PNG  IHDRX cHRMz&u0`:pQ<bKGD pHYsodtIME MeqIDATxw]Wug^Qd˶ 6`!N:!@xI~)%7%@Bh&`lnjVF29gΨ4E$|>cɚ{gk= %,a KX%,a KX%,a KX%,a KX%,a KX%,a KX%, b` ǟzeאfp]<!SJmɤY޲ڿ,%c ~ع9VH.!Ͳz&QynֺTkRR.BLHi٪:l;@(!MԴ=žI,:o&N'Kù\vRmJ雵֫AWic H@" !: Cé||]k-Ha oݜ:y F())u]aG7*JV@J415p=sZH!=!DRʯvɱh~V\}v/GKY$n]"X"}t@ xS76^[bw4dsce)2dU0 CkMa-U5tvLƀ~mlMwfGE/-]7XAƟ`׮g ewxwC4\[~7@O-Q( a*XGƒ{ ՟}$_y3tĐƤatgvێi|K=uVyrŲlLӪuܿzwk$m87k( `múcE)"@rK( z4$D; 2kW=Xb$V[Ru819קR~qloѱDyįݎ*mxw]y5e4K@ЃI0A D@"BDk_)N\8͜9dz"fK0zɿvM /.:2O{ Nb=M=7>??Zuo32 DLD@D| &+֎C #B8ַ`bOb $D#ͮҪtx]%`ES`Ru[=¾!@Od37LJ0!OIR4m]GZRJu$‡c=%~s@6SKy?CeIh:[vR@Lh | (BhAMy=݃  G"'wzn޺~8ԽSh ~T*A:xR[ܹ?X[uKL_=fDȊ؂p0}7=D$Ekq!/t.*2ʼnDbŞ}DijYaȲ(""6HA;:LzxQ‘(SQQ}*PL*fc\s `/d'QXW, e`#kPGZuŞuO{{wm[&NBTiiI0bukcA9<4@SӊH*؎4U/'2U5.(9JuDfrޱtycU%j(:RUbArLֺN)udA':uGQN"-"Is.*+k@ `Ojs@yU/ H:l;@yyTn}_yw!VkRJ4P)~y#)r,D =ě"Q]ci'%HI4ZL0"MJy 8A{ aN<8D"1#IJi >XjX֔#@>-{vN!8tRݻ^)N_╗FJEk]CT՟ YP:_|H1@ CBk]yKYp|og?*dGvzنzӴzjֺNkC~AbZƷ`.H)=!QͷVTT(| u78y֮}|[8-Vjp%2JPk[}ԉaH8Wpqhwr:vWª<}l77_~{s۴V+RCģ%WRZ\AqHifɤL36: #F:p]Bq/z{0CU6ݳEv_^k7'>sq*+kH%a`0ԣisqにtү04gVgW΂iJiS'3w.w}l6MC2uԯ|>JF5`fV5m`Y**Db1FKNttu]4ccsQNnex/87+}xaUW9y>ͯ骵G{䩓Գ3+vU}~jJ.NFRD7<aJDB1#ҳgSb,+CS?/ VG J?|?,2#M9}B)MiE+G`-wo߫V`fio(}S^4e~V4bHOYb"b#E)dda:'?}׮4繏`{7Z"uny-?ǹ;0MKx{:_pÚmFמ:F " .LFQLG)Q8qN q¯¯3wOvxDb\. BKD9_NN &L:4D{mm o^tֽ:q!ƥ}K+<"m78N< ywsard5+Š²z~mnG)=}lYݧNj'QJS{S :UYS-952?&O-:W}(!6Mk4+>A>j+i|<<|;ر^߉=HE|V#F)Emm#}/"y GII웻Jі94+v뾧xu~5C95~ūH>c@덉pʃ1/4-A2G%7>m;–Y,cyyaln" ?ƻ!ʪ<{~h~i y.zZB̃/,雋SiC/JFMmBH&&FAbϓO^tubbb_hZ{_QZ-sύodFgO(6]TJA˯#`۶ɟ( %$&+V'~hiYy>922 Wp74Zkq+Ovn錄c>8~GqܲcWꂎz@"1A.}T)uiW4="jJ2W7mU/N0gcqܗOO}?9/wìXžΏ0 >֩(V^Rh32!Hj5`;O28؇2#ݕf3 ?sJd8NJ@7O0 b־?lldщ̡&|9C.8RTWwxWy46ah嘦mh٤&l zCy!PY?: CJyв]dm4ǜҐR޻RլhX{FƯanшQI@x' ao(kUUuxW_Ñ줮[w8 FRJ(8˼)_mQ _!RJhm=!cVmm ?sFOnll6Qk}alY}; "baӌ~M0w,Ggw2W:G/k2%R,_=u`WU R.9T"v,<\Ik޽/2110Ӿxc0gyC&Ny޽JҢrV6N ``یeA16"J³+Rj*;BϜkZPJaÍ<Jyw:NP8/D$ 011z֊Ⱳ3ι֘k1V_"h!JPIΣ'ɜ* aEAd:ݺ>y<}Lp&PlRfTb1]o .2EW\ͮ]38؋rTJsǏP@芎sF\> P^+dYJLbJ C-xϐn> ι$nj,;Ǖa FU *择|h ~izť3ᤓ`K'-f tL7JK+vf2)V'-sFuB4i+m+@My=O҈0"|Yxoj,3]:cо3 $#uŘ%Y"y죯LebqtҢVzq¼X)~>4L׶m~[1_k?kxֺQ`\ |ٛY4Ѯr!)N9{56(iNq}O()Em]=F&u?$HypWUeB\k]JɩSع9 Zqg4ZĊo oMcjZBU]B\TUd34ݝ~:7ڶSUsB0Z3srx 7`:5xcx !qZA!;%͚7&P H<WL!džOb5kF)xor^aujƍ7 Ǡ8/p^(L>ὴ-B,{ۇWzֺ^k]3\EE@7>lYBȝR.oHnXO/}sB|.i@ɥDB4tcm,@ӣgdtJ!lH$_vN166L__'Z)y&kH;:,Y7=J 9cG) V\hjiE;gya~%ks_nC~Er er)muuMg2;֫R)Md) ,¶ 2-wr#F7<-BBn~_(o=KO㭇[Xv eN_SMgSҐ BS헃D%g_N:/pe -wkG*9yYSZS.9cREL !k}<4_Xs#FmҶ:7R$i,fi!~' # !6/S6y@kZkZcX)%5V4P]VGYq%H1!;e1MV<!ϐHO021Dp= HMs~~a)ަu7G^];git!Frl]H/L$=AeUvZE4P\.,xi {-~p?2b#amXAHq)MWǾI_r`S Hz&|{ +ʖ_= (YS(_g0a03M`I&'9vl?MM+m~}*xT۲(fY*V4x@29s{DaY"toGNTO+xCAO~4Ϳ;p`Ѫ:>Ҵ7K 3}+0 387x\)a"/E>qpWB=1 ¨"MP(\xp߫́A3+J] n[ʼnӼaTbZUWb={~2ooKױӰp(CS\S筐R*JغV&&"FA}J>G֐p1ٸbk7 ŘH$JoN <8s^yk_[;gy-;߉DV{c B yce% aJhDȶ 2IdйIB/^n0tNtџdcKj4϶v~- CBcgqx9= PJ) dMsjpYB] GD4RDWX +h{y`,3ꊕ$`zj*N^TP4L:Iz9~6s) Ga:?y*J~?OrMwP\](21sZUD ?ܟQ5Q%ggW6QdO+\@ ̪X'GxN @'4=ˋ+*VwN ne_|(/BDfj5(Dq<*tNt1х!MV.C0 32b#?n0pzj#!38}޴o1KovCJ`8ŗ_"]] rDUy޲@ Ȗ-;xџ'^Y`zEd?0„ DAL18IS]VGq\4o !swV7ˣι%4FѮ~}6)OgS[~Q vcYbL!wG3 7띸*E Pql8=jT\꘿I(z<[6OrR8ºC~ډ]=rNl[g|v TMTղb-o}OrP^Q]<98S¤!k)G(Vkwyqyr޽Nv`N/e p/~NAOk \I:G6]4+K;j$R:Mi #*[AȚT,ʰ,;N{HZTGMoּy) ]%dHء9Պ䠬|<45,\=[bƟ8QXeB3- &dҩ^{>/86bXmZ]]yޚN[(WAHL$YAgDKp=5GHjU&99v簪C0vygln*P)9^͞}lMuiH!̍#DoRBn9l@ xA/_v=ȺT{7Yt2N"4!YN`ae >Q<XMydEB`VU}u]嫇.%e^ánE87Mu\t`cP=AD/G)sI"@MP;)]%fH9'FNsj1pVhY&9=0pfuJ&gޤx+k:!r˭wkl03׼Ku C &ѓYt{.O.zҏ z}/tf_wEp2gvX)GN#I ݭ߽v/ .& и(ZF{e"=V!{zW`, ]+LGz"(UJp|j( #V4, 8B 0 9OkRrlɱl94)'VH9=9W|>PS['G(*I1==C<5"Pg+x'K5EMd؞Af8lG ?D FtoB[je?{k3zQ vZ;%Ɠ,]E>KZ+T/ EJxOZ1i #T<@ I}q9/t'zi(EMqw`mYkU6;[t4DPeckeM;H}_g pMww}k6#H㶏+b8雡Sxp)&C $@'b,fPߑt$RbJ'vznuS ~8='72_`{q纶|Q)Xk}cPz9p7O:'|G~8wx(a 0QCko|0ASD>Ip=4Q, d|F8RcU"/KM opKle M3#i0c%<7׿p&pZq[TR"BpqauIp$ 8~Ĩ!8Սx\ւdT>>Z40ks7 z2IQ}ItԀ<-%S⍤};zIb$I 5K}Q͙D8UguWE$Jh )cu4N tZl+[]M4k8֦Zeq֮M7uIqG 1==tLtR,ƜSrHYt&QP윯Lg' I,3@P'}'R˪e/%-Auv·ñ\> vDJzlӾNv5:|K/Jb6KI9)Zh*ZAi`?S {aiVDԲuy5W7pWeQJk֤#5&V<̺@/GH?