From 09700626b540eb1d196e0789ee40e19c5dea1d44 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Wed, 15 Apr 2020 16:18:39 -0400
Subject: [PATCH] Add attribute to store root password
We want a non-recoverable form, so hard code it to force it that way.
---
 confluent_server/confluent/config/attributes.py | 4 ++++
 confluent_server/confluent/config/configmanager.py | 13 +++++++++++++
 2 files changed, 17 insertions(+)
diff --git a/confluent_server/confluent/config/attributes.py b/confluent_server/confluent/config/attributes.py
index ed9cafa4..2165538c 100644
--- a/confluent_server/confluent/config/attributes.py
+++ b/confluent_server/confluent/config/attributes.py
@@ -97,6 +97,10 @@ node = {
 'description': ('Classification of node as server or switch'),
 'validvalues': ('switch', 'server'),
 },
+ 'crypted.rootpassword': {
+ 'description': 'The password of the local root password. '
+ 'This is stored as a non-recoverable hash.',
+ },
 'deployment.apikey': {
 'description': ('Crypt of api key for self api requests by node'),
 },
diff --git a/confluent_server/confluent/config/configmanager.py b/confluent_server/confluent/config/configmanager.py
index 440eaf6c..9f6ee4eb 100644
--- a/confluent_server/confluent/config/configmanager.py
+++ b/confluent_server/confluent/config/configmanager.py
@@ -60,6 +60,7 @@ import confluent.util
 import confluent.netutil as netutil
 import confluent.exceptions as exc
 import copy
+import crypt
 try:
 import cPickle
 except ModuleNotFoundError:
@@ -475,6 +476,12 @@ def _get_valid_attrname(attrname):
 return attrname
+def hashcrypt_value(value): salt = confluent.util.stringify(base64.b64encode(os.urandom(12))) salt = '$6${0}'.format(salt) return crypt.crypt(value, salt)
+
+
 def crypt_value(value, key=None, integritykey=None): 
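Review bot: The description on the added `'crypted.rootpassword'` entry reads "The password of the local root password.", which is a wording slip; `'description': 'The password of the local root account. '` says what is meant. Since this table is what operators read, it would also help to state the write/read contract the rest of the patch establishes: the value is given as plaintext and is persisted only as a salted `$6$` hash under the `hashvalue` key, so it cannot be read back, only replaced. The `node` dict this entry belongs to starts and ends outside the hunk.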
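Review bot: The added `import crypt` brings in a module that is deprecated since Python 3.11 and removed in 3.13 (PEP 594), and is Unix-only, so the module will fail to import on current interpreters for the sake of the single new `hashcrypt_value` caller (its hunk is cut off in this view). The import is unconditional while the neighbouring `cPickle` import already shows the guarded pattern; at minimum `try: import crypt` / `except ImportError: crypt = None` with an explicit error when a `crypted.` attribute is set would fail loudly at the call site instead of at module load, and the longer-term fix is a `$6$`-compatible replacement for the hash itself. While the module is still in use, `crypt.mksalt(crypt.METHOD_SHA512)` generates a salt in the alphabet crypt(3) expects, whereas the hand-built salt in `hashcrypt_value` comes from `base64.b64encode`, whose output can contain `+`, which is outside the traditional `./0-9A-Za-z` salt set; worth confirming the target libcrypt accepts it, or switching to `mksalt`.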
@@ -1760,6 +1767,9 @@ class ConfigManager(object):
 if 'value' in newdict and attr.startswith("secret."):
 newdict['cryptvalue'] = crypt_value(newdict['value'])
 del newdict['value']
+ if 'value' in newdict and attr.startswith("crypted."):
+ newdict['hashvalue'] = hashcrypt_value(newdict['value'])
+ del newdict['value']
 cfgobj[attr] = newdict
 if attr == 'nodes':
 self._sync_nodes_to_group(group=group,
@@ -2162,6 +2172,9 @@ class ConfigManager(object):
 if 'value' in newdict and attrname.startswith("secret."):
 newdict['cryptvalue'] = crypt_value(newdict['value'])
 del newdict['value']
+ if 'value' in newdict and attrname.startswith("crypted."):
+ newdict['hashvalue'] = hashcrypt_value(newdict['value'])
+ del newdict['value']
 cfgobj[attrname] = newdict
 if attrname == 'groups':
 self._sync_groups_to_node(node=node,
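Review bot: The result of `hashcrypt_value` is assigned to `newdict['hashvalue']` without being checked, here and again in the hunk at `@@ -2162`; depending on the libcrypt in use `crypt.crypt` can return `None` or a failure token (such as `*0`) when the method or salt is rejected, and an empty-string value hashes to a valid blank-password entry, so a bad or empty input would be persisted as a usable credential record. A guard before the assignment, e.g. `if not newdict['value']: raise <the project's invalid-argument exception>` plus a check that the returned hash starts with `$6$`, would keep such values out of the store. These three lines are now duplicated across the two attribute-setting paths, mirroring the already-duplicated `secret.` branch, so folding both prefixes into one helper that both paths call would stop them drifting apart. Both enclosing methods start and end outside the hunks.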