Commit 31cfa53

mattp-dwoz
authored and committed
address review from @dwoz
1 parent dba8608 commit 31cfa53

4 files changed

+45
-16
lines changed


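--- a/salt/cache/localfs_key.py
+++ b/salt/cache/localfs_key.py
@@ -3,7 +3,7 @@
 
 .. versionadded:: 3008.0
 
-The ``localfs_keys_backcompat`` is a shim driver meant to allow the salt.cache
+The ``localfs_key`` is a shim driver meant to allow the salt.cache
 subsystem to interact with the existing master pki folder/file structure
 without any migration from previous versions of salt. It is not meant for
 general purpose use and should not be used outside of the master auth system.
@@ -123,7 +123,7 @@ def store(bank, key, data, cachedir, user, **kwargs):
 savefn = Path(cachedir) / base / key
 base = savefn.parent
 
-if not clean_path(cachedir, savefn, subdir=True):
+if not clean_path(cachedir, str(savefn), subdir=True):
 raise SaltCacheError(f"key {key} is not a valid key path.")
 
 try:
@@ -191,6 +191,9 @@ def fetch(bank, key, cachedir, **kwargs):
 ]:
 keyfile = Path(cachedir, bank, key)
 
+if not clean_path(cachedir, str(keyfile), subdir=True):
+raise SaltCacheError(f"key {key} is not a valid key path.")
+
 if keyfile.is_file() and not keyfile.is_symlink():
 with salt.utils.files.fopen(keyfile, "r") as fh_:
 return {"state": state, "pub": fh_.read()}
@@ -200,6 +203,9 @@ def fetch(bank, key, cachedir, **kwargs):
 # with the filesystem, so return a list of 1
 pubfn_denied = os.path.join(cachedir, "minions_denied", key)
 
+if not clean_path(cachedir, pubfn_denied, subdir=True):
+raise SaltCacheError(f"key {key} is not a valid key path.")
+
 if os.path.isfile(pubfn_denied):
 with salt.utils.files.fopen(pubfn_denied, "r") as fh_:
 return [fh_.read()]
@@ -209,6 +215,9 @@ def fetch(bank, key, cachedir, **kwargs):
 
 keyfile = Path(cachedir, key)
 
+if not clean_path(cachedir, str(keyfile), subdir=True):
+raise SaltCacheError(f"key {key} is not a valid key path.")
+
 if keyfile.is_file() and not keyfile.is_symlink():
 with salt.utils.files.fopen(keyfile, "r") as fh_:
 return fh_.read()
@@ -243,7 +252,7 @@ def updated(bank, key, cachedir, **kwargs):
 for dir in bases:
 keyfile = Path(cachedir, dir, key)
 
-if not clean_path(cachedir, keyfile, subdir=True):
+if not clean_path(cachedir, str(keyfile), subdir=True):
 raise SaltCacheError(f"key {key} is not a valid key path.")
 
 if keyfile.is_file() and not keyfile.is_symlink():
@@ -336,10 +345,13 @@ def list_(bank, cachedir, **kwargs):
 )
 for item in items:
 # salt foolishly dumps a file here for key cache, ignore it
-if bank in ["keys", "denied_keys"] and not valid_id(__opts__, item):
+keyfile = Path(cachedir, base, item)
+
+if (
+bank in ["keys", "denied_keys"] and not valid_id(__opts__, item)
+) or not clean_path(cachedir, str(keyfile), subdir=True):
 log.error("saw invalid id %s, discarding", item)
 
-keyfile = Path(cachedir, base, item)
 if keyfile.is_file() and not keyfile.is_symlink():
 ret.append(item)
 return ret
@@ -366,7 +378,7 @@ def contains(bank, key, cachedir, **kwargs):
 for base in bases:
 keyfile = Path(cachedir, base, key)
 
-if not clean_path(cachedir, keyfile, subdir=True):
+if not clean_path(cachedir, str(keyfile), subdir=True):
 raise SaltCacheError(f"key {key} is not a valid key path.")
 
 if keyfile.is_file() and not keyfile.is_symlink():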
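Review bot: In the list_ hunk (@@ -336), an item that fails the new `clean_path` check or `valid_id` is logged as "discarding" but nothing actually skips it: the following `if keyfile.is_file() and not keyfile.is_symlink():` still appends it to `ret`, unless the blank line rendered at 354 hides a `continue` that the page lost. The pre-existing `valid_id` branch had the same fall-through, but now that the condition also covers the path-confinement check (presumably what `clean_path(..., subdir=True)` enforces, given the "not a valid key path" errors elsewhere in this file) a silent fall-through is more costly. Add `continue` directly after `log.error("saw invalid id %s, discarding", item)`, or raise `SaltCacheError` as the other functions in this hunk set do. The body of list_ begins before the hunk.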

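--- a/salt/crypt.py
+++ b/salt/crypt.py
@@ -230,7 +230,7 @@ def parse_hash(algorithm):
 class PrivateKey(BaseKey):
 
 def __init__(self, key_bytes, passphrase=None):
-log.debug("salt.crypt.get_rsa_key: Loading private key")
+log.debug("Loading private key")
 if passphrase:
 password = passphrase.encode()
 else:
@@ -279,7 +279,7 @@ def public_key(self):
 
 class PublicKey(BaseKey):
 def __init__(self, key_bytes):
-log.debug("salt.crypt.get_rsa_pub_key: Loading public key")
+log.debug("Loading public key")
 try:
 self.key = serialization.load_pem_public_key(key_bytes)
 except ValueError:
@@ -349,13 +349,13 @@ def sign_message(privkey_path, message, passphrase=None, algorithm=PKCS1v15_SHA1
 return PrivateKey.from_file(privkey_path, passphrase).sign(message, algorithm)
 
 
-def verify_signature(key, message, signature, algorithm=PKCS1v15_SHA1):
+def verify_signature(pubkey_path, message, signature, algorithm=PKCS1v15_SHA1):
 """
 Use Crypto.Signature.PKCS1_v1_5 to verify the signature on a message.
 Returns True for valid signature.
 """
-log.debug("salt.crypt.verify_signature: Loading public key")
-return PublicKey.from_file(key).verify(message, signature, algorithm)
+log.debug("Loading public key")
+return PublicKey.from_file(pubkey_path).verify(message, signature, algorithm)
 
 
 def pwdata_decrypt(rsa_key, pwdata):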
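Review bot: Renaming the first parameter of verify_signature from `key` to `pubkey_path` (@@ -349) breaks any caller that passes it by keyword, and salt.crypt is imported widely; if the function is considered public, keep the old name accepted for a deprecation period or mention the rename in the changelog. The docstring still reads "Use Crypto.Signature.PKCS1_v1_5 to verify the signature on a message." while the body now loads a PEM file through `PublicKey.from_file`; replace it with `Load the PEM public key at *pubkey_path* and verify *signature* over *message* with *algorithm*; returns True for a valid signature.` The same stale module-prefixed wording was removed from the debug messages in the two earlier hunks, so the docstring is the one leftover.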

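--- a/salt/master.py
+++ b/salt/master.py
@@ -1874,10 +1874,15 @@ def _return(self, load):
 sig = load.pop("sig")
 this_minion_pubkey = self.key_cache.fetch("keys", load["id"])
 serialized_load = salt.serializers.msgpack.serialize(load)
-if not salt.crypt.verify_signature(
-this_minion_pubkey, serialized_load, sig
+if not this_minion_pubkey or not this_minion_pubkey.verify(
+serialized_load, sig
 ):
-log.info("Failed to verify event signature from minion %s.", load["id"])
+if not this_minion_pubkey:
+log.error("Failed to fetch pub key for minion %s.", load["id"])
+else:
+log.info(
+"Failed to verify event signature from minion %s.", load["id"]
+)
 if self.opts["drop_messages_signature_fail"]:
 log.critical(
 "drop_messages_signature_fail is enabled, dropping "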
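Review bot: The new condition calls `this_minion_pubkey.verify(serialized_load, sig)`, which requires `self.key_cache.fetch("keys", load["id"])` to return a key object, but the localfs_key driver changed in this same commit returns the raw file contents (`fh_.read()`) from its `fetch` branches; unless `key_cache` wraps that into a `salt.crypt.PublicKey` somewhere not shown, this raises AttributeError on a str instead of failing verification. It is worth a comment at the fetch line recording the contract, e.g. `# key_cache.fetch returns a PublicKey, or a falsy value when no accepted key exists for this id`, once that is confirmed. The enclosing `_return` method starts before and continues after the hunk.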

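--- a/salt/wheel/key.py
+++ b/salt/wheel/key.py
@@ -33,10 +33,10 @@
 import salt.crypt
 import salt.key
 import salt.utils.crypt
-import salt.utils.files
+import salt.utils.versions
 from salt.utils.sanitizers import clean
 
-__func_alias__ = {"list_": "list", "key_str": "print", "name_match": "glob_match"}
+__func_alias__ = {"list_": "list", "key_str": "print"}
 
 log = logging.getLogger(__name__)
 
@@ -77,6 +77,18 @@ def list_all():
 return skey.all_keys()
 
 
+def name_match(match):
+"""
+Alias to glob_match
+"""
+salt.utils.versions.warn_until(
+3010,
+"'wheel.key.name_match' has been renamed to 'wheel.key.glob_match', and will be removed in the Calcium release."
+"Please update your workflows to use glob_match instead.",
+)
+return glob_match(match)
+
+
 def glob_match(match):
 """
 List all the keys based on a glob match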
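Review bot: The two adjacent string literals in the `warn_until` message of name_match (@@ -77) are joined with no separator, so the emitted warning reads "...in the Calcium release.Please update..."; end the first literal with a space: `"'wheel.key.name_match' has been renamed to 'wheel.key.glob_match', and will be removed in the Calcium release. "`. The docstring `Alias to glob_match` should also state the deprecation so it surfaces in the generated wheel docs, e.g. `Deprecated alias for glob_match; emits a deprecation warning until the 3010 release.` Dropping `import salt.utils.files` in the first hunk is presumably because the module no longer uses it, but that is not visible here.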