^τZL|IJNvI:'P=Ϛt"¨=cud S Q.Ki0 !cJy;LJR;G{BJy޺[^8fK6)=yʊ+(k|&xQ2`L?Ȓ2@Mf 0C`6-%pKpm')c$׻K5[J*U[/#hH!6acB JA _|uMvDyk y)6OPYjœ50VT K}cǻP[ $:]4MEA.y)|B)cf-A?(e|lɉ#P9V)[9t.EiQPDѠ3ϴ;E:+Օ t ȥ~|_N2,ZJLt4! %ա]u {+=p.GhNcŞQI?Nd'yeh n7zi1DB)1S | S#ًZs2|Ɛy$F SxeX{7Vl.Src3E℃Q>b6G ўYCmtկ~=K0f(=LrAS GN'ɹ9<\!a`)֕y[uՍ[09` 9 +57ts6}b4{oqd+J5fa/,97J#6yν99mRWxJyѡyu_TJc`~W>l^q#Ts#2"nD1%fS)FU w{ܯ R{ ˎ󅃏џDsZSQS;LV;7 Od1&1n$ N /.q3~eNɪ]E#oM~}v֯FڦwyZ=<<>Xo稯lfMFV6p02|*=tV!c~]fa5Y^Q_WN|Vs 0ҘދU97OI'N2'8N֭fgg-}V%y]U4 峧p*91#9U kCac_AFңĪy뚇Y_AiuYyTTYЗ-(!JFLt›17uTozc. S;7A&&<ԋ5y;Ro+:' *eYJkWR[@F %SHWP 72k4 qLd'J "zB6{AC0ƁA6U.'F3:Ȅ(9ΜL;D]m8ڥ9}dU "v!;*13Rg^fJyShyy5auA?ɩGHRjo^]׽S)Fm\toy 4WQS@mE#%5ʈfFYDX ~D5Ϡ9tE9So_aU4?Ѽm%&c{n>.KW1Tlb}:j uGi(JgcYj0qn+>) %\!4{LaJso d||u//P_y7iRJ߬nHOy) l+@$($VFIQ9%EeKʈU. ia&FY̒mZ=)+qqoQn >L!qCiDB;Y<%} OgBxB!ØuG)WG9y(Ą{_yesuZmZZey'Wg#C~1Cev@0D $a@˲(.._GimA:uyw֬%;@!JkQVM_Ow:P.s\)ot- ˹"`B,e CRtaEUP<0'}r3[>?G8xU~Nqu;Wm8\RIkբ^5@k+5(By'L&'gBJ3ݶ!/㮻w҅ yqPWUg<e"Qy*167΃sJ\oz]T*UQ<\FԎ`HaNmڜ6DysCask8wP8y9``GJ9lF\G g's Nn͵MLN֪u$| /|7=]O)6s !ĴAKh]q_ap $HH'\1jB^s\|- W1:=6lJBqjY^LsPk""`]w)󭃈,(HC ?䔨Y$Sʣ{4Z+0NvQkhol6C.婧/u]FwiVjZka&%6\F*Ny#8O,22+|Db~d ~Çwc N:FuuCe&oZ(l;@ee-+Wn`44AMK➝2BRՈt7g*1gph9N) *"TF*R(#'88pm=}X]u[i7bEc|\~EMn}P瘊J)K.0i1M6=7'_\kaZ(Th{K*GJyytw"IO-PWJk)..axӝ47"89Cc7ĐBiZx 7m!fy|ϿF9CbȩV 9V-՛^pV̌ɄS#Bv4-@]Vxt-Z, &ֺ*diؠ2^VXbs֔Ìl.jQ]Y[47gj=幽ex)A0ip׳ W2[ᎇhuE^~q흙L} #-b۸oFJ_QP3r6jr+"nfzRJTUqoaۍ /$d8Mx'ݓ= OՃ| )$2mcM*cЙj}f };n YG w0Ia!1Q.oYfr]DyISaP}"dIӗթO67jqR ҊƐƈaɤGG|h;t]䗖oSv|iZqX)oalv;۩meEJ\!8=$4QU4Xo&VEĊ YS^E#d,yX_> ۘ-e\ "Wa6uLĜZi`aD9.% w~mB(02G[6y.773a7 /=o7D)$Z 66 $bY^\CuP. (x'"J60׿Y:Oi;F{w佩b+\Yi`TDWa~|VH)8q/=9!g߆2Y)?ND)%?Ǐ`k/sn:;O299yB=a[Ng 3˲N}vLNy;*?x?~L&=xyӴ~}q{qE*IQ^^ͧvü{Huu=R|>JyUlZV, B~/YF!Y\u_ݼF{_C)LD]m {H 0ihhadd nUkf3oٺCvE\)QJi+֥@tDJkB$1!Đr0XQ|q?d2) Ӣ_}qv-< FŊ߫%roppVBwü~JidY4:}L6M7f٬F "?71<2#?Jyy4뷢<_a7_=Q E=S1И/9{+93֮E{ǂw{))?maÆm(uLE#lïZ  ~d];+]h j?!|$F}*"4(v'8s<ŏUkm7^7no1w2ؗ}TrͿEk>p'8OB7d7R(A 9.*Mi^ͳ; eeUwS+C)uO@ =Sy]` }l8^ZzRXj[^iUɺ$tj))<sbDJfg=Pk_{xaKo1:-uyG0M ԃ\0Lvuy'ȱc2Ji AdyVgVh!{]/&}}ċJ#%d !+87<;qN޼Nفl|1N:8ya  8}k¾+-$4FiZYÔXk*I&'@iI99)HSh4+2G:tGhS^繿 Kتm0 вDk}֚+QT4;sC}rՅE,8CX-e~>G&'9xpW,%Fh,Ry56Y–hW-(v_,? ; qrBk4-V7HQ;ˇ^Gv1JVV%,ik;D_W!))+BoS4QsTM;gt+ndS-~:11Sgv!0qRVh!"Ȋ(̦Yl.]PQWgٳE'`%W1{ndΗBk|Ž7ʒR~,lnoa&:ü$ 3<a[CBݮwt"o\ePJ=Hz"_c^Z.#ˆ*x z̝grY]tdkP*:97YľXyBkD4N.C_[;F9`8& !AMO c `@BA& Ost\-\NX+Xp < !bj3C&QL+*&kAQ=04}cC!9~820G'PC9xa!w&bo_1 Sw"ܱ V )Yl3+ס2KoXOx]"`^WOy :3GO0g;%Yv㐫(R/r (s } u B &FeYZh0y> =2<Ϟc/ -u= c&׭,.0"g"7 6T!vl#sc>{u/Oh Bᾈ)۴74]x7 gMӒ"d]U)}" v4co[ ɡs 5Gg=XR14?5A}D "b{0$L .\4y{_fe:kVS\\O]c^W52LSBDM! C3Dhr̦RtArx4&agaN3Cf<Ԉp4~ B'"1@.b_/xQ} _߃҉/gٓ2Qkqp0շpZ2fԫYz< 4L.Cyυι1t@鎫Fe sYfsF}^ V}N<_`p)alٶ "(XEAVZ<)2},:Ir*#m_YӼ R%a||EƼIJ,,+f"96r/}0jE/)s)cjW#w'Sʯ5<66lj$a~3Kʛy 2:cZ:Yh))+a߭K::N,Q F'qB]={.]h85C9cr=}*rk?vwV렵ٸW Rs%}rNAkDv|uFLBkWY YkX מ|)1!$#3%y?pF<@<Rr0}: }\J [5FRxY<9"SQdE(Q*Qʻ)q1E0B_O24[U'],lOb ]~WjHޏTQ5Syu wq)xnw8~)c 쫬gٲߠ H% k5dƝk> kEj,0% b"vi2Wس_CuK)K{n|>t{P1򨾜j>'kEkƗBg*H%'_aY6Bn!TL&ɌOb{c`'d^{t\i^[uɐ[}q0lM˕G:‚4kb祔c^:?bpg… +37stH:0}en6x˟%/<]BL&* 5&fK9Mq)/iyqtA%kUe[ڛKN]Ě^,"`/ s[EQQm?|XJ߅92m]G.E΃ח U*Cn.j_)Tѧj̿30ڇ!A0=͜ar I3$C^-9#|pk!)?7.x9 @OO;WƝZBFU keZ75F6Tc6"ZȚs2y/1 ʵ:u4xa`C>6Rb/Yм)^=+~uRd`/|_8xbB0?Ft||Z\##|K 0>>zxv8۴吅q 8ĥ)"6>~\8:qM}#͚'ĉ#p\׶ l#bA?)|g g9|8jP(cr,BwV (WliVxxᡁ@0Okn;ɥh$_ckCgriv}>=wGzβ KkBɛ[˪ !J)h&k2%07δt}!d<9;I&0wV/ v 0<H}L&8ob%Hi|޶o&h1L|u֦y~󛱢8fٲUsւ)0oiFx2}X[zVYr_;N(w]_4B@OanC?gĦx>мgx>ΛToZoOMp>40>V Oy V9iq!4 LN,ˢu{jsz]|"R޻&'ƚ{53ўFu(<٪9:΋]B;)B>1::8;~)Yt|0(pw2N%&X,URBK)3\zz&}ax4;ǟ(tLNg{N|Ǽ\G#C9g$^\}p?556]/RP.90 k,U8/u776s ʪ_01چ|\N 0VV*3H鴃J7iI!wG_^ypl}r*jɤSR 5QN@ iZ#1ٰy;_\3\BQQ x:WJv츟ٯ$"@6 S#qe딇(/P( Dy~TOϻ<4:-+F`0||;Xl-"uw$Цi󼕝mKʩorz"mϺ$F:~E'ҐvD\y?Rr8_He@ e~O,T.(ފR*cY^m|cVR[8 JҡSm!ΆԨb)RHG{?MpqrmN>߶Y)\p,d#xۆWY*,l6]v0h15M˙MS8+EdI='LBJIH7_9{Caз*Lq,dt >+~ّeʏ?xԕ4bBAŚjﵫ!'\Ը$WNvKO}ӽmSşذqsOy?\[,d@'73'j%kOe`1.g2"e =YIzS2|zŐƄa\U,dP;jhhhaxǶ?КZ՚.q SE+XrbOu%\GتX(H,N^~]JyEZQKceTQ]VGYqnah;y$cQahT&QPZ*iZ8UQQM.qo/T\7X"u?Mttl2Xq(IoW{R^ ux*SYJ! 4S.Jy~ BROS[V|žKNɛP(L6V^|cR7i7nZW1Fd@ Ara{詑|(T*dN]Ko?s=@ |_EvF]׍kR)eBJc" MUUbY6`~V޴dJKß&~'d3i WWWWWW

