Checkmk BI backend: Add option 'site_internal_auth' for Checkmk 2.4

Can be used to enable the Checkmk 2.4 site internal authentication. This
option is configured automatically for the sites local backend
('backend_[site]_bi') which is created automatiocally in Checkmk sites.

Author: LarsMichelsen

ChangeLog

@@ -2,6 +2,9 @@
   * Feature: add option to verify session cookie via curl. Before when having allow_url_fopen
     disabled, NagVis was not able to verify the session cookie. Now you can use curl to verify
     the session cookie. Depending on your distribution the curl extension can be installed differently.
+  * Checkmk BI backend: Add option 'site_internal_auth' to enable the Checkmk 2.4 site internal
+    authentication. This option is configured automatically for the sites local
+    backend ('backend_[site]_bi') which is created automatiocally in Checkmk sites.
 
 1.9.45
   * FIX: Fix XSS on support info page (Thanks to jmacario24)

docs/en_US/backend_mkbi.html

@@ -38,18 +38,34 @@ <h2>Configuration</h2>
             It serves the AJAX-API which the backend connects to. This URL must be reachable
             from the host NagVis is running on.</td>
     </tr>
+    <tr>
+        <td>site_internal_auth</td>
+        <td>0</td>
+        <td>Use the so called site internal authentication introduced with Checkmk 2.4. The
+            site internal secret is automatically derived from the Checkmk sites environment.
+        </td>
+    </tr>
     <tr>
         <td>auth_user</td>
         <td></td>
         <td>User to use for authentication when accessing the <code>base_url</code>. It
             has to be created within Checkmk as &quot;automation&quot; user in order to 
-            configure a backend which is allowed to retrieve Checkmk BI states.</td>
+            configure a backend which is allowed to retrieve Checkmk BI states.
+            Used for the automation authentication together with auth_secret or auth_secret_file.
+            This was the authentication mechanism until Checkmk 2.3.
+        </td>
     </tr>
     <tr>
         <td>auth_secret</td>
         <td></td>
         <td>The authentication secret configured within Checkmk for the given user.</td>
     </tr>
+    <tr>
+        <td>auth_secret_file</td>
+        <td></td>
+        <td>Read the authentication secret configured within Checkmk for the given user from this
+            path.</td>
+    </tr>
     <tr>
         <td>verify_peer</td>
         <td>1</td>

omd_install.sh

@@ -121,6 +121,11 @@ backend="$OMD_SITE"
 [backend_$OMD_SITE]
 backendtype="mklivestatus"
 socket="unix:$OMD_ROOT/tmp/run/live"
+EOF
+
+# The automation secrets were removed with Checkmk 2.4. Care for both cases for now.
+if [ -f "$OMD_ROOT/var/check_mk/web/automation/automation.secret" ]; then
+    cat >>"$OMD_CFG" <<EOF
 
 [backend_${OMD_SITE}_bi]
 backendtype="mkbi"
@@ -129,6 +134,16 @@ auth_user="automation"
 auth_secret_file="$OMD_ROOT/var/check_mk/web/automation/automation.secret"
 timeout=10
 EOF
+else
+    cat >>"$OMD_CFG" <<EOF
+
+[backend_${OMD_SITE}_bi]
+backendtype="mkbi"
+base_url="http://localhost/$OMD_SITE/check_mk/"
+site_internal_auth=1
+timeout=10
+EOF
+fi
 
 # Backup the agvis.conf on first time using omd_install.sh
 if ! grep omd_install.sh $OMD_ROOT/etc/apache/conf.d/nagvis.conf >/dev/null 2>&1; then

share/server/core/classes/GlobalBackendmkbi.php

@@ -63,6 +63,16 @@ class GlobalBackendmkbi implements GlobalBackendInterface {
             'default'  => 'http://localhost/check_mk/',
             'match'    => MATCH_STRING_URL,
         ),
+        // The automation user based authentication was removed in Checkmk 2.4 and replaced by the
+        // site internal authentication. For the local site backend we make use of it with the
+        // automatically configured backend.
+        'site_internal_auth' => Array(
+            'must'     => 0,
+            'editable' => 1,
+            'default'  => 0,
+            'match'    => MATCH_BOOLEAN,
+            'field_type' => 'boolean',
+        ),
         'auth_user' => Array(
             'must'     => 0,
             'editable' => 1,
@@ -141,12 +151,17 @@ public function __construct($backendId) {
             );
         }
 
-        // Always set the HTTP basic auth header
-        $username = cfg('backend_'.$backendId, 'auth_user');
-        $secret = $this->getSecret();
-        if($username && $secret) {
-            $authCred = base64_encode($username.':'.$secret);
-            $httpContext['header'] = 'Authorization: Basic '.$authCred."\r\n";
+        if ($this->isSiteInternalAuthEnabled()) {
+            $httpContext['header'] = 'Authorization: InternalToken '
+                                     .base64_encode($this->siteInternalAuthSecret())."\r\n";
+        } else {
+            // Always set the HTTP basic auth header
+            $username = cfg('backend_'.$backendId, 'auth_user');
+            $secret = $this->getSecret();
+            if($username && $secret) {
+                $authCred = base64_encode($username.':'.$secret);
+                $httpContext['header'] = 'Authorization: Basic '.$authCred."\r\n";
+            }
         }
 
         $this->context = stream_context_create(array(
@@ -159,6 +174,14 @@ public function __construct($backendId) {
      * HELPERS
      *************************************************************************/
 
+    private function isSiteInternalAuthEnabled() {
+        return cfg('backend_'.$this->backendId, 'site_internal_auth') == 1;
+    }
+
+    private function siteInternalAuthSecret() {
+        return file_get_contents($_SERVER['OMD_ROOT'] . "/etc/site_internal.secret");
+    }
+
     private function getSecret() {
         $secret_file_path = cfg('backend_'.$this->backendId, 'auth_secret_file');
         if ($secret_file_path)
@@ -178,10 +201,13 @@ private function aggrUrl($name) {
      */
     private function getUrl($params) {
         $url = $this->baseUrl.$params.'&output_format=json';
-        $username = cfg('backend_'.$this->backendId, 'auth_user');
-        $secret   = $this->getSecret();
-        if ($username && $secret)
-            $url .= '&_username='.$username.'&_secret='.$secret;
+
+        if (!$this->isSiteInternalAuthEnabled()) {
+            $username = cfg('backend_'.$this->backendId, 'auth_user');
+            $secret   = $this->getSecret();
+            if ($username && $secret)
+                $url .= '&_username='.$username.'&_secret='.$secret;
+        }
 
         // Is there some cache to use? The cache is not persisted. It is available
         // until the request has finished.