File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/__pycache__/win_pki.cpython-310.pyc
o
�����N�g ?�����������������������@���s����d�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l m
Z
m�Z���d�Z�d�Z
d�Z�e���e���Z�d�Z�d�d ��Z�d"d�d���Z�d
d���Z�d�d���Z�d�d���Z�e�e�f�d�d���Z�e
d�f�d�d���Z�e
e�e�d�d�d�f�d�d���Z�e
e�e�d�f�d�d���Z�e�e�d
d�d�f�d�d���Z�e�e�f�d d!��Z�d�S�)#a����
Microsoft certificate management via the PKI Client PowerShell module.
https://technet.microsoft.com/en-us/itpro/powershell/windows/pkiclient/pkiclient
The PKI Client PowerShell module is only available on Windows 8+ and Windows
Server 2012+.
https://technet.microsoft.com/en-us/library/hh848636(v=wps.620).aspx
:platform: Windows
:depends:
- PowerShell 4
- PKI Client Module (Windows 8+ / Windows Server 2012+)
.. versionadded:: 2016.11.0
�����N)���CommandExecutionError��SaltInvocationErrorZ�LocalMachine��cerZ�MyZ�win_pkic��������������������C���sV���t�j�j�����s�d�S�t�j�j���t�d���d���d�k�r�d�S�t�d���d���d���s d S�t�j�j�� d
��s)d�S�t
S�)�z�
Requires Windows
Requires Windows 8+ / Windows Server 2012+
Requires PowerShell
Requires PKI Client PowerShell module installed.
)�Fz!Only available on Windows SystemsZ osversionz�6.2.9200���)�Fz4Only available on Windows 8+ / Windows Server 2012 +z�cmd.shell_info�
powershellZ installed)�Fz�Powershell not availableZ�PKI)�Fz#PowerShell PKI module not available)���salt��utils��platformZ
is_windowsZ�versionsZ�version_cmpZ
__grains__��__salt__r����Z
module_exists��__virtualname__��r����r�����H/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/win_pki.py��__virtual__%���s����������������������r����Fc��������������������C���s����d�g�}�|�r�|���d���|�������n�|���|�����t�d���d���|���d�d�d���}�|�d���r-t�d ��|�|�d���������|�rNz�t�j�j�j�|�d
��d�d���}�|�W�S���t yM������t�d
��|�d
��������w�|�d
��S�)�zh
Ensure that the Pki module is loaded, and convert to and extract data from
Json as needed.
z�Import-Module -Name PKI; z4ConvertTo-Json -Compress -Depth 4 -InputObject @({})z�cmd.run_all��r����T)���shellZ�python_shell��stderrz'Unable to execute command: {}
Error: {}��stdoutF)���strictz'Unable to parse return data as JSON:
{})
��append��formatr
�����joinr����r����r������json��loads�
ValueError)���cmd��as_jsonZ�cmd_fullZ�cmd_ret��itemsr����r����r
�����_cmd_run;���s.�������������
�����������������������������������r����c��������������������C���s.���d�|���d���}�t���t�|�d�����s�t�d�|���������d�S�)�zS
Ensure that the certificate path, as determind from user input, is valid.
z�Test-Path -Path '��'��r����z�Invalid path specified: N)���ast��literal_evalr����r����)���namer����r����r����r
�����_validate_cert_path]���s������������r#���c��������������������C���s$���d�d�g�}�|�|�v�r�t�d���|�|�������d�S�)�zU
Ensure that the certificate format, as determind from user input, is valid.
r������pfxz<Invalid certificate format '{}' specified. Valid formats: {}N)�r����r����)�r"���Z�cert_formatsr����r����r
�����_validate_cert_formatg���s��������������������r%���c��������������������C���sR���t���}�d�}�t�|�d�d���}�|�D�]�}�t���|�|�d���<�|�d���D�]�}�|�|�d�������|�����q�q
|�S�)�z�
Get the certificate location contexts and their corresponding stores.
:return: A dictionary of the certificate location contexts and stores.
:rtype: dict
CLI Example:
.. code-block:: bash
salt '*' win_pki.get_stores
zEGet-ChildItem -Path 'Cert:\' | Select-Object LocationName, StoreNamesT��r����r����Z�LocationNameZ
StoreNames)���dictr������listr����)���retr����r������item��storer����r����r
����
get_storesu���s�����
����������������r,���c��������������������C���s����t���}�t���}�d�g�}�d�|���d�|�����}�t�|�d�����|���d�|���d�������|���d�����t�d���|���d d
��}�|�D�]5}�t���}�|�D�]�} | |�v�rD|�| ��|�| ����<�q6|���d�d���}
t�|
t���rZd�d
��|
D���|�d�<�n�g�|�d�<�|�|�|�d���<�q/|�S�)�am���
Get the available certificates in the given store.
:param str context: The name of the certificate store location context.
:param str store: The name of the certificate store.
:return: A dictionary of the certificate thumbprints and properties.
