2021-01-08 13:41:50 +01:00
|
|
|
From 7605781decd03cb493e09893aa60a5cdbed15d35 Mon Sep 17 00:00:00 2001
|
2019-04-12 11:57:21 +02:00
|
|
|
From: Bo Maryniuk <bo@suse.de>
|
|
|
|
Date: Thu, 24 Jan 2019 18:12:35 +0100
|
2021-01-08 13:41:50 +01:00
|
|
|
Subject: [PATCH] temporary fix: extend the whitelist of allowed
|
|
|
|
commands
|
2019-04-12 11:57:21 +02:00
|
|
|
|
|
|
|
---
|
2021-01-08 13:41:50 +01:00
|
|
|
salt/auth/__init__.py | 48 +++++++++++++++++++++----------------------
|
|
|
|
1 file changed, 24 insertions(+), 24 deletions(-)
|
2019-04-12 11:57:21 +02:00
|
|
|
|
|
|
|
diff --git a/salt/auth/__init__.py b/salt/auth/__init__.py
|
2021-01-08 13:41:50 +01:00
|
|
|
index c4cf163a67..ee1eac7ce4 100644
|
2019-04-12 11:57:21 +02:00
|
|
|
--- a/salt/auth/__init__.py
|
|
|
|
+++ b/salt/auth/__init__.py
|
2021-01-08 13:41:50 +01:00
|
|
|
@@ -1,4 +1,3 @@
|
|
|
|
-# -*- coding: utf-8 -*-
|
|
|
|
"""
|
|
|
|
Salt's pluggable authentication system
|
|
|
|
|
|
|
|
@@ -13,7 +12,6 @@ so that any external authentication system can be used inside of Salt
|
|
|
|
# 5. Cache auth token with relative data opts['token_dir']
|
|
|
|
# 6. Interface to verify tokens
|
|
|
|
|
|
|
|
-from __future__ import absolute_import, print_function, unicode_literals
|
|
|
|
|
|
|
|
import collections
|
|
|
|
import getpass
|
|
|
|
@@ -48,6 +46,8 @@ AUTH_INTERNAL_KEYWORDS = frozenset(
|
|
|
|
"gather_job_timeout",
|
|
|
|
"kwarg",
|
|
|
|
"match",
|
|
|
|
+ "id_",
|
|
|
|
+ "force",
|
|
|
|
"metadata",
|
|
|
|
"print_event",
|
|
|
|
"raw",
|
|
|
|
@@ -56,7 +56,7 @@ AUTH_INTERNAL_KEYWORDS = frozenset(
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
-class LoadAuth(object):
|
|
|
|
+class LoadAuth:
|
|
|
|
"""
|
|
|
|
Wrap the authentication system to handle peripheral components
|
|
|
|
"""
|
|
|
|
@@ -76,7 +76,7 @@ class LoadAuth(object):
|
|
|
|
"""
|
|
|
|
if "eauth" not in load:
|
|
|
|
return ""
|
|
|
|
- fstr = "{0}.auth".format(load["eauth"])
|
|
|
|
+ fstr = "{}.auth".format(load["eauth"])
|
|
|
|
if fstr not in self.auth:
|
|
|
|
return ""
|
|
|
|
try:
|
|
|
|
@@ -94,7 +94,7 @@ class LoadAuth(object):
|
|
|
|
"""
|
|
|
|
if "eauth" not in load:
|
|
|
|
return False
|
|
|
|
- fstr = "{0}.auth".format(load["eauth"])
|
|
|
|
+ fstr = "{}.auth".format(load["eauth"])
|
|
|
|
if fstr not in self.auth:
|
|
|
|
return False
|
|
|
|
# When making auth calls, only username, password, auth, and token
|
|
|
|
@@ -144,7 +144,7 @@ class LoadAuth(object):
|
|
|
|
mod = self.opts["eauth_acl_module"]
|
|
|
|
if not mod:
|
|
|
|
mod = load["eauth"]
|
|
|
|
- fstr = "{0}.acl".format(mod)
|
|
|
|
+ fstr = "{}.acl".format(mod)
|
|
|
|
if fstr not in self.auth:
|
|
|
|
return None
|
|
|
|
fcall = salt.utils.args.format_call(
|
|
|
|
