From 521013e50a4bd694c4d2816ed38ef78aacf04ff7 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Fri, 1 Feb 2019 15:42:44 -0500
Subject: [PATCH] Implement SMM password policy configuration

The discovery.passwordrules is extended to support the SMM
---
 .../confluent/discovery/handlers/smm.py | 35 ++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/confluent_server/confluent/discovery/handlers/smm.py b/confluent_server/confluent/discovery/handlers/smm.py
index aba470d9..f5b17ae9 100644
--- a/confluent_server/confluent/discovery/handlers/smm.py
+++ b/confluent_server/confluent/discovery/handlers/smm.py
@@ -36,9 +36,42 @@ class NodeHandler(bmchandler.NodeHandler):
 uuid = fixuuid(uuid[0])
 self.info['uuid'] = uuid
+ def _validate_cert(self, certificate):
+ # Assumption is by the time we call config, that discovery core has
+ # vetted self._fp. Our job here then is just to make sure that
+ # the currect connection matches the previously saved cert
+ return certificate == self._fp
+
+ def set_password_policy(self, ic):
+ rules = []
+ for rule in self.ruleset.split(','):
+ if '=' not in rule:
+ continue
+ name, value = rule.split('=')
+ if value.lower() in ('no', 'none', 'disable', 'disabled'):
+ value = '0'
+ if name.lower() in ('expiry', 'expiration'):
+ rules.append('passwordDurationDays:' + value)
+ warndays = '5' if int(value) > 5 else value
+ rules.append('passwordExpireWarningDays:' + warndays)
+ if name.lower() in ('lockout', 'loginfailures'):
+ rules.append('passwordFailAllowdNum:' + value)
+ if name.lower() == 'reuse':
+ rules.append('passwordReuseCheckNum:' + value)
+ if rules:
+ apirequest = 'set={0}'.format(','.join(rules))
+ ic.register_key_handler(self._validate_cert)
+ ic.oem_init()
+ ic._oem.smmhandler.wc.request('POST', '/data', apirequest)
+ ic._oem.smmhandler.wc.getresponse().read()
+
 def config(self, nodename):
 # SMM for now has to reset to assure configuration applies
- super(NodeHandler, self).config(nodename)
+ dpp = self.configmanager.get_node_attributes(
+ nodename, 'discovery.passwordrules')
+ self.ruleset = dpp.get(nodename, {}).get(
+ 'discovery.passwordrules', {}).get('value', '')
+ ic = self._bmcconfig(nodename, customconfig=self.set_password_policy)
 # notes for smm:
 # POST to:
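Review bot: In set_password_policy the values taken from discovery.passwordrules reach the SMM request without validation: `rule.split('=')` raises on a second `=`, `int(value)` raises on a non-numeric expiry, the lockout and reuse values are appended as-is, and a name with surrounding whitespace or an unrecognised name is skipped without any signal. Because this is a password policy, a rule that is silently dropped leaves the SMM on its previous policy while the operator believes the configured one is in force. The parsing below splits once, trims, and rejects non-numeric values; ValueError is a stand-in, since the exception type confluent expects at this point is not visible in the hunk. The result of the POST is also read and discarded, so a request the SMM rejects looks like success; checking the response before returning would close that gap.

```python
    def set_password_policy(self, ic):
        rules = []
        for rule in self.ruleset.split(','):
            if '=' not in rule:
                continue
            # Split once and trim so 'expiry = 90' is not silently ignored
            name, value = [x.strip().lower() for x in rule.split('=', 1)]
            if value in ('no', 'none', 'disable', 'disabled'):
                value = '0'
            if not value.isdigit():
                raise ValueError(
                    'Invalid discovery.passwordrules value: ' + rule)
            # … unchanged: mapping of name to the SMM password* settings …
        # … unchanged: POST of the collected rules …
```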