Add bearer token auth to splunk driver (#708)

* add token auth to splunk driver and fix splunk port value type * fix flask8 error * fix flask8 error * fix flask8 error * Fixing some linting errors in splunk_driver.py --------- Co-authored-by: Ian Hellen <ianhelle@microsoft.com>
microsoft · Sep 29, 2023 · 15fb44b · 15fb44b
1 parent fdc2a5a
commit 15fb44b
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 14 deletions.
diff --git a/docs/source/data_acquisition/SplunkProvider.rst b/docs/source/data_acquisition/SplunkProvider.rst
@@ -38,7 +38,7 @@ The settings in the file should look like the following:
       Splunk:
           Args:
             host: splunk_host
-            port: 8089
+            port: '8089'
             username: splunk_user
             password: [PLACEHOLDER]
 
@@ -54,7 +54,7 @@ to a Key Vault secret using the MSTICPy configuration editor.
       Splunk:
           Args:
             host: splunk_host
-            port: 8089
+            port: '8089'
             username: splunk_user
             password:
               KeyVault:
@@ -67,8 +67,13 @@ Parameter    Description
 host         (string) The host name (the default is 'localhost').
 username     (string) The Splunk account username, which is used to authenticate the Splunk instance.
 password     (string) The password for the Splunk account.
+splunkToken  (string) The Authorization Bearer Token <JWT> created in the Splunk.
 ===========  ===========================================================================================================================
 
+The username and password are needed for user account authentication.
+On the other hand, splunkToken is needed for Token authentication.
+The user auth method has a priority to token auth method if both username and splunkToken are set.
+
 
 Optional configuration parameters:
 
@@ -106,11 +111,11 @@ in msticpy config file.
 For more information on how to create new user with appropriate roles
 and permissions, follow the Splunk documents:
 
-`Securing the Spunk platform <https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Addandeditusers>`__
+`Securing the Spunk platform <https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/Addandeditusers>`__
 
 and
 
-`About users and roles <https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles>`__.
+`About users and roles <https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/Aboutusersandroles>`__
 
 The user should have permission to at least run its own searches or more
 depending upon the actions to be performed by user.
@@ -120,10 +125,20 @@ require the following details to specify while connecting:
 
 - host = "localhost" (Splunk server FQDN hostname to connect, for locally
   installed splunk, you can specify localhost)
-- port = 8089 (Splunk REST API )
+- port = "8089" (Splunk REST API)
 - username = "admin" (username to connect to Splunk instance)
 - password = "yourpassword" (password of the user specified in username)
 
+On the other hand, you can use the authentification token to connect.
+
+`Create authentication token <https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/CreateAuthTokens>`__
+
+- host = "localhost" (Splunk server FQDN hostname to connect, for locally
+  installed splunk, you can specify localhost)
+- port = "8089" (Splunk REST API)
+- splunkToken = "<Authorization Bearer Token>" (token can be used instead of username/password)
+
+
 Once you have details, you can specify it in ``msticpyconfig.yaml`` as
 described earlier.
 
@@ -146,6 +161,11 @@ as parameters to connect.
 
     qry_prov.connect(host=<hostname>, username=<username>, password=<password>)
 
+OR
+
+.. code:: ipython3
+
+    qry_prov.connect(host=<hostname>, splunkToken=<token_string>)
 
 
 Listing available queries
@@ -217,7 +237,7 @@ For more information, see
         (default value is: | head 100)
     end: datetime (optional)
         Query end time
-        (default value is: 08/26/2017:00:00:00)
+        (default value is: current time + 1 day)
     index: str (optional)
         Splunk index name
         (default value is: \*)
@@ -229,7 +249,7 @@ For more information, see
         (default value is: \*)
     start: datetime (optional)
         Query start time
-        (default value is: 08/25/2017:00:00:00)
+        (default value is: current time - 1 day)
     timeformat: str (optional)
         Datetime format to use in Splunk query
         (default value is: "%Y-%m-%d %H:%M:%S.%6N")

diff --git a/msticpy/data/drivers/splunk_driver.py b/msticpy/data/drivers/splunk_driver.py
@@ -35,14 +35,14 @@
     ) from imp_err
 
 __version__ = VERSION
-__author__ = "Ashwin Patil"
+__author__ = "Ashwin Patil, Tatsuya Hasegawa"
 
 logger = logging.getLogger(__name__)
 
 
 SPLUNK_CONNECT_ARGS = {
     "host": "(string) The host name (the default is 'localhost').",
-    "port": "(integer) The port number (the default is 8089).",
+    "port": "(string) The port number (the default is '8089').",
     "http_scheme": "('https' or 'http') The scheme for accessing the service "
     + "(the default is 'https').",
     "verify": "(Boolean) Enable (True) or disable (False) SSL verrification for "
@@ -60,15 +60,16 @@
     "username": "(string) The Splunk account username, which is used to "
     + "authenticate the Splunk instance.",
     "password": "(string) The password for the Splunk account.",
+    "splunkToken": "(string) The Authorization Bearer Token <JWT> created in the Splunk.",
 }
 
 
 @export
 class SplunkDriver(DriverBase):
     """Driver to connect and query from Splunk."""
 
-    _SPLUNK_REQD_ARGS = ["host", "username", "password"]
-    _CONNECT_DEFAULTS: Dict[str, Any] = {"port": 8089}
+    _SPLUNK_REQD_ARGS = ["host"]
+    _CONNECT_DEFAULTS: Dict[str, Any] = {"port": "8089"}
     _TIME_FORMAT = '"%Y-%m-%d %H:%M:%S.%6N"'
 
     def __init__(self, **kwargs):
@@ -79,6 +80,7 @@ def __init__(self, **kwargs):
         self._connected = False
         if kwargs.get("debug", False):
             logger.setLevel(logging.DEBUG)
+        self._required_params = self._SPLUNK_REQD_ARGS
 
         self.set_driver_property(
             DriverProps.PUBLIC_ATTRS,
@@ -142,7 +144,7 @@ def connect(self, connection_str: Optional[str] = None, **kwargs):
                 help_uri="https://msticpy.readthedocs.io/en/latest/DataProviders.html",
             ) from err
         self._connected = True
-        print("connected")
+        print("Connected.")
 
     def _get_connect_args(
         self, connection_str: Optional[str], **kwargs
@@ -172,12 +174,19 @@ def _get_connect_args(
         elif isinstance(verify_opt, bool):
             cs_dict["verify"] = verify_opt
 
-        missing_args = set(self._SPLUNK_REQD_ARGS) - cs_dict.keys()
+        # Different required parameters for the REST API authentication method
+        # between user/pass and authorization bearer token
+        if "username" in cs_dict:
+            self._required_params = ["host", "username", "password"]
+        else:
+            self._required_params = ["host", "splunkToken"]
+
+        missing_args = set(self._required_params) - cs_dict.keys()
         if missing_args:
             raise MsticpyUserConfigError(
                 "One or more connection parameters missing for Splunk connector",
                 ", ".join(missing_args),
-                f"Required parameters are {', '.join(self._SPLUNK_REQD_ARGS)}",
+                f"Required parameters are {', '.join(self._required_params)}",
                 "All parameters:",
                 *[f"{arg}: {desc}" for arg, desc in SPLUNK_CONNECT_ARGS.items()],
                 title="no Splunk connection parameters",