Unable to delete radius account. #86
Comments
|
We use this method in several projects where 5.X software controllers are involved and see no issues there. Can you verify through the developer tools what happens when you delete a Radius account through the web interface? URL, request method (DELETE, GET, POST, PUT) and payload if that exists are relevant. For multiple reasons we don’t deploy UDM PROs so I’m unable to replicate/test... |
|
Here is what I got from Chromium developer tools, I dont see any payload: |
|
I just tested editing ( |
|
Interesting. Can you shared the modified function? |
|
That is what I use for testing, creating account works, editing (I change password to be precise) works but deletion is not. if ($argc==2){
$account_id = $argv[1];
if ($unifi_connection->delete_radius_account($account_id)) {
echo "\naccount deletion succeeds ...\n";
}
else {
echo "\naccount deletion FAILED ...\n";
}
}
if ($argc==3) {
if ($unifi_connection->create_radius_account($argv[1], $argv[2], 13, 6, 2810)) {
echo "\naccount creation succeeds ...\n";
}
else {
echo "\naccount creation FAILED ...\n";
}
}
if ($argc==4) {
$payload = [
'name' => $argv[1],
'x_password' => $argv[2],
'tunnel_type' => 13,
'tunnel_medium_type' => 6,
'vlan' => 2810
];
$account_id = $argv[3];
if ($unifi_connection->set_radius_account_base($account_id, $payload)) {
echo "\naccount edition succeeds ...\n";
}
else {
echo "\naccount edition FAILED ...\n";
}
} |
|
I just ran a test with the I need to find some time to add a USG to one of the sites on our 6.0.43 test controller and run the test there again. |
|
I would be happy to run some test just let me know how can I help. |
|
Thanks. First I need to figure out what we're looking for... |
|
I am not an expert but I was able to reproduce "NOT FOUND" response playing with BurpSuite, to do that I had to modify And with the correct value of Modified value: When I was trying to DELETE already (deleted above) non-existed account the response was: I hope it is helpful. |
|
Interesting observation. Can you confirm whether the x-csrf-token that is returned in the response headers changes after the first request which follows the login? This would make sense why the second request after the login fails. Probably the delete request will succeed after you re-login. |
|
I just re-log and it seems that csrf token stays the same as it was in first request after login: response: I copied csrf token, cookie and user id and delete (via BurpSuite) is a success : |
|
@paciks Can you see whether this version of the /**
* Execute the cURL request
*
* @param string $path path for the request
* @param object|array $payload optional, payload to pass with the request
* @return bool|array response returned by the controller API
*/
protected function exec_curl($path, $payload = null)
{
if (!in_array($this->request_type, $this->request_types_allowed)) {
trigger_error('an invalid HTTP request type was used: ' . $this->request_type);
}
if (!($ch = $this->get_curl_resource())) {
trigger_error('$ch as returned by get_curl_resource() is not a resource');
return false;
}
/**
* assigne default values to these vars
*/
$json_payload = '';
$headers = [];
if ($this->is_unifi_os) {
$url = $this->baseurl . '/proxy/network' . $path;
} else {
$url = $this->baseurl . $path;
}
/**
* prepare cURL options
*/
$curl_options = [
CURLOPT_URL => $url
];
if (!is_null($payload)) {
$json_payload = json_encode($payload, JSON_UNESCAPED_SLASHES);
$curl_options[CURLOPT_POST] = true;
$curl_options[CURLOPT_POSTFIELDS] = $json_payload;
$headers = [
'Content-Type: application/json',
'Content-Length: ' . strlen($json_payload)
];
/**
* we shouldn't be using GET (the default request type) or DELETE when passing a payload,
* switch to POST instead
*/
switch ($this->request_type) {
case 'GET':
$this->request_type = 'POST';
break;
case 'DELETE':
$this->request_type = 'POST';
break;
case 'PUT':
$curl_options[CURLOPT_CUSTOMREQUEST] = 'PUT';
break;
}
}
switch ($this->request_type) {
case 'DELETE':
$curl_options[CURLOPT_CUSTOMREQUEST] = 'DELETE';
break;
case 'PATCH':
$curl_options[CURLOPT_CUSTOMREQUEST] = 'PATCH';
break;
case 'POST':
$curl_options[CURLOPT_CUSTOMREQUEST] = 'POST';
break;
}
if ($this->is_unifi_os && $this->request_type !== 'GET') {
$csrf_token = $this->extract_csrf_token_from_cookie();
if ($csrf_token) {
$headers[] = 'x-csrf-token: ' . $csrf_token;
}
}
if (count($headers) > 0) {
$curl_options[CURLOPT_HTTPHEADER] = $headers;
}
curl_setopt_array($ch, $curl_options);
/**
* execute the cURL request
*/
$content = curl_exec($ch);
if (curl_errno($ch)) {
trigger_error('cURL error: ' . curl_error($ch));
}
/**
* fetch the HTTP response code
*/
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
/**
* an HTTP response code 401 (Unauthorized) indicates the Cookie/Token has expired in which case
* we need to login again.
