From f1b956c55be5402fffc6dba0d266beabfc07f689 Mon Sep 17 00:00:00 2001
From: Eduardo Otubo <otubo@redhat.com>
Date: Mon, 15 Feb 2021 12:37:48 -0500
Subject: [PATCH] DataSourceAzure: update password for defuser if exists (#671)

RH-Author: Eduardo Otubo <otubo@redhat.com>
Message-id: <20210215123748.21974-1-otubo@redhat.com>
Patchwork-id: 101062
O-Subject: [RHEL-7.7.z/RHEL-7.9.z cloud-init PATCH] DataSourceAzure: update password for defuser if exists (#671)
Bugzilla: 1900807
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Mohammed Gamal <mgamal@redhat.com>

BZ: 1927438
BRANCH: rhel7/master-18.5
BREW: 34944983

BZ: 1900807
BRANCH: rhel7/master-19.4
BREW: 34945000

For RHEL-7.7, this patch should be applied on top of "azure: Do not lock user
on instance id change". Overseer will complain about it since it cannot
be applied cleanly without that patch.

commit eea754492f074e00b601cf77aa278e3623857c5a
Author: Anh Vo <anhvo@microsoft.com>
Date:   Thu Nov 19 00:35:46 2020 -0500

    DataSourceAzure: update password for defuser if exists (#671)

    cc_set_password will only update the password for the default user if
    cfg['password'] is set. The existing code of datasource Azure will fail
    to update the default user's password because it does not set that
    metadata. If the default user doesn't exist in the image, the current
    code works fine because the password is set during user create and
    not in cc_set_password

Signed-off-by: Eduardo Otubo <otubo@redhat.com>
Signed-off-by: Jon Maloy <jmaloy.redhat.com>
---
 cloudinit/sources/DataSourceAzure.py          | 2 +-
 tests/unittests/test_datasource/test_azure.py | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/cloudinit/sources/DataSourceAzure.py b/cloudinit/sources/DataSourceAzure.py
index 6fb889c4..69454c40 100755
--- a/cloudinit/sources/DataSourceAzure.py
+++ b/cloudinit/sources/DataSourceAzure.py
@@ -1206,7 +1206,7 @@ def read_azure_ovf(contents):
     if password:
         defuser['lock_passwd'] = False
         if DEF_PASSWD_REDACTION != password:
-            defuser['passwd'] = encrypt_pass(password)
+            defuser['passwd'] = cfg['password'] = encrypt_pass(password)
 
     if defuser:
         cfg['system_info'] = {'default_user': defuser}
diff --git a/tests/unittests/test_datasource/test_azure.py b/tests/unittests/test_datasource/test_azure.py
index a809fd87..f141dc6c 100644
--- a/tests/unittests/test_datasource/test_azure.py
+++ b/tests/unittests/test_datasource/test_azure.py
@@ -899,6 +899,9 @@ scbus-1 on xpt0 bus 0
                          crypt.crypt(odata['UserPassword'],
                                      defuser['passwd'][0:pos]))
 
+        # the same hashed value should also be present in cfg['password']
+        self.assertEqual(defuser['passwd'], dsrc.cfg['password'])
+
     def test_user_not_locked_if_password_redacted(self):
         odata = {'HostName': "myhost", 'UserName': "myuser",
                  'UserPassword': dsaz.DEF_PASSWD_REDACTION}
-- 
2.18.2