o

�N�g0�@sNdZd
dl
Z
d
dlZe
�e�
ZdZdd�Zdd�Z	dd	�Z
d
d�Zdd
�ZdS)a�
Provide authentication using a REST call

REST auth can be defined like any other eauth module:

.. code-block:: yaml

    external_auth:
      rest:
        ^url: https://url/for/rest/call
        fred:
          - .*
          - '@runner'

If there are entries underneath the ^url entry then they are merged with any responses
from the REST call.  In the above example, assuming the REST call does not return
any additional ACLs, this will authenticate Fred via a REST call and allow him to
run any execution module and all runners.

The REST call should return a JSON array that maps to a regular eauth YAML
structure of a user as above.

�N�restc
CstS)
N)
�__virtualname__�rr�B/opt/saltstack/salt/lib/python3.10/site-packages/salt/auth/rest.py�__virtual__"s
rcCs$d
tddvrtddd
SdS)Nz^url�
external_authrF)
�__opts__rrrr�_rest_auth_setup&s
r	cCsht�}||
d
�}t
jjj|d|ddd�}|ddkr,t�d|�
|dd	u
r*|dSgSt�d
|�
dS)z/
    Call the rest authentication endpoint
    )�username�password�POSTT)�method�data�status�decoder��z eauth REST call returned 200: %s�dictN�eauth REST call failed: %sF)r	�salt�utils�http�query�log�debug)r
r�urlr�resultrrr�fetch.s


�


rcCs2t||
�}|d
urt
�d|�
d
St
�d|�
dS)z
    REST authentication
    Frzeauth REST call Ok: %sT)rrr)r
rrrrr�authHs




rc
Ksltd
d�
|g�}t�d||�
g}t||
d�}|r%|}t�d||�
||}t�d||�
|s4dS|S)z
    REST authorization
    rrzacl from salt for user %s: %srzacl from rest for user %s: %sz-acl from salt and rest merged for user %s: %sN)r�getrrr)r
�kwargsZsalt_eauth_aclZeauth_rest_aclrZ
merged_aclrrr�aclVs





r )
�__doc__�loggingZsalt.utils.httpr�	getLogger�__name__rrrr	rrr rrrr�<module>
s