IBM-Security / isam-ansible-roles

Ansible Custom Modules, Handlers and Tasks for ISAM. Requires "ibmsecurity" python package.
Apache License 2.0

Role `delete_reverseproxy_conf` is not doing its job? #141

Closed kalemontes closed 4 years ago

kalemontes commented 5 years ago

Hi, I am trying to delete a stanza value, but the role is returning ok, even though the value is in the webseal.conf. And nothing gets deleted.

Here is the playbook I am running:

```yaml
- hosts: isam_itaas_internet, isam_itaas_intranet
  connection: local
  tasks:
    - import_role:
        name: isam-ansible-roles/start_config
    - name: Removes the challenge type to be used with basic authentication
      import_role:
        name: isam-ansible-roles/delete_reverseproxy_conf
      vars:
        - delete_reverseproxy_conf_reverseproxy_id : "{{ webseal_oidc_instance_id }}"
        - delete_reverseproxy_conf_entries : 
          - stanza_id: "server"
            entry_id: "auth-challenge-type"
```

Here is the relevant chunk of the webseal.conf:

```
[server]
...
# For example:
#
# auth-challenge-type = [+*MSIE*]ba, [-*MSIE*;+*]forms
#
# This configuration will present a basic authentication challenge to user
# agents containing 'MSIE' (Internet Explorer browsers) and a forms based
# challenge to all other user agents. See the WebSEAL administration guide
# for further information.
#
# Do not use authentication challenge types as a security or enforcement
# measure. If no challenge types can be determined for a given user agent
# string, WebSEAL will fall back to the list of all configured authentication
# mechanisms.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [server:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
# auth-challenge-type =
auth-challenge-type = [+*MpgOAuthTokens*]ba, [-*MpgOAuthTokens*;+*]forms
```

And here is the result:

image

So I was wondering if there is a known bug when using this role?

Thanks for the support

MalikDE commented 5 years ago

The `delete_reverseproxy_conf` role calls this action: `ibmsecurity.isam.web.reverse_proxy.configuration.entry.delete`, even if `value_id` has not been provided. After some investigation, it should instead call `ibmsecurity.isam.web.reverse_proxy.configuration.entry.delete_all`, or the Python lib should forward to `delete_all` if `value_id` is empty.

djorgen-ibm commented 4 years ago

ibmsecurity.isam.web.reverse_proxy.configuration.entry.delete is fixed to handle when value_id is empty.
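
The symptom in this thread is a delete task that reports ok while the entry stays active, so a post-condition check on the exported configuration catches it regardless of the task status. The following is an added example, not code from this repository or from the `ibmsecurity` package: the function names are hypothetical, the sample text is constructed from the excerpt in the issue, and it assumes the `webseal.conf` content has already been retrieved as a string.

```python
# Added example: function names are hypothetical, not part of ibmsecurity or the roles.
import re

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def active_values(conf_text, stanza_id, entry_id):
    """Return the uncommented values of entry_id inside [stanza_id]."""
    values = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented examples such as "# auth-challenge-type =" do not count
        header = STANZA_RE.match(line)
        if header:
            current = header.group("name")
            continue
        if current != stanza_id or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == entry_id:
            values.append(value.strip())
    return values


def assert_entry_removed(conf_text, stanza_id, entry_id):
    """Raise if the entry is still active, whatever status the task reported."""
    leftover = active_values(conf_text, stanza_id, entry_id)
    if leftover:
        raise AssertionError(f"[{stanza_id}] {entry_id} still set: {leftover}")
    return True


# Constructed sample, shortened from the webseal.conf excerpt in the issue.
SAMPLE_CONF = """\
[server]
# auth-challenge-type = [+*MSIE*]ba, [-*MSIE*;+*]forms
# auth-challenge-type =
auth-challenge-type = [+*MpgOAuthTokens*]ba, [-*MpgOAuthTokens*;+*]forms

[server:/jct]
auth-challenge-type = forms
"""

if __name__ == "__main__":
    print(active_values(SAMPLE_CONF, "server", "auth-challenge-type"))
```

Only the exact stanza name is matched, so a junction override in `[server:{jct_id}]` has to be checked with its own `stanza_id`.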