:rtype: dict
CLI Example:
.. code-block:: bash
salt '*' win_pki.get_certs
��DnsNameList��Cert:\��\��r"���z�Get-ChildItem -Path 'z�' | Select-Objectz8 DnsNameList, SerialNumber, Subject, Thumbprint, Versionr����Tr&���Nc��������������������S���s����g�|�]�}�|���d�����q�S���Z�Unicode)���get����.0r"���r����r����r
����
<listcomp>����s������z�get_certs.<locals>.<listcomp>��dnsnamesZ
Thumbprint) r'���r(���r#���r����r����r������lowerr2����
isinstance)���contextr+���r)���r������blacklist_keys�
store_pathr����r*���Z cert_info��key��namesr����r����r
���� get_certs����s(�����������
���
�����������������
���������r>���r����c������������ �������C���sd���t���}�t���}�d�g�}�|�����}�t�|�d�����|�r�t�j���|���s"t���d�|�����|�S�|�d�k�r^|�rO|�� d�����|�� d�����|�� d�|���d�������|�� d |���d�������|�� d
����|�� d�����n'|�� d�|���d�������|�� d�����n�|�� d�����|�� d�����|�� d�|���d
������|�� d�����t
d���|���d�d���}�|�D�]�}�|�D�]�}�|�|�v�r�|�|���|�|�����<�q�d�d���|�d���D���|�d�<�q�|�r�t���d�|�����|�S�t���d�|�����|�S�)�a����
Get the details of the certificate file.
:param str name: The filesystem path of the certificate file.
:param str cert_format: The certificate format. Specify 'cer' for X.509, or
'pfx' for PKCS #12.
:param str password: The password of the certificate. Only applicable to pfx
format. Note that if used interactively, the password will be seen by all minions.
To protect the password, use a state and get the password from pillar.
:return: A dictionary of the certificate thumbprints and properties.
:rtype: dict
CLI Example:
.. code-block:: bash
salt '*' win_pki.get_cert_file name='C:\certs\example.cer'
r-���r0���z�Path is not present: %sr$���z�$CertObject = New-Objectz@ System.Security.Cryptography.X509Certificates.X509Certificate2;z� $CertObject.Import('r����z�,'z�,'DefaultKeySet') ; $CertObjectzH | Select-Object DnsNameList, SerialNumber, Subject, Thumbprint, Versionz�Get-PfxCertificate -FilePath 'z�'); $CertObjectr����Tr&���c��������������������S���s����g�|�]�}�|�d�����q�S�r1���r����r3���r����r����r
���r5�������s������z!get_cert_file.<locals>.<listcomp>r6���z0Certificate thumbprint obtained successfully: %sz+Unable to obtain certificate thumbprint: %s)
r'���r(���r7���r%�����os��path��isfile��_LOG��errorr����r����r������debug) r"�����cert_format��passwordr)���r����r:���r����r*���r<���r����r����r
����
get_cert_file����sT�����������
�����������
�����������
���������������
�
���������������������������������rG���T��basec��������������������C���s����t���}�d�}�d�|���d�|�����} |�����}�t�|�d�����t�d���|�|���}
|
s't���d�|�����d�S�|�r1t�|
|�|�d���}�n�t�|
|�d ��}�t�|�|�d
��}�|�d���|�v�rNt���d�|�d���| ����d
S�|�d�k�r�|�rb|�� d��
|�������|�� d�����n�|�� d�����|�� d��
|
������|�� d�| ��d�������|�� d�����|�r�|�� d�����n�|�� d��
|
������|�� d�| ��d�������t�d���|���d�����t�|�|�d
��}
|
D�]�}�|�|�v�r�|�}�q�|�r�t���d�|�����d
S�t���d�|�����d�S�)�a����
Import the certificate file into the given certificate store.
:param str name: The path of the certificate file to import.
:param str cert_format: The certificate format. Specify 'cer' for X.509, or
'pfx' for PKCS #12.
:param str context: The name of the certificate store location context.
:param str store: The name of the certificate store.
:param bool exportable: Mark the certificate as exportable. Only applicable
to pfx format.
:param str password: The password of the certificate. Only applicable to pfx
format. Note that if used interactively, the password will be seen by all minions.
To protect the password, use a state and get the password from pillar.
:param str saltenv: The environment the file resides in.
:return: A boolean representing whether all changes succeeded.
