generated from ansible-collections/collection_template
-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Implement/password sanitation before hashing (#122)
* added tests to verify proper password sanitizion * added password sanitizion * created the password_verify function * updated the __eq__ function so that the password is no longer ignored and verified if updated * splited up the add_or_update function, so that passwords are only created if updated or not existing * updated tests, so that password_verify can be used * updated naming * added default value for password * added additonal tests * sanity errors * applied DonGiovanni suggestion * applied DonGiovanni suggestion * applied DonGiovanni suggestion * applied DonGiovanni suggestion (password_verify typing) * updated tests, so that a new testuser can be added * updated group removal, so that the groupname attribute is removed from the user as well * updated tests to verify changes * added fragment * added minor_changes fragment
- Loading branch information
Showing
4 changed files
with
326 additions
and
82 deletions.
There are no files selected for viewing
7 changes: 7 additions & 0 deletions
7
changelogs/fragments/122-implement-password-sanitation-before-hashing.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| --- | ||
| bugfixes: | ||
| - system_access_users - Introduced password sanitization to fix parsing errors. | ||
| - system_access_users - Introduced password verification to fix passwords not being updated. | ||
|
|
||
| minor_changes: | ||
| - system_access_users - Enhanced group removal handling |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,165 +7,165 @@ | |
| ansible.builtin.debug: | ||
| msg: "test" | ||
|
|
||
| # Test User minimum requirements | ||
| # Test User minimum requirements | ||
| - name: "Test User 1: Test minimum requirements User Creation" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_1 | ||
| password: test_password_1 | ||
|
|
||
| # Test User minimum requirements disabled | ||
| # Test User minimum requirements disabled | ||
| - name: "Test User 2: Test disabled User Creation" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_2 | ||
| password: test_password_2 | ||
| full_name: "Test User 2: Test disabled User Creation" | ||
| disabled: True | ||
|
|
||
| # Test User with Full Name | ||
| # Test User with Full Name | ||
| - name: "Test User 3: Test User Creation with Full Name" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_3 | ||
| password: test_password_3 | ||
| full_name: "Test User 3: Test User Creation with Full Name" | ||
|
|
||
| # Test User with E-Mail | ||
| # Test User with E-Mail | ||
| - name: "Test User 4: Test User Creation with E-Mail" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_4 | ||
| password: test_password_4 | ||
| email: [email protected] | ||
| full_name: "Test User 4: Test User Creation with E-Mail" | ||
|
|
||
| # Test User with Comment | ||
| # Test User with Comment | ||
| - name: "Test User 5: Test User Creation with Comment" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_5 | ||
| password: test_password_5 | ||
| comment: Test User 5 Comment | ||
| full_name: "Test User 5: Test User Creation with Comment" | ||
|
|
||
| # Test User with Preferred landing page | ||
| # Test User with Preferred landing page | ||
| - name: "Test User 6: Test User Creation with Preferred landing page" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_6 | ||
| password: test_password_6 | ||
| landing_page: /ui/ipsec/sessions | ||
| full_name: "Test User 6: Test User Creation with Preferred landing page" | ||
|
|
||
| # Test User with nologin shell | ||
| # Test User with nologin shell | ||
| - name: "Test User 7: Test User Creation with nologin shell" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_7 | ||
| password: test_password_7 | ||
| shell: /sbin/nologin | ||
| full_name: "Test User 7: Test User Creation with nologin shell" | ||
|
|
||
| # Test User with csh shell | ||
| # Test User with csh shell | ||
| - name: "Test User 8: Test User Creation with csh shell" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_8 | ||
