
Bug #6547

API Authentication for Create resource is missing

Added by Viral Sonawala about 6 years ago. Updated about 6 years ago.

Status:
Closed: Cannot reproduce
Priority:
Nice to have
Assignee:
William Grzybowski
Category:
Middleware
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

Trying to create new users using the API. Added the steps below.
Issues:
Creating the new user does not require any auth.
If auth is passed to the request, it throws a 500 response.

This can be a security issue where anyone can send a POST request and create N number of users on FreeNAS.

>>> import json
>>> import requests
>>> json.dumps(data)
'{"bsdusr_full_name": "test2", "bsdusr_shell": "/usr/local/bin/bash", "bsdusr_mode": "755", "bsdusr_creategroup": "on", "bsdusr_password": "12345", "bsdusr_home": "/nonexistent", "bsdusr_username": "test2", "bsdusr_email": "", "bsdusr_uid": "1100"}'
>>> retest = requests.post('http://10.5.62.1/api/v1.0/account/users/', data=json.dumps(data))
>>> retest
<Response [401]>

History

#1 Updated by William Grzybowski about 6 years ago

  • Status changed from Unscreened to Screened

#2 Updated by William Grzybowski about 6 years ago

It's not authorizing the creation of a user without a password. Where did you get that from?

401 means not authorized.

What's the problem here?

#3 Updated by Viral Sonawala about 6 years ago

Let me check and update the ticket.
The issue was that I was not able to create or update the users.
I will update the ticket with clear steps.

#4 Updated by William Grzybowski about 6 years ago

No you were not, check again.

#5 Updated by William Grzybowski about 6 years ago

  • Status changed from Screened to Closed: Cannot reproduce

Also, you don't use Content-Type in your request; you need it.

#6 Updated by Viral Sonawala about 6 years ago

I was not able to update the User resource. Can you correct me if I am missing anything here?

>>> data
{'bsdusr_full_name': 'My Name', 'bsdusr_shell': '/bin/bash'}
>>> url2 = 'http://10.5.62.1/api/v1.0/account/users/29/'
>>> test4 = requests.get(url2, auth=auth, headers=headers)
>>> test4
<Response [200]>
>>> test4.text
u'{"bsdusr_builtin": false, "bsdusr_email": "", "bsdusr_full_name": "test2 blah", "bsdusr_group": 1002, "bsdusr_home": "/nonexistent", "bsdusr_locked": false, "bsdusr_password_disabled": false, "bsdusr_shell": "/bin/csh", "bsdusr_smbhash": "", "bsdusr_sshpubkey": "", "bsdusr_sudo": false, "bsdusr_uid": 1002, "bsdusr_unixhash": "$6$Dpjmr0FVqsUnuIm6$uOR9RhIAEZVnGwBXgsjkcSuJBTY0M2mvanC6vJtaLfVrs4kJ4J7OexJW/M4lkcXcR6sjP79K8Ll7VGm1ltqDT1", "bsdusr_username": "test2", "id": 29}'
>>> test5 = requests.put(url2, data=data, auth=auth, headers=headers)
>>> test5
<Response [400]>
>>> data
{'bsdusr_full_name': 'My Name', 'bsdusr_shell': '/bin/bash'}
>>> url2
'http://10.5.62.1/api/v1.0/account/users/29/'
>>> test5.request.headers
{'Content-Length': '51', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'User-Agent': 'python-requests/2.3.0 CPython/2.7.8 FreeBSD/9.3-RELEASE-p2', 'content-type': 'application/json', 'Authorization': u'Basic cm9vdDphYmNkMTIzNA=='}

#7 Updated by William Grzybowski about 6 years ago

I don't know what you're doing wrong. Your example is a huge mess, sorry.

If you can attach a readable usable python script then maybe I can help.

#8 Updated by Viral Sonawala about 6 years ago

Following are the steps tried to update the USER record using the API.

1. Get the user record 29.
2. Update user record 29 with a name and shell change.

Issues:

Getting a 400 response code; expected 200 OK.
http://api.freenas.org/resources/account.html#update-resource

>>> data
{'bsdusr_full_name': 'My Name', 'bsdusr_shell': '/bin/bash'}

## Get user record 29

>>> url2 = 'http://10.5.62.1/api/v1.0/account/users/29/'
>>> test4 = requests.get(url2, auth=auth, headers=headers)
>>> test4
<Response [200]>
>>> test4.text
u'{"bsdusr_builtin": false, "bsdusr_email": "", "bsdusr_full_name": "test2 blah", "bsdusr_group": 1002,
    "bsdusr_home": "/nonexistent", "bsdusr_locked": false, "bsdusr_password_disabled": false,
    "bsdusr_shell": "/bin/csh", "bsdusr_smbhash": "", "bsdusr_sshpubkey": "", 
    "bsdusr_sudo": false, "bsdusr_uid": 1002, 
    "bsdusr_unixhash": "$6$Dpjmr0FVqsUnuIm6$uOR9RhIAEZVnGwBXgsjkcSuJBTY0M2mvanC6vJtaLfVrs4kJ4J7OexJW/M4lkcXcR6sjP79K8Ll7VGm1ltqDT1", 
    "bsdusr_username": "test2", "id": 29}'

## Update the 29 user record with name and shell change.

>>> test5 = requests.put(url2, data=json.dumps(data), auth=auth, headers=headers)
>>> test5
<Response [400]>
>>> data
{'bsdusr_full_name': 'My Name', 'bsdusr_shell': '/bin/bash'}
>>> url2
'http://10.5.62.1/api/v1.0/account/users/29/'
>>> test5.request.headers
{'Content-Length': '51', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 
 'User-Agent': 'python-requests/2.3.0 CPython/2.7.8 FreeBSD/9.3-RELEASE-p2',
  'content-type': 'application/json', 'Authorization': u'Basic cm9vdDphYmNkMTIzNA=='} 
>>> headers
{'content-type': 'application/json'}
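The two failure modes the thread turns on (no credentials gives 401; a JSON Content-Type with a form-encoded body, which is what `data=data` sends in comment #6 versus `data=json.dumps(data)` in comment #8, gives 400) can be reproduced offline. This is an added example, not code from the ticket or from the FreeNAS middleware: it builds the headers and body python-requests would send using only the standard library, and checks them against a constructed stand-in server whose status codes follow the behaviour described above. The credentials are placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# URL quoted in the ticket (comment #8)
API_USER_URL = "http://10.5.62.1/api/v1.0/account/users/29/"


def build_request(payload, auth=None, as_json=True, content_type="application/json"):
    """Return (headers, body) as python-requests would send them.

    as_json=True mirrors data=json.dumps(payload); as_json=False mirrors
    data=payload, which requests form-encodes regardless of Content-Type.
    auth is an optional (username, password) tuple sent as HTTP Basic.
    """
    body = json.dumps(payload) if as_json else urlencode(payload)
    headers = {"content-type": content_type} if content_type else {}
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    return headers, body


def simulated_server(headers, body):
    """Constructed stand-in for the behaviour the ticket describes.

    This is NOT the FreeNAS implementation. It returns 401 when no
    Authorization header is present (comment #2), 400 when the JSON
    Content-Type is missing (comment #5) or the body is not valid JSON
    (the data=dict mistake in comment #6), and 200 otherwise.
    """
    if "Authorization" not in headers:
        return 401
    if not headers.get("content-type", "").startswith("application/json"):
        return 400
    try:
        json.loads(body)
    except ValueError:
        return 400
    return 200


def check_update_flow(payload, auth):
    """Run the three requests from the thread and return their status codes."""
    unauthenticated = simulated_server(*build_request(payload))
    form_body = simulated_server(*build_request(payload, auth=auth, as_json=False))
    json_body = simulated_server(*build_request(payload, auth=auth))
    return unauthenticated, form_body, json_body
```

Swapping `simulated_server` for a real `requests.put(API_USER_URL, data=body, headers=headers)` turns the same builder into a check against a live box.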