@@ -163,7 +163,7 @@ class LoadAuth(object):
|
|
|
|
"""
|
|
|
|
if "eauth" not in load:
|
|
|
|
return auth_list
|
|
|
|
- fstr = "{0}.process_acl".format(load["eauth"])
|
|
|
|
+ fstr = "{}.process_acl".format(load["eauth"])
|
|
|
|
if fstr not in self.auth:
|
|
|
|
return auth_list
|
|
|
|
try:
|
|
|
|
@@ -179,7 +179,7 @@ class LoadAuth(object):
|
|
|
|
"""
|
|
|
|
if "eauth" not in load:
|
|
|
|
return False
|
|
|
|
- fstr = "{0}.groups".format(load["eauth"])
|
|
|
|
+ fstr = "{}.groups".format(load["eauth"])
|
|
|
|
if fstr not in self.auth:
|
|
|
|
return False
|
|
|
|
fcall = salt.utils.args.format_call(
|
|
|
|
@@ -237,7 +237,7 @@ class LoadAuth(object):
|
|
|
|
if groups:
|
|
|
|
tdata["groups"] = groups
|
|
|
|
|
|
|
|
- return self.tokens["{0}.mk_token".format(self.opts["eauth_tokens"])](
|
|
|
|
+ return self.tokens["{}.mk_token".format(self.opts["eauth_tokens"])](
|
|
|
|
self.opts, tdata
|
|
|
|
)
|
|
|
|
|
|
|
|
@@ -248,7 +248,7 @@ class LoadAuth(object):
|
|
|
|
"""
|
|
|
|
tdata = {}
|
|
|
|
try:
|
|
|
|
- tdata = self.tokens["{0}.get_token".format(self.opts["eauth_tokens"])](
|
|
|
|
+ tdata = self.tokens["{}.get_token".format(self.opts["eauth_tokens"])](
|
|
|
|
self.opts, tok
|
|
|
|
)
|
|
|
|
except salt.exceptions.SaltDeserializationError:
|
|
|
|
@@ -275,7 +275,7 @@ class LoadAuth(object):
|
|
|
|
"""
|
|
|
|
List all tokens in eauth_tokn storage.
|
|
|
|
"""
|
|
|
|
- return self.tokens["{0}.list_tokens".format(self.opts["eauth_tokens"])](
|
|
|
|
+ return self.tokens["{}.list_tokens".format(self.opts["eauth_tokens"])](
|
|
|
|
self.opts
|
|
|
|
)
|
|
|
|
|
|
|
|
@@ -283,7 +283,7 @@ class LoadAuth(object):
|
|
|
|
"""
|
|
|
|
Remove the given token from token storage.
|
|
|
|
"""
|
|
|
|
- self.tokens["{0}.rm_token".format(self.opts["eauth_tokens"])](self.opts, tok)
|
|
|
|
+ self.tokens["{}.rm_token".format(self.opts["eauth_tokens"])](self.opts, tok)
|
|
|
|
|
|
|
|
def authenticate_token(self, load):
|
|
|
|
"""
|
|
|
|
@@ -459,7 +459,7 @@ class LoadAuth(object):
|
|
|
|
ret["error"] = {
|
|
|
|
"name": "EauthAuthenticationError",
|
|
|
|
"message": 'Authentication failure of type "eauth" occurred for '
|
|
|
|
- "user {0}.".format(username),
|
|
|
|
+ "user {}.".format(username),
|
|
|
|
}
|
|
|
|
return ret
|
|
|
|
|
|
|
|
@@ -469,7 +469,7 @@ class LoadAuth(object):
|
|
|
|
msg = 'Authentication failure of type "user" occurred'
|
|
|
|
if not auth_ret: # auth_ret can be a boolean or the effective user id
|
|
|
|
if show_username:
|
|
|
|
- msg = "{0} for user {1}.".format(msg, username)
|
|
|
|
+ msg = "{} for user {}.".format(msg, username)
|
|
|
|
ret["error"] = {"name": "UserAuthenticationError", "message": msg}
|
|
|
|
return ret
|
|
|
|
|
|
|
|
@@ -501,7 +501,7 @@ class LoadAuth(object):
