From 3efc1536159f2d3459fc77bf55e67622c8abff67 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson <jjohnson2@lenovo.com>
Date: Wed, 3 Jul 2019 11:39:36 -0400
Subject: [PATCH] Improve conversion reliability

It was frequent that a token expiration would impact attempt to convert
an account.  Suppress the token based authentication to more reliably
have a fresh login.

Additionally, mitigate chance of exhausting user login limit.

Finally, switch to a generated password for the temporary account.  Should something go awry
between deleting the third-party account and recreating it, this
means the system will have to be reset through OS or F1 menu.  However this is better
than the risk of a well known backdoor account being inadvertently
created.
---
 .../confluent/discovery/handlers/xcc.py       | 27 +++++++++----------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/confluent_server/confluent/discovery/handlers/xcc.py b/confluent_server/confluent/discovery/handlers/xcc.py
index c19e607f..7151ab1a 100644
--- a/confluent_server/confluent/discovery/handlers/xcc.py
+++ b/confluent_server/confluent/discovery/handlers/xcc.py
@@ -12,12 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import base64
 import confluent.discovery.handlers.imm as immhandler
 import confluent.netutil as netutil
 import confluent.util as util
 import eventlet
 import eventlet.support.greendns
 import json
+import os
 import pyghmi.exceptions as pygexc
 xcc = eventlet.import_patched('pyghmi.redfish.oem.lenovo.xcc')
 import pyghmi.util.webclient as webclient
@@ -133,20 +135,13 @@ class NodeHandler(immhandler.NodeHandler):
             print(repr(e))
             pass
 
-    def _get_next_userid(self):
-        userinfo = self.wc.grab_json_response('/api/dataset/imm_users')
+    def _get_next_userid(self, wc):
+        userinfo = wc.grab_json_response('/api/dataset/imm_users')
         userinfo = userinfo['items'][0]['users']
         for user in userinfo:
             if user['users_user_name'] == '':
                 return user['users_user_id']
 
-    def _create_tmp_user(self):
-        # If we need to convert a pre-hashed account, we will need a temporary account
-        userparams = "{0},6pmu0ezczzcp,pwrfijvpiw47$,1,4,0,0,0,0,,8,".format(self._get_next_userid())
-        self.wc.grab_json_response('/api/function/', {'USER_UserCreate', userparams})
-        # POST to /api/function
-        # {"USER_UserCreate":"2,6pmu0ezczzcp,pwrfijvpiw47$,1,4,0,0,0,0,,8,"}
-    
     def _setup_xcc_account(self, username, passwd, wc):
         userinfo = wc.grab_json_response('/api/dataset/imm_users')
         uid = None
@@ -166,7 +161,7 @@ class NodeHandler(immhandler.NodeHandler):
                              {'USER_UserPassChange': '{0},{1}'.format(uid, passwd)})
         if username != 'USERID':
             wc.grab_json_response(
-                '/api/function', 
+                '/api/function',
                 {'USER_UserModify': '{0},{1},,1,4,0,0,0,0,,8,'.format(uid, username)})
 
     def _convert_sha256account(self, user, passwd, wc):
@@ -179,16 +174,19 @@ class NodeHandler(immhandler.NodeHandler):
                 curruser = userent
                 break
         if curruser.get('users_pass_is_sha256', 0):
+            self._wc = None
+            wc = self.wc
             nwc = wc.dupe()
             # Have to convert it for being useful with most Lenovo automation tools
             # This requires deleting the account entirely and trying again
-            tmpuid = self._get_next_userid()
+            tmpuid = self._get_next_userid(wc)
             try:
-                userparams = "{0},6pmu0ezczzcp,pwrfijvpiw47$,1,4,0,0,0,0,,8,".format(tmpuid)
+                tpass = base64.b64encode(os.urandom(9)) + 'Iw47$'
+                userparams = "{0},6pmu0ezczzcp,{1},1,4,0,0,0,0,,8,".format(tmpuid, tpass)
                 result = wc.grab_json_response('/api/function', {'USER_UserCreate': userparams})
                 adata = json.dumps({
                     'username': '6pmu0ezczzcp',
-                    'password': 'pwrfijvpiw47$',
+                    'password': tpass,
                 })
                 headers = {'Connection': 'keep-alive', 'Content-Type': 'application/json'}
                 nwc.request('POST', '/api/login', adata, headers)
@@ -200,7 +198,7 @@ class NodeHandler(immhandler.NodeHandler):
                     if '_csrf_token' in wc.cookies:
                         nwc.set_header('X-XSRF-TOKEN', wc.cookies['_csrf_token'])
                     if rspdata.get('reason', False):
-                        newpass = 'lkfBh2rGxqpJ$'
+                        newpass = base64.b64encode(os.urandom(9)) + 'q4J$'
                         nwc.grab_json_response(
                             '/api/function',
                             {'USER_UserPassChange': '{0},{1}'.format(tmpuid, newpass)})
@@ -226,7 +224,6 @@ class NodeHandler(immhandler.NodeHandler):
             'secret.hardwaremanagementpassword'], decrypt=True)
         user, passwd, isdefault = self.get_node_credentials(nodename, creds, 'USERID', 'PASSW0RD')
         if self._atdefaultcreds:
-
             if not isdefault:
                 self._setup_xcc_account(user, passwd, wc)
         self._convert_sha256account(user, passwd, wc)