o

�N�g�S�@s�dZd
dl
Z
d
dlZd
dlZd
dlZd
dlmZmZ
d
dlZ	d
dl
Z	d
dlZ	d
dlZ	d
dl
Z	d
dlZ	d
dlZ	d
dlZ	d
dlZ	d
dlZ	d
dlZ	d
dlZ	e�e�
Zegd�
�
ZGdd�d�ZGdd�d�ZGd	d
�d
�ZdS)z�
Salt's pluggable authentication system

This system allows for authentication to be managed in a module pluggable way
so that any external authentication system can be used inside of Salt
�N)�Iterable�Mapping)�client�cmd�eauthZfunZgather_job_timeout�kwarg�match�metadataZprint_event�rawZyield_pub_datac@s�eZ
dZd
Zd&dd�
Zdd�Zdd�Zd	d
�Zdd�Zd
d�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd�Zdd �Zd&d!d"�
Zd'd$d%�
ZdS)(�LoadAuthzH
    Wrap the authentication system to handle peripheral components
    NcCs@|
|_d
|_
tj�|
�
|_tj�|
�
|_|ptjj�	|
�
|_
dS)Ng�?)�opts�max_fail�salt�loader�auth�eauth_tokens�tokens�utilsZminionsZ	CkMinions�	ckminions)�selfrr�r�F/opt/saltstack/salt/lib/python3.10/site-packages/salt/auth/__init__.py�__init__:s





zLoadAuth.__init__cCsdd
|
v
rdSd�|
d
�
}||j
v
rdSztjj�|j
|�
dd}|
|WSty1


YdSw)z�
        Return the primary name associate with the load, if an empty string
        is returned then the load does not match the function
        r��{}.auth�argsr
)�formatrrrr�
arg_lookup�
IndexError)r�load�fstrZ	pname_argrrr�	load_nameAs










�zLoadAuth.load_namec
s�d
|
v
rdSd�|
d
�
}||j
v
rdSgd�
��f
dd�|
��D�
}tjjj|j
||td�}zd|vrD|j
||d	i|d�
�
WS|j
||d	�WStyf
}
z
t	�
d
|�
WYd}~dSd}~w
w)z�
        Return the token and set the cache data for use

        Do not call this directly! Use the time_auth method to overcome timing
        attacks
        rFr)�username�passwordr�tokenc
si|]\}
}|
�vr|
|�qSrr)�.0�key�value�
Z_validrr�
<dictcomp>`sz(LoadAuth.__auth_call.<locals>.<dictcomp>�
Zexpected_extra_kws�kwargsr�Authentication module threw %sN)rr�itemsrrr�format_call�AUTH_INTERNAL_KEYWORDS�	Exception�log�debug)rrr �_load�fcall�
err(rZ__auth_callQs&






�




��zLoadAuth.__auth_callcCs�t��}|�
|
�
}|r
|St��|}||jkr||_|jd
}t���|j||j|�}||t��krCt�d�

||t��ks6dS)zO
        Make sure that all failures happen in the same amount of time
        �g����MbP?F)�time�_LoadAuth__auth_callr
�random�SystemRandom�uniform�sleep)rr�start�retZf_timeZ	deviationZr_timerrr�	time_authns











�

�zLoadAuth.time_authc
Cs�d
|
v
rdS|jd}|s|
d
}|�d�}||j
v
rdStjjj|j
||
td�}z|j
||di|d�
�
WStyR
}
z
t�	d|�
WYd}~dSd}~w
w)	z�
        Returns ACL for a specific user.
        Returns None if eauth doesn't provide any for the user. I. e. None means: use acl declared
        in master config.
        rNZeauth_acl_modulez.aclr*rr+r,)
rrrrrr.r/r0r1r2)rr�modr r4r5rrrZ	__get_acl�s$











