Merge pull request #30 from llnagy76/fix_missing_enclosing_and_escaping

Fix missing enclosing and escaping
OneIdentity · Jun 10, 2022 · 6771be0 · 6771be0
2 parents 7d6ee8a + 4d44166
commit 6771be0
Show file tree

Hide file tree

Showing 23 changed files with 83 additions and 53 deletions.
diff --git a/README.md b/README.md
@@ -106,14 +106,14 @@ To install from [GitHub](https://github.com/OneIdentity/ansible-authentication-s
 
 Using `ansible-galaxy` command:
 ```bash
-ansible-galaxy collection install https://github.com/OneIdentity/ansible-authentication-services/releases/download/v0.1.0/oneidentity-authentication_services-0.1.0.tar.gz
+ansible-galaxy collection install https://github.com/OneIdentity/ansible-authentication-services/releases/download/v0.1.1/oneidentity-authentication_services-0.1.1.tar.gz
 ```
 
 The collection can also be added to a project's `requirements.yml` file
 ```yaml
 ---
 collections:
-  - name: https://github.com/OneIdentity/ansible-authentication-services/releases/download/v0.1.0/oneidentity-authentication_services-0.1.0.tar.gz
+  - name: https://github.com/OneIdentity/ansible-authentication-services/releases/download/v0.1.1/oneidentity-authentication_services-0.1.1.tar.gz
 ```
 
 and installed using the `ansible-galaxy` command.  This method allows all required collections for a project to be specified in one place and installed with one command.
@@ -143,7 +143,7 @@ For local build and installation, you can clone the Git repository, build the co
     The build command will generate an Ansible Galaxy collection artifact with a `tar.gz` file extension, sample output will look like the following:
 
     ```
-    Created collection for oneidentity.authentication_services at /home/user/ansible-authentication-services/oneidentity-authentication_services-0.1.0.tar.gz
+    Created collection for oneidentity.authentication_services at /home/user/ansible-authentication-services/oneidentity-authentication_services-0.1.1.tar.gz
     ```
 
     `Pleae note the path shown above is just an example, the path to your build artifact will be in the root directory of the cloned repository.`
@@ -153,14 +153,14 @@ For local build and installation, you can clone the Git repository, build the co
     Using `ansible-galaxy` command:
 
     ```bash
-    ansible-galaxy collection install /home/user/ansible-authentication-services/oneidentity-authentication_services-0.1.0.tar.gz
+    ansible-galaxy collection install /home/user/ansible-authentication-services/oneidentity-authentication_services-0.1.1.tar.gz
     ```
 
     The collection can also be added to a project's `requirements.yml` file
     ```yaml
     ---
     collections:
-    - name: /home/user/ansible-authentication-services/oneidentity-authentication_services-0.1.0.tar.gz
+    - name: /home/user/ansible-authentication-services/oneidentity-authentication_services-0.1.1.tar.gz
     ```
 
     and installed using the `ansible-galaxy` command.  This method allows all required collections for a project to be specified in one place and installed with one command.

diff --git a/galaxy.yml b/galaxy.yml
@@ -10,7 +10,7 @@ namespace: oneidentity
 name: authentication_services  
 
 # Semantic versioning compliant version designation
-version: "0.1.0"
+version: "0.1.1"
 
 # The path do the Markdown(.md) readme file
 readme: README.md

diff --git a/plugins/module_utils/misc_utils.py b/plugins/module_utils/misc_utils.py
@@ -0,0 +1,24 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# ------------------------------------------------------------------------------
+# Copyright (c) 2022, One Identity LLC
+# File: misc_utils.py
+# Desc: Ansible utils module that contains miscellaneous functions.
+# Auth: Laszlo Nagy
+# Note:
+# ------------------------------------------------------------------------------
+
+# ------------------------------------------------------------------------------
+# Functions
+# ------------------------------------------------------------------------------
+
+# ------------------------------------------------------------------------------
+def enclose_shell_arg(arg):
+    """
+    Encloses shell argument in quotation marks because it may contain space(s).
+    If the string contains a single quotation mark then it must be replaced
+    by '"'"'. See https://stackoverflow.com/q/1250079/26449
+    """
+
+    return "'" + arg.replace("'", "'\"'\"'") + "'"
diff --git a/plugins/modules/get_local_unix_groups.py b/plugins/modules/get_local_unix_groups.py
@@ -124,7 +124,7 @@
 import subprocess
 import sys
 import traceback
-import ansible_collections.oneidentity.authentication_services.plugins.module_utils.check_file_exec as cfe
+from ansible_collections.oneidentity.authentication_services.plugins.module_utils.misc_utils import enclose_shell_arg
 
 
 # ------------------------------------------------------------------------------
@@ -315,7 +315,7 @@ def run_dscl(args):
 # ------------------------------------------------------------------------------
 def get_group_property(group, prop):
 
-    rc, rval_str = run_dscl('. -read /Groups/' + group + ' ' + prop)
+    rc, rval_str = run_dscl('. -read /Groups/' + enclose_shell_arg(group) + ' ' + prop)
     if rc == 0:
         # -read: Prints a directory. The property key is followed by colon, then a
         # space-separated list of the values for that property. If any value contains

diff --git a/plugins/modules/get_local_unix_user_conflicts.py b/plugins/modules/get_local_unix_user_conflicts.py
@@ -110,7 +110,7 @@
 import subprocess
 import sys
 import traceback
-import ansible_collections.oneidentity.authentication_services.plugins.module_utils.check_file_exec as cfe
+from ansible_collections.oneidentity.authentication_services.plugins.module_utils.misc_utils import enclose_shell_arg
 
 
 # ------------------------------------------------------------------------------
@@ -275,7 +275,7 @@ def run_dscl(args):
 # ------------------------------------------------------------------------------
 def get_user_property(user, prop):
 
-    rc, rval_str = run_dscl('. -read /Users/' + user + ' ' + prop)
+    rc, rval_str = run_dscl('. -read /Users/' + enclose_shell_arg(user) + ' ' + prop)
     if rc == 0:
         # -read: Prints a directory. The property key is followed by colon, then a
         # space-separated list of the values for that property. If any value contains

diff --git a/plugins/modules/get_local_unix_users.py b/plugins/modules/get_local_unix_users.py
@@ -138,7 +138,7 @@
 import subprocess
 import sys
 import traceback
-import ansible_collections.oneidentity.authentication_services.plugins.module_utils.check_file_exec as cfe
+from ansible_collections.oneidentity.authentication_services.plugins.module_utils.misc_utils import enclose_shell_arg
 
 
 # ------------------------------------------------------------------------------
@@ -339,7 +339,7 @@ def run_dscl(args):
 # ------------------------------------------------------------------------------
 def get_user_property(user, prop):
 
-    rc, rval_str = run_dscl('. -read /Users/' + user + ' ' + prop)
+    rc, rval_str = run_dscl('. -read /Users/' + enclose_shell_arg(user) + ' ' + prop)
     if rc == 0:
         # -read: Prints a directory. The property key is followed by colon, then a
         # space-separated list of the values for that property. If any value contains

diff --git a/plugins/modules/get_local_unix_users_with_ad_logon.py b/plugins/modules/get_local_unix_users_with_ad_logon.py
@@ -279,7 +279,7 @@ def run_dscl(args):
 # ------------------------------------------------------------------------------
 def get_user_property(user, prop):
 
-    rc, rval_str = run_dscl('. -read /Users/' + user + ' ' + prop)
+    rc, rval_str = run_dscl('. -read /Users/' + enclose_shell_arg(user) + ' ' + prop)
     if rc == 0:
         # -read: Prints a directory. The property key is followed by colon, then a
         # space-separated list of the values for that property. If any value contains

diff --git a/plugins/modules/preflight.py b/plugins/modules/preflight.py
@@ -154,6 +154,7 @@
 import traceback
 import subprocess
 import ansible_collections.oneidentity.authentication_services.plugins.module_utils.check_file_exec as cfe
+from ansible_collections.oneidentity.authentication_services.plugins.module_utils.misc_utils import enclose_shell_arg
 
 
 # ------------------------------------------------------------------------------
@@ -345,15 +346,18 @@ def run_preflight(
     Run preflight
     """
 
+    if not password:
+        return 'Error: password is empty string!', []
+
     # Return values
     err = None
     steps = []
 
