From c8ed877fda583541534d049ed126dd5584601a96 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 1 Apr 2025 14:05:46 -0400
Subject: [PATCH] Make clearer api grant errors
---
 .../scripts/casper-bottom/99confluent | 8 ++++
 confluent_osdeploy/utils/clortho.c | 2 +-
 confluent_server/confluent/networking/lldp.py | 48 ++++++++++++++++++-
 .../confluent/networking/macmap.py | 16 +------
 4 files changed, 56 insertions(+), 18 deletions(-)
diff --git a/confluent_osdeploy/ubuntu22.04/initramfs/scripts/casper-bottom/99confluent b/confluent_osdeploy/ubuntu22.04/initramfs/scripts/casper-bottom/99confluent
index d629cf32..90a7fd56 100755
--- a/confluent_osdeploy/ubuntu22.04/initramfs/scripts/casper-bottom/99confluent
+++ b/confluent_osdeploy/ubuntu22.04/initramfs/scripts/casper-bottom/99confluent
@@ -28,7 +28,15 @@ if [ -e /tmp/cnflnthmackeytmp ]; then
 DEVICE=$(cat /tmp/autodetectnic)
 IP=done
 else
+ APIKEY=
 chroot . custom-installation/confluent/bin/clortho $NODENAME $MGR > /root/custom-installation/confluent/confluent.apikey
+ APIKEY=$(cat /root/custom-installation/confluent.apikey)
+ while [ -z "$APIKEY" ]; do
+ echo "Failure trying to get confluent node token registered, check nodedeploy status, retrying in 5 seconds..."
+ sleep 5
+ chroot . custom-installation/confluent/bin/clortho $NODENAME $MGR > /root/custom-installation/confluent/confluent.apikey
+ APIKEY=$(cat /root/custom-installation/confluent.apikey)
+ done
 MGR=[$MGR]
 nic=$(grep ^MANAGER /custom-installation/confluent/confluent.info|grep fe80::|sed -e s/.*%//|head -n 1)
 nic=$(ip link |grep ^$nic:|awk '{print $2}')
diff --git a/confluent_osdeploy/utils/clortho.c b/confluent_osdeploy/utils/clortho.c
index 887deee2..6d6789d8 100644
--- a/confluent_osdeploy/utils/clortho.c
+++ b/confluent_osdeploy/utils/clortho.c
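Review bot: The two added `APIKEY=$(cat /root/custom-installation/confluent.apikey)` lines in the 99confluent hunk read a different path from the one both `clortho` invocations write, `/root/custom-installation/confluent/confluent.apikey`. Unless something outside the hunk links the two, `APIKEY` stays empty and `while [ -z "$APIKEY" ]` never exits, even after the server grants the token. Both reads should be `APIKEY=$(cat /root/custom-installation/confluent/confluent.apikey)`. The file holds a node credential and nothing visible here sets its mode, so it is worth confirming it is created with restrictive permissions, for example with `umask 077` before the redirect. The enclosing `if`/`else` starts and ends outside the hunk.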
@@ -246,6 +246,6 @@ int main(int argc, char* argv[]) {
 buffer[0] = 255;
 ret = read(sock, buffer, 2);
 }
- fprintf(stderr, "Password was not accepted\n");
+ fprintf(stderr, "Confluent API token grant denied by server\n");
 exit(1);
 }
diff --git a/confluent_server/confluent/networking/lldp.py b/confluent_server/confluent/networking/lldp.py
index e181d46f..ad556d55 100644
--- a/confluent_server/confluent/networking/lldp.py
+++ b/confluent_server/confluent/networking/lldp.py
@@ -34,6 +34,7 @@ if __name__ == '__main__':
 import sys
 import confluent.config.configmanager as cfm
 import base64
+import confluent.networking.nxapi as nxapi
 import confluent.exceptions as exc
 import confluent.log as log
 import confluent.messages as msg
@@ -174,11 +175,54 @@ def _init_lldp(data, iname, idx, idxtoportid, switch):
 data[iname] = {'port': iname, 'portid': str(idxtoportid[idx]), 'chassisid': _chassisidbyswitch[switch]}
-def _extract_neighbor_data_affluent(switch, user, password, cfm, lldpdata):
+_fastbackends = {}
+def detect_backend(switch, verifier)
+ backend = _fastbackends.get(switch, None)
+ if backend:
+ return backend
+ wc = webclient.SecureHTTPConnection(
+ switch, 443, verifycallback=verifier, timeout=5)
+ wc.set_basic_credentials(user, password)
+ apicheck, retcode = wc.grab_json_response_with_status('/affluent/')
+ if retcode == 401 and apicheck == b'{}':
+ _fastbackends[switch] = 'affluent'
+ else:
+ apicheck, retcode = wc.grab_json_response_with_status('/api/')
+ if retcode == 400 and apicheck.startswith(b'{"imdata":['):
+ _fastbackends[switch] = 'nxapi'
+ return _fastbackends.get(switch, None)
+
+def _extract_neighbor_data_https(switch, user, password, cfm, lldpdata):
 kv = util.TLSCertVerifier(cfm, switch, 'pubkeys.tls_hardwaremanager').verify_cert
+ backend = detect_backend(switch, kv)
+ if not backend:
+ raise Exception("No HTTPS backend identified")
 wc = webclient.SecureHTTPConnection(
 switch, 443, verifycallback=kv, timeout=5)
+ if backend == 'affluent':
+ return _extract_neighbor_data_affluent(switch, user, password, cfm, lldpdata, wc)
+ elif backend == 'nxapi':
+ return _nxapi_map_switch(switch, password, user, cfgm)
+
+
+
+def _extract_neighbor_data_nxapi(switch, user, password, cfm, lldpdata, wc):
+ cli = nxapi.NxApiClient(switch, user, password, cfm)
+ lldipinfo = cli.get_lldp()
+ for port in lldpinfo:
+ portdata = lldpinfo[port]
+ peerid = '{0}.{1}'.format(
+ portdata.get('peerchassisid', '').replace(':', '-').replace('/', '-'),
+ portdata.get('peerportid', '').replace(':', '-').replace('/', '-'),
+ )
+ _extract_extended_desc(portdata, portdata['peerdescription'], True)
+
+
+ mt = cli.get_mac_table()
+ _macsbyswitch[switch] = mt
+ _fast_backend_fixup(mt, switch)
+def _extract_neighbor_data_affluent(switch, user, password, cfm, lldpdata, wc):
 wc.set_basic_credentials(user, password)
 neighdata = wc.grab_json_response('/affluent/lldp/all')
 chassisid = neighdata['chassis']['id']
@@ -219,7 +263,7 @@ def _extract_neighbor_data_b(args):
 return
 lldpdata = {'!!vintage': now}
 try:
- return _extract_neighbor_data_affluent(switch, user, password, cfm, lldpdata)
+ return _extract_neighbor_data_https(switch, user, password, cfm, lldpdata)
 except Exception:
 pass
 conn = snmp.Session(switch, password, user)
diff --git a/confluent_server/confluent/networking/macmap.py b/confluent_server/confluent/networking/macmap.py
index 94e7bf5d..32f4d52d 100644
--- a/confluent_server/confluent/networking/macmap.py
+++ b/confluent_server/confluent/networking/macmap.py
@@ -152,26 +152,12 @@ def _nodelookup(switch, ifname):
 return _switchportmap[switch][portdesc]
 return None
-_fastbackends = {}
 def _fast_map_switch(args):
 switch, password, user, cfgm = args
 macdata = None
- backend = _fastbackends.get(switch, None)
 kv = util.TLSCertVerifier(cfgm, switch, 'pubkeys.tls_hardwaremanager').verify_cert
- if not backend:
- wc = webclient.SecureHTTPConnection(
- switch, 443, verifycallback=kv, timeout=5)
- wc.set_basic_credentials(user, password)
- macdata, retcode = wc.grab_json_response_with_status('/affluent/macs/by-port')
- if retcode == 200:
- _fastbackends[switch] = 'affluent'
- else:
- apicheck, retcode = wc.grab_json_response_with_status('/api/')
- if retcode == 400:
- if apicheck.startswith(b'{"imdata":['):
- _fastbackends[switch] = 'nxapi'
- backend = _fastbackends.get(switch, None)
+ backend = lldp.detect_backend(switch, kv)
 if backend == 'affluent':
 return _affluent_map_switch(switch, password, user, cfgm, macdata)
 elif backend == 'nxapi':
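Review bot: `def detect_backend(switch, verifier)` is missing its trailing colon, so lldp.py will not import, and its body calls `wc.set_basic_credentials(user, password)` with names that are not parameters of the function. The probe keys on a 401 from `/affluent/` and a 400 from `/api/`, so it looks intended to run unauthenticated; dropping the credentials line removes the NameError and keeps the switch password out of the fingerprinting requests. In `_extract_neighbor_data_https` the nxapi branch passes the undefined `cfgm` to `_nxapi_map_switch`, which is not defined in the lines shown for this file; it presumably should be `return _extract_neighbor_data_nxapi(switch, user, password, cfm, lldpdata, wc)`. That function assigns `lldipinfo` but iterates `lldpinfo` (should be `lldpinfo = cli.get_lldp()`), computes `peerid` without storing anything in `lldpdata` or returning it, and uses `_macsbyswitch` and `_fast_backend_fixup`, neither of which is defined in the lines shown for lldp.py.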
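Review bot: The `except Exception: pass` around the new `_extract_neighbor_data_https` call now also swallows the deliberate `Exception("No HTTPS backend identified")` and any NameError from the new helpers. It presumably swallows a failed certificate check from the `TLSCertVerifier` callback too, and in every case the code continues silently to `snmp.Session(switch, password, user)`. Consider raising a dedicated exception type for the "no HTTPS backend" case and catching only that for the SNMP fallback, while logging anything else. That way a TLS verification failure on a switch is visible to operators instead of looking like an ordinary SNMP-only device. `_extract_neighbor_data_b` starts and ends outside the hunk.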
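Review bot: `macdata` is still initialised to `None` and is now never assigned before `_affluent_map_switch(switch, password, user, cfgm, macdata)`, because the request to `/affluent/macs/by-port` that used to fill it was removed along with the detection code. Confirm that `_affluent_map_switch` fetches the table itself when given `None`, or drop the argument. The hunk also calls `lldp.detect_backend` without adding an import; if macmap.py does not already import it, this needs `import confluent.networking.lldp as lldp`. Because the new nxapi path in lldp.py refers to names that appear to live in macmap.py, check that the two modules do not end up importing each other. `_fast_map_switch` continues past the end of the hunk.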