Only apply the FREEZE method in pfconfig

lib/pf/config/crypt.pm

@@ -87,7 +87,7 @@ sub pf_encrypt {
  my $iv = random_bytes(12);
  my $ad = '';
  my ($ciphertext, $tag) = gcm_encrypt_authenticate('AES', $DERIVED_KEY, $iv, $ad, $text);
- return 'PF_ENC[' . encode_tags(data => $ciphertext, tag => $tag, iv => $iv, ad => $ad) . ']';
+ return  $PREFIX . encode_tags(data => $ciphertext, tag => $tag, iv => $iv, ad => $ad) . ']';
 }
 
 sub pf_decrypt {

lib/pf/config/crypt/object.pm

@@ -21,24 +21,18 @@ sub new {
  return bless(\$data, $class)
 }
 
-sub FREEZE {
- my ($self, $serializer) = @_;
- my $data = $$self;
- if (rindex($data, $pf::config::crypt::PREFIX, 0) == 0) {
- return $data;
- }
-
- return pf::config::crypt::pf_encrypt($data)
-}
-
 sub THAW {
  my ($class, $serializer, $data) = @_;
  if (rindex($data, $pf::config::crypt::PREFIX, 0) == 0) {
  my $result = pf::config::crypt::pf_decrypt($data);
  #return $result;
- return __PACKAGE__->new($result);
+ return $class->new($result);
  }
- return __PACKAGE__->new($data);
+ return $class->new($data);
+}
+
+sub TO_JSON {
+ ${$_[0]}
 }
 
 use overload 
@@ -47,10 +41,13 @@ use overload
 
 
 sub stringify {
+ if (rindex(${$_[0]}, $pf::config::crypt::PREFIX, 0) == 0) {
+ ${$_[0]} = pf::config::crypt::pf_decrypt(${$_[0]});
+ }
+
  ${$_[0]}
 }
 
-
 =head1 AUTHOR
 
 Inverse inc. <[email protected]>

lib/pf/config/crypt/object/freeze.pm

@@ -0,0 +1,55 @@
+package pf::config::crypt::object::freeze;
+
+=head1 NAME
+
+pf::config::crypt::object::freeze -
+
+=head1 DESCRIPTION
+
+pf::config::crypt::object::freeze
+
+=cut
+
+use strict;
+use warnings;
+use pf::config::crypt;
+
+sub pf::config::crypt::object::FREEZE {
+ my ($self, $serializer) = @_;
+ my $data = $$self;
+ if (rindex($data, $pf::config::crypt::PREFIX, 0) == 0) {
+ return $data;
+ }
+
+ return pf::config::crypt::pf_encrypt($data)
+}
+
+=head1 AUTHOR
+
+Inverse inc. <[email protected]>
+
+=head1 COPYRIGHT
+
+Copyright (C) 2005-2024 Inverse inc.
+
+=head1 LICENSE
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+USA.
+
+=cut
+
+1;
+

lib/pfconfig/manager.pm

@@ -48,6 +48,9 @@ use Tie::IxHash;
 use pfconfig::config;
 use pf::constants::user;
 use pfconfig::git_storage;
+use pf::config::crypt;
+use pf::config::crypt::object;
+use Scalar::Util qw(reftype);
 
 my $ordered_prefix = "ORDERED::";
 
@@ -63,7 +66,37 @@ sub config_builder {
  my $logger = get_logger;
  my $elem = $self->get_namespace($namespace);
  my $tmp = $elem->build();
- return $tmp;
+ return filter_data($tmp);
+}
+
+sub filter_data {
+ my ($value) = @_;
+ return $value if !defined $value;
+ my $ref_type = reftype($value);
+ if (!defined ($ref_type)) {
+ if (rindex($value, $pf::config::crypt::PREFIX, 0) == 0) {
+ return pf::config::crypt::object->new($value);
+ }
+ return $value;
+ }
+
+ if ($ref_type eq 'ARRAY') {
+ for (my $i =0;$i<@$value;$i++) {
+ $value->[$i] = filter_data($value->[$i]);
+ }
+
+ return $value;
+ }
+
+ if ($ref_type eq 'HASH') {
+ while (my ($k, $v) = each %$value) {
+ $value->{$k} = filter_data($v);
+ }
+
+ return $value;
+ }
+
+ return $value;
 }
 
 =head2 get_namespace
@@ -231,9 +264,7 @@ sub touch_cache {
  my $filename = pfconfig::util::control_file_path($what);
  $filename = untaint_chain($filename);
  touch_file($filename);
- $self->{last_touch_cache} = time;
- $pfconfig::cached::LAST_TOUCH_CACHE = time;
- $pfconfig::cached::RELOADED_TOUCH_CACHE = time;
+ $self->{last_touch_cache} = $pfconfig::cached::LAST_TOUCH_CACHE = $pfconfig::cached::RELOADED_TOUCH_CACHE = time;
 }
 
 =head2 get_cache
@@ -339,11 +370,12 @@ sub cache_resource {
  # inflates the element if necessary
  $result = $self->post_process_element($what, $result);
  my $cache_w = $self->{cache}->set( $what, $result, 864000 );
- $logger->trace("Cache write gave : $cache_w");
  unless ($cache_w) {
  my $message = "Could not write namespace $what to L2 cache !";
  print STDERR $message . "\n";
  $logger->error($message);
+ } else {
+ $logger->trace("Cache write gave : $cache_w");
  }
  if($self->{pfconfig_server}) {
  $self->touch_cache($what);

sbin/pfconfig

@@ -55,6 +55,8 @@ use Linux::Systemd::Daemon 'sd_ready';
 use POSIX 'WNOHANG';
 use pfconfig::git_storage;
 use Tie::IxHash;
+use pf::config::crypt::object;
+use pf::config::crypt::object::freeze;
 
 our $RUNNING = 1;
 

t/unittest/config/crypt/object.t → t/unittest/config/crypt/object/freeze.t

@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-object
+freeze
 
 =head1 DESCRIPTION
 
@@ -22,6 +22,7 @@ BEGIN {
 
 use Test::More tests => 4;
 use pf::config::crypt::object;
+use pf::config::crypt::object::freeze;
 use pf::Sereal qw($DECODER $ENCODER_FREEZER);
 use Sereal::Encoder qw(sereal_encode_with_object);
 use Sereal::Decoder qw(sereal_decode_with_object);
@@ -41,8 +42,8 @@ my $data = sereal_encode_with_object($ENCODER_FREEZER, $object);
 $thawed = sereal_decode_with_object($DECODER, $data);
 is($secret, $thawed, "Data frozen and thawed");
 
+use Data::Dumper; print Dumper($authentication_lookup{LDAPWITHENCRYPTEDPASSWORD});
 is($secret, $authentication_lookup{LDAPWITHENCRYPTEDPASSWORD}{password}, "Data frozen and thawed from pfconfig");
-#use Data::Dumper; print Dumper($authentication_lookup{LDAPWITHENCRYPTEDPASSWORD});
 
 =head1 AUTHOR