o

�N�g}Y�@sH
dZd
dl
Z
d
dlZd
dlmZ
d
dlZd
dlZd
dlm	Z	m
Z

e�e�
Z
zd
dlZd
dlZd
dlZdZWney@


dZYn
widd�
d	d�
d
d�
dd
�
dd�
dd�
dd�
dd�
dd�
dd�
dd�
dd�
dd�
dd�
dd�
dd�
d g�
Zd3d!d"�
Zd#d$�ZGd%d&�d&�Zd4d'd(�
Zd4d)d*�
Zd+d,�Zd-d.�Zd5d/d0�
Zd5d1d2�
ZdS)6zR
Provide authentication using simple LDAP binds

:depends:   - ldap Python module
�N)
�Environment)�CommandExecutionError�SaltInvocationErrorTFzauth.ldap.basedn�z
auth.ldap.urizauth.ldap.serverZ	localhostzauth.ldap.portZ389zauth.ldap.starttlsz
auth.ldap.tlszauth.ldap.no_verifyzauth.ldap.anonymouszauth.ldap.scope�zauth.ldap.groupouZGroupszauth.ldap.accountattributenameZ	memberUidzauth.ldap.groupattributeZmemberOfzauth.ldap.persontypeZpersonzauth.ldap.groupclassZ
posixGroupzauth.ldap.activedirectoryzauth.ldap.freeipa�auth.ldap.minion_stripdomainscCs�z|r
|d
|��}W|Std
|��}W|St
y@


ztd
|��}WY|St
y?


|
r;d|�d�}t|�
�
YYdSww)zP
    Return a value for 'name' from master config file options or defaults.
    z
auth.ldap.zmissing auth.ldap.z in master configF)Z__opts__�KeyError�__defopts__r)�key�	mandatory�opts�value�msg�r�B/opt/saltstack/salt/lib/python3.10/site-packages/salt/auth/ldap.py�_config3s"

�	�

�



��rcCs"t�}|�
|�
}d
|
i
}|�|�
S)zD
    Render config template, substituting username where found.
    �username)rZfrom_stringZrender)�paramr�env�templateZ	variablesrrr�_render_templateGs




rc@seZ
dZd
Z	ddd�
ZdS)�_LDAPConnectionz#
    Setup an LDAP connection.
    Fc
Cs&
|
|_||_
||_||_||_||_||_tstd
�
�
|jr%|jr%td�
�
|r)dn
d}|jdkr=|�d|j
�d|j��|_z>|rHt	�
t	jt	j�
t	�
|j��
|_	d|j	_|j	�
t	jd	�
|	sy|jsetd
�
�
|jrm|j	��
|j	�|j|j�
WdSWdSty�
}

ztd�|j|j|
��
�
d}
~
w
w)
zE
        Bind to an LDAP directory using passed credentials.
        zzLDAP connection could not be made, the python-ldap module is not installed. Install python-ldap to use LDAP external auth.zVCannot bind with both starttls and tls enabled.Please enable only one of the protocolsZldaps�ldaprz://�
:�r
zWLDAP bind password is not set: password cannot be empty if auth.ldap.anonymous is Falsez*Failed to bind to LDAP server {} as {}: {}N)�uri�server�port�starttls�tls�binddn�bindpw�HAS_LDAPrrZ
set_optionZOPT_X_TLS_REQUIRE_CERTZOPT_X_TLS_NEVERZ
initializeZprotocol_versionZ
OPT_REFERRALSZstart_tls_sZ
simple_bind_s�	Exception�format)�selfrrrrr�	no_verifyr r!�	anonymous�accountattributename�activedirectoryZschemaZ
ldap_errorrrr�__init__VsR








�

�









�


�



����z_LDAPConnection.__init__N)
F)�__name__�
__module__�__qualname__�__doc__r*rrrrrQs
�rcCs�i}gd
�
gd�
d�}i}|dD]
}t||
d�||<q|dD]}t|d|
d�||<q ||d	<|d
rE|d
|d
<|drE|d�
d�

|dD]}||||<qI|d	sf|d
rh|drjtd
i|�
�
jSdSdSdS)z�
    Bind with binddn and bindpw only for searching LDAP
    :param anonymous: Try binding anonymously
    :param opts: Pass in when __opts__ is not available
    :return: LDAPConnection object
    �	rrrrrr&r'r(r)�r r!�filter�
groupclass�auth_by_group_membership_only�r�
additionalr�
rr5F�rrr'r r!Nr)r�appendrr)r'r�connargs�params�paramvaluesr�namerrr�_bind_for_search�s*�






