This repository has been archived by the owner on Jul 18, 2022. It is now read-only.

Added Splunk 6.3 support via auth decorator chaining #2

Closed
wants to merge 1 commit into from

Conversation

hackgnar

In order to support Splunk versions over 6.0, which no longer use the login method in accounts.py, these changes take a different approach by hooking into Splunk's authentication decorator chain. This requires patching both accounts.py and decorators.py.

The installer and uninstaller have also been updated to support the new patch files.

This approach was tested and verified to work on Splunk 6.3, 6.2 and 6.1, but it may work on Splunk versions as old as 5.0. I have yet to test on versions before 6.3, so for now those versions are still covered under the installer's old patch flow.
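The following is an added illustration of what "hooking into an authentication decorator chain" means in practice; it is not code from duo_splunk, from Splunk's accounts.py or decorators.py, or from this pull request. Every name in it (Request, require_login, require_duo, chain, AuthError) is hypothetical. It also reproduces the failure mode raised later in this thread: a second-factor decorator that only reads REMOTE_USER works in an SSO deployment but yields no username for a plain form login, so the Duo signing step would be handed 'None'.

```python
"""Hypothetical decorator chain: primary login, then a second-factor check."""
import functools


class AuthError(Exception):
    """Raised when a request fails a stage of the decorator chain."""


class Request:
    """Minimal stand-in for a web framework request object (constructed for the demo)."""

    def __init__(self, session=None, headers=None):
        self.session = dict(session or {})
        self.headers = dict(headers or {})


def require_login(handler):
    """Primary-auth decorator: the session must already carry a logged-in user."""

    @functools.wraps(handler)
    def wrapper(request, *args, **kwargs):
        if not request.session.get("user"):
            raise AuthError("primary login required")
        return handler(request, *args, **kwargs)

    return wrapper


def resolve_username(request, sso_only=False):
    """Return the user the second factor should be checked for.

    sso_only=True reproduces the bug discussed in the thread: only the
    REMOTE_USER header is consulted, so a plain form login yields no user.
    """
    user = request.headers.get("REMOTE_USER")
    if not sso_only:
        # Prefer the user established by the primary login, fall back to SSO header.
        user = request.session.get("user") or user
    if not user:
        # The real Duo Web SDK would produce an error sig_request for an empty username.
        raise AuthError("no username available for second-factor check")
    return user


def require_duo(sso_only=False):
    """Second-factor decorator factory, meant to be stacked after primary login."""

    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(request, *args, **kwargs):
            user = resolve_username(request, sso_only=sso_only)
            if request.session.get("duo_verified_user") != user:
                # A real implementation would redirect to the Duo prompt here.
                raise AuthError("second factor required for %s" % user)
            return handler(request, *args, **kwargs)

        return wrapper

    return decorator


def chain(*decorators):
    """Compose decorators so the first one listed runs first on each request."""

    def apply(handler):
        for deco in reversed(decorators):
            handler = deco(handler)
        return handler

    return apply


@chain(require_login, require_duo())
def dashboard(request):
    return "dashboard for %s" % request.session["user"]


@chain(require_login, require_duo(sso_only=True))
def dashboard_sso_only(request):
    return "dashboard for %s" % request.session["user"]


def outcome(handler, request):
    """Run a handler and return either its result or the chain error (for the demo)."""
    try:
        return handler(request)
    except AuthError as exc:
        return "denied: %s" % exc


if __name__ == "__main__":
    ok = Request(session={"user": "admin", "duo_verified_user": "admin"})
    print(outcome(dashboard, ok))
    print(outcome(dashboard_sso_only, ok))
```

The order passed to chain() is the order the checks run in: primary login first, then the second factor, so the Duo step always has a session user to work with unless it is deliberately restricted to the SSO header.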

@BradleyHiggins
Contributor

The PR doesn't work for me, testing with Splunk 6.3. In my testing, the login fails with an invalid sig_request, which I traced back to an invalid username, 'None'. It seems I don't have REMOTE-USER set. Are you testing this in an SSO environment?

The existing duo code works fine for me on Splunk 6.3, configured in legacy mode.

@hackgnar
Author

Steps to Install and Test Duo for Splunk with 6.3 Support

  • This does not require Splunk legacy mode as Splunk advises users not to use legacy mode.
  • These steps utilize the 6.3 support branch from my pull request.

Step 1: Log into Duo's web panel and Setup New Duo Credentials for a Splunk Application

  1. Go to duosecurity.com/applications
  2. Click "+ Protect an Application"
  3. In the Splunk section, click "Protect this application". Leave the defaults.
  4. Get your integration key, secret key and API hostname
  5. Click "add a user" for your new application
    a. Add a user named "admin" and set an email. Leave the defaults.
    b. Click "send enrollment email"
    c. Enroll the new user

Step 2: Install a Clean Instance of Splunk

  • I am using OSX in this example
cd /Applications
tar xfvz splunk-6.3.0-aa7d4b1ccb80-darwin-64.tgz
cd splunk/bin
./splunk start --answer-yes --no-prompt --accept-license
touch ../etc/.ui_login
./splunk stop

Step 3: Install The Duo for Splunk 6.3 Support Branch

cd /tmp
git clone https://github.com/hackgnar/duo_splunk.git
cd duo_splunk
git checkout splunk_63_support
./install.sh -d /Applications/splunk -i DUO_IKEY -s DUO_SKEY -h DUO_HOST -f true

Step 4: Restart Splunk

cd /Applications/splunk/bin
./splunk start

Step 5: Login to Splunk

  1. go to http://localhost:8000
  2. log in as admin
  3. pick a duo login option (I chose push)

Let me know if there are any issues reproducing these install and test steps. If there are any issues, send them my way and I will resolve them. Thanks again for looking at this. Hopefully we can get it merged in so Splunk legacy mode is not needed.

@awurster

awurster commented Dec 8, 2015

FYI, a few observations I found:

  • The install.sh script restarts splunkweb for you, but does not restart splunkd...!? Can someone from Duo confirm the reasoning behind this? The preferred method AFAIK is to restart "splunk", which does both splunkd and splunkweb. From install.sh:

    echo 'Restarting splunkweb...'
    $SPLUNK/bin/splunk restart splunkweb
    
  • Also, the steps above should be tuned to use the "SPLUNK_HOME" env variable instead, so that OS X and Linux users can use the same steps.

  • Will need a step on the client side, if already authenticated, to delete the cookies, otherwise you might get an "access denied" message from the cherrypy server.

  • Using this method, you can now disable "legacy mode", because Splunk recommends you don't use it. This is how I did it in my install scripts (-i edits the file in place; without it sed only prints the result):
    sed -i '/appServerPort/d' /opt/splunk/etc/system/local/web.conf

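A portable version of the two points above (use SPLUNK_HOME, restart the whole splunk service, drop appServerPort to leave legacy mode), as an added example that is not part of duo_splunk's install.sh or any commenter's scripts. It assumes web.conf lives at $SPLUNK_HOME/etc/system/local/web.conf and avoids `sed -i`, whose syntax differs between GNU sed on Linux and BSD sed on OS X; the demonstration at the bottom runs against a constructed web.conf in a temporary directory so it never touches a real install.

```bash
#!/bin/sh
# Added example: disable Splunk legacy mode portably and restart splunkd+splunkweb.
# Hypothetical helper names; the web.conf path is an assumption.

legacy_mode_enabled() {
    # Exit 0 if the given web.conf still carries an appServerPort setting.
    grep -q '^[[:space:]]*appServerPort[[:space:]]*=' "$1"
}

disable_legacy_mode() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp "$conf" "$conf.bak"
    tmp="$conf.tmp.$$"
    # grep -v exits 1 when nothing remains to print (a config holding only
    # appServerPort), which is not an error here.
    grep -v '^[[:space:]]*appServerPort[[:space:]]*=' "$conf" > "$tmp" || :
    mv "$tmp" "$conf"
}

restart_splunk() {
    # Restart both daemons via the top-level "splunk" command; skip when the
    # install under the given SPLUNK_HOME has no binary (as in the demo below).
    home="$1"
    if [ -x "$home/bin/splunk" ]; then
        "$home/bin/splunk" restart
    else
        echo "no splunk binary under $home, skipping restart" >&2
    fi
}

# Demonstration on a constructed web.conf in a throwaway SPLUNK_HOME.
demo_home="${TMPDIR:-/tmp}/splunk-demo.$$"
mkdir -p "$demo_home/etc/system/local"
demo_conf="$demo_home/etc/system/local/web.conf"
printf '[settings]\nappServerPort = 8065\nhttpport = 8000\n' > "$demo_conf"

if legacy_mode_enabled "$demo_conf"; then
    disable_legacy_mode "$demo_conf"
    echo "removed appServerPort; remaining web.conf:"
    cat "$demo_conf"
    restart_splunk "$demo_home"
fi
rm -rf "$demo_home"
```

On a real host, point the functions at "$SPLUNK_HOME/etc/system/local/web.conf" and "$SPLUNK_HOME"; the .bak copy lets you restore legacy mode if the Duo login flow misbehaves, and clearing browser cookies afterwards avoids the stale-cookie "access denied" mentioned above.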
@BradleyHiggins
Contributor

I think the issue I ran into when testing this PR was due to a stale cookie in my environment generated when running in Legacy mode (as awurster mentioned in his 3rd bullet point). Cleaning the browser's cookies and authenticating again worked fine.

Duo is actively exploring new ways to protect Splunk authentications while also obviating the patching of installed splunk python files, as the existing code and PR both do. Considering this goal, along with the fact that the current patching mechanism works fine in Legacy mode, I'm reluctant to accept the PR. Of course, feel free to continue using this code in your Splunk environment :)

Thanks for using Duo!
