File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/auth/__pycache__/pki.cpython-310.pyc
o
�����N�g|������������������������@���s����d�Z�d�d�l�Z�d�d�l�Z�z6z
d�d�l�m�Z���d�Z�W�n'��e�y<������d�Z�z�d�d�l�m Z ��W�n���e�y5������d�d�l
m Z ��Y�n�w�d�d�l�Z�Y�n�w�d�Z�W�n���e�yK������d�Z�Y�n�w�e��
e���Z�d�d���Z�d d
��Z�d�S�)�az���
Authenticate via a PKI certificate.
.. note::
This module is Experimental and should be used with caution
Provides an authenticate function that will allow the caller to authenticate
a user via their public cert against a pre-defined Certificate Authority.
TODO: Add a 'ca_dir' option to configure a directory of CA files, a la Apache.
:depends: - pyOpenSSL module
�����N)���X509TF)���asn1c��������������������C���s����t�r�d�S�d�S�)�z/
Requires newer pycrypto and pyOpenSSL
TF)���HAS_DEPS��r����r�����A/opt/saltstack/salt/lib/python3.10/site-packages/salt/auth/pki.py��__virtual__+���s����������r����c���������������� ���K���s����|�}�t�d���d���}�t���d�����t���d�|�����t���d�|�����t�r@t���|�t�j���}�t���|�t�j���}�|���|�� ����r8t��
d�|�����d�S�t��
d�|�����d S�t�j�}�|��
|�j�|���}�t�j�j���|�����}�|��
|�j�|�������}�W�d
��������n�1�sew�������Y���|�����} |���|�j�|���}
t�����}�|���|
����|�d���}�|�d���}
t�����}�|���|
����|�j�}�|�d���d
k�r�t�d�����|�d�d
����}�z!|���|�|�|�| ����t�|�����������d���|�k�s�J�d�����t��
d�|�����W�d�S���t�j�j t!f�y�������t��
d�|�����Y�d S�w�)�a����
Returns True if the given user cert (password is the cert contents)
was issued by the CA and if cert's Common Name is equal to username.
Returns False otherwise.
``username``: we need it to run the auth function from CLI/API;
it should be in master config auth/acl
``password``: contents of user certificate (pem-encoded user public key);
why "password"? For CLI, it's the only available name
Configure the CA cert in the master config file:
.. code-block:: yaml
external_auth:
pki:
ca_file: /etc/pki/tls/ca_certs/trusted-ca.crt
your_user:
- .*
z
config.getz�external_auth:pki:ca_filez#Attempting to authenticate via pki.z�Using CA file: %sz�Certificate contents: %sz*Successfully authenticated certificate: %sTz&Failed to authenticate certificate: %sFNr������������z Number of unused bits is strange�����Z�CNz*Certificate's CN should match the username)"Z�__salt__��log��debug��HAS_M2r����Z�load_cert_stringZ
FORMAT_PEMZ load_certZ�verifyZ
get_pubkey��info��OpenSSLZ�cryptoZ�load_certificateZ�FILETYPE_PEM��salt��utils��filesZ�fopen��readZ�get_signature_algorithmZ�dump_certificateZ
FILETYPE_ASN1r����Z�DerSequence��decodeZ DerObject��payload� Exception��dictZ�get_subjectZ�get_components��Error��AssertionError)���username��password��kwargsZ�pemZ�cacert_file��certZ�cacert��c��fZ�algoZ cert_asn1Z�derZ�der_certZ�der_sigZ
der_sig_inZ�sig0��sigr����r����r������auth4���sR�������
�������������������������������������
�������
�������������������������������r!���)���__doc__��loggingZ�salt.utils.filesr����Z�M2Cryptor����r
�����ImportErrorZ�Cryptodome.Utilr����Z�Crypto.Utilr����r����� getLogger��__name__r����r����r!���r����r����r����r������<module>����s.�������������������������������������������
����