File fix-multiple-security-issues-bsc-1197417.patch of Package salt.24048
From a5a3839eae2aed3e2fe98c314e770560eed2ed70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
<psuarezhernandez@suse.com>
Date: Wed, 23 Mar 2022 12:09:36 +0000
Subject: [PATCH] Fix multiple security issues (bsc#1197417)
* Sign authentication replies to prevent MiTM (CVE-2020-22935)
* Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)
* Prevent job and fileserver replays (CVE-2022-22936)
* Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941)
---
salt/crypt.py | 275 +++--
salt/master.py | 57 +-
salt/minion.py | 1 +
salt/pillar/__init__.py | 4 +
salt/transport/mixins/auth.py | 115 +-
salt/transport/tcp.py | 103 +-
salt/transport/zeromq.py | 91 +-
salt/utils/minions.py | 19 +-
salt/utils/network.py | 4 +-
tests/integration/files/ssh/known_hosts | 2 +
tests/integration/modules/test_ssh.py | 9 +-
.../states/test_ssh_known_hosts.py | 3 +-
.../transport/server/test_req_channel.py | 16 +-
.../zeromq/test_pub_server_channel.py | 57 +-
tests/pytests/unit/test_crypt.py | 151 +++
tests/pytests/unit/test_minion.py | 1 +
tests/pytests/unit/transport/test_tcp.py | 20 +-
tests/pytests/unit/transport/test_zeromq.py | 1037 +++++++++++++++++
tests/pytests/unit/utils/test_minions.py | 59 +
tests/pytests/unit/utils/test_network.py | 8 +
tests/unit/transport/test_ipc.py | 2 +
21 files changed, 1779 insertions(+), 255 deletions(-)
create mode 100644 tests/pytests/unit/utils/test_network.py
diff --git a/salt/crypt.py b/salt/crypt.py
index 776ffaba58..76870216fd 100644
--- a/salt/crypt.py
+++ b/salt/crypt.py
@@ -17,6 +17,7 @@ import stat
import sys
import time
import traceback
+import uuid
import weakref
import salt.defaults.exitcodes
@@ -262,7 +263,11 @@ def verify_signature(pubkey_path, message, signature):
md = EVP.MessageDigest("sha1")
md.update(salt.utils.stringutils.to_bytes(message))
digest = md.final()
- return pubkey.verify(digest, signature)
+ try:
+ return pubkey.verify(digest, signature)
+ except RSA.RSAError as exc:
+ log.debug("Signature verification failed: %s", exc.args[0])
+ return False
else:
verifier = PKCS1_v1_5.new(pubkey)
return verifier.verify(
@@ -696,9 +701,17 @@ class AsyncAuth:
self._authenticate_future.set_exception(error)
else:
key = self.__key(self.opts)
- AsyncAuth.creds_map[key] = creds
- self._creds = creds
- self._crypticle = Crypticle(self.opts, creds["aes"])
+ if key not in AsyncAuth.creds_map:
+ log.debug("%s Got new master aes key.", self)
+ AsyncAuth.creds_map[key] = creds
+ self._creds = creds
+ self._crypticle = Crypticle(self.opts, creds["aes"])
+ elif self._creds["aes"] != creds["aes"]:
+ log.debug("%s The master's aes key has changed.", self)
+ AsyncAuth.creds_map[key] = creds
+ self._creds = creds
+ self._crypticle = Crypticle(self.opts, creds["aes"])
+
self._authenticate_future.set_result(
True
) # mark the sign-in as complete
@@ -729,7 +742,6 @@ class AsyncAuth:
with the publication port and the shared AES key.
"""
- auth = {}
auth_timeout = self.opts.get("auth_timeout", None)
if auth_timeout is not None:
@@ -741,10 +753,6 @@ class AsyncAuth:
if auth_tries is not None:
tries = auth_tries
- m_pub_fn = os.path.join(self.opts["pki_dir"], self.mpub)
-
- auth["master_uri"] = self.opts["master_uri"]
-
close_channel = False
if not channel:
close_channel = True
@@ -769,59 +777,85 @@ class AsyncAuth:
finally:
if close_channel:
channel.close()
+ ret = self.handle_signin_response(sign_in_payload, payload)
+ raise salt.ext.tornado.gen.Return(ret)
- if not isinstance(payload, dict):
+ def handle_signin_response(self, sign_in_payload, payload):
+ auth = {}
+ m_pub_fn = os.path.join(self.opts["pki_dir"], self.mpub)
+ auth["master_uri"] = self.opts["master_uri"]
+ if not isinstance(payload, dict) or "load" not in payload:
log.error("Sign-in attempt failed: %s", payload)
- raise salt.ext.tornado.gen.Return(False)
- if "load" in payload:
- if "ret" in payload["load"]:
- if not payload["load"]["ret"]:
- if self.opts["rejected_retry"]:
- log.error(
- "The Salt Master has rejected this minion's public "
- "key.\nTo repair this issue, delete the public key "
- "for this minion on the Salt Master.\nThe Salt "
- "Minion will attempt to to re-authenicate."
- )
- raise salt.ext.tornado.gen.Return("retry")
- else:
- log.critical(
- "The Salt Master has rejected this minion's public "
- "key!\nTo repair this issue, delete the public key "
- "for this minion on the Salt Master and restart this "
- "minion.\nOr restart the Salt Master in open mode to "
- "clean out the keys. The Salt Minion will now exit."
- )
- # Add a random sleep here for systems that are using a
- # a service manager to immediately restart the service
- # to avoid overloading the system
- time.sleep(random.randint(10, 20))
- sys.exit(salt.defaults.exitcodes.EX_NOPERM)
- # has the master returned that its maxed out with minions?
- elif payload["load"]["ret"] == "full":
- raise salt.ext.tornado.gen.Return("full")
- else:
+ return False
+
+ clear_signed_data = payload["load"]
+ clear_signature = payload["sig"]
+ payload = salt.payload.loads(clear_signed_data)
+
+ if "pub_key" in payload:
+ auth["aes"] = self.verify_master(
+ payload, master_pub="token" in sign_in_payload
+ )
+ if not auth["aes"]:
+ log.critical(
+ "The Salt Master server's public key did not authenticate!\n"
+ "The master may need to be updated if it is a version of Salt "
+ "lower than %s, or\n"
+ "If you are confident that you are connecting to a valid Salt "
+ "Master, then remove the master public key and restart the "
+ "Salt Minion.\nThe master public key can be found "
+ "at:\n%s",
+ salt.version.__version__,
+ m_pub_fn,
+ )
+ raise SaltClientError("Invalid master key")
+
+ master_pubkey_path = os.path.join(self.opts["pki_dir"], self.mpub)
+ if os.path.exists(master_pubkey_path) and not verify_signature(
+ master_pubkey_path, clear_signed_data, clear_signature
+ ):
+ log.critical("The payload signature did not validate.")
+ raise SaltClientError("Invalid signature")
+
+ if payload["nonce"] != sign_in_payload["nonce"]:
+ log.critical("The payload nonce did not validate.")
+ raise SaltClientError("Invalid nonce")
+
+ if "ret" in payload:
+ if not payload["ret"]:
+ if self.opts["rejected_retry"]:
log.error(
- "The Salt Master has cached the public key for this "
- "node, this salt minion will wait for %s seconds "
- "before attempting to re-authenticate",
- self.opts["acceptance_wait_time"],
+ "The Salt Master has rejected this minion's public "
+ "key.\nTo repair this issue, delete the public key "
+ "for this minion on the Salt Master.\nThe Salt "
+ "Minion will attempt to re-authenicate."
)
- raise salt.ext.tornado.gen.Return("retry")
- auth["aes"] = self.verify_master(payload, master_pub="token" in sign_in_payload)
- if not auth["aes"]:
- log.critical(
- "The Salt Master server's public key did not authenticate!\n"
- "The master may need to be updated if it is a version of Salt "
- "lower than %s, or\n"
- "If you are confident that you are connecting to a valid Salt "
- "Master, then remove the master public key and restart the "
- "Salt Minion.\nThe master public key can be found "
- "at:\n%s",
- salt.version.__version__,
- m_pub_fn,
- )
- raise SaltClientError("Invalid master key")
+ return "retry"
+ else:
+ log.critical(
+ "The Salt Master has rejected this minion's public "
+ "key!\nTo repair this issue, delete the public key "
+ "for this minion on the Salt Master and restart this "
+ "minion.\nOr restart the Salt Master in open mode to "
+ "clean out the keys. The Salt Minion will now exit."
+ )
+ # Add a random sleep here for systems that are using a
+ # a service manager to immediately restart the service
+ # to avoid overloading the system
+ time.sleep(random.randint(10, 20))
+ sys.exit(salt.defaults.exitcodes.EX_NOPERM)
+ # has the master returned that its maxed out with minions?
+ elif payload["ret"] == "full":
+ return "full"
+ else:
+ log.error(
+ "The Salt Master has cached the public key for this "
+ "node, this salt minion will wait for %s seconds "
+ "before attempting to re-authenticate",
+ self.opts["acceptance_wait_time"],
+ )
+ return "retry"
+
if self.opts.get("syndic_master", False): # Is syndic
syndic_finger = self.opts.get(
"syndic_finger", self.opts.get("master_finger", False)
@@ -843,8 +877,9 @@ class AsyncAuth:
!= self.opts["master_finger"]
):
self._finger_fail(self.opts["master_finger"], m_pub_fn)
+
auth["publish_port"] = payload["publish_port"]
- raise salt.ext.tornado.gen.Return(auth)
+ return auth
def get_keys(self):
"""
@@ -892,6 +927,7 @@ class AsyncAuth:
payload = {}
payload["cmd"] = "_auth"
payload["id"] = self.opts["id"]
+ payload["nonce"] = uuid.uuid4().hex
if "autosign_grains" in self.opts:
autosign_grains = {}
for grain in self.opts["autosign_grains"]:
@@ -1254,6 +1290,7 @@ class SAuth(AsyncAuth):
self.token = salt.utils.stringutils.to_bytes(Crypticle.generate_key_string())
self.pub_path = os.path.join(self.opts["pki_dir"], "minion.pub")
self.rsa_path = os.path.join(self.opts["pki_dir"], "minion.pem")
+ self._creds = None
if "syndic_master" in self.opts:
self.mpub = "syndic_master.pub"
elif "alert_master" in self.opts:
@@ -1323,8 +1360,14 @@ class SAuth(AsyncAuth):
)
continue
break
- self._creds = creds
- self._crypticle = Crypticle(self.opts, creds["aes"])
+ if self._creds is None:
+ log.error("%s Got new master aes key.", self)
+ self._creds = creds
+ self._crypticle = Crypticle(self.opts, creds["aes"])
+ elif self._creds["aes"] != creds["aes"]:
+ log.error("%s The master's aes key has changed.", self)
+ self._creds = creds
+ self._crypticle = Crypticle(self.opts, creds["aes"])
def sign_in(self, timeout=60, safe=True, tries=1, channel=None):
"""
@@ -1377,78 +1420,7 @@ class SAuth(AsyncAuth):
if close_channel:
channel.close()
- if "load" in payload:
- if "ret" in payload["load"]:
- if not payload["load"]["ret"]:
- if self.opts["rejected_retry"]:
- log.error(
- "The Salt Master has rejected this minion's public "
- "key.\nTo repair this issue, delete the public key "
- "for this minion on the Salt Master.\nThe Salt "
- "Minion will attempt to to re-authenicate."
- )
- return "retry"
- else:
- log.critical(
- "The Salt Master has rejected this minion's public "
- "key!\nTo repair this issue, delete the public key "
- "for this minion on the Salt Master and restart this "
- "minion.\nOr restart the Salt Master in open mode to "
- "clean out the keys. The Salt Minion will now exit."
- )
- sys.exit(salt.defaults.exitcodes.EX_NOPERM)
- # has the master returned that its maxed out with minions?
- elif payload["load"]["ret"] == "full":
- return "full"
- else:
- log.error(
- "The Salt Master has cached the public key for this "
- "node. If this is the first time connecting to this "
- "master then this key may need to be accepted using "
- "'salt-key -a %s' on the salt master. This salt "
- "minion will wait for %s seconds before attempting "
- "to re-authenticate.",
- self.opts["id"],
- self.opts["acceptance_wait_time"],
- )
- return "retry"
- auth["aes"] = self.verify_master(payload, master_pub="token" in sign_in_payload)
- if not auth["aes"]:
- log.critical(
- "The Salt Master server's public key did not authenticate!\n"
- "The master may need to be updated if it is a version of Salt "
- "lower than %s, or\n"
- "If you are confident that you are connecting to a valid Salt "
- "Master, then remove the master public key and restart the "
- "Salt Minion.\nThe master public key can be found "
- "at:\n%s",
- salt.version.__version__,
- m_pub_fn,
- )
- sys.exit(42)
- if self.opts.get("syndic_master", False): # Is syndic
- syndic_finger = self.opts.get(
- "syndic_finger", self.opts.get("master_finger", False)
- )
- if syndic_finger:
- if (
- salt.utils.crypt.pem_finger(
- m_pub_fn, sum_type=self.opts["hash_type"]
- )
- != syndic_finger
- ):
- self._finger_fail(syndic_finger, m_pub_fn)
- else:
- if self.opts.get("master_finger", False):
- if (
- salt.utils.crypt.pem_finger(
- m_pub_fn, sum_type=self.opts["hash_type"]
- )
- != self.opts["master_finger"]
- ):
- self._finger_fail(self.opts["master_finger"], m_pub_fn)
- auth["publish_port"] = payload["publish_port"]
- return auth
+ return self.handle_signin_response(sign_in_payload, payload)
class Crypticle:
@@ -1463,10 +1435,11 @@ class Crypticle:
AES_BLOCK_SIZE = 16
SIG_SIZE = hashlib.sha256().digest_size
- def __init__(self, opts, key_string, key_size=192):
+ def __init__(self, opts, key_string, key_size=192, serial=0):
self.key_string = key_string
self.keys = self.extract_keys(self.key_string, key_size)
self.key_size = key_size
+ self.serial = serial
@classmethod
def generate_key_string(cls, key_size=192):
@@ -1536,13 +1509,17 @@ class Crypticle:
data = cypher.decrypt(data)
return data[: -data[-1]]
- def dumps(self, obj):
+ def dumps(self, obj, nonce=None):
"""
Serialize and encrypt a python object
"""
- return self.encrypt(self.PICKLE_PAD + salt.payload.dumps(obj))
+ if nonce:
+ toencrypt = self.PICKLE_PAD + nonce.encode() + salt.payload.dumps(obj)
+ else:
+ toencrypt = self.PICKLE_PAD + salt.payload.dumps(obj)
+ return self.encrypt(toencrypt)
- def loads(self, data, raw=False):
+ def loads(self, data, raw=False, nonce=None):
"""
Decrypt and un-serialize a python object
"""
@@ -1550,5 +1527,25 @@ class Crypticle:
# simple integrity check to verify that we got meaningful data
if not data.startswith(self.PICKLE_PAD):
return {}
- load = salt.payload.loads(data[len(self.PICKLE_PAD) :], raw=raw)
- return load
+ data = data[len(self.PICKLE_PAD) :]
+ if nonce:
+ ret_nonce = data[:32].decode()
+ data = data[32:]
+ if ret_nonce != nonce:
+ raise SaltClientError("Nonce verification error")
+ payload = salt.payload.loads(data, raw=raw)
+ if isinstance(payload, dict):
+ if "serial" in payload:
+ serial = payload.pop("serial")
+ if serial <= self.serial:
+ log.critical(
+ "A message with an invalid serial was received.\n"
+ "this serial: %d\n"
+ "last serial: %d\n"
+ "The minion will not honor this request.",
+ serial,
+ self.serial,
+ )
+ return {}
+ self.serial = serial
+ return payload
diff --git a/salt/master.py b/salt/master.py
index ee33bd8171..65b526c019 100644
--- a/salt/master.py
+++ b/salt/master.py
@@ -129,6 +129,44 @@ class SMaster:
"""
return salt.daemons.masterapi.access_keys(self.opts)
+ @classmethod
+ def get_serial(cls, opts=None, event=None):
+ with cls.secrets["aes"]["secret"].get_lock():
+ if cls.secrets["aes"]["serial"].value == sys.maxsize:
+ cls.rotate_secrets(opts, event, use_lock=False)
+ else:
+ cls.secrets["aes"]["serial"].value += 1
+ return cls.secrets["aes"]["serial"].value
+
+ @classmethod
+ def rotate_secrets(cls, opts=None, event=None, use_lock=True):
+ log.info("Rotating master AES key")
+ if opts is None:
+ opts = {}
+
+ for secret_key, secret_map in cls.secrets.items():
+ # should be unnecessary-- since no one else should be modifying
+ if use_lock:
+ with secret_map["secret"].get_lock():
+ secret_map["secret"].value = salt.utils.stringutils.to_bytes(
+ secret_map["reload"]()
+ )
+ if "serial" in secret_map:
+ secret_map["serial"].value = 0
+ else:
+ secret_map["secret"].value = salt.utils.stringutils.to_bytes(
+ secret_map["reload"]()
+ )
+ if "serial" in secret_map:
+ secret_map["serial"].value = 0
+ if event:
+ event.fire_event({"rotate_{}_key".format(secret_key): True}, tag="key")
+
+ if opts.get("ping_on_rotate"):
+ # Ping all minions to get them to pick up the new key
+ log.debug("Pinging all connected minions due to key rotation")
+ salt.utils.master.ping_all_connected_minions(opts)
+
class Maintenance(salt.utils.process.SignalHandlingProcess):
"""
@@ -281,21 +319,8 @@ class Maintenance(salt.utils.process.SignalHandlingProcess):
to_rotate = True
if to_rotate:
- log.info("Rotating master AES key")
- for secret_key, secret_map in SMaster.secrets.items():
- # should be unnecessary-- since no one else should be modifying
- with secret_map["secret"].get_lock():
- secret_map["secret"].value = salt.utils.stringutils.to_bytes(
- secret_map["reload"]()
- )
- self.event.fire_event(
- {"rotate_{}_key".format(secret_key): True}, tag="key"
- )
+ SMaster.rotate_secrets(self.opts, self.event)
self.rotate = now
- if self.opts.get("ping_on_rotate"):
- # Ping all minions to get them to pick up the new key
- log.debug("Pinging all connected minions due to key rotation")
- salt.utils.master.ping_all_connected_minions(self.opts)
def handle_git_pillar(self):
"""
@@ -671,8 +696,12 @@ class Master(SMaster):
salt.crypt.Crypticle.generate_key_string()
),
),
+ "serial": multiprocessing.Value(
+ ctypes.c_longlong, lock=False # We'll use the lock from 'secret'
+ ),
"reload": salt.crypt.Crypticle.generate_key_string,
}
+
log.info("Creating master process manager")
