-rw-r--r--doc/server/info.txt4
-rw-r--r--man/bcfg2.conf.54
-rw-r--r--schemas/info.xsd1
-rw-r--r--src/lib/Client/Tools/POSIX.py14
-rw-r--r--src/lib/Options.py3
-rw-r--r--src/lib/Server/Plugin.py6
-rw-r--r--src/lib/Server/Plugins/DBStats.py5
-rw-r--r--src/lib/Server/Plugins/SSHbase.py6
-rwxr-xr-xsrc/lib/Server/Reports/importscript.py9
-rw-r--r--src/lib/Server/Reports/reports/models.py1
-rw-r--r--src/lib/Server/Reports/reports/templates/config_items/item.html22
-rw-r--r--src/lib/Server/Reports/updatefix.py1
12 files changed, 55 insertions, 21 deletions
diff --git a/doc/server/info.txt b/doc/server/info.txt
index 7f466528f..0d273c2b6 100644
--- a/doc/server/info.txt
+++ b/doc/server/info.txt
@@ -44,6 +44,10 @@ possible fields in an info file are:
| | | 'inherit' | (or inherits from the files on | |
| | | disk if set to inherit) | |
+------------+-------------------+----------------------------------+---------+
+| sensitive: | true | false | The contents of sensitive | false |
+| | | entries aren't included in | |
+| | | reports | |
++------------+-------------------+----------------------------------+---------+
A sample info file for CGI script on a web server might look like::
diff --git a/man/bcfg2.conf.5 b/man/bcfg2.conf.5
index 7cd04a0b7..def850b67 100644
--- a/man/bcfg2.conf.5
+++ b/man/bcfg2.conf.5
@@ -285,6 +285,10 @@ Global permissions for Paths (defaults to 644)
.B paranoid
Global paranoid settings for Paths (defaults to false)
+.TP
+.B sensitive
+Global sensitive settings for Paths (defaults to false)
+
.SH CLIENT OPTIONS
These options only affect client functionality, specified in the
diff --git a/schemas/info.xsd b/schemas/info.xsd
index 2ff1d937e..169310ab6 100644
--- a/schemas/info.xsd
+++ b/schemas/info.xsd
@@ -15,6 +15,7 @@
<xsd:attribute name='owner' type='xsd:string'/>
<xsd:attribute name='perms' type='xsd:string'/>
<xsd:attribute name='paranoid' type='xsd:boolean'/>
+ <xsd:attribute name='sensitive' type='xsd:boolean'/>
</xsd:complexType>
<xsd:complexType name='GroupType'>
diff --git a/src/lib/Client/Tools/POSIX.py b/src/lib/Client/Tools/POSIX.py
index faec2e251..f16b714ff 100644
--- a/src/lib/Client/Tools/POSIX.py
+++ b/src/lib/Client/Tools/POSIX.py
@@ -148,7 +148,8 @@ class POSIX(Bcfg2.Client.Tools.Tool):
entry.set('perms', str(oct(ondisk[ST_MODE])[-4:]))
try:
content = open(entry.get('name')).read()
- entry.set('current_bfile', binascii.b2a_base64(content))
+ if (entry.get('sensitive') not in ['true', 'True']):
+ entry.set('current_bfile', binascii.b2a_base64(content))
except IOError:
error = sys.exc_info()[1]
self.logger.error("Failed to read %s: %s" % (error.filename,
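Review bot: The guard added on line 65 fails open: only the literal strings `true` and `True` suppress the upload of file contents, so a value such as `1`, `TRUE` or `yes` silently reports the contents of a file the administrator marked sensitive — and the schema hunk declares the attribute `xsd:boolean`, which permits `1`, while Plugin.py's new regex group `(?P<sensitive>\S+)` accepts any token. The same comparison is repeated in the three hunks that follow (lines 75, 86 and 97) and in importscript.py's build_reason_kwargs, so it would be safer to decide once, e.g. `sensitive = str(entry.get('sensitive', 'false')).strip().lower() in ('true', '1')` near the top of the method and test that flag, or to normalize the value on the server when the info file is parsed so the client only ever sees `true`/`false`. The enclosing method starts and ends outside the hunk.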
@@ -482,7 +483,8 @@ class POSIX(Bcfg2.Client.Tools.Tool):
contentStatus = content == tempdata
if not contentStatus:
if tbin or not isString(content, self.setup['encoding']):
- entry.set('current_bfile', binascii.b2a_base64(content))
+ if (entry.get('sensitive') not in ['true', 'True']):
+ entry.set('current_bfile', binascii.b2a_base64(content))
nqtext = entry.get('qtext', '')
nqtext += '\nBinary file, no printable diff'
else:
@@ -504,8 +506,9 @@ class POSIX(Bcfg2.Client.Tools.Tool):
do_diff = False
break
if do_diff:
- diff = '\n'.join(rawdiff)
- entry.set("current_bdiff", binascii.b2a_base64(diff))
+ if (entry.get('sensitive') not in ['true', 'True']):
+ diff = '\n'.join(rawdiff)
+ entry.set("current_bdiff", binascii.b2a_base64(diff))
# entry.set("current_diff", diff)
udiff = '\n'.join([x for x in \
difflib.unified_diff(content.split('\n'), \
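Review bot: Only the base64 `current_bdiff` is withheld for sensitive entries on lines 86-88; the unified diff built from line 90 onward is still computed and, judging by the next hunk, appended to `nqtext` and stored back into the entry via `entry.set('qtext', nqtext)`. If `qtext` is cleared from the entry before the statistics upload this is merely wasted work, but if it is not, the plaintext diff reaches the server anyway — worth confirming, and if needed the `udiff` computation and the `nqtext` additions should sit under the same `sensitive` test. The enclosing method continues outside the hunk.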
@@ -521,7 +524,8 @@ class POSIX(Bcfg2.Client.Tools.Tool):
nqtext += '\n'
nqtext += dudiff
else:
- entry.set('current_bfile', binascii.b2a_base64(content))
+ if (entry.get('sensitive') not in ['true', 'True']):
+ entry.set('current_bfile', binascii.b2a_base64(content))
nqtext = entry.get('qtext', '')
nqtext += '\nDiff took too long to compute, no printable diff'
entry.set('qtext', nqtext)
diff --git a/src/lib/Options.py b/src/lib/Options.py
index 619b16787..6b3110107 100644
--- a/src/lib/Options.py
+++ b/src/lib/Options.py
@@ -242,6 +242,9 @@ MDATA_PERMS = Option('Default Path permissions',
MDATA_PARANOID = Option('Default Path paranoid setting',
'false', cf=('mdata', 'paranoid'),
odesc='Path paranoid setting')
+MDATA_SENSITIVE = Option('Default Path sensitive setting',
+ 'false', cf=('mdata', 'sensitive'),
+ odesc='Path sensitive setting')
# Server options
SERVER_REPOSITORY = Option('Server repository path', '/var/lib/bcfg2',
diff --git a/src/lib/Server/Plugin.py b/src/lib/Server/Plugin.py
index f1d9ce75f..3841e637d 100644
--- a/src/lib/Server/Plugin.py
+++ b/src/lib/Server/Plugin.py
@@ -30,7 +30,8 @@ opts = {'owner': Bcfg2.Options.MDATA_OWNER,
'group': Bcfg2.Options.MDATA_GROUP,
'important': Bcfg2.Options.MDATA_IMPORTANT,
'perms': Bcfg2.Options.MDATA_PERMS,
- 'paranoid': Bcfg2.Options.MDATA_PARANOID}
+ 'paranoid': Bcfg2.Options.MDATA_PARANOID,
+ 'sensitive': Bcfg2.Options.MDATA_SENSITIVE}
mdata_setup = Bcfg2.Options.OptionParser(opts)
mdata_setup.parse([])
del mdata_setup['args']
@@ -46,7 +47,8 @@ info_regex = re.compile( \
'mtime:(\s)*(?P<mtime>\w+)|' +
'owner:(\s)*(?P<owner>\S+)|' +
'paranoid:(\s)*(?P<paranoid>\S+)|' +
- 'perms:(\s)*(?P<perms>\w+)|')
+ 'perms:(\s)*(?P<perms>\w+)|' +
+ 'sensitive:(\s)*(?P<sensitive>\S+)|')
class PluginInitError(Exception):
diff --git a/src/lib/Server/Plugins/DBStats.py b/src/lib/Server/Plugins/DBStats.py
index 103fb7353..8761d282d 100644
--- a/src/lib/Server/Plugins/DBStats.py
+++ b/src/lib/Server/Plugins/DBStats.py
@@ -98,8 +98,9 @@ class DBStats(Bcfg2.Server.Plugin.Plugin,
ret.append(getattr(entry.reason, t))
else:
ret.append(getattr(entry.reason, "current_%s" % t))
-
- if entry.reason.current_diff != '':
+ if entry.reason.is_sensitive:
+ raise Bcfg2.Server.Plugin.PluginExecutionError
+ elif entry.reason.current_diff != '':
if entry.reason.is_binary:
ret.append(binascii.a2b_base64(entry.reason.current_diff))
else:
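Review bot: `raise Bcfg2.Server.Plugin.PluginExecutionError` on line 148 is raised bare, with no message, so the caller cannot tell a deliberately withheld sensitive entry apart from any other failure and cannot explain the refusal to the operator. Something like `raise Bcfg2.Server.Plugin.PluginExecutionError("entry is marked sensitive; its current contents are not stored in the reports database")` makes the refusal self-describing. The attributes appended in the loop above are still collected before the raise, which is harmless but could be short-circuited by testing `is_sensitive` first; the enclosing method starts and ends outside the hunk.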
diff --git a/src/lib/Server/Plugins/SSHbase.py b/src/lib/Server/Plugins/SSHbase.py
index 4a33c0cb0..b15275815 100644
--- a/src/lib/Server/Plugins/SSHbase.py
+++ b/src/lib/Server/Plugins/SSHbase.py
@@ -230,10 +230,12 @@ class SSHbase(Bcfg2.Server.Plugin.Plugin,
keydata = self.entries[filename].data
permdata = {'owner': 'root',
'group': 'root',
- 'type': 'file',
- 'perms': '0600'}
+ 'type': 'file'}
if entry.get('name')[-4:] == '.pub':
permdata['perms'] = '0644'
+ else:
+ permdata['perms'] = '0600'
+ permdata['sensitive'] = 'true'
[entry.attrib.__setitem__(key, permdata[key]) for key in permdata]
if "ssh_host_key.H_" == filename[:15]:
entry.attrib['encoding'] = 'base64'
diff --git a/src/lib/Server/Reports/importscript.py b/src/lib/Server/Reports/importscript.py
index 68774cec6..7dfac6fae 100755
--- a/src/lib/Server/Reports/importscript.py
+++ b/src/lib/Server/Reports/importscript.py
@@ -40,7 +40,11 @@ from Bcfg2.Bcfg2Py3k import ConfigParser
def build_reason_kwargs(r_ent, encoding, logger):
binary_file = False
- if r_ent.get('current_bfile', False):
+ sensitive_file = False
+ if r_ent.get('sensitive') in ['true', 'True']:
+ sensitive_file = True
+ rc_diff = ''
+ elif r_ent.get('current_bfile', False):
binary_file = True
rc_diff = r_ent.get('current_bfile')
if len(rc_diff) > 1024 * 1024:
@@ -74,7 +78,8 @@ def build_reason_kwargs(r_ent, encoding, logger):
current_version=r_ent.get('current_version', default=""),
current_exists=r_ent.get('current_exists', default="True").capitalize() == "True",
current_diff=rc_diff,
- is_binary=binary_file)
+ is_binary=binary_file,
+ is_sensitive=sensitive_file)
def load_stats(cdata, sdata, encoding, vlevel, logger, quick=False, location=''):
diff --git a/src/lib/Server/Reports/reports/models.py b/src/lib/Server/Reports/reports/models.py
index d94b2e1ba..870239641 100644
--- a/src/lib/Server/Reports/reports/models.py
+++ b/src/lib/Server/Reports/reports/models.py
@@ -277,6 +277,7 @@ class Reason(models.Model):
current_exists = models.BooleanField() # False means its missing. Default True
current_diff = models.TextField(max_length=1280, blank=True)
is_binary = models.BooleanField(default=False)
+ is_sensitive = models.BooleanField(default=False)
def _str_(self):
return "Reason"
diff --git a/src/lib/Server/Reports/reports/templates/config_items/item.html b/src/lib/Server/Reports/reports/templates/config_items/item.html
index 58aed1684..cc99ef503 100644
--- a/src/lib/Server/Reports/reports/templates/config_items/item.html
+++ b/src/lib/Server/Reports/reports/templates/config_items/item.html
@@ -74,15 +74,21 @@ div.entry_list h3 {
</table>
{% endif %}
- {% if item.reason.current_diff %}
- <div class='entry_list'>
- <div class='entry_list_head'>
- <h3>Incorrect file contents</h3>
+ {% if item.reason.current_diff or item.reason.is_sensitive %}
+ <div class='entry_list'>
+ <div class='entry_list_head'>
+ {% if item.reason.is_sensitive %}
+ <h3>File contents unavailable, as they might contain sensitive data.</h3>
+ {% else %}
+ <h3>Incorrect file contents</h3>
+ {% endif %}
+ </div>
+ {% if not item.reason.is_sensitive %}
+ <div class='diff_wrapper'>
+ {{ item.reason.current_diff|syntaxhilight }}
+ </div>
+ {% endif %}
</div>
- <div class='diff_wrapper'>
- {{ item.reason.current_diff|syntaxhilight }}
- </div>
- </div>
{% endif %}
diff --git a/src/lib/Server/Reports/updatefix.py b/src/lib/Server/Reports/updatefix.py
index 4d3c964f5..7cebaaca9 100644
--- a/src/lib/Server/Reports/updatefix.py
+++ b/src/lib/Server/Reports/updatefix.py
@@ -102,6 +102,7 @@ _fixes = [_merge_database_table_entries,
_populate_interaction_entry_counts,
_interactions_constraint_or_idx,
'alter table reports_reason add is_binary bool NOT NULL default False;',
+ 'alter table reports_reason add is_sensitive bool NOT NULL default False;',
]
# this will calculate the last possible version of the database