generate computer name

Author: timogoebel

config/realm_ad.yml.example

@@ -2,10 +2,23 @@
 # Authentication for Kerberos-based Realms
 :realm: EXAMPLE.COM
 
-:keytab_path:  /etc/foreman-proxy/realm_ad.keytab
+# Kerberos pricipal used to authenticate against Active Directory
 :principal: realm-proxy@EXAMPLE.COM
 
+# Path to the keytab used to authenticate against Active Directory
+:keytab_path:  /etc/foreman-proxy/realm_ad.keytab
+
+# FQDN of the Domain Controller
+:domain_controller: dc.example.com
+
 # Optional: OU where the machine account shall be placed
 #:ou: OU=Linux,OU=Servers,DC=example,DC=com
 
-:domain_controller: dc.example.com
+# Optional: Prefix for the computername
+#:computername_prefix: ''
+
+# Optional: Generate the computername by calculating the SHA256 hexdigest of the hostname
+#:computername_hash: false
+
+# Optional:  use the fqdn of the host to generate the computername
+#:computername_use_fqdn: false

lib/smart_proxy_realm_ad/configuration_loader.rb

@@ -8,11 +8,14 @@ def load_dependency_injection_wirings(container_instance, settings)
       container_instance.dependency :realm_provider_impl,
                                     lambda {
                                       ::Proxy::AdRealm::Provider.new(
-                                        settings[:realm],
-                                        settings[:keytab_path],
-                                        settings[:principal],
-                                        settings[:domain_controller],
-                                        settings[:ou]
+                                        realm: settings[:realm],
+                                        keytab_path: settings[:keytab_path],
+                                        principal: settings[:principal],
+                                        domain_controller: settings[:domain_controller],
+                                        ou: settings[:ou],
+                                        computername_prefix: settings[:computername_prefix],
+                                        computername_hash: settings[:computername_hash],
+                                        computername_use_fqdn: settings[:computername_use_fqdn]
                                       )
                                     }
     end

lib/smart_proxy_realm_ad/provider.rb

@@ -1,20 +1,26 @@
 require 'proxy/kerberos'
 require 'radcli'
+require 'digest'
 
 module Proxy::AdRealm
   class Provider
     include Proxy::Log
     include Proxy::Util
     include Proxy::Kerberos
 
-    def initialize(realm, keytab_path, principal, domain_controller, ou)
-      @realm = realm
-      @keytab_path = keytab_path
-      @principal = principal
-      @domain_controller = domain_controller
-      @domain = realm.downcase
-      @ou = ou
-      logger.info "Proxy::AdRealm: initialize... #{@realm}, #{@keytab_path}, #{@principal}, #{@domain_controller}, #{@domain}, #{@ou}"
+    attr_reader :realm, :keytab_path, :principal, :domain_controller, :domain, :ou, :computername_prefix, :computername_hash, :computername_use_fqdn
+
+    def initialize(options = {})
+      @realm = options[:realm]
+      @keytab_path = options[:keytab_path]
+      @principal = options[:principal]
+      @domain_controller = options[:domain_controller]
+      @domain = options[:realm].downcase
+      @ou = options[:ou]
+      @computername_prefix = options[:computername_prefix]
+      @computername_hash = options.fetch(:computername_hash, false)
+      @computername_use_fqdn = options.fetch(:computername_use_fqdn, false)
+      logger.info 'Proxy::AdRealm: initialize...'
     end
 
     def check_realm(realm)
@@ -33,10 +39,12 @@ def create(realm, hostfqdn, params)
       password = generate_password
       result = { randompassword: password }
 
+      computername = hostfqdn_to_computername(hostfqdn)
+
       if params[:rebuild] == 'true'
-        do_host_rebuild(hostfqdn, password)
+        radcli_password(computername, password)
       else
-        do_host_create(hostfqdn, password)
+        radcli_join(hostfqdn, computername, password)
       end
 
       JSON.pretty_generate(result)
@@ -46,24 +54,31 @@ def delete(realm, hostfqdn)
       logger.info "Proxy::AdRealm: delete... #{realm}, #{hostfqdn}"
       kinit_radcli_connect
       check_realm(realm)
-      radcli_delete(hostfqdn)
+      computername = hostfqdn_to_computername(hostfqdn)
+      radcli_delete(computername)
     end
 
     private
 
-    def hostfqdn_to_hostname(host_fqdn)
-      host_fqdn_split = host_fqdn.split('.')
-      host_fqdn_split.first
-    end
+    def hostfqdn_to_computername(hostfqdn)
+      computername = hostfqdn
+
+      # strip the domain from the host
+      computername = computername.split('.').first unless computername_use_fqdn
+
+      # generate the SHA256 hexdigest from the computername
+      computername = Digest::SHA256.hexdigest(computername) if computername_hash
+
+      # apply prefix if it has not already been applied
+      computername = computername_prefix + computername if apply_computername_prefix?(computername)
 
-    def do_host_create(hostfqdn, password)
-      hostname = hostfqdn_to_hostname(hostfqdn)
-      radcli_join(hostfqdn, hostname, password)
+      # limit length to 15 characters and upcase the computername
+      # see https://support.microsoft.com/en-us/kb/909264
+      computername[0, 15].upcase
     end
 
