puzzle
diff --git a/‎changelogs/fragments/122-implement-password-sanitation-before-hashing.yml
Lines changed: 7 additions & 0 deletions b/‎changelogs/fragments/122-implement-password-sanitation-before-hashing.yml
Lines changed: 7 additions & 0 deletions
diff --git a/‎molecule/system_access_users/converge.yml
Lines changed: 74 additions & 42 deletions b/‎molecule/system_access_users/converge.yml
Lines changed: 74 additions & 42 deletions
@@ -0,0 +1,7 @@
+---
+bugfixes:
+    - system_access_users - Introduced password sanitization to fix parsing errors.
+    - system_access_users - Introduced password verification to fix passwords not being updated.
+
+minor_changes:
+    - system_access_users - Enhanced group removal handling
@@ -7,165 +7,165 @@
       ansible.builtin.debug:
         msg: "test"
 
-      # Test User minimum requirements
+    # Test User minimum requirements
     - name: "Test User 1: Test minimum requirements User Creation"
       puzzle.opnsense.system_access_users:
         username: test_user_1
         password: test_password_1
 
-      # Test User minimum requirements disabled
+    # Test User minimum requirements disabled
     - name: "Test User 2: Test disabled User Creation"
       puzzle.opnsense.system_access_users:
         username: test_user_2
         password: test_password_2
         full_name: "Test User 2: Test disabled User Creation"
         disabled: True
 
-      # Test User with Full Name
+    # Test User with Full Name
     - name: "Test User 3: Test User Creation with Full Name"
       puzzle.opnsense.system_access_users:
         username: test_user_3
         password: test_password_3
         full_name: "Test User 3: Test User Creation with Full Name"
 
-      # Test User with E-Mail
+    # Test User with E-Mail
     - name: "Test User 4: Test User Creation with E-Mail"
       puzzle.opnsense.system_access_users:
         username: test_user_4
         password: test_password_4
         email: test_user_4@test.ch
         full_name: "Test User 4: Test User Creation with E-Mail"
 
-      # Test User with Comment
+    # Test User with Comment
     - name: "Test User 5: Test User Creation with Comment"
       puzzle.opnsense.system_access_users:
         username: test_user_5
         password: test_password_5
         comment: Test User 5 Comment
         full_name: "Test User 5: Test User Creation with Comment"
 
-      # Test User with Preferred landing page
+    # Test User with Preferred landing page
     - name: "Test User 6: Test User Creation with Preferred landing page"
       puzzle.opnsense.system_access_users:
         username: test_user_6
         password: test_password_6
         landing_page: /ui/ipsec/sessions
         full_name: "Test User 6: Test User Creation with Preferred landing page"
 
-      # Test User with nologin shell
+    # Test User with nologin shell
     - name: "Test User 7: Test User Creation with nologin shell"
       puzzle.opnsense.system_access_users:
         username: test_user_7
         password: test_password_7
         shell: /sbin/nologin
         full_name: "Test User 7: Test User Creation with nologin shell"
 
-      # Test User with csh shell
+    # Test User with csh shell
     - name: "Test User 8: Test User Creation with csh shell"
       puzzle.opnsense.system_access_users:
         username: test_user_8
         password: test_password_8
         shell: /bin/csh
         full_name: "Test User 8: Test User Creation with csh shell"
 
-      # Test User with sh shell
+    # Test User with sh shell
     - name: "Test User 9: Test User Creation with sh shell"
       puzzle.opnsense.system_access_users:
         username: test_user_9
         password: test_password_9
         shell: /bin/sh
         full_name: "Test User 9: Test User Creation with sh shell"
 
-      # Test User with tcsh shell
+    # Test User with tcsh shell
     - name: "Test User 10: Test User Creation with tcsh shell"
       puzzle.opnsense.system_access_users:
         username: test_user_10
         password: test_password_10
         shell: /bin/tcsh
         full_name: "Test User 10: Test User Creation with tcsh shell"
 
-      # Test User with Expiration date
+    # Test User with Expiration date
     - name: "Test User 11: Test User Creation with Expiration date"
       puzzle.opnsense.system_access_users:
         username: test_user_11
         password: test_password_11
         expires: 02/27/2024
         full_name: "Test User 11: Test User Creation with Expiration date"
 
-     # Test User with group as string
+    # Test User with group as string
     - name: "Test User 12: Test User Creation with group as string"
       puzzle.opnsense.system_access_users:
         username: test_user_12
         password: test_password_12
         full_name: "Test User 12: Test User Creation with group as string"
         groups: admins
 
-      # Test User with group as list
+    # Test User with group as list
     - name: "Test User 13: Test User Creation with group as list"
       puzzle.opnsense.system_access_users:
         username: test_user_13
         password: test_password_13
         full_name: "Test User 13: Test User Creation with group as list"
         groups:
-          - admins
+            - admins
 
-      # Test User with not existing group as list
+    # Test User with not existing group as list
     - name: "Test User 14: Test User Creation with not existing group as list"
       puzzle.opnsense.system_access_users:
         username: test_user_14
         password: test_password_14
         full_name: "Test User 14: Test User Creation with not existing group as list"
         groups:
-          - test
+            - test
       register: test_user_14_result
       ignore_errors: yes
 
     - name: "Verify that the user creation failed due to non-existing group"
       ansible.builtin.assert:
         that:
-          - test_user_14_result is failed
+            - test_user_14_result is failed
         fail_msg: "User creation should fail due to non-existing group"
         success_msg: "User creation failed as expected due to non-existing group"
 
