From ae58c24f72a8ed72327fbc3f7305bd69ec6a13db Mon Sep 17 00:00:00 2001 From: "Chris St. Pierre" Date: Thu, 17 Jan 2013 09:20:37 -0500 Subject: Made a few encryption things simpler: * Only one strict/lax setting, in [encryption], rather than separate settings in [properties] and [sshkeys] * No longer necessary to enable encryption on each Properties file
--- .../Server/Plugins/Cfg/CfgPrivateKeyCreator.py | 6 ++-- src/lib/Bcfg2/Server/Plugins/Properties.py | 37 +++++++++++----------- src/sbin/bcfg2-crypt | 19 ++++++----- 3 files changed, 33 insertions(+), 29 deletions(-) (limited to 'src')
diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgPrivateKeyCreator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgPrivateKeyCreator.py
index 597f8f57b..aaeb65cd6 100644
--- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgPrivateKeyCreator.py
+++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgPrivateKeyCreator.py
@@ -215,8 +215,10 @@ class CfgPrivateKeyCreator(CfgCreator, StructFile): def Index(self): StructFile.Index(self) if HAS_CRYPTO: - strict = SETUP.cfp.get("sshkeys", "decrypt", - default="strict") == "strict" + strict = self.xdata.get( + "decrypt", + SETUP.cfp.get(Bcfg2.Encryption.CFG_SECTION, "decrypt", + default="strict")) == "strict" for el in self.xdata.xpath("//*[@encrypted]"): try: el.text = self._decrypt(el).encode('ascii',
diff --git a/src/lib/Bcfg2/Server/Plugins/Properties.py b/src/lib/Bcfg2/Server/Plugins/Properties.py
index b3c0a6ae5..a51dd8adc 100644
--- a/src/lib/Bcfg2/Server/Plugins/Properties.py
+++ b/src/lib/Bcfg2/Server/Plugins/Properties.py
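Review bot: The added `strict = ... == "strict"` comparison treats every value other than the exact string `strict` as lax, so a typo such as `decrypt="Strict"` in the XML or a trailing space in `[encryption] decrypt` silently turns a failed decryption from a hard error into a warning that leaves the element undecrypted; the Properties.py hunk carries the same comparison. Parsing the mode once and rejecting anything outside the two values named in the commit message keeps the downgrade deliberate, e.g. `mode = self.xdata.get("decrypt", SETUP.cfp.get(Bcfg2.Encryption.CFG_SECTION, "decrypt", default="strict")).strip().lower()`, then `if mode not in ("strict", "lax"):` raise the plugin's error type naming the file, then `strict = mode == "strict"`. Note also that the file-level `decrypt` attribute now takes precedence over the server-wide setting, so `decrypt = strict` in the config is only a default that any repository file can relax; if the config is meant to be a floor, the lookup order should be reversed. Index starts at the hunk's first context line but its body continues past the end of the hunk.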
@@ -205,28 +205,27 @@ class XMLPropertyFile(Bcfg2.Server.Plugin.StructFile, PropertyFile): def Index(self): Bcfg2.Server.Plugin.StructFile.Index(self) - if self.xdata.get("encryption", "false").lower() != "false": + strict = self.xdata.get( + "decrypt", + SETUP.cfp.get(Bcfg2.Encryption.CFG_SECTION, "decrypt", + default="strict")) == "strict" + for el in self.xdata.xpath("//*[@encrypted]"): if not HAS_CRYPTO: raise PluginExecutionError("Properties: M2Crypto is not " "available: %s" % self.name) - strict = self.xdata.get( - "decrypt", - SETUP.cfp.get("properties", "decrypt", - default="strict")) == "strict" - for el in self.xdata.xpath("//*[@encrypted]"): - try: - el.text = self._decrypt(el).encode('ascii', - 'xmlcharrefreplace') - except UnicodeDecodeError: - LOGGER.info("Properties: Decrypted %s to gibberish, " - "skipping" % el.tag) - except Bcfg2.Encryption.EVPError: - msg = "Properties: Failed to decrypt %s element in %s" % \ - (el.tag, self.name) - if strict: - raise PluginExecutionError(msg) - else: - LOGGER.warning(msg) + try: + el.text = self._decrypt(el).encode('ascii', + 'xmlcharrefreplace') + except UnicodeDecodeError: + LOGGER.info("Properties: Decrypted %s to gibberish, " + "skipping" % el.tag) + except Bcfg2.Encryption.EVPError: + msg = "Properties: Failed to decrypt %s element in %s" % \ + (el.tag, self.name) + if strict: + raise PluginExecutionError(msg) + else: + LOGGER.warning(msg) Index.__doc__ = Bcfg2.Server.Plugin.StructFile.Index.__doc__ def _decrypt(self, element):
diff --git a/src/sbin/bcfg2-crypt b/src/sbin/bcfg2-crypt
index 9eab7bd29..fde6af582 100755
--- a/src/sbin/bcfg2-crypt
+++ b/src/sbin/bcfg2-crypt
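Review bot: The new `strict = ...` assignment now runs unconditionally and dereferences `Bcfg2.Encryption.CFG_SECTION` before the `if not HAS_CRYPTO` check two lines below it, whereas the old code only touched that module inside the encryption gate. If `HAS_CRYPTO` is False because importing `Bcfg2.Encryption` failed (the "M2Crypto is not available" message suggests that is how the flag is set), every Properties file, including ones with no `encrypted` elements, would now fail to index with an attribute or name error instead of the intended PluginExecutionError for files that actually need decryption; please confirm against the module's import block, which is outside the hunk. Collecting the encrypted elements first, returning early when there are none, and only then checking the crypto dependency and reading the config keeps unencrypted files working without M2Crypto. Separately, the lax branch leaves the undecryptable ciphertext in `el.text`, which is then served to clients as ordinary property data; that is pre-existing behaviour, but a one-line comment above `LOGGER.warning(msg)` saying so would save the next reader a surprise.
```python
    def Index(self):
        Bcfg2.Server.Plugin.StructFile.Index(self)
        encrypted = self.xdata.xpath("//*[@encrypted]")
        if not encrypted:
            return
        if not HAS_CRYPTO:
            raise PluginExecutionError("Properties: M2Crypto is not "
                                       "available: %s" % self.name)
        strict = self.xdata.get(
            "decrypt",
            SETUP.cfp.get(Bcfg2.Encryption.CFG_SECTION, "decrypt",
                          default="strict")) == "strict"
        for el in encrypted:
            # ... unchanged: _decrypt call, UnicodeDecodeError and EVPError handling ...
```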
@@ -55,7 +55,7 @@ class Encryptor(object): def set_passphrase(self): """ set the passphrase for the current file """ - if (not self.setup.cfp.has_section("encryption") or + if (not self.setup.cfp.has_section(Bcfg2.Encryption.CFG_SECTION) or len(Bcfg2.Encryption.get_passphrases(self.setup)) == 0): self.logger.error("No passphrases available in %s" % self.setup['configfile'])
@@ -70,9 +70,11 @@ class Encryptor(object): self.pname = self.setup['passphrase'] if self.pname: - if self.setup.cfp.has_option("encryption", self.pname): - self.passphrase = self.setup.cfp.get("encryption", - self.pname) + if self.setup.cfp.has_option(Bcfg2.Encryption.CFG_SECTION, + self.pname): + self.passphrase = \ + self.setup.cfp.get(Bcfg2.Encryption.CFG_SECTION, + self.pname) self.logger.debug("Using passphrase %s specified on command " "line" % self.pname) return True
@@ -241,8 +243,10 @@ class Encryptor(object): self.logger.info("No passphrase given on command line or " "found in file") return False - elif self.setup.cfp.has_option("encryption", pname): - passphrase = self.setup.cfp.get("encryption", pname) + elif self.setup.cfp.has_option(Bcfg2.Encryption.CFG_SECTION, + pname): + passphrase = self.setup.cfp.get(Bcfg2.Encryption.CFG_SECTION, + pname) else: self.logger.error("Could not find passphrase %s in %s" % (pname, self.setup['configfile']))
@@ -339,13 +343,12 @@ class PropertiesEncryptor(Encryptor): # find root element while xdata.getparent() != None: xdata = xdata.getparent() - xdata.set("encryption", "true") return lxml.etree.tostring(xdata, xml_declaration=False, pretty_print=True).decode('UTF-8') def _get_passphrase(self, chunk): - pname = chunk.get("encrypted") or chunk.get("encryption") + pname = chunk.get("encrypted") if pname and pname.lower() != "true": return pname return None
-- cgit v1.2.3-1-g7c22
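Review bot: Dropping `xdata.set("encryption", "true")` in the last hunk removes the marker that servers from before this commit use to decide whether to decrypt a Properties file at all (the Properties.py hunk shows the old gate on `encryption != "false"`), so during a mixed-version rollout a file encrypted by the new bcfg2-crypt is served by an old server with its `encrypted` elements left as ciphertext and no error raised. The same hunk also drops the `chunk.get("encryption")` fallback in `_get_passphrase`, so any existing element that names its passphrase through `encryption="<name>"` would now be encrypted under the default passphrase instead; whether such files exist in deployed repositories is not visible here. Either keep writing the root attribute for one release cycle or state in the commit message and the tool's help text that the server must be upgraded before files are re-encrypted with the new tool. The method that sets the root attribute begins outside the hunk.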