File fix-salt-ldap-auth-bsc-60493.patch of Package salt

Overview Repositories Revisions Requests Users Attributes Meta

File fix-salt-ldap-auth-bsc-60493.patch of Package salt

# This is a modified version of the upstream patch
# Stripped out test suite patches + resolved conflicts in salt/netapi/rest_cherrypy/app.py
# Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreuter.net>
From f1e18048a8062aa00d50dd554df2317de15bbafa Mon Sep 17 00:00:00 2001
From: Pedro Algarvio <pedro@algarvio.me>
Date: Wed, 14 Jul 2021 15:52:41 +0100
Subject: [PATCH 1/2] Factor out sum and sorting of permissions into separate
 functions.

Fixes #56495

Additionally, the same logic was applied to the rest_cherrypy netapi
---
 changelog/56495.fixed                         |   2 +
 salt/netapi/__init__.py                       |  34 ++
 salt/netapi/rest_cherrypy/app.py              |  14 +-
 salt/netapi/rest_tornado/saltnado.py          |  14 +-
 tests/filename_map.yml                        |  10 +-
 tests/pytests/functional/netapi/conftest.py   |   2 +-
 .../test_external_auth_syntax.py              | 299 +++++++++++++++++
 .../rest_tornado/test_external_auth_syntax.py | 307 ++++++++++++++++++
 8 files changed, 653 insertions(+), 29 deletions(-)
 create mode 100644 changelog/56495.fixed
 create mode 100644 tests/pytests/functional/netapi/rest_cherrypy/test_external_auth_syntax.py
 create mode 100644 tests/pytests/functional/netapi/rest_tornado/test_external_auth_syntax.py

diff --git a/changelog/56495.fixed b/changelog/56495.fixed
new file mode 100644
index 000000000000..ba43c84bcc75
--- /dev/null
+++ b/changelog/56495.fixed
@@ -0,0 +1,2 @@
+Factor out sum and sorting of permissions into separate functions.
+Additionally, the same logic was applied to the rest_cherrypy netapi
diff --git a/salt/netapi/__init__.py b/salt/netapi/__init__.py
index b54334561e21..7127dc2b3c8c 100644
--- a/salt/netapi/__init__.py
+++ b/salt/netapi/__init__.py
@@ -24,6 +24,40 @@
 log = logging.getLogger(__name__)
 
 
+def sorted_permissions(perms):
+    """
+    Return a sorted list of the passed in permissions, de-duplicating in the process
+    """
+    _str_perms = []
+    _non_str_perms = []
+    for entry in perms:
+        if isinstance(entry, str):
+            if entry in _str_perms:
+                continue
+            _str_perms.append(entry)
+            continue
+        if entry in _non_str_perms:
+            continue
+        _non_str_perms.append(entry)
+    return sorted(_str_perms) + sorted(_non_str_perms, key=repr)
+
+
+def sum_permissions(token, eauth):
+    """
+    Returns the sum of '*', user-specific and group specific permissions
+    """
+    perms = eauth.get(token["name"], [])
+    perms.extend(eauth.get("*", []))
+
+    if "groups" in token and token["groups"]:
+        user_groups = set(token["groups"])
+        eauth_groups = {i.rstrip("%") for i in eauth.keys() if i.endswith("%")}
+
+        for group in user_groups & eauth_groups:
+            perms.extend(eauth["{}%".format(group)])
+    return perms
+
+
 class NetapiClient:
     """
     Provide a uniform method of accessing the various client interfaces in Salt

--- a/salt/netapi/rest_cherrypy/app.py	2023-01-27 22:24:23.182466851 +0100
+++ b/salt/netapi/rest_cherrypy/app.py	2023-01-27 22:25:19.842774598 +0100
@@ -1888,18 +1888,8 @@
             if token["eauth"] == "django" and "^model" in eauth:
                 perms = token["auth_list"]
             else:
-                # Get sum of '*' perms, user-specific perms, and group-specific perms
-                perms = eauth.get(token["name"], [])
-                perms.extend(eauth.get("*", []))
-
-                if "groups" in token and token["groups"]:
-                    user_groups = set(token["groups"])
-                    eauth_groups = {
-                        i.rstrip("%") for i in eauth.keys() if i.endswith("%")
-                    }
-
-                    for group in user_groups & eauth_groups:
-                        perms.extend(eauth["{}%".format(group)])
+                perms = salt.netapi.sum_permissions(token, eauth)
+                perms = salt.netapi.sorted_permissions(perms)
 
             if not perms:
                 logger.debug("Eauth permission list not found.")

diff --git a/salt/netapi/rest_tornado/saltnado.py b/salt/netapi/rest_tornado/saltnado.py
index 7e9330c321d1..f6d6511f8104 100644
--- a/salt/netapi/rest_tornado/saltnado.py
+++ b/salt/netapi/rest_tornado/saltnado.py
@@ -756,18 +756,8 @@ def post(self):  # pylint: disable=arguments-differ
         # Grab eauth config for the current backend for the current user
         try:
             eauth = self.application.opts["external_auth"][token["eauth"]]
-            # Get sum of '*' perms, user-specific perms, and group-specific perms
-            perms = eauth.get(token["name"], [])
-            perms.extend(eauth.get("*", []))
-
-            if "groups" in token and token["groups"]:
-                user_groups = set(token["groups"])
-                eauth_groups = {i.rstrip("%") for i in eauth.keys() if i.endswith("%")}
-
-                for group in user_groups & eauth_groups:
-                    perms.extend(eauth["{}%".format(group)])
-
-            perms = sorted(list(set(perms)))
+            perms = salt.netapi.sum_permissions(token, eauth)
+            perms = salt.netapi.sorted_permissions(perms)
         # If we can't find the creds, then they aren't authorized
         except KeyError:
             self.send_error(401)

Places

File fix-salt-ldap-auth-bsc-60493.patch of Package salt

Places