
Add support for 2FA (ansible-collection issue, 13 comments, closed)

inwx commented on June 30, 2024
Add support for 2FA

from ansible-collection.

Comments (13)

NickUfer commented on June 30, 2024

Hey, as stated in the notes, the API client is rebuilt every time a task is performed. This means that a new session is started each time. If we supported 2FA, each task would have a delay of approximately 30 seconds. This is because the RFC prohibits the use of a token twice and a new token is only available every 30 seconds: https://tools.ietf.org/html/rfc6238#section-5.2

Note that a prover may send the same OTP inside a given time-step
window multiple times to a verifier. The verifier MUST NOT accept
the second attempt of the OTP after the successful validation has
been issued for the first OTP, which ensures one-time only use of an
OTP.

One solution we considered would be to save the session to a file and reuse it between tasks. However, we still have to evaluate this solution further. I will inform you once we have found a solution 👍

markuman commented on June 30, 2024

Yes, that's a must-have feature.

API tokens, or a dedicated module that creates a session that is only saved via register: inwx_session and is then passed to the inwx.collection.dns module as the session: inwx_session parameter.

rbnis commented on June 30, 2024

I guess this makes sense.

As far as I can tell, there are also no API tokens one could use at INWX. I don't know how much influence you have on the backend side here, but I think this would be a good solution. Even though it's also the most complex 🙈

Thank you for investigating this :)

DC7IA commented on June 30, 2024

I agree. It'd be great to have API tokens, preferably with limited access (i.e. to specific domains and record types) for access to the API.

markuman commented on June 30, 2024

So I could make it work by serializing my request (only one at a time) and waiting for a few seconds between them.

That would increase the time Ansible takes but only if you have to make changes. I'll look into that.

I don't think that this is an option. What if you have hundreds of DNS records? The rollout took ages and you must stay attentive during the entire rollout.

IMHO, a session module that solves the MFA challenge, so that you carry the session through all following tasks would be the best option.

leegarrett commented on June 30, 2024

IMHO this is the wrong approach. Ansible has very little support for interaction (the only one I can think of is -K, "ask for privilege escalation password", which might already be used for the playbook), and even that is problematic as TOTP is time-critical. Instead there should be the option to create API keys in the web frontend and use those. Bonus points if you can allow/deny permissions for every API key.

That is current industry practice, so I'd go with that.

NickUfer commented on June 30, 2024

@leegarrett as I already wrote in my message, I completely agree with you that there should be API tokens with specific permissions. But as I also said, this is far from done and there is no ETA. So there is a need for that until we support API tokens.

IMHO this is the wrong approach. Ansible has very little support for interaction (the only one I can think of is -K, "ask for privilege escalation password", which might already be used for the playbook), and even that is problematic as TOTP is time-critical.

What do you mean by that?

You put your username, password & shared secret into a vault, log in once with another module, e.g. inwx-session, give this module your username, password & shared secret, get the session from that module through a task and register it as a runtime variable, and use that session for the actual dns module.

XenGi commented on June 30, 2024

Any news on this? Seems like there is still nothing like that in the module. But there is a shared_secret param in the login function so I guess preparation work has begun?

NickUfer commented on June 30, 2024

The feature was already implemented but I forgot that it is not compatible with the way Ansible works. Every task creates a new instance of this module. You theoretically must log in again with every task with the credentials and the OTP. But a single OTP can only be used once. After that you have to wait up to 30 seconds for the next OTP you can use.
The problem with logging in for every request without an OTP is bypassed by sending the login credentials with every API request. If you send them every time you don't have to call account.login and the authentication happens with every request transparently.

The solutions for this could be:

  • We finally implement API tokens (Planned but still far away because of the existing code base)
  • The solution of @markuman (sounds good to me)

I must admit I haven't looked into it for a long time as I hit multiple roadblocks. I hope I can finally find time to fix all the open issues with this project in the coming 3 weeks with input from our sysadmins who use this module.

XenGi commented on June 30, 2024

So I could make it work by serializing my request (only one at a time) and waiting for a few seconds between them.

That would increase the time Ansible takes but only if you have to make changes.
I'll look into that.

leegarrett commented on June 30, 2024

Ok, then it might be possible. However, you'll then be storing all those things in the same place, which kind of counteracts the whole point of 2FA. If a person gains access to your username and password, the shared secret will be in the same place, defeating the whole purpose of a 2nd factor.

It's also important to point out that currently the credentials allow for buying/selling/canceling/transferring domains, something I don't want to do with the Ansible module. It's probably better if I create a new ticket for the API key suggestion.

markuman commented on June 30, 2024

You can enter the TOTP via vars_prompt: at the beginning of the play, and the first task creates the session. That's something thousands of users do multiple times in the AWS world with STS tokens.
And in reality, TOTP is not that strict. There are often 2-5 30s windows configured where the TOTP is valid.
Another possibility is that the TOTP comes from another lookup provider, so there is no need to save it in the same place as the password is stored. Or vice versa: the password is stored in some password manager (1password, nextcloud passwords, hashicorp vault, you name it) while the TOTP secret is kept in an ansible vault.
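To make concrete both the RFC 6238 one-time-use rule NickUfer quotes above (a token is valid only once, the next one arrives every 30 s) and the drift window markuman mentions (several adjacent 30 s steps accepted), here is an added, standard-library TOTP verifier; it is illustration code written for this thread, not the inwx collection's own implementation. The key is the RFC 6238 Appendix B test-vector secret, so the generated codes can be checked against the RFC; `window`, `TotpVerifier` and `seconds_until_next_step` are names chosen here.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30  # RFC 6238 default time-step size in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


def seconds_until_next_step(at: int, step: int = TIME_STEP) -> int:
    """How long a client that just consumed the current step must wait for a fresh OTP
    (the per-task delay discussed in this thread when every task logs in anew)."""
    return step - (at % step)


class TotpVerifier:
    """Verifier enforcing RFC 6238 section 5.2: an OTP for a time step that was already
    accepted is never accepted again, even though it would still compute correctly.
    `window` is the number of adjacent steps tolerated on each side for clock drift."""

    def __init__(self, secret: bytes, window: int = 1, step: int = TIME_STEP):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_accepted = None  # highest counter already consumed (replay guard)

    def verify(self, otp: str, at: int) -> bool:
        current = at // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            # One-time use: refuse any counter at or below the last accepted one.
            if self.last_accepted is not None and counter <= self.last_accepted:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), otp):
                self.last_accepted = counter
                return True
        return False
```

With `window=1` a code from the previous step is still accepted, but replaying the code that was already used is refused until the clock moves on, which is exactly why one OTP per Ansible task would serialize the play at roughly 30 s per task.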

NickUfer commented on June 30, 2024

I have added an inwx.collection.session module as suggested by @markuman. It is available in the 1.3.0 release. See the following document for usage guidance: https://github.com/inwx/ansible-collection/blob/1.3.0/playbooks/examples/dns_use_2fa.yml

And of course as already said in this thread: don't save username + password and shared secret in the same place as this cancels all benefits of having two factors for authentication.