From 7605781decd03cb493e09893aa60a5cdbed15d35 Mon Sep 17 00:00:00 2001 From: Bo Maryniuk Date: Thu, 24 Jan 2019 18:12:35 +0100 Subject: [PATCH] temporary fix: extend the whitelist of allowed commands --- salt/auth/__init__.py | 48 +++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/salt/auth/__init__.py b/salt/auth/__init__.py index c4cf163a67..ee1eac7ce4 100644 --- a/salt/auth/__init__.py +++ b/salt/auth/__init__.py @@ -1,4 +1,3 @@ -# -*- coding: utf-8 -*- """ Salt's pluggable authentication system @@ -13,7 +12,6 @@ so that any external authentication system can be used inside of Salt # 5. Cache auth token with relative data opts['token_dir'] # 6. Interface to verify tokens -from __future__ import absolute_import, print_function, unicode_literals import collections import getpass @@ -48,6 +46,8 @@ AUTH_INTERNAL_KEYWORDS = frozenset( "gather_job_timeout", "kwarg", "match", + "id_", + "force", "metadata", "print_event", "raw", @@ -56,7 +56,7 @@ AUTH_INTERNAL_KEYWORDS = frozenset( ) -class LoadAuth(object): +class LoadAuth: """ Wrap the authentication system to handle peripheral components """ @@ -76,7 +76,7 @@ class LoadAuth(object): """ if "eauth" not in load: return "" - fstr = "{0}.auth".format(load["eauth"]) + fstr = "{}.auth".format(load["eauth"]) if fstr not in self.auth: return "" try: @@ -94,7 +94,7 @@ class LoadAuth(object): """ if "eauth" not in load: return False - fstr = "{0}.auth".format(load["eauth"]) + fstr = "{}.auth".format(load["eauth"]) if fstr not in self.auth: return False # When making auth calls, only username, password, auth, and token @@ -144,7 +144,7 @@ class LoadAuth(object): mod = self.opts["eauth_acl_module"] if not mod: mod = load["eauth"] - fstr = "{0}.acl".format(mod) + fstr = "{}.acl".format(mod) if fstr not in self.auth: return None fcall = salt.utils.args.format_call( @@ -163,7 +163,7 @@ class LoadAuth(object): """ if "eauth" not in load: return auth_list - fstr = "{0}.process_acl".format(load["eauth"]) + fstr = "{}.process_acl".format(load["eauth"]) if fstr not in self.auth: return auth_list try: @@ -179,7 +179,7 @@ class LoadAuth(object): """ if "eauth" not in load: return False - fstr = "{0}.groups".format(load["eauth"]) + fstr = "{}.groups".format(load["eauth"]) if fstr not in self.auth: return False fcall = salt.utils.args.format_call( @@ -237,7 +237,7 @@ class LoadAuth(object): if groups: tdata["groups"] = groups - return self.tokens["{0}.mk_token".format(self.opts["eauth_tokens"])]( + return self.tokens["{}.mk_token".format(self.opts["eauth_tokens"])]( self.opts, tdata ) @@ -248,7 +248,7 @@ class LoadAuth(object): """ tdata = {} try: - tdata = self.tokens["{0}.get_token".format(self.opts["eauth_tokens"])]( + tdata = self.tokens["{}.get_token".format(self.opts["eauth_tokens"])]( self.opts, tok ) except salt.exceptions.SaltDeserializationError: @@ -275,7 +275,7 @@ class LoadAuth(object): """ List all tokens in eauth_tokn storage. """ - return self.tokens["{0}.list_tokens".format(self.opts["eauth_tokens"])]( + return self.tokens["{}.list_tokens".format(self.opts["eauth_tokens"])]( self.opts ) @@ -283,7 +283,7 @@ class LoadAuth(object): """ Remove the given token from token storage. """ - self.tokens["{0}.rm_token".format(self.opts["eauth_tokens"])](self.opts, tok) + self.tokens["{}.rm_token".format(self.opts["eauth_tokens"])](self.opts, tok) def authenticate_token(self, load): """ @@ -459,7 +459,7 @@ class LoadAuth(object): ret["error"] = { "name": "EauthAuthenticationError", "message": 'Authentication failure of type "eauth" occurred for ' - "user {0}.".format(username), + "user {}.".format(username), } return ret @@ -469,7 +469,7 @@ class LoadAuth(object): msg = 'Authentication failure of type "user" occurred' if not auth_ret: # auth_ret can be a boolean or the effective user id if show_username: - msg = "{0} for user {1}.".format(msg, username) + msg = "{} for user {}.".format(msg, username) ret["error"] = {"name": "UserAuthenticationError", "message": msg} return ret @@ -501,7 +501,7 @@ class LoadAuth(object): return ret -class Resolver(object): +class Resolver: """ The class used to resolve options for the command line and for generic interactive interfaces @@ -514,7 +514,7 @@ class Resolver(object): def _send_token_request(self, load): master_uri = "tcp://{}:{}".format( salt.utils.zeromq.ip_bracket(self.opts["interface"]), - six.text_type(self.opts["ret_port"]), + str(self.opts["ret_port"]), ) with salt.transport.client.ReqChannel.factory( self.opts, crypt="clear", master_uri=master_uri @@ -530,16 +530,16 @@ class Resolver(object): if not eauth: print("External authentication system has not been specified") return ret - fstr = "{0}.auth".format(eauth) + fstr = "{}.auth".format(eauth) if fstr not in self.auth: print( ( - 'The specified external authentication system "{0}" is ' + 'The specified external authentication system "{}" is ' "not available" ).format(eauth) ) print( - "Available eauth types: {0}".format( + "Available eauth types: {}".format( ", ".join([k[:-5] for k in self.auth if k.endswith(".auth")]) ) ) @@ -550,14 +550,14 @@ class Resolver(object): if arg in self.opts: ret[arg] = self.opts[arg] elif arg.startswith("pass"): - ret[arg] = getpass.getpass("{0}: ".format(arg)) + ret[arg] = getpass.getpass("{}: ".format(arg)) else: - ret[arg] = input("{0}: ".format(arg)) + ret[arg] = input("{}: ".format(arg)) for kwarg, default in list(args["kwargs"].items()): if kwarg in self.opts: ret["kwarg"] = self.opts[kwarg] else: - ret[kwarg] = input("{0} [{1}]: ".format(kwarg, default)) + ret[kwarg] = input("{} [{}]: ".format(kwarg, default)) # Use current user if empty if "username" in ret and not ret["username"]: @@ -579,7 +579,7 @@ class Resolver(object): with salt.utils.files.set_umask(0o177): with salt.utils.files.fopen(self.opts["token_file"], "w+") as fp_: fp_.write(tdata["token"]) - except (IOError, OSError): + except OSError: pass return tdata @@ -602,7 +602,7 @@ class Resolver(object): return tdata -class AuthUser(object): +class AuthUser: """ Represents a user requesting authentication to the salt master """ -- 2.29.2