Add message when insecure is needed

Practically speaking, this will be only choice for most people, but we must make sure that the user acknowledges the risk.
2024-11-22 17:43:14 +00:00 · 2020-03-12 17:42:56 -04:00 · 2020-03-12 17:42:56 -04:00 · 1bfc949466
commit 1bfc949466
parent e97214ca50
1 changed files with 10 additions and 1 deletions
--- a/confluent_server/confluent/discovery/protocols/pxe.py
+++ b/confluent_server/confluent/discovery/protocols/pxe.py
@ -23,6 +23,7 @@
 # option 97 = UUID (wireformat)

 import confluent.config.configmanager as cfm
+import confluent.log as log
 import ctypes
 import ctypes.util
 import eventlet.green.socket as socket
@ -302,9 +303,17 @@ def remap_nodes(nodeattribs, configmanager):

 def check_reply(node, info, packet, sock, cfg):
    cfd = cfg.get_node_attributes(node, ('deployment.*'))
+    profile = cfd.get(node, {}).get('deployment.pendingprofile', {}).get('value', None)
+    if not profile:
+        return
    insecuremode = cfd.get(node, {}).get('deployment.useinsecureprotocols', 'never')
    if insecuremode == 'never' and info['architecture'] != 'uefi-httpboot':
-        print('Ignoring request')
+        log.log(
+            {'info': 'Boot attempt by {0} detected in insecure mode, but '
+                     'insecure mode is disabled.  Set the attribute '
+                     '`deployment.useinsecureprotocols` to `firmware` or '
+                     '`always` to enable support, or use UEFI HTTP boot '
+                     'with HTTPS.'.format(node)})
        return
    print('Thinking about reply to {0}'.format(node))