puzzle / puzzle.opnsense

An Ansible Collection to configure an opnsense Firewall
https://puzzle.github.io/puzzle.opnsense/collections/puzzle/opnsense/index.html
GNU General Public License v3.0

User Module: ValueError UserLoginShell #116

Closed DonGiovanni83 closed 2 months ago

DonGiovanni83 commented 4 months ago

Describe the bug

Running the system_access_users module (collection version <=1.1.1), depending on the available shells on a given system we encounter the following ValueError:

TASK [opnsense_manage : Get api key] *********************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: 'UserLoginShell' enum not found for '/usr/local/bin/bash'
fatal: [fw02.cloud-staging.puzzle.ch]: FAILED! => changed=false 
  module_stderr: |-
    Traceback (most recent call last):
      File "<stdin>", line 107, in <module>
      File "<stdin>", line 99, in _ansiballz_main
      File "<stdin>", line 47, in invoke_module
      File "/usr/local/lib/python3.9/runpy.py", line 225, in run_module
        return _run_module_code(code, init_globals, run_name, mod_spec)
      File "/usr/local/lib/python3.9/runpy.py", line 97, in _run_module_code
        _run_code(code, mod_globals, init_globals,
      File "/usr/local/lib/python3.9/runpy.py", line 87, in _run_code
        exec(code, run_globals)
      File "/tmp/ansible_puzzle.opnsense.system_access_users_payload_m07m_544/ansible_puzzle.opnsense.system_access_users_payload.zip/ansible_collections/puzzle/opnsense/plugins/modules/system_access_users.py", line 268, in <module>
      File "/tmp/ansible_puzzle.opnsense.system_access_users_payload_m07m_544/ansible_puzzle.opnsense.system_access_users_payload.zip/ansible_collections/puzzle/opnsense/plugins/modules/system_access_users.py", line 227, in main
      File "/tmp/ansible_puzzle.opnsense.system_access_users_payload_m07m_544/ansible_puzzle.opnsense.system_access_users_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/system_access_users_utils.py", line 596, in __init__
      File "/tmp/ansible_puzzle.opnsense.system_access_users_payload_m07m_544/ansible_puzzle.opnsense.system_access_users_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/system_access_users_utils.py", line 632, in _load_users
      File "/tmp/ansible_puzzle.opnsense.system_access_users_payload_m07m_544/ansible_puzzle.opnsense.system_access_users_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/system_access_users_utils.py", line 632, in <listcomp>
      File "/tmp/ansible_puzzle.opnsense.system_access_users_payload_m07m_544/ansible_puzzle.opnsense.system_access_users_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/system_access_users_utils.py", line 543, in from_xml
      File "/tmp/ansible_puzzle.opnsense.system_access_users_payload_m07m_544/ansible_puzzle.opnsense.system_access_users_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/system_access_users_utils.py", line 249, in __init__
      File "/tmp/ansible_puzzle.opnsense.system_access_users_payload_m07m_544/ansible_puzzle.opnsense.system_access_users_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/enum_utils.py", line 39, in from_string
    ValueError: 'UserLoginShell' enum not found for '/usr/local/bin/bash'
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1

To Reproduce

Run an Ansible task using the system_access_users module on a system that does have user shells assigned which are not one of the following:

class UserLoginShell(ListEnum):
    """Represents the user login shell."""

    NOLOGIN = "/sbin/nologin"
    CSH = "/bin/csh"
    SH = "/bin/sh"
    TCSH = "/bin/tcsh"

Expected behavior

The module should be flexible enough to handle any type of shell. Ideally we would validate user shells using /etc/shells or, maybe more efficiently, use the PHP function auth_get_shells (/usr/local/etc/lib/auth.inc) to get a list of available shells.

Additional context

Since the current release is affected by this issue, I suggest approaching the resolution of this issue in two steps:

  1. Quick hotfix: Remove the UserLoginShell enum and make User.shell a string type to prevent a too strict validation of the shells.
  2. Further refactoring: Implement a dynamic shell validation using OPNsense's auth_get_shells PHP utility.

DonGiovanni83 commented 2 months ago

These changes are part of the new release v1.2.0
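
The validation against /etc/shells proposed under "Expected behavior" in the issue could look like the following. This is an added example, not code from the issue or from the puzzle.opnsense collection; the function names, the constructed sample file contents and the `always_allowed` default are assumptions.

```python
"""Added example: validate a login shell against /etc/shells-style content."""
from pathlib import Path
from typing import Iterable, Set

# Constructed sample in /etc/shells format: one absolute path per line, '#' comments.
SAMPLE_ETC_SHELLS = """\
# List of acceptable shells (constructed sample)
/bin/sh
/bin/csh
/bin/tcsh

/usr/local/bin/bash   # installed from packages
not/an/absolute/path
"""


def parse_shells(text: str) -> Set[str]:
    """Return the absolute shell paths listed in /etc/shells-formatted text."""
    shells = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("/"):  # skip blank lines and non-absolute entries
            shells.add(line)
    return shells


def load_shells(path: str = "/etc/shells") -> Set[str]:
    """Read the shell list from disk; an unreadable file yields an empty set."""
    try:
        return parse_shells(Path(path).read_text(encoding="utf-8"))
    except OSError:
        return set()


def validate_shell(shell: str, available: Iterable[str],
                   always_allowed: Iterable[str] = ("/sbin/nologin",)) -> str:
    """Return `shell` if permitted, otherwise raise ValueError naming the choices.

    `always_allowed` is an assumption of this example: /sbin/nologin is in the
    enum quoted in the issue but may not be listed in /etc/shells.
    """
    allowed = set(available) | set(always_allowed)
    if shell not in allowed:
        raise ValueError(
            f"shell {shell!r} is not available on this system; "
            f"choose one of {sorted(allowed)}"
        )
    return shell
```

Because the allowed set is read from the target system at run time, a shell such as /usr/local/bin/bash is accepted where it is installed and rejected with an explicit message where it is not.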