authorSimo Sorce <ssorce@redhat.com>2008-08-07 16:14:37 -0400
committerSimo Sorce <ssorce@redhat.com>2008-09-10 15:43:41 -0400
commit1e2ee3fe3c21bef78352b4c1b5455a53ff0cbd79 (patch)
tree890510db0d1792f4ec68a7a98b2c5bb6fd07ee52
parent09a473ec45c681b5c26752a9e123222e2c91f9ef (diff)
Add encrypt_file and decrypt_file utility functions. We will use them to encrypt the replica file so that we can transport it more safely. It contains sensitive data; by encrypting it we ensure that even if a distracted admin leaves it around it cannot be accessed without knowing the access passphrase (usually the Directory Manager password).
Along the way, also fix ipautil.run, which was buggy and did not pass stdin correctly. Add a dependency on gnupg in the spec file.
-rwxr-xr-xipa-python/ipa-python.spec.in2
-rw-r--r--ipa-python/ipautil.py65
2 files changed, 65 insertions, 2 deletions
diff --git a/ipa-python/ipa-python.spec.in b/ipa-python/ipa-python.spec.in
index 7d270b4f0..774464951 100755
--- a/ipa-python/ipa-python.spec.in
+++ b/ipa-python/ipa-python.spec.in
@@ -10,7 +10,7 @@ Source0: http://www.freeipa.org/downloads/%{name}-%{version}.tgz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
BuildRequires: python-devel
-Requires: python-kerberos
+Requires: python-kerberos gnupg
%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
diff --git a/ipa-python/ipautil.py b/ipa-python/ipautil.py
index 3526cc7a8..b175e275f 100644
--- a/ipa-python/ipautil.py
+++ b/ipa-python/ipautil.py
@@ -72,11 +72,13 @@ def write_tmp_file(txt):
return fd
def run(args, stdin=None):
- p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
if stdin:
+ p = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
stdout,stderr = p.communicate(stdin)
else:
+ p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
stdout,stderr = p.communicate()
+
logging.info(stdout)
logging.info(stderr)
@@ -114,6 +116,67 @@ def backup_file(fname):
if file_exists(fname):
os.rename(fname, fname + ".orig")
+# uses gpg to compress and encrypt a file
+def encrypt_file(source, dest, password, workdir = None):
+ if type(source) is not StringType or not len(source):
+ raise ValueError('Missing Source File')
+ #stat it so that we get back an exception if it does no t exist
+ os.stat(source)
+
+ if type(dest) is not StringType or not len(dest):
+ raise ValueError('Missing Destination File')
+
+ if type(password) is not StringType or not len(password):
+ raise ValueError('Missing Password')
+
+ #create a tempdir so that we can clean up with easily
+ tempdir = tempfile.mkdtemp('', 'ipa-', workdir)
+ gpgdir = tempdir+"/.gnupg"
+
+ try:
+ try:
+ #give gpg a fake dir so that we can leater remove all
+ #the cruft when we clean up the tempdir
+ os.mkdir(gpgdir)
+ args = ['/usr/bin/gpg', '--homedir', gpgdir, '--passphrase-fd', '0', '--yes', '--no-tty', '-o', dest, '-c', source]
+ run(args, password)
+ except:
+ raise
+ finally:
+ #job done, clean up
+ shutil.rmtree(tempdir, ignore_errors=True)
+
+
+def decrypt_file(source, dest, password, workdir = None):
+ if type(source) is not StringType or not len(source):
+ raise ValueError('Missing Source File')
+ #stat it so that we get back an exception if it does no t exist
+ os.stat(source)
+
+ if type(dest) is not StringType or not len(dest):
+ raise ValueError('Missing Destination File')
+
+ if type(password) is not StringType or not len(password):
+ raise ValueError('Missing Password')
+
+ #create a tempdir so that we can clean up with easily
+ tempdir = tempfile.mkdtemp('', 'ipa-', workdir)
+ gpgdir = tempdir+"/.gnupg"
+
+ try:
+ try:
+ #give gpg a fake dir so that we can leater remove all
+ #the cruft when we clean up the tempdir
+ os.mkdir(gpgdir)
+ args = ['/usr/bin/gpg', '--homedir', gpgdir, '--passphrase-fd', '0', '--yes', '--no-tty', '-o', dest, '-d', source]
+ run(args, password)
+ except:
+ raise
+ finally:
+ #job done, clean up
+ shutil.rmtree(tempdir, ignore_errors=True)
+
+
class CIDict(dict):
"""
Case-insensitive but case-respecting dictionary.