WWWWWW

Current Directory: /opt/saltstack/salt/lib/python3.10/site-packages/salt/runners
Viewing File: /opt/saltstack/salt/lib/python3.10/site-packages/salt/runners/manage.py
"""
General management functions for salt, tools like seeing what hosts are up
and what hosts are down
"""

import logging
import operator
import os
import re
import subprocess
import tempfile
import time
import urllib.request
import uuid

import salt.client
import salt.client.ssh
import salt.key
import salt.utils.compat
import salt.utils.files
import salt.utils.minions
import salt.utils.path
import salt.utils.versions
import salt.version
import salt.wheel
from salt.exceptions import SaltClientError, SaltSystemExit

FINGERPRINT_REGEX = re.compile(r"^([a-f0-9]{2}:){15}([a-f0-9]{2})$")

log = logging.getLogger(__name__)


def _ping(tgt, tgt_type, timeout, gather_job_timeout):
    with salt.client.get_local_client(__opts__["conf_file"]) as client:
        pub_data = client.run_job(
            tgt, "test.ping", (), tgt_type, "", timeout, "", listen=True
        )

        if not pub_data:
            return pub_data

        log.debug(
            "manage runner will ping the following minion(s): %s",
            ", ".join(sorted(pub_data["minions"])),
        )

        returned = set()
        for fn_ret in client.get_cli_event_returns(
            pub_data["jid"],
            pub_data["minions"],
            client._get_timeout(timeout),
            tgt,
            tgt_type,
            gather_job_timeout=gather_job_timeout,
        ):

            if fn_ret:
                for mid, _ in fn_ret.items():
                    log.debug("minion '%s' returned from ping", mid)
                    returned.add(mid)

        not_returned = sorted(set(pub_data["minions"]) - returned)
        returned = sorted(returned)

        return returned, not_returned


def status(
    output=True, tgt="*", tgt_type="glob", timeout=None, gather_job_timeout=None
):
    """
    .. versionchanged:: 2017.7.0

        The ``expr_form`` argument has been renamed to ``tgt_type``, earlier
        releases must use ``expr_form``.

    Print the status of all known salt minions

    CLI Example:

    .. code-block:: bash

        salt-run manage.status
        salt-run manage.status tgt="webservers" tgt_type="nodegroup"
        salt-run manage.status timeout=5 gather_job_timeout=10
    """
    ret = {}

    if not timeout:
        timeout = __opts__["timeout"]
    if not gather_job_timeout:
        gather_job_timeout = __opts__["gather_job_timeout"]

    res = _ping(tgt, tgt_type, timeout, gather_job_timeout)
    ret["up"], ret["down"] = ([], []) if not res else res
    return ret


def key_regen():
    """
    This routine is used to regenerate all keys in an environment. This is
    invasive! ALL KEYS IN THE SALT ENVIRONMENT WILL BE REGENERATED!!

    The key_regen routine sends a command out to minions to revoke the master
    key and remove all minion keys, it then removes all keys from the master
    and prompts the user to restart the master. The minions will all reconnect
    and keys will be placed in pending.

    After the master is restarted and minion keys are in the pending directory
    execute a salt-key -A command to accept the regenerated minion keys.

    The master *must* be restarted within 60 seconds of running this command or
    the minions will think there is something wrong with the keys and abort.

    Only Execute this runner after upgrading minions and master to 0.15.1 or
    higher!

    CLI Example:

    .. code-block:: bash

        salt-run manage.key_regen
    """
    client = salt.client.get_local_client(__opts__["conf_file"])
    try:
        client.cmd("*", "saltutil.regen_keys")
    except SaltClientError as client_error:
        print(client_error)
        return False

    for root, _, files in salt.utils.path.os_walk(__opts__["pki_dir"]):
        for fn_ in files:
            path = os.path.join(root, fn_)
            try:
                os.remove(path)
            except OSError:
                pass
    msg = (
        "The minion and master keys have been deleted.  Restart the Salt\n"
        "Master within the next 60 seconds!!!\n\n"
        "Wait for the minions to reconnect.  Once the minions reconnect\n"
        "the new keys will appear in pending and will need to be re-\n"
        "accepted by running:\n"
        "    salt-key -A\n\n"
        "Be advised that minions not currently connected to the master\n"
        "will not be able to reconnect and may require manual\n"
        "regeneration via a local call to\n"
        "    salt-call saltutil.regen_keys"
    )
    return msg


def down(
    removekeys=False, tgt="*", tgt_type="glob", timeout=None, gather_job_timeout=None
):
    """
    .. versionchanged:: 2017.7.0

        The ``expr_form`` argument has been renamed to ``tgt_type``, earlier
        releases must use ``expr_form``.

