saltstack/salt
1
0
Fork 0
mirror of https://github.com/saltstack/salt.git synced 2025-04-16 09:40:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge forward 3004.2 (#62200)

Browse source 
* Check only ssh-rsa encyption for set_known_host

* Windows test fix

* Fix pre-commit

* add CentOS Stream to _OS_FAMILY_MAP, fix #59161

* added changelog and test

* fix syntax

* Use centosstream 8 for testing

* Use ? for matching spaces

Technically this isn't *quite* right as 'CentOSyStream' would also
match, but it's pretty reasonable:

- OS grains shouldn't ever be that kind of close
- This test is only swapping out spaces, and only for the os grain. That
  would mean there would have to be two OSes with grains that only
  differ by one having a space where another one has any other
  character.
- This test really isn't even about matching grains, we're just using
  compound matching and that's a reasonable one to use.

* Add centos stream when detecting package manager name

* Fix pre-commit

* Remove tests for fedora 32/33 EOL

* Remove tests for fedora 32/33 EOL

* Remove tests for fedora 33 EOL

* Use centosstream 8 for testing

* Use ? for matching spaces

Technically this isn't *quite* right as 'CentOSyStream' would also
match, but it's pretty reasonable:

- OS grains shouldn't ever be that kind of close
- This test is only swapping out spaces, and only for the os grain. That
  would mean there would have to be two OSes with grains that only
  differ by one having a space where another one has any other
  character.
- This test really isn't even about matching grains, we're just using
  compound matching and that's a reasonable one to use.

* 3002.9: Fix pre-commit

* 3003.5 Fix pre-commit

* [3002.9] Replace use of 'sl' with 'paper' for Arch tests, due to 'sl' having key issues

* Remove mojave testing

* Remove mojave and high sierra testing

* Remove mojave testing

* [3002.9] Fix cloud vultr size issue

* Update package name to aspnetcore-runtime-6.0 for redhat 8 pkg tests

* Update package name to aspnetcore-runtime-6.0 for redhat 8 pkg tests

* change amazon linux AMI

* Migrate `unit.modules.test_gpg` to PyTest

* Don't leave any `gpg-agent`'s running behind

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Start a background process to generate entropy.

Some tests have failed because of not enough entropy which then makes
the test timeout.

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* A different approach at generating entropy

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Turn entropy generation into a helper

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* change amazon linux AMI

* change amazon linux AMI

* [3004.2] Fix cloud vultr size issue

* Fix cloud requirements

* Skip pam tests on windows

* Update ami to try to get the tests running

* Update amis to try to get the tests running

* Fixing test_publish_to_pubserv_ipc_tcp, moving the call to socket.socket into the while loop.

* Add static requirements for 3.8 and 3.9 on Windows

* Fix requirements

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* The whole CI process is already slower than GH Actions, no caches.

* Pre-commit must not run with ``PIP_EXTRA_INDEX_URL`` set.

* Lint fixes

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Compile cloud requirements

* Run add requirements files for 3.8 and 3.9

* Fix docs and cloud requirements

* [3003.5] Fix cloud vultr size issue

* Windows test fix

* Skip test if docker not running

* [3003.5] Fix pre-commit

* Update Markup and contextfunction imports for jinja versions >=3.1.

* update bootstrap to 2022.03.15

* update bootstrap to 2022.03.15

* skipping tests/pytests/integration/modules/test_virt.py on 3002.x and 3003.x branches.

* Windows test fix

* Skip PAM tests on Windows

Windows has no ctypes with the PAM bits, so we should go ahead and skip
on Windows.

* Skip PAM auth tests on Windows

Windows lacks the correct bits, so...

* Fix pre-commit

* Skipping tests since they're also skipped on the master branch

Fixes #403

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Skip test that only runs because the patch binary is now available.

The feature though, was only added in 3004.

Fixes #404

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Skip test which is only supposed to run in Linux

Fixes https://github.com/saltstack/salt-priv/issues/405

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* GPG tests do not work on windows yet

* Fix tests

* Fix pre-commit

* skip tests.integration.modules.test_mac_brew_pkg.BrewModuleTest.test_list_upgrades and tests.integration.modules.test_state.StateModuleTest.test_get_file_from_env_in_top_match on Mac OS.

* skip tests.integration.modules.test_mac_brew_pkg.BrewModuleTest.test_list_upgrades and tests.integration.modules.test_state.StateModuleTest.test_get_file_from_env_in_top_match on Mac OS.

* Removing skip, moving it to different PR.

* Skipping tests on 3002.9.

