HEX

File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/channel/__pycache__/server.cpython-310.pyc
o

�N�g|��@s�dZddlZddlZddlZddlZddlZddlZddlZddl	Zddl
ZddlZddlZddl
ZddlZddlZddlZddlZddlZddlmZmZddlmZe�e�ZGdd�d�ZGdd�d�ZdS)	z�
Encapsulate the different transports available to Salt.

This includes server side transport, for the ReqServer and the Publisher
�N)�SaltDeserializationError�UnsupportedAlgorithm)�CacheClic@s�eZdZdZedd��Zedd��Zdd�Zdd	�Zd
d�Z	e
jjj
jdd
��Zdde
jje
jjfdd�Zdd�Zdd�Zdd�Zddd�Zdd�ZdS)�ReqServerChannelzK
    ReqServerChannel handles request/reply messages from ReqChannels.
    cKs:d|vrd|vr|d|d<tjj|fi|��}|||�S)N�
master_uri)�salt�	transportZrequest_server)�cls�opts�kwargsr�r�G/opt/saltstack/salt/lib/python3.10/site-packages/salt/channel/server.py�factory$s
zReqServerChannel.factorycCstj�|�tj�|�kS)z�
        Normalize and compare two keys

        Returns:
            bool: ``True`` if the keys match, otherwise ``False``
        )r�cryptZ	clean_key)r	Zkey1Zkey2rrr
�compare_keys+szReqServerChannel.compare_keyscCs||_||_d|_d|_dS�N)r
r�event�
master_key)�selfr
rrrr
�__init__5s
zReqServerChannel.__init__cCs t|jd�r|j�|�dSdS)z�
        Do anything necessary pre-fork. Since this is on the master side this will
        primarily be bind and listen (or the equivalent for your network library)
        �pre_forkN)�hasattrrr)r�process_managerrrr
r<s�zReqServerChannel.pre_forkcCsddl}|jdr |jj��s t�d|jd�t�|jd�||_	|j
�|j|jj
jddj�|_|jjj|j|jdd|d	�|_|jj�|j�|_|jd
rYt|j�|_nd|_|jj�|j�|_|j
�|j�|_||_t|j d�r�|j �!|j"|�dSdS)z�
        Do anything you need post-fork. This should handle all incoming payloads
        and call payload_handler. You will also be passed io_loop, for all of your
        asynchronous needs
        rN�pub_server_niceness�%setting Publish daemon niceness to %i�aes�secretZsock_dirF)�listen�io_loopZ	con_cache�	post_fork)#�salt.masterr
�utils�platform�
is_windows�log�info�os�nicerr�	Crypticle�master�SMaster�secrets�value�	crypticlerZget_master_eventZdaemonsZ	masterapiZAutoKey�auto_keyr�	cache_cli�minions�	CkMinions�	ckminions�
MasterKeysr�payload_handlerrrr�handle_message)rr4rrrrr
rDs0���
�zReqServerChannel.post_forkccs��z|�|�}Wn*ty2}zt|�j}|dkrt�d�nt�d||�tjj	j
�d��d}~wwt|t
�r@t|�d�t
�sRt�d||�d��tjj	j
�d��z|d�dd	�}d
|vrmt�d|�tjj	j
�d��Wnty�t�d
|�tjj	j
�d|�d���wd}d|vr�|d}d}|dkr�d}|ddkr�|�di��d�dkr�tjj	j
�|�|d|���d}|dkr�|d�dd�}z
|�|�V\}}	Wnty�}
ztjddd�tjj	j
�d��d}
~
ww|	�dd�}|dkr�tjj	j
�|��|dk�rtjj	j
�|j�||���|d k�r7tjj	j
�|�||	d!|	d"|||�d#tjj�|�d$tjj����t�d%|�tjj	j
�d&��)'N�AuthenticationErrorz�Minion failed to auth to master. Since the payload is encrypted, it is not known which minion failed to authenticate. It is likely that this is a transient failure due to the master rotating its public key.zBad load from minion: %s: %szbad load�loadz@payload and load must be a dict. Payload was: %s and load was %szpayload and load must be a dict�id��z+Payload contains an id with a null byte: %sz!bad load: id contains a null bytez"Payload contains non-string id: %sz
bad load: id z is not a stringr�versionF�T�enc�clear�cmd�_auth�noncez-Some exception handling a payload from minion)�exc_infoz&Some exception handling minion payloadZfun�sendZ
send_clearZsend_private�key�tgt�enc_algo�sig_algozUnknown req_fun %sz&Server-side exception handling payload)�_decode_payload�	Exception�type�__name__r$�debug�errorr�ext�tornado�gen�Return�
isinstance�dict�get�	TypeErrorr@�popr4r-�dumps�_encrypt_privater�	OAEP_SHA1�
PKCS1v15_SHA1)r�payload�exc�exc_type�id_r;�
sign_messagesrA�retZreq_opts�eZreq_funrrr
r5hs��
������"
���


