Mini Shell


Directory : /usr/lib/python2.7/site-packages/salt/auth/
Current File : //usr/lib/python2.7/site-packages/salt/auth/__init__.pyc


Zerion Mini Shell 1.0