Regex support for user names in external_auth config.

2025-04-17 10:10:20 +00:00 · 2017-08-28 12:46:26 +03:00 · 2017-08-28 12:46:26 +03:00 · 9fe32f8b6e
commit 9fe32f8b6e
parent 078d5d17de
3 changed files with 40 additions and 37 deletions
--- a/salt/auth/init.py
+++ b/salt/auth/init.py
@ -377,46 +377,13 @@ class LoadAuth(object):
        eauth_config = self.opts['external_auth'][eauth]
        if not groups:
            groups = []
-        group_perm_keys = [item for item in eauth_config if item.endswith('%')]  # The configured auth groups
-
-        # First we need to know if the user is allowed to proceed via any of their group memberships.
-        group_auth_match = False
-        for group_config in group_perm_keys:
-            if group_config.rstrip('%') in groups:
-                group_auth_match = True
-                break
-        # If a group_auth_match is set it means only that we have a
-        # user which matches at least one or more of the groups defined
-        # in the configuration file.
-
-        external_auth_in_db = False
-        for entry in eauth_config:
-            if entry.startswith('^'):
-                external_auth_in_db = True
-                break
-
-        # If neither a catchall, a named membership or a group
-        # membership is found, there is no need to continue. Simply
-        # deny the user access.
-        if not ((name in eauth_config) |
-                ('*' in eauth_config) |
-                group_auth_match | external_auth_in_db):
-            # Auth successful, but no matching user found in config
-            log.warning('Authorization failure occurred.')
-            return None

        # We now have an authenticated session and it is time to determine
        # what the user has access to.
-        auth_list = []
-        if name in eauth_config:
-            auth_list = eauth_config[name]
-        elif '*' in eauth_config:
-            auth_list = eauth_config['*']
-        if group_auth_match:
-            auth_list = self.ckminions.fill_auth_list_from_groups(
-                    eauth_config,
-                    groups,
-                    auth_list)
+        auth_list = self.ckminions.fill_auth_list(
+                eauth_config,
+                name,
+                groups)

        auth_list = self.__process_acl(load, auth_list)

--- a/salt/config/init.py
+++ b/salt/config/init.py
@ -717,6 +717,10 @@ VALID_OPTS = {
    'fileserver_limit_traversal': bool,
    'fileserver_verify_config': bool,

+    # Optionally apply '*' permissioins to any user. By default '*' is a fallback case that is
+    # applied only if the user didn't matched by other matchers.
+    'permissive_acl': bool,
+
    # Optionally enables keeping the calculated user's auth list in the token file.
    'keep_acl_in_token': bool,

@ -1466,6 +1470,7 @@ DEFAULT_MASTER_OPTS = {
    'external_auth': {},
    'token_expire': 43200,
    'token_expire_user_override': False,
+    'permissive_acl': False,
    'keep_acl_in_token': False,
    'eauth_acl_module': '',
    'extension_modules': os.path.join(salt.syspaths.CACHE_DIR, 'master', 'extmods'),
--- a/salt/utils/minions.py
+++ b/salt/utils/minions.py
@ -985,10 +985,37 @@ class CkMinions(object):
                        auth_list.append(matcher)
        return auth_list

+    def fill_auth_list(self, auth_provider, name, groups, auth_list=None, permissive=None):
+        '''
+        Returns a list of authorisation matchers that a user is eligible for.
+        This list is a combination of the provided personal matchers plus the
+        matchers of any group the user is in.
+        '''
+        if auth_list is None:
+            auth_list = []
+        if permissive is None:
+            permissive = self.opts.get('permissive_acl')
+        name_matched = False
+        for match in auth_provider:
+            if match == '*' and not permissive:
+                continue
+            if match.endswith('%'):
+                if match.rstrip('%') in groups:
+                    auth_list.extend(auth_provider[match])
+            else:
+                if salt.utils.expr_match(match, name):
+                    name_matched = True
+                    auth_list.extend(auth_provider[match])
+        if not permissive and not name_matched and '*' in auth_provider:
+            auth_list.extend(auth_provider['*'])
+        return auth_list
+
    def wheel_check(self, auth_list, fun):
        '''
        Check special API permissions
        '''
+        if not auth_list:
+            return False
        comps = fun.split('.')
        if len(comps) != 2:
            return False
@ -1020,6 +1047,8 @@ class CkMinions(object):
        '''
        Check special API permissions
        '''
+        if not auth_list:
+            return False
        comps = fun.split('.')
        if len(comps) != 2:
            return False
@ -1051,6 +1080,8 @@ class CkMinions(object):
        '''
        Check special API permissions
        '''
+        if not auth_list:
+            return False
        if form != 'cloud':
            comps = fun.split('.')
            if len(comps) != 2: