puzzle / puzzle.opnsense

An Ansible Collection to configure an opnsense Firewall
https://puzzle.github.io/puzzle.opnsense/collections/puzzle/opnsense/index.html
GNU General Public License v3.0

get api key breaks user if group is not set #123

Closed cfasnacht closed 2 months ago

cfasnacht commented 4 months ago

This breaks all users:

    - name: Get api key
      puzzle.opnsense.system_access_users:
        username: root
        password: "{{ ansible_password }}"
        apikeys: ""

Output:

TASK [Get api key] *******************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: TypeError: Exception occurred: string indices must be integers
fatal: [server]: FAILED! => {"changed": false, "module_stderr": "Shared connection to 5.102.147.95 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n  File \"/tmp/ansible_puzzle.opnsense.system_access_users_payload_un5bf5od/ansible_puzzle.opnsense.system_access_users_payload.zip/ansible_collections/puzzle/opnsense/plugins/modules/system_access_users.py\", line 239, in main\r\n  File \"/tmp/ansible_puzzle.opnsense.system_access_users_payload_un5bf5od/ansible_puzzle.opnsense.system_access_users_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/config_utils.py\", line 362, in apply_settings\r\nTypeError: string indices must be integers\r\n\r\nDuring handling of the above exception, another exception occurred:\r\n\r\nTraceback (most recent call last):\r\n  File \"/root/.ansible/tmp/ansible-tmp-1714575278.1885858-38775-199945021915507/AnsiballZ_system_access_users.py\", line 107, in <module>\r\n    _ansiballz_main()\r\n  File \"/root/.ansible/tmp/ansible-tmp-1714575278.1885858-38775-199945021915507/AnsiballZ_system_access_users.py\", line 99, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/root/.ansible/tmp/ansible-tmp-1714575278.1885858-38775-199945021915507/AnsiballZ_system_access_users.py\", line 47, in invoke_module\r\n    runpy.run_module(mod_name='ansible_collections.puzzle.opnsense.plugins.modules.system_access_users', init_globals=dict(_module_fqn='ansible_collections.puzzle.opnsense.plugins.modules.system_access_users', _modlib_path=modlib_path),\r\n  File \"/usr/local/lib/python3.9/runpy.py\", line 225, in run_module\r\n    return _run_module_code(code, init_globals, run_name, mod_spec)\r\n  File \"/usr/local/lib/python3.9/runpy.py\", line 97, in _run_module_code\r\n    _run_code(code, mod_globals, init_globals,\r\n  File \"/usr/local/lib/python3.9/runpy.py\", line 87, in _run_code\r\n    exec(code, run_globals)\r\n  File 
\"/tmp/ansible_puzzle.opnsense.system_access_users_payload_un5bf5od/ansible_puzzle.opnsense.system_access_users_payload.zip/ansible_collections/puzzle/opnsense/plugins/modules/system_access_users.py\", line 268, in <module>\r\n  File \"/tmp/ansible_puzzle.opnsense.system_access_users_payload_un5bf5od/ansible_puzzle.opnsense.system_access_users_payload.zip/ansible_collections/puzzle/opnsense/plugins/modules/system_access_users.py\", line 253, in main\r\n  File \"/tmp/ansible_puzzle.opnsense.system_access_users_payload_un5bf5od/ansible_puzzle.opnsense.system_access_users_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/config_utils.py\", line 172, in __exit__\r\nTypeError: Exception occurred: string indices must be integers\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
DonGiovanni83 commented 4 months ago

I think this behavior might be because of the handling of the group member with uid = 0. An XML diff results in this:

199a200,215
>     <group>
>       <name>admins</name>
>       <description>System Administrators</description>
>       <scope>system</scope>
>       <gid>1999</gid>
>       <member>0</member>
>       <priv>page-all</priv>
>     </group>
>     <user>
>       <name>root</name>
>       <descr>System Administrator</descr>
>       <scope>system</scope>
>       <groupname>admins</groupname>
>       <password></password>
>       <uid>0</uid>
>     </user>
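Review bot: this side is the input that exercises the uid-0 case: root is the sole `<member>0</member>` of admins and carries `<uid>0</uid>`, so any member filtering that tests the uid for truthiness (rather than comparing against None or an empty string) will silently drop it; that is the check to look for in the apply path.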
265,292d280
<     <group>
<       <name>admins</name>
<       <description>System Administrators</description>
<       <scope>system</scope>
<       <priv>page-all</priv>
<       <gid>1999</gid>
<       <member/>
<     </group>
<     <user>
<       <name>root</name>
<       <password></password>
<       <scope>system</scope>
<       <descr>[ ANSIBLE ]</descr>
<       <ipsecpsk/>
<       <otp_seed/>
<       <shell>/sbin/nologin</shell>
<       <uid>0</uid>
<       <full_name>[ ANSIBLE ]</full_name>
<       <expires/>
<       <authorizedkeys/>
<       <apikeys>
<         <item>
<           <key>XW+sfiAV5bpfHekR4t7OAOaWtYE4eADgHYHKPQKdfxeSHFjh0M6fRVmMfILZSG6avVpLRMlMgTdb7ciS</key>
<           <secret>$6$$eQrsnn4atGr.8N8G.HHCKktddJQwBsdfgOf9qNfCH.P2Ki2gvM05kJXmzGlOEYwXnYJwvjSn5iteNQmzszu30j.</secret>
<         </item>
<       </apikeys>
<       <groupname>admins</groupname>
<     </user>
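Review bot: the removed side shows the inconsistent state behind the report: admins ends up with an empty `<member/>` while root still has `<groupname>admins</groupname>`, so the user-to-group link survived but the group-to-user membership did not, and root's `<descr>` and `<full_name>` were overwritten with "[ ANSIBLE ]" as well. Note also that this side pastes a live `<key>` and its `<secret>` hash into a public issue; that API key should be treated as exposed and rotated.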

Since we have always tested this module with vagrant boxes, where we used the user vagrant with some other uid, we have not yet encountered this case.

We need to test and fix those cases where uid could have some special values like 0 and potentially even 1.
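A Python reproduction of the uid-0 hypothesis above, added here as an illustration and not the collection's own code: the XML fragment is constructed from the diff in this thread, and the falsy-uid check is a hypothetical guess at the cause, shown beside the corrected check.

```python
"""Hypothetical reproduction of the uid-0 membership bug (not puzzle.opnsense code)."""
import xml.etree.ElementTree as ET

# Constructed config fragment mirroring the '>' side of the diff above:
# root (uid 0) is the only member of the system group 'admins'.
CONFIG_XML = """<opnsense><system>
  <group>
    <name>admins</name><scope>system</scope><gid>1999</gid>
    <member>0</member>
    <priv>page-all</priv>
  </group>
  <user><name>root</name><uid>0</uid><groupname>admins</groupname></user>
</system></opnsense>"""


def members_buggy(group: ET.Element) -> list[int]:
    """Truthiness check on the uid: 0 is falsy, so root is silently dropped."""
    out = []
    for m in group.findall("member"):
        uid = int(m.text) if m.text else None
        if uid:                      # bug: uid 0 never gets appended
            out.append(uid)
    return out


def members_fixed(group: ET.Element) -> list[int]:
    """Skip only a genuinely empty <member/> element, never a uid of 0."""
    out = []
    for m in group.findall("member"):
        if m.text is None or m.text.strip() == "":
            continue                 # empty <member/>: no membership recorded
        out.append(int(m.text))
    return out


def rewrite_members(group: ET.Element, members: list[int]) -> str:
    """Re-serialise the <member> children the way a config writer would."""
    for m in group.findall("member"):
        group.remove(m)
    if not members:
        ET.SubElement(group, "member")          # serialises as <member />
    for uid in members:
        ET.SubElement(group, "member").text = str(uid)
    return ET.tostring(group, encoding="unicode")


def demo(buggy: bool) -> tuple[list[int], str]:
    """Return (members read, group XML written back) for either code path."""
    root = ET.fromstring(CONFIG_XML)
    group = root.find("./system/group[name='admins']")
    members = members_buggy(group) if buggy else members_fixed(group)
    return members, rewrite_members(group, members)
```

Running `demo(True)` writes back the empty `<member />` seen on the `<` side of the diff, while `demo(False)` keeps `<member>0</member>`.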