Cannot create resource with API (ansible)

Hi,

I’m currently playing with the ansible collection to get and create resources on my self-hosted (docker) passbolt. I’m trying to run the tasks given in the “passbolt/lab-passbolt-ansible-poc”.

Viewing a resource is working well as you can see here:

"GET /secrets/resource/55e3d90e-b1b1-4ff8-84d4-97bd8188791d.json HTTP/1.1" 200 1911 "-" "python-httpx/0.23.3"

But when I try to create a new one, I get a 403 error code on the POST request:

passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "POST /auth/login.json HTTP/1.1" 200 4030 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "GET /users/me.json HTTP/1.1" 200 4049 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "GET / HTTP/1.1" 200 1198 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "GET /resource-types.json HTTP/1.1" 200 3388 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "GET /resources.json HTTP/1.1" 200 1126 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:47 +0000] "GET /users/ecb21632-2921-4a4d-96c6-7fa9eb4fe9c3.json HTTP/1.1" 200 4083 "-" "python-httpx/0.23.3"
passbolt | 172.19.0.1 - - [22/Oct/2023:16:29:48 +0000] "POST /resources.json HTTP/1.1" 403 303 "-" "python-httpx/0.23.3"

As you can see, the previous requests to authenticate the user and check whether the resource already exists seem to succeed. What’s more, this user is an admin, so I can’t figure out why it is forbidden.

Is it safe to use the ansible collection? It depends on the py-passbolt python module and seems to be experimental. I can’t find much documentation on it or other examples; am I the only one using it? I don’t know whether it is better not to use it at all.

Thanks for your help! :slight_smile:

Hi,

Thanks for giving this ansible collection a try. Can you share the playbook you are using to create your resource?

Did you set the PASSBOLT_CREATE_NEW_RESOURCE environment variable to true like in the example playbook https://github.com/passbolt/lab-passbolt-ansible-poc/blob/main/playbooks/example-playbook.yml ?

Regards,

Here is the playbook:

- hosts: all
  gather_facts: no
  vars_files:
    - keys.yml
  environment:
    PASSBOLT_BASE_URL: "https://localhost:443"
    PASSBOLT_PRIVATE_KEY: "{{ private_key }}"
    PASSBOLT_PASSPHRASE: "{{ passphrase }}"
    PASSBOLT_CREATE_NEW_RESOURCE: 'true'
    PASSBOLT_NEW_RESOURCE_PASSWORD_LENGTH: 12
    PASSBOLT_NEW_RESOURCE_PASSWORD_SPECIAL_CHARS: true
  tasks:
    - name: Get
      debug:
        msg: '{{ lookup("passbolt", "OVH") }}'
    - name: Create
      debug:
        var: lookup('passbolt', 'test', password='PASSWORD1234')

And here is the output:

TASK [Get] ********************************************************************************************************************************************************************************************************
/usr/local/lib/python3.11/dist-packages/pgpy/constants.py:192: CryptographyDeprecationWarning: IDEA has been deprecated
  bs = {SymmetricKeyAlgorithm.IDEA: algorithms.IDEA,
/usr/local/lib/python3.11/dist-packages/pgpy/constants.py:194: CryptographyDeprecationWarning: CAST5 has been deprecated
  SymmetricKeyAlgorithm.CAST5: algorithms.CAST5,
/usr/local/lib/python3.11/dist-packages/pgpy/constants.py:195: CryptographyDeprecationWarning: Blowfish has been deprecated
  SymmetricKeyAlgorithm.Blowfish: algorithms.Blowfish,
ok: [local1] => {
    "msg": {
        "created": "2023-10-22T16:12:02+00:00",
        "deleted": false,
        "description": "",
        "folder_parent_id": null,
        "modified": "2023-10-22T16:12:02+00:00",
        "modified_by": "ecb21632-2921-4a4d-96c6-7fa9eb4fe9c3",
        "name": "OVH",
        "password": "the_password",
        "personal": true,
        "resource_type_id": "a28a04cd-6f53-518a-967c-9963bf9cec51",
        "uri": "",
        "username": "choco"
    }
}

TASK [Create] *****************************************************************************************************************************************************************************************************
/usr/local/lib/python3.11/dist-packages/pgpy/constants.py:192: CryptographyDeprecationWarning: IDEA has been deprecated
  bs = {SymmetricKeyAlgorithm.IDEA: algorithms.IDEA,
/usr/local/lib/python3.11/dist-packages/pgpy/constants.py:194: CryptographyDeprecationWarning: CAST5 has been deprecated
  SymmetricKeyAlgorithm.CAST5: algorithms.CAST5,
/usr/local/lib/python3.11/dist-packages/pgpy/constants.py:195: CryptographyDeprecationWarning: Blowfish has been deprecated
  SymmetricKeyAlgorithm.Blowfish: algorithms.Blowfish,
ok: [local1] => {
    "lookup('passbolt', 'test', password='PASSWORD1234')": {
        "created": "",
        "deleted": "",
        "description": "",
        "folder_parent_id": "",
        "modified": "",
        "modified_by": "",
        "name": "",
        "password": "",
        "personal": "",
        "resource_type_id": "",
        "uri": "",
        "username": ""
    }
}

The output shows an empty resource with OK status, but in the docker logs I can clearly see the 403 error code from the server on the POST request (cf. the output in the first post).

Regards,

But when I set PASSBOLT_CREATE_NEW_RESOURCE to ‘false’, it tells me that the resource doesn’t exist:

fatal: [local1]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'passbolt'. Error was a <class 'Exception'>, original message: resource test not found. resource test not found"}

I’m not able to reproduce your issue, I used the docker environment and playbook from GitHub - passbolt/lab-passbolt-ansible-poc without issue.

In the playbook, the password is randomly generated, but you can force the password as you did in your example. I got no issue on my side.

Can you tell me more about your environment where you are running ansible, how did you setup your ansible environment and give me the output of these commands?

cat /etc/os-release
pip list
ansible --version
ansible-galaxy collection list

Can you also use this icon to format your code?

Because it is very hard to read your code snippets.

Thanks and regards,


Having the same problem as described: the playbook is able to fetch passwords, but not able to create them if they don’t exist, with PASSBOLT_CREATE_NEW_RESOURCE="true".

I checked your previous comment where you are using image: passbolt/passbolt:latest, but I got into this problem with image: passbolt/passbolt:latest-ce

Hi @basan12 and welcome to passbolt community forum :wave:

passbolt/passbolt:latest and passbolt/passbolt:latest-ce are the same image.

Can you tell me more about your environment where you are running ansible, how did you setup your ansible environment and give me the output of these commands?

cat /etc/os-release
pip list
ansible --version
ansible-galaxy collection list

Cheers,


Did you ever figure out your issue @basan12? I think I am running into the same issue.

I am able to get passwords, but it’s not creating any.

Playbook: - hosts: all gather_facts: no environment: PASSBOLT_BASE_URL: "https: - Pastebin.com
Debug log: ansible-playbook [core 2.15.9] config file = None configured module search - Pastebin.com

The access log shows a 403; however, via the browser add-on I am able to create passwords.
x.x.x.x - - [02/Feb/2024:18:13:21 +0100] "POST /resources.json HTTP/1.1" 403 303 "-" "python-httpx/0.23.3"

The passbolt error log shows:
2024-02-02 17:26:40 error: [Cake\Http\Exception\InvalidCsrfTokenException] CSRF token from either the request body or request headers did not match or is missing. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php on line 417
Request URL: /resources.json
Client IP:XXXX

Hi @eddie4 ,

It seems the issue is located in the python library, in the get_cookies function, as explained in this issue: “CSRF token from either the request body or request headers did not match or is missing.” · Issue #3 · passbolt/lab-passbolt-py · GitHub

@remy @Steph Do you have any tip about the extract of the token?

Thanks!

Hi,

Thank you all for your input and details about this issue. I just published a 0.0.18 release including a fix for this issue.

Please update and let me know if you encounter any issues.

Cheers,

The recommended way:

  • Outside a browser, like for a CLI or SDK, read the value from the csrf cookie and send it back with the request in HTTP headers.
  • Inside a browser (if you can’t access the cookie), get it from the csrf token API endpoint and send it back with the request in HTTP headers. (Not recommended; we will deprecate this at some point.)

Hope that helps! :vulcan_salute:
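The cookie-to-header pattern from the first bullet, as an added Python example that is not part of the thread or of py-passbolt. It parses the Set-Cookie headers a login response would return, copies the csrf cookie value into the request header, and models the server-side comparison so you can see why a POST that sends only the session cookie ends in the 403 seen above. The cookie name csrfToken and the header name X-CSRF-Token are CakePHP's defaults and are assumed here; the Set-Cookie values are constructed samples.

```python
import hmac
from http.cookies import SimpleCookie

# CakePHP's default CSRF cookie and header names (assumption; check your instance).
CSRF_COOKIE_NAME = "csrfToken"
CSRF_HEADER_NAME = "X-CSRF-Token"

# Constructed sample of the Set-Cookie headers a login response might carry.
SAMPLE_SET_COOKIE = [
    "passbolt_session=constructed-session-id; path=/; secure; httponly; samesite=lax",
    "csrfToken=constructed-csrf-token; path=/; secure; samesite=lax",
]


def cookies_from_set_cookie(set_cookie_headers):
    """Parse Set-Cookie header values into a {name: value} jar, as a client stores them."""
    jar = {}
    for raw in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(raw)
        for name, morsel in parsed.items():
            jar[name] = morsel.value
    return jar


def csrf_headers(jar):
    """Headers for a state-changing request: the csrf cookie value is echoed in the header."""
    token = jar.get(CSRF_COOKIE_NAME)
    if not token:
        raise ValueError(f"no {CSRF_COOKIE_NAME} cookie: log in first and keep the cookie jar")
    return {CSRF_HEADER_NAME: token, "Content-Type": "application/json"}


def server_csrf_check(request_headers, request_cookies):
    """Simplified model of the server-side check (not CakePHP's code): header must equal cookie.
    Returns the HTTP status the middleware would answer with."""
    cookie_value = request_cookies.get(CSRF_COOKIE_NAME, "")
    header_value = request_headers.get(CSRF_HEADER_NAME, "")
    if not cookie_value or not header_value:
        return 403  # missing on either side: "did not match or is missing"
    return 200 if hmac.compare_digest(cookie_value, header_value) else 403


def simulate_post(send_token):
    """Replay the thread's scenario: login sets the cookies, then POST with or without the token."""
    jar = cookies_from_set_cookie(SAMPLE_SET_COOKIE)
    headers = csrf_headers(jar) if send_token else {"Content-Type": "application/json"}
    return server_csrf_check(headers, jar)


if __name__ == "__main__":
    print("POST without X-CSRF-Token:", simulate_post(False))  # 403, the symptom in the thread
    print("POST with X-CSRF-Token:   ", simulate_post(True))   # 200
```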

Thanks Remy,

I fixed the issue, waiting for feedback now :stuck_out_tongue:

Cheers,


I can confirm the problem has been solved.