def mk_token(**load):
r'''
Create an eauth token using provided credentials
Non-root users may specify an expiration date -- if allowed via the
:conf_master:`token_expire_user_override` setting -- by passing an
additional ``token_expire`` param. This overrides the
:conf_master:`token_expire` setting of the same name in the Master config
and is how long a token should live in seconds.
CLI Example:
.. code-block:: shell
salt-run auth.mk_token username=saltdev password=saltdev eauth=auto
# Create a token valid for three years.
salt-run auth.mk_token username=saltdev password=saltdev eauth=auto \
token_expire=94670856
# Calculate the number of seconds using expr.
salt-run auth.mk_token username=saltdev password=saltdev eauth=auto \
token_expire=$(expr \( 365 \* 24 \* 60 \* 60 \) \* 3)
'''
# This will hang if the master daemon is not running.
netapi = salt.netapi.NetapiClient(__opts__)
if not netapi._is_master_running():
raise salt.exceptions.SaltDaemonNotRunning(
'Salt Master must be running.')
auth = salt.auth.Resolver(__opts__)
return auth.mk_token(load)
def test_token(client, client_config, auth_creds, salt_auto_account):
"""
Test executing master_call with lowdata
The choice of using key.list_all for this is arbitrary and should be
changed to some mocked function that is more testing friendly.
"""
auth = salt.auth.LoadAuth(client_config)
token = auth.mk_token(auth_creds)
ret = client.master_call(
**{
"client": "wheel",
"fun": "key.list_all",
"token": token["token"],
"print_event": False,
})
assert ret
assert "data" in ret
data = ret["data"]
assert data["success"] is True
assert data["user"] == salt_auto_account.username
assert data["fun"] == "wheel.key.list_all"
assert data["return"]
assert data["return"]["local"] == ["master.pem", "master.pub"]
def test_cve_2021_3244(tmp_path):
token_dir = tmp_path / "tokens"
token_dir.mkdir()
opts = {
"extension_modules": "",
"optimization_order": [0, 1, 2],
"token_expire": 1,
"keep_acl_in_token": False,
"eauth_tokens": "localfs",
"token_dir": str(token_dir),
"token_expire_user_override": True,
"external_auth": {
"auto": {
"foo": []
}
},
}
auth = salt.auth.LoadAuth(opts)
load = {
"eauth": "auto",
"username": "******",
"password": "******",
"token_expire": -1,
}
t_data = auth.mk_token(load)
assert t_data["expire"] < time.time()
token_file = token_dir / t_data["token"]
assert token_file.exists()
t_data = auth.get_tok(t_data["token"])
assert not t_data
assert not token_file.exists()
def test_token(self):
'''
Test executing master_call with lowdata
The choice of using key.list_all for this is arbitrary and should be
changed to some mocked function that is more testing friendly.
'''
auth = salt.auth.LoadAuth(self.get_config('client_config'))
token = auth.mk_token(self.eauth_creds)
token = auth.mk_token({
'username': '******',
'password': '******',
'eauth': 'auto',
})
self.wheel.master_call(**{
'client': 'wheel',
'fun': 'key.list_all',
'token': token['token'],
})
def POST(self, **kwargs):
'''
Authenticate against Salt's eauth system. Returns a session id and
redirects on success.
.. http:post:: /login
**Example request**::
% curl -si localhost:8000/login \\
-H "Accept: application/json" \\
-d username='******' \\
-d password='******' \\
-d eauth='pam'
.. code-block:: http
POST / HTTP/1.1
Host: localhost:8000
Content-Length: 97
Content-Type: application/x-www-form-urlencoded
username=saltuser&password=saltpass&eauth=pam
**Example response**:
.. code-block:: http
HTTP/1.1 302 Found
Content-Length: 97
Location: http://localhost:8000/
X-Auth-Token: 6d1b722e
Set-Cookie: session_id=6d1b722e; expires=Sat, 17 Nov 2012 03:23:52 GMT; Path=/
:form eauth: the eauth backend configured in your master config
:form username: username
:form password: password
:status 302: success
:status 406: requested Content-Type not available
'''
auth = salt.auth.LoadAuth(self.opts)
# the urlencoded_processor will wrap this in a list
if isinstance(cherrypy.serving.request.lowstate, list):
creds = cherrypy.serving.request.lowstate[0]
else:
creds = cherrypy.serving.request.lowstate
token = auth.mk_token(creds)
cherrypy.response.headers['X-Auth-Token'] = cherrypy.session.id
cherrypy.session['token'] = token['token']
cherrypy.session['timeout'] = (token['expire'] - token['start']) / 60
raise cherrypy.HTTPRedirect('/', 302)
def test_token(self):
'''
Test executing master_call with lowdata
The choice of using key.list_all for this is arbitrary and should be
changed to some mocked function that is more testing friendly.
'''
auth = salt.auth.LoadAuth(dict(self.get_config('client_config')))
token = auth.mk_token(self.eauth_creds)
token = auth.mk_token({
'username': '******',
'password': '******',
'eauth': 'auto',
})
self.wheel.master_call(**{
'client': 'wheel',
'fun': 'key.list_all',
'token': token['token'],
})
def test_token(self):
"""
Test executing master_call with lowdata
The choice of using key.list_all for this is arbitrary and should be
changed to some mocked function that is more testing friendly.
