disappear and also work for Splunk Cloud as well?

Tags (2)
0 Karma

ravi
Loves-to-Learn Lots

Hi @gsabhay77  were you able to shift from setup.xml to setup_view

0 Karma

gsabhay77
Explorer

Yeah. It worked for me!

0 Karma

ravi
Loves-to-Learn Lots

@gsabhay77 

Is your App published in Splunkbase. I want to refer to something 

0 Karma

thellmann
Splunk Employee
Splunk Employee

I would recommend using a setup page instead of setup.xml to perform configuration. We released an updated manual on this topic here: https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/setuppage/

This code example might also be helpful: 

PavelP
Motivator

Hello @gsabhay77 ay77,

the appinspect 2.1.0 checks if there is a file setup.xml in the app default folder:

# setup.xml
# -------------------
@splunk_appinspect.tags("cloud")
@splunk_appinspect.cert_version(min="2.1.0")
def check_setup_xml_in_default(app, reporter):
    """Check that `setup.xml` does not exist in the app default folder
    """
    if app.file_exists("default", "setup.xml"):
        reporter_output = (
            "Do not use `default/setup.xml` in the Cloud environment. "
            "Please consider use Authorization Code Flow for server-side web applications "
            "that can securely store secrets. "
        )
        reporter.fail(reporter_output)

The setup.xml file, which should be located in $SPLUNK_HOME/etc/<your_app_name>/default/, defines the setup page that prompts users for configuration settings (i.e. credentials): https://dev.splunk.com/enterprise/docs/developapps/setuppage/setupxmlsyntax/

Apparently Splunk will move from local credentials to secure credential mechanism, https://dev.splunk.com/scs/docs/apps/plan/ : Use Authorization Code Flow to authorize in the system for server-side web applications that can securely store secrets. Authorization Code Flow uses a confidential setup.

where to place the setup.xml : you can place it outside of default to bypass the check, but the Setup Screen will not be triggered when the user first runs the app.

You can also bypass cloud checks completely by using --excluded-tags cloud, but you asked also work for Splunk Cloud as well

gsabhay77
Explorer

Hi PavelP,

Thanks for providing the info. I did try to place the setup.xml outside the default folder. But that seems to make the error go away but I cannot access the setup page as the "Set up" option doesn't appear for the Application.

Can you please provide any documentation on how to create "Authorization Code Flow" in Splunk app for authentication?

0 Karma

PavelP
Motivator

Hello @gsabhay77 ,

The setup.xml file should be located in $SPLUNK_HOME/etc//default/, else the Setup Screen will not be triggered when the user first runs the app.

I haven't done it before yet, the introduction is here: https://dev.splunk.com/scs/docs/apps/plan/

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...