F1l3 Manager

Current Directory: /opt/saltstack/salt/lib/python3.10/site-packages/salt
/opt/saltstack/salt/lib/python3.10/site-packages/salt/
Viewing File: /opt/saltstack/salt/lib/python3.10/site-packages/salt/key.py
""" The Salt Key backend API and interface used by the CLI. The Key class can be used to manage salt keys directly without interfacing with the CLI. """ import fnmatch import itertools import logging import os import shutil import sys import salt.cache import salt.client import salt.crypt import salt.daemons.masterapi import salt.exceptions import salt.minion import salt.utils.args import salt.utils.crypt import salt.utils.data import salt.utils.event import salt.utils.files import salt.utils.json import salt.utils.kinds import salt.utils.master import salt.utils.sdb import salt.utils.stringutils import salt.utils.user log = logging.getLogger(__name__) def get_key(opts): return Key(opts) class KeyCLI: """ Manage key CLI operations """ CLI_KEY_MAP = { "list": "list_status", "delete": "delete_key", "gen_signature": "gen_keys_signature", "print": "key_str", } def __init__(self, opts): self.opts = opts self.client = salt.wheel.WheelClient(opts) self.key = Key # instantiate the key object for masterless mode if not opts.get("eauth"): self.key = self.key(opts) self.auth = None def _update_opts(self): # get the key command for cmd in ( "gen_keys", "gen_signature", "list", "list_all", "print", "print_all", "accept", "accept_all", "reject", "reject_all", "delete", "delete_all", "finger", "finger_all", "list_all", ): # last is default if self.opts[cmd]: break # set match if needed if not cmd.startswith("gen_"): if cmd == "list_all": self.opts["match"] = "all" elif cmd.endswith("_all"): self.opts["match"] = "*" else: self.opts["match"] = self.opts[cmd] if cmd.startswith("accept"): self.opts["include_rejected"] = ( self.opts["include_all"] or self.opts["include_rejected"] ) self.opts["include_accepted"] = False elif cmd.startswith("reject"): self.opts["include_accepted"] = ( self.opts["include_all"] or self.opts["include_accepted"] ) self.opts["include_rejected"] = False elif cmd == "gen_keys": self.opts["keydir"] = self.opts["gen_keys_dir"] self.opts["keyname"] = self.opts["gen_keys"] # match is set to opts, now we can forget about *_all commands self.opts["fun"] = cmd.replace("_all", "") def _init_auth(self): if self.auth: return low = {} skip_perm_errors = self.opts["eauth"] != "" if self.opts["eauth"]: if "token" in self.opts: try: with salt.utils.files.fopen( os.path.join(self.opts["cachedir"], ".root_key"), "r" ) as fp_: low["key"] = salt.utils.stringutils.to_unicode(fp_.readline()) except OSError: low["token"] = self.opts["token"] # # If using eauth and a token hasn't already been loaded into # low, prompt the user to enter auth credentials if "token" not in low and "key" not in low and self.opts["eauth"]: # This is expensive. Don't do it unless we need to. resolver = salt.auth.Resolver(self.opts) res = resolver.cli(self.opts["eauth"]) if self.opts["mktoken"] and res: tok = resolver.token_cli(self.opts["eauth"], res) if tok: low["token"] = tok.get("token", "") if not res: log.error("Authentication failed") return {} low.update(res) low["eauth"] = self.opts["eauth"] else: low["user"] = salt.utils.user.get_specific_user() low["key"] = salt.utils.master.get_master_key( low["user"], self.opts, skip_perm_errors ) self.auth = low def _get_args_kwargs(self, fun, args=None): argspec = salt.utils.args.get_function_argspec(fun) if