o

�N�g.X�@s�dZd
dl
Z
d
dlZd
dlZd
dlZd
dlZd
dlZd
dlZd
dlZ	d
dl
Z	d
dlZ	d
dlZ	e�
e�
Zdadd�Zdd�Zdd�Zd	d
�Zdd�Zd
d�Zdd�Z					d!dd�
Zdd�Zdd�Zdd�Zd"dd�
Zdd�Zdd �ZdS)#z�
:maintainer:    SaltStack
:maturity:      new
:platform:      all

Utilities supporting modules for Hashicorp Vault. Configuration instructions are
documented in the execution module docs.
�Nc

Csfztst
j�t�
at�d
�
�tj�

WdSWdSt	y2
}
zt
jd|dd�
WYd}~dSd}~w
w)N�requestsTzCould not load __salt__: %s)
�exc_infoF)�__salt__�salt�loaderZminion_mods�__opts__�logging�	getLogger�setLevel�WARNING�	Exception�log�error)
�
e�r�D/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/vault.py�__virtual__s



��

��rc	Cs�
td
}t
d}
zt
�di��di��dd�}t
�di��di��dd�}Wnttfy5


d}d}Yn
wt
�dd	�d	kra|
�d
�}t�d|�
t�t	j
�||��
}tdd
||d||gd�}n"|
�d�}t�d||�
t�t	j
�||��
}tdd
||d||d�}|s�t�
d�

t	j�|�
�
t|t�s�t�
d|�
t	j�|�
�
d|vr�t�
d|d�
t	j�|�
�
d|�dd�vr�t�d�

itd<|d|d|�dd�|�d �
|�dd!�|d"|d#d$�S)%z`
    Get a token with correct policies for the minion, and the url to the Vault
    service
    �id�pki_dir�vault�auth�usesN�ttl�__role�minionz/minion.pemz4Running on minion, signing token request with key %szpublish.runnerzvault.generate_tokenF)
�argz/master.pemz;Running on master, signing token request for %s with key %szsaltutil.runnerT)�	minion_id�	signatureZimpersonated_by_masterrrz`Failed to get token from master! No result returned - is the peer publish configuration correct?z;Failed to get token from master! Response is not a dict: %srz:Failed to get token from master! An error was returned: %s�sessionZ
token_backendz+Using session storage for vault credentials�vault_secret_path_metadata�url�token�verify�	namespace�
�lease_duration�issued)r r!r"r#rr%r&)�
__grains__r�get�	TypeError�AttributeErrorr
�debug�base64�	b64encoderZcryptZsign_messagerr�
exceptions�CommandExecutionError�
isinstance�dict�__context__)rrrrZprivate_keyr�resultrrr�_get_token_and_url_from_master,sp

 


�





�




�






�

�







�










�r4cCs�d
d�}td�
d�
}
|
r&|
dv
rt�d�

dS|
dkr|�S|
d	kr&t�SdtvrAt�
d
d�d	krAdtvr>t�d
�

t�S|�Stt�
dd�t�
dd�dkt�
dd�dkf�
r[|�St�d
�

t�S)z
    Get the connection details for calling Vault, from local configuration if
    it exists, or from the master otherwise
    c
Sst�
d
�

td�d�
}z�tddddkr�td�dd�}
t�r�t�
d�

d	�tdd
�
}dtdddi
}dtddvrLtddd|d<|du
r_d
|i
}tj||||
dd�}n	tj|||
dd�}|jdkrud}t	j
�|�
�
|��ddtddd<tddddkr�td�dd�}
t
�r�d�tdd
�
}dtdddi
}|du
r�||d
<tj|||
dd�}|jdkr�d}t	j
�|�
�
|��ddtddd<tdd
|tdddtd�dd�ttt���
�
dd�WSt�
y
}
zd�|�
}t	j
�|�
�
d}~w
w)Nz0Using Vault connection details from local configrr#r�methodZapproler"z#Vault token expired. Recreating onez{}/v1/auth/approle/loginr Zrole_idZ	secret_id�X-Vault-Namespace�x)�headers�jsonr"�timeout)r9r"r:��z4An error occurred while getting a token from approleZclient_tokenr!Z
wrapped_tokenz{}/v1/sys/wrapping/unwrap�
X-Vault-Token�r8r"r:z-An error occured while unwrapping vault tokeni)r r#r!r"r&rzEMinion has "vault" config section, but could not find key "{}" within)r
r+rr(�_selftoken_expired�formatr�post�status_coderr.r/r9�_wrapped_token_valid�int�round�time�KeyError)r#r"r �payloadr8�response�errmsg�errrrr�_use_local_configzsv


















�
�





�







�





�





�

���z/get_vault_connection.<locals>._use_local_configrZconfig_location)�local�masterz.config_location must be either local or masterFrLrMrrrz.Contacting master for Vault connection detailsNZfile_clientZmaster_type�disable)rr(r
rr4r'r+�any)rKZconfigrrr�get_vault_connectionts0?
















��

rPc
Cs\t�
d
�

dtvrtd=t�
d�

tj�tdd�}tj�|�
r't�|�

dSt�
d�

dS)z
    Delete cache
    zDeleting session cache�vault_tokenzDeleting cache file�cachedir�salt_vault_tokenz<Attempted to delete vault cache file, but it does not exist.N)	r
r+r2�os�path�joinr�exists�remove)
�
cache_filerrr�	del_cache�s





rZc
CsB
|�d
d�dkrd|v
rd|v
rt
�d�

|td<dSdtvr.d|v
r.t
�d	�

|td<dSdtvr4dStjtd
d�
\}
}tj�	td
d�}zGt
�d
�

|�d
�
dkrYd|d<nd|d<t
jjj
|ddd��}|�t
jj�|�
�

Wd�
n1s|w



Y
t�|
�

t�||�
WdSty�


t
jdtjd�
YdSw)z(
    Write the vault token to cache
    rNr$�unlimited_use_tokenrz"Not caching vault single use tokenrQTz#Storing token only for this sessionrR)
�dirrSzWriting vault cache filer
F�
wi�
)
�modez!Failed to cache vault information)
Zexc_info_on_loglevel)r(r
r+r2�tempfileZmkstemprrTrUrVr�utils�filesZfpopen�writer9�dumps�close�rename�OSErrorrr�DEBUG)�
connectionZtemp_fpZ	temp_filerYZfp_rrr�write_cache�s@


















�




��ricCspz,tj
�td
d�}tjj�|d��}
tjj�	|
�
Wd�
WS1s%w



Y
WdSt
y7


iYSw)z'
    Return contents of cache file
    rRrS�
rN)rTrUrVrrr`raZfopenr9�load�FileNotFoundError)rY�contentsrrr�_read_cache_file
s


(�
�rncCs�d
d�}t�}
|
r
d|
v
r|�Sd|
vr|
d}n|
d}|
d|d}t
tt���
�
}||kr>t�d||�
t�
|�St�d	||�
|
S)
z=
    Return connection information from vault cache file
    cSst�
d
�

t�}t|�
}
|S)NzRefreshing token)r
r+rPri)rhZwrite_statusrrr�_gen_new_connection(
s




z&get_cache.<locals>._gen_new_connectionr r%rr&�
z*Cached token has expired %s < %s: DELETINGzToken has not expired %s > %s)rnrCrDrEr
r+rZ)rorhrZttl10Zcur_timerrr�	get_cache#
s








rqFc	Ks�
d
tvr	td
}nt
�}|s|dn
|}|s|dn
|}|p"|�d�
}d|v
r@z
t�d�
�dd�|d<Wnttfy?


Yn
wd|v
rHd	|d<|�d
|
��}	t|�
dd�}
|du
r^||
d
<tj||	fd|
i
|�
�
}|j	s�|�
��dd�dg
kr�t�d�

t
�
|s�t�d�

t||
fd||dd�|�
�
}nt�d|j�
|S|j	s�t�d|j�
|Sd|vr�|�d�
s�|
�d�
s�t�d|
�
|dd8<|ddk
r�t�d�

d
tv
r�t
�
nt�d�

td
=nt�d|d�
t|�

|r�|||fS|S) z!
    Make a request to Vault
    rQr!r r#r"rNr:r7�
/zapplication/json)r<zContent-Typer6r8�errorszpermission deniedzPermission denied from vaultzRetrying with new credentialsT)r!�	vault_url�
get_token_url�retryz%Unable to connect to vault server: %szError from vault: %srr[zv1/sysz4Decrementing Vault uses on limited token for url: %sr$r
z#Cached token has no more uses left.zDeleting token from memoryzToken has %s uses left)r2rqr(rr)r*�strr�request�okr9r
�inforZr+�make_requestr�text�
startswithri)r5Zresourcer!rtr#rurv�argsrhr r8rHrrrr{E
s�








�






�
�
�








�


��





��










r{c
Cs�zItd
�
dd�}td
�
d�
}
d�td
d�
}dtd
dv
r$Wd	Sd
td
ddi
}|
du
r6|
|d<tj
|||dd
�}|jdkrGWd	SWdSty^
}
z	tj�d|���
�
d}~w
w)z>
    Validate the current token exists and is still valid
    rr"Nr#z{}/v1/auth/token/lookup-selfr r!rTr<r6r7r=r;Fz$Error while looking up self token : )	rr(r?rrArrr.r/�r"r#r r8rHrrrrr>�
�&














