Failure with default ansible user-agent (Python-urllib) #37

Open
1 of 3 tasks
lwhitworth opened this issue Sep 1, 2021 · 1 comment

@lwhitworth

Summary

Login failure on Privilege Cloud if user-agent not set

Steps to Reproduce

Simple ansible playbook to auth against the Privilege Cloud API:

---
- name: cyberark
  hosts: localhost
  tasks:
    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark.pas.cyberark_authentication:
        api_base_url: https://totallyfakedomain.privilegecloud.cyberark.com
        username: "apitest"
        password: "password123!"
        use_cyberark_authentication: yes

Expected Results

I would expect it to return me a token for my session as per the result when doing:

curl -X POST --header 'Content-Type: application/json' -d '{ "username": "apitest", "password": "password123!" }' https://totallyfakedomain.privilegecloud.cyberark.com/PasswordVault/API/Auth/CyberArk/Logon

Actual Results

fatal: [localhost]: FAILED! => changed=false 
  headers:
    Content-Type: application/json
  msg: |-
    Error while performing authentication.Please validate parameters provided, and ability to logon to CyberArk.
    *** end_point=https://totallyfakedomain.privilegecloud.cyberark.com/PasswordVault/API/Auth/CyberArk/Logon
     ==> HTTP Error 403: Forbidden
  payload: '{"username": "apitest", "password": "********"}'
  status_code: 403

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

ansible [core 2.11.4]
python version = 3.8.10 (default, Jun 2 2021, 10:49:15) [GCC 9.4.0]
jinja version = 2.11.2

Environment setup

Simple Ubuntu Linux desktop host. Ansible installed from pip. Tried cyberark module from galaxy and from git (ansible-galaxy collection install git+https://github.com/cyberark/ansible-security-automation-collection)

Additional Information

Appears that it needs a user-agent that isn't python-urllib, editing:

~/.ansible/collections/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py

and modifying the block at line 232 from:

        response = open_url(
            api_base_url + end_point,
            method="POST",
            headers=headers,
            data=payload,
            validate_certs=validate_certs
        )

to

        response = open_url(
            api_base_url + end_point,
            method="POST",
            headers=headers,
            data=payload,
            validate_certs=validate_certs,
            http_agent="DefinitelyNotPython-urllib/3.8"
        )

Makes it work.

By default it sends User-Agent: Python-urllib/3.8 and something doesn't like this it seems.

@lwhitworth

Same appears to be true of everywhere that open_url is used in all the other modules too
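
To tell a 403 caused by User-Agent filtering apart from one caused by bad credentials, send the same logon payload twice and vary only the header. This is an added example, not code from the issue or the collection: the filtering server is a constructed stand-in on localhost that assumes the behaviour the reporter suspects, and `logon_status`, `compare_agents` and the agent string `example-automation/1.0` are hypothetical names.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGON_PATH = "/PasswordVault/API/Auth/CyberArk/Logon"  # path from the issue
# Ignore proxy environment variables so the localhost probe stays local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class FilteringHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: 403 for urllib's default agent, 200 otherwise."""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        blocked = self.headers.get("User-Agent", "").startswith("Python-urllib")
        body = b"" if blocked else json.dumps("constructed-token").encode()
        self.send_response(403 if blocked else 200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def logon_status(base_url, user_agent=None):
    """POST identical constructed credentials; only the User-Agent varies."""
    payload = json.dumps({"username": "apitest", "password": "constructed"}).encode()
    headers = {"Content-Type": "application/json"}
    if user_agent is not None:  # None keeps urllib's default Python-urllib/x.y
        headers["User-Agent"] = user_agent
    req = urllib.request.Request(base_url + LOGON_PATH, data=payload, headers=headers, method="POST")
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def compare_agents(custom_agent="example-automation/1.0"):
    """Return (status with default agent, status with custom agent)."""
    server = HTTPServer(("127.0.0.1", 0), FilteringHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = "http://127.0.0.1:%d" % server.server_port
    try:
        return logon_status(base_url), logon_status(base_url, custom_agent)
    finally:
        server.shutdown()
        server.server_close()
```

A result of `(403, 200)` with unchanged credentials points at the header rather than the account; `(403, 403)` means the cause lies elsewhere.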