args is None: args = [] if argspec.args: # Iterate in reverse order to ensure we get the correct default # value for the positional argument. for arg, default in itertools.zip_longest( reversed(argspec.args), reversed(argspec.defaults or ()) ): args.append(self.opts.get(arg, default)) # Reverse the args so that they are in the correct order args = args[::-1] if argspec.keywords is None: kwargs = {} else: args, kwargs = salt.minion.load_args_and_kwargs(fun, args) return args, kwargs def _run_cmd(self, cmd, args=None): if not self.opts.get("eauth"): cmd = self.CLI_KEY_MAP.get(cmd, cmd) fun = getattr(self.key, cmd) args, kwargs = self._get_args_kwargs(fun, args) ret = fun(*args, **kwargs) if ( isinstance(ret, dict) and "local" in ret and cmd not in ("finger", "finger_all") ): ret.pop("local", None) return ret if cmd in ("accept", "reject", "delete") and args is None: args = self.opts.get("match_dict", {}).get("minions") fstr = f"key.{cmd}" fun = self.client.functions[fstr] args, kwargs = self._get_args_kwargs(fun, args) low = { "fun": fstr, "arg": args, "kwarg": kwargs, } self._init_auth() low.update(self.auth) # Execute the key request! ret = self.client.cmd_sync(low) ret = ret["data"]["return"] if ( isinstance(ret, dict) and "local" in ret and cmd not in ("finger", "finger_all") ): ret.pop("local", None) return ret def _filter_ret(self, cmd, ret): if cmd.startswith("delete"): return ret keys = {} if self.key.PEND in ret: keys[self.key.PEND] = ret[self.key.PEND] if self.opts["include_accepted"] and bool(ret.get(self.key.ACC)): keys[self.key.ACC] = ret[self.key.ACC] if self.opts["include_rejected"] and bool(ret.get(self.key.REJ)): keys[self.key.REJ] = ret[self.key.REJ] if self.opts["include_denied"] and bool(ret.get(self.key.DEN)): keys[self.key.DEN] = ret[self.key.DEN] return keys def _print_no_match(self, cmd, match): statuses = ["unaccepted"] if self.opts["include_accepted"]: statuses.append("accepted") if self.opts["include_rejected"]: statuses.append("rejected") if self.opts["include_denied"]: statuses.append("denied") if len(statuses) == 1: stat_str = statuses[0] else: stat_str = "{} or {}".format(", ".join(statuses[:-1]), statuses[-1]) msg = f"The key glob '{match}' does not match any {stat_str} keys." print(msg) def run(self): """ Run the logic for saltkey """ self._update_opts() cmd = self.opts["fun"] veri = None ret = None try: if cmd in ("accept", "reject", "delete"): ret = self._run_cmd("name_match") if not isinstance(ret, dict): salt.output.display_output(ret, "key", opts=self.opts) return ret ret = self._filter_ret(cmd, ret) if not ret: self._print_no_match(cmd, self.opts["match"]) return print( "The following keys are going to be {}ed:".format(cmd.rstrip("e")) ) salt.output.display_output(ret, "key", opts=self.opts) if not self.opts.get("yes", False): try: if cmd.startswith("delete"): veri = input("Proceed? [N/y] ") if not veri: veri = "n" else: veri = input("Proceed? [n/Y] ") if not veri: veri = "y" except KeyboardInterrupt: raise SystemExit("\nExiting on CTRL-c") # accept/reject/delete the same keys we're printed to the user self.opts["match_dict"] = ret self.opts.pop("match", None) list_ret = ret if veri is None or veri.lower().startswith("y"): ret = self._run_cmd(cmd) if cmd in ("accept", "reject", "delete"): if cmd == "delete": ret = list_ret for minions in ret.values(): for minion in minions: print( "Key for minion {} {}ed.".format( minion, cmd.rstrip("e") ) ) elif isinstance(ret, dict): salt.output.display_output(ret, "key", opts=self.opts) else: salt.output.display_output({"return": ret}, "key", opts=self.opts) except salt.exceptions.SaltException as exc: ret = f"{exc}" if not self.opts.get("quiet", False): salt.output.display_output(ret, "nested", self.opts) return ret class Key: """ The