���r>c
Cs�zItd
�
dd�}td
�
d�
}
d�td
d�
}dtd
dv
r$Wd	Sd
td
ddi
}|
du
r6|
|d<tj|||dd
�}|jdkrGWd	SWdSty^
}
z	tj�	d|���
�
d}~w
w)z>
    Validate the wrapped token exists and is still valid
    rr"Nr#z{}/v1/sys/wrapping/lookupr r!rFr<r6r7r=r;Tz'Error while looking up wrapped token : )
rr(r?rr@rArrr.r/rrrrrB�
r�rBc
Cs�d
|||dd�}
t|�
}|s|
S|�
dd�|
d<|
ddkrW|ddu
rW|�
di��
dd�d	vrWd
|
d<t||�
d|��|
d
<t||�
d|�d�|
d<t||�
d|�d�|
d<|
S)z�
    Determines if a given secret path is kv version 1 or 2

    CLI Example:

    .. code-block:: bash

        salt '*' vault.is_v2 "secret/my/secret"
    FN)�v2�data�metadata�delete�typer�Zkv�options�version�
1)
�
2Tr�rUr�r��destroy)�_get_secret_path_metadatar(�_v2_the_path)rU�retZ
path_metadatarrr�is_v2�
s








�
r�r�cCs�gd
�
}||vs
J�
d�||�}|�
d�
�d�
}|
�
d�
�d�
}
|
d|}|d|kr0|dn|d}|
d|}|�|�
rN|�||d�}d�|||�}n|�|�
sed�||�|
|d��}|�|
|d�}t�|�

|S)z�
    Given a path, a filter, and a path type, properly inject 'data' or 'metadata' into the path

    CLI Example:

    .. code-block:: python

        _v2_the_path('dev/secrets/fu/bar', 'dev/secrets', 'data') => 'dev/secrets/data/fu/bar'
    )r�r�r�zEPath {} already contains {} in the right place - saltstack duct tape?rrr
r$z:Path is a "{}" type but "{}" type requested - Flipping: {}zConverting path to v2 {} => {})r?�rstrip�lstripr}�replacer
r+)rUZpfilter�ptypeZpossible_types�msgZtogetherZotype�otherrrrr��
s.


��






�


�

r�c

sX
d
}
|
tvrt|
}nt
�}|
|v
ri||
<d}��t||
���
�
r:t�d��
t�f
dd�||
��D�
�
}|St�d��
zNd���}t	d|�}|j
rR|��
|���
d	d
�r�t�d��
|��d	}d|v
r~|
tvrst|
}nt
�}|
|v
r~i||
<|||
�<t|�

W|S|���
ty�
}
zt�d
t|�
j|�
WYd}~|Sd}~w
w)z�
    Given a path, query vault to determine mount point, type, and version

    CLI Example:

    .. code-block:: python

        _get_secret_path_metadata('dev/secrets/fu/bar')
    rNzFound cached metadata for %sc
3s"�|]\}
}��|
�
r|V
qdS)
N)
r})�.0�
k�
v�
rUrr�	<genexpr>#s� z,_get_secret_path_metadata.<locals>.<genexpr>zFetching metadata for %szv1/sys/internal/ui/mounts/ZGETr�FzGot metadata for %sr z$Failed to get secret metadata %s: %s)r2rnr}�tuple�keysr
r+�next�itemsr{ryZraise_for_statusr9r(rirrr��__name__)rUZckeyZ
cache_contentr�r rHrJrr�rr�sF







�

















�


��r�c

s�g}t�
�}|���
D]>\}}}}|d
urq|�|d
|
�\}}t|t�rId|�d��
��
fdd�|D�
}|D]}t|f
i|
�
�
}	||	7}q6|
Sq�g
S)a�
    Expands the pattern for any list-valued mappings, such that for any list of
    length N in the mappings present in the pattern, N copies of the pattern are
    returned, each with an element of the list substituted.

    pattern:
        A pattern to expand, for example ``by-role/{grains[roles]}``

    mappings:
        A dictionary of variables that can be expanded into the pattern.

    Example: Given the pattern `` by-role/{grains[roles]}`` and the below grains

    .. code-block:: yaml

        grains:
            roles:
                - web
                - database

    This function will expand into two patterns,
    ``[by-role/web, by-role/database]``.

    Note that this method does not expand any non-list patterns.
    N�
{�
}c
sg|]
}
���
t
|
�
��qSr)r�rw)r��elem��patternr!rr�
<listcomp>jsz(expand_pattern_lists.<locals>.<listcomp>)�string�	Formatter�parse�	get_fieldr0�list�expand_pattern_lists)
r�ZmappingsZexpanded_patterns�
f�
_�
field_name�valueZexpandedZ
expanded_itemr3rr�rr�@s
	











�r�)NNNFF)
r�)�__doc__r,rrTr�r_rErZ
salt.cryptrZsalt.exceptionsZsalt.utils.jsonZsalt.utils.versionsr	r�r
rrr4rPrZrirnrqr{r>rBr�r�r�r�rrrr�<module>
sB	









Hb0%




�Q
(4