mirror of
https://github.com/netinvent/npbackup.git
synced 2024-09-20 23:06:17 +08:00
Fix config encryption and update from gui
parent
655eca698a
commit
f1f01edb18
|
@ -106,13 +106,13 @@ ordereddict.d = d
|
||||||
# NPF-SEC-00003: Avoid password command divulgation
|
# NPF-SEC-00003: Avoid password command divulgation
|
||||||
ENCRYPTED_OPTIONS = [
|
ENCRYPTED_OPTIONS = [
|
||||||
"repo_uri",
|
"repo_uri",
|
||||||
"repo_password",
|
"repo_opts.repo_password",
|
||||||
"repo_password_command",
|
"repo_opts.repo_password_command",
|
||||||
"http_username",
|
"prometheus.http_username",
|
||||||
"http_password",
|
"prometheus.http_username",
|
||||||
"encrypted_variables",
|
"env.encrypted_env_variables",
|
||||||
"auto_upgrade_server_username",
|
"global_options.auto_upgrade_server_username",
|
||||||
"auto_upgrade_server_password",
|
"global_options.auto_upgrade_server_password",
|
||||||
]
|
]
|
||||||
|
|
||||||
# This is what a config file looks like
|
# This is what a config file looks like
|
||||||
|
@ -239,25 +239,36 @@ def get_default_config() -> dict:
|
||||||
return convert_to(full_config)
|
return convert_to(full_config)
|
||||||
|
|
||||||
|
|
||||||
|
def key_should_be_encrypted(key, encrypted_options: List[str]):
|
||||||
|
"""
|
||||||
|
Checks whether key should be encrypted
|
||||||
|
"""
|
||||||
|
for option in encrypted_options:
|
||||||
|
if option in key:
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
def crypt_config(
|
def crypt_config(
|
||||||
full_config: dict, aes_key: str, encrypted_options: List[str], operation: str
|
full_config: dict, aes_key: str, encrypted_options: List[str], operation: str
|
||||||
):
|
):
|
||||||
try:
|
try:
|
||||||
|
|
||||||
def _crypt_config(key: str, value: Any) -> Any:
|
def _crypt_config(key: str, value: Any) -> Any:
|
||||||
if key in encrypted_options:
|
if key_should_be_encrypted(key, encrypted_options):
|
||||||
|
print("operation", operation)
|
||||||
if operation == "encrypt":
|
if operation == "encrypt":
|
||||||
if (
|
if (
|
||||||
isinstance(value, str)
|
(isinstance(value, str)
|
||||||
and not value.startswith("__NPBACKUP__")
|
and (not value.startswith(ID_STRING) or not value.endswith(ID_STRING)))
|
||||||
or not isinstance(value, str)
|
or not isinstance(value, str)
|
||||||
):
|
):
|
||||||
value = enc.encrypt_message_hf(
|
value = enc.encrypt_message_hf(
|
||||||
value, aes_key, ID_STRING, ID_STRING
|
value, aes_key, ID_STRING, ID_STRING
|
||||||
)
|
).decode(
|
||||||
|
"utf-8"
|
||||||
|
)
|
||||||
elif operation == "decrypt":
|
elif operation == "decrypt":
|
||||||
if isinstance(value, str) and value.startswith("__NPBACKUP__"):
|
if isinstance(value, str) and value.startswith(ID_STRING) and value.endswith(ID_STRING):
|
||||||
value = enc.decrypt_message_hf(
|
_, value = enc.decrypt_message_hf(
|
||||||
value,
|
value,
|
||||||
aes_key,
|
aes_key,
|
||||||
ID_STRING,
|
ID_STRING,
|
||||||
|
@ -267,9 +278,10 @@ def crypt_config(
|
||||||
raise ValueError(f"Bogus operation {operation} given")
|
raise ValueError(f"Bogus operation {operation} given")
|
||||||
return value
|
return value
|
||||||
|
|
||||||
return replace_in_iterable(full_config, _crypt_config, callable_wants_key=True)
|
return replace_in_iterable(full_config, _crypt_config, callable_wants_key=True, callable_wants_root_key=True)
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
logger.error(f"Cannot {operation} configuration: {exc}.")
|
logger.error(f"Cannot {operation} configuration: {exc}.")
|
||||||
|
logger.info("Trace:", exc_info=True)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
@ -279,12 +291,12 @@ def is_encrypted(full_config: dict) -> bool:
|
||||||
def _is_encrypted(key, value) -> Any:
|
def _is_encrypted(key, value) -> Any:
|
||||||
nonlocal is_encrypted
|
nonlocal is_encrypted
|
||||||
|
|
||||||
if key in ENCRYPTED_OPTIONS:
|
if key_should_be_encrypted(key, ENCRYPTED_OPTIONS):
|
||||||
if isinstance(value, str) and not value.startswith("__NPBACKUP__"):
|
if isinstance(value, str) and (not value.startswith(ID_STRING) or not value.endswith(ID_STRING)):
|
||||||
is_encrypted = True
|
is_encrypted = False
|
||||||
return value
|
return value
|
||||||
|
|
||||||
replace_in_iterable(full_config, _is_encrypted, callable_wants_key=True)
|
replace_in_iterable(full_config, _is_encrypted, callable_wants_key=True, callable_wants_root_key=True)
|
||||||
return is_encrypted
|
return is_encrypted
|
||||||
|
|
||||||
|
|
||||||
|
|
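Review bot: In the new `ENCRYPTED_OPTIONS` list (first hunk), `"prometheus.http_username"` appears twice and nothing covers the Prometheus HTTP password; the old `"http_password"` entry seems to have been replaced by a second username entry. Because `key_should_be_encrypted` only returns True when one of the options is a substring of the key, a key ending in `http_password` would match no option, so `crypt_config` would leave that password in clear text and `is_encrypted` would not check it. The second entry should presumably read `"prometheus.http_password",`. The `print("operation", operation)` added inside `_crypt_config` looks like leftover debugging and is worth dropping in the same pass.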
|
@ -2,7 +2,7 @@ command_runner>=1.5.2
|
||||||
cryptidy>=1.2.2
|
cryptidy>=1.2.2
|
||||||
python-dateutil
|
python-dateutil
|
||||||
ofunctions.logger_utils>=2.4.1
|
ofunctions.logger_utils>=2.4.1
|
||||||
ofunctions.misc>=1.6.1
|
ofunctions.misc>=1.6.3
|
||||||
ofunctions.process>=2.0.0
|
ofunctions.process>=2.0.0
|
||||||
ofunctions.threading>=2.2.0
|
ofunctions.threading>=2.2.0
|
||||||
ofunctions.platform>=1.4.1
|
ofunctions.platform>=1.4.1
|
||||||
|
|