*/
if ($http_code == 401) {
if ($this->debug) {
error_log(__FUNCTION__ . ': needed to reconnect to UniFi controller');
}
if ($this->exec_retries == 0) {
/**
* explicitly clear the expired Cookie/Token, update other properties and log out before logging in again
*/
if (isset($_SESSION['unificookie'])) {
$_SESSION['unificookie'] = '';
}
$this->is_loggedin = false;
$this->exec_retries++;
curl_close($ch);
/**
* then login again
*/
$this->login();
/**
* when re-login was successful, simply execute the same cURL request again
*/
if ($this->is_loggedin) {
if ($this->debug) {
error_log(__FUNCTION__ . ': re-logged in, calling exec_curl again');
}
return $this->exec_curl($path, $payload);
}
if ($this->debug) {
error_log(__FUNCTION__ . ': re-login failed');
}
}
return false;
}
if ($this->debug) {
print PHP_EOL . '<pre>';
print PHP_EOL . '---------cURL INFO-----------' . PHP_EOL;
print_r(curl_getinfo($ch));
print PHP_EOL . '-------URL & PAYLOAD---------' . PHP_EOL;
print $url . PHP_EOL;
if (empty($json_payload)) {
print 'empty payload';
} else {
print $json_payload;
}
print PHP_EOL . '----------RESPONSE-----------' . PHP_EOL;
print $content;
print PHP_EOL . '-----------------------------' . PHP_EOL;
print '</pre>' . PHP_EOL;
}
curl_close($ch);
/**
* set request_type value back to default, just in case
*/
$this->request_type = 'GET';
return $content;
} |
|
@paciks I applied a small change to the above function/method to only pass the headers to cURL when the $headers array isn't empty. This is to prevent possible issues with future controller versions. |
|
Success! Deletion is working now, I also checked modifying existing account and creating new one and all of them succeeded. |
|
Thanks for confirming! Basically the controller now also requires the x-csrf-token headers for other requests other than POST. I'll push an update later today with this change included. |
malle-pietje
added a commit
that referenced
this issue
Jan 6, 2021
- changed references to *UbiOS* back to *UniFi OS* - removed capitalization from all header strings (per RFC, header fields are case-insensitive: https://tools.ietf.org/html/rfc7230#section-3.2) - removed charset parameter from headers (not required per RFC) - added x-csrf-token header to all requests except GET when talking to UniFi OS-based controllers, thanks go to @paciks for raising #86
|
Fixed with v1.1.63 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I am unable to delete radius account.
UDM Pro v. 1.8.4
UniFi Network v. 6.0.43 (Build: atag_6.0.43_14348)
List radius accounts:
Trying to delete that account:
Used code:
The text was updated successfully, but these errors were encountered: