Add attribute to store root password

We want a non-recoverable form, so hard code it to force it that way.
2024-11-22 17:43:14 +00:00 · 2020-04-15 16:18:39 -04:00 · 2020-04-15 16:18:39 -04:00 · 09700626b5
commit 09700626b5
parent 709ace4c92
2 changed files with 17 additions and 0 deletions
--- a/confluent_server/confluent/config/attributes.py
+++ b/confluent_server/confluent/config/attributes.py
@ -97,6 +97,10 @@ node = {
        'description': ('Classification of node as server or switch'),
        'validvalues': ('switch', 'server'),
    },
+    'crypted.rootpassword': {
+        'description': 'The password of the local root password. '
+                       'This is stored as a non-recoverable hash.',
+    },
    'deployment.apikey': {
        'description': ('Crypt of api key for self api requests by node'),
    },
--- a/confluent_server/confluent/config/configmanager.py
+++ b/confluent_server/confluent/config/configmanager.py
@ -60,6 +60,7 @@ import confluent.util
 import confluent.netutil as netutil
 import confluent.exceptions as exc
 import copy
+import crypt
 try:
    import cPickle
 except ModuleNotFoundError:
@ -475,6 +476,12 @@ def _get_valid_attrname(attrname):
    return attrname


+def hashcrypt_value(value):
+    salt = confluent.util.stringify(base64.b64encode(os.urandom(12)))
+    salt = '$6${0}'.format(salt)
+    return crypt.crypt(value, salt)
+
+
 def crypt_value(value,
                key=None,
                integritykey=None):
@ -1760,6 +1767,9 @@ class ConfigManager(object):
                if 'value' in newdict and attr.startswith("secret."):
                    newdict['cryptvalue'] = crypt_value(newdict['value'])
                    del newdict['value']
+                if 'value' in newdict and attr.startswith("crypted."):
+                    newdict['hashvalue'] = hashcrypt_value(newdict['value'])
+                    del newdict['value']
                cfgobj[attr] = newdict
                if attr == 'nodes':
                    self._sync_nodes_to_group(group=group,
@ -2162,6 +2172,9 @@ class ConfigManager(object):
                if 'value' in newdict and attrname.startswith("secret."):
                    newdict['cryptvalue'] = crypt_value(newdict['value'])
                    del newdict['value']
+                if 'value' in newdict and attrname.startswith("crypted."):
+                    newdict['hashvalue'] = hashcrypt_value(newdict['value'])
+                    del newdict['value']
                cfgobj[attrname] = newdict
                if attrname == 'groups':
                    self._sync_groups_to_node(node=node,