Ejemplo n.º 1
def encrypt_handler(args):
    """Encrypt plaintext secret fields that are already stored in the database.

    Exits the process with an error message when the
    ``secret_keeping:enabled`` server setting is falsy. Otherwise it makes
    two passes: first over ``clients`` documents that still contain any
    selector's plaintext field, then over ``audit_trail`` entries whose
    ``key`` names a plaintext field. Every document for which
    ``encrypt_document`` returns an update is written back, logged and
    reported on stdout.

    ``args`` is accepted but not read by this function.
    """
    if not get_server_setting('secret_keeping:enabled'):
        sys.exit('You cannot encrypt when secret-keeping is disabled.')
    db = get_db()
    selectors = get_selectors()

    # Pass 1: client documents that still hold at least one plaintext field.
    has_plaintext = {'$or': [{sel.plain_mongo: {'$exists': True}}
                             for sel in selectors]}
    for client in db.clients.find(has_plaintext):
        client, changes = encrypt_document(client)
        if not changes:
            continue
        db.clients.update({'_id': client['_id']}, changes)
        log.info('Encrypted data in client document {} (host {})',
                 client['_id'], client['hostname'])
        print('Encrypted client document {} (host {})'.format(
            client['_id'], client['hostname']))

    # Pass 2: audit-trail entries recorded under a plaintext field name.
    plaintext_keys = {'key': {'$in': [sel.plain_mongo for sel in selectors]}}
    for entry in db.audit_trail.find(plaintext_keys):
        entry, changes = encrypt_document(entry,
                                          selectors=audit_trail_selectors)
        if not changes:
            continue
        # The entry's 'key' must be renamed to the encrypted field name of
        # the selector it refers to, so it no longer matches this query.
        encrypted_key = next(sel.enc_mongo for sel in selectors
                             if sel.plain_mongo == entry['key'])
        changes['$set']['key'] = encrypted_key
        db.audit_trail.update({'_id': entry['_id']}, changes)
        log.info('Encrypted data in audit trail document {} (host {})',
                 entry['_id'], entry['hostname'])
        print('Encrypted audit trail document {} (host {})'.format(
            entry['_id'], entry['hostname']))
Ejemplo n.º 2
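def submit():
    """Accept a client submission and merge it into the ``clients`` collection.

    The request must carry a form field ``data`` holding a JSON object with a
    ``hostname`` string and optionally ``plugins`` (an object) and
    ``commands`` (an object mapping command name to an output object).

    Returns:
        ``'ok'`` when plugins and/or commands were stored, ``'error'`` when
        the submission contained neither, or a ``Response`` with status 400
        when the payload is not valid JSON or does not have the expected
        shape.
    """
    db = get_db()
    which = []
    now = datetime.datetime.utcnow()
    try:
        data = json.loads(request.form['data'])
    except json.decoder.JSONDecodeError as e:
        # NOTE(review): the raw request body goes to the log here; if
        # submissions can carry secret fields, confirm that is acceptable.
        log.exception('Failed to parse request data as JSON. Content=<<<{}>>>',
                      request.data)
        return Response(str(e), status=400)

    # The payload is client-controlled. Check its shape before any of it is
    # used in a query or update, so a malformed submission is a 400 rather
    # than an unhandled exception.
    if not isinstance(data, dict):
        return Response('Submission must be a JSON object', status=400)

    # hostname becomes the query filter below. Requiring a string stops a
    # JSON object such as {"$ne": null} from being passed to MongoDB as a
    # query operator and matching a different client's document.
    hostname = data.get('hostname')
    if not isinstance(hostname, str):
        return Response('Submission must include a hostname string',
                        status=400)

    spec = {'hostname': hostname}
    update = {
        'submitted_at': now,
        'hostname': hostname,
    }
    if 'plugins' in data:
        if not isinstance(data['plugins'], dict):
            return Response('plugins must be a JSON object', status=400)
        data['plugins']['submitted_at'] = now
        update['plugins'] = data['plugins']
        which.append('plugins')
    if data.get('commands', {}):
        commands = data['commands']
        if not isinstance(commands, dict) or not all(
                isinstance(output, dict) for output in commands.values()):
            return Response('commands must map names to JSON objects',
                            status=400)
        for name, output in commands.items():
            output['submitted_at'] = now
            # NOTE(review): name is client-supplied and becomes part of a
            # dotted field path; consider restricting it to an expected
            # character set.
            update['commands.{}'.format(name)] = output
        which.append('commands')
    if which:
        old = db.clients.find_one(spec)
        # Upsert instead of update-then-save: the update dict can contain
        # dotted 'commands.<name>' paths, which are valid inside $set but not
        # as top-level keys of a document being inserted, and a single
        # upsert avoids inserting a duplicate when the update matched but
        # reported no modification.
        update_result = db.clients.update_one(spec, {
            '$set': update,
            '$unset': {
                'suspended': True
            }
        }, upsert=True)
        if update_result.upserted_id is not None:
            log.info('Added new client: {}', hostname)
        log.info('Successful submission of {} by {}', ', '.join(which),
                 hostname)
        # NOTE(review): encrypt_document is only reached when the client
        # already existed, so a first submission is stored as received.
        # Confirm that is intended or that another job encrypts it later.
        if old:
            new = db.clients.find_one(spec)
            strip_dates(old)
            strip_dates(new)
            new, updates = encrypt_document(new)
            if updates:
                db.clients.update_one({'_id': new['_id']}, updates)
                log.info('Encrypted secret data for {} in document {}',
                         hostname, new['_id'])
            changes, audit_trail = dict_changes(old, new)
            for change in changes:
                log.info('Change for {}: {}', hostname, change)
            if audit_trail:
                audit_trail_write({
                    'audited_at': now,
                    'hostname': hostname
                }, audit_trail)
        return ('ok')
    else:
        log.error('Empty submission from {}', hostname)
        return ('error')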