* test fix

* Do not run patch tests on 3003.5. Feature not added till 3004

* skipping tests/pytests/integration/modules/test_virt.py on 3002.x and 3003.x branches.

* Fix pre-commit

* [3004.2] Update freebsd ami

* Bump the git version for freebsd CI tests

* removing versions that are no longer available from the tests.pytests.scenarios.compat.test_with_versions tests.

* Skip tests on windows when NOT using static requirements

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* removing versions that are no longer available from the tests.pytests.scenarios.compat.test_with_versions tests.

* test_issue_36469_tcp causes a fatal python error when run on Mac OS, so skipping.

* Fix tests

* Fix pre-commit

* Do not run patch tests on 3003.5. Feature not added till 3004

* Skip archive tar tests on windows

* [3002.9] Skip archive tar tests on windows

* GPG tests do not work on windows yet

* Skip test which is only supposed to run in Linux

Fixes https://github.com/saltstack/salt-priv/issues/405

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Skip test that only runs because the patch binary is now available.

The feature though, was only added in 3004.

Fixes #404

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Skipping tests since they're also skipped on the master branch

Fixes #403

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Fix pre-commit

* Fix pre-commit

* Fix pre-commit

* Fix pre-commit

* retry sdb.get if it returns None

None is an entirely valid return - see EtcdClient.get in
salt/utils/etcd_util.py

* drop py2/six

* fix etcd sdb.set as well

* Fix etdcd-sdb test failure

If docker container is up and running, but etcd isn't responding yet
it's possible that we get some failing tests. This should wait a
reasonable amount of time for things to come up. Or just skip the test.

* Fix etdcd-sdb test failure

If docker container is up and running, but etcd isn't responding yet
it's possible that we get some failing tests. This should wait a
reasonable amount of time for things to come up. Or just skip the test.

* Skip the tests from unit/transport/test_zero.py that are hanging on Mac.

* skip tests in tests/pytests/unit/states/test_archive.py for 3002.9

* 3002.9 Skipping  CA permissions tests on Windows, similar to 3003.5 and 3004.2

* change skipif to skip

* Rollback Windows AMIs to use Python 3.7

* Rollback AMI's to Python 3.7... fix tests

* Fix failing test_archive tests

* Build using pyenv

* Add symlinks to openssl and rpath

* Add shasum for zeromq 4.3.4

* Fix docs on scripts

* Build zeromq earlier, fix symlinks

* Bring 61446 to 3004.1 branch

* Add changelog and tests

* Fix schedule test flakiness

* Retry with new port if in use

* fixing failing tests, ensuring that the correct path is used.

* fixing failing tests, ensuring that the correct path is used.

* fixing failing tests, ensuring that the correct path is used.

* Re-enable tiamat-pip on windows

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Bump duration time for windwos for test_retry_option_success

* Skip test cauing hangs

* go go pylint disable

* more pre-commit

* oh lint

* so many weird hook failures

* Add unit tests for PAM auth CVE

We could add functional tests if it's important enough, but this is the
narrowest place to test.

* Fix PAM auth CVE

Credit to @ysf

Previously we weren't checking the result of PAM_ACCT_MGMT.

* pylint disable

* rewrite hook changes

* Skip PAM auth tests on Windows

Since Windows ends out lacking the correct bits, no need to run tests
there.

* pre-commit fixes

* docs 3004.2 release

* Fix bug in tcp transport

* Fix the test_zeromq_filtering test

* skip test_npm_install_url_referenced_package on centos 7 and 8.