object that encapsulates saltkey actions """ ACC = "minions" PEND = "minions_pre" REJ = "minions_rejected" DEN = "minions_denied" def __init__(self, opts, io_loop=None): self.opts = opts kind = self.opts.get("__role", "") # application kind if kind not in salt.utils.kinds.APPL_KINDS: emsg = f"Invalid application kind = '{kind}'." log.error(emsg) raise ValueError(emsg) self.event = salt.utils.event.get_event( kind, opts["sock_dir"], opts=opts, listen=False, io_loop=io_loop, ) self.passphrase = salt.utils.sdb.sdb_get( self.opts.get("signing_key_pass"), self.opts ) def _check_minions_directories(self): """ Return the minion keys directory paths """ minions_accepted = os.path.join(self.opts["pki_dir"], self.ACC) minions_pre = os.path.join(self.opts["pki_dir"], self.PEND) minions_rejected = os.path.join(self.opts["pki_dir"], self.REJ) minions_denied = os.path.join(self.opts["pki_dir"], self.DEN) return minions_accepted, minions_pre, minions_rejected, minions_denied def _get_key_attrs(self, keydir, keyname, keysize, user): if not keydir: if "gen_keys_dir" in self.opts: keydir = self.opts["gen_keys_dir"] else: keydir = self.opts["pki_dir"] if not keyname: if "gen_keys" in self.opts: keyname = self.opts["gen_keys"] else: keyname = "minion" if not keysize: keysize = self.opts["keysize"] return keydir, keyname, keysize, user def gen_keys(self, keydir=None, keyname=None, keysize=None, user=None): """ Generate minion RSA public keypair """ keydir, keyname, keysize, user = self._get_key_attrs( keydir, keyname, keysize, user ) salt.crypt.gen_keys(keydir, keyname, keysize, user, self.passphrase) return salt.utils.crypt.pem_finger(os.path.join(keydir, keyname + ".pub")) def gen_signature(self, privkey, pubkey, sig_path): """ Generate master public-key-signature """ return salt.crypt.gen_signature(privkey, pubkey, sig_path, self.passphrase) def gen_keys_signature( self, priv, pub, signature_path, auto_create=False, keysize=None ): """ Generate master public-key-signature """ # check given pub-key if pub: if not os.path.isfile(pub): return f"Public-key {pub} does not exist" # default to master.pub else: mpub = self.opts["pki_dir"] + "/" + "master.pub" if os.path.isfile(mpub): pub = mpub # check given priv-key if priv: if not os.path.isfile(priv): return f"Private-key {priv} does not exist" # default to master_sign.pem else: mpriv = self.opts["pki_dir"] + "/" + "master_sign.pem" if os.path.isfile(mpriv): priv = mpriv if not priv: if auto_create: log.debug( "Generating new signing key-pair .%s.* in %s", self.opts["master_sign_key_name"], self.opts["pki_dir"], ) salt.crypt.gen_keys( self.opts["pki_dir"], self.opts["master_sign_key_name"], keysize or self.opts["keysize"], self.opts.get("user"), self.passphrase, ) priv = ( self.opts["pki_dir"] + "/" + self.opts["master_sign_key_name"] + ".pem" ) else: return "No usable private-key found" if not pub: return "No usable public-key found" log.debug("Using public-key %s", pub) log.debug("Using private-key %s", priv) if signature_path: if not os.path.isdir(signature_path): log.debug("target directory %s does not exist", signature_path) else: signature_path = self.opts["pki_dir"] sign_path = signature_path + "/" + self.opts["master_pubkey_signature"] skey = get_key(self.opts) return skey.gen_signature(priv, pub, sign_path) def check_minion_cache(self, preserve_minions=None): """ Check the minion cache to make sure that old minion data is cleared Optionally, pass in a list of minions which should have their caches preserved. To preserve all caches, set __opts__['preserve_minion_cache'] """ if preserve_minions is None: preserve_minions = [] keys = self.list_keys() minions = [] for key, val in keys.items(): minions.extend(val) if not self.opts.get("preserve_minion_cache", False): m_cache = os.path.join(self.opts["cachedir"], self.ACC) if os.path.isdir(m_cache): for minion in os.listdir(m_cache): if minion not in minions and minion not in preserve_minions: try: shutil.rmtree(os.path.join(m_cache, minion)) except OSError as ex: log.warning( "Key: Delete cache for %s got OSError/IOError: %s \n", minion, ex, ) continue cache = salt.cache.factory(self.opts) clist = cache.list(self.ACC) if clist: for minion in clist: if minion not in minions and minion not in preserve_minions: cache.flush(f"{self.ACC}/{minion}") def check_master(self): """ Log if the master is not running :rtype: bool :return: Whether or not the master is running """ if not os.path.exists(os.path.join(self.opts["sock_dir"], "publish_pull.ipc")): return False return True def name_match(self, match, full=False): """ Accept a glob which to match the of a key and return the key's location """ if full: matches = self.all_keys() else: matches = self.list_keys() ret = {} if "," in match and isinstance(match, str): match = match.split(",") for status, keys in matches.items(): for key in salt.utils.data.sorted_ignorecase(keys): if isinstance(match, list): for match_item in match: if fnmatch.fnmatch(key, match_item): if status not in ret: ret[status] = [] ret[status].append(key) else: if fnmatch.fnmatch(key, match): if status not in ret: ret[status] = [] ret[status].append(key) return ret def dict_match(self, match_dict): """ Accept a dictionary of keys and return the current state of the specified keys """ ret = {} cur_keys = self.list_keys() for status, keys in match_dict.items(): for key in salt.utils.data.sorted_ignorecase(keys): for keydir in (self.ACC, self.PEND, self.REJ, self.DEN): if keydir and fnmatch.filter(cur_keys.get(keydir, []), key): ret.setdefault(keydir, []).append(key) return ret def local_keys(self): """ Return a dict of local keys """ ret = {"local": []} for fn_ in salt.utils.data.sorted_ignorecase(os.listdir(self.opts["pki_dir"])): if fn_.endswith(".pub") or fn_.endswith(".pem"): path = os.path.join(self.opts["pki_dir"], fn_) if os.path.isfile(path): ret["local"].append(fn_) return ret def list_keys(self): """ Return a dict of managed keys and what the key status are """ key_dirs = self._check_minions_directories() ret = {} for dir_ in key_dirs: if dir_ is None: continue ret[os.path.basename(dir_)] = [] try: for fn_ in salt.utils.data.sorted_ignorecase(os.listdir(dir_)): if not fn_.startswith("."): if os.path.isfile(os.path.join(dir_, fn_)): ret[os.path.basename(dir_)].append( salt.utils.stringutils.to_unicode(fn_) ) except OSError: # key dir kind is not created yet, just skip continue return ret def all_keys(self): """ Merge managed keys with local keys """ keys = self.list_keys() keys.update(self.local_keys()) return keys def list_status(self, match): """ Return a dict of managed keys under a named status """ acc, pre, rej, den = self._check_minions_directories() ret = {} if match.startswith("acc"): ret[os.path.basename(acc)] = [] for fn_ in salt.utils.data.sorted_ignorecase(os.listdir(acc)): if not fn_.startswith("."): if os.path.isfile(os.path.join(acc, fn_)): ret[os.path.basename(acc)].append(fn_) elif match.startswith("pre") or match.startswith("un"): ret[os.path.basename(pre)] = [] for fn_ in salt.utils.data.sorted_ignorecase(os.listdir(pre)): if not fn_.startswith("."): if os.path.isfile(os.path.join(pre, fn_)): ret[os.path.basename(pre)].append(fn_) elif match.startswith("rej"): ret[os.path.basename(rej)] = [] for fn_ in salt.utils.data.sorted_ignorecase(os.listdir(rej)): if not fn_.startswith("."): if os.path.isfile(os.path.join(rej, fn_)): ret[os.path.basename(rej)].append(fn_) elif match.startswith("den") and den is not None: ret[os.path.basename(den)] = [] for fn_ in salt.utils.data.sorted_ignorecase(os.listdir(den)): if not