I ran the latest Splunk's AppInspect API 2.1.0 using the Postman for the Splunk app we are developing. We have a setup.xml file located inside the default folder of the app project.
After running the AppInspect recently, I got an issue "Do not use
default/setup.xml in the Cloud environment. Please consider use Authorization Code Flow for server-side web applications that can securely store secrets.". This error was not shown when I ran the app a week before. I guess this rule should be recently introduced in the Splunk AppInspect.
Can someone please provide some info on where to place the setup.xml file for this to error to disappear and also work for Splunk Cloud as well?
I would recommend using a setup page instead of setup.xml to perform configuration. We released an updated manual on this topic here: https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/setuppage/
This code example might also be helpful:
Hello @gsabhay77 ay77,
the appinspect 2.1.0 checks if there is a file setup.xml in the app default folder:
# setup.xml # ------------------- @splunk_appinspect.tags("cloud") @splunk_appinspect.cert_version(min="2.1.0") def check_setup_xml_in_default(app, reporter): """Check that `setup.xml` does not exist in the app default folder """ if app.file_exists("default", "setup.xml"): reporter_output = ( "Do not use `default/setup.xml` in the Cloud environment. " "Please consider use Authorization Code Flow for server-side web applications " "that can securely store secrets. " ) reporter.fail(reporter_output)
The setup.xml file, which should be located in $SPLUNK_HOME/etc/<your_app_name>/default/, defines the setup page that prompts users for configuration settings (i.e. credentials): https://dev.splunk.com/enterprise/docs/developapps/setuppage/setupxmlsyntax/
Apparently Splunk will move from local credentials to secure credential mechanism, https://dev.splunk.com/scs/docs/apps/plan/ : Use Authorization Code Flow to authorize in the system for server-side web applications that can securely store secrets. Authorization Code Flow uses a confidential setup.
where to place the setup.xml : you can place it outside of default to bypass the check, but the Setup Screen will not be triggered when the user first runs the app.
You can also bypass cloud checks completely by using --excluded-tags cloud, but you asked also work for Splunk Cloud as well
Thanks for providing the info. I did try to place the setup.xml outside the default folder. But that seems to make the error go away but I cannot access the setup page as the "Set up" option doesn't appear for the Application.
Can you please provide any documentation on how to create "Authorization Code Flow" in Splunk app for authentication?
Hello @gsabhay77 ,
The setup.xml file should be located in $SPLUNK_HOME/etc//default/, else the Setup Screen will not be triggered when the user first runs the app.
I haven't done it before yet, the introduction is here: https://dev.splunk.com/scs/docs/apps/plan/