* Swapping CentOS Linux-8 for CentOS Stream-8

* Update build scripts to use pyenv

* Fix tests on MacOS

* Fix bug in tcp transport

* Fix test failures

* Update release notes and man pages for 3003.5

* Add 3002.9 changelog, release notes, man pages

* Update doc/topics/releases/3002.9.rst

Co-authored-by: Megan Wilhite <mwilhite@vmware.com>

* Fix requirements

* Fix imports

* Test fixup

* Fix merge warts

* fix merge wart in changelog

* Fix merge warts in tests

Co-authored-by: krionbsd <krion@FreeBSD.org>
Co-authored-by: Megan Wilhite <megan.wilhite@gmail.com>
Co-authored-by: Alexander Kriventsov <akriventsov@nic.ru>
Co-authored-by: Megan Wilhite <mwilhite@vmware.com>
Co-authored-by: Wayne Werner <wwerner@vmware.com>
Co-authored-by: Gareth J. Greenaway <gareth@saltstack.com>
Co-authored-by: David Murphy < dmurphy@saltstack.com>
Co-authored-by: Twangboy <leesh@vmware.com>
Co-authored-by: MKLeb <calebb@vmware.com>
Co-authored-by: Pedro Algarvio <pedro@algarvio.me>
Co-authored-by: Pedro Algarvio <palgarvio@vmware.com>
Co-authored-by: Thomas Phipps <tphipps@vmware.com>
Co-authored-by: Frode Gundersen <frogunder@gmail.com>
Co-authored-by: Alyssa Rock <alyssa.rock@gmail.com>
Co-authored-by: Alyssa Rock <43180546+barbaricyawps@users.noreply.github.com>
This commit is contained in:
Daniel Wozniak 2022-06-29 09:10:06 -07:00 committed by GitHub
parent 29d66ecb60
commit d9343cca65
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
53 changed files with 601 additions and 93 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
CHANGELOG.md
View file

@ -7,6 +7,7 @@ Versions are `MAJOR.PATCH`.
# Changelog
Salt 3004.1 (2022-02-16)
========================
@ -207,6 +208,36 @@ Added
- Allow a user to use the aptpkg.py module without installing python-apt. (#60818)
Salt 3003.5 (2022-07-05)
========================
Fixed
-----
- Update Markup and contextfunction imports for jinja versions >=3.1. (#61848)
- Fix bug in tcp transport (#61865)
- Make sure the correct key is being used when verifying or validating communication, eg. when a Salt syndic is involved use syndic_master.pub and when a Salt minion is involved use minion_master.pub. (#61868)
Security
--------
- Fixed PAM auth to reject auth attempt if user account is locked. (cve-2022-22967)
Salt 3003.4 (2022-02-25)
========================
Security
--------
- Sign authentication replies to prevent MiTM (cve-2022-22935)
- Prevent job and fileserver replays (cve-2022-22936)
- Sign pillar data to prevent MiTM attacks. (cve-2202-22934)
- Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941) (#60413)
- Fix denial of service in junos ifconfig output parsing.
Salt 3003.3 (2021-08-20)
========================
@ -427,6 +458,37 @@ Added
metadata for a package by extracting library requirement information from the
binary ELF files in the package. (#59569)
Salt 3002.9 (2022-05-25)
========================
Fixed
-----
- Fixed an error when running on CentOS Stream 8. (#59161)
- Fix bug in tcp transport (#61865)
- Make sure the correct key is being used when verifying or validating communication, eg. when a Salt syndic is involved use syndic_master.pub and when a Salt minion is involved use minion_master.pub. (#61868)
Security
--------
- Fixed PAM auth to reject auth attempt if user account is locked. (cve-2022-22967)
Salt 3002.8 (2022-02-25)
========================
Security
--------
- Sign authentication replies to prevent MiTM (cve-2020-22935)
- Sign pillar data to prevent MiTM attacks. (cve-2022-22934)
- Prevent job and fileserver replays (cve-2022-22936)
- Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941) (#60413)
Salt 3002.7 (2021-08-20)
========================
@ -443,6 +505,7 @@ Security
Additionally, an audit and a tool was put in place, ``bandit``, to address similar issues througout the code base, and prevent them. (CVE-2021-31607)
- Ensure that sourced file is cached using its hash name (cve-2021-21996)
Salt 3002.6 (2021-03-10)
========================
@ -451,6 +514,7 @@ Changed
- Store git sha in salt/_version.py when installing from a tag so it can be found if needed later. (#59137)
Fixed
-----

2
doc/man/salt-api.1
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-API" "1" "Feb 16, 2022" "3004.1" "Salt"
.TH "SALT-API" "1" "May 12, 2022" "3004.2" "Salt"
.SH NAME
salt-api \- salt-api Command
.

2
doc/man/salt-call.1
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-CALL" "1" "Feb 16, 2022" "3004.1" "Salt"
.TH "SALT-CALL" "1" "May 12, 2022" "3004.2" "Salt"
.SH NAME
salt-call \- salt-call Documentation
.

2
doc/man/salt-cloud.1
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-CLOUD" "1" "Feb 16, 2022" "3004.1" "Salt"
.TH "SALT-CLOUD" "1" "May 12, 2022" "3004.2" "Salt"
.SH NAME
salt-cloud \- Salt Cloud Command
.

2
doc/man/salt-cp.1
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-CP" "1" "Feb 16, 2022" "3004.1" "Salt"
.TH "SALT-CP" "1" "May 12, 2022" "3004.2" "Salt"
.SH NAME
salt-cp \- salt-cp Documentation
.

