Add grub password to attributes

This permits opting into using a password to block editing of grub configuration.
2025-01-28 11:57:37 +00:00 · 2020-06-02 10:59:30 -04:00 · 2020-06-02 10:59:30 -04:00 · cf9f4a9691
commit cf9f4a9691
parent 77586c7f4d
3 changed files with 21 additions and 1 deletions
--- a/confluent_server/confluent/config/attributes.py
+++ b/confluent_server/confluent/config/attributes.py
@ -101,6 +101,9 @@ node = {
        'description': 'The password of the local root password. '
                       'This is stored as a non-recoverable hash.',
    },
+    'crypted.grubpassword': {
+        'description': 'Password required to modify grub behavior at boot',
+    },
    'crypted.selfapikey': {
        'description': ('Crypt of api key for self api requests by node'),
    },
--- a/confluent_server/confluent/config/configmanager.py
+++ b/confluent_server/confluent/config/configmanager.py
@ -52,6 +52,7 @@ except ModuleNotFoundError:
    import dbm
 import ast
 import base64
+from binascii import hexlify
 import confluent.config.attributes as allattributes
 import confluent.config.conf as conf
 import confluent.log
@ -71,6 +72,7 @@ import eventlet.event as event
 import eventlet.green.select as select
 import eventlet.green.threading as gthread
 import fnmatch
+import hashlib
 import json
 import msgpack
 import operator
@ -484,6 +486,17 @@ def _get_valid_attrname(attrname):
    return attrname


+def grub_hashcrypt_value(value)
+    salt = os.urandom(64)
+    algo = 'sha512'
+    rounds = 10000
+    crypted = hexlify(hashlib.pbkdf2_hmac(algo, value, salt, rounds))
+    crypted = crypted.upper()
+    salt = hexlify(salt).upper()
+    ret = 'grub.pbkdf2.{0}.{1}.{2}.{3}'.format(algo, rounds, salt, crypted)
+    return ret
+
+
 def hashcrypt_value(value):
    salt = confluent.util.stringify(base64.b64encode(os.urandom(12),
                                    altchars=b'./'))
@ -2206,6 +2219,8 @@ class ConfigManager(object):
                    del newdict['value']
                if 'value' in newdict and attrname.startswith("crypted."):
                    newdict['hashvalue'] = hashcrypt_value(newdict['value'])
+                    newdict['grubhashvalue'] = grub_hashcrypt_value(
+                        newdict['value'])
                    del newdict['value']
                cfgobj[attrname] = newdict
                if attrname == 'groups':
--- a/confluent_server/confluent/selfservice.py
+++ b/confluent_server/confluent/selfservice.py
@ -64,7 +64,7 @@ def handle_request(env, start_response):
        if ncfg['prefix']:
            ncfg['ipv4_netmask'] = netutil.cidr_to_mask(ncfg['prefix'])
        deployinfo = cfg.get_node_attributes(
-            nodename, ('deployment.*', 'console.method', 'crypted.rootpassword',
+            nodename, ('deployment.*', 'console.method', 'crypted.*',
                       'dns.*'))
        deployinfo = deployinfo.get(nodename, {})
        profile = deployinfo.get(
@ -80,6 +80,8 @@ def handle_request(env, start_response):
            ncfg['protocol'] = 'https'
        ncfg['rootpassword'] = deployinfo.get('crypted.rootpassword', {}).get(
            'hashvalue', None)
+        ncfg['grubpassword'] = deployinfo.get('crypted.grubpassword', {}).get(
+            'grubhashvalue', None)
        if currtzvintage and currtzvintage > (time.time() - 30.0):
            ncfg['timezone'] = currtz
        else: