From a702a5ee53ae8cb5870844237fe88c55dac97734 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Holger=20Wei=C3=9F?= Date: Wed, 29 Jun 2011 15:55:45 +0200 Subject: New Info attribute: "sensitive" The contents/diffs of s which are marked as "sensitive" are now omitted from the reports transmitted to the server, so that they won't end up in the statistics database. --- src/lib/Client/Tools/POSIX.py | 14 +++++++++----- src/lib/Options.py | 3 +++ src/lib/Server/Plugin.py | 6 ++++-- src/lib/Server/Plugins/SSHbase.py | 6 ++++-- 4 files changed, 20 insertions(+), 9 deletions(-) (limited to 'src') diff --git a/src/lib/Client/Tools/POSIX.py b/src/lib/Client/Tools/POSIX.py index faec2e251..f16b714ff 100644 --- a/src/lib/Client/Tools/POSIX.py +++ b/src/lib/Client/Tools/POSIX.py @@ -148,7 +148,8 @@ class POSIX(Bcfg2.Client.Tools.Tool): entry.set('perms', str(oct(ondisk[ST_MODE])[-4:])) try: content = open(entry.get('name')).read() - entry.set('current_bfile', binascii.b2a_base64(content)) + if (entry.get('sensitive') not in ['true', 'True']): + entry.set('current_bfile', binascii.b2a_base64(content)) except IOError: error = sys.exc_info()[1] self.logger.error("Failed to read %s: %s" % (error.filename, @@ -482,7 +483,8 @@ class POSIX(Bcfg2.Client.Tools.Tool): contentStatus = content == tempdata if not contentStatus: if tbin or not isString(content, self.setup['encoding']): - entry.set('current_bfile', binascii.b2a_base64(content)) + if (entry.get('sensitive') not in ['true', 'True']): + entry.set('current_bfile', binascii.b2a_base64(content)) nqtext = entry.get('qtext', '') nqtext += '\nBinary file, no printable diff' else: 
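Review bot: The guard `entry.get('sensitive') not in ['true', 'True']` in the first POSIX.py hunk treats every other spelling (`TRUE`, `yes`, `1`, a value with stray whitespace) as not sensitive, so a typo in the metadata silently sends the file contents to the server. The same expression is copied into the hunks at -482, -504 and -521, which makes it easy for one copy to drift from the others. One helper used in all four places would keep them consistent, for example `def _is_sensitive(entry): return entry.get('sensitive', 'false').strip().lower() == 'true'`. Logging a warning for unrecognised values would be stricter still. The enclosing methods start and end outside these hunks, so other places that set `current_bfile` or `current_bdiff` cannot be ruled out from here.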
@@ -504,8 +506,9 @@ class POSIX(Bcfg2.Client.Tools.Tool): do_diff = False break if do_diff: - diff = '\n'.join(rawdiff) - entry.set("current_bdiff", binascii.b2a_base64(diff)) + if (entry.get('sensitive') not in ['true', 'True']): + diff = '\n'.join(rawdiff) + entry.set("current_bdiff", binascii.b2a_base64(diff)) # entry.set("current_diff", diff) udiff = '\n'.join([x for x in \ difflib.unified_diff(content.split('\n'), \ @@ -521,7 +524,8 @@ class POSIX(Bcfg2.Client.Tools.Tool): nqtext += '\n' nqtext += dudiff else: - entry.set('current_bfile', binascii.b2a_base64(content)) + if (entry.get('sensitive') not in ['true', 'True']): + entry.set('current_bfile', binascii.b2a_base64(content)) nqtext = entry.get('qtext', '') nqtext += '\nDiff took too long to compute, no printable diff' entry.set('qtext', nqtext) diff --git a/src/lib/Options.py b/src/lib/Options.py index 619b16787..6b3110107 100644 --- a/src/lib/Options.py +++ b/src/lib/Options.py @@ -242,6 +242,9 @@ MDATA_PERMS = Option('Default Path permissions', MDATA_PARANOID = Option('Default Path paranoid setting', 'false', cf=('mdata', 'paranoid'), odesc='Path paranoid setting') +MDATA_SENSITIVE = Option('Default Path sensitive setting', + 'false', cf=('mdata', 'sensitive'), + odesc='Path sensitive setting') # Server options SERVER_REPOSITORY = Option('Server repository path', '/var/lib/bcfg2', diff --git a/src/lib/Server/Plugin.py b/src/lib/Server/Plugin.py index f1d9ce75f..3841e637d 100644 --- a/src/lib/Server/Plugin.py +++ b/src/lib/Server/Plugin.py @@ -30,7 +30,8 @@ opts = {'owner': Bcfg2.Options.MDATA_OWNER, 'group': Bcfg2.Options.MDATA_GROUP, 'important': Bcfg2.Options.MDATA_IMPORTANT, 'perms': Bcfg2.Options.MDATA_PERMS, - 'paranoid': Bcfg2.Options.MDATA_PARANOID} + 'paranoid': Bcfg2.Options.MDATA_PARANOID, + 'sensitive': Bcfg2.Options.MDATA_SENSITIVE} mdata_setup = Bcfg2.Options.OptionParser(opts) mdata_setup.parse([]) del mdata_setup['args'] 
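Review bot: Only `current_bdiff` is suppressed in the -504 hunk; the lines right after the new guard still build `udiff` from `content`, and the next hunk shows diff text being appended to `nqtext` and stored with `entry.set('qtext', nqtext)`. If `qtext` is still on the entry when the report is serialised (not visible in this diff), the readable diff of a sensitive file leaves the client anyway. Either skip building the printable diff for sensitive entries, or confirm that `qtext` is stripped before reporting and record that next to the guard, e.g. `# qtext is interactive-only and is removed before the report is sent`. The method body continues outside both hunks.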
@@ -46,7 +47,8 @@ info_regex = re.compile( \ 'mtime:(\s)*(?P\w+)|' + 'owner:(\s)*(?P\S+)|' + 'paranoid:(\s)*(?P\S+)|' + - 'perms:(\s)*(?P\w+)|') + 'perms:(\s)*(?P\w+)|' + + 'sensitive:(\s)*(?P\S+)|') class PluginInitError(Exception): diff --git a/src/lib/Server/Plugins/SSHbase.py b/src/lib/Server/Plugins/SSHbase.py index 4a33c0cb0..b15275815 100644 --- a/src/lib/Server/Plugins/SSHbase.py +++ b/src/lib/Server/Plugins/SSHbase.py @@ -230,10 +230,12 @@ class SSHbase(Bcfg2.Server.Plugin.Plugin, keydata = self.entries[filename].data permdata = {'owner': 'root', 'group': 'root', - 'type': 'file', - 'perms': '0600'} + 'type': 'file'} if entry.get('name')[-4:] == '.pub': permdata['perms'] = '0644' + else: + permdata['perms'] = '0600' + permdata['sensitive'] = 'true' [entry.attrib.__setitem__(key, permdata[key]) for key in permdata] if "ssh_host_key.H_" == filename[:15]: entry.attrib['encoding'] = 'base64' -- cgit v1.2.3-1-g7c22
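Review bot: The new `sensitive:` alternative in `info_regex` captures any `\S+` token, and nothing in this diff normalises or validates it before it reaches the client, where only the literal strings `true` and `True` suppress the upload. An info file saying `sensitive: yes` would therefore parse cleanly and still have its contents reported. Validating the captured value where the info file is parsed (accept a fixed set of spellings, log anything else) would make a misspelt setting visible. At minimum, add a comment beside the pattern such as `# client compares this literally against 'true'/'True'`.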
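Review bot: The new `else:` branch in SSHbase.py has no comment explaining why it sets `permdata['sensitive'] = 'true'` alongside the `0600` mode while the `.pub` branch sets only `perms`. A short comment above the assignment would stop a later cleanup from folding `perms` back into the dict literal and dropping the flag, for example `# private host key: keep contents and diffs out of client reports`. The literal `'true'` must also stay in a spelling the client check in POSIX.py accepts, which is worth stating in the same comment. The enclosing method starts and ends outside the hunk.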