HEX
Server: Apache
System: Linux server2.voipitup.com.au 4.18.0-553.109.1.lve.el8.x86_64 #1 SMP Thu Mar 5 20:23:46 UTC 2026 x86_64
User: posscale (1027)
PHP: 8.2.30
Disabled: exec,passthru,shell_exec,system
File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/__pycache__/vault.cpython-310.pyc