Merge pull request #31567 from cachedout/issue_28585

Restore FIPS compliance when using master_finger
Nicole Thomas 2016-03-01 12:50:02 -07:00
commit 068807558a
5 changed files with 13 additions and 11 deletions


@ -2048,7 +2048,7 @@ class Map(Cloud):
master_temp_pub = salt.utils.mkstemp()
with salt.utils.fopen(master_temp_pub, 'w') as mtp:
mtp.write(pub)
master_finger = salt.utils.pem_finger(master_temp_pub)
master_finger = salt.utils.pem_finger(master_temp_pub, sum_type=self.opts['hash_type'])
os.unlink(master_temp_pub)
if master_profile.get('make_minion', True) is True:
@ -2133,7 +2133,7 @@ class Map(Cloud):
# mitigate man-in-the-middle attacks
master_pub = os.path.join(self.opts['pki_dir'], 'master.pub')
if os.path.isfile(master_pub):
master_finger = salt.utils.pem_finger(master_pub)
master_finger = salt.utils.pem_finger(master_pub, sum_type=self.opts['hash_type'])
opts = self.opts.copy()
if self.opts['parallel']:
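Review bot: The fingerprint produced by `master_finger = salt.utils.pem_finger(master_temp_pub, sum_type=self.opts['hash_type'])` is taken with the `hash_type` of the process running the map, but it is presumably handed to the new minion, which recomputes the finger with its own `hash_type` before comparing; if the two settings differ the minion-side check can only fail, with nothing in this code pointing at the cause. A short comment above that line would spare the next reader a debugging session, e.g. `# digest must match hash_type on the minion, which recomputes this finger with its own setting`; the same applies to the `master_pub` line in the second hunk. The enclosing Map method starts and ends outside both hunks.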


@ -1071,11 +1071,11 @@ class SAuth(AsyncAuth):
if self.opts.get('syndic_master', False): # Is syndic
syndic_finger = self.opts.get('syndic_finger', self.opts.get('master_finger', False))
if syndic_finger:
if salt.utils.pem_finger(m_pub_fn) != syndic_finger:
if salt.utils.pem_finger(m_pub_fn, sum_type=self.opts['hash_type']) != syndic_finger:
self._finger_fail(syndic_finger, m_pub_fn)
else:
if self.opts.get('master_finger', False):
if salt.utils.pem_finger(m_pub_fn) != self.opts['master_finger']:
if salt.utils.pem_finger(m_pub_fn, sum_type=self.opts['hash_type']) != self.opts['master_finger']:
self._finger_fail(self.opts['master_finger'], m_pub_fn)
auth['publish_port'] = payload['publish_port']
return auth
@ -1089,7 +1089,7 @@ class SAuth(AsyncAuth):
'this minion is not subject to a man-in-the-middle attack.'
.format(
finger,
salt.utils.pem_finger(master_key)
salt.utils.pem_finger(master_key, sum_type=self.opts['hash_type'])
)
)
sys.exit(42)
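Review bot: The failure message built in the `_finger_fail` hunk prints the configured finger and the one recomputed with `sum_type=self.opts['hash_type']`, but not which digest was used, so a `master_finger` recorded under a different `hash_type` now fails with two unrelated-looking strings and no hint that the algorithm, not the key, is the mismatch. Passing `self.opts['hash_type']` as a third `.format()` argument and naming it in the message (its head is above the hunk) would make that case self-explanatory while still failing closed. In the first hunk the comparisons in the syndic and non-syndic branches read the same option, which is consistent, but both checks only run when a finger is configured, so the change is a no-op for unconfigured minions. The `_finger_fail` method begins outside the hunk.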


@ -933,7 +933,7 @@ class Key(object):
path = os.path.join(self.opts['pki_dir'], key)
else:
path = os.path.join(self.opts['pki_dir'], status, key)
ret[status][key] = salt.utils.pem_finger(path)
ret[status][key] = salt.utils.pem_finger(path, sum_type=self.opts['hash_type'])
return ret
def finger_all(self):
@ -948,7 +948,7 @@ class Key(object):
path = os.path.join(self.opts['pki_dir'], key)
else:
path = os.path.join(self.opts['pki_dir'], status, key)
ret[status][key] = salt.utils.pem_finger(path)
ret[status][key] = salt.utils.pem_finger(path, sum_type=self.opts['hash_type'])
return ret
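Review bot: `self.opts['hash_type']` is looked up on every iteration in both hunks, on the line `ret[status][key] = salt.utils.pem_finger(path, sum_type=self.opts['hash_type'])`, which presumably sits inside a loop over status and key. Reading it once into a local above each loop, `hash_type = self.opts['hash_type']`, and passing `sum_type=hash_type` keeps the per-key work to the file hash and makes the dependency on the option visible at the top of the method. The two loop bodies visible here are identical apart from that, so a small private helper taking `status, key` would also let the option be read in a single place. Both enclosing methods start above their hunks.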


@ -22,7 +22,8 @@ def finger():
salt '*' key.finger
'''
return salt.utils.pem_finger(
os.path.join(__opts__['pki_dir'], 'minion.pub')
os.path.join(__opts__['pki_dir'], 'minion.pub'),
sum_type=__opts__['hash_type']
)
@ -37,5 +38,6 @@ def finger_master():
salt '*' key.finger_master
'''
return salt.utils.pem_finger(
os.path.join(__opts__['pki_dir'], 'minion_master.pub')
os.path.join(__opts__['pki_dir'], 'minion_master.pub'),
sum_type=__opts__['hash_type']
)
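Review bot: The docstrings of `finger` and `finger_master`, whose tails end at the `'''` visible in each hunk, do not say that the result now depends on the minion's `hash_type` option, which is exactly what a user pasting the output into a `master_finger` or `syndic_finger` setting needs to know. Add to both, above the CLI example: `The digest is chosen by the minion's ``hash_type`` option; compare the result only with fingerprints produced under the same hash type.` Both docstrings begin above their hunks.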


@ -37,7 +37,7 @@ class KeyTestCase(TestCase):
with patch.object(salt.utils,
'pem_finger', return_value='A'):
with patch.dict(key.__opts__,
{'pki_dir': MagicMock(return_value='A')}):
{'pki_dir': MagicMock(return_value='A'), 'hash_type': 'sha256'}):
self.assertEqual(key.finger(), 'A')
def test_finger_master(self):
@ -48,7 +48,7 @@ class KeyTestCase(TestCase):
with patch.object(salt.utils,
'pem_finger', return_value='A'):
with patch.dict(key.__opts__,
{'pki_dir': 'A'}):
{'pki_dir': 'A', 'hash_type': 'sha256'}):
self.assertEqual(key.finger_master(), 'A')
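Review bot: Neither test checks that `hash_type` actually reaches `pem_finger`: the function is replaced by a mock returning `'A'` and only that return value is asserted, so `self.assertEqual(key.finger(), 'A')` would still pass if the `sum_type=` argument were dropped again, which is the very regression this PR fixes. Bind the patch with `with patch.object(salt.utils, 'pem_finger', return_value='A') as pem_finger:` and add after the existing assertion `self.assertEqual(pem_finger.call_args[1]['sum_type'], 'sha256')`; the same one-line addition applies to `test_finger_master` in the second hunk. The `test_finger` method begins above the first hunk.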