Merge pull request #24740 from rallytime/bp-24720

Backport #24720 to 2015.5
2025-04-17 10:10:20 +00:00 · 2015-06-17 09:43:37 -07:00 · 2015-06-17 09:43:37 -07:00 · 3d53d79476
commit 3d53d79476
parent ac2851be55 a9bcdb5b77
1 changed files with 22 additions and 10 deletions
--- a/salt/master.py
+++ b/salt/master.py
@ -1893,11 +1893,17 @@ class ClearFuncs(object):

        check_fun = getattr(self.ckminions,
                            '{auth}_check'.format(auth=auth_type))
-        good = check_fun(
-            self.opts['external_auth'][token['eauth']][token['name']]
-            if token['name'] in self.opts['external_auth'][token['eauth']]
-            else self.opts['external_auth'][token['eauth']]['*'],
-            fun)
+        if token['name'] in self.opts['external_auth'][token['eauth']]:
+            good = check_fun(self.opts['external_auth'][token['eauth']][token['name']], fun)
+        elif any(key.endswith('%') for key in self.opts['external_auth'][token['eauth']]):
+            for group in self.opts['external_auth'][token['eauth']]:
+                if group.endswith('%'):
+                    for group in self.opts['external_auth'][token['eauth']]:
+                        good = check_fun(self.opts['external_auth'][token['eauth']][group], fun)
+                        if good:
+                            break
+        else:
+            good = check_fun(self.opts['external_auth'][token['eauth']]['*'], fun)
        if not good:
            msg = ('Authentication failure of type "token" occurred for '
                   'user {0}.').format(token['name'])
@ -1941,13 +1947,19 @@ class ClearFuncs(object):
            log.warning(msg)
            return dict(error=dict(name='EauthAuthenticationError',
                                   message=msg))
+
        check_fun = getattr(self.ckminions,
                            '{auth}_check'.format(auth=auth_type))
-        good = check_fun(
-            self.opts['external_auth'][clear_load['eauth']][name]
-            if name in self.opts['external_auth'][clear_load['eauth']]
-            else self.opts['external_auth'][clear_load['eauth']]['*'],
-            clear_load['fun'])
+        if name in self.opts['external_auth'][clear_load['eauth']]:
+            good = check_fun(self.opts['external_auth'][clear_load['eauth']][name], clear_load['fun'])
+        elif any(key.endswith('%') for key in self.opts['external_auth'][clear_load['eauth']]):
+            for group in self.opts['external_auth'][clear_load['eauth']]:
+                if group.endswith('%'):
+                    good = check_fun(self.opts['external_auth'][clear_load['eauth']][group], clear_load['fun'])
+                    if good:
+                        break
+        else:
+            good = check_fun(self.opts['external_auth'][clear_load['eauth']]['*'], clear_load['fun'])
        if not good:
            msg = ('Authentication failure of type "eauth" occurred for '
                   'user {0}.').format(clear_load.get('username', 'UNKNOWN'))