fn_.startswith("."): if os.path.isfile(os.path.join(den, fn_)): ret[os.path.basename(den)].append(fn_) elif match.startswith("all"): return self.all_keys() return ret def key_str(self, match): """ Return the specified public key or keys based on a glob """ ret = {} for status, keys in self.name_match(match).items(): ret[status] = {} for key in salt.utils.data.sorted_ignorecase(keys): path = os.path.join(self.opts["pki_dir"], status, key) with salt.utils.files.fopen(path, "r") as fp_: ret[status][key] = salt.utils.stringutils.to_unicode(fp_.read()) return ret def key_str_all(self): """ Return all managed key strings """ ret = {} for status, keys in self.list_keys().items(): ret[status] = {} for key in salt.utils.data.sorted_ignorecase(keys): path = os.path.join(self.opts["pki_dir"], status, key) with salt.utils.files.fopen(path, "r") as fp_: ret[status][key] = salt.utils.stringutils.to_unicode(fp_.read()) return ret def accept( self, match=None, match_dict=None, include_rejected=False, include_denied=False ): """ Accept public keys. If "match" is passed, it is evaluated as a glob. Pre-gathered matches can also be passed via "match_dict". """ if match is not None: matches = self.name_match(match) elif match_dict is not None and isinstance(match_dict, dict): matches = match_dict else: matches = {} keydirs = [self.PEND] if include_rejected: keydirs.append(self.REJ) if include_denied: keydirs.append(self.DEN) invalid_keys = [] for keydir in keydirs: for key in matches.get(keydir, []): key_path = os.path.join(self.opts["pki_dir"], keydir, key) try: salt.crypt.get_rsa_pub_key(key_path) except salt.exceptions.InvalidKeyError: log.error("Invalid RSA public key: %s", key) invalid_keys.append((keydir, key)) continue try: shutil.move( key_path, os.path.join(self.opts["pki_dir"], self.ACC, key), ) eload = {"result": True, "act": "accept", "id": key} self.event.fire_event(eload, salt.utils.event.tagify(prefix="key")) except OSError: pass for keydir, key in invalid_keys: matches[keydir].remove(key) sys.stderr.write(f"Unable to accept invalid key for {key}.\n") return self.name_match(match) if match is not None else self.dict_match(matches) def accept_all(self): """ Accept all keys in pre """ keys = self.list_keys() for key in keys[self.PEND]: try: shutil.move( os.path.join(self.opts["pki_dir"], self.PEND, key), os.path.join(self.opts["pki_dir"], self.ACC, key), ) eload = {"result": True, "act": "accept", "id": key} self.event.fire_event(eload, salt.utils.event.tagify(prefix="key")) except OSError: pass return self.list_keys() def delete_key( self, match=None, match_dict=None, preserve_minions=None, revoke_auth=False ): """ Delete public keys. If "match" is passed, it is evaluated as a glob. Pre-gathered matches can also be passed via "match_dict". To preserve the master caches of minions who are matched, set preserve_minions """ if match is not None: matches = self.name_match(match) elif match_dict is not None and isinstance(match_dict, dict): matches = match_dict else: matches = {} with salt.client.get_local_client(mopts=self.opts) as client: for status, keys in matches.items(): for key in keys: try: if revoke_auth: if self.opts.get("rotate_aes_key") is False: print( "Immediate auth revocation specified but AES key" " rotation not allowed. Minion will not be" " disconnected until the master AES key is rotated." ) else: try: client.cmd_async(key, "saltutil.revoke_auth") except salt.exceptions.SaltClientError: print( "Cannot contact Salt master. " "Connection for {} will remain up until " "master AES key is rotated or auth is revoked " "with 'saltutil.revoke_auth'.".format(key) ) os.remove(os.path.join(self.opts["pki_dir"], status, key)) eload = {"result": True, "act": "delete", "id": key} self.event.fire_event( eload, salt.utils.event.tagify(prefix="key") ) except OSError: pass if self.opts.get("preserve_minions") is True: self.check_minion_cache(preserve_minions=matches.get("minions", [])) else: self.check_minion_cache() if self.opts.get("rotate_aes_key"): salt.crypt.dropfile(self.opts["cachedir"], self.opts["user"]) return self.name_match(match) if match is not None else self.dict_match(matches) def delete_den(self): """ Delete all denied keys """ keys = self.list_keys() for status, keys in self.list_keys().items(): for key in keys[self.DEN]: try: os.remove(os.path.join(self.opts["pki_dir"], status, key)) eload = {"result": True, "act": "delete", "id": key} self.event.fire_event(eload, salt.utils.event.tagify(prefix="key")) except OSError: pass self.check_minion_cache() return self.list_keys() def delete_all(self): """ Delete all keys """ for status, keys in self.list_keys().items(): for key in keys: try: os.remove(os.path.join(self.opts["pki_dir"], status, key)) eload = {"result": True, "act": "delete", "id": key} self.event.fire_event(eload, salt.utils.event.tagify(prefix="key")) except OSError: pass self.check_minion_cache() if self.opts.get("rotate_aes_key"): salt.crypt.dropfile(self.opts["cachedir"], self.opts["user"]) return self.list_keys() def reject( self, match=None, match_dict=None, include_accepted=False, include_denied=False ): """ Reject public keys. If "match" is passed, it is evaluated as a glob. Pre-gathered matches can also be passed via "match_dict". """ if match is not None: matches = self.name_match(match) elif match_dict is not None and isinstance(match_dict, dict): matches = match_dict else: matches = {} keydirs = [self.PEND] if include_accepted: keydirs.append(self.ACC) if include_denied: keydirs.append(self.DEN) for keydir in keydirs: for key in matches.get(keydir, []): try: shutil.move( os.path.join(self.opts["pki_dir"], keydir, key), os.path.join(self.opts["pki_dir"], self.REJ, key), ) eload = {"result": True, "act": "reject", "id": key} self.event.fire_event(eload, salt.utils.event.tagify(prefix="key")) except OSError: pass self.check_minion_cache() if self.opts.get("rotate_aes_key"): salt.crypt.dropfile(self.opts["cachedir"], self.opts["user"]) return self.name_match(match) if match is not None else self.dict_match(matches) def reject_all(self): """ Reject all keys in pre """ keys = self.list_keys() for key in keys[self.PEND]: try: shutil.move( os.path.join(self.opts["pki_dir"], self.PEND, key), os.path.join(self.opts["pki_dir"], self.REJ, key), ) eload = {"result": True, "act": "reject", "id": key} self.event.fire_event(eload, salt.utils.event.tagify(prefix="key")) except OSError: pass self.check_minion_cache() if self.opts.get("rotate_aes_key"): salt.crypt.dropfile(self.opts["cachedir"], self.opts["user"]) return self.list_keys() def finger(self, match, hash_type=None): """ Return the fingerprint for a specified key """ if hash_type is None: hash_type = __opts__["hash_type"] matches = self.name_match(match, True) ret = {} for status, keys in matches.items(): ret[status] = {} for key in keys: if status == "local": path = os.path.join(self.opts["pki_dir"], key) else: path = os.path.join(self.opts["pki_dir"], status, key) ret[status][key] = salt.utils.crypt.pem_finger(path, sum_type=hash_type) return ret def finger_all(self, hash_type=None): """ Return fingerprints for all keys """ if hash_type is None: hash_type = __opts__["hash_type"] ret = {} for status, keys in self.all_keys().items(): ret[status] = {} for key in keys: if status == "local": path = os.path.join(self.opts["pki_dir"], key) else: path = os.path.join(self.opts["pki_dir"], status, key) ret[status][key] = salt.utils.crypt.pem_finger(path, sum_type=hash_type) return ret def __enter__(self): return self def __exit__(self, *args): self.event.destroy()
webs 1.0 - Enhanced UI