mirror of
				https://github.com/xcat2/confluent.git
				synced 2025-10-26 00:45:43 +00:00 
			
		
		
		
	Improve conversion reliability
It was frequent that a token expiration would impact attempt to convert an account. Suppress the token based authentication to more reliably have a fresh login. Additionally, mitigate chance of exhausting user login limit. Finally, switch to a generated password for the temporary account. Should something go awry between deleting the third-party account and recreating it, this means the system will have to be reset through OS or F1 menu. However this is better than the risk of a well known backdoor account being inadvertently created.
This commit is contained in:
		| @@ -12,12 +12,14 @@ | ||||
| # See the License for the specific language governing permissions and | ||||
| # limitations under the License. | ||||
|  | ||||
| import base64 | ||||
| import confluent.discovery.handlers.imm as immhandler | ||||
| import confluent.netutil as netutil | ||||
| import confluent.util as util | ||||
| import eventlet | ||||
| import eventlet.support.greendns | ||||
| import json | ||||
| import os | ||||
| import pyghmi.exceptions as pygexc | ||||
| xcc = eventlet.import_patched('pyghmi.redfish.oem.lenovo.xcc') | ||||
| import pyghmi.util.webclient as webclient | ||||
| @@ -133,20 +135,13 @@ class NodeHandler(immhandler.NodeHandler): | ||||
|             print(repr(e)) | ||||
|             pass | ||||
|  | ||||
|     def _get_next_userid(self): | ||||
|         userinfo = self.wc.grab_json_response('/api/dataset/imm_users') | ||||
|     def _get_next_userid(self, wc): | ||||
|         userinfo = wc.grab_json_response('/api/dataset/imm_users') | ||||
|         userinfo = userinfo['items'][0]['users'] | ||||
|         for user in userinfo: | ||||
|             if user['users_user_name'] == '': | ||||
|                 return user['users_user_id'] | ||||
|  | ||||
|     def _create_tmp_user(self): | ||||
|         # If we need to convert a pre-hashed account, we will need a temporary account | ||||
|         userparams = "{0},6pmu0ezczzcp,pwrfijvpiw47$,1,4,0,0,0,0,,8,".format(self._get_next_userid()) | ||||
|         self.wc.grab_json_response('/api/function/', {'USER_UserCreate', userparams}) | ||||
|         # POST to /api/function | ||||
|         # {"USER_UserCreate":"2,6pmu0ezczzcp,pwrfijvpiw47$,1,4,0,0,0,0,,8,"} | ||||
|      | ||||
|     def _setup_xcc_account(self, username, passwd, wc): | ||||
|         userinfo = wc.grab_json_response('/api/dataset/imm_users') | ||||
|         uid = None | ||||
| @@ -166,7 +161,7 @@ class NodeHandler(immhandler.NodeHandler): | ||||
|                              {'USER_UserPassChange': '{0},{1}'.format(uid, passwd)}) | ||||
|         if username != 'USERID': | ||||
|             wc.grab_json_response( | ||||
|                 '/api/function',  | ||||
|                 '/api/function', | ||||
|                 {'USER_UserModify': '{0},{1},,1,4,0,0,0,0,,8,'.format(uid, username)}) | ||||
|  | ||||
|     def _convert_sha256account(self, user, passwd, wc): | ||||
| @@ -179,16 +174,19 @@ class NodeHandler(immhandler.NodeHandler): | ||||
|                 curruser = userent | ||||
|                 break | ||||
|         if curruser.get('users_pass_is_sha256', 0): | ||||
|             self._wc = None | ||||
|             wc = self.wc | ||||
|             nwc = wc.dupe() | ||||
|             # Have to convert it for being useful with most Lenovo automation tools | ||||
|             # This requires deleting the account entirely and trying again | ||||
|             tmpuid = self._get_next_userid() | ||||
|             tmpuid = self._get_next_userid(wc) | ||||
|             try: | ||||
|                 userparams = "{0},6pmu0ezczzcp,pwrfijvpiw47$,1,4,0,0,0,0,,8,".format(tmpuid) | ||||
|                 tpass = base64.b64encode(os.urandom(9)) + 'Iw47$' | ||||
|                 userparams = "{0},6pmu0ezczzcp,{1},1,4,0,0,0,0,,8,".format(tmpuid, tpass) | ||||
|                 result = wc.grab_json_response('/api/function', {'USER_UserCreate': userparams}) | ||||
|                 adata = json.dumps({ | ||||
|                     'username': '6pmu0ezczzcp', | ||||
|                     'password': 'pwrfijvpiw47$', | ||||
|                     'password': tpass, | ||||
|                 }) | ||||
|                 headers = {'Connection': 'keep-alive', 'Content-Type': 'application/json'} | ||||
|                 nwc.request('POST', '/api/login', adata, headers) | ||||
| @@ -200,7 +198,7 @@ class NodeHandler(immhandler.NodeHandler): | ||||
|                     if '_csrf_token' in wc.cookies: | ||||
|                         nwc.set_header('X-XSRF-TOKEN', wc.cookies['_csrf_token']) | ||||
|                     if rspdata.get('reason', False): | ||||
|                         newpass = 'lkfBh2rGxqpJ$' | ||||
|                         newpass = base64.b64encode(os.urandom(9)) + 'q4J$' | ||||
|                         nwc.grab_json_response( | ||||
|                             '/api/function', | ||||
|                             {'USER_UserPassChange': '{0},{1}'.format(tmpuid, newpass)}) | ||||
| @@ -226,7 +224,6 @@ class NodeHandler(immhandler.NodeHandler): | ||||
|             'secret.hardwaremanagementpassword'], decrypt=True) | ||||
|         user, passwd, isdefault = self.get_node_credentials(nodename, creds, 'USERID', 'PASSW0RD') | ||||
|         if self._atdefaultcreds: | ||||
|  | ||||
|             if not isdefault: | ||||
|                 self._setup_xcc_account(user, passwd, wc) | ||||
|         self._convert_sha256account(user, passwd, wc) | ||||
|   | ||||
		Reference in New Issue
	
	Block a user