From 27a30fc549d0e850f69149173232b22c74268cc8 Mon Sep 17 00:00:00 2001
From: "Chris St. Pierre"
Date: Tue, 7 Jan 2014 15:43:36 -0500
Subject: bcfg2-lint: new Crypto plugin checks for data that should be encrypted but isn't
---
 src/lib/Bcfg2/Server/Lint/Crypto.py | 61 +++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 src/lib/Bcfg2/Server/Lint/Crypto.py
(limited to 'src/lib/Bcfg2/Server/Lint')
diff --git a/src/lib/Bcfg2/Server/Lint/Crypto.py b/src/lib/Bcfg2/Server/Lint/Crypto.py
new file mode 100644
index 000000000..53a54031c
--- /dev/null
+++ b/src/lib/Bcfg2/Server/Lint/Crypto.py
@@ -0,0 +1,61 @@
+""" Check for data that claims to be encrypted, but is not. """
+
+import os
+import lxml.etree
+import Bcfg2.Options
+from Bcfg2.Server.Lint import ServerlessPlugin
+from Bcfg2.Server.Encryption import is_encrypted
+
+
+class Crypto(ServerlessPlugin):
+    """ Check for templated scripts or executables. """
+
+    def Run(self):
+        if os.path.exists(os.path.join(Bcfg2.Options.setup.repository, "Cfg")):
+            self.check_cfg()
+        if os.path.exists(os.path.join(Bcfg2.Options.setup.repository,
+                                       "Properties")):
+            self.check_properties()
+        # TODO: check all XML files
+
+    @classmethod
+    def Errors(cls):
+        return {"unencrypted-cfg": "error",
+                "empty-encrypted-properties": "error",
+                "unencrypted-properties": "error"}
+
+    def check_cfg(self):
+        """ Check for Cfg files that end in .crypt but aren't encrypted """
+        for root, _, files in os.walk(
+                os.path.join(Bcfg2.Options.setup.repository, "Cfg")):
+            for fname in files:
+                fpath = os.path.join(root, fname)
+                if self.HandlesFile(fpath) and fname.endswith(".crypt"):
+                    if not is_encrypted(open(fpath).read()):
+                        self.LintError(
+                            "unencrypted-cfg",
+                            "%s is a .crypt file, but it is not encrypted" %
+                            fpath)
+
+    def check_properties(self):
+        """ Check for Properties data that has an ``encrypted`` attribute but
+        aren't encrypted """
+        for root, _, files in os.walk(
+                os.path.join(Bcfg2.Options.setup.repository, "Properties")):
+            for fname in files:
+                fpath = os.path.join(root, fname)
+                if self.HandlesFile(fpath) and fname.endswith(".xml"):
+                    xdata = lxml.etree.parse(fpath)
+                    for elt in xdata.xpath('//*[@encrypted]'):
+                        if not elt.text:
+                            self.LintError(
+                                "empty-encrypted-properties",
+                                "Element in %s has an 'encrypted' attribute, "
+                                "but no text content: %s" %
+                                (fpath, self.RenderXML(elt)))
+                        elif not is_encrypted(elt.text):
+                            self.LintError(
+                                "unencrypted-properties",
+                                "Element in %s has an 'encrypted' attribute, "
+                                "but is not encrypted: %s" %
+                                (fpath, self.RenderXML(elt)))
-- cgit v1.2.3-1-g7c22
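Review bot: `open(fpath).read()` in check_cfg never closes the file object, so every .crypt file visited by the walk stays open until the interpreter happens to collect it (CPython's refcounting hides this; other runtimes and any exception path do not); read it under a context manager, `with open(fpath) as fh:` / `data = fh.read()` and then test `if not is_encrypted(data):`. The class docstring `""" Check for templated scripts or executables. """` looks copied from another plugin and describes neither this class nor its Errors() keys; `""" Check for data that claims to be encrypted, but is not. """` matches the module docstring. In check_properties, `lxml.etree.parse(fpath)` raises on a malformed XML file and aborts the entire lint run rather than reporting that file; if the other Lint plugins surface parse failures as lint errors, this one presumably should do the same.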