�



��zLoadAuth.__get_aclc
Csrd
|
v
r|Sd�|
d
�
}||j
v
r|Sz
|j
|||j�WSty8
}
zt�d|�
|WYd}~Sd}~w
w)z�
        Allows eauth module to modify the access list right before it'll be applied to the request.
        For example ldap auth module expands entries
        rz{}.process_aclr,N)rrrr0r1r2)rr�	auth_listr r5rrrZ
__process_acl�s









��zLoadAuth.__process_aclcCs�d
|
v
rdSd�|
d
�
}||j
v
rdStjjj|j
||
td�}z|j
||di|d�
�
WSty:


YdStyC


YdSw)zw
        Read in a load and return the groups a user is a member of
        by asking the appropriate provider
        rFz	{}.groupsr*rr+N)	rrrrrr.r/rr0)rrr r4rrr�
get_groups�s






�




�zLoadAuth.get_groupscCsT|j�
d
d�}|dur
dSt|t�r(|�
|
dg�}t|t�r(|
�
d�
|vr(dSdS)zP
        Return bool if requesting user is allowed to set custom expire
        Ztoken_expire_user_overrideFTrr")r�get�
isinstancerr)rrZexpire_overrideZexpire_whitelistrrr�_allow_custom_expire�s






zLoadAuth._allow_custom_expirecCs�|�|
�
siS|�
|
�
r|
�d
|jd
�}n|
�d
d�}|jd
}t��t��||�|
�
|
dd�}|jdrA|�|
�
}||d<|�|
�
}|rL||d<|jd�	|jd	�
|j|�S)
zM
        Run time_auth and create a token. Return False or the token
        �token_expireNr)r=�expire�namer�keep_acl_in_tokenrA�groupsz{}.mk_tokenr)
�authenticate_eauthrE�poprr7r!�_LoadAuth__get_aclrBrr)rrrF�
_�tdataZacl_retrJrrr�mk_token�s(









�







�zLoadAuth.mk_tokencCs�i}z|jd
�
|jd�
|j|
�}Wntjjy&


t�d|
�
d}Ynw|s+iSd}|�dd�t	�	�kr9d}|rB|�
|
�

iS|S)zg
        Return the name associated with the token, or False if the token is
        not valid
        z{}.get_tokenrz5Failed to load token %r - removing broken/empty file.TFrGr
)rrrr�
exceptionsZSaltDeserializationErrorr1�warningrCr7�rm_token)r�tokrOZrm_tokrrr�get_tok�s$


�

�




zLoadAuth.get_tokc

Cs|jd
�
|jd�
|j�
S)z8
        List all tokens in eauth_tokn storage.
        z{}.list_tokensr�rrr�
rrrr�list_tokens
s
�zLoadAuth.list_tokenscCs"|jd
�
|jd�
|j|
�
dS)z<
        Remove the given token from token storage.
        z{}.rm_tokenrNrV)rrTrrrrS
s"zLoadAuth.rm_tokencCs6|�|
d
�
}|r|d|j
dv
rt�d�

dS|S)z~
        Authenticate a user by the token specified in load.
        Return the token object or False if auth failed.
        r$r�
external_auth�0Authentication failure of type "token" occurred.F)rUrr1rR)rrr$rrr�authenticate_token
s



zLoadAuth.authenticate_tokencCsbd
|
v
rt�
d�

dS|
d
|jdv
r#t�
d|
d
�
t�
d�

dS|�|
�
s/t�
d�

dSdS)z�
        Authenticate a user by the external auth module specified in load.
        Return True on success or False on failure.
        rz0Authentication failure of type "eauth" occurred.FrY�$The eauth system "%s" is not enabledT)r1rRrr?)rrrrrrK(
s










zLoadAuth.authenticate_eauthcCs�
d
}|
�dd�}|durt
�|�

dSd|
vr�t|
d�
}|��r4|D]}|||kr1|��
Sq#dS|
d|j�dd�ksE|
ddkrh|D]}|||krR
dSqGt
�d|j�dd�|
d�
t
�|�

dS|��r~||�|
d�
kr|t
�|�

dSdS||�d�
kr�	dS||�d	�
kr�	dS|
d|vr�|||
dkr�t
�|�

dS|
dSt
�|�

dS|D]}|||kr�
dSq�t
�|�

dS)
a

        Authenticate a user by the key passed in load.
        Return the effective user id (name) if it's different from the specified one (for sudo).
        If the effective user id is the same as the passed one, return True on success or False on
        failure.
        z/Authentication failure of type "user" occurred.r&NF�user�rootTz,Master runs as %r, but user in payload is %rr)	rLr1rR�AuthUser�is_sudo�	sudo_namerrC�is_running_user)rrr&Z	error_msgZauth_keyZ	auth_userZ	check_keyrrr�authenticate_key>
sb








�"

�


�





�
��







�

zLoadAuth.authenticate_keycCs�|r|jd
rd|vr|dS|�
|
�
}|du
r|S|r |dn|
d}||jdv
r8t�d|�
t�d�

dS|rD|d}|�d	�
}n
|�|
�
}|�|
�
}|jd|}|s]t�d
|�
|sag}|j�	|||�}|�
|
|�}t�d|�
|S)a�

        Retrieve access list for the user specified in load.
        The list is built by eauth module or from master eauth configuration.
        Return None if current configuration doesn't provide any ACL for the user. Return an empty
        list if the user has no rights to execute anything on this master and returns non-empty list
        if user is allowed to execute particular functions.
        rIrANrrYr\zAuthorization failure occurred.rHrJz!eauth "%s" configuration is emptyzCompiled auth_list: %s)rrMr1r2rRrCr!rBrZfill_auth_list�_LoadAuth__process_aclZtrace)rrr$rArrHrJZeauth_configrrr�
get_auth_list~
s0	
















zLoadAuth.get_auth_listFcCsh
g}|
�d
d�}||id�}|dkr2|�
|
�
}|s"ddd�|d<|S|d	}||d
<|j|
|d
�}n||dkrM|�|
�
sGdd
�|�
d�|d<|S|�|
�
}na|dkr�|�|
|�}	d}
|	sn|re|
�d|�d�}
d|
d�|d<|S|	du
r�t|
d�
��r�|jdr�|jds�d}	|	du
r�ddl	}|j
j�|jd|	�}|s�d|
d�|d<|Sn	ddd�|d<|S||d<|S)a�

        .. versionadded:: 2018.3.0

        Go through various checks to see if the token/eauth/user can be authenticated.

        Returns a dictionary containing the following keys:

        - auth_list
        - username
        - error

        If an error is encountered, return immediately with the relevant error dictionary
        as authentication has failed. Otherwise, return the username and valid auth_list.
        r"�UNKNOWN)rAr"�errorr$ZTokenAuthenticationErrorrZ)rH�messagergrH)
r$rZEauthAuthenticationErrorz<Authentication failure of type "eauth" occurred for user {}.r]z.Authentication failure of type "user" occurredz
 for user �
.ZUserAuthenticationErrorTZsudo_aclZ
publisher_aclr
NZSaltInvocationErrorz"Authentication type not supported.rA)
rCr[rerKrrcr_r`rZsalt.utils.masterrZmasterZget_values_of_matching_keys)rrZ	auth_typer&Z
show_usernamerAr"r>r$Zauth_ret�msgrrrr�check_authentication�
sb






�






�
�












�

�

�
zLoadAuth.check_authentication�
N)NF)�__name__�
__module__�__qualname__�__doc__rr!r8r?rMrdrBrErPrUrXrSr[rKrcrerkrrrrr5s&

 
@.rc@s@eZ
dZd
Zdd�Zdd�Zdd�Zdd	�Zd
d�Zdd
�Z	dS)�Resolverzk
    The class used to resolve options for the command line and for generic
    interactive interfaces
    cCs|
|_t
j�|
�
|_dSrl)rrrr)rrrrrrs

zResolver.__init__cCsld
�t
jj�|jd�
t|jd�
�}t
jjj	j
|jd|d��
}|�|
�
Wd�
S1s/w



Y
dS)Nztcp://{}:{}Z	interfaceZret_port�clear)Zcrypt�
master_uri)rrr�networkZ
ip_bracketr�str�channelrZ
ReqChannel�factory�send)rrrsrvrrr�_send_token_requests


