1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154
|
# Copyright 2015 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Changes:
# March 2020: Modified example found here:
# https://github.com/GoogleCloudPlatform/compute-image-windows/blob/master/examples/windows_auth_python_sample.py
# to enable fog-google to change windows passwords.
require "openssl"
require "base64"
require "json"
module Fog
module Compute
class Google
class Mock
def reset_windows_password(_server:, _user:)
Fog::Mock.not_implemented
end
end
class Real
##
# Resets Windows passwords for users on Google's Windows based images. Code based on Google provided example.
#
# @param instance [String] the name of the instance
# @param zone [String] the name of the zone of the instance
# @param user [String] the user whose password should be reset
#
# @return [String] new password
#
# @see https://cloud.google.com/compute/docs/instances/windows/automate-pw-generation
def reset_windows_password(server:, user:)
# Pull the e-mail address of user authenticated to API
email = @compute.request_options.authorization.issuer
# Create a new key
key = OpenSSL::PKey::RSA.new(2048)
modulus, exponent = get_modulus_exponent_in_base64(key)
# Get Old Metadata
old_metadata = server.metadata
# Create JSON Object with needed information
metadata_entry = get_json_string(user, modulus, exponent, email)
# Create new metadata object
new_metadata = update_windows_keys(old_metadata, metadata_entry)
# Set metadata on instance
server.set_metadata(new_metadata, false)
# Get encrypted password from Serial Port 4 Output
# If machine is booting for the first time, there appears to be a
# delay before the password appears on the serial port.
sleep(1) until server.ready?
serial_port_output = server.serial_port_output(:port => 4)
loop_cnt = 0
while serial_port_output.empty?
if loop_cnt > 12
Fog::Logger.warning("Encrypted password never found on Serial Output Port 4")
raise "Could not reset password."
end
sleep(5)
serial_port_output = server.serial_port_output(:port => 4)
loop_cnt += 1
end
# Parse and decrypt password
enc_password = get_encrypted_password_from_serial_port(serial_port_output, modulus)
password = decrypt_password(enc_password, key)
return password
end
def get_modulus_exponent_in_base64(key)
mod = [key.n.to_s(16)].pack("H*").strip
exp = [key.e.to_s(16)].pack("H*").strip
modulus = Base64.strict_encode64(mod).strip
exponent = Base64.strict_encode64(exp).strip
return modulus, exponent
end
def get_expiration_time_string
utc_now = Time.now.utc
expire_time = utc_now + 5 * 60
return expire_time.strftime("%Y-%m-%dT%H:%M:%SZ")
end
def get_json_string(user, modulus, exponent, email)
expire = get_expiration_time_string
data = { 'userName': user,
'modulus': modulus,
'exponent': exponent,
'email': email,
'expireOn': expire }
return ::JSON.dump(data)
end
def update_windows_keys(old_metadata, metadata_entry)
if old_metadata[:items]
new_metadata = Hash[old_metadata[:items].map { |item| [item[:key], item[:value]] }]
else
new_metadata = {}
end
new_metadata["windows-keys"] = metadata_entry
return new_metadata
end
def get_encrypted_password_from_serial_port(serial_port_output, modulus)
output = serial_port_output.split("\n")
output.reverse_each do |line|
begin
if line.include?("modulus") && line.include?("encryptedPassword")
entry = ::JSON.parse(line)
if modulus == entry["modulus"]
return entry["encryptedPassword"]
end
else
next
end
rescue ::JSON::ParserError
Fog::Logger.warning("Parsing encrypted password from serial output
failed. Trying to parse next matching line.")
next
end
end
end
def decrypt_password(enc_password, key)
decoded_password = Base64.strict_decode64(enc_password)
begin
return key.private_decrypt(decoded_password, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
rescue OpenSSL::PKey::RSAError
Fog::Logger.warning("Error decrypting password received from Google.
Maybe check output on Serial Port 4 and Metadata key: windows-keys?")
end
end
end
end
end
end
|