-rw-r--r--doc/server/plugins/connectors/properties.txt17
-rw-r--r--src/lib/Bcfg2/Server/Plugins/Properties.py12
-rw-r--r--testsuite/Testsrc/Testlib/TestServer/TestPlugins/TestProperties.py11
3 files changed, 36 insertions, 4 deletions
diff --git a/doc/server/plugins/connectors/properties.txt b/doc/server/plugins/connectors/properties.txt
index 2a037df94..1d276697a 100644
--- a/doc/server/plugins/connectors/properties.txt
+++ b/doc/server/plugins/connectors/properties.txt
@@ -150,6 +150,9 @@ raw data, the following access methods are defined:
for el in metadata.Properties['ntp.xml'].XMLMatch(metadata).findall("//Server")]
%}
+ ``XMLMatch()`` can be run automatically on properties files by using
+ the :ref:`server-plugins-connectors-properties-automatch` feature.
+
You can also access the XML data that comprises a property file
directly in one of several ways:
@@ -282,6 +285,20 @@ with the other data in the file. Only character content of an element
can be encrypted; attribute content and XML elements themselves cannot
be encrypted.
+By default, decryption is *strict*; that is, if any element cannot be
+decrypted, parsing of the file is aborted. If you wish for parsing to
+continue, with unencryptable elements simply skipped, then you can set
+decryption to *lax* in one of two ways:
+
+* Set ``decrypt=lax`` in the ``[properties]`` section of
+ ``bcfg2.conf`` to set lax decryption on all Properties files by
+ default; or
+* Set the ``decrypt="lax"`` attribute on the top-level ``Properties``
+ tag of a Properties file to set lax decryption for a single file.
+
+Note that you could, for instance, set lax decryption by default, and
+then set strict decryption on individual files.
+
To encrypt or decrypt a file, use :ref:`bcfg2-crypt`.
See :ref:`server-encryption` for more details on encryption in Bcfg2
diff --git a/src/lib/Bcfg2/Server/Plugins/Properties.py b/src/lib/Bcfg2/Server/Plugins/Properties.py
index a3b9c6aec..2b4196ad6 100644
--- a/src/lib/Bcfg2/Server/Plugins/Properties.py
+++ b/src/lib/Bcfg2/Server/Plugins/Properties.py
@@ -210,12 +210,20 @@ class XMLPropertyFile(Bcfg2.Server.Plugin.StructFile, PropertyFile):
if not HAS_CRYPTO:
raise PluginExecutionError("Properties: M2Crypto is not "
"available: %s" % self.name)
+ strict = self.xdata.get(
+ "decrypt",
+ SETUP.cfp.get("properties", "decrypt",
+ default="strict")) == "strict"
for el in self.xdata.xpath("//*[@encrypted]"):
try:
el.text = self._decrypt(el)
except EVPError:
- raise PluginExecutionError("Failed to decrypt %s element "
- "in %s" % (el.tag, self.name))
+ msg = "Failed to decrypt %s element in %s" % (el.tag,
+ self.name)
+ if strict:
+ raise PluginExecutionError(msg)
+ else:
+ LOGGER.warning(msg)
Index.__doc__ = Bcfg2.Server.Plugin.StructFile.Index.__doc__
def _decrypt(self, element):
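Review bot: The `== "strict"` comparison fails open: any other value of the `decrypt` attribute or of the `[properties]` `decrypt` option (a typo, or different capitalisation such as `Strict`) selects lax mode, so a misconfiguration silently turns a decryption failure into a warning. Comparing against the lax value keeps strict as the fallback, `default="strict")) != "lax"`, and an unrecognised value could also be logged. In lax mode the failed element stays in `self.xdata` with its original text (presumably the ciphertext) and its `encrypted` attribute, so consumers of the property receive that text rather than nothing. The documentation added in this commit describes such elements as "simply skipped", so either the wording or the behaviour should be brought into line. `Index` begins above the hunk.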
diff --git a/testsuite/Testsrc/Testlib/TestServer/TestPlugins/TestProperties.py b/testsuite/Testsrc/Testlib/TestServer/TestPlugins/TestProperties.py
index 78cb5f52d..2fff67f8b 100644
--- a/testsuite/Testsrc/Testlib/TestServer/TestPlugins/TestProperties.py
+++ b/testsuite/Testsrc/Testlib/TestServer/TestPlugins/TestProperties.py
@@ -256,7 +256,7 @@ class TestXMLPropertyFile(TestPropertyFile, TestStructFile):
pf._decrypt = Mock()
pf._decrypt.return_value = 'plaintext'
pf.data = '''
-<Properties encryption="true">
+<Properties encryption="true" decrypt="strict">
<Crypted encrypted="foo">
crypted
<Plain foo="bar">plain</Plain>
@@ -275,11 +275,18 @@ class TestXMLPropertyFile(TestPropertyFile, TestStructFile):
for el in pf.xdata.xpath("//Crypted"):
self.assertEqual(el.text, pf._decrypt.return_value)
- # test failed decryption
+ # test failed decryption, strict
pf._decrypt.reset_mock()
pf._decrypt.side_effect = EVPError
self.assertRaises(PluginExecutionError, pf.Index)
+ # test failed decryption, lax
+ pf.data = pf.data.replace("strict", "lax")
+ pf._decrypt.reset_mock()
+ pf.Index()
+ self.assertItemsEqual(pf._decrypt.call_args_list,
+ [call(el) for el in pf.xdata.xpath("//Crypted")])
+
@skipUnless(HAS_CRYPTO, "No crypto libraries found, skipping")
def test_decrypt(self):
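Review bot: The lax case appears to rely on `pf._decrypt.side_effect` still being `EVPError` after `reset_mock()`, which a reader can easily miss; a comment before `pf.Index()` such as `# side_effect is still EVPError: reset_mock() does not clear it` would make that explicit. The new assertions only check that `_decrypt` was called for each `Crypted` element. They do not check that a warning was logged or what text the elements hold afterwards, and neither the `bcfg2.conf` default nor an unrecognised `decrypt` value is exercised. The test method starts above the hunk.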