# Since there are children having their own ProcessManager we should wait for kill more time.
self.process_manager = salt.utils.process.ProcessManager(wait_for_kill=5)
diff --git a/salt/minion.py b/salt/minion.py
index dbce3986ab..de3ad50b5c 100644
--- a/salt/minion.py
+++ b/salt/minion.py
@@ -1691,6 +1691,7 @@ class Minion(MinionBase):
Override this method if you wish to handle the decoded data
differently.
"""
+
# Ensure payload is unicode. Disregard failure to decode binary blobs.
if "user" in data:
log.info(
diff --git a/salt/pillar/__init__.py b/salt/pillar/__init__.py
index 22f5c3a0a9..e595b3fb1b 100644
--- a/salt/pillar/__init__.py
+++ b/salt/pillar/__init__.py
@@ -9,6 +9,7 @@ import logging
import os
import sys
import traceback
+import uuid
import salt.ext.tornado.gen
import salt.fileclient
@@ -240,6 +241,9 @@ class AsyncRemotePillar(RemotePillarMixin):
load,
dictkey="pillar",
)
+ except salt.crypt.AuthenticationError as exc:
+ log.error(exc.message)
+ raise SaltClientError("Exception getting pillar.")
except Exception: # pylint: disable=broad-except
log.exception("Exception getting pillar:")
raise SaltClientError("Exception getting pillar.")
diff --git a/salt/transport/mixins/auth.py b/salt/transport/mixins/auth.py
index 90197fb506..1e2e8e6b7b 100644
--- a/salt/transport/mixins/auth.py
+++ b/salt/transport/mixins/auth.py
@@ -112,7 +112,7 @@ class AESReqServerMixin:
self.master_key = salt.crypt.MasterKeys(self.opts)
- def _encrypt_private(self, ret, dictkey, target):
+ def _encrypt_private(self, ret, dictkey, target, nonce=None, sign_messages=True):
"""
The server equivalent of ReqChannel.crypted_transfer_decode_dictentry
"""
@@ -127,7 +127,6 @@ class AESReqServerMixin:
except OSError:
log.error("AES key not found")
return {"error": "AES key not found"}
-
pret = {}
key = salt.utils.stringutils.to_bytes(key)
if HAS_M2:
@@ -135,9 +134,33 @@ class AESReqServerMixin:
else:
cipher = PKCS1_OAEP.new(pub)
pret["key"] = cipher.encrypt(key)
- pret[dictkey] = pcrypt.dumps(ret if ret is not False else {})
+ if ret is False:
+ ret = {}
+ if sign_messages:
+ if nonce is None:
+ return {"error": "Nonce not included in request"}
+ tosign = salt.payload.dumps(
+ {"key": pret["key"], "pillar": ret, "nonce": nonce}
+ )
+ master_pem_path = os.path.join(self.opts["pki_dir"], "master.pem")
+ signed_msg = {
+ "data": tosign,
+ "sig": salt.crypt.sign_message(master_pem_path, tosign),
+ }
+ pret[dictkey] = pcrypt.dumps(signed_msg)
+ else:
+ pret[dictkey] = pcrypt.dumps(ret)
return pret
+ def _clear_signed(self, load):
+ master_pem_path = os.path.join(self.opts["pki_dir"], "master.pem")
+ tosign = salt.payload.dumps(load)
+ return {
+ "enc": "clear",
+ "load": tosign,
+ "sig": salt.crypt.sign_message(master_pem_path, tosign),
+ }
+
def _update_aes(self):
"""
Check to see if a fresh AES key is available and update the components
@@ -164,7 +187,7 @@ class AESReqServerMixin:
payload["load"] = self.crypticle.loads(payload["load"])
return payload
- def _auth(self, load):
+ def _auth(self, load, sign_messages=False):
"""
Authenticate the client, use the sent public key to encrypt the AES key
which was generated at start up.
@@ -182,7 +205,10 @@ class AESReqServerMixin:
if not salt.utils.verify.valid_id(self.opts, load["id"]):
log.info("Authentication request from invalid id %s", load["id"])
- return {"enc": "clear", "load": {"ret": False}}
+ if sign_messages:
+ return self._clear_signed({"ret": False, "nonce": load["nonce"]})
+ else:
+ return {"enc": "clear", "load": {"ret": False}}
log.info("Authentication request from %s", load["id"])
# 0 is default which should be 'unlimited'
@@ -220,7 +246,12 @@ class AESReqServerMixin:
self.event.fire_event(
eload, salt.utils.event.tagify(prefix="auth")
)
- return {"enc": "clear", "load": {"ret": "full"}}
+ if sign_messages:
+ return self._clear_signed(
+ {"ret": "full", "nonce": load["nonce"]}
+ )
+ else:
+ return {"enc": "clear", "load": {"ret": "full"}}
# Check if key is configured to be auto-rejected/signed
auto_reject = self.auto_key.check_autoreject(load["id"])
@@ -247,8 +278,10 @@ class AESReqServerMixin:
eload = {"result": False, "id": load["id"], "pub": load["pub"]}
if self.opts.get("auth_events") is True:
self.event.fire_event(eload, salt.utils.event.tagify(prefix="auth"))
- return {"enc": "clear", "load": {"ret": False}}
-
+ if sign_messages:
+ return self._clear_signed({"ret": False, "nonce": load["nonce"]})
+ else:
+ return {"enc": "clear", "load": {"ret": False}}
elif os.path.isfile(pubfn):
# The key has been accepted, check it
with salt.utils.files.fopen(pubfn, "r") as pubfn_handle:
@@ -272,7 +305,12 @@ class AESReqServerMixin:
self.event.fire_event(
eload, salt.utils.event.tagify(prefix="auth")
)
- return {"enc": "clear", "load": {"ret": False}}
+ if sign_messages:
+ return self._clear_signed(
+ {"ret": False, "nonce": load["nonce"]}
+ )
+ else:
+ return {"enc": "clear", "load": {"ret": False}}
elif not os.path.isfile(pubfn_pend):
# The key has not been accepted, this is a new minion
@@ -282,7 +320,10 @@ class AESReqServerMixin:
eload = {"result": False, "id": load["id"], "pub": load["pub"]}
if self.opts.get("auth_events") is True:
self.event.fire_event(eload, salt.utils.event.tagify(prefix="auth"))
- return {"enc": "clear", "load": {"ret": False}}
+ if sign_messages:
+ return self._clear_signed({"ret": False, "nonce": load["nonce"]})
+ else:
+ return {"enc": "clear", "load": {"ret": False}}
if auto_reject:
key_path = pubfn_rejected
@@ -305,7 +346,6 @@ class AESReqServerMixin:
# Write the key to the appropriate location
with salt.utils.files.fopen(key_path, "w+") as fp_:
fp_.write(load["pub"])
- ret = {"enc": "clear", "load": {"ret": key_result}}
eload = {
"result": key_result,
"act": key_act,
@@ -314,7 +354,12 @@ class AESReqServerMixin:
}
if self.opts.get("auth_events") is True:
self.event.fire_event(eload, salt.utils.event.tagify(prefix="auth"))
- return ret
+ if sign_messages:
+ return self._clear_signed(
+ {"ret": key_result, "nonce": load["nonce"]}
+ )
+ else:
+ return {"enc": "clear", "load": {"ret": key_result}}
elif os.path.isfile(pubfn_pend):
# This key is in the pending dir and is awaiting acceptance
@@ -330,7 +375,6 @@ class AESReqServerMixin:
"Pending public key for %s rejected via autoreject_file",
load["id"],
)
- ret = {"enc": "clear", "load": {"ret": False}}
eload = {
"result": False,
"act": "reject",
@@ -339,7 +383,10 @@ class AESReqServerMixin:
}
if self.opts.get("auth_events") is True:
self.event.fire_event(eload, salt.utils.event.tagify(prefix="auth"))
- return ret
+ if sign_messages:
+ return self._clear_signed({"ret": False, "nonce": load["nonce"]})
+ else:
+ return {"enc": "clear", "load": {"ret": False}}
elif not auto_sign:
# This key is in the pending dir and is not being auto-signed.
@@ -367,7 +414,12 @@ class AESReqServerMixin:
self.event.fire_event(
eload, salt.utils.event.tagify(prefix="auth")
)
- return {"enc": "clear", "load": {"ret": False}}
+ if sign_messages:
+ return self._clear_signed(
+ {"ret": False, "nonce": load["nonce"]}
+ )
+ else:
+ return {"enc": "clear", "load": {"ret": False}}
else:
log.info(
"Authentication failed from host %s, the key is in "
@@ -386,7 +438,12 @@ class AESReqServerMixin:
self.event.fire_event(
eload, salt.utils.event.tagify(prefix="auth")
)
- return {"enc": "clear", "load": {"ret": True}}
+ if sign_messages:
+ return self._clear_signed(
+ {"ret": True, "nonce": load["nonce"]}
+ )
+ else:
+ return {"enc": "clear", "load": {"ret": True}}
else:
# This key is in pending and has been configured to be
# auto-signed. Check to see if it is the same key, and if
@@ -408,7 +465,12 @@ class AESReqServerMixin:
self.event.fire_event(
eload, salt.utils.event.tagify(prefix="auth")
)
- return {"enc": "clear", "load": {"ret": False}}
+ if sign_messages:
+ return self._clear_signed(
+ {"ret": False, "nonce": load["nonce"]}
+ )
+ else:
+ return {"enc": "clear", "load": {"ret": False}}
else:
os.remove(pubfn_pend)
@@ -418,7 +480,10 @@ class AESReqServerMixin:
eload = {"result": False, "id": load["id"], "pub": load["pub"]}
if self.opts.get("auth_events") is True:
self.event.fire_event(eload, salt.utils.event.tagify(prefix="auth"))
- return {"enc": "clear", "load": {"ret": False}}
+ if sign_messages:
+ return self._clear_signed({"ret": False, "nonce": load["nonce"]})
+ else:
+ return {"enc": "clear", "load": {"ret": False}}
log.info("Authentication accepted from %s", load["id"])
# only write to disk if you are adding the file, and in open mode,
@@ -437,7 +502,10 @@ class AESReqServerMixin:
fp_.write(load["pub"])
elif not load["pub"]:
log.error("Public key is empty: %s", load["id"])
- return {"enc": "clear", "load": {"ret": False}}
+ if sign_messages:
+ return self._clear_signed({"ret": False, "nonce": load["nonce"]})
+ else:
+ return {"enc": "clear", "load": {"ret": False}}
pub = None
@@ -451,7 +519,10 @@ class AESReqServerMixin:
pub = salt.crypt.get_rsa_pub_key(pubfn)
except salt.crypt.InvalidKeyError as err:
log.error('Corrupt public key "%s": %s', pubfn, err)
- return {"enc": "clear", "load": {"ret": False}}
+ if sign_messages:
+ return self._clear_signed({"ret": False, "nonce": load["nonce"]})
+ else:
+ return {"enc": "clear", "load": {"ret": False}}
if not HAS_M2:
cipher = PKCS1_OAEP.new(pub)
@@ -532,10 +603,14 @@ class AESReqServerMixin:
ret["aes"] = pub.public_encrypt(aes, RSA.pkcs1_oaep_padding)
else:
ret["aes"] = cipher.encrypt(aes)
+
# Be aggressive about the signature
digest = salt.utils.stringutils.to_bytes(hashlib.sha256(aes).hexdigest())
ret["sig"] = salt.crypt.private_encrypt(self.master_key.key, digest)
eload = {"result": True, "act": "accept", "id": load["id"], "pub": load["pub"]}
if self.opts.get("auth_events") is True:
self.event.fire_event(eload, salt.utils.event.tagify(prefix="auth"))
+ if sign_messages:
+ ret["nonce"] = load["nonce"]
+ return self._clear_signed(ret)
return ret
diff --git a/salt/transport/tcp.py b/salt/transport/tcp.py
index f8f51eab66..f00b3c40eb 100644
--- a/salt/transport/tcp.py
+++ b/salt/transport/tcp.py
@@ -13,6 +13,7 @@ import threading
import time
import traceback
import urllib.parse
+import uuid
import salt.crypt
import salt.exceptions
@@ -266,12 +267,15 @@ class AsyncTCPReqChannel(salt.transport.client.ReqChannel):
return {
"enc": self.crypt,
"load": load,
+ "version": 2,
}
@salt.ext.tornado.gen.coroutine
def crypted_transfer_decode_dictentry(
self, load, dictkey=None, tries=3, timeout=60
):
+ nonce = uuid.uuid4().hex
+ load["nonce"] = nonce
if not self.auth.authenticated:
yield self.auth.authenticate()
ret = yield self.message_client.send(
@@ -285,10 +289,29 @@ class AsyncTCPReqChannel(salt.transport.client.ReqChannel):
else:
cipher = PKCS1_OAEP.new(key)
aes = cipher.decrypt(ret["key"])
+
+ # Decrypt using the public key.
pcrypt = salt.crypt.Crypticle(self.opts, aes)
- data = pcrypt.loads(ret[dictkey])
- data = salt.transport.frame.decode_embedded_strs(data)
- raise salt.ext.tornado.gen.Return(data)
+ signed_msg = pcrypt.loads(ret[dictkey])
+
+ # Validate the master's signature.
+ master_pubkey_path = os.path.join(self.opts["pki_dir"], "minion_master.pub")
+ if not salt.crypt.verify_signature(
+ master_pubkey_path, signed_msg["data"], signed_msg["sig"]
+ ):
+ raise salt.crypt.AuthenticationError(
+ "Pillar payload signature failed to validate."
+ )
+
+ # Make sure the signed key matches the key we used to decrypt the data.