    Print a list of all the down or unresponsive salt minions
    Optionally remove keys of down minions

    CLI Example:

    .. code-block:: bash

        salt-run manage.down
        salt-run manage.down removekeys=True
        salt-run manage.down tgt="webservers" tgt_type="nodegroup"
    """
    ret = status(
        output=False,
        tgt=tgt,
        tgt_type=tgt_type,
        timeout=timeout,
        gather_job_timeout=gather_job_timeout,
    ).get("down", [])
    for minion in ret:
        if removekeys:
            wheel = salt.wheel.Wheel(__opts__)
            wheel.call_func("key.delete", match=minion)
    return ret


def up(
    tgt="*", tgt_type="glob", timeout=None, gather_job_timeout=None
):  # pylint: disable=C0103
    """
    .. versionchanged:: 2017.7.0

        The ``expr_form`` argument has been renamed to ``tgt_type``, earlier
        releases must use ``expr_form``.

    Print a list of all of the minions that are up

    CLI Example:

    .. code-block:: bash

        salt-run manage.up
        salt-run manage.up tgt="webservers" tgt_type="nodegroup"
        salt-run manage.up timeout=5 gather_job_timeout=10
    """
    ret = status(
        output=False,
        tgt=tgt,
        tgt_type=tgt_type,
        timeout=timeout,
        gather_job_timeout=gather_job_timeout,
    ).get("up", [])
    return ret


def list_state(subset=None, show_ip=False):
    """
    .. versionadded:: 2015.8.0
    .. versionchanged:: 2019.2.0

    Print a list of all minions that are up according to Salt's presence
    detection (no commands will be sent to minions)

    subset : None
        Pass in a list of minion ids.

    show_ip : False
        Also show the IP address each minion is connecting from.

    CLI Example:

    .. code-block:: bash

        salt-run manage.list_state
    """
    # Always return 'present' for 0MQ for now
    # TODO: implement other states support for 0MQ
    ckminions = salt.utils.minions.CkMinions(__opts__)
    minions = ckminions.connected_ids(show_ip=show_ip, subset=subset)

    connected = dict(minions) if show_ip else sorted(minions)

    return connected


def list_not_state(subset=None, show_ip=False):
    """
    .. versionadded:: 2015.8.0
    .. versionchanged:: 2019.2.0

    Print a list of all minions that are NOT up according to Salt's presence
    detection (no commands will be sent to minions)

    subset : None
        Pass in a list of minion ids.

    show_ip : False
        Also show the IP address each minion is connecting from.

    CLI Example:

    .. code-block:: bash

        salt-run manage.list_not_state
    """
    connected = list_state(subset=None, show_ip=show_ip)

    with salt.key.get_key(__opts__) as key:
        keys = key.list_keys()

        not_connected = []
        for minion in keys[key.ACC]:
            if minion not in connected and (subset is None or minion in subset):
                not_connected.append(minion)

        return not_connected


def present(subset=None, show_ip=False):
    """
    .. versionchanged:: 2019.2.0

    Print a list of all minions that are up according to Salt's presence
    detection (no commands will be sent to minions)

    subset : None
        Pass in a list of minion ids.

    show_ip : False
        Also show the IP address each minion is connecting from.

    CLI Example:

    .. code-block:: bash

        salt-run manage.present
    """
    return list_state(subset=subset, show_ip=show_ip)


def not_present(subset=None, show_ip=False):
    """
    .. versionadded:: 2015.5.0
    .. versionchanged:: 2019.2.0

    Print a list of all minions that are NOT up according to Salt's presence
    detection (no commands will be sent)

    subset : None
        Pass in a list of minion ids.

    show_ip : False
        Also show the IP address each minion is connecting from.