| password: test_password_8 | ||
| shell: /bin/csh | ||
| full_name: "Test User 8: Test User Creation with csh shell" | ||
|
|
||
| # Test User with sh shell | ||
| # Test User with sh shell | ||
| - name: "Test User 9: Test User Creation with sh shell" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_9 | ||
| password: test_password_9 | ||
| shell: /bin/sh | ||
| full_name: "Test User 9: Test User Creation with sh shell" | ||
|
|
||
| # Test User with tcsh shell | ||
| # Test User with tcsh shell | ||
| - name: "Test User 10: Test User Creation with tcsh shell" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_10 | ||
| password: test_password_10 | ||
| shell: /bin/tcsh | ||
| full_name: "Test User 10: Test User Creation with tcsh shell" | ||
|
|
||
| # Test User with Expiration date | ||
| # Test User with Expiration date | ||
| - name: "Test User 11: Test User Creation with Expiration date" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_11 | ||
| password: test_password_11 | ||
| expires: 02/27/2024 | ||
| full_name: "Test User 11: Test User Creation with Expiration date" | ||
|
|
||
| # Test User with group as string | ||
| # Test User with group as string | ||
| - name: "Test User 12: Test User Creation with group as string" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_12 | ||
| password: test_password_12 | ||
| full_name: "Test User 12: Test User Creation with group as string" | ||
| groups: admins | ||
|
|
||
| # Test User with group as list | ||
| # Test User with group as list | ||
| - name: "Test User 13: Test User Creation with group as list" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_13 | ||
| password: test_password_13 | ||
| full_name: "Test User 13: Test User Creation with group as list" | ||
| groups: | ||
| - admins | ||
| - admins | ||
|
|
||
| # Test User with not existing group as list | ||
| # Test User with not existing group as list | ||
| - name: "Test User 14: Test User Creation with not existing group as list" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_14 | ||
| password: test_password_14 | ||
| full_name: "Test User 14: Test User Creation with not existing group as list" | ||
| groups: | ||
| - test | ||
| - test | ||
| register: test_user_14_result | ||
| ignore_errors: yes | ||
|
|
||
| - name: "Verify that the user creation failed due to non-existing group" | ||
| ansible.builtin.assert: | ||
| that: | ||
| - test_user_14_result is failed | ||
| - test_user_14_result is failed | ||
| fail_msg: "User creation should fail due to non-existing group" | ||
| success_msg: "User creation failed as expected due to non-existing group" | ||
|
|
||
| # Test User with empty otp_seed | ||
| # Test User with empty otp_seed | ||
| - name: "Test User 15: Test User Creation with empty otp_seed" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_15 | ||
| password: test_password_15 | ||
| otp_seed: "" | ||
| full_name: "Test User 15: Test User Creation with empty otp_seed" | ||
|
|
||
| # Test User with otp_seed | ||
| # Test User with otp_seed | ||
| - name: "Test User 16: Test User Creation with otp_seed" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_16 | ||
| password: test_password_16 | ||
| otp_seed: test_seed | ||
| full_name: "Test User 16: Test User Creation with otp_seed" | ||
|
|
||
| # Test User with empty authorizedkeys | ||
| # Test User with empty authorizedkeys | ||
| - name: "Test User 17: Test User Creation with empty authorizedkeys" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_17 | ||
| password: test_password_17 | ||
| authorizedkeys: "" | ||
| full_name: "Test User 17: Test User Creation with empty authorizedkeys" | ||
|
|
||
| # Test User with authorizedkeys | ||
| # Test User with authorizedkeys | ||
| - name: "Test User 18: Test User Creation with authorizedkeys" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_18 | ||
| password: test_password_18 | ||
| authorizedkeys: test_authorized_key | ||
| full_name: "Test User 18: Test User Creation with authorizedkeys" | ||
| username: test_user_18 | ||
| password: test_password_18 | ||
| authorizedkeys: test_authorized_key | ||
| full_name: "Test User 18: Test User Creation with authorizedkeys" | ||
|
|
||
| # Test User with empty api_keys | ||
| # Test User with empty api_keys | ||
| - name: "Test User 19: Test User Creation with empty api_keys" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_19 | ||
| password: test_password_19 | ||
| apikeys: "" | ||
| full_name: "Test User 19: Test User Creation with empty api_keys" | ||
| username: test_user_19 | ||
| password: test_password_19 | ||
| apikeys: "" | ||
| full_name: "Test User 19: Test User Creation with empty api_keys" | ||
| register: api_keys_result | ||
|
|
||
| - name: Return the created apikeys and secret of Test User 19 | ||
|
|
@@ -175,35 +175,67 @@ | |
| - "'generated_apikeys' in api_keys_result" | ||
| - api_keys_result.generated_apikeys | length > 0 | ||
|
|
||
| # Test User with too short api_keys | ||
| # Test User with too short api_keys | ||
| - name: "Test User 20: Test User Creation with too short api_keys" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_20 | ||
| password: test_password_20 | ||
| apikeys: "TEST_API_KEY" | ||
| full_name: "Test User 20: Test User Creation with too short api_keys" | ||
| username: test_user_20 | ||
| password: test_password_20 | ||
| apikeys: "TEST_API_KEY" | ||
| full_name: "Test User 20: Test User Creation with too short api_keys" | ||
| register: test_user_20_result | ||
| ignore_errors: yes | ||
|
|
||
| - name: "Verify that the user creation failed due to too short api key" | ||
| ansible.builtin.assert: | ||
| that: | ||
| - test_user_20_result is failed | ||
| - test_user_20_result is failed | ||
| fail_msg: "The API key: TEST_API_KEY is not a valid string. Must be >= 80 characters." | ||
| success_msg: "The API key: TEST_API_KEY is not a valid string. Must be >= 80 characters." | ||
|
|
||
| # Test User with valid api_keys | ||
| # Test User with valid api_keys | ||
| - name: "Test User 21: Test User Creation with valid api_keys" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_21 | ||
| password: test_password_21 | ||
| apikeys: "TEST_API_KEY_WITH_RANDOM_CHARS_UNTIL_80_zo5Y3bUpOQFfbQnAOB6GqbHsPAP9Jqbjofnqu9xc" | ||
| full_name: "Test User 21: Test User Creation with valid api_keys" | ||
| username: test_user_21 | ||
| password: test_password_21 | ||
| apikeys: "TEST_API_KEY_WITH_RANDOM_CHARS_UNTIL_80_zo5Y3bUpOQFfbQnAOB6GqbHsPAP9Jqbjofnqu9xc" | ||
| full_name: "Test User 21: Test User Creation with valid api_keys" | ||
| register: api_keys_result | ||
|
|
||
| - name: Return the created apikeys and secret of Test User 21 | ||
| ansible.builtin.debug: | ||
| msg: "The following api_keys were created {{ api_keys_result.generated_apikeys }}" | ||
| when: | ||
| - "'generated_apikeys' in api_keys_result" | ||
| - api_keys_result.generated_apikeys | length > 0 | ||
| - api_keys_result.generated_apikeys | length > 0 | ||
|
|
||
| # Test User password escaping | ||
| - name: "Test User 22: Test password escaping" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_22 | ||
| password: test_password_22\ | ||
| shell: /bin/sh | ||
| groups: | ||
| - admins | ||
|
|
||
| # Test User password escaping | ||
| - name: "Test User 23: Test password escaping" | ||
| puzzle.opnsense.system_access_users: | ||
| username: test_user_23 | ||
| password: test_password_23' | ||
| shell: /bin/sh | ||
| groups: | ||
| - admins | ||
|
|
||
| # we have no alternative way to compare the values | ||
| # other than getting them from the config | ||
| # see https://github.com/opnsense/core/blob/24.1/src/opnsense/scripts/syslog/log_archive#L36 | ||
| - name: Get current config | ||
| ansible.builtin.slurp: | ||
| src: /conf/config.xml | ||
| register: current_config | ||
|
|
||
| - name: Test that no error message is in config | ||
| ansible.builtin.assert: | ||
| that: | ||
| - "'syntax error, unexpected identifier \"cost\", expecting \")\" in Command line code on line 1' not in (current_config.content | b64decode | string)" | ||
| - "'syntax error, unexpected single-quoted string \",PASSWORD_BCRYPT,[ \", expecting \")\" in Command line code on line 1' not in (current_config.content | b64decode | string)" | ||
Oops, something went wrong.