�
r=cCs�td
|d�}td|d�}i}gd�
gd�
d�}i}|dD]
}	t|	|d�||	<q|dD]}	t|	d	|d
�||	<q,||d<|drSt
|d|�|d<tj�|d�
|d<|d
rftj�|�
}
t
|d
|
�|d
<|dr{|d|d<|dr{|d�d�

|dD]}||||<q|d�
s|dr�|dr�td!i|�
�
j}t�d|d
||�
|�	|t
|�
|d
�}
|
s�t�d|�
d	St|
�
dkr�dd�|
D�
}t
dd�|D�
�
}|dkr�t�d|�
d	S|dkr�t�d|�
d	S|
dd|d<|d�
r|d�
s|d|d<n|d�
r|d�
s|d|d<|
|d<|d�
r"t�d�

nt�d|d�
z
td!i|�
�
j}Wnt�
yR


|�dd�
t�d|�
tjddd�
Yd	Swt�d |d�
|S)"z'
    Authenticate via an LDAP bind
    �basednr6�scoper/r0r4rr5Fr7r'r r1r!z;Running LDAP user dn search with filter:%s, dn:%s, scope:%szUnable to find user %s�
c
Ssg|]}
|
d�qS)
r
r)�.0�tuprrr�
<listcomp>*
sz_bind.<locals>.<listcomp>c
ss�|]	}
|
du
rd
V
qdS)Nr@r)rA�
crrr�	<genexpr>+
s�z_bind.<locals>.<genexpr>z.LDAP lookup found multiple results for user %sr
z/LDAP lookup--unable to find CN matching user %szAttempting anonymous LDAP bindz%Attempting LDAP bind with user dn: %sNz+Failed to authenticate user dn via LDAP: %sz&Error authenticating user dn via LDAP:T)
�exc_infoz/Successfully authenticated user dn via LDAP: %sr)rrrr1�escape_filter_charsr8r�log�debug�search_s�int�warning�len�sum�errorr#�pop)r�passwordr'rr>r?r9r:r;r�escaped_usernamer<Z_ldap�resultZcnsZtotal_not_noneZ	ldap_connrrr�_bind�s�

�






�










�







�


�

�










�
rTcCs�ts	t
�d
�

dSd}tddd�r8tddd�r8ttddd�d�
}|r7|r7|
r7t||
td	dd�o4tddd�d�}nt||
td	dd�oFtddd�d�}|rRt
�d
�

|St
�d�

dS)z
    Simple LDAP auth
    z/LDAP authentication requires python-ldap moduleFNr �
rr!r'�
r'r3zLDAP authentication successfulz LDAP _bind authentication FAILED)r"rHrOrr=rTrI)rrQ�bindZsearch_bindrrr�authP
s2









��




�




rXc
Ksxg}td
dd�rtddd�rt
tddd�d�
}nt||
�dd�td	dd�o*tddd�d�}|�r5t�d
�

td�
r�zd�td
�
|td�
�}|�td�
tj	|dg
�}Wnt
yl
}
zt�d|�
|WYd}~Sd}~w
w|swt�d|�
|Stj�
|dd�
}d�|td�
�}t�d|�
z|�td�
tj	|tjj�td
�
�
dg�}	Wnt
y�
}
zt�d|�
|WYd}~Sd}~w
w|	D]\}
}d|vr�|�tjj�|dd�
�

q�t�d||�
|Std�
�
rktj�
|�
}td�
}
ttd�
|�}|�|
tj	|tjj�td
�
�
tjj�td�
�
dg�}	|	D]>\}}t�|�td
�
g�|�td�
g��D]&}|tjj�|�
�d�
d�d �
d!k�
rO|�|�d�
d�d �
d!�

�
q*�
qt�d||�
t||
d��
sit�d"�

gS|Std#�
�
r{d$�td#�
td�
�}
nd%�td�
�
}
d�td
�
|td�
�}|�|
tj	|tjj�td
�
�
dtjj�td�
�
g�}	|	D]!\}
}|tjj�|td
�
�
v�
r�|�tjj�|dd�
�

�
q�|	D]<\}}|tjj�|�
�d�
d�d �
d!k�rtjj�|td�
�
D]}|�tjj�|�
�d�
d�d �
d!�

�
q�
q�t�d||�
d&|
v�r3t||
�d�
td	dd��o(tddd�d��s3t�d"�

gS|St�d'�

|S)(a�

    Authenticate against an LDAP group

    Behavior is highly dependent on if Active Directory is in use.

