summaryrefslogtreecommitdiffstats
path: root/src/lib/Bcfg2/Server/Plugins/Cfg
diff options
context:
space:
mode:
authorChris St. Pierre <chris.a.st.pierre@gmail.com>2012-05-15 13:24:58 -0400
committerChris St. Pierre <chris.a.st.pierre@gmail.com>2012-05-15 13:24:58 -0400
commitd221337beaaafd7ce71717da64e4c9d91babd712 (patch)
treefb8cba5caf9e8e42f71c523707fffcf5cbcb22ff /src/lib/Bcfg2/Server/Plugins/Cfg
parent4df3945eeecb31e3234e894202868a373c95e3aa (diff)
downloadbcfg2-d221337beaaafd7ce71717da64e4c9d91babd712.tar.gz
bcfg2-d221337beaaafd7ce71717da64e4c9d91babd712.tar.bz2
bcfg2-d221337beaaafd7ce71717da64e4c9d91babd712.zip
Added ability to store Cfg files with AES encryption
Diffstat (limited to 'src/lib/Bcfg2/Server/Plugins/Cfg')
-rw-r--r--src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py54
1 files changed, 54 insertions, 0 deletions
diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py
new file mode 100644
index 000000000..6ba470fd5
--- /dev/null
+++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py
@@ -0,0 +1,54 @@
+import logging
+import Bcfg2.Server.Plugin
+from Bcfg2.Server.Plugins.Cfg import CfgGenerator, SETUP
+try:
+ from Bcfg2.Encryption import ssl_decrypt, EVPError
+ have_crypto = True
+except ImportError:
+ have_crypto = False
+
+logger = logging.getLogger(__name__)
+
+class CfgEncryptedGenerator(CfgGenerator):
+ __extensions__ = ["crypt"]
+
+ def __init__(self, fname, spec, encoding):
+ CfgGenerator.__init__(self, fname, spec, encoding)
+ if not have_crypto:
+ msg = "Cfg: M2Crypto is not available: %s" % entry.get("name")
+ logger.error(msg)
+ raise Bcfg2.Server.Plugin.PluginExecutionError(msg)
+
+ @property
+ def passphrases(self):
+ section = "cfg:encryption"
+ if SETUP.cfp.has_section(section):
+ return dict([(o, SETUP.cfp.get(section, o))
+ for o in SETUP.cfp.options(section)])
+ else:
+ return dict()
+
+ def handle_event(self, event):
+ if event.code2str() == 'deleted':
+ return
+ try:
+ crypted = open(self.name).read()
+ except UnicodeDecodeError:
+ crypted = open(self.name, mode='rb').read()
+ except:
+ logger.error("Failed to read %s" % self.name)
+ return
+ # todo: let the user specify a passphrase by name
+ self.data = None
+ for passwd in self.passphrases.values():
+ try:
+ self.data = ssl_decrypt(crypted, passwd)
+ return
+ except EVPError:
+ pass
+ logger.error("Failed to decrypt %s" % self.name)
+
+ def get_data(self, entry, metadata):
+ if self.data is None:
+ raise Bcfg2.Server.Plugin.PluginExecutionError("Failed to decrypt %s" % self.name)
+ return CfgGenerator.get_data(self, entry, metadata)