2024-02-24 12:56:46 +00:00
10 changed files with 68 additions and 2 deletions
--- a/docs/projects/ansible/collection/phpipam_scan_agent/scanner.md
+++ b/docs/projects/ansible/collection/phpipam_scan_agent/scanner.md
@ -102,3 +102,5 @@ Once the [server component](server.md#remote%20network%20scannning) has been set

 !!! danger "Security"
    Failing to secure the server component communication with TLS will allow anyone with direct access to the line of communication to view the `auth_token`. Anyone who has the `auth_token` will be able to upload data to the server.
+
+    In an attempt to mitigate this, the scanner will fail to communicate with the server if you have set an `auth_token` and attempt non-TLS communication with the server.
--- a/playbooks/tasks/scan_subnet.yaml
+++ b/playbooks/tasks/scan_subnet.yaml
@ -60,6 +60,25 @@
      {% endfor %}
      ]

+
+- name: Force Failure for non-HTTPS Communication
+  ansible.builtin.assert:
+    that:
+      - |-
+        not
+          (
+            (
+              'http:' in (nofusscomputing_phpipam_scan_agent.http_server | default(nfc_c_http_server) | string)
+                and
+              'http://127.0.0.1' not in (nofusscomputing_phpipam_scan_agent.http_server | default(nfc_c_http_server) | string)
+            )
+              and
+            nofusscomputing_phpipam_scan_agent.auth_token | default('no-token-set') != 'no-token-set'
+          )
+    fail_msg: 'Failing task as an attempt was made to communicate with the server over a non-encrypted channel'
+    success_msg: 'OK'
+
+
 - name: To JSON - {{ subnet.address }}
  ansible.builtin.set_fact:
    subnet_scan_results: "{{ subnet_scan_results | from_yaml }}"