puzzle / puzzle.opnsense

An Ansible Collection to configure an opnsense Firewall
https://puzzle.github.io/puzzle.opnsense/collections/puzzle/opnsense/index.html
GNU General Public License v3.0

Password sanitation before hashing #120

Closed DonGiovanni83 closed 6 months ago

DonGiovanni83 commented 7 months ago

Describe the bug

When creating or updating a user password, we do not sanitize the unhashed password before hashing it. This results in the PHP error being written to the config instead of a valid hash. Therefore those users will not be able to log in anymore.

To Reproduce

Steps to reproduce the behavior:

  1. Execute this example playbook:
    ---
    - name: converge
      hosts: all
      become: true
      tasks:
        # Test User minimum requirements
        - name: "Test User 1: Test minimum requirements User Creation"
          puzzle.opnsense.system_access_users:
            username: test_user_1
            password: test_password_1\
        - name: "Test User 2: Test minimum requirements User Creation"
          puzzle.opnsense.system_access_users:
            username: test_user_2
            password: test_password_'
  2. Results in this XML:
    <user>
    <name>test_user_1</name>
    <password>Parse error: syntax error, unexpected identifier "cost", expecting ")" in Command line code on line
        1
    </password>
    <scope>User</scope>
    <descr>[ ANSIBLE ]</descr>
    <ipsecpsk/>
    <otp_seed/>
    <shell>/sbin/nologin</shell>
    <uid>2001</uid>
    <full_name>[ ANSIBLE ]</full_name>
    <expires/>
    <authorizedkeys/>
    </user>
    <user>
    <name>test_user_2</name>
    <password>Parse error: syntax error, unexpected single-quoted string ",PASSWORD_BCRYPT,[ ", expecting ")" in
        Command line code on line 1
    </password>
    <scope>User</scope>
    <descr>[ ANSIBLE ]</descr>
    <ipsecpsk/>
    <otp_seed/>
    <shell>/sbin/nologin</shell>
    <uid>2002</uid>
    <full_name>[ ANSIBLE ]</full_name>
    <expires/>
    <authorizedkeys/>
    </user>

Expected behavior

The password input must be sanitized before it is passed to the PHP hash function.

Additional context

The plugins/module_utils/system_access_users_util.py:UserSet.set_user_password function is the one that currently causes this issue.
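The failure described in this issue, as an added example that is not the collection's own code. The shape of the PHP one-liner is an assumption inferred from the two parse errors above, the cost value is a constructed placeholder, and all function names are hypothetical. It shows what PHP reads as the password literal for the two reproduction passwords, how escaping restores it, and a variant that sends the password over stdin so it never enters PHP source.

```python
import shutil
import subprocess

# Assumed shape of the PHP snippet, inferred from the parse errors in the issue;
# the cost value is a constructed placeholder.
TEMPLATE = "echo password_hash('{pw}',PASSWORD_BCRYPT,[ 'cost' => 11 ]);"


def php_sq_escape(value: str) -> str:
    """Escape for a PHP single-quoted literal: only backslash and ' are special."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def first_php_literal(code: str):
    """Decode the first single-quoted PHP literal in code; None if unterminated."""
    i = code.index("'") + 1
    out = []
    while i < len(code):
        ch = code[i]
        if ch == "\\" and i + 1 < len(code) and code[i + 1] in "\\'":
            out.append(code[i + 1])  # \\ and \' are the only escapes PHP honours here
            i += 2
        elif ch == "'":
            return "".join(out)  # closing quote: this is what PHP treats as the string
        else:
            out.append(ch)
            i += 1
    return None


def unsafe_code(password: str) -> str:
    # Raw interpolation: a trailing backslash or a quote shifts the literal's end.
    return TEMPLATE.format(pw=password)


def safe_code(password: str) -> str:
    return TEMPLATE.format(pw=php_sq_escape(password))


def hash_via_stdin(password: str) -> str:
    """Alternative: keep the password out of the PHP source entirely."""
    php = shutil.which("php")
    if php is None:
        raise RuntimeError("php CLI not found")
    code = "echo password_hash(stream_get_contents(STDIN),PASSWORD_BCRYPT);"
    return subprocess.run([php, "-r", code], input=password, text=True,
                          capture_output=True, check=True).stdout
```

With raw interpolation, the trailing backslash makes the literal swallow `',PASSWORD_BCRYPT,[ ` so `cost` is parsed as a bare identifier, and the trailing quote closes the literal one character early; both match the parse errors recorded in the XML.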

cfasnacht commented 7 months ago

Another issue is that it seems the change was persisted only today.

As far as I remember I didn't see a change in the Ansible task. The log output seems to confirm my suspicion:

TASK [opnsense_manage : Get api key print] ***************************************************************************************************************************************************
ok: [fw02.cloud-staging.puzzle.ch] => 
  msg:
    changed: true
    diff:
      after:
        system: ""
        system/nextgid: '2000'
        system/nextuid: '2015'
        system/user: ""
      before:
        system: ""
        system/nextgid: '2000'
        system/nextuid: '2015'
        system/user: ""
    failed: false
    generated_apikeys:
    - key=...
    - secret=...

Output ok: but: changed: true