Tip

Check out the repository on GitHub

Check out the demo at: demo.webui.ansibleguy.net | Login: User demo, Password Ansible1337

Warning

DISCLAIMER: This is an unofficial community project! Do not confuse it with the vanilla Ansible product!

Warning

This project is still in early development! DO NOT USE IN PRODUCTION!

Security

Ansible needs to handle sensitive secrets like administrative passwords to function.

That's why it is very important to keep security in mind.

You are very welcome to search for security vulnerabilities and report them!


Known Issues

  • Remote-Code-Execution on Controller

    As mentioned in this issue the Ansible-Execution is done in the same context as the Web-Service.

    So you should be aware that every user who can supply the Web-Service with playbooks, or execute ad-hoc commands, is able to execute code in the context of the service user.

    This includes reading the config-file!

    So if possible, you should set your AW_SECRET (and other secrets) as environment variables!

    Possible future fixes:


Features

Security considerations this project does take into account:

  • The encryption key is randomized at startup by default - if none was provided by the user.

  • The encryption key has to be at least 30 characters long

  • Job secrets like passwords are stored encrypted (AES256-CBC)

  • Job secrets like passwords are never returned to the user/Web-UI

  • Job secrets are not passed as commandline-arguments but written to files:

    Example:

    [INFO] [play] Running job 'test': 'ansible-playbook --become-password-file /tmp/ansible-webui/2024-01-26_21-14-0066101/.aw_become_pass --vault-password-file /tmp/ansible-webui/2024-01-26_21-14-0066101/.aw_vault_pass -i inventory/hosts.yml --limit myHost playbook1.yml'
    

    These files are:

    • created with mode 0600

    • overwritten and deleted at execution-cleanup

  • Usage of GitHub’s dependabot and CodeQL
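The secret-handling rules listed above (key taken from the AW_SECRET environment variable or randomized at startup, minimum key length of 30 characters, job secrets written to 0600 files instead of command-line arguments, files overwritten and deleted at cleanup) can be shown in a small self-contained Python example. This is an added illustration, not code from the ansible-webui project; the names JobSecretFiles, load_or_generate_secret, validate_secret and build_playbook_command are hypothetical, and the directory layout is simplified.

```python
import os
import secrets
import stat
import tempfile
from pathlib import Path

# Name taken from the page; the minimum length is the one the page states.
ENV_SECRET_KEY = 'AW_SECRET'
MIN_SECRET_LEN = 30


def validate_secret(key) -> bool:
    """A usable encryption key is a string of at least MIN_SECRET_LEN characters."""
    return isinstance(key, str) and len(key) >= MIN_SECRET_LEN


def load_or_generate_secret(env=None) -> str:
    """Return the encryption key from the environment, or a fresh random one.

    Reading it from the environment keeps it out of the config file, which any
    user able to run playbooks through the service could otherwise read.
    A randomized key means encrypted data does not survive a restart.
    """
    env = os.environ if env is None else env
    key = env.get(ENV_SECRET_KEY)
    if key is None:
        return secrets.token_urlsafe(48)  # 64 URL-safe characters
    if not validate_secret(key):
        raise ValueError(f'{ENV_SECRET_KEY} must be at least {MIN_SECRET_LEN} characters')
    return key


class JobSecretFiles:
    """Hold job secrets in private files for the duration of one execution."""

    def __init__(self, base_dir=None):
        # mkdtemp creates the per-job directory with mode 0700
        self.dir = Path(tempfile.mkdtemp(prefix='aw-job-', dir=base_dir))
        self.files = []

    def write(self, name: str, secret: str) -> Path:
        path = self.dir / name
        # O_EXCL: we create the file ourselves (a pre-planted file or symlink
        # is never reused); 0600: only the service user can read it.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, 'w') as fh:
            fh.write(secret)
        self.files.append(path)
        return path

    def cleanup(self) -> None:
        for path in self.files:
            size = path.stat().st_size
            with open(path, 'r+b') as fh:
                fh.write(b'\0' * size)  # overwrite before unlinking
                fh.flush()
                os.fsync(fh.fileno())
            path.unlink()
        self.files.clear()
        self.dir.rmdir()

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.cleanup()


def file_mode(path: Path) -> int:
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(path.stat().st_mode)


def build_playbook_command(playbook: str, vault_pass_file: Path, become_pass_file: Path) -> list:
    """Pass secrets by file path only; the password values never appear in argv."""
    return [
        'ansible-playbook',
        '--become-password-file', str(become_pass_file),
        '--vault-password-file', str(vault_pass_file),
        playbook,
    ]


if __name__ == '__main__':
    key = load_or_generate_secret()
    with JobSecretFiles() as job:
        vault = job.write('.aw_vault_pass', 'constructed-vault-password')
        become = job.write('.aw_become_pass', 'constructed-become-password')
        print(oct(file_mode(vault)), build_playbook_command('playbook1.yml', vault, become))
    # leaving the block has overwritten and removed both files
```

The `--vault-password-file` and `--become-password-file` options are the ones visible in the log line above; everything else about how the project lays out its temporary directory is an assumption of this example.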

Setup

  • You should use a proxy like nginx in front of AW

    Recommended Config: (Example)

    • use HTTPS with a valid certificate

    • restrict the HTTP security headers (X-Frame-Options, X-Content-Type-Options, Content-Security-Policy and Referrer-Policy, HSTS)

    • limit the networks able to access the Web-application using your firewall(s)

    • limit the request rate on the login form /a/* and API /api/*

    • serve static files using the proxy

      /static/ => ${PATH_VENV}/lib/python${PY_VERSION}/site-packages/ansible-webui/aw/static/

  • Make sure the account passwords and API keys are kept and used safely