65598582f5
OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=179
121 lines
4.8 KiB
Diff
121 lines
4.8 KiB
Diff
From bc7acab857b952353a959339b06c79d851a9d879 Mon Sep 17 00:00:00 2001
|
|
From: "Daniel A. Wozniak" <dwozniak@saltstack.com>
|
|
Date: Wed, 16 Sep 2020 00:25:10 +0000
|
|
Subject: [PATCH] Fix CVE-2020-25592 and add tests (bsc#1178319)
|
|
|
|
Properly validate eauth credentials and tokens on SSH calls made by Salt API
|
|
|
|
(bsc#1178319) (bsc#1178362) (bsc#1178361) (CVE-2020-25592) (CVE-2020-17490) (CVE-2020-16846)
|
|
---
|
|
salt/netapi/__init__.py | 43 +++++++++++++++++++++++++
|
|
tests/integration/netapi/test_client.py | 13 ++++++--
|
|
2 files changed, 53 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/salt/netapi/__init__.py b/salt/netapi/__init__.py
|
|
index dec19b37ef..cba1ec574f 100644
|
|
--- a/salt/netapi/__init__.py
|
|
+++ b/salt/netapi/__init__.py
|
|
@@ -109,6 +109,49 @@ class NetapiClient:
|
|
"Authorization error occurred."
|
|
)
|
|
|
|
+ def _prep_auth_info(self, clear_load):
|
|
+ sensitive_load_keys = []
|
|
+ key = None
|
|
+ if "token" in clear_load:
|
|
+ auth_type = "token"
|
|
+ err_name = "TokenAuthenticationError"
|
|
+ sensitive_load_keys = ["token"]
|
|
+ return auth_type, err_name, key, sensitive_load_keys
|
|
+ elif "eauth" in clear_load:
|
|
+ auth_type = "eauth"
|
|
+ err_name = "EauthAuthenticationError"
|
|
+ sensitive_load_keys = ["username", "password"]
|
|
+ return auth_type, err_name, key, sensitive_load_keys
|
|
+ raise salt.exceptions.EauthAuthenticationError(
|
|
+ "No authentication credentials given"
|
|
+ )
|
|
+
|
|
+ def _authorize_ssh(self, low):
|
|
+ auth_type, err_name, key, sensitive_load_keys = self._prep_auth_info(low)
|
|
+ auth_check = self.loadauth.check_authentication(low, auth_type, key=key)
|
|
+ auth_list = auth_check.get("auth_list", [])
|
|
+ error = auth_check.get("error")
|
|
+ if error:
|
|
+ raise salt.exceptions.EauthAuthenticationError(error)
|
|
+ delimiter = low.get("kwargs", {}).get("delimiter", DEFAULT_TARGET_DELIM)
|
|
+ _res = self.ckminions.check_minions(
|
|
+ low["tgt"], low.get("tgt_type", "glob"), delimiter
|
|
+ )
|
|
+ minions = _res.get("minions", list())
|
|
+ missing = _res.get("missing", list())
|
|
+ authorized = self.ckminions.auth_check(
|
|
+ auth_list,
|
|
+ low["fun"],
|
|
+ low.get("arg", []),
|
|
+ low["tgt"],
|
|
+ low.get("tgt_type", "glob"),
|
|
+ minions=minions,
|
|
+ )
|
|
+ if not authorized:
|
|
+ raise salt.exceptions.EauthAuthenticationError(
|
|
+ "Authorization error occurred."
|
|
+ )
|
|
+
|
|
def run(self, low):
|
|
"""
|
|
Execute the specified function in the specified client by passing the
|
|
diff --git a/tests/integration/netapi/test_client.py b/tests/integration/netapi/test_client.py
|
|
index 70471d3148..9eb6e52920 100644
|
|
--- a/tests/integration/netapi/test_client.py
|
|
+++ b/tests/integration/netapi/test_client.py
|
|
@@ -15,10 +15,12 @@ from tests.support.helpers import (
|
|
SKIP_IF_NOT_RUNNING_PYTEST,
|
|
SaveRequestsPostHandler,
|
|
Webserver,
|
|
+ requires_sshd_server,
|
|
slowTest,
|
|
)
|
|
from tests.support.mixins import AdaptedConfigurationTestCaseMixin
|
|
from tests.support.mock import patch
|
|
+from tests.support.paths import TMP, TMP_CONF_DIR
|
|
from tests.support.runtests import RUNTIME_VARS
|
|
from tests.support.unit import TestCase, skipIf
|
|
|
|
@@ -178,7 +180,12 @@ class NetapiSSHClientTest(SSHCase):
|
|
"""
|
|
opts = AdaptedConfigurationTestCaseMixin.get_config("client_config").copy()
|
|
self.netapi = salt.netapi.NetapiClient(opts)
|
|
- self.priv_file = os.path.join(RUNTIME_VARS.TMP_SSH_CONF_DIR, "client_key")
|
|
+ opts = salt.config.client_config(os.path.join(TMP_CONF_DIR, "master"))
|
|
+ naopts = copy.deepcopy(opts)
|
|
+ naopts["ignore_host_keys"] = True
|
|
+ self.netapi = salt.netapi.NetapiClient(naopts)
|
|
+
|
|
+ self.priv_file = os.path.join(RUNTIME_VARS.TMP_CONF_DIR, "key_test")
|
|
self.rosters = os.path.join(RUNTIME_VARS.TMP_CONF_DIR)
|
|
self.roster_file = os.path.join(self.rosters, "roster")
|
|
|
|
@@ -325,7 +332,7 @@ class NetapiSSHClientTest(SSHCase):
|
|
"roster": "cache",
|
|
"client": "ssh",
|
|
"tgt": "root|id>{} #@127.0.0.1".format(path),
|
|
- "roster_file": self.roster_file,
|
|
+ "roster_file": "/tmp/salt-tests-tmpdir/config/roaster",
|
|
"rosters": "/",
|
|
"fun": "test.ping",
|
|
"eauth": "auto",
|
|
@@ -355,7 +362,7 @@ class NetapiSSHClientTest(SSHCase):
|
|
"eauth": "auto",
|
|
"username": "saltdev_auto",
|
|
"password": "saltdev",
|
|
- "roster_file": self.roster_file,
|
|
+ "roster_file": "/tmp/salt-tests-tmpdir/config/roaster",
|
|
"rosters": "/",
|
|
"ssh_options": ["|id>{} #".format(path), "lol"],
|
|
}
|
|
--
|
|
2.29.2
|
|
|
|
|