Merge pull request #33296 from whiteinge/auth-runner

Add an auth runner

conf/master

@@ -321,6 +321,18 @@
 #
 # Time (in seconds) for a newly generated token to live. Default: 12 hours
 #token_expire: 43200
+#
+# Allow eauth users to specify the expiry time of the tokens they generate.
+# A boolean applies to all users or a dictionary of whitelisted eauth backends
+# and usernames may be given.
+# token_expire_user_override:
+#   pam:
+#     - fred
+#     - tom
+#   ldap:
+#     - gary
+#
+#token_expire_user_override: False
 
 # Allow minions to push files to the master. This is disabled by default, for
 # security purposes.

doc/ref/configuration/master.rst

@@ -874,6 +874,27 @@ Default: 12 hours
 
     token_expire: 43200
 
+.. conf_master:: token_expire_user_override
+
+``token_expire_user_override``
+------------------------------
+
+Default: ``False``
+
+Allow eauth users to specify the expiry time of the tokens they generate.
+
+A boolean applies to all users or a dictionary of whitelisted eauth backends
+and usernames may be given:
+
+.. code-block:: yaml
+
+    token_expire_user_override:
+      pam:
+        - fred
+        - tom
+      ldap:
+        - gary
+
 .. conf_master:: file_recv
 
 ``file_recv``

salt/auth/__init__.py

@@ -18,6 +18,7 @@ from __future__ import absolute_import
 # Import python libs
 from __future__ import print_function
 import os
+import collections
 import hashlib
 import time
 import logging
@@ -137,6 +138,23 @@ class LoadAuth(object):
         except Exception:
             return None
 
+    def _allow_custom_expire(self, load):
+        '''
+        Return bool if requesting user is allowed to set custom expire
+        '''
+        expire_override = self.opts.get('token_expire_user_override', False)
+
+        if expire_override is True:
+            return True
+
+        if isinstance(expire_override, collections.Mapping):
+            expire_whitelist = expire_override.get(load['eauth'], [])
+            if isinstance(expire_whitelist, collections.Iterable):
+                if load.get('username') in expire_whitelist:
+                    return True
+
+        return False
+
     def mk_token(self, load):
         '''
         Run time_auth and create a token. Return False or the token
@@ -154,8 +172,15 @@ class LoadAuth(object):
         fcall = salt.utils.format_call(self.auth[fstr],
                                        load,
                                        expected_extra_kws=AUTH_INTERNAL_KEYWORDS)
+
+        if self._allow_custom_expire(load):
+            token_expire = load.pop('token_expire', self.opts['token_expire'])
+        else:
+            _ = load.pop('token_expire', None)
+            token_expire = self.opts['token_expire']
+
         tdata = {'start': time.time(),
-                 'expire': time.time() + self.opts['token_expire'],
+                 'expire': time.time() + token_expire,
                  'name': fcall['args'][0],
                  'eauth': load['eauth'],
                  'token': tok}

salt/config/__init__.py

@@ -571,6 +571,7 @@ VALID_OPTS = {
     'sudo_acl': bool,
     'external_auth': dict,
     'token_expire': int,
+    'token_expire_user_override': (bool, dict),
     'file_recv': bool,
     'file_recv_max_size': int,
     'file_ignore_regex': (list, string_types),
@@ -1179,6 +1180,7 @@ DEFAULT_MASTER_OPTS = {
     'sudo_acl': False,
     'external_auth': {},
     'token_expire': 43200,
+    'token_expire_user_override': False,
     'extension_modules': os.path.join(salt.syspaths.CACHE_DIR, 'master', 'extmods'),
     'file_recv': False,
     'file_recv_max_size': 100,

salt/runners/auth.py

@@ -0,0 +1,44 @@
+# -*- coding: utf-8 -*-
+import os
+
+import salt.auth
+import salt.exceptions
+import salt.netapi
+
+
+def mk_token(**load):
+    '''
+    Create an eauth token using provided credentials
+
+    CLI Example:
+
+    .. code-block:: shell
+
+        salt-run auth.mk_token username=saltdev password=saltdev eauth=auto
+        salt-run auth.mk_token username=saltdev password=saltdev eauth=auto \\
+            token_expire=94670856
+    '''
+    # This will hang if the master daemon is not running.
+    netapi = salt.netapi.NetapiClient(__opts__)
+    if not netapi._is_master_running():
+        raise salt.exceptions.SaltDaemonNotRunning(
+                'Salt Master must be running.')
+
+    auth = salt.auth.Resolver(__opts__)
+    return auth.mk_token(load)
+
+
+def del_token(token):
+    '''
+    Delete an eauth token by name
+
+    CLI Example:
+
+    .. code-block:: shell
+
+        salt-run auth.del_token 6556760736e4077daa601baec2b67c24
+    '''
+    token_path = os.path.join(__opts__['token_dir'], token)
+    if os.path.exists(token_path):
+        return os.remove(token_path) is None
+    return False