author | Chris St. Pierre <chris.a.st.pierre@gmail.com> | 2012-05-15 13:24:58 -0400 |
---|---|---|
committer | Chris St. Pierre <chris.a.st.pierre@gmail.com> | 2012-05-15 13:24:58 -0400 |
commit | d221337beaaafd7ce71717da64e4c9d91babd712 (patch) | |
tree | fb8cba5caf9e8e42f71c523707fffcf5cbcb22ff /src/lib/Bcfg2/Server/Plugins/Cfg | |
parent | 4df3945eeecb31e3234e894202868a373c95e3aa (diff) | |
Added ability to store Cfg files with AES encryption
Diffstat (limited to 'src/lib/Bcfg2/Server/Plugins/Cfg')
-rw-r--r-- | src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py
new file mode 100644
index 000000000..6ba470fd5
--- /dev/null
+++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py
@@ -0,0 +1,54 @@
+import logging
+import Bcfg2.Server.Plugin
+from Bcfg2.Server.Plugins.Cfg import CfgGenerator, SETUP
+try:
+    from Bcfg2.Encryption import ssl_decrypt, EVPError
+    have_crypto = True
+except ImportError:
+    have_crypto = False
+
+logger = logging.getLogger(__name__)
+
+class CfgEncryptedGenerator(CfgGenerator):
+    __extensions__ = ["crypt"]
+
+    def __init__(self, fname, spec, encoding):
+        CfgGenerator.__init__(self, fname, spec, encoding)
+        if not have_crypto:
+            msg = "Cfg: M2Crypto is not available: %s" % entry.get("name")
+            logger.error(msg)
+            raise Bcfg2.Server.Plugin.PluginExecutionError(msg)
+
+    @property
+    def passphrases(self):
+        section = "cfg:encryption"
+        if SETUP.cfp.has_section(section):
+            return dict([(o, SETUP.cfp.get(section, o))
+                         for o in SETUP.cfp.options(section)])
+        else:
+            return dict()
+
+    def handle_event(self, event):
+        if event.code2str() == 'deleted':
+            return
+        try:
+            crypted = open(self.name).read()
+        except UnicodeDecodeError:
+            crypted = open(self.name, mode='rb').read()
+        except:
+            logger.error("Failed to read %s" % self.name)
+            return
+        # todo: let the user specify a passphrase by name
+        self.data = None
+        for passwd in self.passphrases.values():
+            try:
+                self.data = ssl_decrypt(crypted, passwd)
+                return
+            except EVPError:
+                pass
+        logger.error("Failed to decrypt %s" % self.name)
+
+    def get_data(self, entry, metadata):
+        if self.data is None:
+            raise Bcfg2.Server.Plugin.PluginExecutionError("Failed to decrypt %s" % self.name)
+        return CfgGenerator.get_data(self, entry, metadata)
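Review bot: `__init__` references `entry`, a name that does not exist in its scope, so the "M2Crypto is not available" path raises NameError instead of the intended PluginExecutionError; the constructor's own argument is what should be reported, `msg = "Cfg: M2Crypto is not available: %s" % fname`. In handle_event the bare `except:` also swallows KeyboardInterrupt and SystemExit, and neither `open()` call is ever closed, so a read failure is hidden and a descriptor is leaked per event; `except (IOError, OSError):` together with reading through `with open(self.name, mode='rb') as f:` would narrow the handler and release the handle. get_data tests `self.data`, but the attribute is only assigned inside handle_event after the 'deleted' early return, so unless CfgGenerator.__init__ initialises it (not visible in this hunk) an instance that has not yet received an event fails with AttributeError rather than the decryption error; setting `self.data = None` in `__init__` would make the check hold. The trailing `logger.error("Failed to decrypt ...")` is only reached after every configured passphrase has been tried, which is worth a comment so the next reader does not mistake the loop's `except EVPError: pass` for a silent swallow.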