File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/renderers/__pycache__/pass.cpython-310.pyc
Pass Renderer for Salt
======================

pass_ is an encrypted on-disk password store.

.. _pass: https://www.passwordstore.org/

.. versionadded:: 2017.7.0

Setup
-----

*Note*: ``<user>`` needs to be replaced with the user salt-master will be
running as.

Load the private GPG key into ``<user>``'s GPG keyring

.. code-block:: yaml

    load_private_gpg_key:
      cmd.run:
        - name: gpg --import <location_of_private_gpg_key>
        - unless: gpg --list-keys '<gpg_name>'

The public key that corresponds to this private key should be the one used to
encrypt the pass entries that are of interest for pillar data.

Fetch and keep local pass git repo up-to-date

.. code-block:: yaml

        update_pass:
          git.latest:
            - force_reset: True
            - name: <git_repo>
            - target: /<user>/.password-store
            - identity: <location_of_ssh_private_key>
            - require:
              - cmd: load_private_gpg_key

Install pass binary

.. code-block:: yaml

        pass:
          pkg.installed

Salt master configuration options

.. code-block:: yaml

        # If the prefix is *not* set (default behavior), all template variables are
        # considered for fetching secrets from Pass. Those that cannot be resolved
        # to a secret are passed through.
        #
        # If the prefix is set, only the template variables with matching prefix are
        # considered for fetching the secrets, other variables are passed through.
        #
        # For ease of use it is recommended to set the following options as well:
        #       renderer: 'jinja|yaml|pass'
        #       pass_strict_fetch: true
        #
        pass_variable_prefix: 'pass:'

        # If set to 'true', error out when unable to fetch a secret for a template variable.
        pass_strict_fetch: true

        # Set GNUPGHOME env for Pass.
        # Defaults to: ~/.gnupg
        pass_gnupghome: <path>

        # Set PASSWORD_STORE_DIR env for Pass.
        # Defaults to: ~/.password-store
        pass_dir: <path>

Functions defined in the compiled module (source path
``/opt/saltstack/salt/lib/python3.10/site-packages/salt/renderers/pass.py``),
with the docstrings recoverable from the file:

- ``_get_pass_exec``: Return the pass executable or raise an error
- ``_fetch_secret``: Fetch secret from pass based on pass_path. If there is
  any error, return back the original pass_path value
- ``_decrypt_object``: Recursively try to find a pass path (string) that can
  be handed off to pass
- ``render``: Fetch secret from pass based on pass_path
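
The following added example (not Salt's code) models how the ``pass_variable_prefix`` and ``pass_strict_fetch`` options described above change what ends up in rendered pillar data. ``STORE``, ``PILLAR``, ``fetch``, ``resolve``, ``strict_fails`` and ``RenderError`` are hypothetical names, and a constructed dictionary stands in for the call to the ``pass`` binary.

```python
# Constructed stand-in for the password store (assumption: the real renderer
# shells out to `pass show <path>` instead of reading a dict).
STORE = {"db/prod/password": "s3cr3t-example"}

class RenderError(Exception):
    """Hypothetical stand-in for the error raised when a strict fetch fails."""

def fetch(value, opts):
    prefix = opts.get("pass_variable_prefix", "")
    strict = opts.get("pass_strict_fetch", False)
    if strict and not prefix:
        # Strict mode is only meaningful when secrets are explicitly marked.
        raise ValueError("pass_strict_fetch requires pass_variable_prefix")
    if prefix and not value.startswith(prefix):
        return value                  # not marked as a secret: passed through
    path = value[len(prefix):].strip()
    if path in STORE:
        return STORE[path]
    if strict:
        raise RenderError(f"could not fetch secret {path!r}")
    return value                      # lenient mode: original string survives

def resolve(obj, opts):
    """Walk dicts and lists, handing every string to fetch()."""
    if isinstance(obj, str):
        return fetch(obj, opts)
    if isinstance(obj, dict):
        return {k: resolve(v, opts) for k, v in obj.items()}
    if isinstance(obj, list):
        return [resolve(v, opts) for v in obj]
    return obj

def strict_fails(obj, opts):
    try:
        resolve(obj, opts)
    except RenderError:
        return True
    return False

# Constructed pillar data: one valid reference, one missing entry, and one
# plain string that happens to equal a store path.
PILLAR = {"db": {"user": "app", "password": "pass:db/prod/password"},
          "tokens": ["pass:api/missing", "db/prod/password"]}
```

With no prefix the plain string ``db/prod/password`` is replaced by the secret, and with a prefix in lenient mode the unresolved ``pass:api/missing`` placeholder is passed through unchanged. Only the prefix plus strict combination fails the render instead.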