|
|
|
|
return ret
|
|
|
|
|
|
|
|
|
|
|
|
-class Resolver(object):
|
|
|
|
+class Resolver:
|
|
|
|
"""
|
|
|
|
The class used to resolve options for the command line and for generic
|
|
|
|
interactive interfaces
|
|
|
|
@@ -514,7 +514,7 @@ class Resolver(object):
|
|
|
|
def _send_token_request(self, load):
|
|
|
|
master_uri = "tcp://{}:{}".format(
|
|
|
|
salt.utils.zeromq.ip_bracket(self.opts["interface"]),
|
|
|
|
- six.text_type(self.opts["ret_port"]),
|
|
|
|
+ str(self.opts["ret_port"]),
|
|
|
|
)
|
|
|
|
with salt.transport.client.ReqChannel.factory(
|
|
|
|
self.opts, crypt="clear", master_uri=master_uri
|
|
|
|
@@ -530,16 +530,16 @@ class Resolver(object):
|
|
|
|
if not eauth:
|
|
|
|
print("External authentication system has not been specified")
|
|
|
|
return ret
|
|
|
|
- fstr = "{0}.auth".format(eauth)
|
|
|
|
+ fstr = "{}.auth".format(eauth)
|
|
|
|
if fstr not in self.auth:
|
|
|
|
print(
|
|
|
|
(
|
|
|
|
- 'The specified external authentication system "{0}" is '
|
|
|
|
+ 'The specified external authentication system "{}" is '
|
|
|
|
"not available"
|
|
|
|
).format(eauth)
|
|
|
|
)
|
|
|
|
print(
|
|
|
|
- "Available eauth types: {0}".format(
|
|
|
|
+ "Available eauth types: {}".format(
|
|
|
|
", ".join([k[:-5] for k in self.auth if k.endswith(".auth")])
|
|
|
|
)
|
|
|
|
)
|
|
|
|
@@ -550,14 +550,14 @@ class Resolver(object):
|
|
|
|
if arg in self.opts:
|
|
|
|
ret[arg] = self.opts[arg]
|
|
|
|
elif arg.startswith("pass"):
|
|
|
|
- ret[arg] = getpass.getpass("{0}: ".format(arg))
|
|
|
|
+ ret[arg] = getpass.getpass("{}: ".format(arg))
|
|
|
|
else:
|
|
|
|
- ret[arg] = input("{0}: ".format(arg))
|
|
|
|
+ ret[arg] = input("{}: ".format(arg))
|
|
|
|
for kwarg, default in list(args["kwargs"].items()):
|
|
|
|
if kwarg in self.opts:
|
|
|
|
ret["kwarg"] = self.opts[kwarg]
|
|
|
|
else:
|
|
|
|
- ret[kwarg] = input("{0} [{1}]: ".format(kwarg, default))
|
|
|
|
+ ret[kwarg] = input("{} [{}]: ".format(kwarg, default))
|
|
|
|
|
|
|
|
# Use current user if empty
|
|
|
|
if "username" in ret and not ret["username"]:
|
|
|
|
@@ -579,7 +579,7 @@ class Resolver(object):
|
|
|
|
with salt.utils.files.set_umask(0o177):
|
|
|
|
with salt.utils.files.fopen(self.opts["token_file"], "w+") as fp_:
|
|
|
|
fp_.write(tdata["token"])
|
|
|
|
- except (IOError, OSError):
|
|
|
|
+ except OSError:
|
|
|
|
pass
|
|
|
|
return tdata
|
|
|
|
|
|
|
|
@@ -602,7 +602,7 @@ class Resolver(object):
|
|
|
|
return tdata
|
|
|
|
|
|
|
|
|
|
|
|
-class AuthUser(object):
|
|
|
|
+class AuthUser:
|
|
|
|
"""
|
|
|
|
Represents a user requesting authentication to the salt master
|
|
|
|
"""
|
2019-04-12 11:57:21 +02:00
|
|
|
--
|
2021-01-08 13:41:50 +01:00
|
|
|
2.29.2
|
2019-04-12 11:57:21 +02:00
|
|
|
|
|
|
|
|