��zReqServerChannel.handle_messageNTc
Cs4tj�|jdd|�}tjj��}	tj�|j|	�}
ztj�|�}Wn#t	t
tfy3|j�
i�YStyDt�d�ddiYSwi}|�tjj�|	�|�|d<|durZi}|r�|durdddiStj�
|d||d	��}
tj�|jdd
�}|
tj�|�j|
|d�d�}|
�
|�||<|S|
�
|�||<|S)
zW
        The server equivalent of ReqChannel.crypted_transfer_decode_dictentry
        �pki_dirr0zAES key not foundrMrDFNzNonce not included in request)rDZpillarrA�
master.pem��	algorithm)�data�sig)r&�path�joinr
rrr(Zgenerate_key_string�	PublicKey�
ValueError�
IndexErrorrUr-rW�OSErrorr$rM�encryptr!�stringutils�to_bytesr[�
PrivateKey�sign)rr`Zdictkey�targetrAr_Zencryption_algorithmZsigning_algorithm�pubfnrDZpcrypt�pubZpret�tosign�master_pem_pathZ
signed_msgrrr
rX�sB
������z!ReqServerChannel._encrypt_privatecCsnz tj�|jdd�}tj�|�}d|tj�|�j	||d�d�WSt
y6t�d|�dddid	�YSw)
Nrbrcr>rd)r=r7rgzCMinion tried to authenticate with unsupported signing algorithm: %sr`zbad sig algo�r=r7)
r&rhrir
rr[rWrrqrrrr$r%)rr7rerwrvrrr
�
_clear_signed�s ����zReqServerChannel._clear_signedcCsNddl}|jjjddj|jjkr%|j�|j	|jjjddj�|_dSdS)zn
        Check to see if a fresh AES key is available and update the components
        of the worker
        rNrrTF)
r r)r*r+r,r-Z
key_stringrr(r
)rrrrr
�_update_aes�s��zReqServerChannel._update_aescCs�t|t�r
d|vs
d|vrtd��|ddkr@z
|j�|d�|d<W|Stjjy?|��s2�|j�|d�|d<Y|Sw|S)Nr=r7zbad load received on socket!r)	rRrSrr-�loadsrrr6rz)rr[rrr
rHs ���z ReqServerChannel._decode_payloadFc
Csvddl}|�d|jj�}|�d|jj�}|jj�|j|d�s;t	�
d|d�|r4|�d|dd	�|�Sd
ddid�St	�
d
|d�|jddkr�|jrS|j�
�}n|j��}t|�dkrct	�
d�t|�|jdks�|d|vr�t	�
d|jd|d�dd|d|dd�}|j�d�dur�|j�||jjjdd��|r�|�d|dd	�|�Sd
ddid�S|j�|d�}|j�|d|�dd��}	tj�|jdd|d�}
tj�|jdd|d�}tj�|jdd|d�}tj�|jdd|d�}
|jd�r�n�tj�|��rGt	�
d |d�d|d|dd!�}|j�d�du�r2|j�||jjjdd��|�r@|�d|dd	�|�Sd
