saltstack/salt
1
0
Fork 0
mirror of https://github.com/saltstack/salt.git synced 2025-04-17 10:10:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch '3006.x' into merge/3007.x/3006.x

Browse source
This commit is contained in:
Daniel A. Wozniak 2024-10-16 18:03:43 -07:00
commit 9b157d732f
6 changed files with 151 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.github/workflows/nightly.yml vendored
View file

@ -538,7 +538,7 @@ jobs:
python-version: "3.10.15" python-version: "3.10.15"
source: "onedir" source: "onedir"
environment: nightly environment: nightly
sign-macos-packages: true sign-macos-packages: false
sign-windows-packages: false sign-windows-packages: false
secrets: inherit secrets: inherit
@ -556,7 +556,7 @@ jobs:
python-version: "3.10.15" python-version: "3.10.15"
source: "src" source: "src"
environment: nightly environment: nightly
sign-macos-packages: true sign-macos-packages: false
sign-windows-packages: false sign-windows-packages: false
secrets: inherit secrets: inherit
build-ci-deps: build-ci-deps:

4
.github/workflows/staging.yml vendored
View file

@ -520,7 +520,7 @@ jobs:
python-version: "3.10.15" python-version: "3.10.15"
source: "onedir" source: "onedir"
environment: staging environment: staging
sign-macos-packages: true sign-macos-packages: false
sign-windows-packages: ${{ inputs.sign-windows-packages }} sign-windows-packages: ${{ inputs.sign-windows-packages }}
secrets: inherit secrets: inherit
@ -538,7 +538,7 @@ jobs:
python-version: "3.10.15" python-version: "3.10.15"
source: "src" source: "src"
environment: staging environment: staging
sign-macos-packages: true sign-macos-packages: false
sign-windows-packages: ${{ inputs.sign-windows-packages }} sign-windows-packages: ${{ inputs.sign-windows-packages }}
secrets: inherit secrets: inherit
build-ci-deps: build-ci-deps:

2
.github/workflows/templates/build-packages.yml.jinja vendored
View file

@ -19,7 +19,7 @@
source: "<{ backend }>" source: "<{ backend }>"
<%- if gh_environment != "ci" %> <%- if gh_environment != "ci" %>
environment: <{ gh_environment }> environment: <{ gh_environment }>
sign-macos-packages: true sign-macos-packages: false
sign-windows-packages: <% if gh_environment == 'nightly' -%> false <%- else -%> ${{ inputs.sign-windows-packages }} <%- endif %> sign-windows-packages: <% if gh_environment == 'nightly' -%> false <%- else -%> ${{ inputs.sign-windows-packages }} <%- endif %>
secrets: inherit secrets: inherit
<%- endif %> <%- endif %>

1
changelog/66955.fixed.md Normal file
View file

@ -0,0 +1 @@
Allow for secure-boot efivars directory having SecureBoot-xxx files, not directories with a data file

25
salt/grains/extra.py
View file

@ -66,7 +66,10 @@ def config():
def __secure_boot(efivars_dir): def __secure_boot(efivars_dir):
"""Detect if secure-boot is enabled.""" """Detect if secure-boot is enabled."""
enabled = False enabled = False
sboot = glob.glob(os.path.join(efivars_dir, "SecureBoot-*/data")) if "efivars" == os.path.basename(efivars_dir):
sboot = glob.glob(os.path.join(efivars_dir, "SecureBoot-*"))
else:
sboot = glob.glob(os.path.join(efivars_dir, "SecureBoot-*/data"))
if len(sboot) == 1: if len(sboot) == 1:
# The minion is usually running as a privileged user, but is # The minion is usually running as a privileged user, but is
# not the case for the master. Seems that the master can also # not the case for the master. Seems that the master can also
@ -79,6 +82,17 @@ def __secure_boot(efivars_dir):
return enabled return enabled
def get_secure_boot_path():
"""
Provide paths for secure boot directories and files
"""
efivars_path = next(
filter(os.path.exists, ["/sys/firmware/efi/efivars", "/sys/firmware/efi/vars"]),
None,
)
return efivars_path
def uefi(): def uefi():
"""Populate UEFI grains.""" """Populate UEFI grains."""
if salt.utils.platform.is_freebsd(): if salt.utils.platform.is_freebsd():
@ -89,18 +103,11 @@ def uefi():
"efi-secure-boot": False, "efi-secure-boot": False,
} }
else: else:
# Works on Linux and Apple ? efivars_dir = get_secure_boot_path()
efivars_dir = next(
filter(
os.path.exists, ["/sys/firmware/efi/efivars", "/sys/firmware/efi/vars"]
),
None,
)
grains = { grains = {
"efi": bool(efivars_dir), "efi": bool(efivars_dir),
"efi-secure-boot": __secure_boot(efivars_dir) if efivars_dir else False, "efi-secure-boot": __secure_boot(efivars_dir) if efivars_dir else False,
} }
return grains return grains

129
tests/pytests/unit/grains/test_secure_boot.py Normal file
View file

@ -0,0 +1,129 @@
"""
:codeauthor: :email:`David Murphy <david-dm.murphy@broadcom.com`
"""
import shutil
import pytest
import salt.grains.extra
from tests.support.mock import patch
pytestmark = [
pytest.mark.skip_unless_on_linux(reason="Only supported on Linux family"),
]
@pytest.mark.parametrize(
"setting_secure, extra_file, expected_enabled",
(
(True, False, True),
(True, True, False),
(False, False, False),
(False, True, False),
),
)
def test_secure_boot_efivars(tmp_path, setting_secure, extra_file, expected_enabled):
secure_boot_path = tmp_path / "secure-boot"
secure_boot_path_vars = secure_boot_path / "efivars"
secure_boot_path_vars.mkdir(parents=True, exist_ok=True)
secure_boot_filepath = secure_boot_path_vars / "SecureBoot-dog"
if setting_secure:
secure_boot_filepath.write_bytes(b"\x06\x00\x00\x00\x01")
else:
secure_boot_filepath.write_bytes(b"\x06\x00\x00\x00\x00")
if extra_file:
secure_boot_filepath2 = secure_boot_path_vars / "SecureBoot-kat"
if setting_secure:
secure_boot_filepath2.write_bytes(b"\x06\x00\x00\x00\x01")
else:
secure_boot_filepath2.write_bytes(b"\x06\x00\x00\x00\x00")
with patch(
"salt.grains.extra.get_secure_boot_path", return_value=secure_boot_path_vars
):
grains = salt.grains.extra.uefi()
expected = {"efi": True, "efi-secure-boot": expected_enabled}
assert grains == expected
shutil.rmtree(secure_boot_path)
@pytest.mark.parametrize(
"setting_secure, extra_file, expected_enabled",
(
(True, False, True),
(True, True, False),
(False, False, False),
(False, True, False),
),
)
def test_secure_boot_vars(tmp_path, setting_secure, extra_file, expected_enabled):
secure_boot_path = tmp_path / "secure-boot"
secure_boot_path_vars = secure_boot_path / "vars" / "SecureBoot-dog"
secure_boot_path_vars1 = secure_boot_path_vars / "SecureBoot-dog"
secure_boot_path_vars1.mkdir(parents=True, exist_ok=True)
secure_boot_filepath = secure_boot_path_vars1 / "data"
if setting_secure:
secure_boot_filepath.write_bytes(b"\x06\x00\x00\x00\x01")
else:
secure_boot_filepath.write_bytes(b"\x06\x00\x00\x00\x00")
if extra_file:
secure_boot_path_vars2 = secure_boot_path_vars / "SecureBoot-kat"
secure_boot_path_vars2.mkdir(parents=True, exist_ok=True)
secure_boot_filepath2 = secure_boot_path_vars2 / "data"
if setting_secure:
secure_boot_filepath2.write_bytes(b"\x06\x00\x00\x00\x01")
else:
secure_boot_filepath2.write_bytes(b"\x06\x00\x00\x00\x00")
with patch(
"salt.grains.extra.get_secure_boot_path", return_value=secure_boot_path_vars
):
grains = salt.grains.extra.uefi()
expected = {"efi": True, "efi-secure-boot": expected_enabled}
assert grains == expected
shutil.rmtree(secure_boot_path)
@pytest.mark.parametrize(
"setting_secure, expected_enabled",
(
(True, True),
(False, False),
(False, False),
(False, False),
),
)
def test_secure_boot_efivars_and_vars(tmp_path, setting_secure, expected_enabled):
secure_boot_path = tmp_path / "secure-boot"
secure_boot_path_vars = secure_boot_path / "efivars"
secure_boot_path_vars.mkdir(parents=True, exist_ok=True)
secure_boot_filepath = secure_boot_path_vars / "SecureBoot-dog"
secure_boot_path_vars2 = secure_boot_path / "vars" / "SecureBoot-kat"
secure_boot_path_vars2.mkdir(parents=True, exist_ok=True)
secure_boot_filepath2 = secure_boot_path_vars2 / "data"
if setting_secure:
# efivars True, vars / data False
secure_boot_filepath.write_bytes(b"\x06\x00\x00\x00\x01")
secure_boot_filepath2.write_bytes(b"\x06\x00\x00\x00\x00")
else:
# efivars false, vars / data True
secure_boot_filepath.write_bytes(b"\x06\x00\x00\x00\x00")
secure_boot_filepath2.write_bytes(b"\x06\x00\x00\x00\x01")
with patch(
"salt.grains.extra.get_secure_boot_path", return_value=secure_boot_path_vars
):
grains = salt.grains.extra.uefi()
expected = {"efi": True, "efi-secure-boot": expected_enabled}
assert grains == expected
shutil.rmtree(secure_boot_path)