2
doc/man/salt-key.1
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-KEY" "1" "Feb 16, 2022" "3004.1" "Salt"
.TH "SALT-KEY" "1" "May 12, 2022" "3004.2" "Salt"
.SH NAME
salt-key \- salt-key Documentation
.

2
doc/man/salt-master.1
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-MASTER" "1" "Feb 16, 2022" "3004.1" "Salt"
.TH "SALT-MASTER" "1" "May 12, 2022" "3004.2" "Salt"
.SH NAME
salt-master \- salt-master Documentation
.

2
doc/man/salt-minion.1
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-MINION" "1" "Feb 16, 2022" "3004.1" "Salt"
.TH "SALT-MINION" "1" "May 12, 2022" "3004.2" "Salt"
.SH NAME
salt-minion \- salt-minion Documentation
.

2
doc/man/salt-proxy.1
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-PROXY" "1" "Feb 16, 2022" "3004.1" "Salt"
.TH "SALT-PROXY" "1" "May 12, 2022" "3004.2" "Salt"
.SH NAME
salt-proxy \- salt-proxy Documentation
.

2
doc/man/salt-run.1
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-RUN" "1" "Feb 16, 2022" "3004.1" "Salt"
.TH "SALT-RUN" "1" "May 12, 2022" "3004.2" "Salt"
.SH NAME
salt-run \- salt-run Documentation
.

2
doc/man/salt-ssh.1
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-SSH" "1" "Feb 16, 2022" "3004.1" "Salt"
.TH "SALT-SSH" "1" "May 12, 2022" "3004.2" "Salt"
.SH NAME
salt-ssh \- salt-ssh Documentation
.

2
doc/man/salt-syndic.1
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-SYNDIC" "1" "Feb 16, 2022" "3004.1" "Salt"
.TH "SALT-SYNDIC" "1" "May 12, 2022" "3004.2" "Salt"
.SH NAME
salt-syndic \- salt-syndic Documentation
.

2
doc/man/salt.1
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT" "1" "Feb 16, 2022" "3004.1" "Salt"
.TH "SALT" "1" "May 12, 2022" "3004.2" "Salt"
.SH NAME
salt \- salt
.

2
doc/man/salt.7
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT" "7" "Feb 16, 2022" "3004.1" "Salt"
.TH "SALT" "7" "May 12, 2022" "3004.2" "Salt"
.SH NAME
salt \- Salt Documentation
.

2
doc/man/spm.1
View file

@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SPM" "1" "Feb 16, 2022" "3004.1" "Salt"
.TH "SPM" "1" "May 12, 2022" "3004.2" "Salt"
.SH NAME
spm \- Salt Package Manager Command
.

34
doc/topics/releases/3002.8.rst Normal file
View file

@ -0,0 +1,34 @@
.. _release-3002-8:
========================
Salt 3002.8 (2022-02-25)
========================
Version 3002.8 is a CVE security fix release for :ref:`3002 <release-3002>`.
Important notice about upgrading
--------------------------------
Version 3002.8 is a security release. 3002.8 minions are not able to
communicate with masters older than 3002.8. You must upgrade your masters
before upgrading minions.
Minion authentication security
------------------------------
Authentication between masters and minions rely on public/private key
encryption and message signing. To secure minion authentication before you must
pre-seed the master's public key on minions. To pre-seed the minions' master
key, place a copy of the master's public key in the minion's pki directory as
``minion_master.pub``.
Security
--------
- Sign authentication replies to prevent MiTM (cve-2020-22935)
- Sign pillar data to prevent MiTM attacks. (cve-2022-22934)
- Prevent job and fileserver replays (cve-2022-22936)
- Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941) (#60413)

21
doc/topics/releases/3002.9.rst Normal file
View file

@ -0,0 +1,21 @@
.. _release-3002-9:
========================
Salt 3002.9 (2022-05-25)
========================
Version 3002.9 is a CVE security fix release for :ref:`3002 <release-3002>`.
Fixed
-----
- Fixed an error when running on CentOS Stream 8. (#59161)
- Fix bug in tcp transport (#61865)
- Make sure the correct key is being used when verifying or validating communication, eg. when a Salt syndic is involved use syndic_master.pub and when a Salt minion is involved use minion_master.pub. (#61868)
Security
--------
- Fixed PAM auth to reject auth attempt if user account is locked. (cve-2022-22967)