    CLI Example:

    .. code-block:: bash

        salt-run manage.not_present
    """
    return list_not_state(subset=subset, show_ip=show_ip)


def joined(subset=None, show_ip=False):
    """
    .. versionadded:: 2015.8.0
    .. versionchanged:: 2019.2.0

    Print a list of all minions that are up according to Salt's presence
    detection (no commands will be sent to minions)

    subset : None
        Pass in a list of minion ids.

    show_ip : False
        Also show the IP address each minion is connecting from.

    CLI Example:

    .. code-block:: bash

        salt-run manage.joined
    """
    return list_state(subset=subset, show_ip=show_ip)


def not_joined(subset=None, show_ip=False):
    """
    .. versionadded:: 2015.8.0
    .. versionchanged:: 2019.2.0

    Print a list of all minions that are NOT up according to Salt's presence
    detection (no commands will be sent)

    subset : None
        Pass in a list of minion ids.

    show_ip : False
        Also show the IP address each minion is connecting from.

    CLI Example:

    .. code-block:: bash

        salt-run manage.not_joined
    """
    return list_not_state(subset=subset, show_ip=show_ip)


def allowed(subset=None, show_ip=False):
    """
    .. versionadded:: 2015.8.0
    .. versionchanged:: 2019.2.0

    Print a list of all minions that are up according to Salt's presence
    detection (no commands will be sent to minions)

    subset : None
        Pass in a list of minion ids.

    show_ip : False
        Also show the IP address each minion is connecting from.

    CLI Example:

    .. code-block:: bash

        salt-run manage.allowed
    """
    return list_state(subset=subset, show_ip=show_ip)


def not_allowed(subset=None, show_ip=False):
    """
    .. versionadded:: 2015.8.0
    .. versionchanged:: 2019.2.0

    Print a list of all minions that are NOT up according to Salt's presence
    detection (no commands will be sent)

    subset : None
        Pass in a list of minion ids.

    show_ip : False
        Also show the IP address each minion is connecting from.

    CLI Example:

    .. code-block:: bash

        salt-run manage.not_allowed
    """
    return list_not_state(subset=subset, show_ip=show_ip)


def alived(subset=None, show_ip=False):
    """
    .. versionadded:: 2015.8.0
    .. versionchanged:: 2019.2.0

    Print a list of all minions that are up according to Salt's presence
    detection (no commands will be sent to minions)

    subset : None
        Pass in a list of minion ids.

    show_ip : False
        Also show the IP address each minion is connecting from.

    CLI Example:

    .. code-block:: bash

        salt-run manage.alived
    """
    return list_state(subset=subset, show_ip=show_ip)


def not_alived(subset=None, show_ip=False):
    """
    .. versionadded:: 2015.8.0
    .. versionchanged:: 2019.2.0

    Print a list of all minions that are NOT up according to Salt's presence
    detection (no commands will be sent)

    subset : None
        Pass in a list of minion ids.

    show_ip : False
        Also show the IP address each minion is connecting from.

    CLI Example:

    .. code-block:: bash

        salt-run manage.not_alived
    """
    return list_not_state(subset=subset, show_ip=show_ip)


def reaped(subset=None, show_ip=False):
    """
    .. versionadded:: 2015.8.0
    .. versionchanged:: 2019.2.0

    Print a list of all minions that are up according to Salt's presence
    detection (no commands will be sent to minions)

    subset : None
        Pass in a list of minion ids.

    show_ip : False
        Also show the IP address each minion is connecting from.

    CLI Example:

    .. code-block:: bash

        salt-run manage.reaped
    """
    return list_state(subset=subset, show_ip=show_ip)


def not_reaped(subset=None, show_ip=False):
    """
    .. versionadded:: 2015.8.0
    .. versionchanged:: 2019.2.0

    Print a list of all minions that are NOT up according to Salt's presence
    detection (no commands will be sent)

    subset : None
        Pass in a list of minion ids.

    show_ip : False
        Also show the IP address each minion is connecting from.

    CLI Example:

    .. code-block:: bash

        salt-run manage.not_reaped
    """
    return list_not_state(subset=subset, show_ip=show_ip)


def safe_accept(target, tgt_type="glob"):
    """
    .. versionchanged:: 2017.7.0

        The ``expr_form`` argument has been renamed to ``tgt_type``, earlier
        releases must use ``expr_form``.