ddid�Stj�|
��r�|jj�|
d"��}|�|��|d��s�t	�d#|d�|jj�|
d$��}|� |d�Wd�n	1�s�wYd|dd%|dd&�}|j�d�du�r�|j�||jjjdd��|�r�|�d|dd	�|�Wd�Sd
ddid�Wd�SWd�n	1�s�wY�n�tj�|��s�tj�!|��r+t	�
d'|d�d|d|dd!�}|j�d�du�r|j�||jjjdd��|�r$|�d|dd	�|�Sd
ddid�S|�r=|}t	�
d(|d�d)}d}n|	�sO|}t	�
d*|d�d+}d}nd}|du�r�|jj�|d$��}|� |d�Wd�n	1�sqwY|||d|dd�}|j�d�du�r�|j�||jjjdd��|�r�|�||dd	�|�Sd
d|id�S�ntj�|��rz|�r	zt"�#||�Wn
t$�y�Ynwt	�
d,|d�dd)|d|dd�}|j�d�du�r�|j�||jjjdd��|�r|�d|dd	�|�Sd
ddid�S|	�s�|jj�|d"���}|�|��|d��s�t	�d-|d�|jj�|
d$��}|� |d�Wd�n	1�sCwYd|dd%|dd&�}|j�d�du�ri|j�||jjjdd��|�r~|�d|dd	�|�Wd�Sd
ddid�Wd�St	�
d.|d|d�dd+|d|dd�}|j�d�du�r�|j�||jjjdd��|�r�|�d|dd	�|�Wd�Sd
ddid�Wd�S1�s�wYn�|jj�|d"���}|�|��|d��sdt	�d/|d�|jj�|
d$��}|� |d�Wd�n	1�swYd|d|dd!�}|j�d�du�rA|j�||jjjdd��|�rV|�d|dd	�|�Wd�Sd
ddid�Wd�St�%|�Wd�n	1�stwYn:t	�&d0�d|d|dd!�}|j�d�du�r�|j�||jjjdd��|�r�|�d|dd	�|�Sd
ddid�St	�
d1|d�tj�|
��s�|jd�s�|jj�|
d$��}|� |d�Wd�n	1�s�wYn�|jd�rjd2}tj�|
��r|jj�|
d"��}|��}Wd�n	1�swY|d�rH|d|k�rHt	�'d3�|jj�|
d$��}|� |d�Wd�n	1�sBwYn"|d�sjt	�d4|d�|�rc|�d|dd	�|�Sd
ddid�Sd}|j�ry|j�(|dg�z|j�)|
�}Wn7|jj*�y�}z(t	�d5|
|�|�r�|�d|dd	�|�WYd}~Sd
ddid�WYd}~Sd}~wwd|j+�,�|jd6d7�}|jd8�r|j+�-��r�t	�'d9�t	�'|j+�-��|�.d:|j+�-�i�n,|jj/�0|jd;|j�}t	�'d<�|jj1|j+�2�d=|d>||d?�}|�.d:t3�4|�i�|jd@dAk�r�dB|v�rxz|j+j5�6|dB|�}dC�7|j8j9j:dDdEj;|�}WnEt<�y_}zt	�
dF|d|�d
ddGid�WYd}~Sd}~wt=�yw}zt	�&dH|�WYd}~nd}~ww|j8j9j:dDdEj;}|�>||�|dD<ngdB|v�r�z|j+j5�6|dB|�}|�>||�|dB<Wn;t<�y�}zt	�
dF|d|�d
ddGid�WYd}~Sd}~wt=�y�}zt	�&dI|�WYd}~nd}~ww|j8j9j:dDdEj;}|�>||�|dD<|jj?�@tA�B|��C��}|j�D|j+j5|�|dJ<ddK|d|dd�}|j�d�du�r*|j�||jjjdd��|�r9|d|d<|�||�S|S)La@
        Authenticate the client, use the sent public key to encrypt the AES key
        which was generated at start up.

