Diffstat (limited to 'src/lib/Bcfg2')
-rw-r--r-- | src/lib/Bcfg2/Options.py | 45 | ||||
-rw-r--r-- | src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py | 2 | ||||
-rw-r--r-- | src/lib/Bcfg2/Server/Plugins/Properties.py | 58 |
3 files changed, 103 insertions, 2 deletions
diff --git a/src/lib/Bcfg2/Options.py b/src/lib/Bcfg2/Options.py
index 0791ce343..6d3dd0a8c 100644
--- a/src/lib/Bcfg2/Options.py
+++ b/src/lib/Bcfg2/Options.py
@@ -730,6 +730,43 @@ CFG_VALIDATION = \
 long_arg=True,
 cook=get_bool)
+# bcfg2-crypt options
+ENCRYPT = \
+ Option('Encrypt the specified file',
+ default=False,
+ cmd='--encrypt',
+ long_arg=True)
+DECRYPT = \
+ Option('Decrypt the specified file',
+ default=False,
+ cmd='--decrypt',
+ long_arg=True)
+CRYPT_PASSPHRASE = \
+ Option('Encryption passphrase (name or passphrase)',
+ default=None,
+ cmd='-p',
+ odesc='<passphrase>')
+CRYPT_XPATH = \
+ Option('XPath expression to select elements to encrypt',
+ default=None,
+ cmd='--xpath',
+ odesc='<xpath>',
+ long_arg=True)
+CRYPT_PROPERTIES = \
+ Option('Encrypt the specified file as a Properties file',
+ default=False,
+ cmd="--properties",
+ long_arg=True)
+CRYPT_CFG = \
+ Option('Encrypt the specified file as a Cfg file',
+ default=False,
+ cmd="--cfg",
+ long_arg=True)
+CRYPT_REMOVE = \
+ Option('Remove the plaintext file after encrypting',
+ default=False,
+ cmd="--remove",
+ long_arg=True)
 # Option groups
 CLI_COMMON_OPTIONS = dict(configfile=CFILE,
@@ -754,6 +791,14 @@ SERVER_COMMON_OPTIONS = dict(repo=SERVER_REPOSITORY,
 ca=SERVER_CA,
 protocol=SERVER_PROTOCOL)
+CRYPT_OPTIONS = dict(encrypt=ENCRYPT,
+ decrypt=DECRYPT,
+ passphrase=CRYPT_PASSPHRASE,
+ xpath=CRYPT_XPATH,
+ properties=CRYPT_PROPERTIES,
+ cfg=CRYPT_CFG,
+ remove=CRYPT_REMOVE)
+
 DRIVER_OPTIONS = \
 dict(apt_install_path=CLIENT_APT_TOOLS_INSTALL_PATH,
 apt_var_path=CLIENT_APT_TOOLS_VAR_PATH,
diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py
index 0839e3536..2c926fae7 100644
--- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py
+++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py
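Review bot: CRYPT_PASSPHRASE takes the secret directly on the command line via `-p <passphrase>`, where it is visible to every local user through the process list and is typically written to shell history, so the raw-passphrase form should be the discouraged one. The option text already says a name is accepted, so the help string should steer users there, e.g. `Option('Encryption passphrase: the name of a passphrase from the [encryption] section of bcfg2.conf, or the raw passphrase (exposed in ps and shell history; avoid on shared hosts)', ...)`. The `[encryption]` section name is inferred from the other files in this commit rather than from this hunk.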
@@ -10,7 +10,7 @@ except ImportError:
 logger = logging.getLogger(__name__)
 def passphrases():
- section = "cfg:encryption"
+ section = "encryption"
 if SETUP.cfp.has_section(section):
 return dict([(o, SETUP.cfp.get(section, o))
 for o in SETUP.cfp.options(section)])
diff --git a/src/lib/Bcfg2/Server/Plugins/Properties.py b/src/lib/Bcfg2/Server/Plugins/Properties.py
index 680881858..a81cdadd2 100644
--- a/src/lib/Bcfg2/Server/Plugins/Properties.py
+++ b/src/lib/Bcfg2/Server/Plugins/Properties.py
@@ -5,11 +5,31 @@ import copy
 import logging
 import lxml.etree
 import Bcfg2.Server.Plugin
+try:
+ from Bcfg2.Encryption import ssl_decrypt, EVPError
+ have_crypto = True
+except ImportError:
+ have_crypto = False
+
+logger = logging.getLogger(__name__)
+
+SETUP = None
+
+def passphrases():
+ section = "encryption"
+ if SETUP.cfp.has_section(section):
+ return dict([(o, SETUP.cfp.get(section, o))
+ for o in SETUP.cfp.options(section)])
+ else:
+ return dict()
-logger = logging.getLogger('Bcfg2.Plugins.Properties')
 class PropertyFile(Bcfg2.Server.Plugin.StructFile):
 """Class for properties files."""
+ def __init__(self, name):
+ Bcfg2.Server.Plugin.StructFile.__init__(self, name)
+ self.passphrase = None
+
 def write(self):
 """ Write the data in this data structure back to the property file """
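Review bot: Renaming the config section from `cfg:encryption` to `encryption` has no fallback, so a deployed bcfg2.conf that still carries `[cfg:encryption]` silently yields an empty passphrase dict and every encrypted Cfg file stops decrypting at the next server start, which is exactly the kind of failure that is hard to trace back to a config-key rename. A short transition period is cheap: iterate `for section in ("encryption", "cfg:encryption"):`, return the first section that exists, and log a deprecation warning when only the old name is present. The remainder of passphrases() lies outside this hunk.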
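Review bot: The new passphrases() in Properties.py is a verbatim copy of the one in CfgEncryptedGenerator.py (also touched by this commit), including the property that every option under [encryption] is treated as a passphrase, so the two will drift and any future non-passphrase key in that section would be tried as a key by both plugins. Moving the helper next to ssl_decrypt in Bcfg2.Encryption and importing it here keeps one definition; its contract deserves a docstring such as `"""Return {name: passphrase} for every option in the [encryption] section of bcfg2.conf, or an empty dict if the section is absent."""`. Note also that SETUP defaults to None at module level, so passphrases() raises AttributeError on `SETUP.cfp` if anything calls it before Properties.__init__ has assigned SETUP; a comment to that effect on `SETUP = None` would save the next reader a debugging session.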
@@ -47,6 +67,39 @@ class PropertyFile(Bcfg2.Server.Plugin.StructFile):
 else:
 return True
+ def Index(self):
+ Bcfg2.Server.Plugin.StructFile.Index(self)
+ if self.xdata.get("encryption", "false").lower() != "false":
+ logger.error("decrypting data in %s" % self.name)
+ if not have_crypto:
+ msg = "Properties: M2Crypto is not available: %s" % self.name
+ logger.error(msg)
+ raise Bcxfg2.Server.Plugin.PluginExecutionError(msg)
+ for el in self.xdata.xpath("*[@encrypted='true']"):
+ logger.error("decrypting data in %s in %s" % (el.tag, self.name))
+ try:
+ el.text = self._decrypt(el.text)
+ except EVPError:
+ msg = "Failed to decrypt %s element in %s" % (el.tag,
+ self.name)
+ logger.error(msg)
+ raise Bcfg2.Server.PluginExecutionError(msg)
+ def _decrypt(self, crypted):
+ if self.passphrase is None:
+ for passwd in passphrases().values():
+ try:
+ rv = ssl_decrypt(crypted, passwd)
+ self.passphrase = passwd
+ return rv
+ except EVPError:
+ pass
+ else:
+ try:
+ return ssl_decrypt(crypted, self.passphrase)
+ except EVPError:
+ pass
+ raise EVPError("Failed to decrypt")
 class PropDirectoryBacked(Bcfg2.Server.Plugin.DirectoryBacked):
 __child__ = PropertyFile
@@ -62,6 +115,7 @@ class Properties(Bcfg2.Server.Plugin.Plugin,
 name = 'Properties'
 def __init__(self, core, datastore):
+ global SETUP
 Bcfg2.Server.Plugin.Plugin.__init__(self, core, datastore)
 Bcfg2.Server.Plugin.Connector.__init__(self)
 try:
@@ -72,5 +126,7 @@ class Properties(Bcfg2.Server.Plugin.Plugin,
 (e.strerror, e.filename))
 raise Bcfg2.Server.Plugin.PluginInitError
+ SETUP = core.setup
+
 def get_additional_data(self, _):
 return copy.copy(self.store.entries)
|
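Review bot: Both error paths in the new Index() are themselves broken: `raise Bcxfg2.Server.Plugin.PluginExecutionError(msg)` misspells the package and will raise NameError, and `raise Bcfg2.Server.PluginExecutionError(msg)` names a class that lives under Bcfg2.Server.Plugin, so a missing M2Crypto or a failed decryption surfaces as NameError/AttributeError rather than the PluginExecutionError the server expects; both lines should read `raise Bcfg2.Server.Plugin.PluginExecutionError(msg)`. In _decrypt, trying every passphrase from [encryption] in turn means a wrong key is accepted whenever ssl_decrypt happens not to raise; if that helper is OpenSSL-enc-style CBC with no integrity check (its implementation is not visible here), a wrong key passes the padding check on the order of 1 in 256 attempts and garbage silently becomes the element text, so the trial loop should at minimum be documented as unauthenticated, and the iteration order of dict.values() decides which passphrase wins. A comment on `self.passphrase = passwd` should also state that the first passphrase to succeed is cached for the whole file, so elements encrypted with a different passphrase in the same file will then fail. The "decrypting data in …" messages are routine progress output and belong at `logger.debug`, not `logger.error`.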
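Review bot: `SETUP = core.setup` is assigned only after the try block that, judging from the `raise Bcfg2.Server.Plugin.PluginInitError` context, builds the property store; if PropDirectoryBacked indexes the existing files while it is constructed, Index() → _decrypt() → passphrases() runs with SETUP still None and fails with AttributeError on `SETUP.cfp` before any passphrase is consulted. Moving `SETUP = core.setup` to the top of __init__, directly after the `global SETUP` declaration this commit adds, removes the ordering dependency at no cost. The body of __init__ and the try block start outside this hunk, so whether the store is built inside the try is inferred rather than seen.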