�

�
$�zResolver._send_token_requestcCs<
i}|
s
td
�

|S|
�d�}||j
v
r/td�|
�
�

td�d�tdd�|j
D�
�
�
�
�

|Stjj�|j
|�
}|dD](}||j	vrL|j	|||<q=|�
d	�
r\t�|�d
��
||<q=t|�d
��
||<q=t
|d���
D]\}}||j	vr|j	||d<qnt|�d
|�d��
||<qnd|vr�|ds�tjj��|d<|S)zo
        Execute the CLI options to fill in the extra data needed for the
        defined eauth system
        z5External authentication system has not been specified�.authzBThe specified external authentication system "{}" is not availablezAvailable eauth types: {}z, c
ss&�|]}
|
�d�
r|
d
d�V
qd
S)rzN���)
�endswith)r%�
krrr�	<genexpr>#s�$zResolver.cli.<locals>.<genexpr>r�passz: r+rz [z]: r")�printrr�join�sortedrrrrr�
startswith�getpass�input�listr-r]�get_user)rrr>r r�argr�defaultrrr�clis>









��

��











zResolver.clic	Cs�d
|d<|
|d<|�|�
}d|v
r|SzGt
jj�d�
�5
t
jj�|jdd��}|�|d�

Wd�
n1s9w



Y
Wd�
W|SWd�
W|S1sSw



Y
W|Styd


Y|Sw)	z�
        Create the token from the CLI and request the correct data to
        authenticate via the passed authentication mechanism
        rPrrr$�Z
token_filezw+N)	ryrr�filesZ	set_umaskZfopenr�write�OSError)rrrrOZfp_rrr�	token_cli<s*








������

�zResolver.token_clicCsd
|
d<|�|
�
}|S)�1
        Request a token from the master
        rPr�
ry)rrrOrrrrPNs


zResolver.mk_tokencCs"i}|
|d
<d|d<|�|�
}|S)r�r$�	get_tokenrr�)rr$rrOrrrr�Vs





zResolver.get_tokenN)
rmrnrorprryr�r�rPr�rrrrrq�
s

+rqc@s0eZ
dZd
Zdd�Zdd�Zdd�Zdd	�Zd
S)r_zH
    Represents a user requesting authentication to the salt master
    cCs
|
|_d
S)za
        Instantiate an AuthUser object.

        Takes a user to reprsent, as a string.
        N)
r])rr]rrrrfs
zAuthUser.__init__c

Cs|j�
d
�
S)z�
        Determines if the user is running with sudo

        Returns True if the user is running with sudo and False if the
        user is not running with sudo
        Zsudo_)r]r�rWrrrr`nszAuthUser.is_sudoc

Cs|jt
jj��kS)
z�
        Determines if the user is the same user as the one running
        this process

        Returns True if the user is the same user as the one running
        this process and False if not.
        )r]rrr�rWrrrrbwszAuthUser.is_running_userc

Cs|j�
d
d�dS)zh
        Returns the username of the sudoer, i.e. self.user without the
        'sudo_' prefix.
        rN�
���)r]�splitrWrrrra�szAuthUser.sudo_nameN)rmrnrorprr`rbrarrrrr_as
	
r_)rpr��loggingr9r7�collections.abcrrZsalt.channel.clientrZsalt.configZsalt.exceptionsZsalt.loaderZsalt.payloadZsalt.utils.argsZsalt.utils.dictupdateZsalt.utils.filesZsalt.utils.minionsZsalt.utils.networkZsalt.utils.userZsalt.utils.versions�	getLoggerrmr1�	frozensetr/rrqr_rrrr�<module>
s8
















�Kd