+ data = salt.payload.loads(signed_msg["data"])
+ if data["key"] != ret["key"]:
+ raise salt.crypt.AuthenticationError("Key verification failed.")
+
+ # Validate the nonce.
+ if data["nonce"] != nonce:
+ raise salt.crypt.AuthenticationError("Pillar nonce verification failed.")
+ raise salt.ext.tornado.gen.Return(data["pillar"])
@salt.ext.tornado.gen.coroutine
def _crypted_transfer(self, load, tries=3, timeout=60):
@@ -298,6 +321,9 @@ class AsyncTCPReqChannel(salt.transport.client.ReqChannel):
Indeed, we can fail too early in case of a master restart during a
minion state execution call
"""
+ nonce = uuid.uuid4().hex
+ if load and isinstance(load, dict):
+ load["nonce"] = nonce
@salt.ext.tornado.gen.coroutine
def _do_transfer():
@@ -311,7 +337,7 @@ class AsyncTCPReqChannel(salt.transport.client.ReqChannel):
# communication, we do not subscribe to return events, we just
# upload the results to the master
if data:
- data = self.auth.crypticle.loads(data)
+ data = self.auth.crypticle.loads(data, nonce=nonce)
data = salt.transport.frame.decode_embedded_strs(data)
raise salt.ext.tornado.gen.Return(data)
@@ -395,6 +421,7 @@ class AsyncTCPPubChannel(
return {
"enc": self.crypt,
"load": load,
+ "version": 2,
}
@salt.ext.tornado.gen.coroutine
@@ -696,6 +723,14 @@ class TCPReqServerChannel(
)
raise salt.ext.tornado.gen.Return()
+ version = 0
+ if "version" in payload:
+ version = payload["version"]
+
+ sign_messages = False
+ if version > 1:
+ sign_messages = True
+
# intercept the "_auth" commands, since the main daemon shouldn't know
# anything about our key auth
if (
@@ -704,11 +739,15 @@ class TCPReqServerChannel(
):
yield stream.write(
salt.transport.frame.frame_msg(
- self._auth(payload["load"]), header=header
+ self._auth(payload["load"], sign_messages), header=header
)
)
raise salt.ext.tornado.gen.Return()
+ nonce = None
+ if version > 1:
+ nonce = payload["load"].pop("nonce", None)
+
# TODO: test
try:
ret, req_opts = yield self.payload_handler(payload)
@@ -727,7 +766,7 @@ class TCPReqServerChannel(
elif req_fun == "send":
stream.write(
salt.transport.frame.frame_msg(
- self.crypticle.dumps(ret), header=header
+ self.crypticle.dumps(ret, nonce), header=header
)
)
elif req_fun == "send_private":
@@ -737,6 +776,8 @@ class TCPReqServerChannel(
ret,
req_opts["key"],
req_opts["tgt"],
+ nonce,
+ sign_messages,
),
header=header,
)
@@ -1381,7 +1422,7 @@ class PubServer(salt.ext.tornado.tcpserver.TCPServer):
TCP publisher
"""
- def __init__(self, opts, io_loop=None):
+ def __init__(self, opts, io_loop=None, pack_publish=lambda _: _):
super().__init__(ssl_options=opts.get("ssl"))
self.io_loop = io_loop
self.opts = opts
@@ -1408,6 +1449,10 @@ class PubServer(salt.ext.tornado.tcpserver.TCPServer):
)
else:
self.event = None
+ self._pack_publish = pack_publish
+
+ def pack_publish(self, load):
+ return self._pack_publish(load)
def close(self):
if self._closing:
@@ -1516,6 +1561,7 @@ class PubServer(salt.ext.tornado.tcpserver.TCPServer):
@salt.ext.tornado.gen.coroutine
def publish_payload(self, package, _):
log.debug("TCP PubServer sending payload: %s", package)
+ payload = self.pack_publish(package)
payload = salt.transport.frame.frame_msg(package["payload"])
to_remove = []
@@ -1591,7 +1637,9 @@ class TCPPubServerChannel(salt.transport.server.PubServerChannel):
self.io_loop = salt.ext.tornado.ioloop.IOLoop.current()
# Spin up the publisher
- pub_server = PubServer(self.opts, io_loop=self.io_loop)
+ pub_server = PubServer(
+ self.opts, io_loop=self.io_loop, pack_publish=self.pack_publish
+ )
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
_set_tcp_keepalive(sock, self.opts)
@@ -1634,12 +1682,9 @@ class TCPPubServerChannel(salt.transport.server.PubServerChannel):
"""
process_manager.add_process(self._publish_daemon, kwargs=kwargs)
- def publish(self, load):
- """
- Publish "load" to minions
- """
+ def pack_publish(self, load):
payload = {"enc": "aes"}
-
+ load["serial"] = salt.master.SMaster.get_serial()
crypticle = salt.crypt.Crypticle(
self.opts, salt.master.SMaster.secrets["aes"]["secret"].value
)
@@ -1648,20 +1693,6 @@ class TCPPubServerChannel(salt.transport.server.PubServerChannel):
master_pem_path = os.path.join(self.opts["pki_dir"], "master.pem")
log.debug("Signing data packet")
payload["sig"] = salt.crypt.sign_message(master_pem_path, payload["load"])
- # Use the Salt IPC server
- if self.opts.get("ipc_mode", "") == "tcp":
- pull_uri = int(self.opts.get("tcp_master_publish_pull", 4514))
- else:
- pull_uri = os.path.join(self.opts["sock_dir"], "publish_pull.ipc")
- # TODO: switch to the actual asynchronous interface
- # pub_sock = salt.transport.ipc.IPCMessageClient(self.opts, io_loop=self.io_loop)
- pub_sock = salt.utils.asynchronous.SyncWrapper(
- salt.transport.ipc.IPCMessageClient,
- (pull_uri,),
- loop_kwarg="io_loop",
- )
- pub_sock.connect()
-
int_payload = {"payload": salt.payload.dumps(payload)}
# add some targeting stuff for lists only (for now)
@@ -1678,5 +1709,21 @@ class TCPPubServerChannel(salt.transport.server.PubServerChannel):
int_payload["topic_lst"] = match_ids
else:
int_payload["topic_lst"] = load["tgt"]
+ return int_payload
+
+ def publish(self, load):
+ """
+ Publish "load" to minions
+ """
# Send it over IPC!
- pub_sock.send(int_payload)
+ if self.opts.get("ipc_mode", "") == "tcp":
+ pull_uri = int(self.opts.get("tcp_master_publish_pull", 4514))
+ else:
+ pull_uri = os.path.join(self.opts["sock_dir"], "publish_pull.ipc")
+ pub_sock = salt.utils.asynchronous.SyncWrapper(
+ salt.transport.ipc.IPCMessageClient,
+ (pull_uri,),
+ loop_kwarg="io_loop",
+ )
+ pub_sock.connect()
+ pub_sock.send(load)
diff --git a/salt/transport/zeromq.py b/salt/transport/zeromq.py
index 357fb08553..9e61b23255 100644
--- a/salt/transport/zeromq.py
+++ b/salt/transport/zeromq.py
@@ -8,6 +8,7 @@ import os
import signal
import sys
import threading
+import uuid
from random import randint
import salt.auth
@@ -55,6 +56,7 @@ except ImportError:
except ImportError:
from Crypto.Cipher import PKCS1_OAEP # nosec
+
log = logging.getLogger(__name__)
@@ -66,12 +68,12 @@ def _get_master_uri(master_ip, master_port, source_ip=None, source_port=None):
rc = zmq_connect(socket, "tcp://192.168.1.17:5555;192.168.1.1:5555"); assert (rc == 0);
Source: http://api.zeromq.org/4-1:zmq-tcp
"""
+
from salt.utils.zeromq import ip_bracket
master_uri = "tcp://{master_ip}:{master_port}".format(
master_ip=ip_bracket(master_ip), master_port=master_port
)
-
if source_ip or source_port:
if LIBZMQ_VERSION_INFO >= (4, 1, 6) and ZMQ_VERSION_INFO >= (16, 0, 1):
# The source:port syntax for ZeroMQ has been added in libzmq 4.1.6
@@ -211,22 +213,27 @@ class AsyncZeroMQReqChannel(salt.transport.client.ReqChannel):
return {
"enc": self.crypt,
"load": load,
+ "version": 2,
}
@salt.ext.tornado.gen.coroutine
def crypted_transfer_decode_dictentry(
self, load, dictkey=None, tries=3, timeout=60
):
+ nonce = uuid.uuid4().hex
+ load["nonce"] = nonce
if not self.auth.authenticated:
# Return control back to the caller, continue when authentication succeeds
yield self.auth.authenticate()
- # Return control to the caller. When send() completes, resume by populating ret with the Future.result
+
+ # Return control to the caller. When send() completes, resume by
+ # populating ret with the Future.result
ret = yield self.message_client.send(
self._package_load(self.auth.crypticle.dumps(load)),
timeout=timeout,
tries=tries,
)
- key = self.auth.get_keys()
+
if "key" not in ret:
# Reauth in the case our key is deleted on the master side.
yield self.auth.authenticate()
@@ -235,15 +242,36 @@ class AsyncZeroMQReqChannel(salt.transport.client.ReqChannel):
timeout=timeout,
tries=tries,
)
+
+ key = self.auth.get_keys()
if HAS_M2:
aes = key.private_decrypt(ret["key"], RSA.pkcs1_oaep_padding)
else:
cipher = PKCS1_OAEP.new(key)
aes = cipher.decrypt(ret["key"])
+
+ # Decrypt using the public key.
pcrypt = salt.crypt.Crypticle(self.opts, aes)
- data = pcrypt.loads(ret[dictkey])
- data = salt.transport.frame.decode_embedded_strs(data)
- raise salt.ext.tornado.gen.Return(data)
+ signed_msg = pcrypt.loads(ret[dictkey])
+
+ # Validate the master's signature.
+ master_pubkey_path = os.path.join(self.opts["pki_dir"], "minion_master.pub")
+ if not salt.crypt.verify_signature(
+ master_pubkey_path, signed_msg["data"], signed_msg["sig"]
+ ):
+ raise salt.crypt.AuthenticationError(
+ "Pillar payload signature failed to validate."
+ )
+
+ # Make sure the signed key matches the key we used to decrypt the data.
+ data = salt.payload.loads(signed_msg["data"])
+ if data["key"] != ret["key"]:
+ raise salt.crypt.AuthenticationError("Key verification failed.")
+
+ # Validate the nonce.
+ if data["nonce"] != nonce:
+ raise salt.crypt.AuthenticationError("Pillar nonce verification failed.")
+ raise salt.ext.tornado.gen.Return(data["pillar"])
@salt.ext.tornado.gen.coroutine
def _crypted_transfer(self, load, tries=3, timeout=60, raw=False):
@@ -260,6 +288,9 @@ class AsyncZeroMQReqChannel(salt.transport.client.ReqChannel):
:param int tries: The number of times to make before failure
:param int timeout: The number of seconds on a response before failing
"""
+ nonce = uuid.uuid4().hex
+ if load and isinstance(load, dict):
+ load["nonce"] = nonce
@salt.ext.tornado.gen.coroutine
def _do_transfer():
@@ -274,7 +305,7 @@ class AsyncZeroMQReqChannel(salt.transport.client.ReqChannel):
# communication, we do not subscribe to return events, we just
# upload the results to the master
if data:
- data = self.auth.crypticle.loads(data, raw)
+ data = self.auth.crypticle.loads(data, raw, nonce)
if not raw:
data = salt.transport.frame.decode_embedded_strs(data)
raise salt.ext.tornado.gen.Return(data)
@@ -735,12 +766,24 @@ class ZeroMQReqServerChannel(
)
raise salt.ext.tornado.gen.Return()
+ version = 0
+ if "version" in payload:
+ version = payload["version"]
+
+ sign_messages = False
+ if version > 1:
+ sign_messages = True
+
# intercept the "_auth" commands, since the main daemon shouldn't know
# anything about our key auth
if payload["enc"] == "clear" and payload.get("load", {}).get("cmd") == "_auth":
- stream.send(salt.payload.dumps(self._auth(payload["load"])))
+ stream.send(salt.payload.dumps(self._auth(payload["load"], sign_messages)))
raise salt.ext.tornado.gen.Return()
+ nonce = None
+ if version > 1:
+ nonce = payload["load"].pop("nonce", None)
+
# TODO: test
try:
# Take the payload_handler function that was registered when we created the channel
@@ -756,7 +799,7 @@ class ZeroMQReqServerChannel(
if req_fun == "send_clear":
stream.send(salt.payload.dumps(ret))
elif req_fun == "send":
- stream.send(salt.payload.dumps(self.crypticle.dumps(ret)))
+ stream.send(salt.payload.dumps(self.crypticle.dumps(ret, nonce)))
elif req_fun == "send_private":
stream.send(
salt.payload.dumps(
@@ -764,6 +807,8 @@ class ZeroMQReqServerChannel(
ret,
req_opts["key"],
req_opts["tgt"],
+ nonce,
+ sign_messages,
)
)
)
@@ -894,6 +939,8 @@ class ZeroMQPubServerChannel(salt.transport.server.PubServerChannel):
try:
log.debug("Publish daemon getting data from puller %s", pull_uri)
package = pull_sock.recv()
+ package = salt.payload.loads(package)
+ package = self.pack_publish(package)
log.debug("Publish daemon received payload. size=%d", len(package))
unpacked_package = salt.payload.unpackage(package)
@@ -986,8 +1033,8 @@ class ZeroMQPubServerChannel(salt.transport.server.PubServerChannel):
"""
if self.pub_sock:
self.pub_close()
- ctx = zmq.Context.instance()
- self._sock_data.sock = ctx.socket(zmq.PUSH)
+ self._sock_data._ctx = zmq.Context()
+ self._sock_data.sock = self._sock_data._ctx.socket(zmq.PUSH)
self.pub_sock.setsockopt(zmq.LINGER, -1)
if self.opts.get("ipc_mode", "") == "tcp":
pull_uri = "tcp://127.0.0.1:{}".format(
@@ -1009,15 +1056,12 @@ class ZeroMQPubServerChannel(salt.transport.server.PubServerChannel):
if hasattr(self._sock_data, "sock"):
self._sock_data.sock.close()
delattr(self._sock_data, "sock")
+ if hasattr(self._sock_data, "_ctx"):
+ self._sock_data._ctx.destroy()
- def publish(self, load):
- """
- Publish "load" to minions. This send the load to the publisher daemon
- process with does the actual sending to minions.
-
- :param dict load: A load to be sent across the wire to minions
- """
+ def pack_publish(self, load):
payload = {"enc": "aes"}
+ load["serial"] = salt.master.SMaster.get_serial()
crypticle = salt.crypt.Crypticle(
self.opts, salt.master.SMaster.secrets["aes"]["secret"].value
)
@@ -1048,9 +1092,18 @@ class ZeroMQPubServerChannel(salt.transport.server.PubServerChannel):
load.get("jid", None),
len(payload),
)
+ return payload
+
+ def publish(self, load):
+ """
+ Publish "load" to minions. This send the load to the publisher daemon
+ process with does the actual sending to minions.
+
+ :param dict load: A load to be sent across the wire to minions
+ """
if not self.pub_sock:
self.pub_connect()
- self.pub_sock.send(payload)
+ self.pub_sock.send(salt.payload.dumps(load))
log.debug("Sent payload to publish daemon.")
diff --git a/salt/utils/minions.py b/salt/utils/minions.py
index a639bbb513..3e2f448db6 100644
--- a/salt/utils/minions.py
+++ b/salt/utils/minions.py
@@ -736,20 +736,27 @@ class CkMinions:
def validate_tgt(self, valid, expr, tgt_type, minions=None, expr_form=None):
"""
- Return a Bool. This function returns if the expression sent in is
- within the scope of the valid expression
+ Validate the target minions against the possible valid minions.
+
+ If ``minions`` is provided, they will be compared against the valid
+ minions. Otherwise, ``expr`` and ``tgt_type`` will be used to expand
+ to a list of target minions.
+
+ Return True if all of the requested minions are valid minions,
+ otherwise return False.
