HEX

File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/__pycache__/minions.cpython-310.pyc
o

�N�g���@sdZddlZddlZddlZddlZddlZddlZddlZddl	Zddl
ZddlZddlZddl
ZddlZddlmZddlmZddlmZmZdZzddlZdZWn	ey]Ynwe�e�Ze�d�Zd	d
�Zdd�Z d
d�Z!ddd�Z"Gdd�d�Z#dS)za
This module contains routines used to verify the matcher against the minions
expected to return
�N)�	ipaddress)�DEFAULT_TARGET_DELIM)�CommandExecutionError�SaltCacheErrorFTam(?x)
        (
            (?P<engine>G|P|I|J|L|N|S|E|R)  # Possible target engines
            (?P<delimiter>(?<=G|P|I|J).)?  # Optional delimiter for specific engines
        @)?                                # Engine+delimiter are separated by a '@'
                                           # character and are optional for the target
        (?P<pattern>.+)$cs�t|�}|}t|�|t|�krOt�d��gd���fdd�|D�sQ�fdd�|D�r=dd�|�}t�d|||�|gSd	d�|�}t�d
|||�|gSdSdS)Nz^[A-Z]@)�(�[�{�\�?�}�]�)cs"g|]
}d|vs
��|�r|�qS)�*��match��.0�x)�
group_type_re��F/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/minions.py�
<listcomp>5s"z$_nodegroup_regex.<locals>.<listcomp>cs&g|]���fdd��D�vr��qS)csg|]}|�vr��qSrr)r�y�rrrr8�z/_nodegroup_regex.<locals>.<listcomp>.<listcomp>r)r)�regex_charsrrr8s&zE@�,zXNodegroup '%s' (%s) detected as an expression. Assuming compound matching syntax of '%s'zL@z\Nodegroup '%s' (%s) detected as list of nodenames. Assuming compound matching syntax of '%s')�set�re�compile�join�log�debug)�	nodegroup�words�opersZ	opers_set�ret�joinedr)rrr�_nodegroup_regex-s2
���	�r(cCs6t�|�}|st�d|�dd|d�}|S|��}|S)zaParse `target_expressing` splitting it into `engine`, `delimiter`,
    `pattern` - returns a dictzUnable to parse target "%s"N)�engine�	delimiter�pattern)�
TARGET_REXrr!�warning�	groupdict)Ztarget_expressionrr&rrr�parse_targetPs
��r/cCs�d}d}|�dd�rDtj�|�}|dur+|�d�D]}|�d|��d�}|dur)qqn	|�d|��d�}|durD|�dd�}|�dd�}|rK|||fSd||fS)	z�
    Get the grains/pillar for a specific minion.  If minion is None, it
    will return the grains/pillar for the first minion it finds.

    Return value is a tuple of the minion ID, grains, and pillar
    N�minion_data_cacheF�minions�minions/�data�grains�pillar)�get�salt�cache�factory�list�fetch)�minion�optsr4r5r8�id_r3rrr�get_minion_dataas ��r?c	Cs�d}|dur
t�}n||vrt�d|�dS||vr"t�d|�dS||}t|t�r0|��}nt|ttf�r:|}n	t�d||�dS|�|�g}gd�}|D]7}	t|	t�s[t|	�}	|	|vre|�	|	�qPt
|	�dkr�|	�d	�r�d
}|�t
|	dd�||dd��qP|�	|	�qP|r�|�d
d�|�	d�|�|�t�d||�|s�|s�|s�t|||�}
|
r�|
S|S|}t|||�}
|
r�|
St�d||�|S)a#
    Recursively expand ``nodegroup`` from ``nodegroups``; ignore nodegroups in ``skip``

    If a top-level (non-recursive) call finds no nodegroups, return the original
    nodegroup definition (for backwards compatibility). Keep track of recursive
    calls via `first_call` argument
    FNz9Failed nodegroup expansion: illegal nested nodegroup "%s"�z2Failed nodegroup expansion: unknown nodegroup "%s"z7Nodegroup '%s' (%s) is neither a string, list nor tuple��and�or�notrr
�zN@T�)�skip�
first_callrrr
znodegroup_comp(%s) => %szFNo nested nodegroups detected. Using original nodegroup definition: %s)rr!�error�
isinstance�str�splitr:�tuple�add�append�len�
startswith�extend�nodegroup_comp�insert�remover"r()r#�
nodegroupsrGrHZexpanded_nodegroupZnglookupr$r&r%�wordr'rrrrSysp�

