xCAT/pyghmi
2
0
Fork 0
mirror of https://opendev.org/x/pyghmi synced 2025-11-04 05:12:25 +00:00
Code Issues Projects Releases Wiki Activity

Implement XCC cryptography settings

Browse Source 
Change-Id: Ib883726bae3e0113499c40d4fb70da6348a48011
This commit is contained in:
Jarrod Johnson
2022-09-23 07:53:19 -04:00
parent 7d0bfd32ff
commit 308b1d49be
1 changed files with 80 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
pyghmi/redfish/oem/lenovo/xcc.py
View File

@@ -43,6 +43,22 @@ funtypes = {
12: 'Fabric Controller',
}
tls_ver = {
1: 'TLS1.1',
2: 'TLS1.2',
3: 'TLS1.3'
}
sec_mode = {
0: ('Compatible',
'Maximum compatibility of cipher suites, without NIST compliance'),
1: ('NIST',
'Maximum compatibility within the constraints of being NIST '
'compliant with perfect forward secrecy'),
2: ('High', 'Support only modern and strong ciphers, NIST '
'compliant with perfect forward security'),
}
def naturalize_string(key):
"""Analyzes string in a human way to enable natural sort
@@ -138,6 +154,26 @@ class OEMHandler(generic.OEMHandler):
settings['presence_assert'] = {
'value': 'Enable' if asserted else 'Disable'
}
secparms = self.wc.grab_json_response('/api/providers/imm_tls_mode')
if secparms and secparms.get('return', 1) == 0:
tlsmode = secparms.get('tls_ver', -1)
if tlsmode in tls_ver:
settings['minimum_tls_version'] = {
'value': tls_ver[tlsmode],
'help': 'The minimum TLS level allowed by the XCC when '
'communicating',
'possible': [tls_ver[x] for x in tls_ver],
}
secmode = secparms.get('sec_mode', -1)
if secmode in sec_mode:
settings['cryptography_mode'] = {
'value': sec_mode[secmode][0],
'help': 'Select cryptography mode, compatible allows all '
'supported ciphers, NIST restricts to NIST '
'compliant ciphers, and High further restricts '
'to a modern subset of NIST compliance',
'possible': [sec_mode[x][0] for x in sec_mode],
}
usbparms = self.wc.grab_json_response('/api/dataset/imm_usb')
if usbparms:
usbparms = usbparms.get('items', [{}])[0]
@@ -177,6 +213,7 @@ class OEMHandler(generic.OEMHandler):
def set_bmc_configuration(self, changeset):
ruleset = {}
usbsettings = {}
secparms = {}
for key in changeset:
if isinstance(changeset[key], six.string_types):
changeset[key] = {'value': changeset[key]}
@@ -203,14 +240,57 @@ class OEMHandler(generic.OEMHandler):
'usb_ethernet', 'usb_ethernet_port_forwarding',
'usb_forwarded_ports'):
usbsettings[key] = changeset[key]['value']
elif key.lower() in ('cryptography_mode', 'minimum_tls_version'):
secparms[key] = changeset[key]['value']
else:
raise pygexc.InvalidParameterValue(
'{0} not a known setting'.format(key))
if usbsettings:
self.apply_usb_configuration(usbsettings)
if secparms:
self.apply_sec_configuration(secparms)
if ruleset:
self.wc.grab_json_response('/api/dataset', ruleset)
def apply_sec_configuration(self, secparms):
secmode = None
tlsver = None
if 'cryptography_mode' in secparms:
secmode = secparms['cryptography_mode'].lower()
for sm in sec_mode:
if sec_mode[sm].lower().startswith(secmode):
secmode = sm
break
else:
raise pygexc.InvalidParameterValue(
'"{0}" is not a recognized cryptography mode'.format(
secparms['cryptography_mode']
)
)
if 'minimum_tls_version' in secparms:
tlsver = secparms['minimum_tls_version'].lower()
for tv in tls_ver:
if tls_ver[tv].lower() == tlsver:
tlsver = tv
break
else:
raise pygexc.InvalidParameterValue(
'"{0}" is not a recognized TLS version'.format(
secparms['minimum_tls_version'])
)
if len(secparms) < 2:
currsecparms = self.wc.grab_json_response(
'/api/providers/imm_tls_mode')
del currsecparms['return']
else:
currsecparms = {}
if secmode is not None:
currsecparms['sec_mode'] = secmode
if tlsver is not None:
currsecparms['tls_ver'] = tlsver
self.wc.grab_json_response('/api/providers/imm_tls_mode',
currsecparms)
def apply_usb_configuration(self, usbsettings):
def numify(val):
if 'enabled'.startswith(val.lower()):