HEX

File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/__pycache__/key.cpython-310.pyc
o

�N�g8}�@s�dZddlZddlZddlZddlZddlZddlZddlZddl	Zddl
ZddlZddlZddl
ZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZe�e�Zdd�ZGdd�d�ZGdd�d�ZdS)	z�
The Salt Key backend API and interface used by the CLI. The Key class can be
used to manage salt keys directly without interfacing with the CLI.
�NcCst|�S�N)�Key��opts�r�</opt/saltstack/salt/lib/python3.10/site-packages/salt/key.py�get_key"src@sbeZdZdZddddd�Zdd�Zd	d
�Zdd�Zddd�Zddd�Z	dd�Z
dd�Zdd�Zd
S)�KeyCLIz#
    Manage key CLI operations
    �list_status�
delete_key�gen_keys_signature�key_str)�list�delete�
gen_signature�printcCs:||_tj�|�|_t|_|�d�s|�|�|_d|_dS)N�eauth)	r�saltZwheelZWheelClient�clientr�key�get�auth)�selfrrrr�__init__2s

zKeyCLI.__init__cCs�dD]	}|j|rnq|�d�s^|dkrd|jd<n|�d�r&d|jd<n|j||jd<|�d�rF|jd	p<|jd
|jd
<d|jd<n,|�d
�r]|jd	pT|jd|jd<d|jd
<n|dkrr|jd|jd<|jd|jd<|�dd�|jd<dS)N)�gen_keysrr�list_allrZ	print_all�accept�
accept_all�reject�
reject_allr�
delete_all�finger�
finger_allrZgen_r�all�matchZ_all�*rZinclude_all�include_rejectedF�include_acceptedrr�gen_keys_dir�keydir�keyname��fun)r�
startswith�endswith�replace)r�cmdrrr�_update_opts;s.
�


�
�
�zKeyCLI._update_optscCsz|jrdSi}|jddk}|jdr�d|jvrVz-tjj�tj�|jdd�d��}tjj	�
|���|d<Wd�n1s?wYWntyU|jd|d<Ynwd|vr�d|vr�|jdr�tj�
|j�}|�|jd�}|jdr�|r�|�|jd|�}|r�|�dd�|d<|s�t�d	�iS|�|�|jd|d<ntjj��|d
<tjj�|d
|j|�|d<||_dS)Nrr+�token�cachedirz	.root_key�rrZmktokenzAuthentication failed�user)rrr�utils�files�fopen�os�path�join�stringutils�
to_unicode�readline�OSErrorZResolverZcliZ	token_clir�log�error�updater5Zget_specific_userZmasterZget_master_key)r�lowZskip_perm_errors�fp_Zresolver�res�tokrrr�
_init_authhsF

����

��
zKeyCLI._init_authNcCs�tjj�|�}|dur4g}|jr-t�t|j�t|jpd��D]\}}|�|j	�
||��q|ddd�}|jdur?i}||fStj�
||�\}}||fS)Nr���)rr6�argsZget_function_argspec�	itertools�zip_longest�reversed�defaults�appendrr�keywords�minionZload_args_and_kwargs)rr,rIZargspec�arg�default�kwargsrrr�_get_args_kwargs�s�
�zKeyCLI._get_args_kwargscCs|j�d�s7|j�||�}t|j|�}|�||�\}}||i|��}t|t�r5d|vr5|dvr5|�dd�|S|dvrI|durI|j�di��d�}d|��}|j	j
|}|�||�\}}|||d�}|��|�|j
�|j	�|�}|d	d
}t|t�r�d|vr�|dvr�|�dd�|S)Nr�local)r!r"�rrr�
match_dict�minionszkey.)r,rQ�kwarg�data�return)rr�CLI_KEY_MAP�getattrrrT�
isinstance�dict�poprZ	functionsrGrBrZcmd_sync)rr0rIr,rS�retZfstrrCrrr�_run_cmd�s<�
��zKeyCLI._run_cmdcCs�|�d�r|Si}|jj|vr||jj||jj<|jdr1t|�|jj��r1||jj||jj<|jdrIt|�|jj��rI||jj||jj<|jdrat|�|jj��ra||jj||jj<|S)Nrr'r&�include_denied)	r-r�PENDr�boolr�ACC�REJ�DEN)rr0ra�keysrrr�_filter_ret�s
zKeyCLI._filter_retcCs�dg}|jdr
|�d�|jdr|�d�|jdr!|�d�t|�dkr,|d	}nd
�d�|dd��|d�}d
|�d|�d�}t|�dS)NZ
unacceptedr'Zacceptedr&ZrejectedrcZdenied�rz{} or {}z, rHzThe key glob 'z' does not match any z keys.)rrN�len�formatr;r)rr0r$ZstatusesZstat_str�msgrrr�_print_no_match�s






zKeyCLI._print_no_matchc
Cs&|��|jd}d}d}z�|dvr�|�d�}t|t�s)tjj|d|jd�|WS|�||�}|s=|�	||jd�WdSt
d�|�d	���tjj|d|jd�|j�
d
d�s|z|�d�rgtd
�}|sfd}ntd�}|sod}Wnty{td��w||jd<|j�dd�|}|dus�|���d�r�|�|�}|dvr�|dkr�|}|��D]}|D]
}t
d�||�d	���q�q�W|St|t�r�tjj|d|jd�W|Stjjd|id|jd�W|SW|Stjj�y}z"|�}|j�
dd��stj�|d|j�WYd}~|SWYd}~|Sd}~ww)z+
        Run the logic for saltkey
        r,NrV�
name_matchrrr$z(The following keys are going to be {}ed:�eZyesFrzProceed? [N/y] �nzProceed? [n/Y] �yz
Exiting on CTRL-crWzKey for minion {} {}ed.r[�quiet�nested)r1rrbr^r_r�outputZdisplay_outputrjrorrm�rstriprr-�input�KeyboardInterrupt�
SystemExitr`�lower�values�
exceptionsZ
SaltException)rr0ZveriraZlist_retrXrP�excrrr�run�s�


�
���


����
����
���z
KeyCLI.runr)
�__name__�
__module__�__qualname__�__doc__r\rr1rGrTrbrjrorrrrrr	&s�	-
(
*r	c@seZdZdZdZdZdZdZd>dd�Zd	d
�Z	dd�Z
d?d
d�Zdd�Z	d@dd�Z
d>dd�Zdd�ZdAdd�Zdd�Zdd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Z	dBd(d)�Zd*d+�Z	dCd,d-�Zd.d/�Zd0d1�Z	dBd2d3�Zd4d5�Zd>d6d7�Zd>d8d9�Z d:d;�Z!d<d=�Z"dS)Drz6
    The object that encapsulates saltkey actions
    rX�minions_pre�minions_rejected�minions_deniedNcCs~||_|j�dd�}|tjjjvr d|�d�}t�|�t|��tjj	j
||d|d|d�|_	tjj�|j�d�|j�|_
dS)	NZ__roler+zInvalid application kind = 'z'.�sock_dirF)r�listen�io_loopZsigning_key_pass)rrrr6ZkindsZ
APPL_KINDSr@rA�
ValueError�eventZ	get_eventZsdbZsdb_get�
passphrase)rrr��kindZemsgrrrr6s 
�
�zKey.__init__cCsdtj�|jd|j�}tj�|jd|j�}tj�|jd|j�}tj�|jd|j�}||||fS)z8
        Return the minion keys directory paths
        �pki_dir)r9r:r;rrfrdrgrh)rZminions_acceptedr�r�r�rrr�_check_minions_directoriesIs
zKey._check_minions_directoriescCs\|sd|jvr
|jd}n|jd}|s!d|jvr|jd}nd}|s(|jd}||||fS)Nr(r�rrP�keysizer�rr)r*r�r5rrr�_get_key_attrsTs