"""
v_minions = set(self.check_minions(valid, "compound").get("minions", []))
+ if not v_minions:
+ # There are no valid minions, so it doesn't matter what we are
+ # targeting - this is a fail.
+ return False
if minions is None:
_res = self.check_minions(expr, tgt_type)
minions = set(_res["minions"])
else:
minions = set(minions)
- d_bool = not bool(minions.difference(v_minions))
- if len(v_minions) == len(minions) and d_bool:
- return True
- return d_bool
+ return minions.issubset(v_minions)
def match_check(self, regex, fun):
"""
diff --git a/salt/utils/network.py b/salt/utils/network.py
index 349cfb6fce..90be389a59 100644
--- a/salt/utils/network.py
+++ b/salt/utils/network.py
@@ -1003,10 +1003,10 @@ def _junos_interfaces_ifconfig(out):
pip = re.compile(
r".*?inet\s*(primary)*\s+mtu"
- r" (\d+)\s+local=[^\d]*(.*?)\s+dest=[^\d]*(.*?)\/([\d]*)\s+bcast=((?:[0-9]{1,3}\.){3}[0-9]{1,3})"
+ r" (\d+)\s+local=[^\d]*(.*?)\s{0,40}dest=[^\d]*(.*?)\/([\d]*)\s{0,40}bcast=((?:[0-9]{1,3}\.){3}[0-9]{1,3})"
)
pip6 = re.compile(
- r".*?inet6 mtu [^\d]+\s+local=([0-9a-f:]+)%([a-zA-Z0-9]*)/([\d]*)\s"
+ r".*?inet6 mtu [^\d]+\s{0,40}local=([0-9a-f:]+)%([a-zA-Z0-9]*)/([\d]*)\s"
)
pupdown = re.compile("UP")
diff --git a/tests/integration/files/ssh/known_hosts b/tests/integration/files/ssh/known_hosts
index b46ae35a6b..aa02480ca8 100644
--- a/tests/integration/files/ssh/known_hosts
+++ b/tests/integration/files/ssh/known_hosts
@@ -1 +1,3 @@
|1|muzcBqgq7+ByUY7aLICytOff8UI=|rZ1JBNlIOqRnwwsJl9yP+xMxgf8= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
diff --git a/tests/integration/modules/test_ssh.py b/tests/integration/modules/test_ssh.py
index 4bae9c1019..ffa052402e 100644
--- a/tests/integration/modules/test_ssh.py
+++ b/tests/integration/modules/test_ssh.py
@@ -132,7 +132,9 @@ class SSHModuleTest(ModuleCase):
"""
Check that known host information is returned from remote host
"""
- ret = self.run_function("ssh.recv_known_host_entries", ["github.com"])
+ ret = self.run_function(
+ "ssh.recv_known_host_entries", ["github.com"], enc="ssh-rsa"
+ )
try:
self.assertNotEqual(ret, None)
self.assertEqual(ret[0]["enc"], "ssh-rsa")
@@ -219,7 +221,10 @@ class SSHModuleTest(ModuleCase):
"""
# add item
ret = self.run_function(
- "ssh.set_known_host", ["root", "github.com"], config=self.known_hosts
+ "ssh.set_known_host",
+ ["root", "github.com"],
+ enc="ssh-rsa",
+ config=self.known_hosts,
)
try:
self.assertEqual(ret["status"], "updated")
diff --git a/tests/integration/states/test_ssh_known_hosts.py b/tests/integration/states/test_ssh_known_hosts.py
index beeb0342bd..cb4b40d3a0 100644
--- a/tests/integration/states/test_ssh_known_hosts.py
+++ b/tests/integration/states/test_ssh_known_hosts.py
@@ -11,7 +11,7 @@ from tests.support.mixins import SaltReturnAssertsMixin
from tests.support.runtests import RUNTIME_VARS
GITHUB_FINGERPRINT = "9d:38:5b:83:a9:17:52:92:56:1a:5e:c4:d4:81:8e:0a:ca:51:a2:64:f1:74:20:11:2e:f8:8a:c3:a1:39:49:8f"
-GITHUB_IP = "192.30.253.113"
+GITHUB_IP = "140.82.121.4"
@pytest.mark.skip_if_binaries_missing("ssh", "ssh-keygen", check_all=True)
@@ -37,6 +37,7 @@ class SSHKnownHostsStateTest(ModuleCase, SaltReturnAssertsMixin):
kwargs = {
"name": "github.com",
"user": "root",
+ "enc": "ssh-rsa",
"fingerprint": GITHUB_FINGERPRINT,
"config": self.known_hosts,
}
diff --git a/tests/pytests/functional/transport/server/test_req_channel.py b/tests/pytests/functional/transport/server/test_req_channel.py
index 7a392cd758..17d8861ccf 100644
--- a/tests/pytests/functional/transport/server/test_req_channel.py
+++ b/tests/pytests/functional/transport/server/test_req_channel.py
@@ -1,3 +1,4 @@
+import ctypes
import logging
import multiprocessing
@@ -6,6 +7,7 @@ import salt.config
import salt.exceptions
import salt.ext.tornado.gen
import salt.log.setup
+import salt.master
import salt.transport.client
import salt.transport.server
import salt.utils.platform
@@ -33,6 +35,18 @@ class ReqServerChannelProcess(salt.utils.process.SignalHandlingProcess):
self.running = multiprocessing.Event()
def run(self):
+ salt.master.SMaster.secrets["aes"] = {
+ "secret": multiprocessing.Array(
+ ctypes.c_char,
+ salt.utils.stringutils.to_bytes(
+ salt.crypt.Crypticle.generate_key_string()
+ ),
+ ),
+ "serial": multiprocessing.Value(
+ ctypes.c_longlong, lock=False # We'll use the lock from 'secret'
+ ),
+ }
+
self.io_loop = salt.ext.tornado.ioloop.IOLoop()
self.io_loop.make_current()
self.req_server_channel.post_fork(self._handle_payload, io_loop=self.io_loop)
@@ -121,7 +135,7 @@ def test_basic(req_channel):
{"baz": "qux", "list": [1, 2, 3]},
]
for msg in msgs:
- ret = req_channel.send(msg, timeout=5, tries=1)
+ ret = req_channel.send(dict(msg), timeout=5, tries=1)
assert ret["load"] == msg
diff --git a/tests/pytests/functional/transport/zeromq/test_pub_server_channel.py b/tests/pytests/functional/transport/zeromq/test_pub_server_channel.py
index 9e183c11e0..e7033f810a 100644
--- a/tests/pytests/functional/transport/zeromq/test_pub_server_channel.py
+++ b/tests/pytests/functional/transport/zeromq/test_pub_server_channel.py
@@ -10,6 +10,7 @@ import salt.exceptions
import salt.ext.tornado.gen
import salt.ext.tornado.ioloop
import salt.log.setup
+import salt.master
import salt.transport.client
import salt.transport.server
import salt.transport.zeromq
@@ -40,6 +41,21 @@ class Collector(salt.utils.process.SignalHandlingProcess):
self.started = multiprocessing.Event()
self.running = multiprocessing.Event()
+ def _rotate_secrets(self, now=None):
+ salt.master.SMaster.secrets["aes"] = {
+ "secret": multiprocessing.Array(
+ ctypes.c_char,
+ salt.utils.stringutils.to_bytes(
+ salt.crypt.Crypticle.generate_key_string()
+ ),
+ ),
+ "serial": multiprocessing.Value(
+ ctypes.c_longlong, lock=False # We'll use the lock from 'secret'
+ ),
+ "reload": salt.crypt.Crypticle.generate_key_string,
+ "rotate_master_key": self._rotate_secrets,
+ }
+
def run(self):
"""
Gather results until then number of seconds specified by timeout passes
@@ -67,6 +83,8 @@ class Collector(salt.utils.process.SignalHandlingProcess):
try:
serial_payload = salt.payload.loads(payload)
payload = crypticle.loads(serial_payload["load"])
+ if not payload:
+ continue
if "start" in payload:
self.running.set()
continue
@@ -108,10 +126,16 @@ class PubServerChannelProcess(salt.utils.process.SignalHandlingProcess):
self.master_config = master_config
self.minion_config = minion_config
self.collector_kwargs = collector_kwargs
- self.aes_key = multiprocessing.Array(
- ctypes.c_char,
- salt.utils.stringutils.to_bytes(salt.crypt.Crypticle.generate_key_string()),
- )
+ self.aes_key = salt.crypt.Crypticle.generate_key_string()
+ salt.master.SMaster.secrets["aes"] = {
+ "secret": multiprocessing.Array(
+ ctypes.c_char,
+ salt.utils.stringutils.to_bytes(self.aes_key),
+ ),
+ "serial": multiprocessing.Value(
+ ctypes.c_longlong, lock=False # We'll use the lock from 'secret'
+ ),
+ }
self.process_manager = salt.utils.process.ProcessManager(
name="ZMQ-PubServer-ProcessManager"
)
@@ -126,14 +150,10 @@ class PubServerChannelProcess(salt.utils.process.SignalHandlingProcess):
self.queue = multiprocessing.Queue()
self.stopped = multiprocessing.Event()
self.collector = Collector(
- self.minion_config,
- self.pub_uri,
- self.aes_key.value,
- **self.collector_kwargs
+ self.minion_config, self.pub_uri, self.aes_key, **self.collector_kwargs
)
def run(self):
- salt.master.SMaster.secrets["aes"] = {"secret": self.aes_key}
try:
while True:
payload = self.queue.get()
@@ -227,12 +247,16 @@ def test_issue_36469_tcp(salt_master, salt_minion):
https://github.com/saltstack/salt/issues/36469
"""
- def _send_small(server_channel, sid, num=10):
+ def _send_small(opts, sid, num=10):
+ server_channel = salt.transport.zeromq.ZeroMQPubServerChannel(opts)
for idx in range(num):
load = {"tgt_type": "glob", "tgt": "*", "jid": "{}-s{}".format(sid, idx)}
server_channel.publish(load)
+ time.sleep(0.3)
+ server_channel.close_pub()
- def _send_large(server_channel, sid, num=10, size=250000 * 3):
+ def _send_large(opts, sid, num=10, size=250000 * 3):
+ server_channel = salt.transport.zeromq.ZeroMQPubServerChannel(opts)
for idx in range(num):
load = {
"tgt_type": "glob",
@@ -241,16 +265,19 @@ def test_issue_36469_tcp(salt_master, salt_minion):
"xdata": "0" * size,
}
server_channel.publish(load)
+ time.sleep(0.3)
+ server_channel.close_pub()
opts = dict(salt_master.config.copy(), ipc_mode="tcp", pub_hwm=0)
send_num = 10 * 4
expect = []
with PubServerChannelProcess(opts, salt_minion.config.copy()) as server_channel:
+ assert "aes" in salt.master.SMaster.secrets
with ThreadPoolExecutor(max_workers=4) as executor:
- executor.submit(_send_small, server_channel, 1)
- executor.submit(_send_large, server_channel, 2)
- executor.submit(_send_small, server_channel, 3)
- executor.submit(_send_large, server_channel, 4)
+ executor.submit(_send_small, opts, 1)
+ executor.submit(_send_large, opts, 2)
+ executor.submit(_send_small, opts, 3)
+ executor.submit(_send_large, opts, 4)
expect.extend(["{}-s{}".format(a, b) for a in range(10) for b in (1, 3)])
expect.extend(["{}-l{}".format(a, b) for a in range(10) for b in (2, 4)])
results = server_channel.collector.results
diff --git a/tests/pytests/unit/test_crypt.py b/tests/pytests/unit/test_crypt.py
index aa8f439b8c..a40c34b9d5 100644
--- a/tests/pytests/unit/test_crypt.py
+++ b/tests/pytests/unit/test_crypt.py
@@ -4,10 +4,100 @@ tests.pytests.unit.test_crypt
Unit tests for salt's crypt module
"""
+
+import uuid
+
import pytest
import salt.crypt
+import salt.master
import salt.utils.files
+PRIV_KEY = """
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAoAsMPt+4kuIG6vKyw9r3+OuZrVBee/2vDdVetW+Js5dTlgrJ
+aghWWn3doGmKlEjqh7E4UTa+t2Jd6w8RSLnyHNJ/HpVhMG0M07MF6FMfILtDrrt8
+ZX7eDVt8sx5gCEpYI+XG8Y07Ga9i3Hiczt+fu6HYwu96HggmG2pqkOrn3iGfqBvV
+YVFJzSZYe7e4c1PeEs0xYcrA4k+apyGsMtpef8vRUrNicRLc7dAcvfhtgt2DXEZ2
+d72t/CR4ygtUvPXzisaTPW0G7OWAheCloqvTIIPQIjR8htFxGTz02STVXfnhnJ0Z
+k8KhqKF2v1SQvIYxsZU7jaDgl5i3zpeh58cYOwIDAQABAoIBABZUJEO7Y91+UnfC
+H6XKrZEZkcnH7j6/UIaOD9YhdyVKxhsnax1zh1S9vceNIgv5NltzIsfV6vrb6v2K
+Dx/F7Z0O0zR5o+MlO8ZncjoNKskex10gBEWG00Uqz/WPlddiQ/TSMJTv3uCBAzp+
+S2Zjdb4wYPUlgzSgb2ygxrhsRahMcSMG9PoX6klxMXFKMD1JxiY8QfAHahPzQXy9
+F7COZ0fCVo6BE+MqNuQ8tZeIxu8mOULQCCkLFwXmkz1FpfK/kNRmhIyhxwvCS+z4
+JuErW3uXfE64RLERiLp1bSxlDdpvRO2R41HAoNELTsKXJOEt4JANRHm/CeyA5wsh
+NpscufUCgYEAxhgPfcMDy2v3nL6KtkgYjdcOyRvsAF50QRbEa8ldO+87IoMDD/Oe
+osFERJ5hhyyEO78QnaLVegnykiw5DWEF02RKMhD/4XU+1UYVhY0wJjKQIBadsufB
+2dnaKjvwzUhPh5BrBqNHl/FXwNCRDiYqXa79eWCPC9OFbZcUWWq70s8CgYEAztOI
+61zRfmXJ7f70GgYbHg+GA7IrsAcsGRITsFR82Ho0lqdFFCxz7oK8QfL6bwMCGKyk
+nzk+twh6hhj5UNp18KN8wktlo02zTgzgemHwaLa2cd6xKgmAyuPiTgcgnzt5LVNG