    Accept a minion's public key after checking the fingerprint over salt-ssh

    CLI Example:

    .. code-block:: bash

        salt-run manage.safe_accept my_minion
        salt-run manage.safe_accept minion1,minion2 tgt_type=list
    """
    ssh_client = salt.client.ssh.client.SSHClient()
    ret = ssh_client.cmd(target, "key.finger", tgt_type=tgt_type)

    failures = {}
    for minion, finger in ret.items():
        if not FINGERPRINT_REGEX.match(finger):
            failures[minion] = finger
        else:
            with salt.key.Key(__opts__) as salt_key:
                fingerprints = salt_key.finger(minion)
            accepted = fingerprints.get("minions", {})
            pending = fingerprints.get("minions_pre", {})
            if minion in accepted:
                del ret[minion]
                continue
            elif minion not in pending:
                failures[minion] = f"Minion key {minion} not found by salt-key"
            elif pending[minion] != finger:
                failures[minion] = (
                    "Minion key {} does not match the key in salt-key: {}".format(
                        finger, pending[minion]
                    )
                )
            else:
                subprocess.call(["salt-key", "-qya", minion])

        if minion in failures:
            del ret[minion]

    if failures:
        print("safe_accept failed on the following minions:")
        for minion, message in failures.items():
            print(minion)
            print("-" * len(minion))
            print(message)
            print("")

    __jid_event__.fire_event({"message": f"Accepted {len(ret):d} keys"}, "progress")
    return ret, failures


def versions():
    """
    Check the version of active minions

    CLI Example:

    .. code-block:: bash

        salt-run manage.versions
    """
    ret = {}
    client = salt.client.get_local_client(__opts__["conf_file"])
    try:
        minions = client.cmd(
            "*", "test.version", full_return=True, timeout=__opts__["timeout"]
        )
    except SaltClientError as client_error:
        print(client_error)
        return ret

    labels = {
        -2: "Minion offline",
        -1: "Minion requires update",
        0: "Up to date",
        1: "Minion newer than master",
        2: "Master",
    }

    version_status = {}

    master_version = salt.version.__saltstack_version__

    for minion in minions:
        if not minions[minion] or minions[minion]["retcode"]:
            minion_version = False
            ver_diff = -2
        else:
            minion_version = salt.version.SaltStackVersion.parse(minions[minion]["ret"])
            ver_diff = salt.utils.compat.cmp(minion_version, master_version)

        if ver_diff not in version_status:
            version_status[ver_diff] = {}
        if minion_version:
            version_status[ver_diff][minion] = minion_version.string
        else:
            version_status[ver_diff][minion] = minion_version

    # Add version of Master to output
    version_status[2] = master_version.string

    for key in version_status:
        if key == 2:
            ret[labels[key]] = version_status[2]
        else:
            for minion in sorted(version_status[key]):
                ret.setdefault(labels[key], {})[minion] = version_status[key][minion]
    return ret


def bootstrap(
    version="develop",
    script="https://github.com/saltstack/salt-bootstrap/releases/latest/download/bootstrap-salt.sh",
    hosts="",
    script_args="",
    roster="flat",
    ssh_user=None,
    ssh_password=None,
    ssh_priv_key=None,
    tmp_dir="/tmp/.bootstrap",
    http_backend="tornado",
):
    """
    Bootstrap minions with salt-bootstrap

    version : develop
        Git tag of version to install

    script : https://github.com/saltstack/salt-bootstrap/releases/latest/download/bootstrap-salt.sh
        URL containing the script to execute

    hosts
        Comma-separated hosts [example: hosts='host1.local,host2.local']. These
        hosts need to exist in the specified roster.

    script_args
        Any additional arguments that you want to pass to the script.

        .. versionadded:: 2016.11.0

    roster : flat
        The roster to use for Salt SSH. More information about roster files can
        be found in :ref:`Salt's Roster Documentation <ssh-roster>`.

        A full list of roster types, see the :ref:`builtin roster modules <all-salt.roster>`
        documentation.

        .. versionadded:: 2016.11.0

    ssh_user
        If ``user`` isn't found in the ``roster``, a default SSH user can be set here.
        Keep in mind that ``ssh_user`` will not override the roster ``user`` value if
        it is already defined.

        .. versionadded:: 2016.11.0

    ssh_password
        If ``passwd`` isn't found in the ``roster``, a default SSH password can be set
        here. Keep in mind that ``ssh_password`` will not override the roster ``passwd``
        value if it is already defined.

        .. versionadded:: 2016.11.0

    ssh_privkey
        If ``priv`` isn't found in the ``roster``, a default SSH private key can be set
        here. Keep in mind that ``ssh_password`` will not override the roster ``passwd``
        value if it is already defined.

        .. versionadded:: 2016.11.0

    tmp_dir : /tmp/.bootstrap
        The temporary directory to download the bootstrap script in. This
        directory will have ``-<uuid4>`` appended to it. For example:
        ``/tmp/.bootstrap-a19a728e-d40a-4801-aba9-d00655c143a7/``

        .. versionadded:: 2016.11.0

    http_backend : tornado
        The backend library to use to download the script. If you need to use
        a ``file:///`` URL, then you should set this to ``urllib2``.

        .. versionadded:: 2016.11.0

    CLI Example:

    .. code-block:: bash

        salt-run manage.bootstrap hosts='host1,host2'
        salt-run manage.bootstrap hosts='host1,host2' version='v3006.2'
        salt-run manage.bootstrap hosts='host1,host2' version='v3006.2' script='https://github.com/saltstack/salt-bootstrap/develop'
    """

    client_opts = __opts__.copy()
    if roster is not None:
        client_opts["roster"] = roster

    if ssh_user is not None:
        client_opts["ssh_user"] = ssh_user

    if ssh_password is not None:
        client_opts["ssh_passwd"] = ssh_password

    if ssh_priv_key is not None:
        client_opts["ssh_priv"] = ssh_priv_key

    for host in hosts.split(","):
        client_opts["tgt"] = host
        client_opts["selected_target_option"] = "glob"
        tmp_dir = "{}-{}/".format(tmp_dir.rstrip("/"), uuid.uuid4())
        deploy_command = os.path.join(tmp_dir, "deploy.sh")
        try:
            client_opts["argv"] = ["file.makedirs", tmp_dir, "mode=0700"]
            salt.client.ssh.SSH(client_opts).run()
            client_opts["argv"] = [
                "http.query",
                script,
                f"backend={http_backend}",
                f"text_out={deploy_command}",
            ]
            salt.client.ssh.SSH(client_opts).run()
            client_opts["argv"] = [
                "cmd.run",
                " ".join(["sh", deploy_command, script_args]),
                "python_shell=False",
            ]
            salt.client.ssh.SSH(client_opts).run()
            client_opts["argv"] = ["file.remove", tmp_dir]
            salt.client.ssh.SSH(client_opts).run()
        except SaltSystemExit as exc:
            log.error(str(exc))


def bootstrap_psexec(
    hosts="",
    master=None,
    version=None,
    arch="win32",
    installer_url=None,
    username=None,
    password=None,
):
    """
    Bootstrap Windows minions via PsExec.

    hosts
        Comma separated list of hosts to deploy the Windows Salt minion.

    master
        Address of the Salt master passed as an argument to the installer.

    version
        Point release of installer to download. Defaults to the most recent.

    arch
        Architecture of installer to download. Defaults to win32.

    installer_url
        URL of minion installer executable. Defaults to the latest version from
        https://packages.broadcom.com/artifactory/saltproject-generic/windows/

    username
        Optional user name for login on remote computer.

    password
        Password for optional username. If omitted, PsExec will prompt for one
        to be entered for each host.