zKey._get_key_attrscCsJ|�||||�\}}}}tj�|||||j�tjj�tj�	||d��S)z4
        Generate minion RSA public keypair
        �.pub)
r�r�cryptrr�r6�
pem_fingerr9r:r;r�rrrrcs
�zKey.gen_keyscCstj�||||j�S)�6
        Generate master public-key-signature
        )rr�rr�)rZprivkeyZpubkeyZsig_pathrrrrmszKey.gen_signatureFc
Csj|rtj�|�sd|�d�Sn|jddd}tj�|�r |}|r/tj�|�s.d|�d�Sn|jddd}tj�|�r@|}|s||rzt�d|jd	|jd�tj�|jd|jd	|pb|jd
|j�	d�|j
�|jdd|jd	d}nd
S|s�dSt�d|�t�d|�|r�tj�|�s�t�d|�n|jd}|d|jd}t|j�}	|	�
|||�S)r�zPublic-key z does not existr��/z
master.pubzPrivate-key zmaster_sign.pemz+Generating new signing key-pair .%s.* in %sZmaster_sign_key_namer�r5�.pemzNo usable private-key foundzNo usable public-key foundzUsing public-key %szUsing private-key %sz"target directory %s does not existZmaster_pubkey_signature)r9r:�isfilerr@�debugrr�rrr��isdirrr)
rZprivZpubZsignature_pathZauto_creater�ZmpubZmprivZ	sign_pathZskeyrrrrssb���
�	�����

zKey.gen_keys_signaturecCs*|durg}|��}g}|��D]	\}}|�|�q|j�dd�s�tj�|jd|j�}tj�	|�rht�
|�D]0}||vrg||vrgzt�tj�||��Wq7t
yf}z
t�d||�WYd}~q7d}~wwq7tj�|j�}	|	�|j�}
|
r�|
D]}||vr�||vr�|	�|j�d|���qydSdSdS)z�
        Check the minion cache to make sure that old minion data is cleared

        Optionally, pass in a list of minions which should have their caches
        preserved. To preserve all caches, set __opts__['preserve_minion_cache']
        NZpreserve_minion_cacheFr3z2Key: Delete cache for %s got OSError/IOError: %s 
r�)�	list_keys�items�extendrrr9r:r;rfr��listdir�shutil�rmtreer?r@�warningr�cache�factoryr�flush)r�preserve_minionsrirXr�valZm_cacherP�exr�Zclistrrr�check_minion_cache�sB������zKey.check_minion_cachecCs$tj�tj�|jdd��sdSdS)z~
        Log if the master is not running

        :rtype: bool
        :return: Whether or not the master is running
        r�zpublish_pull.ipcFT)r9r:�existsr;r�rrrr�check_master�szKey.check_masterc	Cs�|r|��}n|��}i}d|vrt|t�r|�d�}|��D]C\}}tjj�	|�D]7}t|t
�rL|D]}t�||�rJ||vrCg||<||�|�q3q*t�||�ra||vrZg||<||�|�q*q|S)zY
        Accept a glob which to match the of a key and return the key's location
        �,)
�all_keysr�r^�str�splitr�rr6rZ�sorted_ignorecaser�fnmatchrN)	rr$�full�matchesra�statusrirZ
match_itemrrrrp�s.


����zKey.name_matchc	Cszi}|��}|��D]0\}}tjj�|�D]$}|j|j|j|j	fD]}|r8t
�|�|g�|�r8|�
|g��|�q!qq
|S)zh
        Accept a dictionary of keys and return the current state of the
        specified keys
        )r�r�rr6rZr�rfrdrgrhr��filterr�
setdefaultrN)rrWraZcur_keysr�rirr)rrr�
dict_match�s���zKey.dict_matchcCsndgi}tjj�t�|jd��D]#}|�d�s|�d�r4tj�	|jd|�}tj�
|�r4|d�|�q|S)z-
        Return a dict of local keys
        rUr�r�r�)rr6rZr�r9r�rr.r:r;r�rN)rra�fn_r:rrr�
local_keyss�zKey.local_keysc	Cs�|��}i}|D]G}|durqg|tj�|�<z/tjj�t�|��D]"}|�	d�sDtj�
tj�||��rD|tj�|��tjj
�|��q"WqtyOYqw|S)zK
        Return a dict of managed keys and what the key status are
        N�.)r�r9r:�basenamerr6rZr�r�r-r�r;rNr<r=r?)rZkey_dirsraZdir_r�rrrr�s&
����z
Key.list_keyscCs|��}|�|���|S)z4
        Merge managed keys with local keys
        )r�rBr�)rrirrrr�/szKey.all_keyscCs�|��\}}}}i}|�d�rAg|tj�|�<tjj�t�	|��D]}|�d�s>tj�
tj�||��r>|tj�|��|�q!|S|�d�sK|�d�r}g|tj�|�<tjj�t�	|��D]}|�d�sztj�
tj�||��rz|tj�|��|�q]|S|�d�r�g|tj�|�<tjj�t�	|��D]}|�d�s�tj�
tj�||��r�|tj�|��|�q�|S|�d�r�|dur�g|tj�|�<tjj�t�	|��D]}|�d�s�tj�
tj�||��r�|tj�|��|�q�|S|�d�r�|�
�S|S)	zD
        Return a dict of managed keys under a named status
        �accr��preZun�rej�denNr#)r�r-r9r:r�rr6rZr�r�r�r;rNr�)rr$r�r�r�r�rar�rrrr
7sJ