-    def do_host_rebuild(hostfqdn, password)
-      hostname = hostfqdn_to_hostname hostfqdn
-      radcli_password(hostname, password)
+    def apply_computername_prefix?(computername)
+      !computername_prefix.nil? && !computername_prefix.empty? && (computername_hash || !computername[0, computername_prefix.size].casecmp(computername_prefix).zero?)
     end
 
     def kinit_radcli_connect
@@ -81,10 +96,10 @@ def radcli_connect
       conn
     end
 
-    def radcli_join(hostfqdn, hostname, password)
+    def radcli_join(hostfqdn, computername, password)
       # Join computer
       enroll = Adcli::AdEnroll.new(@adconn)
-      enroll.set_computer_name(hostname)
+      enroll.set_computer_name(computername)
       enroll.set_host_fqdn(hostfqdn)
       enroll.set_domain_ou(@ou) if @ou
       enroll.set_computer_password(password)
@@ -96,19 +111,19 @@ def generate_password
       Array.new(20) { characters.sample }.join
     end
 
-    def radcli_password(hostname, password)
+    def radcli_password(computername, password)
       # Reset a computer's password
       enroll = Adcli::AdEnroll.new(@adconn)
-      enroll.set_computer_name(hostname)
+      enroll.set_computer_name(computername)
       enroll.set_domain_ou(@ou) if @ou
       enroll.set_computer_password(password)
       enroll.password
     end
 
-    def radcli_delete(hostname)
+    def radcli_delete(computername)
       # Delete a computer's account
       enroll = Adcli::AdEnroll.new(@adconn)
-      enroll.set_computer_name(hostname)
+      enroll.set_computer_name(computername)
       enroll.set_domain_ou(@ou) if @ou
       enroll.delete
     end

test/ad_provider_test.rb

@@ -6,13 +6,36 @@
 class RealmAdTest < Test::Unit::TestCase
   def setup
     @realm = 'test_realm'
-    @provider = Proxy::AdRealm::Provider.new('example.com', 'keytab_path', 'principal', 'domain-controller', nil)
+    @provider = Proxy::AdRealm::Provider.new(
+      realm: 'example.com',
+      keytab_path: 'keytab_path',
+      principal: 'principal',
+      domain_controller: 'domain-controller',
+      ou: nil,
+      computername_prefix: nil,
+      computername_hash: false,
+      computername_use_fqdn: false
+    )
   end
 
   def test_create_host
     hostname = 'host.example.com'
-    params = {}
-    params[:rebuild] = 'false'
+    computername = 'HOST'
+    params = {
+      rebuild: 'false'
+    }
+    @provider.expects(:check_realm).with(@realm)
+    @provider.expects(:kinit_radcli_connect)
+    @provider.expects(:generate_password).returns('password')
+    @provider.expects(:radcli_join).with(hostname, computername, 'password')
+    @provider.create(@realm, hostname, params)
+  end
+
+  def test_create_host_generates_password
+    hostname = 'host.example.com'
+    params = {
+      rebuild: 'false'
+    }
     @provider.expects(:check_realm).with(@realm)
     @provider.expects(:kinit_radcli_connect)
     @provider.expects(:radcli_join)
@@ -21,6 +44,47 @@ def test_create_host
     assert_equal 20, response['randompassword'].size
   end
 
+  def test_create_host_prefixes_computername
+    hostname = 'host.example.com'
+    computername = 'ORG-HOST'
+    params = {
+      rebuild: 'false'
+    }
+    @provider.stubs(:computername_prefix).returns('ORG-')
+    @provider.expects(:check_realm).with(@realm)
+    @provider.expects(:kinit_radcli_connect)
+    @provider.expects(:generate_password).returns('password')
+    @provider.expects(:radcli_join).with(hostname, computername, 'password')
+    @provider.create(@realm, hostname, params)
+  end
+
+  def test_create_host_limits_computername_to_15_characters
+    hostname = 'superlonghostname.example.com'
+    computername = 'SUPERLONGHOSTNA'
+    params = {
+      rebuild: 'false'
+    }
+    @provider.expects(:check_realm).with(@realm)
+    @provider.expects(:kinit_radcli_connect)
+    @provider.expects(:generate_password).returns('password')
+    @provider.expects(:radcli_join).with(hostname, computername, 'password')
+    @provider.create(@realm, hostname, params)
+  end
+
+  def test_create_host_applies_sha256_to_computername
+    hostname = 'host.example.com'
+    computername = '4740AE6347B0172'
+    params = {
+      rebuild: 'false'
+    }
+    @provider.stubs(:computername_hash).returns(true)
+    @provider.expects(:check_realm).with(@realm)
+    @provider.expects(:kinit_radcli_connect)
+    @provider.expects(:generate_password).returns('password')
+    @provider.expects(:radcli_join).with(hostname, computername, 'password')
+    @provider.create(@realm, hostname, params)
+  end
+
   def test_create_with_unrecognized_realm_raises_exception
     assert_raises(Exception) { @provider.create('unknown_realm', 'a_host', {}) }
   end