cyberark / ansible-security-automation-collection

CyberArk Ansible Security Automation Collection
MIT License

Failure with default ansible user-agent (Python-urllib) #37

Open lwhitworth opened 3 years ago

lwhitworth commented 3 years ago

Summary

Login failure on Privilege Cloud if user-agent not set

Steps to Reproduce

Simple Ansible playbook to auth against the Privilege Cloud API:

---
- name: cyberark
  hosts: localhost
  tasks:
    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark.pas.cyberark_authentication:
        api_base_url: https://totallyfakedomain.privilegecloud.cyberark.com
        username: "apitest"
        password: "password123!"
        use_cyberark_authentication: yes

Expected Results

I would expect it to return me a token for my session as per the result when doing:

curl -X POST --header 'Content-Type: application/json' -d '{ "username": "apitest", "password": "password123!" }' https://totallyfakedomain.privilegecloud.cyberark.com/PasswordVault/API/Auth/CyberArk/Logon

Actual Results

fatal: [localhost]: FAILED! => changed=false 
  headers:
    Content-Type: application/json
  msg: |-
    Error while performing authentication.Please validate parameters provided, and ability to logon to CyberArk.
    *** end_point=https://totallyfakedomain.privilegecloud.cyberark.com/PasswordVault/API/Auth/CyberArk/Logon
     ==> HTTP Error 403: Forbidden
  payload: '{"username": "apitest", "password": "********"}'
  status_code: 403

Reproducible

Version/Tag number

ansible [core 2.11.4]
python version = 3.8.10 (default, Jun 2 2021, 10:49:15) [GCC 9.4.0]
jinja version = 2.11.2

Environment setup

Simple Ubuntu Linux desktop host. Ansible installed from pip. Tried the cyberark module from Galaxy and from git (ansible-galaxy collection install git+https://github.com/cyberark/ansible-security-automation-collection)

Additional Information

Appears that it needs a user-agent that isn't python-urllib, editing:

~/.ansible/collections/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py

and modifying the block at line 232 from:

        response = open_url(
            api_base_url + end_point,
            method="POST",
            headers=headers,
            data=payload,
            validate_certs=validate_certs
        )

to

        response = open_url(
            api_base_url + end_point,
            method="POST",
            headers=headers,
            data=payload,
            validate_certs=validate_certs,
            http_agent="DefinitelyNotPython-urllib/3.8"
        )

Makes it work.

By default it sends User-Agent: Python-urllib/3.8 and something doesn't like this it seems.

lwhitworth commented 3 years ago

Same appears to be true of everywhere that open_url is used in all the other modules too.