��
�
�
�	�
�
�zKey.list_statusc
Cs�i}|�|���D]B\}}i||<tjj�|�D]2}tj�|j	d||�}tjj
�|d��}tjj�
|���|||<Wd�n1sEwYqq	|S)zI
        Return the specified public key or keys based on a glob
        r�r4N)rpr�rr6rZr�r9r:r;rr7r8r<r=�read)rr$rar�rirr:rDrrrr
Ys���zKey.key_strc
Cs�i}|����D]B\}}i||<tjj�|�D]2}tj�|j	d||�}tjj
�|d��}tjj�
|���|||<Wd�n1sDwYqq|S)z0
        Return all managed key strings
        r�r4N)r�r�rr6rZr�r9r:r;rr7r8r<r=r�)rrar�rirr:rDrrr�key_str_allfs���zKey.key_str_allc
Csx|dur
|�|�}n|durt|t�r|}ni}|jg}|r$|�|j�|r,|�|j�g}|D]e}|�|g�D]\}	tj	�
|jd||	�}
ztj
�|
�Wntjjyet�d|	�|�||	f�Yq8wz%t�|
tj	�
|jd|j|	��dd|	d�}|j�|tjjjdd��Wq8ty�Yq8wq0|D]\}}	||�|	�tj�d	|	�d
��q�|dur�|�|�S|�|�S)z�
        Accept public keys. If "match" is passed, it is evaluated as a glob.
        Pre-gathered matches can also be passed via "match_dict".
        Nr�zInvalid RSA public key: %sTr��resultZact�idr��prefixz!Unable to accept invalid key for z.
) rpr^r_rdrNrgrhrr9r:r;rrr�Zget_rsa_pub_keyr}ZInvalidKeyErrorr@rAr��moverfr��
fire_eventr6�tagifyr?�remove�sys�stderr�writer�)rr$rWr&rcr��keydirsZinvalid_keysr)rZkey_path�eloadrrrrssH����z
Key.acceptc	Cs�|��}||jD]:}z/t�tj�|jd|j|�tj�|jd|j|��dd|d�}|j	�
|tjj	j
dd��Wq	tyCYq	w|��S)z(
        Accept all keys in pre
        r�Trr�rr�)r�rdr�r�r9r:r;rrfr�r�rr6r�r?�rrirr�rrrr�s��zKey.accept_allcCs�|dur
|�|�}n|durt|t�r|}ni}tjj|jd��l}|��D]_\}}|D]X}	zM|rX|j�d�dur=t	d�nz|�
|	d�WntjjyWt	d�
|	��Ynwt�tj�|jd||	��d	d
|	d�}
|j�|
tjjjdd
��Wq+ty�Yq+wq%Wd�n1s�wY|j�d�d	ur�|j|�dg�d�n|��|j�d�r�tj�|jd|jd�|dur�|�|�S|�|�S)z�
        Delete public keys. If "match" is passed, it is evaluated as a glob.
        Pre-gathered matches can also be passed via "match_dict".

