From c92ff12404c7870d50b7ccd96c6269d7b3967ac2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Foorack=20/=20Max=20Fax=C3=A4lv?= Date: Thu, 8 Dec 2022 23:00:47 +0100 Subject: [PATCH] Force `keep_acl_in_token` to True when `rest` external_auth is used --- conf/master | 5 +++++ conf/suse/master | 5 +++++ doc/ref/configuration/master.rst | 5 +++++ salt/config/__init__.py | 12 ++++++++++++ tests/unit/test_config.py | 6 ++++++ 5 files changed, 33 insertions(+) diff --git a/conf/master b/conf/master index 4cb3542dd1c..d655e93d45f 100644 --- a/conf/master +++ b/conf/master @@ -424,6 +424,11 @@ # Set to True to enable keeping the calculated user's auth list in the token # file. This is disabled by default and the auth list is calculated or requested # from the eauth driver each time. +# +# Note: `keep_acl_in_token` will be forced to True when using external authentication +# for REST API (`rest` is present under `external_auth`). This is because the REST API +# does not store the password, and can therefore not retroactively fetch the ACL, so +# the ACL must be stored in the token. #keep_acl_in_token: False # Auth subsystem module to use to get authorized access list for a user. By default it's diff --git a/conf/suse/master b/conf/suse/master index 2e9eca060f6..24c38973163 100644 --- a/conf/suse/master +++ b/conf/suse/master @@ -376,6 +376,11 @@ syndic_user: salt # Set to True to enable keeping the calculated user's auth list in the token # file. This is disabled by default and the auth list is calculated or requested # from the eauth driver each time. +# +# Note: `keep_acl_in_token` will be forced to True when using external authentication +# for REST API (`rest` is present under `external_auth`). This is because the REST API +# does not store the password, and can therefore not retroactively fetch the ACL, so +# the ACL must be stored in the token. #keep_acl_in_token: False # Auth subsystem module to use to get authorized access list for a user. By default it's 
diff --git a/doc/ref/configuration/master.rst b/doc/ref/configuration/master.rst index f596cc0d707..2e2086e0e78 100644 --- a/doc/ref/configuration/master.rst +++ b/doc/ref/configuration/master.rst @@ -1868,6 +1868,11 @@ Set to True to enable keeping the calculated user's auth list in the token file. This is disabled by default and the auth list is calculated or requested from the eauth driver each time. +Note: `keep_acl_in_token` will be forced to True when using external authentication +for REST API (`rest` is present under `external_auth`). This is because the REST API +does not store the password, and can therefore not retroactively fetch the ACL, so +the ACL must be stored in the token. + .. code-block:: yaml keep_acl_in_token: False diff --git a/salt/config/__init__.py b/salt/config/__init__.py index 7b6946751a3..372555969d2 100644 --- a/salt/config/__init__.py +++ b/salt/config/__init__.py @@ -3917,6 +3917,18 @@ def apply_master_config(overrides=None, defaults=None): _adjust_log_file_override(overrides, defaults["log_file"]) if overrides: opts.update(overrides) + # `keep_acl_in_token` will be forced to True when using external authentication + # for REST API (`rest` is present under `external_auth`). This is because the REST API + # does not store the password, and can therefore not retroactively fetch the ACL, so + # the ACL must be stored in the token. + if "rest" in opts.get("external_auth", {}): + # Check current value and print out warning + if opts["keep_acl_in_token"] is False: + log.warning( + "The 'rest' external_auth backend requires 'keep_acl_in_token' to be True. " + "Setting 'keep_acl_in_token' to True." + ) + opts["keep_acl_in_token"] = True opts["__cli"] = salt.utils.stringutils.to_unicode(os.path.basename(sys.argv[0])) diff --git a/tests/unit/test_config.py b/tests/unit/test_config.py index 9c1f3332fff..5cc58c273d0 100644 --- a/tests/unit/test_config.py +++ b/tests/unit/test_config.py 
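Review bot: `"rest" in opts.get("external_auth", {})` only guards a missing key; if `external_auth:` is present in the YAML but left empty (loaded as None), the membership test raises TypeError and apply_master_config aborts, so `if "rest" in (opts.get("external_auth") or {}):` is the safer form. The warning is gated on `opts["keep_acl_in_token"] is False`, so any other falsy or non-bool value is overridden silently (and a missing key would KeyError before the override), whereas `if not opts.get("keep_acl_in_token"):` reports every case that is actually being changed. Since the override means the ACL captured at authentication time is kept in the token rather than re-requested from the driver, the warning would be more useful to operators if it also said that permission changes at the REST backend presumably only take effect once a new token is issued — confirm against the token lifetime handling before wording it. apply_master_config starts and ends outside this hunk.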
@@ -1846,6 +1846,12 @@ class ConfigTestCase(TestCase, AdaptedConfigurationTestCaseMixin): self.assertNotIn("environment", ret) self.assertEqual(ret["saltenv"], "foo") + # Test config to verify that `keep_acl_in_token` is forced to True + # when `rest` is present as driver in the `external_auth` config. + overrides = {"external_auth": {"rest": {"^url": "http://test_url/rest"}}} + ret = salt.config.apply_master_config(overrides=overrides) + self.assertTrue(ret["keep_acl_in_token"]) + # MINION CONFIG # Ensure that environment overrides saltenv when saltenv not
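Review bot: The new assertion only covers the forced case; nothing checks that a config without `rest` under `external_auth` leaves `keep_acl_in_token` at its default, so a regression that forces the option unconditionally would still pass. A companion check such as `ret = salt.config.apply_master_config(overrides={"external_auth": {}})` followed by `self.assertFalse(ret["keep_acl_in_token"])` pins the condition (the shipped conf comment documents False as the default). The enclosing test method starts before this hunk.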