There is a bug in the ansible module: cp_gaia_user - Failing to change password-hash of user with name "admin" #49

Open
chkp-jimo opened this issue Dec 12, 2024 · 0 comments


chkp-jimo commented Dec 12, 2024

There is a bug in the ansible module: cp_gaia_user

Reproducible with the following playbook: cp_gaia_user.yml

The result of changing the user "admin" password hash ends with error:

```
fatal: [192.168.233.51]: FAILED! => {"changed": false, "msg": "Checkpoint device returned error 400 with message {'code': 'err_validation_failed', 'errors': 'Cannot change this attribute of user admin', 'msg': 'Validation Error'}"}
```

This is the task failing:

```yaml
  collections:
    - check_point.gaia
  tasks:
    - name: Set password for the admin user
      cp_gaia_user:
        name: admin
        password_hash: '$6$OgI.RZCV3v8fzV31$1lUh7jWPnZ7Kgig.8GiLcB3aVvQKZBSoarUCIRDNMwUHonNvSnAT4XV3UT4x2ZifMuMGLWGay6T7STn4TcTKD0'
        # set password to vpn123
      register: updated_admin_user
```

This is from /var/log/gaia_api_server.log when using ansible module cp_gaia_user:

```
12/12/24 09:43:46: MainThread: server_util.udsListener: INFO: remote_addr IP = 192.168.233.200
12/12/24 09:43:46: MainThread: infra.urlGeneratorIS: INFO: Handle request: <class 'requests.users.SetUserV18'>
12/12/24 09:43:46: MainThread: infra.urlGeneratorIS: INFO: Execute validators
12/12/24 09:43:46: MainThread: infra.urlGeneratorIS: INFO: Verify permissions
12/12/24 09:43:46: MainThread: infra.pipeline: INFO: Execute commit function for class <class 'requests.users.SetUserV18'>
12/12/24 09:43:46: MainThread: requests.users: ERROR: Cannot change this attribute of user admin
12/12/24 09:43:46: MainThread: infra.pipeline: ERROR: Failed to handle request, reason: 'Cannot change this attribute of user admin'
12/12/24 09:43:46: MainThread: infra.pipeline: ERROR: Cannot change this attribute of user admin
Traceback (most recent call last):
  File "/rest_api/ckp/infra/urlGeneratorIS.py", line 67, in actor
    res = execute(inst, requestData)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/rest_api/ckp/infra/pipeline.py", line 214, in execute
    res = doCommit(inst, inst.CommitHandler, requestData)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/rest_api/ckp/infra/pipeline.py", line 175, in doCommit
    res, buf = method(requestData)
               ^^^^^^^^^^^^^^^^^^^
  File "/rest_api/ckp/requests/users.py", line 829, in commit
    SetUser.commit(self, data)
  File "/rest_api/ckp/requests/users.py", line 672, in commit
    raise ValidationException("Cannot change this attribute of user admin")
genericException.ValidationException: Cannot change this attribute of user admin
12/12/24 09:43:46: MainThread: server_util.udsListener: INFO: Request for endpoint /set-user [method: POST], for source 192.168.233.200, FAILED [duration 136ms]
```

Doing the same task with user named "test" works fine:

```yaml
  collections:
    - check_point.gaia
  tasks:
    - name: Set password for the test user
      cp_gaia_user:
        name: test
        password_hash: '$6$OgI.RZCV3v8fzV31$1lUh7jWPnZ7Kgig.8GiLcB3aVvQKZBSoarUCIRDNMwUHonNvSnAT4XV3UT4x2ZifMuMGLWGay6T7STn4TcTKD0'
        # set password to vpn123
      register: updated_admin_user
```

TASK [Set password for the test user] **********************************************************************************************************************************************************************************************************************
changed: [192.168.233.51]

This is the result from /var/log/gaia_api_server.log when using the same task with user named "test":

```
12/12/24 10:42:30: MainThread: server_util.udsListener: INFO: remote_addr IP = 192.168.233.200
12/12/24 10:42:30: MainThread: infra.urlGeneratorIS: INFO: Handle request: <class 'requests.users.SetUserV18'>
12/12/24 10:42:30: MainThread: infra.urlGeneratorIS: INFO: Execute validators
12/12/24 10:42:30: MainThread: infra.urlGeneratorIS: INFO: Verify permissions
12/12/24 10:42:30: MainThread: infra.pipeline: INFO: Execute commit function for class <class 'requests.users.SetUserV18'>
12/12/24 10:42:31: MainThread: infra.pipeline: INFO: Handling output
12/12/24 10:42:31: MainThread: objects.users: INFO: Collecting users data from the system
12/12/24 10:42:31: MainThread: objects.users: INFO: Processing users data from the system
12/12/24 10:42:32: MainThread: objects.users: INFO: Information collected and processed successfully
12/12/24 10:42:32: MainThread: objects.users: INFO: Collecting users data from the system
12/12/24 10:42:32: MainThread: objects.users: INFO: Processing users data from the system
12/12/24 10:42:33: MainThread: objects.users: INFO: Information collected and processed successfully
12/12/24 10:42:33: MainThread: server_util.udsListener: INFO: Request for endpoint /set-user [method: POST], for source 192.168.233.200, SUCCEEDED [duration 2925ms]
```

Doing the same with mgmt_cli and set-user for user "admin" works fine:

```
[Expert@rugg-sm:0]#  mgmt_cli -m 192.168.233.51 set user name 'admin' password-hash '$6$OgI.RZCV3v8fzV31$1lUh7jWPnZ7Kgig.8GiLcB3aVvQKZBSoarUCIRDNMwUHonNvSnAT4XV3UT4x2ZifMuMGLWGay6T7STn4TcTKD0' --context gaia_api
Username: admin
Password:
[Expert@rugg-sm:0]#
```

This is from /var/log/gaia_api_server.log when using mgmt_cli set-user:

```
12/12/24 09:40:09: MainThread: server_util.udsListener: INFO: remote_addr IP = 192.168.233.40
12/12/24 09:40:09: MainThread: infra.urlGeneratorIS: INFO: Handle request: <class 'requests.users.SetUserV18'>
12/12/24 09:40:09: MainThread: infra.urlGeneratorIS: INFO: Execute validators
12/12/24 09:40:09: MainThread: infra.urlGeneratorIS: INFO: Verify permissions
12/12/24 09:40:09: MainThread: infra.pipeline: INFO: Execute commit function for class <class 'requests.users.SetUserV18'>
12/12/24 09:40:10: MainThread: infra.pipeline: INFO: Handling output
12/12/24 09:40:10: MainThread: objects.users: INFO: Collecting users data from the system
12/12/24 09:40:10: MainThread: objects.users: INFO: Processing users data from the system
12/12/24 09:40:11: MainThread: objects.users: INFO: Information collected and processed successfully
12/12/24 09:40:11: MainThread: objects.users: INFO: Collecting users data from the system
12/12/24 09:40:11: MainThread: objects.users: INFO: Processing users data from the system
12/12/24 09:40:12: MainThread: objects.users: INFO: Information collected and processed successfully
12/12/24 09:40:12: MainThread: server_util.udsListener: INFO: Request for endpoint /set-user [method: POST], for source 192.168.233.40, SUCCEEDED [duration 2741ms]
12/12/24 09:40:12: MainThread: server_util.udsListener: INFO: url:http://192.168.233.51/set-user return response in text/plain format
```
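Added example, not part of the original issue and not Check Point code: a small parser for the `gaia_api_server.log` line format quoted above that pairs each completed request with its source address and the first ERROR logged before it, which is enough to audit `/set-user` calls per client. The sample log is constructed from lines in this issue; `summarize_requests` and the regex names are this example's own.

```python
import re

# Constructed sample, assembled from the log excerpts quoted in this issue.
SAMPLE_LOG = """\
12/12/24 09:40:09: MainThread: server_util.udsListener: INFO: remote_addr IP = 192.168.233.40
12/12/24 09:40:09: MainThread: infra.urlGeneratorIS: INFO: Handle request: <class 'requests.users.SetUserV18'>
12/12/24 09:40:12: MainThread: server_util.udsListener: INFO: Request for endpoint /set-user [method: POST], for source 192.168.233.40, SUCCEEDED [duration 2741ms]
12/12/24 09:43:46: MainThread: server_util.udsListener: INFO: remote_addr IP = 192.168.233.200
12/12/24 09:43:46: MainThread: requests.users: ERROR: Cannot change this attribute of user admin
12/12/24 09:43:46: MainThread: infra.pipeline: ERROR: Failed to handle request, reason: 'Cannot change this attribute of user admin'
Traceback (most recent call last):
genericException.ValidationException: Cannot change this attribute of user admin
12/12/24 09:43:46: MainThread: server_util.udsListener: INFO: Request for endpoint /set-user [method: POST], for source 192.168.233.200, FAILED [duration 136ms]
"""

# "<date> <time>: <thread>: <logger>: <LEVEL>: <message>"
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d): (?P<thread>[^:]+): "
    r"(?P<logger>[\w.]+): (?P<level>[A-Z]+): (?P<msg>.*)$")
# Final per-request line written by server_util.udsListener.
RESULT = re.compile(
    r"Request for endpoint (?P<endpoint>\S+) \[method: (?P<method>\w+)\], "
    r"for source (?P<source>[\d.]+), (?P<status>SUCCEEDED|FAILED) "
    r"\[duration (?P<ms>\d+)ms\]")

def summarize_requests(text):
    """Return one dict per completed request, with the first ERROR seen before it."""
    results, first_error = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # traceback frames and other continuation lines carry no prefix
            continue
        if m["level"] == "ERROR" and first_error is None:
            first_error = m["msg"]
        done = RESULT.search(m["msg"])
        if done:
            results.append({
                "time": m["ts"], "endpoint": done["endpoint"],
                "method": done["method"], "source": done["source"],
                "status": done["status"], "duration_ms": int(done["ms"]),
                "error": first_error})
            first_error = None  # the next request starts with a clean slate
    return results

if __name__ == "__main__":
    for entry in summarize_requests(SAMPLE_LOG):
        print(entry)
```

The log excerpts in this issue do not record which user a `/set-user` request targeted, so this summary attributes requests by source address only.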