     # Build preflight command
     cmd = []
     cmd += [path]
-    cmd += ['-u ' + username]
-    cmd += ['-w ' + password]
+    cmd += ['-u ' + enclose_shell_arg(username)]
+    cmd += ['-w ' + enclose_shell_arg(password)]
     cmd += ['--csv']
     cmd += ['-t ' + str(timeout)]
     cmd += ['-S'] if timesync else []

diff --git a/plugins/modules/vastool_join.py b/plugins/modules/vastool_join.py
@@ -163,6 +163,7 @@
 import re
 import ansible_collections.oneidentity.authentication_services.plugins.module_utils.vastool as vt
 import ansible_collections.oneidentity.authentication_services.plugins.module_utils.check_file_exec as cfe
+from ansible_collections.oneidentity.authentication_services.plugins.module_utils.misc_utils import enclose_shell_arg
 
 
 # ------------------------------------------------------------------------------
@@ -429,12 +430,12 @@ def run_vastool_join(
     # Build vastool command
     cmd = []
     cmd += [vt.VASTOOL_PATH]
-    cmd += ['-u ' + username]
-    cmd += ['-w ' + password]
+    cmd += ['-u ' + enclose_shell_arg(username)]
+    cmd += ['-w ' + enclose_shell_arg(password)]
     cmd += ['join']
     cmd += ['-f']
     cmd += ['-n ' + account_name] if account_name else []
-    cmd += ['-c ' + account_container] if account_container else []
+    cmd += ['-c ' + enclose_shell_arg(account_container)] if account_container else []
     cmd += [extra_args] if extra_args else []
     cmd += [domain]
     cmd += servers if servers else []
@@ -473,8 +474,8 @@ def run_vastool_unjoin(
     # Build vastool command
     cmd = []
     cmd += [vt.VASTOOL_PATH]
-    cmd += ['-u ' + username]
-    cmd += ['-w ' + password]
+    cmd += ['-u ' + enclose_shell_arg(username)]
+    cmd += ['-w ' + enclose_shell_arg(password)]
     cmd += ['unjoin']
     cmd += ['-f']
     cmd += ['-n ' + account_name] if account_name else []

diff --git a/roles/ad_group_conflicts/templates/ad_group_conflicts_report_common.html.j2 b/roles/ad_group_conflicts/templates/ad_group_conflicts_report_common.html.j2
@@ -86,8 +86,8 @@
       {% for group in groups_with_same_gid | sort %}
       {
       'gidnumber': '{{ group[2] }}',
-      'samaccountname': '{{ group[1] }}',
-      'distinguishedname': '{{ group[0] }}'
+      'samaccountname': '{{ group[1] | replace("'", '\\x27') }}',
+      'distinguishedname': '{{ group[0] | replace("'", '\\x27') }}'
       },
       {% endfor %}
       {% endfor %}

diff --git a/roles/ad_user_conflicts/templates/ad_user_conflicts_report_common.html.j2 b/roles/ad_user_conflicts/templates/ad_user_conflicts_report_common.html.j2
@@ -86,8 +86,8 @@
       {% for user in users_with_same_uid | sort(attribute='sAMAccountName') %}
       {
       'uidnumber': '{{ user['uidNumber'] }}',
-      'samaccountname': '{{ user['sAMAccountName'] }}',
-      'distinguishedname': '{{ user['DistinguishedName'] }}'
+      'samaccountname': '{{ user['sAMAccountName'] | replace("'", '\\x27') }}',
+      'distinguishedname': '{{ user['DistinguishedName'] | replace("'", '\\x27') }}'
       },
       {% endfor %}
       {% endfor %}

diff --git a/roles/client_sw/templates/OneIdentityQuestRGB.png b/roles/client_sw/templates/OneIdentityQuestRGB.png
diff --git a/roles/client_sw/templates/OneIdentityQuestRGB.txt b/roles/client_sw/templates/OneIdentityQuestRGB.txt
diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml
@@ -1,3 +1,3 @@
 ---
 
-collection_version: '0.1.0' 
+collection_version: '0.1.1' 
diff --git a/roles/local_unix_groups/templates/local_unix_groups_report_common.html.j2 b/roles/local_unix_groups/templates/local_unix_groups_report_common.html.j2
@@ -168,9 +168,9 @@ Report parameters:<br>
     var data = [
 {% for group in local_unix_groups | sort %}
       {
-      'group_name': '{{ group[0] }}',
+      'group_name': '{{ group[0] | replace("'", '\\x27') }}',
       'group_id': '{{ group[2] }}',
-      'members': '{{ group[3] }}'
+      'members': '{{ group[3] | replace("'", '\\x27') }}'
       },
 {% endfor %}
     ];

diff --git a/roles/local_unix_user_conflicts/templates/local_unix_user_conflicts_report_common.html.j2 b/roles/local_unix_user_conflicts/templates/local_unix_user_conflicts_report_common.html.j2
@@ -157,11 +157,11 @@ Report of all local user accounts that conflict with:<br>
     var data = [
 {% for user in local_unix_user_conflicts | sort %}
       {
-      'user_name': '{{ user[0] }}',
+      'user_name': '{{ user[0] | replace("'", '\\x27') }}',
       'user_id': '{{ user[2] }}',
       'group_id': '{{ user[3] }}',
-      'comment': '{{ user[4] }}',
-      'home_directory': '{{ user[5] }}',
+      'comment': '{{ user[4] | replace("'", '\\x27') }}',
+      'home_directory': '{{ user[5] | replace("'", '\\x27') }}',
       'login_shell': '{{ user[6] }}'
       },
 {% endfor %}

diff --git a/roles/local_unix_users/templates/local_unix_users_report_common.html.j2 b/roles/local_unix_users/templates/local_unix_users_report_common.html.j2
@@ -177,11 +177,11 @@ Report parameters:<br>
     var data = [
 {% for user in local_unix_users | sort %}
       {
-      'user_name': '{{ user[0] }}',
+      'user_name': '{{ user[0] | replace("'", '\\x27') }}',
       'user_id': '{{ user[2] }}',
       'group_id': '{{ user[3] }}',
-      'comment': '{{ user[4] }}',
-      'home_directory': '{{ user[5] }}',
+      'comment': '{{ user[4] | replace("'", '\\x27') }}',
+      'home_directory': '{{ user[5] | replace("'", '\\x27') }}',
       'login_shell': '{{ user[6] }}'
       },
 {% endfor %}

diff --git a/...l_unix_users_with_ad_logon/templates/local_unix_users_with_ad_logon_report_common.html.j2 b/...l_unix_users_with_ad_logon/templates/local_unix_users_with_ad_logon_report_common.html.j2
@@ -152,9 +152,9 @@ The Local Unix Users with AD Logon report is used to identify the local user acc
     var data = [
 {% for user in local_unix_users_with_ad_logon | sort %}
       {
-      'unix_name': '{{ user[0] }}',
-      'ad_account': '{{ user[1] | replace("\\", "\\\\") }}',
-      'gecos': '{{ user[2] | replace("\\", "\\\\") }}'
+      'unix_name': '{{ user[0] | replace("'", '\\x27') }}',
+      'ad_account': '{{ user[1] | replace("'", '\\x27') | replace("\\", "\\\\") }}',
+      'gecos': '{{ user[2] | replace("'", '\\x27') | replace("\\", "\\\\") }}'
       },
 {% endfor %}
     ];

diff --git a/roles/logon_policy_for_ad_user/templates/logon_policy_for_ad_user_report_common.html.j2 b/roles/logon_policy_for_ad_user/templates/logon_policy_for_ad_user_report_common.html.j2
@@ -127,11 +127,11 @@
         {
           'unique_id': '{{ loop.index0 }}',
           'num_of_hosts': '{{ logon_policy_for_ad_user[policy]['hosts'] | default() | length }}',
-          'user_name': '{{ logon_policy_for_ad_user[policy]['user'][0] | replace("\\", "\\\\") }}',
+          'user_name': '{{ logon_policy_for_ad_user[policy]['user'][0] | replace("'", '\\x27') | replace("\\", "\\\\") }}',
           'user_id': '{{ logon_policy_for_ad_user[policy]['user'][2] }}',
           'group_id': '{{ logon_policy_for_ad_user[policy]['user'][3] }}',
-          'comment': '{{ logon_policy_for_ad_user[policy]['user'][4] | replace("\\", "\\\\") }}',
-          'home_directory': '{{ logon_policy_for_ad_user[policy]['user'][5] }}',
+          'comment': '{{ logon_policy_for_ad_user[policy]['user'][4] | replace("'", '\\x27') | replace("\\", "\\\\") }}',
+          'home_directory': '{{ logon_policy_for_ad_user[policy]['user'][5] | replace("'", '\\x27') }}',
           'login_shell': '{{ logon_policy_for_ad_user[policy]['user'][6] }}'
         },
       {% endfor %}