"""
auth = salt.auth.LoadAuth(dict(self.get_config("client_config")))
token = auth.mk_token(self.eauth_creds)
token = auth.mk_token({
"username": "******",
"password": "******",
"eauth": "auto"
})
self.wheel.master_call(
**{
"client": "wheel",
"fun": "key.list_all",
"token": token["token"],
"print_event": False,
})
def test_token(self):
"""
Test executing master_call with lowdata
The choice of using error.error for this is arbitrary and should be
changed to some mocked function that is more testing friendly.
"""
import salt.auth
auth = salt.auth.LoadAuth(self.get_config("client_config"))
token = auth.mk_token(self.eauth_creds)
self.runner.master_call(
**{"client": "runner", "fun": "error.error", "token": token["token"]}
)
def test_token(self):
'''
Test executing master_call with lowdata
The choice of using error.error for this is arbitrary and should be
changed to some mocked function that is more testing friendly.
'''
import salt.auth
auth = salt.auth.LoadAuth(self.get_config('client_config'))
token = auth.mk_token(self.eauth_creds)
self.runner.master_call(**{
'client': 'runner',
'fun': 'error.error',
'token': token['token'],
})
def test_token(self):
'''
Test executing master_call with lowdata
The choice of using error.error for this is arbitrary and should be
changed to some mocked function that is more testing friendly.
'''
import salt.auth
auth = salt.auth.LoadAuth(self.get_config('client_config'))
token = auth.mk_token(self.eauth_creds)
self.runner.master_call(**{
'client': 'runner',
'fun': 'error.error',
'token': token['token'],
})
def test_token(self):
'''
Test executing master_call with lowdata
The choice of using error.error for this is arbitrary and should be
changed to some mocked function that is more testing friendly.
'''
import salt.auth
opts = self.get_opts()
self.mkdir_p(os.path.join(opts['root_dir'], 'cache', 'tokens'))
auth = salt.auth.LoadAuth(opts)
token = auth.mk_token(self.eauth_creds)
self.runner.master_call(**{
'client': 'runner',
'fun': 'error.error',
'token': token['token'],
})
def mk_token(**load):
'''
Create an eauth token using provided credentials
CLI Example:
.. code-block:: shell
salt-run auth.mk_token username=saltdev password=saltdev eauth=auto
salt-run auth.mk_token username=saltdev password=saltdev eauth=auto \\
token_expire=94670856
'''
# This will hang if the master daemon is not running.
netapi = salt.netapi.NetapiClient(__opts__)
if not netapi._is_master_running():
raise salt.exceptions.SaltDaemonNotRunning(
'Salt Master must be running.')
auth = salt.auth.Resolver(__opts__)
return auth.mk_token(load)
def test_token(client, client_config, auth_creds):
"""
Test executing master_call with lowdata
The choice of using error.error for this is arbitrary and should be
changed to some mocked function that is more testing friendly.
"""
auth = salt.auth.LoadAuth(client_config)
token = auth.mk_token(auth_creds)
low = {
"client": "runner",
"fun": "error.error",
"token": token["token"],
}
ret = client.master_call(**low)
assert ret
assert "jid" in ret
assert "tag" in ret
assert ret["tag"] == "salt/run/{}".format(ret["jid"])
def mk_token(**load):
'''
Create an eauth token using provided credentials
CLI Example:
.. code-block:: shell
salt-run auth.mk_token username=saltdev password=saltdev eauth=auto
salt-run auth.mk_token username=saltdev password=saltdev eauth=auto \\
token_expire=94670856
'''
# This will hang if the master daemon is not running.
netapi = salt.netapi.NetapiClient(__opts__)
if not netapi._is_master_running():
raise salt.exceptions.SaltDaemonNotRunning(
'Salt Master must be running.')
auth = salt.auth.Resolver(__opts__)
return auth.mk_token(load)
def test_token(self):
'''
Test executing master_call with lowdata
The choice of using key.list_all for this is arbitrary and should be
changed to some mocked function that is more testing friendly.
'''
import salt.auth
opts = self.get_opts()
self.mkdir_p(os.path.join(opts['root_dir'], 'cache', 'tokens'))
auth = salt.auth.LoadAuth(opts)
token = auth.mk_token({
'username': '******',
'password': '******',
'eauth': 'auto',
})
self.wheel.master_call(**{
'client': 'wheel',
'fun': 'key.list_all',
'token': token['token'],
})
def test_token(self):
'''
Test executing master_call with lowdata
The choice of using key.list_all for this is arbitrary and should be
changed to some mocked function that is more testing friendly.
'''
import salt.auth
opts = self.get_opts()
self.mkdir_p(os.path.join(opts['root_dir'], 'cache', 'tokens'))
auth = salt.auth.LoadAuth(opts)
token = auth.mk_token({
'username': '******',
'password': '******',
'eauth': 'auto',
})
self.wheel.master_call(**{
'client': 'wheel',
'fun': 'key.list_all',
'token': token['token'],
})