:rtype: bool
CLI Example:
.. code-block:: bash
salt '*' win_pki.import_cert name='salt://cert.cer'
Nr.���r/���r0���z
cp.cache_filez%Unable to get cached copy of file: %sF)�r"���rE���rF���)�r"���rE�����r9���r+����
thumbprintz8Certificate thumbprint '%s' already present in store: %sTr$����/$Password = ConvertTo-SecureString -String '{}'�� -AsPlainText -Force; �5$Password = New-Object System.Security.SecureString; z$Import-PfxCertificate -FilePath '{}'z� -CertStoreLocation 'r������ -Password $Passwordz� -Exportablez!Import-Certificate -FilePath '{}'r����r����z%Certificate imported successfully: %sz Unable to import certificate: %s)
r(���r7���r%���r
���rB���rC���rG���r>���rD���r����r����r����r����)�r"���rE���r9���r+���Z
exportablerF���Z�saltenvr����rJ���r;���Z�cached_source_pathZ
cert_props�
current_certs� new_certsZ�new_certr����r����r
�����import_cert����sd����!������
�����������������������������������������������
���������
���
�����������������������������rQ���c������������ �������C���s����t���}�|�����}�d�|���d�|���d�|�����}�|�����}�t�|�d�����t�|�d�����|�d�k�rH|�r4|���d���|�������|���d�����n�|���d�����|���d���|�|�������|���d ����n |���d
��|�|�������|���d�|���d�������t���t d
�
|���d�����}�|�rot���d�|�����|�S�t��
d�|�����|�S�)�a����
Export the certificate to a file from the given certificate store.
:param str name: The destination path for the exported certificate file.
:param str thumbprint: The thumbprint value of the target certificate.
:param str cert_format: The certificate format. Specify 'cer' for X.509, or
'pfx' for PKCS #12.
:param str context: The name of the certificate store location context.
:param str store: The name of the certificate store.
:param str password: The password of the certificate. Only applicable to pfx
format. Note that if used interactively, the password will be seen by all minions.
To protect the password, use a state and get the password from pillar.
:return: A boolean representing whether all changes succeeded.
:rtype: bool
CLI Example:
.. code-block:: bash
salt '*' win_pki.export_cert name='C:\certs\example.cer' thumbprint='AAA000'
r.���r/���r0���r$���rK���rL���rM���z/Export-PfxCertificate -Cert '{}' -FilePath '{}'rN���z,Export-Certificate -Cert '{}' -FilePath '{}'z� | Out-Null; Test-Path -Path 'r����r����r����z%Certificate exported successfully: %sz Unable to export certificate: %s)�r(�����upperr7���r#���r%���r����r����r ���r!���r����r����rB���rD���rC���) r"���rJ���rE���r9���r+���rF���r����� cert_pathr)���r����r����r
�����export_certj���s8�����������
�
�������������
�������������
�����������������rT���c��������������������C���s����t���}�|�����}�d�|���d�|���d�|�����}�|���d�|���d�������t�|�d�����|�r'|���d�����|�r2|���d�|���d�������|�r=|���d�|���d�������|���d ����t���t�d
��|���d�����S�)�a����
Check the certificate for validity.
:param str thumbprint: The thumbprint value of the target certificate.
:param str context: The name of the certificate store location context.
:param str store: The name of the certificate store.
:param bool untrusted_root: Whether the root certificate is required to be
trusted in chain building.
:param str dns_name: The DNS name to verify as valid for the certificate.
:param str eku: The enhanced key usage object identifiers to verify for the
certificate chain.
:return: A boolean representing whether the certificate was considered
valid.
:rtype: bool
CLI Example:
.. code-block:: bash
salt '*' win_pki.test_cert thumbprint='AAA000' dns_name='example.test'
r.���r/���z�Test-Certificate -Cert 'r����r0���z� -AllowUntrustedRootz� -DnsName 'z� -EKU 'z� -ErrorAction SilentlyContinuer����r����)�r(���rR���r����r#���r ���r!���r����r����)�rJ���r9���r+���Z�untrusted_rootZ�dns_nameZ�ekur����rS���r����r����r
���� test_cert����s������������
���
���������
���rU���c��������������������C���s����|�����}�d�|���d�|�����}�|���d�|�����}�d�|���d���}�t�|�|�d���}�|�|�v�r,t���d�|�|�����d�S�t�|�d�����t�|�d ����t�|�|�d���}�|�|�v�rHt���d
|�����d�S�t���d�|�����d�S�)
a����
Remove the certificate from the given certificate store.
:param str thumbprint: The thumbprint value of the target certificate.
:param str context: The name of the certificate store location context.
:param str store: The name of the certificate store.
:return: A boolean representing whether all changes succeeded.
:rtype: bool
CLI Example:
.. code-block:: bash
salt '*' win_pki.remove_cert thumbprint='AAA000'
r.���r/���z�Remove-Item -Path 'r����rI���z,Certificate '%s' already absent in store: %sTr0���r����z Unable to remove certificate: %sFz$Certificate removed successfully: %s)�rR���r>���rB���rD���r#���r����rC���)�rJ���r9���r+���r;���rS���r����rO���rP���r����r����r
�����remove_cert����s$�����������������������
�
�������������rV���)�F)���__doc__r �����loggingr?���Z�salt.utils.jsonr����Z�salt.utils.platformZ�salt.utils.powershellZ�salt.utils.versionsZ�salt.exceptionsr����r����Z�_DEFAULT_CONTEXTZ�_DEFAULT_FORMATZ�_DEFAULT_STORE� getLogger��__name__rB���r����r����r����r#���r%���r,���r>���rG���rQ���rT���rU���rV���r����r����r����r
�����<module>����sP���������������������������
�����
��"�
�����+�L����������
��i������
��I��������
��1