+FOjIWkLwSlpkDTl7ZzY2QSy7t+mq5d750fpIrtUCgYBWXZUbcpPL88WgDB7z/Bjg
+dlvW6JqLSqMK4b8/cyp4AARbNp12LfQC55o5BIhm48y/M70tzRmfvIiKnEc/gwaE
+NJx4mZrGFFURrR2i/Xx5mt/lbZbRsmN89JM+iKWjCpzJ8PgIi9Wh9DIbOZOUhKVB
+9RJEAgo70LvCnPTdS0CaVwKBgDJW3BllAvw/rBFIH4OB/vGnF5gosmdqp3oGo1Ik
+jipmPAx6895AH4tquIVYrUl9svHsezjhxvjnkGK5C115foEuWXw0u60uiTiy+6Pt
+2IS0C93VNMulenpnUrppE7CN2iWFAiaura0CY9fE/lsVpYpucHAWgi32Kok+ZxGL
+WEttAoGAN9Ehsz4LeQxEj3x8wVeEMHF6OsznpwYsI2oVh6VxpS4AjgKYqeLVcnNi
+TlZFsuQcqgod8OgzA91tdB+Rp86NygmWD5WzeKXpCOg9uA+y/YL+0sgZZHsuvbK6
+PllUgXdYxqClk/hdBFB7v9AQoaj7K9Ga22v32msftYDQRJ94xOI=
+-----END RSA PRIVATE KEY-----
+"""
+
+
+PUB_KEY = """
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoAsMPt+4kuIG6vKyw9r3
++OuZrVBee/2vDdVetW+Js5dTlgrJaghWWn3doGmKlEjqh7E4UTa+t2Jd6w8RSLny
+HNJ/HpVhMG0M07MF6FMfILtDrrt8ZX7eDVt8sx5gCEpYI+XG8Y07Ga9i3Hiczt+f
+u6HYwu96HggmG2pqkOrn3iGfqBvVYVFJzSZYe7e4c1PeEs0xYcrA4k+apyGsMtpe
+f8vRUrNicRLc7dAcvfhtgt2DXEZ2d72t/CR4ygtUvPXzisaTPW0G7OWAheCloqvT
+IIPQIjR8htFxGTz02STVXfnhnJ0Zk8KhqKF2v1SQvIYxsZU7jaDgl5i3zpeh58cY
+OwIDAQAB
+-----END PUBLIC KEY-----
+"""
+
+PRIV_KEY2 = """
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAp+8cTxguO6Vg+YO92VfHgNld3Zy8aM3JbZvpJcjTnis+YFJ7
+Zlkcc647yPRRwY9nYBNywahnt5kIeuT1rTvTsMBZWvmUoEVUj1Xg8XXQkBvb9Ozy
+Gqy/G/p8KDDpzMP/U+XCnUeHiXTZrgnqgBIc2cKeCVvWFqDi0GRFGzyaXLaX3PPm
+M7DJ0MIPL1qgmcDq6+7Ze0gJ9SrDYFAeLmbuT1OqDfufXWQl/82JXeiwU2cOpqWq
+7n5fvPOWim7l1tzQ+dSiMRRm0xa6uNexCJww3oJSwvMbAmgzvOhqqhlqv+K7u0u7
+FrFFojESsL36Gq4GBrISnvu2tk7u4GGNTYYQbQIDAQABAoIBAADrqWDQnd5DVZEA
+lR+WINiWuHJAy/KaIC7K4kAMBgbxrz2ZbiY9Ok/zBk5fcnxIZDVtXd1sZicmPlro
+GuWodIxdPZAnWpZ3UtOXUayZK/vCP1YsH1agmEqXuKsCu6Fc+K8VzReOHxLUkmXn
+FYM+tixGahXcjEOi/aNNTWitEB6OemRM1UeLJFzRcfyXiqzHpHCIZwBpTUAsmzcG
+QiVDkMTKubwo/m+PVXburX2CGibUydctgbrYIc7EJvyx/cpRiPZXo1PhHQWdu4Y1
+SOaC66WLsP/wqvtHo58JQ6EN/gjSsbAgGGVkZ1xMo66nR+pLpR27coS7o03xCks6
+DY/0mukCgYEAuLIGgBnqoh7YsOBLd/Bc1UTfDMxJhNseo+hZemtkSXz2Jn51322F
+Zw/FVN4ArXgluH+XsOhvG/MFFpojwZSrb0Qq5b1MRdo9qycq8lGqNtlN1WHqosDQ
+zW29kpL0tlRrSDpww3wRESsN9rH5XIrJ1b3ZXuO7asR+KBVQMy/+NcUCgYEA6MSC
+c+fywltKPgmPl5j0DPoDe5SXE/6JQy7w/vVGrGfWGf/zEJmhzS2R+CcfTTEqaT0T
+Yw8+XbFgKAqsxwtE9MUXLTVLI3sSUyE4g7blCYscOqhZ8ItCUKDXWkSpt++rG0Um
+1+cEJP/0oCazG6MWqvBC4NpQ1nzh46QpjWqMwokCgYAKDLXJ1p8rvx3vUeUJW6zR
+dfPlEGCXuAyMwqHLxXgpf4EtSwhC5gSyPOtx2LqUtcrnpRmt6JfTH4ARYMW9TMef
+QEhNQ+WYj213mKP/l235mg1gJPnNbUxvQR9lkFV8bk+AGJ32JRQQqRUTbU+yN2MQ
+HEptnVqfTp3GtJIultfwOQKBgG+RyYmu8wBP650izg33BXu21raEeYne5oIqXN+I
+R5DZ0JjzwtkBGroTDrVoYyuH1nFNEh7YLqeQHqvyufBKKYo9cid8NQDTu+vWr5UK
+tGvHnwdKrJmM1oN5JOAiq0r7+QMAOWchVy449VNSWWV03aeftB685iR5BXkstbIQ
+EVopAoGAfcGBTAhmceK/4Q83H/FXBWy0PAa1kZGg/q8+Z0KY76AqyxOVl0/CU/rB
+3tO3sKhaMTHPME/MiQjQQGoaK1JgPY6JHYvly2KomrJ8QTugqNGyMzdVJkXAK2AM
+GAwC8ivAkHf8CHrHa1W7l8t2IqBjW1aRt7mOW92nfG88Hck0Mbo=
+-----END RSA PRIVATE KEY-----
+"""
+
+
+PUB_KEY2 = """
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp+8cTxguO6Vg+YO92VfH
+gNld3Zy8aM3JbZvpJcjTnis+YFJ7Zlkcc647yPRRwY9nYBNywahnt5kIeuT1rTvT
+sMBZWvmUoEVUj1Xg8XXQkBvb9OzyGqy/G/p8KDDpzMP/U+XCnUeHiXTZrgnqgBIc
+2cKeCVvWFqDi0GRFGzyaXLaX3PPmM7DJ0MIPL1qgmcDq6+7Ze0gJ9SrDYFAeLmbu
+T1OqDfufXWQl/82JXeiwU2cOpqWq7n5fvPOWim7l1tzQ+dSiMRRm0xa6uNexCJww
+3oJSwvMbAmgzvOhqqhlqv+K7u0u7FrFFojESsL36Gq4GBrISnvu2tk7u4GGNTYYQ
+bQIDAQAB
+-----END PUBLIC KEY-----
+"""
+
def test_get_rsa_pub_key_bad_key(tmp_path):
"""
@@ -18,3 +108,64 @@ def test_get_rsa_pub_key_bad_key(tmp_path):
fp.write("")
with pytest.raises(salt.crypt.InvalidKeyError):
salt.crypt.get_rsa_pub_key(key_path)
+
+
+def test_cryptical_dumps_no_nonce():
+ master_crypt = salt.crypt.Crypticle({}, salt.crypt.Crypticle.generate_key_string())
+ data = {"foo": "bar"}
+ ret = master_crypt.dumps(data)
+
+ # Validate message structure
+ assert isinstance(ret, bytes)
+ une = master_crypt.decrypt(ret)
+ une.startswith(master_crypt.PICKLE_PAD)
+ assert salt.payload.loads(une[len(master_crypt.PICKLE_PAD) :]) == data
+
+ # Validate load back to orig data
+ assert master_crypt.loads(ret) == data
+
+
+def test_cryptical_dumps_valid_nonce():
+ nonce = uuid.uuid4().hex
+ master_crypt = salt.crypt.Crypticle({}, salt.crypt.Crypticle.generate_key_string())
+ data = {"foo": "bar"}
+ ret = master_crypt.dumps(data, nonce=nonce)
+
+ assert isinstance(ret, bytes)
+ une = master_crypt.decrypt(ret)
+ une.startswith(master_crypt.PICKLE_PAD)
+ nonce_and_data = une[len(master_crypt.PICKLE_PAD) :]
+ assert nonce_and_data.startswith(nonce.encode())
+ assert salt.payload.loads(nonce_and_data[len(nonce) :]) == data
+
+ assert master_crypt.loads(ret, nonce=nonce) == data
+
+
+def test_cryptical_dumps_invalid_nonce():
+ nonce = uuid.uuid4().hex
+ master_crypt = salt.crypt.Crypticle({}, salt.crypt.Crypticle.generate_key_string())
+ data = {"foo": "bar"}
+ ret = master_crypt.dumps(data, nonce=nonce)
+ assert isinstance(ret, bytes)
+ with pytest.raises(salt.crypt.SaltClientError, match="Nonce verification error"):
+ assert master_crypt.loads(ret, nonce="abcde")
+
+
+def test_verify_signature(tmpdir):
+ tmpdir.join("foo.pem").write(PRIV_KEY.strip())
+ tmpdir.join("foo.pub").write(PUB_KEY.strip())
+ tmpdir.join("bar.pem").write(PRIV_KEY2.strip())
+ tmpdir.join("bar.pub").write(PUB_KEY2.strip())
+ msg = b"foo bar"
+ sig = salt.crypt.sign_message(str(tmpdir.join("foo.pem")), msg)
+ assert salt.crypt.verify_signature(str(tmpdir.join("foo.pub")), msg, sig)
+
+
+def test_verify_signature_bad_sig(tmpdir):
+ tmpdir.join("foo.pem").write(PRIV_KEY.strip())
+ tmpdir.join("foo.pub").write(PUB_KEY.strip())
+ tmpdir.join("bar.pem").write(PRIV_KEY2.strip())
+ tmpdir.join("bar.pub").write(PUB_KEY2.strip())
+ msg = b"foo bar"
+ sig = salt.crypt.sign_message(str(tmpdir.join("foo.pem")), msg)
+ assert not salt.crypt.verify_signature(str(tmpdir.join("bar.pub")), msg, sig)
diff --git a/tests/pytests/unit/test_minion.py b/tests/pytests/unit/test_minion.py
index 7de60c49e3..985ec99276 100644
--- a/tests/pytests/unit/test_minion.py
+++ b/tests/pytests/unit/test_minion.py
@@ -10,6 +10,7 @@ import salt.minion
import salt.syspaths
import salt.utils.crypt
import salt.utils.event as event
+import salt.utils.jid
import salt.utils.platform
import salt.utils.process
from salt._compat import ipaddress
diff --git a/tests/pytests/unit/transport/test_tcp.py b/tests/pytests/unit/transport/test_tcp.py
index d003797d29..3b6e175472 100644
--- a/tests/pytests/unit/transport/test_tcp.py
+++ b/tests/pytests/unit/transport/test_tcp.py
@@ -210,15 +210,17 @@ def test_tcp_pub_server_channel_publish_filtering(temp_salt_master):
SyncWrapper.return_value = wrap
# try simple publish with glob tgt_type
- channel.publish({"test": "value", "tgt_type": "glob", "tgt": "*"})
- payload = wrap.send.call_args[0][0]
+ payload = channel.pack_publish(
+ {"test": "value", "tgt_type": "glob", "tgt": "*"}
+ )
# verify we send it without any specific topic
assert "topic_lst" not in payload
# try simple publish with list tgt_type
- channel.publish({"test": "value", "tgt_type": "list", "tgt": ["minion01"]})
- payload = wrap.send.call_args[0][0]
+ payload = channel.pack_publish(
+ {"test": "value", "tgt_type": "list", "tgt": ["minion01"]}
+ )
# verify we send it with correct topic
assert "topic_lst" in payload
@@ -226,8 +228,9 @@ def test_tcp_pub_server_channel_publish_filtering(temp_salt_master):
# try with syndic settings
opts["order_masters"] = True
- channel.publish({"test": "value", "tgt_type": "list", "tgt": ["minion01"]})
- payload = wrap.send.call_args[0][0]
+ payload = channel.pack_publish(
+ {"test": "value", "tgt_type": "list", "tgt": ["minion01"]}
+ )
# verify we send it without topic for syndics
assert "topic_lst" not in payload
@@ -257,8 +260,9 @@ def test_tcp_pub_server_channel_publish_filtering_str_list(temp_salt_master):
check_minions.return_value = {"minions": ["minion02"]}
# try simple publish with list tgt_type
- channel.publish({"test": "value", "tgt_type": "list", "tgt": "minion02"})
- payload = wrap.send.call_args[0][0]
+ payload = channel.pack_publish(
+ {"test": "value", "tgt_type": "list", "tgt": "minion02"}
+ )
# verify we send it with correct topic
assert "topic_lst" in payload
diff --git a/tests/pytests/unit/transport/test_zeromq.py b/tests/pytests/unit/transport/test_zeromq.py
index 44f38ee998..1f0515c91a 100644
--- a/tests/pytests/unit/transport/test_zeromq.py
+++ b/tests/pytests/unit/transport/test_zeromq.py
@@ -2,9 +2,16 @@
:codeauthor: Thomas Jackson <jacksontj.89@gmail.com>
"""
+import ctypes
import hashlib
+import logging
+import multiprocessing
+import os
+import uuid
+import pytest
import salt.config
+import salt.crypt
import salt.exceptions
import salt.ext.tornado.gen
import salt.ext.tornado.ioloop
@@ -14,9 +21,236 @@ import salt.transport.server
import salt.utils.platform
import salt.utils.process
import salt.utils.stringutils
+from salt.master import SMaster
from salt.transport.zeromq import AsyncReqMessageClientPool
from tests.support.mock import MagicMock, patch
+try:
+ from M2Crypto import RSA
+
+ HAS_M2 = True
+except ImportError:
+ HAS_M2 = False
+ try:
+ from Cryptodome.Cipher import PKCS1_OAEP
+ except ImportError:
+ from Crypto.Cipher import PKCS1_OAEP # nosec
+
+log = logging.getLogger(__name__)
+
+MASTER_PRIV_KEY = """
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAoAsMPt+4kuIG6vKyw9r3+OuZrVBee/2vDdVetW+Js5dTlgrJ
+aghWWn3doGmKlEjqh7E4UTa+t2Jd6w8RSLnyHNJ/HpVhMG0M07MF6FMfILtDrrt8
+ZX7eDVt8sx5gCEpYI+XG8Y07Ga9i3Hiczt+fu6HYwu96HggmG2pqkOrn3iGfqBvV
+YVFJzSZYe7e4c1PeEs0xYcrA4k+apyGsMtpef8vRUrNicRLc7dAcvfhtgt2DXEZ2
+d72t/CR4ygtUvPXzisaTPW0G7OWAheCloqvTIIPQIjR8htFxGTz02STVXfnhnJ0Z
+k8KhqKF2v1SQvIYxsZU7jaDgl5i3zpeh58cYOwIDAQABAoIBABZUJEO7Y91+UnfC
+H6XKrZEZkcnH7j6/UIaOD9YhdyVKxhsnax1zh1S9vceNIgv5NltzIsfV6vrb6v2K
+Dx/F7Z0O0zR5o+MlO8ZncjoNKskex10gBEWG00Uqz/WPlddiQ/TSMJTv3uCBAzp+
+S2Zjdb4wYPUlgzSgb2ygxrhsRahMcSMG9PoX6klxMXFKMD1JxiY8QfAHahPzQXy9
+F7COZ0fCVo6BE+MqNuQ8tZeIxu8mOULQCCkLFwXmkz1FpfK/kNRmhIyhxwvCS+z4
+JuErW3uXfE64RLERiLp1bSxlDdpvRO2R41HAoNELTsKXJOEt4JANRHm/CeyA5wsh
+NpscufUCgYEAxhgPfcMDy2v3nL6KtkgYjdcOyRvsAF50QRbEa8ldO+87IoMDD/Oe
+osFERJ5hhyyEO78QnaLVegnykiw5DWEF02RKMhD/4XU+1UYVhY0wJjKQIBadsufB
+2dnaKjvwzUhPh5BrBqNHl/FXwNCRDiYqXa79eWCPC9OFbZcUWWq70s8CgYEAztOI
+61zRfmXJ7f70GgYbHg+GA7IrsAcsGRITsFR82Ho0lqdFFCxz7oK8QfL6bwMCGKyk
+nzk+twh6hhj5UNp18KN8wktlo02zTgzgemHwaLa2cd6xKgmAyuPiTgcgnzt5LVNG
+FOjIWkLwSlpkDTl7ZzY2QSy7t+mq5d750fpIrtUCgYBWXZUbcpPL88WgDB7z/Bjg
+dlvW6JqLSqMK4b8/cyp4AARbNp12LfQC55o5BIhm48y/M70tzRmfvIiKnEc/gwaE
+NJx4mZrGFFURrR2i/Xx5mt/lbZbRsmN89JM+iKWjCpzJ8PgIi9Wh9DIbOZOUhKVB
+9RJEAgo70LvCnPTdS0CaVwKBgDJW3BllAvw/rBFIH4OB/vGnF5gosmdqp3oGo1Ik
+jipmPAx6895AH4tquIVYrUl9svHsezjhxvjnkGK5C115foEuWXw0u60uiTiy+6Pt