        This method fires an event over the master event manager. The event is
        tagged "auth" and returns a dict with information about the auth
        event

            - Verify that the key we are receiving matches the stored key
            - Store the key if it is not there
            - Make an RSA key with the pub key
            - Encrypt the AES key as an encrypted salt.payload
            - Package the return and return it
        rNrFrGr8z)Authentication request from invalid id %sFrA)r`rAr>r`rxzAuthentication request from %sZmax_minionsi�z|With large numbers of minions it is advised to enable the ConCache with 'con_cache: True' in the masters configuration file.zLToo many minions connected (max_minions=%s). Rejecting connection from id %s�fullru)�result�actr8ruZauth_eventsTZauth)�prefixZautosign_grainsrbr0Zminions_preZminions_rejectedZminions_deniedZ	open_modez@Public key rejected for %s. Key is present in rejection key dir.)r}r8ru�rz|Authentication attempt from %s failed, the public keys did not match. This may be an attempt to compromise the Salt cluster.zw+Zdenied)r}r8r~ruz New public key %s is a directoryz2New public key for %s rejected via autoreject_fileZrejectz'New public key for %s placed in pendingZpendz6Pending public key for %s rejected via autoreject_filez�Authentication attempt from %s failed, the public key in pending did not match. This may be an attempt to compromise the Salt cluster.zfAuthentication failed from host %s, the key is in pending and needs to be accepted with salt-key -a %sz�Authentication attempt from %s failed, the public keys in pending did not match. This may be an attempt to compromise the Salt cluster.z&Unaccounted for authentication failurezAuthentication accepted from %sr9z&Host key change detected in open mode.zPublic key is empty: %szCorrupt public key "%s": %s�publish_port)r=�pub_keyr�Zmaster_sign_pubkeyz%Adding pubkey signature to auth-replyZpub_sigZsigning_key_passz(Signing master public key before sendingr<r�rdZ	auth_mode��tokenz{}_|-{}rrzIMinion %s tried to authenticate with unsupported encryption algorithm: %szbad enc algozToken failed to decrypt %szToken failed to decrypt: %rrg�accept)Er rTrrYrZr!ZverifyZvalid_idr
r$r%ryr/Z
get_cachedr2Z
connected_ids�lenr�
fire_event�tagifyr.Zcheck_autorejectZcheck_autosignr&rhri�isfile�filesZfopenr�readrM�write�isdir�shutil�moverm�remove�warningrLZ	put_cacherjZInvalidKeyErrorrZget_pub_strZpubkey_signature�updateZsdbZsdb_getZsign_messageZget_sign_paths�binascii�
b2a_base64rDZdecrypt�formatr)r*r+r,rrIrnrorp�hashlib�sha256�	hexdigestZprivate_encrypt)rr7r_rrFrGr0ZeloadZauto_rejectZ	auto_signrtZ
pubfn_pendZpubfn_rejectedZpubfn_deniedZpubfn_handleZfp_Zkey_pathZkey_actZ
key_resultZdisk_keyru�errr`Zkey_passZpub_signZmtokenrr\�digestrrr
r@$s��
��������������������
��������������������2$�8��������
���
�
��
����
�
�
�
�����
����zReqServerChannel._authcCs&|j��|jdur|j��dSdSr)r�closer�destroy�rrrr
r��s

�zReqServerChannel.close�F)rK�
__module__�__qualname__�__doc__�classmethodrrrrrrrNrOrP�	coroutiner5rrYrZrXryrzrHr@r�rrrr
rs0

	
$
Y
�0
;rc@s�eZdZdZedd��Zd dd�Zdd�Zd	d
�Zdd�Z	d!dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zejjjjdd��Zdd�Zdd�Zd
S)"�PubServerChannelzQ
    Factory class to create subscription channels to the master's Publisher
    cKs~d|vrd|vr|d|d<d}|�dd�r.d}tjj�|�D]
\}}|dkr)d}q|r.d}tjj|fi|��}||||d�S)NrF�presence_eventsTZtcp)r�)rTrr!ZchannelZiter_transport_optsrZpublish_server)r	r
rr�Ztcp_onlyr�_rrr
r�s�zPubServerChannel.factoryFcCsV||_tjj�|j�|_||_tj�|j�|_	i|_
||_tjjj
d|jdd�|_dS)Nr)F�r
r)r
rr!r0r1r2rr)ZAESFuncs�	aes_funcs�presentr�r�	get_event)rr
rr�rrr
r�szPubServerChannel.__init__cCs|j|j|jd�S)N�r
rr�r�r�rrr
�__getstate__s�zPubServerChannel.__getstate__cCsR|d|_|d|_|d|_tjjjd|jdd�|_tjj�|j�|_	i|_
dS)Nr
r�rr)Fr�)r
�staterrr!rr�r0r1r2r�)rr�rrr
�__setstate__	s



zPubServerChannel.__setstate__cCsF|j��|jdur|j��d|_|jdur!|j��d|_dSdSr)rr�rr�r�r�rrr
r�s





�zPubServerChannel.closeNcCs$t|jd�r|j|j|d�dSdS)a.
        Do anything necessary pre-fork. Since this is on the master side this will
        primarily be used to create IPC channels and create our daemon process to
        do the actual publishing