        To preserve the master caches of minions who are matched, set preserve_minions
        N)Zmopts�rotate_aes_keyFz�Immediate auth revocation specified but AES key rotation not allowed. Minion will not be disconnected until the master AES key is rotated.zsaltutil.revoke_authz�Cannot contact Salt master. Connection for {} will remain up until master AES key is rotated or auth is revoked with 'saltutil.revoke_auth'.r�Trr�rr�r�rX)r�r3r5)rpr^r_rrZget_local_clientrr�rrZ	cmd_asyncr}ZSaltClientErrorrmr9r�r:r;r�r�r6r�r?r�r��dropfiler�)rr$rWr�Zrevoke_authr�rr�rirr�rrrr�sN	��������zKey.delete_keyc
Cs�|��}|����D]8\}}||jD].}z#t�tj�|jd||��dd|d�}|j�	|t
jjjdd��Wqt
yAYqwq
|��|��S)z(
        Delete all denied keys
        r�Trr�rr�)r�r�rhr9r�r:r;rr�r�rr6r�r?r�)rrir�rr�rrr�
delete_den�s��zKey.delete_denc
Cs�|����D]5\}}|D].}z#t�tj�|jd||��dd|d�}|j�|t	j
jjdd��Wqty:Yqwq|�
�|j�d�rSt	j�|jd|jd	�|��S)
z!
        Delete all keys
        r�Trr�rr�r�r3r5)r�r�r9r�r:r;rr�r�rr6r�r?r�rr�r�)rr�rirr�rrrr �s��zKey.delete_allc

Cs,|dur
|�|�}n|durt|t�r|}ni}|jg}|r$|�|j�|r,|�|j�|D]B}|�|g�D]9}z.t�	t
j�|j
d||�t
j�|j
d|j|��dd|d�}	|j�|	tjjjdd��Wq6tyoYq6wq.|��|j
�d�r�tj�|j
d	|j
d
�|dur�|�|�S|�|�S)z�
        Reject public keys. If "match" is passed, it is evaluated as a glob.
        Pre-gathered matches can also be passed via "match_dict".
        Nr�Trr�rr�r�r3r5)rpr^r_rdrNrfrhrr�r�r9r:r;rrgr�r�rr6r�r?r�r�r�r�)
rr$rWr'rcr�r�r)rr�rrrrs6���
z
Key.rejectc	Cs�|��}||jD]:}z/t�tj�|jd|j|�tj�|jd|j|��dd|d�}|j	�
|tjj	j
dd��Wq	tyCYq	w|��|j�d�r[tj�|jd|jd	�|��S)
z(
        Reject all keys in pre
        r�Trr�rr�r�r3r5)r�rdr�r�r9r:r;rrgr�r�rr6r�r?r�rr�r�r�rrrr$s ��zKey.reject_allc	Cs�|durtd}|�|d�}i}|��D]4\}}i||<|D])}|dkr/tj�|jd|�}ntj�|jd||�}tjj	j
||d�|||<qq|S)z<
        Return the fingerprint for a specified key
        N�	hash_typeTrUr��Zsum_type)�__opts__rpr�r9r:r;rrr6r�r�)	rr$r�r�rar�rirr:rrrr!8s�z
Key.fingercCs�|durtd}i}|����D]4\}}i||<|D])}|dkr+tj�|jd|�}ntj�|jd||�}tjj	j
||d�|||<qq|S)z2
        Return fingerprints for all keys
        Nr�rUr�r�)r�r�r�r9r:r;rrr6r�r�)rr�rar�rirr:rrrr"Ks�zKey.finger_allcCs|Srrr�rrr�	__enter__]sz
Key.__enter__cGs|j��dSr)r�Zdestroy)rrIrrr�__exit__`szKey.__exit__r)NNNN)FN)F)NNFF)NNNF)#r�r�r�r�rfrdrgrhrr�r�rrrr�r�rpr�r�r�r�r
r
r�rrrr�r rrr!r"r�r�rrrrr,sJ



�
C"
"

�*
�3
�"

r)r�r�rJ�loggingr9r�r�Z
salt.cacherZsalt.clientZ
salt.cryptZsalt.daemons.masterapiZsalt.exceptionsZsalt.minionZsalt.utils.argsZsalt.utils.cryptZsalt.utils.dataZsalt.utils.eventZsalt.utils.filesZsalt.utils.jsonZsalt.utils.kindsZsalt.utils.masterZsalt.utils.sdbZsalt.utils.stringutilsZsalt.utils.user�	getLoggerr�r@rr	rrrrr�<module>s<