+2IS0C93VNMulenpnUrppE7CN2iWFAiaura0CY9fE/lsVpYpucHAWgi32Kok+ZxGL
+WEttAoGAN9Ehsz4LeQxEj3x8wVeEMHF6OsznpwYsI2oVh6VxpS4AjgKYqeLVcnNi
+TlZFsuQcqgod8OgzA91tdB+Rp86NygmWD5WzeKXpCOg9uA+y/YL+0sgZZHsuvbK6
+PllUgXdYxqClk/hdBFB7v9AQoaj7K9Ga22v32msftYDQRJ94xOI=
+-----END RSA PRIVATE KEY-----
+"""
+
+
+MASTER_PUB_KEY = """
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoAsMPt+4kuIG6vKyw9r3
++OuZrVBee/2vDdVetW+Js5dTlgrJaghWWn3doGmKlEjqh7E4UTa+t2Jd6w8RSLny
+HNJ/HpVhMG0M07MF6FMfILtDrrt8ZX7eDVt8sx5gCEpYI+XG8Y07Ga9i3Hiczt+f
+u6HYwu96HggmG2pqkOrn3iGfqBvVYVFJzSZYe7e4c1PeEs0xYcrA4k+apyGsMtpe
+f8vRUrNicRLc7dAcvfhtgt2DXEZ2d72t/CR4ygtUvPXzisaTPW0G7OWAheCloqvT
+IIPQIjR8htFxGTz02STVXfnhnJ0Zk8KhqKF2v1SQvIYxsZU7jaDgl5i3zpeh58cY
+OwIDAQAB
+-----END PUBLIC KEY-----
+"""
+
+MASTER2_PRIV_KEY = """
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAp+8cTxguO6Vg+YO92VfHgNld3Zy8aM3JbZvpJcjTnis+YFJ7
+Zlkcc647yPRRwY9nYBNywahnt5kIeuT1rTvTsMBZWvmUoEVUj1Xg8XXQkBvb9Ozy
+Gqy/G/p8KDDpzMP/U+XCnUeHiXTZrgnqgBIc2cKeCVvWFqDi0GRFGzyaXLaX3PPm
+M7DJ0MIPL1qgmcDq6+7Ze0gJ9SrDYFAeLmbuT1OqDfufXWQl/82JXeiwU2cOpqWq
+7n5fvPOWim7l1tzQ+dSiMRRm0xa6uNexCJww3oJSwvMbAmgzvOhqqhlqv+K7u0u7
+FrFFojESsL36Gq4GBrISnvu2tk7u4GGNTYYQbQIDAQABAoIBAADrqWDQnd5DVZEA
+lR+WINiWuHJAy/KaIC7K4kAMBgbxrz2ZbiY9Ok/zBk5fcnxIZDVtXd1sZicmPlro
+GuWodIxdPZAnWpZ3UtOXUayZK/vCP1YsH1agmEqXuKsCu6Fc+K8VzReOHxLUkmXn
+FYM+tixGahXcjEOi/aNNTWitEB6OemRM1UeLJFzRcfyXiqzHpHCIZwBpTUAsmzcG
+QiVDkMTKubwo/m+PVXburX2CGibUydctgbrYIc7EJvyx/cpRiPZXo1PhHQWdu4Y1
+SOaC66WLsP/wqvtHo58JQ6EN/gjSsbAgGGVkZ1xMo66nR+pLpR27coS7o03xCks6
+DY/0mukCgYEAuLIGgBnqoh7YsOBLd/Bc1UTfDMxJhNseo+hZemtkSXz2Jn51322F
+Zw/FVN4ArXgluH+XsOhvG/MFFpojwZSrb0Qq5b1MRdo9qycq8lGqNtlN1WHqosDQ
+zW29kpL0tlRrSDpww3wRESsN9rH5XIrJ1b3ZXuO7asR+KBVQMy/+NcUCgYEA6MSC
+c+fywltKPgmPl5j0DPoDe5SXE/6JQy7w/vVGrGfWGf/zEJmhzS2R+CcfTTEqaT0T
+Yw8+XbFgKAqsxwtE9MUXLTVLI3sSUyE4g7blCYscOqhZ8ItCUKDXWkSpt++rG0Um
+1+cEJP/0oCazG6MWqvBC4NpQ1nzh46QpjWqMwokCgYAKDLXJ1p8rvx3vUeUJW6zR
+dfPlEGCXuAyMwqHLxXgpf4EtSwhC5gSyPOtx2LqUtcrnpRmt6JfTH4ARYMW9TMef
+QEhNQ+WYj213mKP/l235mg1gJPnNbUxvQR9lkFV8bk+AGJ32JRQQqRUTbU+yN2MQ
+HEptnVqfTp3GtJIultfwOQKBgG+RyYmu8wBP650izg33BXu21raEeYne5oIqXN+I
+R5DZ0JjzwtkBGroTDrVoYyuH1nFNEh7YLqeQHqvyufBKKYo9cid8NQDTu+vWr5UK
+tGvHnwdKrJmM1oN5JOAiq0r7+QMAOWchVy449VNSWWV03aeftB685iR5BXkstbIQ
+EVopAoGAfcGBTAhmceK/4Q83H/FXBWy0PAa1kZGg/q8+Z0KY76AqyxOVl0/CU/rB
+3tO3sKhaMTHPME/MiQjQQGoaK1JgPY6JHYvly2KomrJ8QTugqNGyMzdVJkXAK2AM
+GAwC8ivAkHf8CHrHa1W7l8t2IqBjW1aRt7mOW92nfG88Hck0Mbo=
+-----END RSA PRIVATE KEY-----
+"""
+
+
+MASTER2_PUB_KEY = """
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp+8cTxguO6Vg+YO92VfH
+gNld3Zy8aM3JbZvpJcjTnis+YFJ7Zlkcc647yPRRwY9nYBNywahnt5kIeuT1rTvT
+sMBZWvmUoEVUj1Xg8XXQkBvb9OzyGqy/G/p8KDDpzMP/U+XCnUeHiXTZrgnqgBIc
+2cKeCVvWFqDi0GRFGzyaXLaX3PPmM7DJ0MIPL1qgmcDq6+7Ze0gJ9SrDYFAeLmbu
+T1OqDfufXWQl/82JXeiwU2cOpqWq7n5fvPOWim7l1tzQ+dSiMRRm0xa6uNexCJww
+3oJSwvMbAmgzvOhqqhlqv+K7u0u7FrFFojESsL36Gq4GBrISnvu2tk7u4GGNTYYQ
+bQIDAQAB
+-----END PUBLIC KEY-----
+"""
+
+
+MASTER_SIGNING_PRIV = """
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAtieqrBMTM0MSIbhPKkDcozHqyXKyL/+bXYYw+iVPsns7c7bJ
+zBqenLQlWoRVyrVyBFrrwQSrKu/0Mqn3l639iOGPlUoR3I7aZKIpyEdDkqd3xGIC
+e+BtNNDqhUai67L63hEdG+iYAchi8UZw3LZGtcGpJ3FkBH4cYFX9EOam2QjbD7WY
+EO7m1+j6XEYIOTCmAP9dGAvBbU0Jblc+wYxG3qNr+2dBWsK76QXWEqib2VSOGP+z
+gjJa8tqY7PXXdOJpalQXNphmD/4o4pHKR4Euy0yL/1oMkpacmrV61LWB8Trnx9nS
+9gdVrUteQF/cL1KAGwOsdVmiLpHfvqLLRqSAAQIDAQABAoIBABjB+HEN4Kixf4fk
+wKHKEhL+SF6b/7sFX00NXZ/KLXRhSnnWSMQ8g/1hgMg2P2DfW4FbCDsCUu9xkLvI
+HTZY+CJAIh9U42uaYPWXkt09TmJi76TZ+2Nx4/XvRUjbCm7Fs1I2ekHeUbbAUS5g
++BsPjTnL+h05zLHNoDa5yT0gVGIgFsQcX/w38arZCe8Rjp9le7PXUB5IIqASsDiw
+t8zJvdyWToeXd0WswCHTQu5coHvKo5MCjIZZ1Ink1yJcCCc3rKDc+q3jB2z9T9oW
+cUsKzJ4VuleiYj1eRxFITBmXbjKrb/GPRRUkeqCQbs68Hyj2d3UtOFDPeF4vng/3
+jGsHPq8CgYEA0AHAbwykVC6NMa37BTvEqcKoxbjTtErxR+yczlmVDfma9vkwtZvx
+FJdbS/+WGA/ucDby5x5b2T5k1J9ueMR86xukb+HnyS0WKsZ94Ie8WnJAcbp+38M6
+7LD0u74Cgk93oagDAzUHqdLq9cXxv/ppBpxVB1Uvu8DfVMHj+wt6ie8CgYEA4C7u
+u+6b8EmbGqEdtlPpScKG0WFstJEDGXRARDCRiVP2w6wm25v8UssCPvWcwf8U1Hoq
+lhMY+H6a5dnRRiNYql1MGQAsqMi7VeJNYb0B1uxi7X8MPM+SvXoAglX7wm1z0cVy
+O4CE5sEKbBg6aQabx1x9tzdrm80SKuSsLc5HRQ8CgYEAp/mCKSuQWNru8ruJBwTp
+IB4upN1JOUN77ZVKW+lD0XFMjz1U9JPl77b65ziTQQM8jioRpkqB6cHVM088qxIh
+vssn06Iex/s893YrmPKETJYPLMhqRNEn+JQ+To53ADykY0uGg0SD18SYMbmULHBP
++CKvF6jXT0vGDnA1ZzoxzskCgYEA2nQhYrRS9EVlhP93KpJ+A8gxA5tCCHo+YPFt
+JoWFbCKLlYUNoHZR3IPCPoOsK0Zbj+kz0mXtsUf9vPkR+py669haLQqEejyQgFIz
+QYiiYEKc6/0feapzvXtDP751w7JQaBtVAzJrT0jQ1SCO2oT8C7rPLlgs3fdpOq72
+MPSPcnUCgYBWHm6bn4HvaoUSr0v2hyD9fHZS/wDTnlXVe5c1XXgyKlJemo5dvycf
+HUCmN/xIuO6AsiMdqIzv+arNJdboz+O+bNtS43LkTJfEH3xj2/DdUogdvOgG/iPM
+u9KBT1h+euws7PqC5qt4vqLwCTTCZXmUS8Riv+62RCC3kZ5AbpT3ZA==
+-----END RSA PRIVATE KEY-----
+"""
+
+MASTER_SIGNING_PUB = """
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtieqrBMTM0MSIbhPKkDc
+ozHqyXKyL/+bXYYw+iVPsns7c7bJzBqenLQlWoRVyrVyBFrrwQSrKu/0Mqn3l639
+iOGPlUoR3I7aZKIpyEdDkqd3xGICe+BtNNDqhUai67L63hEdG+iYAchi8UZw3LZG
+tcGpJ3FkBH4cYFX9EOam2QjbD7WYEO7m1+j6XEYIOTCmAP9dGAvBbU0Jblc+wYxG
+3qNr+2dBWsK76QXWEqib2VSOGP+zgjJa8tqY7PXXdOJpalQXNphmD/4o4pHKR4Eu
+y0yL/1oMkpacmrV61LWB8Trnx9nS9gdVrUteQF/cL1KAGwOsdVmiLpHfvqLLRqSA
+AQIDAQAB
+-----END PUBLIC KEY-----
+"""
+
+MINION_PRIV_KEY = """
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAsT6TwnlI0L7urjXu6D5E11tFJ/NglQ45jW/WN9tAUNvphq6Q
+cjJCd/aWmdqlqe7ix8y9M/8rgwghRQsnPXblVBvPwFcUEXhMRnOGzqbq/0zyQX01
+KecT0plBhlDt2lTyCLU6E4XCqyLbPfOxgXzsVqM0/TnzRtpVvGNy+5N4eFGylrjb
+cJhPxKt2G9TDOCM/hYacDs5RVIYQQmcYb8LJq7G3++FfWpYRDaxdKoHNFDspEynd
+jzr67hgThnwzc388OKNJx/7B2atwPTunPb3YBjgwDyRO/01OKK4gUHdw5KoctFgp
+kDCDjwjemlyXV+MYODRTIdtOlAP83ZkntEuLoQIDAQABAoIBAAJOKNtvFGfF2l9H
+S4CXZSUGU0a+JaCkR+wmnjsPwPn/dXDpAe8nGpidpNicPWqRm6WABjeQHaxda+fB
+lpSrRtEdo3zoi2957xQJ5wddDtI1pmXJQrdbm0H/K39oIg/Xtv/IZT769TM6OtVg
+paUxG/aftmeGXDtGfIL8w1jkuPABRBLOakWQA9uVdeG19KTU0Ag8ilpJdEX64uFJ
+W75bpVjT+KO/6aV1inuCntQSP097aYvUWajRwuiYVJOxoBZHme3IObcE6mdnYXeQ
+wblyWBpJUHrOS4MP4HCODV2pHKZ2rr7Nwhh8lMNw/eY9OP0ifz2AcAqe3sUMQOKP
+T0qRC6ECgYEAyeU5JvUPOpxXvvChYh6gJ8pYTIh1ueDP0O5e4t3vhz6lfy9DKtRN
+ROJLUorHvw/yVXMR72nT07a0z2VswcrUSw8ov3sI53F0NkLGEafQ35lVhTGs4vTl
+CFoQCuAKPsxeUl4AIbfbpkDsLGQqzW1diFArK7YeQkpGuGaGodXl480CgYEA4L40
+x5cUXnAhTPsybo7sbcpiwFHoGblmdkvpYvHA2QxtNSi2iHHdqGo8qP1YsZjKQn58
+371NhtqidrJ6i/8EBFP1dy+y/jr9qYlZNNGcQeBi+lshrEOIf1ct56KePG79s8lm
+DmD1OY8tO2R37+Py46Nq1n6viT/ST4NjLQI3GyUCgYEAiOswSDA3ZLs0cqRD/gPg
+/zsliLmehTFmHj4aEWcLkz+0Ar3tojUaNdX12QOPFQ7efH6uMhwl8NVeZ6xUBlTk
+hgbAzqLE1hjGBCpiowSZDZqyOcMHiV8ll/VkHcv0hsQYT2m6UyOaDXTH9g70TB6Y
+KOKddGZsvO4cad/1+/jQkB0CgYAzDEEkzLY9tS57M9uCrUgasAu6L2CO50PUvu1m
+Ig9xvZbYqkS7vVFhva/FmrYYsOHQNLbcgz0m0mZwm52mSuh4qzFoPxdjE7cmWSJA
+ExRxCiyxPR3q6PQKKJ0urgtPIs7RlX9u6KsKxfC6OtnbTWWQO0A7NE9e13ZHxUoz
+oPsvWQKBgCa0+Fb2lzUeiQz9bV1CBkWneDZUXuZHmabAZomokX+h/bq+GcJFzZjW
+3kAHwYkIy9IAy3SyO/6CP0V3vAye1p+XbotiwsQ/XZnr0pflSQL3J1l1CyN3aopg
+Niv7k/zBn15B72aK73R/CpUSk9W/eJGqk1NcNwf8hJHsboRYx6BR
+-----END RSA PRIVATE KEY-----
+"""
+
+
+MINION_PUB_KEY = """
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsT6TwnlI0L7urjXu6D5E
+11tFJ/NglQ45jW/WN9tAUNvphq6QcjJCd/aWmdqlqe7ix8y9M/8rgwghRQsnPXbl
+VBvPwFcUEXhMRnOGzqbq/0zyQX01KecT0plBhlDt2lTyCLU6E4XCqyLbPfOxgXzs
+VqM0/TnzRtpVvGNy+5N4eFGylrjbcJhPxKt2G9TDOCM/hYacDs5RVIYQQmcYb8LJ
+q7G3++FfWpYRDaxdKoHNFDspEyndjzr67hgThnwzc388OKNJx/7B2atwPTunPb3Y
+BjgwDyRO/01OKK4gUHdw5KoctFgpkDCDjwjemlyXV+MYODRTIdtOlAP83ZkntEuL
+oQIDAQAB
+-----END PUBLIC KEY-----
+"""
+
+AES_KEY = "8wxWlOaMMQ4d3yT74LL4+hGrGTf65w8VgrcNjLJeLRQ2Q6zMa8ItY2EQUgMKKDb7JY+RnPUxbB0="
+
+
+@pytest.fixture
+def pki_dir(tmpdir):
+ madir = tmpdir.mkdir("master")
+
+ mapriv = madir.join("master.pem")
+ mapriv.write(MASTER_PRIV_KEY.strip())
+ mapub = madir.join("master.pub")
+ mapub.write(MASTER_PUB_KEY.strip())
+
+ maspriv = madir.join("master_sign.pem")
+ maspriv.write(MASTER_SIGNING_PRIV.strip())
+ maspub = madir.join("master_sign.pub")
+ maspub.write(MASTER_SIGNING_PUB.strip())
+
+ mipub = madir.mkdir("minions").join("minion")
+ mipub.write(MINION_PUB_KEY.strip())
+ for sdir in [
+ "minions_autosign",
+ "minions_denied",
+ "minions_pre",
+ "minions_rejected",
+ ]:
+ madir.mkdir(sdir)
+
+ midir = tmpdir.mkdir("minion")
+ mipub = midir.join("minion.pub")
+ mipub.write(MINION_PUB_KEY.strip())
+ mipriv = midir.join("minion.pem")
+ mipriv.write(MINION_PRIV_KEY.strip())
+ mimapriv = midir.join("minion_master.pub")
+ mimapriv.write(MASTER_PUB_KEY.strip())
+ mimaspriv = midir.join("master_sign.pub")
+ mimaspriv.write(MASTER_SIGNING_PUB.strip())
+ try:
+ yield tmpdir
+ finally:
+ tmpdir.remove()
+
def test_master_uri():
"""
@@ -236,3 +470,806 @@ def test_zeromq_async_pub_channel_filtering_decode_message(
res = channel._decode_messages(message)
assert res.result()["enc"] == "aes"
+
+
+def test_req_server_chan_encrypt_v2(pki_dir):
+ loop = salt.ext.tornado.ioloop.IOLoop.current()
+ opts = {
+ "worker_threads": 1,
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "zmq_monitor": False,
+ "mworker_queue_niceness": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("master")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ }
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(opts)
+ dictkey = "pillar"
+ nonce = "abcdefg"
+ pillar_data = {"pillar1": "meh"}
+ ret = server._encrypt_private(pillar_data, dictkey, "minion", nonce)
+ assert "key" in ret
+ assert dictkey in ret
+
+ key = salt.crypt.get_rsa_key(str(pki_dir.join("minion", "minion.pem")), None)
+ if HAS_M2:
+ aes = key.private_decrypt(ret["key"], RSA.pkcs1_oaep_padding)
+ else:
+ cipher = PKCS1_OAEP.new(key)
+ aes = cipher.decrypt(ret["key"])
+ pcrypt = salt.crypt.Crypticle(opts, aes)
+ signed_msg = pcrypt.loads(ret[dictkey])
+
+ assert "sig" in signed_msg
+ assert "data" in signed_msg
+ data = salt.payload.loads(signed_msg["data"])
+ assert "key" in data
+ assert data["key"] == ret["key"]
+ assert "key" in data
+ assert data["nonce"] == nonce
+ assert "pillar" in data
+ assert data["pillar"] == pillar_data
+
+
+def test_req_server_chan_encrypt_v1(pki_dir):
+ loop = salt.ext.tornado.ioloop.IOLoop.current()
+ opts = {
+ "worker_threads": 1,
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "zmq_monitor": False,
+ "mworker_queue_niceness": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("master")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ }
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(opts)
+ dictkey = "pillar"
+ nonce = "abcdefg"
+ pillar_data = {"pillar1": "meh"}
+ ret = server._encrypt_private(pillar_data, dictkey, "minion", sign_messages=False)
+
+ assert "key" in ret
+ assert dictkey in ret
+
+ key = salt.crypt.get_rsa_key(str(pki_dir.join("minion", "minion.pem")), None)
+ if HAS_M2:
+ aes = key.private_decrypt(ret["key"], RSA.pkcs1_oaep_padding)
+ else:
+ cipher = PKCS1_OAEP.new(key)
+ aes = cipher.decrypt(ret["key"])
+ pcrypt = salt.crypt.Crypticle(opts, aes)
+ data = pcrypt.loads(ret[dictkey])
+ assert data == pillar_data
+
+
+def test_req_chan_decode_data_dict_entry_v1(pki_dir):
+ mockloop = MagicMock()
+ opts = {
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("minion")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ }
+ master_opts = dict(opts, pki_dir=str(pki_dir.join("master")))
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(master_opts)
+ client = salt.transport.zeromq.AsyncZeroMQReqChannel(opts, io_loop=mockloop)
+ dictkey = "pillar"
+ target = "minion"
+ pillar_data = {"pillar1": "meh"}
+ ret = server._encrypt_private(pillar_data, dictkey, target, sign_messages=False)
+ key = client.auth.get_keys()
+ if HAS_M2:
+ aes = key.private_decrypt(ret["key"], RSA.pkcs1_oaep_padding)
+ else:
+ cipher = PKCS1_OAEP.new(key)
+ aes = cipher.decrypt(ret["key"])
+ pcrypt = salt.crypt.Crypticle(client.opts, aes)
+ ret_pillar_data = pcrypt.loads(ret[dictkey])
+ assert ret_pillar_data == pillar_data
+
+
+async def test_req_chan_decode_data_dict_entry_v2(pki_dir):
+ mockloop = MagicMock()
+ opts = {
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("minion")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ }
+ master_opts = dict(opts, pki_dir=str(pki_dir.join("master")))
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(master_opts)
+ client = salt.transport.zeromq.AsyncZeroMQReqChannel(opts, io_loop=mockloop)
+
+ dictkey = "pillar"
+ target = "minion"
+ pillar_data = {"pillar1": "meh"}
+
+ # Mock auth and message client.
+ auth = client.auth
+ auth._crypticle = salt.crypt.Crypticle(opts, AES_KEY)
+ client.auth = MagicMock()
+ client.auth.authenticated = True
+ client.auth.get_keys = auth.get_keys
+ client.auth.crypticle.dumps = auth.crypticle.dumps
+ client.auth.crypticle.loads = auth.crypticle.loads
+ client.message_client = MagicMock()
+
+ @salt.ext.tornado.gen.coroutine
+ def mocksend(msg, timeout=60, tries=3):
+ client.message_client.msg = msg
+ load = client.auth.crypticle.loads(msg["load"])
+ ret = server._encrypt_private(
+ pillar_data, dictkey, target, nonce=load["nonce"], sign_messages=True
+ )
+ raise salt.ext.tornado.gen.Return(ret)
+
+ client.message_client.send = mocksend
+
+ # Note the 'ver' value in 'load' does not represent the the 'version' sent
+ # in the top level of the transport's message.
+ load = {
+ "id": target,
+ "grains": {},
+ "saltenv": "base",
+ "pillarenv": "base",
+ "pillar_override": True,
+ "extra_minion_data": {},
+ "ver": "2",
+ "cmd": "_pillar",
+ }
+ ret = await client.crypted_transfer_decode_dictentry(
+ load,
+ dictkey="pillar",
+ )
+ assert "version" in client.message_client.msg
+ assert client.message_client.msg["version"] == 2
+ assert ret == {"pillar1": "meh"}
+
+
+async def test_req_chan_decode_data_dict_entry_v2_bad_nonce(pki_dir):
+ mockloop = MagicMock()
+ opts = {
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("minion")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ }
+ master_opts = dict(opts, pki_dir=str(pki_dir.join("master")))
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(master_opts)
+ client = salt.transport.zeromq.AsyncZeroMQReqChannel(opts, io_loop=mockloop)
+
+ dictkey = "pillar"
+ badnonce = "abcdefg"
+ target = "minion"
+ pillar_data = {"pillar1": "meh"}
+
+ # Mock auth and message client.
+ auth = client.auth
+ auth._crypticle = salt.crypt.Crypticle(opts, AES_KEY)
+ client.auth = MagicMock()
+ client.auth.authenticated = True
+ client.auth.get_keys = auth.get_keys
+ client.auth.crypticle.dumps = auth.crypticle.dumps
+ client.auth.crypticle.loads = auth.crypticle.loads
+ client.message_client = MagicMock()
+ ret = server._encrypt_private(
+ pillar_data, dictkey, target, nonce=badnonce, sign_messages=True
+ )
+
+ @salt.ext.tornado.gen.coroutine
+ def mocksend(msg, timeout=60, tries=3):
+ client.message_client.msg = msg
+ raise salt.ext.tornado.gen.Return(ret)
+
+ client.message_client.send = mocksend
+
+ # Note the 'ver' value in 'load' does not represent the the 'version' sent
+ # in the top level of the transport's message.
+ load = {
+ "id": target,
+ "grains": {},
+ "saltenv": "base",
+ "pillarenv": "base",
+ "pillar_override": True,
+ "extra_minion_data": {},
+ "ver": "2",
+ "cmd": "_pillar",
+ }
+
+ with pytest.raises(salt.crypt.AuthenticationError) as excinfo:
+ ret = await client.crypted_transfer_decode_dictentry(
+ load,
+ dictkey="pillar",
+ )
+ assert "Pillar nonce verification failed." == excinfo.value.message
+
+
+async def test_req_chan_decode_data_dict_entry_v2_bad_signature(pki_dir):
+ mockloop = MagicMock()
+ opts = {
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("minion")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ }
+ master_opts = dict(opts, pki_dir=str(pki_dir.join("master")))
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(master_opts)
+ client = salt.transport.zeromq.AsyncZeroMQReqChannel(opts, io_loop=mockloop)
+
+ dictkey = "pillar"
+ badnonce = "abcdefg"
+ target = "minion"
+ pillar_data = {"pillar1": "meh"}
+
+ # Mock auth and message client.
+ auth = client.auth
+ auth._crypticle = salt.crypt.Crypticle(opts, AES_KEY)
+ client.auth = MagicMock()
+ client.auth.authenticated = True
+ client.auth.get_keys = auth.get_keys
+ client.auth.crypticle.dumps = auth.crypticle.dumps
+ client.auth.crypticle.loads = auth.crypticle.loads
+ client.message_client = MagicMock()
+
+ @salt.ext.tornado.gen.coroutine
+ def mocksend(msg, timeout=60, tries=3):
+ client.message_client.msg = msg
+ load = client.auth.crypticle.loads(msg["load"])
+ ret = server._encrypt_private(
+ pillar_data, dictkey, target, nonce=load["nonce"], sign_messages=True
+ )
+
+ key = client.auth.get_keys()
+ if HAS_M2:
+ aes = key.private_decrypt(ret["key"], RSA.pkcs1_oaep_padding)
+ else:
+ cipher = PKCS1_OAEP.new(key)
+ aes = cipher.decrypt(ret["key"])
+ pcrypt = salt.crypt.Crypticle(client.opts, aes)
+ signed_msg = pcrypt.loads(ret[dictkey])
+ # Changing the pillar data will cause the signature verification to
+ # fail.
+ data = salt.payload.loads(signed_msg["data"])
+ data["pillar"] = {"pillar1": "bar"}
+ signed_msg["data"] = salt.payload.dumps(data)
+ ret[dictkey] = pcrypt.dumps(signed_msg)
+ raise salt.ext.tornado.gen.Return(ret)
+
+ client.message_client.send = mocksend
+
+ # Note the 'ver' value in 'load' does not represent the the 'version' sent
+ # in the top level of the transport's message.
+ load = {
+ "id": target,
+ "grains": {},
+ "saltenv": "base",
+ "pillarenv": "base",
+ "pillar_override": True,
+ "extra_minion_data": {},
+ "ver": "2",
+ "cmd": "_pillar",
+ }
+
+ with pytest.raises(salt.crypt.AuthenticationError) as excinfo:
+ ret = await client.crypted_transfer_decode_dictentry(
+ load,
+ dictkey="pillar",
+ )
+ assert "Pillar payload signature failed to validate." == excinfo.value.message
+
+
+async def test_req_chan_decode_data_dict_entry_v2_bad_key(pki_dir):
+ mockloop = MagicMock()
+ opts = {
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("minion")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ }
+ master_opts = dict(opts, pki_dir=str(pki_dir.join("master")))
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(master_opts)
+ client = salt.transport.zeromq.AsyncZeroMQReqChannel(opts, io_loop=mockloop)
+
+ dictkey = "pillar"
+ badnonce = "abcdefg"
+ target = "minion"
+ pillar_data = {"pillar1": "meh"}
+
+ # Mock auth and message client.
+ auth = client.auth
+ auth._crypticle = salt.crypt.Crypticle(opts, AES_KEY)
+ client.auth = MagicMock()
+ client.auth.authenticated = True
+ client.auth.get_keys = auth.get_keys
+ client.auth.crypticle.dumps = auth.crypticle.dumps
+ client.auth.crypticle.loads = auth.crypticle.loads
+ client.message_client = MagicMock()
+
+ @salt.ext.tornado.gen.coroutine
+ def mocksend(msg, timeout=60, tries=3):
+ client.message_client.msg = msg
+ load = client.auth.crypticle.loads(msg["load"])
+ ret = server._encrypt_private(
+ pillar_data, dictkey, target, nonce=load["nonce"], sign_messages=True
+ )
+
+ key = client.auth.get_keys()
+ if HAS_M2:
+ aes = key.private_decrypt(ret["key"], RSA.pkcs1_oaep_padding)
+ else:
+ cipher = PKCS1_OAEP.new(key)
+ aes = cipher.decrypt(ret["key"])
+ pcrypt = salt.crypt.Crypticle(client.opts, aes)
+ signed_msg = pcrypt.loads(ret[dictkey])
+
+ # Now encrypt with a different key
+ key = salt.crypt.Crypticle.generate_key_string()
+ pcrypt = salt.crypt.Crypticle(opts, key)
+ pubfn = os.path.join(master_opts["pki_dir"], "minions", "minion")
+ pub = salt.crypt.get_rsa_pub_key(pubfn)
+ ret[dictkey] = pcrypt.dumps(signed_msg)
+ key = salt.utils.stringutils.to_bytes(key)
+ if HAS_M2:
+ ret["key"] = pub.public_encrypt(key, RSA.pkcs1_oaep_padding)
+ else:
+ cipher = PKCS1_OAEP.new(pub)
+ ret["key"] = cipher.encrypt(key)
+ raise salt.ext.tornado.gen.Return(ret)
+
+ client.message_client.send = mocksend
+
+ # Note the 'ver' value in 'load' does not represent the the 'version' sent
+ # in the top level of the transport's message.
+ load = {
+ "id": target,
+ "grains": {},
+ "saltenv": "base",
+ "pillarenv": "base",
+ "pillar_override": True,
+ "extra_minion_data": {},
+ "ver": "2",
+ "cmd": "_pillar",
+ }
+
+ with pytest.raises(salt.crypt.AuthenticationError) as excinfo:
+ ret = await client.crypted_transfer_decode_dictentry(
+ load,
+ dictkey="pillar",
+ )
+ assert "Key verification failed." == excinfo.value.message
+
+
+async def test_req_serv_auth_v1(pki_dir):
+ mockloop = MagicMock()
+ opts = {
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("minion")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ "max_minions": 0,
+ "auto_accept": False,
+ "open_mode": False,
+ "key_pass": None,
+ "master_sign_pubkey": False,
+ "publish_port": 4505,
+ "auth_mode": 1,
+ }
+ SMaster.secrets["aes"] = {
+ "secret": multiprocessing.Array(
+ ctypes.c_char,
+ salt.utils.stringutils.to_bytes(salt.crypt.Crypticle.generate_key_string()),
+ ),
+ "reload": salt.crypt.Crypticle.generate_key_string,
+ }
+ master_opts = dict(opts, pki_dir=str(pki_dir.join("master")))
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(master_opts)
+ server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
+ server.cache_cli = False
+ server.master_key = salt.crypt.MasterKeys(server.opts)
+
+ pub = salt.crypt.get_rsa_pub_key(str(pki_dir.join("minion", "minion.pub")))
+ token = salt.utils.stringutils.to_bytes(salt.crypt.Crypticle.generate_key_string())
+ nonce = uuid.uuid4().hex
+
+ # We need to read the public key with fopen otherwise the newlines might
+ # not match on windows.
