Mini Shell

Directory : /lib/python2.7/site-packages/salt/
Current File : //lib/python2.7/site-packages/salt/crypt.pyc


Zerion Mini Shell 1.0