diff --git a/roles/logon_policy_for_unix_host/templates/logon_policy_for_unix_host_report_common.html.j2 b/roles/logon_policy_for_unix_host/templates/logon_policy_for_unix_host_report_common.html.j2
@@ -153,11 +153,11 @@
     var data = [
 {% for user in users_allowed | sort %}
       {
-      'user_name': '{{ user[0] }}',
+      'user_name': '{{ user[0] | replace("'", '\\x27') | replace("\\", "\\\\") }}',
       'user_id': '{{ user[2] }}',
       'group_id': '{{ user[3] }}',
-      'comment': '{{ user[4] }}',
-      'home_directory': '{{ user[5] }}',
+      'comment': '{{ user[4] | replace("'", '\\x27') | replace("\\", "\\\\") }}',
+      'home_directory': '{{ user[5] | replace("'", '\\x27') }}',
       'login_shell': '{{ user[6] }}'
       },
 {% endfor %}

diff --git a/roles/unix_computers_in_ad/templates/unix_computers_in_ad_report_common.html.j2 b/roles/unix_computers_in_ad/templates/unix_computers_in_ad_report_common.html.j2
@@ -88,9 +88,9 @@
       var data = [
       {% for computer in computers | sort(attribute='sAMAccountName') %}
       {
-      'samaccountname': '{{ computer.sAMAccountName }}',
-      'operatingsystem': '{{ computer.operatingSystem }}',
-      'distinguishedname': '{{ computer.DistinguishedName }}'
+      'samaccountname': '{{ computer.sAMAccountName | replace("'", '\\x27') }}',
+      'operatingsystem': '{{ computer.operatingSystem | replace("'", '\\x27') }}',
+      'distinguishedname': '{{ computer.DistinguishedName | replace("'", '\\x27') }}'
       },
       {% endfor %}
     ];

diff --git a/roles/unix_enabled_ad_groups/templates/unix_enabled_ad_groups_report_common.html.j2 b/roles/unix_enabled_ad_groups/templates/unix_enabled_ad_groups_report_common.html.j2
@@ -84,9 +84,9 @@
       var data = [
       {% for group in unix_enabled_groups | sort %}
       {
-      'name': '{{ group[1] }}',
-      'distinguished_name': '{{ group[0] }}',
-      'group_name': '{{ group[1] }}',
+      'name': '{{ group[1] | replace("'", '\\x27') }}',
+      'distinguished_name': '{{ group[0] | replace("'", '\\x27') }}',
+      'group_name': '{{ group[1] | replace("'", '\\x27') }}',
       'group_gid_number': '{{ group[2] }}'
       },
       {% endfor %}

diff --git a/roles/unix_enabled_ad_users/templates/unix_enabled_ad_users_report_common.html.j2 b/roles/unix_enabled_ad_users/templates/unix_enabled_ad_users_report_common.html.j2
@@ -88,13 +88,13 @@
       var data = [
       {% for user in unix_enabled_users | sort %}
       {
-      'name': '{{ user[1] }}',
-      'distinguished_name': '{{ user[0] }}',
-      'unix_user_name': '{{ user[1] }}',
+      'name': '{{ user[1] | replace("'", '\\x27') }}',
+      'distinguished_name': '{{ user[0] | replace("'", '\\x27') }}',
+      'unix_user_name': '{{ user[1] | replace("'", '\\x27') }}',
       'uid_number': '{{ user[2] }}',
       'primary_gid_number': '{{ user[3] }}',
-      'gecos': '{{ user[4] }}',
-      'home_directory': '{{ user[5] }}',
+      'gecos': '{{ user[4] | replace("'", '\\x27') }}',
+      'home_directory': '{{ user[5] | replace("'", '\\x27') }}',
       'login_shell': '{{ user[6] }}'
       },
       {% endfor %}