        :param func process_manager: A ProcessManager, from salt.utils.process.ProcessManager
        �publish_daemon)rN)rrZadd_process�_publish_daemon)rrrrrr
rs�zPubServerChannel.pre_forkcKs�|jdrtjj��st�d|jd�t�|jd�|�	dd�}|dur+|tj
j_tj
�|j�|_|j�|j|j|j�dS)Nrrr+)r
rr!r"r#r$r%r&r'rTr)r*r+rr3rrr��publish_payload�presence_callback�remove_presence_callback)rrr+rrr
r�%s�
�z PubServerChannel._publish_daemoncCs~|ddkrdStj�|jtjjjddj�}|�|d�}tj	j
�|�}|j�
|d|d�s3dS|d|_|�|�dS)Nr=rrr7r8�tok)rrr(r
r)r*r+r,r{r�frameZdecode_embedded_strsr�Z
verify_minionr^�_add_client_present)r�
subscriber�msgr-r7rrr
r�4s�
z"PubServerChannel.presence_callbackcCs|�|�dSr)�_remove_client_present)rr�rrr
r�Bsz)PubServerChannel.remove_presence_callbackcCs�|j}||jvr|j|}|�|�dS|h|j|<|jrH|ggd�}|j�|tjj�dd��dt	|j�
��i}|j�|tjj�dd��dSdS)N��newZlost�change�presencer�)r^r��addr�rr�rr!r��list�keys�r�clientr^Zclientsrfrrr
r�Es

���z$PubServerChannel._add_client_presentcCs�|j}|dus||jvrdS|j|}||vrdS|�|�t|�dkrV|j|=|jrXg|gd�}|j�|tjj�	dd��dt
|j���i}|j�|tjj�	dd��dSdSdS)Nrr�r�r�r�)r^r�r�r�r�rr�rr!r�r�r�r�rrr
r�Vs(

���z'PubServerChannel._remove_client_presentcgs~�|�|�}z
tj�|d�}Wntyt�d|��wd|vr0|d}|j�||�V}n|j�|�V}tj	j
j�|��)Nr[zInvalid package %r�	topic_lst)
�wrap_payloadrr[r{�KeyErrorr$rMrr�rNrOrPrQ)rr7�argsZunpacked_packager[Z
topic_listr`rrr
r�rs�
�z PubServerChannel.publish_payloadc	Cs<ddi}tjj��|d<tj�|jtjjjddj�}|�	|�|d<|jdrQt
j�|jdd�}t
�d	�|jd
|d<tj�|jj��|d|jd
�|d<d
tj�	|�i}gd�}|jjr�|d|vr�|ddkrs|d|d<t|dt�r�|jj|d|dd�}|d}t
�d|�||d<|S|d|d<|S)Nr=r�serialrr7Zsign_pub_messagesrbrczSigning data packetZpublish_signing_algorithmrGrgr[)Zpcre�globr��tgt_typer�rEr�)r�r0zPublish Side Match: %s)rr)r*Z
get_serialrr(r
r+r,rWr&rhrir$rLrqrZrsa_pathrrr[rZ
topic_supportrR�strr2Z
check_minions)	rr7r[r-rwZint_payloadZ
match_targetsZ_resZ	match_idsrrr
r��s<�

����zPubServerChannel.wrap_payloadcCs2t�d|�dd�t|�dd��|j�|�dS)z+
        Publish "load" to minions
        z1Sending payload to publish daemon. jid=%s load=%sZjidN�()r$rLrT�reprr�publish)rr7rrr
r��s
�zPubServerChannel.publishr�r)rKr�r�r�r�rrr�r�r�rr�r�r�r�r�rrNrOrPr�r�r�r�rrrr
r��s$

	
	

%r�)r�r�r��loggingr&r�Z
salt.cryptrZsalt.ext.tornado.genr Zsalt.payloadZsalt.transport.frameZsalt.utils.channelZsalt.utils.eventZsalt.utils.filesZsalt.utils.minionsZsalt.utils.platformZsalt.utils.stringutilsZsalt.utils.verifyZsalt.exceptionsrrZsalt.utils.cacher�	getLoggerrKr$rr�rrrr
�<module>s8
H