+ with salt.utils.files.fopen(str(pki_dir.join("minion", "minion.pub")), "r") as fp:
+ pub_key = fp.read()
+
+ load = {
+ "cmd": "_auth",
+ "id": "minion",
+ "token": token,
+ "pub": pub_key,
+ }
+ ret = server._auth(load, sign_messages=False)
+ assert "load" not in ret
+
+
+async def test_req_serv_auth_v2(pki_dir):
+ mockloop = MagicMock()
+ opts = {
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("minion")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ "max_minions": 0,
+ "auto_accept": False,
+ "open_mode": False,
+ "key_pass": None,
+ "master_sign_pubkey": False,
+ "publish_port": 4505,
+ "auth_mode": 1,
+ }
+ SMaster.secrets["aes"] = {
+ "secret": multiprocessing.Array(
+ ctypes.c_char,
+ salt.utils.stringutils.to_bytes(salt.crypt.Crypticle.generate_key_string()),
+ ),
+ "reload": salt.crypt.Crypticle.generate_key_string,
+ }
+ master_opts = dict(opts, pki_dir=str(pki_dir.join("master")))
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(master_opts)
+ server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
+ server.cache_cli = False
+ server.master_key = salt.crypt.MasterKeys(server.opts)
+
+ pub = salt.crypt.get_rsa_pub_key(str(pki_dir.join("minion", "minion.pub")))
+ token = salt.utils.stringutils.to_bytes(salt.crypt.Crypticle.generate_key_string())
+ nonce = uuid.uuid4().hex
+
+ # We need to read the public key with fopen otherwise the newlines might
+ # not match on windows.
+ with salt.utils.files.fopen(str(pki_dir.join("minion", "minion.pub")), "r") as fp:
+ pub_key = fp.read()
+
+ load = {
+ "cmd": "_auth",
+ "id": "minion",
+ "nonce": nonce,
+ "token": token,
+ "pub": pub_key,
+ }
+ ret = server._auth(load, sign_messages=True)
+ assert "sig" in ret
+ assert "load" in ret
+
+
+async def test_req_chan_auth_v2(pki_dir, io_loop):
+ mockloop = MagicMock()
+ opts = {
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("minion")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ "max_minions": 0,
+ "auto_accept": False,
+ "open_mode": False,
+ "key_pass": None,
+ "publish_port": 4505,
+ "auth_mode": 1,
+ }
+ SMaster.secrets["aes"] = {
+ "secret": multiprocessing.Array(
+ ctypes.c_char,
+ salt.utils.stringutils.to_bytes(salt.crypt.Crypticle.generate_key_string()),
+ ),
+ "reload": salt.crypt.Crypticle.generate_key_string,
+ }
+ master_opts = dict(opts, pki_dir=str(pki_dir.join("master")))
+ master_opts["master_sign_pubkey"] = False
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(master_opts)
+ server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
+ server.cache_cli = False
+ server.master_key = salt.crypt.MasterKeys(server.opts)
+ opts["verify_master_pubkey_sign"] = False
+ opts["always_verify_signature"] = False
+ client = salt.transport.zeromq.AsyncZeroMQReqChannel(opts, io_loop=io_loop)
+ signin_payload = client.auth.minion_sign_in_payload()
+ pload = client._package_load(signin_payload)
+ assert "version" in pload
+ assert pload["version"] == 2
+
+ ret = server._auth(pload["load"], sign_messages=True)
+ assert "sig" in ret
+ ret = client.auth.handle_signin_response(signin_payload, ret)
+ assert "aes" in ret
+ assert "master_uri" in ret
+ assert "publish_port" in ret
+
+
+async def test_req_chan_auth_v2_with_master_signing(pki_dir, io_loop):
+ mockloop = MagicMock()
+ opts = {
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("minion")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ "max_minions": 0,
+ "auto_accept": False,
+ "open_mode": False,
+ "key_pass": None,
+ "publish_port": 4505,
+ "auth_mode": 1,
+ }
+ SMaster.secrets["aes"] = {
+ "secret": multiprocessing.Array(
+ ctypes.c_char,
+ salt.utils.stringutils.to_bytes(salt.crypt.Crypticle.generate_key_string()),
+ ),
+ "reload": salt.crypt.Crypticle.generate_key_string,
+ }
+ master_opts = dict(opts, pki_dir=str(pki_dir.join("master")))
+ master_opts["master_sign_pubkey"] = True
+ master_opts["master_use_pubkey_signature"] = False
+ master_opts["signing_key_pass"] = True
+ master_opts["master_sign_key_name"] = "master_sign"
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(master_opts)
+ server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
+ server.cache_cli = False
+ server.master_key = salt.crypt.MasterKeys(server.opts)
+ opts["verify_master_pubkey_sign"] = True
+ opts["always_verify_signature"] = True
+ opts["master_sign_key_name"] = "master_sign"
+ opts["master"] = "master"
+
+ assert (
+ pki_dir.join("minion", "minion_master.pub").read()
+ == pki_dir.join("master", "master.pub").read()
+ )
+
+ client = salt.transport.zeromq.AsyncZeroMQReqChannel(opts, io_loop=io_loop)
+ signin_payload = client.auth.minion_sign_in_payload()
+ pload = client._package_load(signin_payload)
+ assert "version" in pload
+ assert pload["version"] == 2
+
+ server_reply = server._auth(pload["load"], sign_messages=True)
+ # With version 2 we always get a clear signed response
+ assert "enc" in server_reply
+ assert server_reply["enc"] == "clear"
+ assert "sig" in server_reply
+ assert "load" in server_reply
+ ret = client.auth.handle_signin_response(signin_payload, server_reply)
+ assert "aes" in ret
+ assert "master_uri" in ret
+ assert "publish_port" in ret
+
+ # Now create a new master key pair and try auth with it.
+ mapriv = pki_dir.join("master", "master.pem")
+ mapriv.remove()
+ mapriv.write(MASTER2_PRIV_KEY.strip())
+ mapub = pki_dir.join("master", "master.pub")
+ mapub.remove()
+ mapub.write(MASTER2_PUB_KEY.strip())
+
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(master_opts)
+ server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
+ server.cache_cli = False
+ server.master_key = salt.crypt.MasterKeys(server.opts)
+
+ signin_payload = client.auth.minion_sign_in_payload()
+ pload = client._package_load(signin_payload)
+ server_reply = server._auth(pload["load"], sign_messages=True)
+ ret = client.auth.handle_signin_response(signin_payload, server_reply)
+
+ assert "aes" in ret
+ assert "master_uri" in ret
+ assert "publish_port" in ret
+
+ assert (
+ pki_dir.join("minion", "minion_master.pub").read()
+ == pki_dir.join("master", "master.pub").read()
+ )
+
+
+async def test_req_chan_auth_v2_new_minion_with_master_pub(pki_dir, io_loop):
+
+ pki_dir.join("master", "minions", "minion").remove()
+ mockloop = MagicMock()
+ opts = {
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("minion")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ "max_minions": 0,
+ "auto_accept": False,
+ "open_mode": False,
+ "key_pass": None,
+ "publish_port": 4505,
+ "auth_mode": 1,
+ "acceptance_wait_time": 3,
+ }
+ SMaster.secrets["aes"] = {
+ "secret": multiprocessing.Array(
+ ctypes.c_char,
+ salt.utils.stringutils.to_bytes(salt.crypt.Crypticle.generate_key_string()),
+ ),
+ "reload": salt.crypt.Crypticle.generate_key_string,
+ }
+ master_opts = dict(opts, pki_dir=str(pki_dir.join("master")))
+ master_opts["master_sign_pubkey"] = False
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(master_opts)
+ server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
+ server.cache_cli = False
+ server.master_key = salt.crypt.MasterKeys(server.opts)
+ opts["verify_master_pubkey_sign"] = False
+ opts["always_verify_signature"] = False
+ client = salt.transport.zeromq.AsyncZeroMQReqChannel(opts, io_loop=io_loop)
+ signin_payload = client.auth.minion_sign_in_payload()
+ pload = client._package_load(signin_payload)
+ assert "version" in pload
+ assert pload["version"] == 2
+
+ ret = server._auth(pload["load"], sign_messages=True)
+ assert "sig" in ret
+ ret = client.auth.handle_signin_response(signin_payload, ret)
+ assert ret == "retry"
+
+
+async def test_req_chan_auth_v2_new_minion_with_master_pub_bad_sig(pki_dir, io_loop):
+
+ pki_dir.join("master", "minions", "minion").remove()
+
+ # Give the master a different key than the minion has.
+ mapriv = pki_dir.join("master", "master.pem")
+ mapriv.remove()
+ mapriv.write(MASTER2_PRIV_KEY.strip())
+ mapub = pki_dir.join("master", "master.pub")
+ mapub.remove()
+ mapub.write(MASTER2_PUB_KEY.strip())
+
+ mockloop = MagicMock()
+ opts = {
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("minion")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ "max_minions": 0,
+ "auto_accept": False,
+ "open_mode": False,
+ "key_pass": None,
+ "publish_port": 4505,
+ "auth_mode": 1,
+ "acceptance_wait_time": 3,
+ }
+ SMaster.secrets["aes"] = {
+ "secret": multiprocessing.Array(
+ ctypes.c_char,
+ salt.utils.stringutils.to_bytes(salt.crypt.Crypticle.generate_key_string()),
+ ),
+ "reload": salt.crypt.Crypticle.generate_key_string,
+ }
+ master_opts = dict(opts, pki_dir=str(pki_dir.join("master")))
+ master_opts["master_sign_pubkey"] = False
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(master_opts)
+ server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
+ server.cache_cli = False
+ server.master_key = salt.crypt.MasterKeys(server.opts)
+ opts["verify_master_pubkey_sign"] = False
+ opts["always_verify_signature"] = False
+ client = salt.transport.zeromq.AsyncZeroMQReqChannel(opts, io_loop=io_loop)
+ signin_payload = client.auth.minion_sign_in_payload()
+ pload = client._package_load(signin_payload)
+ assert "version" in pload
+ assert pload["version"] == 2
+
+ ret = server._auth(pload["load"], sign_messages=True)
+ assert "sig" in ret
+ with pytest.raises(salt.crypt.SaltClientError, match="Invalid signature"):
+ ret = client.auth.handle_signin_response(signin_payload, ret)
+
+
+async def test_req_chan_auth_v2_new_minion_without_master_pub(pki_dir, io_loop):
+
+ pki_dir.join("master", "minions", "minion").remove()
+ pki_dir.join("minion", "minion_master.pub").remove()
+ mockloop = MagicMock()
+ opts = {
+ "master_uri": "tcp://127.0.0.1:4506",
+ "interface": "127.0.0.1",
+ "ret_port": 4506,
+ "ipv6": False,
+ "sock_dir": ".",
+ "pki_dir": str(pki_dir.join("minion")),
+ "id": "minion",
+ "__role": "minion",
+ "keysize": 4096,
+ "max_minions": 0,
+ "auto_accept": False,
+ "open_mode": False,
+ "key_pass": None,
+ "publish_port": 4505,
+ "auth_mode": 1,
+ "acceptance_wait_time": 3,
+ }
+ SMaster.secrets["aes"] = {
+ "secret": multiprocessing.Array(
+ ctypes.c_char,
+ salt.utils.stringutils.to_bytes(salt.crypt.Crypticle.generate_key_string()),
+ ),
+ "reload": salt.crypt.Crypticle.generate_key_string,
+ }
+ master_opts = dict(opts, pki_dir=str(pki_dir.join("master")))
+ master_opts["master_sign_pubkey"] = False
+ server = salt.transport.zeromq.ZeroMQReqServerChannel(master_opts)
+ server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
+ server.cache_cli = False
+ server.master_key = salt.crypt.MasterKeys(server.opts)
+ opts["verify_master_pubkey_sign"] = False
+ opts["always_verify_signature"] = False
+ client = salt.transport.zeromq.AsyncZeroMQReqChannel(opts, io_loop=io_loop)
+ signin_payload = client.auth.minion_sign_in_payload()
+ pload = client._package_load(signin_payload)
+ assert "version" in pload
+ assert pload["version"] == 2
+
+ ret = server._auth(pload["load"], sign_messages=True)
+ assert "sig" in ret
+ ret = client.auth.handle_signin_response(signin_payload, ret)
+ assert ret == "retry"
diff --git a/tests/pytests/unit/utils/test_minions.py b/tests/pytests/unit/utils/test_minions.py
index 6bc6c80bbd..2e0fa5a653 100644
--- a/tests/pytests/unit/utils/test_minions.py
+++ b/tests/pytests/unit/utils/test_minions.py
@@ -1,3 +1,4 @@
+import pytest
import salt.utils.minions
import salt.utils.network
from tests.support.mock import patch
@@ -53,3 +54,61 @@ def test_connected_ids_remote_minions():
with patch_net, patch_list, patch_fetch, patch_remote_net:
ret = ckminions.connected_ids()
assert ret == {minion2, minion}
+
+
+# These validate_tgt tests make the assumption that CkMinions.check_minions is
+# correct. In other words, these tests are only worthwhile if check_minions is
+# also correct.
+def test_validate_tgt_should_return_false_when_no_valid_minions_have_been_found():
+ ckminions = salt.utils.minions.CkMinions(opts={})
+ with patch(
+ "salt.utils.minions.CkMinions.check_minions", autospec=True, return_value={}
+ ):
+ result = ckminions.validate_tgt("fnord", "fnord", "fnord", minions=[])
+ assert result is False
+
+
+@pytest.mark.parametrize(
+ "valid_minions, target_minions",
+ [
+ (["one", "two", "three"], ["one", "two", "five"]),
+ (["one"], ["one", "two"]),
+ (["one", "two", "three", "four"], ["five"]),
+ ],
+)
+def test_validate_tgt_should_return_false_when_minions_have_minions_not_in_valid_minions(
+ valid_minions, target_minions
+):
+ ckminions = salt.utils.minions.CkMinions(opts={})
+ with patch(
+ "salt.utils.minions.CkMinions.check_minions",
+ autospec=True,
+ return_value={"minions": valid_minions},
+ ):
+ result = ckminions.validate_tgt(
+ "fnord", "fnord", "fnord", minions=target_minions
+ )
+ assert result is False
+
+
+@pytest.mark.parametrize(
+ "valid_minions, target_minions",
+ [
+ (["one", "two", "three", "five"], ["one", "two", "five"]),
+ (["one"], ["one"]),
+ (["one", "two", "three", "four", "five"], ["five"]),
+ ],
+)
+def test_validate_tgt_should_return_true_when_all_minions_are_found_in_valid_minions(
+ valid_minions, target_minions
+):
+ ckminions = salt.utils.minions.CkMinions(opts={})
+ with patch(
+ "salt.utils.minions.CkMinions.check_minions",
+ autospec=True,
+ return_value={"minions": valid_minions},
+ ):
+ result = ckminions.validate_tgt(
+ "fnord", "fnord", "fnord", minions=target_minions
+ )
+ assert result is True
diff --git a/tests/pytests/unit/utils/test_network.py b/tests/pytests/unit/utils/test_network.py
new file mode 100644
index 0000000000..c5f976f674
--- /dev/null
+++ b/tests/pytests/unit/utils/test_network.py
@@ -0,0 +1,8 @@
+import salt.utils.network
+
+
+def test_junos_ifconfig_output_parsing():
+ ret = salt.utils.network._junos_interfaces_ifconfig(
+ "inet mtu 0 local=" + " " * 3456
+ )
+ assert ret == {"inet": {"up": False}}
diff --git a/tests/unit/transport/test_ipc.py b/tests/unit/transport/test_ipc.py
index 9d84f59320..7177b7f6c4 100644
--- a/tests/unit/transport/test_ipc.py
+++ b/tests/unit/transport/test_ipc.py
@@ -40,6 +40,8 @@ class IPCMessagePubSubCase(salt.ext.tornado.testing.AsyncTestCase):
def setUp(self):
super().setUp()
self.opts = {"ipc_write_buffer": 0}
+ if not os.path.exists(RUNTIME_VARS.TMP):
+ os.mkdir(RUNTIME_VARS.TMP)
self.socket_path = os.path.join(RUNTIME_VARS.TMP, "ipc_test.ipc")
self.pub_channel = self._get_pub_channel()
self.sub_channel = self._get_sub_channel()
--
2.35.1
