salt/temporary-fix-extend-the-whitelist-of-allowed-comman.patch

From 7605781decd03cb493e09893aa60a5cdbed15d35 Mon Sep 17 00:00:00 2001
From: Bo Maryniuk <bo@suse.de>
Date: Thu, 24 Jan 2019 18:12:35 +0100
Subject: [PATCH] temporary fix: extend the whitelist of allowed
 commands

---
 salt/auth/__init__.py | 48 +++++++++++++++++++++----------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/salt/auth/__init__.py b/salt/auth/__init__.py
index c4cf163a67..ee1eac7ce4 100644
--- a/salt/auth/__init__.py
+++ b/salt/auth/__init__.py
@@ -1,4 +1,3 @@
-# -*- coding: utf-8 -*-
 """
 Salt's pluggable authentication system
 
@@ -13,7 +12,6 @@ so that any external authentication system can be used inside of Salt
 # 5. Cache auth token with relative data opts['token_dir']
 # 6. Interface to verify tokens
 
-from __future__ import absolute_import, print_function, unicode_literals
 
 import collections
 import getpass
@@ -48,6 +46,8 @@ AUTH_INTERNAL_KEYWORDS = frozenset(
         "gather_job_timeout",
         "kwarg",
         "match",
+        "id_",
+        "force",
         "metadata",
         "print_event",
         "raw",
@@ -56,7 +56,7 @@ AUTH_INTERNAL_KEYWORDS = frozenset(
 )
 
 
-class LoadAuth(object):
+class LoadAuth:
     """
     Wrap the authentication system to handle peripheral components
     """
@@ -76,7 +76,7 @@ class LoadAuth(object):
         """
         if "eauth" not in load:
             return ""
-        fstr = "{0}.auth".format(load["eauth"])
+        fstr = "{}.auth".format(load["eauth"])
         if fstr not in self.auth:
             return ""
         try:
@@ -94,7 +94,7 @@ class LoadAuth(object):
         """
         if "eauth" not in load:
             return False
-        fstr = "{0}.auth".format(load["eauth"])
+        fstr = "{}.auth".format(load["eauth"])
         if fstr not in self.auth:
             return False
         # When making auth calls, only username, password, auth, and token
@@ -144,7 +144,7 @@ class LoadAuth(object):
         mod = self.opts["eauth_acl_module"]
         if not mod:
             mod = load["eauth"]
-        fstr = "{0}.acl".format(mod)
+        fstr = "{}.acl".format(mod)
         if fstr not in self.auth:
             return None
         fcall = salt.utils.args.format_call(
@@ -163,7 +163,7 @@ class LoadAuth(object):
         """
         if "eauth" not in load:
             return auth_list
-        fstr = "{0}.process_acl".format(load["eauth"])
+        fstr = "{}.process_acl".format(load["eauth"])
         if fstr not in self.auth:
             return auth_list
         try:
@@ -179,7 +179,7 @@ class LoadAuth(object):
         """
         if "eauth" not in load:
             return False
-        fstr = "{0}.groups".format(load["eauth"])
+        fstr = "{}.groups".format(load["eauth"])
         if fstr not in self.auth:
             return False
         fcall = salt.utils.args.format_call(
@@ -237,7 +237,7 @@ class LoadAuth(object):
         if groups:
             tdata["groups"] = groups
 
-        return self.tokens["{0}.mk_token".format(self.opts["eauth_tokens"])](
+        return self.tokens["{}.mk_token".format(self.opts["eauth_tokens"])](
             self.opts, tdata
         )
 
@@ -248,7 +248,7 @@ class LoadAuth(object):
         """
         tdata = {}
         try:
-            tdata = self.tokens["{0}.get_token".format(self.opts["eauth_tokens"])](
+            tdata = self.tokens["{}.get_token".format(self.opts["eauth_tokens"])](
                 self.opts, tok
             )
         except salt.exceptions.SaltDeserializationError:
@@ -275,7 +275,7 @@ class LoadAuth(object):
         """
         List all tokens in eauth_tokn storage.
         """
-        return self.tokens["{0}.list_tokens".format(self.opts["eauth_tokens"])](
+        return self.tokens["{}.list_tokens".format(self.opts["eauth_tokens"])](
             self.opts
         )
 