    AD handles group membership very differently than OpenLDAP.
    See the :ref:`External Authentication <acl-eauth>` documentation for a thorough
    discussion of available parameters for customizing the search.

    OpenLDAP allows you to search for all groups in the directory
    and returns members of those groups.  Then we check against
    the username entered.

    r FrUr!r'rVrQrr3z2ldap bind to determine group membership succeeded!r)z(&({}={})(objectClass={}))r(Z
persontyper>ZdistinguishedNamez3Exception thrown while looking up user DN in AD: %sNz,Could not get distinguished name for user %sr
z(&(member={})(objectClass={}))r2z(Running LDAP group membership search: %s�cnz<Exception thrown while retrieving group membership in AD: %sz!User %s is a member of groups: %sZfreeipaZgroup_basednZgroup_filterZgroupattribute�
,�
=���z'LDAP username and password do not matchZgroupouzou={},{}z{}Zshow_jidz/ldap bind to determine group membership FAILED!)rr=rT�getrHrIr$rJr�
SCOPE_SUBTREEr#rOr1rG�salt�utilsZstringutilsZto_strr8Z
to_unicoder�	itertools�chain�splitrX�data�decode)r�kwargsZ
group_listrWZget_user_dn_searchZuser_dn_results�
e�dnZldap_search_string�search_results�
_�entryrR�search_base�
search_stringrS�user�grouprrr�groupsv
s







�




�



�

��



�





��	

���

�
X
�








��


�

�����


6
�


�




��




��


���

�

����




�


�rpcCsN
t|
d
�
}g}|D]�}t
|t�s|�|�

q	|��D]�\}}|}g}|�d�
r�|�d�
�d�
}	d}
zZ|�|	t	j
|
dg
�}|D]9}z.|ddd��}
|
�dd	�rh|
dD]}|
�
|�
rg|
d	t|�
�}

n
qU|�|
�

Wq>tyw


Yq>w|D]	}
|�|
|i
�

qzt�d
|�
Wqt	jy�


Yqw|�||i
�

qq	t�d|�
|S)a�

    :param entries: ldap subtree in external_auth config option
    :param opts: Opts to use when __opts__ not defined
    :return: Dictionary with all allowed operations

    Takes the ldap subtree in the external_auth config option and expands it
    with actual minion names

    webadmins%:  <all users in the AD 'webadmins' group>
      - server1
          - .*
      - ldap(OU=webservers,dc=int,dc=bigcompany,dc=com)
        - test.ping
        - service.restart
      - ldap(OU=Domain Controllers,dc=int,dc=bigcompany,dc=com)
        - allowed_fn_list_attribute^

    This function only gets called if auth.ldap.activedirectory = True
    r6�ldap(�
)z(objectClass=computer)rYr@r
rNzExpanded acl_tree is: %sz__expand_ldap_entries: %s)r=�
isinstance�dictr8�items�
startswith�lstrip�rstriprJrr^�lowerr]�endswithrM�	TypeErrorrHZtraceZNO_SUCH_OBJECT)�entriesrrWZacl_treeZuser_or_group_dictZminion_or_ouZmatchersZpermissionsZretrieved_minion_idsrlrmriZ
ldap_matchZ	minion_id�domainrrr�__expand_ldap_entriessN
















�






�
�



��&
r~cCsDg}|D]}t|t
�rq|�d
d�|��D�
�

q|r t||
�}|S)a+

    Query LDAP, retrieve list of minion_ids from an OU or other search.
    For each minion_id returned from the LDAP search, copy the perms
    matchers into the auth dictionary
    :param auth_list:
    :param opts: __opts__ for when __opts__ is not injected
    :return: Modified auth list.
    c
Ssg|]	}
|
�d�
r|
�qS)
rq)
rv)rAZpotential_ourrrrCls
�
�zprocess_acl.<locals>.<listcomp>)rs�str�extend�keysr~)Z	auth_listrZou_names�itemrrr�process_acl^s	





��


r�)TN)FN)
N)r.ra�loggingZjinja2rZsalt.utils.datar_Zsalt.utils.stringutilsZsalt.exceptionsrr�	getLoggerr+rHrZldap.filterZldap.modlistr"�ImportErrorr	rrrr=rTrXrpr~r�rrrr�<module>
s|






�
��������	�
���
�����


D
;
&
$E