-      # Test User with empty otp_seed
+    # Test User with empty otp_seed
     - name: "Test User 15: Test User Creation with empty otp_seed"
       puzzle.opnsense.system_access_users:
         username: test_user_15
         password: test_password_15
         otp_seed: ""
         full_name: "Test User 15: Test User Creation with empty otp_seed"
 
-      # Test User with otp_seed
+    # Test User with otp_seed
     - name: "Test User 16: Test User Creation with otp_seed"
       puzzle.opnsense.system_access_users:
         username: test_user_16
         password: test_password_16
         otp_seed: test_seed
         full_name: "Test User 16: Test User Creation with otp_seed"
 
-      # Test User with empty authorizedkeys
+    # Test User with empty authorizedkeys
     - name: "Test User 17: Test User Creation with empty authorizedkeys"
       puzzle.opnsense.system_access_users:
         username: test_user_17
         password: test_password_17
         authorizedkeys: ""
         full_name: "Test User 17: Test User Creation with empty authorizedkeys"
 
-      # Test User with authorizedkeys
+    # Test User with authorizedkeys
     - name: "Test User 18: Test User Creation with authorizedkeys"
       puzzle.opnsense.system_access_users:
-          username: test_user_18
-          password: test_password_18
-          authorizedkeys: test_authorized_key
-          full_name: "Test User 18: Test User Creation with authorizedkeys"
+            username: test_user_18
+            password: test_password_18
+            authorizedkeys: test_authorized_key
+            full_name: "Test User 18: Test User Creation with authorizedkeys"
 
-      # Test User with empty api_keys
+    # Test User with empty api_keys
     - name: "Test User 19: Test User Creation with empty api_keys"
       puzzle.opnsense.system_access_users:
-          username: test_user_19
-          password: test_password_19
-          apikeys: ""
-          full_name: "Test User 19: Test User Creation with empty api_keys"
+            username: test_user_19
+            password: test_password_19
+            apikeys: ""
+            full_name: "Test User 19: Test User Creation with empty api_keys"
       register: api_keys_result
 
     - name: Return the created apikeys and secret of Test User 19
@@ -175,35 +175,67 @@
         - "'generated_apikeys' in api_keys_result"
         - api_keys_result.generated_apikeys | length > 0
 
-      # Test User with too short api_keys
+    # Test User with too short api_keys
     - name: "Test User 20: Test User Creation with too short api_keys"
       puzzle.opnsense.system_access_users:
-          username: test_user_20
-          password: test_password_20
-          apikeys: "TEST_API_KEY"
-          full_name: "Test User 20: Test User Creation with too short api_keys"
+            username: test_user_20
+            password: test_password_20
+            apikeys: "TEST_API_KEY"
+            full_name: "Test User 20: Test User Creation with too short api_keys"
       register: test_user_20_result
       ignore_errors: yes
 
     - name: "Verify that the user creation failed due to too short api key"
       ansible.builtin.assert:
         that:
-          - test_user_20_result is failed
+            - test_user_20_result is failed
         fail_msg: "The API key: TEST_API_KEY is not a valid string. Must be >= 80 characters."
         success_msg: "The API key: TEST_API_KEY is not a valid string. Must be >= 80 characters."
 
-      # Test User with valid api_keys
+    # Test User with valid api_keys
     - name: "Test User 21: Test User Creation with valid api_keys"
       puzzle.opnsense.system_access_users:
-          username: test_user_21
-          password: test_password_21
-          apikeys: "TEST_API_KEY_WITH_RANDOM_CHARS_UNTIL_80_zo5Y3bUpOQFfbQnAOB6GqbHsPAP9Jqbjofnqu9xc"
-          full_name: "Test User 21: Test User Creation with valid api_keys"
+            username: test_user_21
+            password: test_password_21
+            apikeys: "TEST_API_KEY_WITH_RANDOM_CHARS_UNTIL_80_zo5Y3bUpOQFfbQnAOB6GqbHsPAP9Jqbjofnqu9xc"
+            full_name: "Test User 21: Test User Creation with valid api_keys"
       register: api_keys_result
 
     - name: Return the created apikeys and secret of Test User 21
       ansible.builtin.debug:
         msg: "The following api_keys were created {{ api_keys_result.generated_apikeys }}"
       when:
         - "'generated_apikeys' in api_keys_result"
-        - api_keys_result.generated_apikeys | length > 0
+        - api_keys_result.generated_apikeys | length > 0
+
+    # Test User password escaping
+    - name: "Test User 22: Test password escaping"
+      puzzle.opnsense.system_access_users:
+        username: test_user_22
+        password: test_password_22\
+        shell: /bin/sh
+        groups:
+            - admins
+
+    # Test User password escaping
+    - name: "Test User 23: Test password escaping"
+      puzzle.opnsense.system_access_users:
+        username: test_user_23
+        password: test_password_23'
+        shell: /bin/sh
+        groups:
+            - admins
+
+    # we have no alternative way to compare the values
+    # other than getting them from the config
+    # see https://github.com/opnsense/core/blob/24.1/src/opnsense/scripts/syslog/log_archive#L36
+    - name: Get current config
+      ansible.builtin.slurp:
+        src: /conf/config.xml
+      register: current_config
+
+    - name: Test that no error message is in config
+      ansible.builtin.assert:
+        that:
+          - "'syntax error, unexpected identifier \"cost\", expecting \")\" in Command line code on line 1' not in (current_config.content | b64decode | string)"
+          - "'syntax error, unexpected single-quoted string \",PASSWORD_BCRYPT,[ \", expecting \")\" in Command line code on line 1' not in (current_config.content | b64decode | string)"