@@ -283,7 +283,7 @@ class LoadAuth(object):
         """
         Remove the given token from token storage.
         """
-        self.tokens["{0}.rm_token".format(self.opts["eauth_tokens"])](self.opts, tok)
+        self.tokens["{}.rm_token".format(self.opts["eauth_tokens"])](self.opts, tok)
 
     def authenticate_token(self, load):
         """
@@ -459,7 +459,7 @@ class LoadAuth(object):
                 ret["error"] = {
                     "name": "EauthAuthenticationError",
                     "message": 'Authentication failure of type "eauth" occurred for '
-                    "user {0}.".format(username),
+                    "user {}.".format(username),
                 }
                 return ret
 
@@ -469,7 +469,7 @@ class LoadAuth(object):
             msg = 'Authentication failure of type "user" occurred'
             if not auth_ret:  # auth_ret can be a boolean or the effective user id
                 if show_username:
-                    msg = "{0} for user {1}.".format(msg, username)
+                    msg = "{} for user {}.".format(msg, username)
                 ret["error"] = {"name": "UserAuthenticationError", "message": msg}
                 return ret
 
@@ -501,7 +501,7 @@ class LoadAuth(object):
         return ret
 
 
-class Resolver(object):
+class Resolver:
     """
     The class used to resolve options for the command line and for generic
     interactive interfaces
@@ -514,7 +514,7 @@ class Resolver(object):
     def _send_token_request(self, load):
         master_uri = "tcp://{}:{}".format(
             salt.utils.zeromq.ip_bracket(self.opts["interface"]),
-            six.text_type(self.opts["ret_port"]),
+            str(self.opts["ret_port"]),
         )
         with salt.transport.client.ReqChannel.factory(
             self.opts, crypt="clear", master_uri=master_uri
@@ -530,16 +530,16 @@ class Resolver(object):
         if not eauth:
             print("External authentication system has not been specified")
             return ret
-        fstr = "{0}.auth".format(eauth)
+        fstr = "{}.auth".format(eauth)
         if fstr not in self.auth:
             print(
                 (
-                    'The specified external authentication system "{0}" is '
+                    'The specified external authentication system "{}" is '
                     "not available"
                 ).format(eauth)
             )
             print(
-                "Available eauth types: {0}".format(
+                "Available eauth types: {}".format(
                     ", ".join([k[:-5] for k in self.auth if k.endswith(".auth")])
                 )
             )
@@ -550,14 +550,14 @@ class Resolver(object):
             if arg in self.opts:
                 ret[arg] = self.opts[arg]
             elif arg.startswith("pass"):
-                ret[arg] = getpass.getpass("{0}: ".format(arg))
+                ret[arg] = getpass.getpass("{}: ".format(arg))
             else:
-                ret[arg] = input("{0}: ".format(arg))
+                ret[arg] = input("{}: ".format(arg))
         for kwarg, default in list(args["kwargs"].items()):
             if kwarg in self.opts:
                 ret["kwarg"] = self.opts[kwarg]
             else:
-                ret[kwarg] = input("{0} [{1}]: ".format(kwarg, default))
+                ret[kwarg] = input("{} [{}]: ".format(kwarg, default))
 
         # Use current user if empty
         if "username" in ret and not ret["username"]:
@@ -579,7 +579,7 @@ class Resolver(object):
             with salt.utils.files.set_umask(0o177):
                 with salt.utils.files.fopen(self.opts["token_file"], "w+") as fp_:
                     fp_.write(tdata["token"])
-        except (IOError, OSError):
+        except OSError:
             pass
         return tdata
 
@@ -602,7 +602,7 @@ class Resolver(object):
         return tdata
 
 
-class AuthUser(object):
+class AuthUser:
     """
     Represents a user requesting authentication to the salt master
     """
-- 
2.29.2