    CLI Example:

    .. code-block:: bash

        salt-run manage.bootstrap_psexec hosts='host1,host2'
        salt-run manage.bootstrap_psexec hosts='host1,host2' version='0.17' username='DOMAIN\\Administrator'
        salt-run manage.bootstrap_psexec hosts='host1,host2' installer_url='http://exampledomain/salt-installer.exe'
    """

    # TODO: Need to make this gets the latest version from the new repo location
    # TODO: Similar to tests/support/win_installer.py
    # TODO: Maybe need to move that ^^^^ to a salt util
    if not installer_url:
        base_url = "https://repo.saltproject.io/windows/"
        source = urllib.request.urlopen(base_url).read()
        salty_rx = re.compile(
            '>(Salt-Minion-(.+?)-(.+)-Setup.exe)</a></td><td align="right">(.*?)\\s*<'
        )
        source_list = sorted(
            (
                [path, ver, plat, time.strptime(date, "%d-%b-%Y %H:%M")]
                for path, ver, plat, date in salty_rx.findall(source)
            ),
            key=operator.itemgetter(3),
            reverse=True,
        )
        if version:
            source_list = [s for s in source_list if s[1] == version]
        if arch:
            source_list = [s for s in source_list if s[2] == arch]

        if not source_list:
            return -1

        version = source_list[0][1]
        arch = source_list[0][2]
        installer_url = base_url + source_list[0][0]

    # It's no secret that Windows is notoriously command-line hostile.
    # Win 7 and newer can use PowerShell out of the box, but to reach
    # all those XP and 2K3 machines we must suppress our gag-reflex
    # and use VB!

    # The following script was borrowed from an informative article about
    # downloading exploit payloads for malware. Nope, no irony here.
    # http://www.greyhathacker.net/?p=500
    vb_script = """strFileURL = "{0}"
strHDLocation = "{1}"
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
Set objShell = CreateObject("WScript.Shell")
objShell.Exec("{1}{2}")"""

    vb_saltexec = "saltinstall.exe"
    vb_saltexec_args = " /S /minion-name=%COMPUTERNAME%"
    if master:
        vb_saltexec_args += f" /master={master}"

    # One further thing we need to do; the Windows Salt minion is pretty
    # self-contained, except for the Microsoft Visual C++ 2008 runtime.
    # It's tiny, so the bootstrap will attempt a silent install.
    vb_vcrunexec = "vcredist.exe"
    if arch == "AMD64":
        vb_vcrun = vb_script.format(
            "http://download.microsoft.com/download/d/2/4/d242c3fb-da5a-4542-ad66-f9661d0a8d19/vcredist_x64.exe",
            vb_vcrunexec,
            " /q",
        )
    else:
        vb_vcrun = vb_script.format(
            "http://download.microsoft.com/download/d/d/9/dd9a82d0-52ef-40db-8dab-795376989c03/vcredist_x86.exe",
            vb_vcrunexec,
            " /q",
        )

    vb_salt = vb_script.format(installer_url, vb_saltexec, vb_saltexec_args)

    # PsExec doesn't like extra long arguments; save the instructions as a batch
    # file so we can fire it over for execution.

    # First off, change to the local temp directory, stop salt-minion (if
    # running), and remove the master's public key.
    # This is to accommodate for reinstalling Salt over an old or broken build,
    # e.g. if the master address is changed, the salt-minion process will fail
    # to authenticate and quit; which means infinite restarts under Windows.
    batch = (
        "cd /d %TEMP%\nnet stop salt-minion\ndel"
        " c:\\salt\\conf\\pki\\minion\\minion_master.pub\n"
    )

    # Speaking of command-line hostile, cscript only supports reading a script
    # from a file. Glue it together line by line.
    for x, y in ((vb_vcrunexec, vb_vcrun), (vb_saltexec, vb_salt)):
        vb_lines = y.split("\n")
        batch += (
            "\ndel "
            + x
            + "\n@echo "
            + vb_lines[0]
            + "  >"
            + x
            + ".vbs\n@echo "
            + ("  >>" + x + ".vbs\n@echo ").join(vb_lines[1:])
            + "  >>"
            + x
            + ".vbs\ncscript.exe /NoLogo "
            + x
            + ".vbs"
        )

    batch_path = tempfile.mkstemp(suffix=".bat")[1]
    with salt.utils.files.fopen(batch_path, "wb") as batch_file:
        batch_file.write(batch)

    for host in hosts.split(","):
        argv = ["psexec", "\\\\" + host]
        if username:
            argv += ["-u", username]
            if password:
                argv += ["-p", password]
        argv += ["-h", "-c", batch_path]
        subprocess.call(argv)
F1l3 Manager
