Bug #10585

auth.inc: Exception calling XMLRPC method restore_config_section #-1 : Authentication failed: Invalid username or password

Added by Abelardo Acosta Moyano 5 months ago. Updated 2 days ago.

Status: Resolved
Priority: Normal
Category: High Availability
Target version:
Start date: 05/22/2020
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:

Description

Hi:
I opened a discussion on this problem in the forum:
https://forum.netgate.com/topic/152604/exception-calling-xmlrpc-method-restore_config_section-1-authentication-failed-invalid-username-or-password-error-when-creating-or-deleting-a-user-in-the-local-pfsense-database

I want to thank Jim Pingle for the information and help provided.

How I reached the problem:
Set up two pfsense with HA Sync. Create 200 users on the main (master) node in the local database. In my production environment I came up with this error when I reached approximately 100 users. If a user name was among the last of the alphabetical list, there was no problem but there was an error if it was created in the rest of cases.

Where is the problem:
I am not a professional programmer but I have located the problem in the function "getUserEntry" in the global variable $userindex of auth.inc that returns a different user than the one searched and that does not have permission for the HA Sync produced in the secondary node. I don't know the reason why the problem occurs.

Source:

function & getUserEntry ($name) {
    global $debug, $config, $userindex;
    $authcfg = auth_get_authserver ($config['system']['webgui']['authmode']);

    if (isset($userindex[$name])) {
        return $config['system']['user'][$userindex[$name]];
    } elseif ($authcfg['type']!="Local Database"){
        $user=array();
        $user['name']=$name;
        return $user;
    }
}

My fix:

function & getUserEntry ($name) {
    global $debug, $config;

    $userindex = index_users();

    $authcfg = auth_get_authserver($config['system']['webgui']['authmode']);

    if (isset($userindex[$name])) {
        return $config['system']['user'][$userindex[$name]];
    } elseif ($authcfg['type']!="Local Database") {
        $user=array();
        $user['name']=$name;
        return $user;
    }
}

I want to point out again that I am not a professional programmer. I am writing this post to inform and request that you fix the problem with the best possible solution that may not be mine. I also want to report that when I was trying to locate the problem I saw code that I did not understand and that it is possible to delete it and make the code cleaner. For example:
- In the previous code the global variable $debug, is not used and it could disappear.
- In other functions I have seen another global variable called $g that is not used in these functions either.
- I have seen that the function getUserEntry, and others, are defined that way with the "&". I have searched for information about the function declaration with "&" but still do not understand how it is used. And I don't know if this is going to be the problem.
- In the authenticate_user function it calls the local_backed function with three parameters when it is defined with two parameters.

Thanks for your attention, and collaboration.

Associated revisions

Revision c472f9a1 (diff)
Added by Jim Pingle 5 months ago

Reindex users before performing XMLRPC auth. Fixes #10585

The users may have changed between XMLRPC calls, so take that into
account.

History

#1 Updated by Jim Pingle 5 months ago

  • Description updated (diff)
  • Target version set to 2.5.0

- In the previous code the global variable $debug, is not used and it could disappear.

It may not be used directly, but it may be used by other functions called within, and would be inherited.

- In other functions I have seen another global variable called $g that is not used in these functions either.

That is for custom global values common to many places. In many places it is required. It's not relevant here.

- I have seen that the function getUserEntry, and others, are defined that way with the "&". I have searched for information about the function declaration with "&" but still do not understand how it is used. And I don't know if this is going to be the problem.

That is so the caller gets a reference to the value rather than a copy, so the target can be modified (also saves memory).

- In the authenticate_user function it calls the local_backed function with three parameters when it is defined with two parameters.

authenticate_user() can take up to four parameters, the last two are optional.

Altering the function as you have is probably not the right thing to do. That could impact performance of looking up user entries if it has to reindex the users every time it looks one up.

Try this change, which will only reindex before performing XMLRPC auth which is more likely to fix your original problem without causing a performance hit.

diff --git a/src/usr/local/www/xmlrpc.php b/src/usr/local/www/xmlrpc.php
index 397c2a0732..fdd3ac5964 100644
--- a/src/usr/local/www/xmlrpc.php
+++ b/src/usr/local/www/xmlrpc.php
@@ -45,7 +45,9 @@ class pfsense_xmlrpc_server {
     private $remote_addr;

     private function auth() {
-        global $config;
+        global $config, $userindex;
+        $userindex = index_users();
+
         $username = $_SERVER['PHP_AUTH_USER'];
         $password = $_SERVER['PHP_AUTH_PW'];
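
Review bot: The added `$userindex = index_users();` at the top of auth() carries no comment saying why the index is rebuilt on this path, so it reads as redundant work and is easy to drop in a later cleanup; a one-line comment that the user list may have changed between XMLRPC calls would protect it. The refresh also covers only this auth() path: getUserEntry() as quoted in the description still returns whatever entry `$userindex[$name]` points at, so a check there that the returned entry's name equals `$name` would turn a stale index into a failed lookup rather than a different user's record.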

#2 Updated by Jim Pingle 5 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Renato Botelho about 1 month ago

  • Assignee set to Jim Pingle

#4 Updated by Steve Beaver 8 days ago

  • Assignee changed from Jim Pingle to Abelardo Acosta Moyano

Please confirm

#5 Updated by Max Leighton 2 days ago

  • Status changed from Feedback to Resolved

Tested in

2.5.0-DEVELOPMENT (amd64)
built on Thu Oct 22 01:05:07 EDT 2020
FreeBSD 12.2-STABLE

I was able to replicate the behavior in 2.4.5_1. I can confirm that the "Exception calling XMLRPC method restore_config_section #-1 : Authentication failed: Invalid username or password @ 2020-10-22 08:35:01" error is not being triggered in the latest 2.5 snap.

Marking the ticket resolved.
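
The stale-index failure discussed in this ticket, as an added PHP sketch that is not pfSense code: a name-to-position index built before the user list changes resolves the sync account to a different entry, and either a reindex or a name check on the returned entry stops that. The `demo_*` helpers, the sample users, the `ha_sync` field and the sorted-insert ordering are assumptions made for the illustration.

```php
<?php
// Added illustration, not pfSense code; every demo_* name is hypothetical.

// Build name => array position, the shape of index that $userindex holds.
function demo_index_users(array $users): array {
    $index = [];
    foreach ($users as $pos => $user) {
        $index[$user['name']] = $pos;
    }
    return $index;
}

// Lookup in the style of the quoted getUserEntry(): trusts the indexed position.
function demo_lookup(array $users, array $index, string $name): ?array {
    return isset($index[$name]) ? $users[$index[$name]] : null;
}

// Defensive variant: a stale index yields no entry instead of another user's.
function demo_lookup_checked(array $users, array $index, string $name): ?array {
    $entry = demo_lookup($users, $index, $name);
    return ($entry !== null && $entry['name'] === $name) ? $entry : null;
}

// Constructed sample data; "syncuser" stands for the account used for HA sync.
$users = [
    ['name' => 'admin',    'ha_sync' => false],
    ['name' => 'syncuser', 'ha_sync' => true],
    ['name' => 'zoe',      'ha_sync' => false],
];
$index = demo_index_users($users);   // built once, before the user list changes

// The user list gains an entry that sorts before "syncuser" (assumed ordering);
// every later position shifts by one, but $index is not rebuilt.
array_splice($users, 1, 0, [['name' => 'bob', 'ha_sync' => false]]);

$stale = demo_lookup($users, $index, 'syncuser');
printf("stale index returns: %s (ha_sync=%s)\n",
    $stale['name'], var_export($stale['ha_sync'], true));
printf("checked lookup found an entry: %s\n",
    var_export(demo_lookup_checked($users, $index, 'syncuser') !== null, true));

// Rebuilding the index before the lookup, as the committed change does in auth().
$index = demo_index_users($users);
$fresh = demo_lookup($users, $index, 'syncuser');
printf("after reindex: %s (ha_sync=%s)\n",
    $fresh['name'], var_export($fresh['ha_sync'], true));
```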