�

�

�rSc@s6eZdZdZdd�Zdd�Zdd�Z	dBd	d
�Zdd�Zd
d�Z		dCdd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd�Zdd �Z	dBd!d"�ZdDd$d%�ZdEd&d'�Zd(ed)fd*d+�ZdFd,d-�Zd.d/�Z	(	#	dGd0d1�Z	(	#		#	#dHd2d3�Zd4d5�Z	#dFd6d7�Zd8d9�Zd:d;�Zd<d=�Z dFd>d?�Z!dFd@dA�Z"d#S)I�	CkMinionsaA
    Used to check what minions should respond from a target

    Note: This is a best-effort set of the minions that would match a target.
    Depending on master configuration (grains caching, etc.) and topology (syndics)
    the list may be a subset-- but we err on the side of too-many minions in this
    class.
    cCs>||_tj�|�|_|j�dd�tjjvrd|_dSd|_dS)N�	transportZzeromqr1Zaccepted)r=r7r8r9r6rYZ
TRANSPORTS�acc)�selfr=rrr�__init__�s


zCkMinions.__init__cCs|�t||jd�t|�S)z?
        Return minions found by looking at nodegroups
        rV)�_check_compound_minionsrSr=r�r[�expr�greedyrrr�_check_nodegroup_minions�s�z"CkMinions._check_nodegroup_minionscCst�|��|�gd�S)z?
        Return the minions found by looking via globs
        �r1�missing)�fnmatch�filter�_pki_minionsr^rrr�_check_glob_minions�szCkMinions._check_glob_minionsFcsXt|t�rdd�|�d�D�}|����fdd�|D�|r!gd�S�fdd�|D�d�S)z@
        Return the minions found by looking via a list
        cSsg|]}|r|�qSrr�r�mrrrr�sz1CkMinions._check_list_minions.<locals>.<listcomp>rcsg|]}|�vr|�qSrrr�r1rrr�rcsg|]}|�vr|�qSrrrrjrrr�rrb)rJrKrLrf)r[r_r`Zignore_missingrrjr�_check_list_minions�s
��zCkMinions._check_list_minionscs&t�|���fdd�|��D�gd�S)zM
        Return the minions found by looking via regular expressions
        csg|]	}��|�r|�qSrrrh�Zregrrr��z1CkMinions._check_pcre_minions.<locals>.<listcomp>rb)rrrfr^rrlr�_check_pcre_minions�s
�zCkMinions._check_pcre_minionsc
CsHg}tj�|jd|jd�}zt�tj�|��Wn	ty"Ynwzf|jdrWtj�|�rWt	�
d�tjj
j|dd��}tj�|�Wd�WS1sOwY|WStjj�t�tj�|jd|j���D]}|�d�s�tj�tj�|jd|j|��r�|�|�qj|WSty�}zt	�d	|�|WYd}~Sd}~ww)
zb
        Retreive complete minion list from PKI dir.
        Respects cache if configured
        �pki_dirz
.key_cacheZ	key_cachezReturning cached minion list�rb)�modeN�.z;Encountered OSError while evaluating minions in PKI dir: %s)�os�pathr r=rZ�makedirs�dirname�OSError�existsr!r"r7�utils�filesZfopen�payload�loadr3�sorted_ignorecase�listdirrQ�isfilerOrI)r[r1Zpki_cache_fn�fn_�excrrrrfs<�

"�
���
����zCkMinions._pki_minionscsF�j�dd�}�fdd�}|rBg}	tjj�t�tj�	�jd�j
���D]}
|
�d�s@tj�tj�	�jd�j
|
��r@|	�
|
�q$n|rH|�}	nggd�S|r�|rU|�}n|	}|s^|	gd�St|	�}	|D]5}|rm||	vrmqd�j�d|��d	�}
|
d
ur�|s�|	�|�qd|
�|�}tjjj|||||d�s�|	�|�qdt|	�}	|	gd�S)a
        Helper function to search for minions in master caches If 'greedy',
        then return accepted minions matched by the condition or those absent
        from the cache.  If not 'greedy' return the only minions have cache
        data and matched by the condition.
        r0Fcs�j�d�S)Nr1)r8r:r�r[rr�list_cached_minions*sz;CkMinions._check_cache_minions.<locals>.list_cached_minionsrorrrbr2r3N)r*�regex_match�exact_match)r=r6r7ryr3r}rsr~rtr rZrQrrOrr8r;rUZ
subdict_matchr:)r[r_r*r`Zsearch_typer�r��
cache_enabledr�r1r��cminionsr>�mdataZsearch_resultsrr�r�_check_cache_minionssV	��
��



�
�
zCkMinions._check_cache_minionscC�|�|||d�S)z@
        Return the minions found by looking via grains
        r4�r��r[r_r*r`rrr�_check_grain_minionsW�zCkMinions._check_grain_minionscC�|j|||ddd�S)zJ
        Return the minions found by looking via grains with PCRE
        r4T�r�r�r�rrr�_check_grain_pcre_minions]�
�z#CkMinions._check_grain_pcre_minionscCr�)�@
        Return the minions found by looking via pillar
        r5r�r�rrr�_check_pillar_minionser�zCkMinions._check_pillar_minionscCr�)zJ
        Return the minions found by looking via pillar with PCRE
        r5Tr�r�r�rrr�_check_pillar_pcre_minionskr�z$CkMinions._check_pillar_pcre_minionscCr�)r�r5T)r�r�r�rrr�_check_pillar_exact_minionssr�z%CkMinions._check_pillar_exact_minionscCs�|j�dd�}|r|��}n|r|j�d�}nggd�S|r�|r'|j�d�}n|}|dur2|gd�S|}zt�|�}Wn'tybzt�|�}Wnty_t	�
d|�ggd�YYSwYnwd|j��}t|�}|D]O}|j�
d|��d	�}	|	dur�|s�|�|�qo|	�d
�}
|
dus�||
vr�d}nt|tjtjf�r�t|�|
|v}n
tjj�||
|�}|s�||vr�|�|�qot|�gd�S)z@
        Return the minions found by looking via ipcidr
        r0Fr1rbNzInvalid IP/CIDR target: %sZipvr2r3r4)r=r6rfr8r:r�
ip_address�	Exception�
ip_networkr!rI�versionrr;rUrJ�IPv4Address�IPv6AddressrKr7ry�networkZ	in_subnet)r[r_r`r�r1r��tgt�protor>r�r4rrrr�_check_ipcidr_minions{sT


���


�zCkMinions._check_ipcidr_minionscCs&tstd��t|d�stj�|jd�|_z|j�|�WStjj	y�}zht
�d|�|j�dd�}|rrg}t
jj�t�tj�|jd|j���D]}|�d�sftj�tj�|jd|j|��rf|�|�qJ|gd	�WYd
}~S|r�|j�d�gd	�WYd
}~Sggd	�WYd
}~Sd
}~ww)zJ
        Return the minions found by looking via range expression
        zYRange matcher unavailable (unable to import seco.range, module most likely not installed)�_rangeZrange_serverz%Range exception in compound match: %sr0FrorrrbNr1)�	HAS_RANGEr�hasattr�seco�rangeZRanger=r��expandZRangeExceptionr!rIr6r7ryr3r}rsr~rtr rZrQrrOr8r:)r[r_r`r�r��mlistr�rrr�_check_range_minions�s6�
��
���zCkMinions._check_range_minionscCs|j|||dd�S)zp
        Return the minions found by looking via compound matcher

        Disable pillar glob matching
        T)�pillar_exact)r]r�rrr�$_check_compound_pillar_exact_minions�sz.CkMinions._check_compound_pillar_exact_minionsc
Cs�t|t�st|ttf�st�d�ggd�St|���}t�d|�|j	�
di�}|j	�
dd��rG|j|j|j
|j|jd|j|j|jd�	}|rQ|j|d	<|j|d
<g}g}	gd�}
g}t|t�re|��}n|dd�}|�r|�d�}
t|
�}|
|
v�r\|�r#|d
dkr�|
dvr�t�d|
�ggd�S|
dkr�|d
dvr�|�d�|�d�|�tt|���|�d�|	�d��nQ|
dkr�|�d��nF|
dkr�|�d��n;|
dkr�|�|
�|	�|
��n+|
dk�r|	r�|	d
dkr�t�d|�ggd�S|�|
�|	��|	�r|	d
dk�r|�d�|	��n�t�d|�ggd�S|
dk�rA|�d�|�tt|���|�d�|	�d�n�|
dk�rQ|�|
�|	�|
�n�t�d|
�ggd�S|�r�|d�r�d|dk�rzt|d|�}|�ry||}qk|�
|d�}|�s�t�d|d|
�ggd�S|dg}|dd v�r�|�|d!�p�d"�|�|�d#|dk�r�|�|�o�|d
dk�||�}|�tt|d$���|�|d%�|	�r�|	d
dk�r�|�d�|	��n$|�|
d&�}|�tt|d$���|	�r|	d
dk�r|�d�|	��|sn|�d'd(�|	D��d)�|�}t�d*|�ztt|��}||d�WSt�yFt�d+|�ggd�YSwt|�gd�S),zJ
        Return the minions found by looking via compound matcher
        z6Compound target that is neither string, list nor tuplerbzminions: %srVr0FN)	�G�P�I�J�L�N�S�E�Rr�r�rAr���r)rBrCz(Invalid beginning operator after "(": %srD)�&�|rr��-rBrCr�r
z8Invalid compound expr (unexpected right parenthesis): %sz#Unhandled oper in compound expr: %sz-Expression may begin with binary operator: %sr)r�r+z:Unrecognized target engine "%s" for target expression "%s")r�r�r�r�r*�:r�r1rcTcSsg|]}d�qS)r
r�r�itemrrrresz5CkMinions._check_compound_minions.<locals>.<listcomp>� z+Evaluating final compound matching expr: %szInvalid compound target: %s)rJrKr:rMr!rIrrfr"r=r6r�r�r�r�rkr�rn�_all_minionsr�rL�popr/rOrSrRrgr �evalr�)r[r_r*r`r�r1rV�ref�resultsZ	unmatchedr%rcr$rWZtarget_infoZ
decomposedr)Zengine_argsZ_resultsrrrr]�s�

�











�


�





�
�



�
�d
�z!CkMinions._check_compound_minionsNc	Cs�t�}|j�dd�r�|j�d�}|dur|Stjj�t	|jd��}|j�dd�r6|�
tjj�|jd��}d|vrL|�d�|�
ttjjjdd	���d
|vrb|�d
�|�
ttjjjdd	���|rf|}|D]_}z|j�d|��d�}Wn	tyYqhw|dur�qh|�d
i�}|�dg�D]}	|	|vr�|r�|�||	f�n|�|�nq�|�dg�D]}
|
|vr�|r�|�||
f�n|�|�nq�qh|S)zV
        Return a set of all connected minion ids, optionally within a subset
        r0Fr1NZpublish_portZdetect_remote_minionsZremote_minions_portz	127.0.0.1)Zinclude_loopbackz::1r2r3r4�ipv4�ipv6)rr=r6r8r:r7ryr�Zlocal_port_tcp�int�unionZremote_port_tcp�discard�updateZip_addrsZ	ip_addrs6r;rrN)r[ZsubsetZshow_ipr1�search�addrsr>r�r4r�r�rrr�
connected_idsrsV�

�
�
��zCkMinions.connected_idscCsng}tjj�t�tj�|jd|j	���D]}|�
d�s1tj�tj�|jd|j	|��r1|�|�q|gd�S)z?
        Return a list of all minions that have auth'd
        rorrrb)
r7ryr3r}rsr~rtr r=rZrQrrO)r[r_r�r�rrrr��s��
�
zCkMinions._all_minions�globTc	Cs�z^|durd}t|d|�d�d�}|dvr||||�}n|||�}d|d<|j�dd�d	urVtd
t�rYtj�|j|j�dd��}|�||�}|r\|d
�	|�d	|d<W|SW|SW|SW|St
ytt�d||�ggd�}Y|Sw)a
        Check the passed regex against the available minions' public keys
        stored for authentication. This should return a set of ids which
        match the regex, this will then be used to parse the returns to
        make sure everyone has checked back in.
        Nr@Z_check_Z_minions)ZgrainZ
grain_pcrer5�pillar_pcrer��compound�compound_pillar_exactF�ssh_minionsZenable_ssh_minionsTr��rosterZflatr1z5Failed matching available minions with %s pattern: %srb)
�getattrr=r6rJrKr7r�ZRoster�targetsrRr�r!�	exception)	r[r_�tgt_typer*r`Z
check_func�_resr�r�rrr�
check_minions�s<


�
�
�
����zCkMinions.check_minionsc	Csnt|�|d��dg��}|dur|�||�}t|d�}nt|�}t|�|��}t|�t|�kr5|r5dS|S)ax
        Validate the target minions against the possible valid minions.

        If ``minions`` is provided, they will be compared against the valid
        minions. Otherwise, ``expr`` and ``tgt_type`` will be used to expand
        to a list of target minions.

        Return True if all of the requested minions are valid minions,
        otherwise return False.
        r�r1NT)rr�r6�bool�
differencerP)	r[�validr_r�r1Z	expr_form�	v_minionsr�Zd_boolrrr�validate_tgt�szCkMinions.validate_tgtc	Csng}t|t�r
|g}|D]$}zt�||�r|�d�n|�d�Wqty0t�d|�Yqw|o6t|�S)z�
        Validate a single regex to function comparison, the function argument
        can be a list of functions. It is all or nothing for a list of
        functions
        TFzInvalid regular expression: %s)	rJrKrrrOr�r!rI�all)r[Zregex�fun�vals�funcrrr�match_check�s

��zCkMinions.match_checkcCs�|}|��dvrd}n|��dkrd}|�||�}	t|	d�}
|�||�}	t|	d�}t|�|
��}|r8|r8dSt|t�sC|g}|g}t�}
i}|D]V}t|t�ra|D]}|�||�r_dSqSqJt|t	�rst
|�dkrst�d	|�qJ|
�
t|����|D]!}t|�|d��D]}||vr�||�||�q�||||<q�q~qJt�}|
D]
}|�
t|�|d���q�||r�dSz&|D] }g}t||�D]
\}}|�|�||��q�t|�s�WdSq�WdSty�YdSw)
N�r5r�r�r�r�r1FT�zMalformed ACL: %s)�lowerr�rr�r�rJr:rKr��dictrPr!�infor��keysrR�	enumeraterO�any�	TypeError)r[�	auth_list�funs�argsr�r��groups�publish_validate�
v_tgt_typer�r�r1�mismatchZallowed_minionsZauth_dictionaryZauth_list_entryr��keyrZallowed_minions_from_auth_listZ
next_entryr<r��numrrr�auth_check_expanded
sp+

�
�����zCkMinions.auth_check_expandedc
	Cs�|j�dd�r|�|||||||�S|rJ|}
|��dvrd}
n|��dkr'd}
|�||
�}t|d�}|�||�}t|d�}t|�|��}
|
rJdSt|t	�sU|g}|g}zwt
|�D]o\}}|	rh||	vrhWdS|D]^}t|t�r}|�||�r|WdSqjt|t
�r�t|�d	kr�qjtt|����}|j||||d
�r�||}|r�|dnd}t|t
�r�d
|vr�t	|�}|d=nd}|�|||||�r�WdSqjqZWdSty�YdSw)z�
        Returns a bool which defines if the requested function is authorized.
        Used to evaluate the standard structure under external master
        authentication interfaces, like eauth, peer, peer_run, etc.
        z"auth.enable_expanded_auth_matchingFr�r�r�r�r1Tr�rjr�NZ	__kwarg__)r=r6r�r�r�rr�r�rJr:r�rKr�r�rP�next�iterr�r��_CkMinions__fun_checkr�)r[r�r�r�r�r�r�r�r1Z	whitelistr�r�r�r�r�r��indr�Zfun_argsZ
fun_kwargsrrr�
auth_check�sf�


�
�
�����zCkMinions.auth_checkcCsFdd�|D�}|r!|D]}|�d�|vr ||D]}|�|�qq|S)��
        Returns a list of authorisation matchers that a user is eligible for.
        This list is a combination of the provided personal matchers plus the
        matchers of any group the user is in.
        cSsg|]	}|�d�r|�qS)�%)�endswithr�rrrr�rmz8CkMinions.fill_auth_list_from_groups.<locals>.<listcomp>r�)�rstriprO)r[�
auth_providerZuser_groupsr�Zgroup_namesZ
group_name�matcherrrr�fill_auth_list_from_groups�s�z$CkMinions.fill_auth_list_from_groupscCs�|durg}|dur|j�d�}d}|D].}|dkr|sq|�d�r1|�d�|vr0|�||�qtjj�||�rBd}|�||�q|sR|sRd|vrR|�|d�|S)r�NZpermissive_aclFrr�T)	r=r6r�r�rRr7ryZstringutilsZ
expr_match)r[r��namer�r�Z
permissiveZname_matchedrrrr�fill_auth_list�s&
��zCkMinions.fill_auth_listcCr�)�/
        Check special API permissions
        Zwheel��
spec_check�r[r�r�r�rrr�wheel_check�r�zCkMinions.wheel_checkcCr�)rZrunnerrrrrr�runner_check�r�zCkMinions.runner_checkc
	CsZ|sdS|dkr#|�d�}t|�dkrdddd�iS|d	}|d
}n|}}|D]�}t|t�rR|d	dkrQ|d
d�|ksN|d
d�|ksN|d|�d
�krQdSq)t|t�r�t|�d
kr^q)tt|����}	|	d	dkr�|	d
d�|kr�|�||	||�	d�|�	d��r�dS|	d
d�|ks�|	d|�d
�kr�|�||	||�	d�|�	d��r�dSq)dS)rFZcloudrrrFrIZSaltInvocationErrorz2A command invocation error occurred: Check syntax.)r��messagerr��@N�sT�arg�kwarg)
rLrPrJrKr�r�r�r�r�r6)
r[r�r�r�Zform�comps�mod_nameZfun_namer�r�rrrrsH
��

0�
� ��zCkMinions.spec_checkcCs�t|t�s|g}|D]7}t|t�r|�||�rdSq
t|t�rAt|�dkr'q
tt|����}|�||�rA|�	||||�rAdSq
dS)zn
        Check the given function name (fun) and its arguments (args) against the list of conditions.
        Tr�F)
rJr:rKr�r�rPr�r�r��_CkMinions__args_check)r[r�r�r��kwargs�condZ
fname_condrrrZ__fun_check.s$

�
��zCkMinions.__fun_checkcCs�t|t�s|g}|D]p}t|t�sq
|�dg�}d}t|�D]%\}}|dus,t|�|kr0d}n|dur5q|�|t||��sCd}nq|sGq
|�di�}	|	��D]#\}
}|dus]|
|vrad}n|durfqQ|�|t||
��std}nqQ|rzdSq
dS)z]
        valid is a dicts: {'args': [...], 'kwargs': {...}} or a list of such dicts.
        r�TNFr)	rJr:r�r6r�rPr�rK�items)r[r�r�rrZ	cond_argsZgood�iZcond_argZcond_kwargs�k�vrrrZ__args_checkFsD

���zCkMinions.__args_check)F)FF)NF)N)NN)r�NF)r�NFNN)#�__name__�
__module__�__qualname__�__doc__r\rargrkrnrfr�r�r�r�r�r�r�r�r�r]r�r�rr�r�r�r�r�r�rrrrr�rrrrrrX�s\		
�
 
�86	
�

4
�
,
�}
�L
�
,rX)NT)$rrd�loggingrsrZ
salt.cacher7Zsalt.payloadZsalt.rosterZsalt.transportZsalt.utils.dataZsalt.utils.filesZsalt.utils.networkZsalt.utils.stringutilsZsalt.utils.versionsZsalt._compatrZ
salt.defaultsrZsalt.exceptionsrrr�Z
seco.ranger��ImportError�	getLoggerrr!rr,r(r/r?rSrXrrrr�<module>sB�
�#
N