35
doc/topics/releases/3003.4.rst Normal file
View file

@ -0,0 +1,35 @@
.. _release-3003-4:
========================
Salt 3003.4 (2022-02-25)
========================
Version 3003.4 is a CVE security fix release for :ref:`3003 <release-3003>`.
Important notice about upgrading
--------------------------------
Version 3003.4 is a security release. 3003.4 minions are not able to
communicate with masters older than 3003.4. You must upgrade your masters
before upgrading minions.
Minion authentication security
------------------------------
Authentication between masters and minions rely on public/private key
encryption and message signing. To secure minion authentication before you must
pre-seed the master's public key on minions. To pre-seed the minions' master
key, place a copy of the master's public key in the minion's pki directory as
``minion_master.pub``.
Security
--------
- Sign authentication replies to prevent MiTM (cve-2022-22935)
- Prevent job and fileserver replays (cve-2022-22936)
- Sign pillar data to prevent MiTM attacks. (cve-2202-22934)
- Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941) (#60413)
- Fix denial of service in junos ifconfig output parsing.

21
doc/topics/releases/3003.5.rst Normal file
View file

@ -0,0 +1,21 @@
.. _release-3003-5:
========================
Salt 3003.5 (2022-07-05)
========================
Version 3003.5 is a CVE security fix release for :ref:`3003 <release-3003>`.
Fixed
-----
- Update Markup and contextfunction imports for jinja versions >=3.1. (#61848)
- Fix bug in tcp transport (#61865)
- Make sure the correct key is being used when verifying or validating communication, eg. when a Salt syndic is involved use syndic_master.pub and when a Salt minion is involved use minion_master.pub. (#61868)
Security
--------
- Fixed PAM auth to reject auth attempt if user account is locked. (cve-2022-22967)

20
doc/topics/releases/3004.2.rst Normal file
View file

@ -0,0 +1,20 @@
.. _release-3004-2:
=========================
Salt 3004.2 Release Notes
=========================
Version 3004.2 is a CVE security fix release for :ref:`3004 <release-3004>`.
Fixed
-----
- Expand environment variables in the root_dir registry key (#61445)
- Update Markup and contextfunction imports for jinja versions >=3.1. (#61848)
- Fix bug in tcp transport (#61865)
- Make sure the correct key is being used when verifying or validating communication, eg. when a Salt syndic is involved use syndic_master.pub and when a Salt minion is involved use minion_master.pub. (#61868)
Security
--------
- Fixed PAM auth to reject auth attempt if user account is locked. (cve-2022-22967)

1
pkg/osx/pkg-scripts/postinstall
View file

@ -29,6 +29,7 @@ BIN_DIR="$INSTALL_DIR/bin"
CONFIG_DIR="/etc/salt"
TEMP_DIR="/tmp"
SBIN_DIR="/usr/local/sbin"
PY_DOT_VERSION="3.7.12"
###############################################################################
# Set up logging and error handling

8
pkg/osx/sign_binaries.sh
View file

@ -78,6 +78,14 @@ install_name_tool $INSTALL_DIR/bin/python${PY_VERSION}m \
-add_rpath $INSTALL_DIR/.pyenv/versions/$PY_DOT_VERSION/lib \
-add_rpath $INSTALL_DIR/.pyenv/versions/$PY_DOT_VERSION/openssl/lib || echo "already present"
################################################################################
# Add rpath to the Python binaries before signing
################################################################################
echo "**** Setting rpath in binaries"
install_name_tool $INSTALL_DIR/bin/python3.7m \
-add_rpath $INSTALL_DIR/.pyenv/versions/3.7.12/lib \
-add_rpath $INSTALL_DIR/.pyenv/versions/3.7.12/openssl/lib || echo "already present"
################################################################################
# Sign python binaries in `bin` and `lib`
################################################################################

1
requirements/static/ci/py3.7/windows.txt
View file

@ -403,6 +403,7 @@ typing-extensions==3.10.0.0
# yarl
urllib3==1.26.6
# via
# -r requirements/windows.txt
# botocore
# kubernetes
# python-etcd

1
requirements/static/ci/py3.8/windows.txt
View file

@ -389,6 +389,7 @@ typing-extensions==4.2.0
# pytest-system-statistics
urllib3==1.26.6
# via
# -r requirements/windows.txt
# botocore
# kubernetes
# python-etcd

1
requirements/static/ci/py3.9/windows.txt
View file

@ -389,6 +389,7 @@ typing-extensions==4.2.0
# pytest-system-statistics
urllib3==1.26.6
# via
# -r requirements/windows.txt
# botocore
# kubernetes
# python-etcd

4
requirements/static/pkg/py3.7/windows.txt
View file

@ -130,7 +130,9 @@ typing-extensions==3.10.0.0
# gitpython
# importlib-metadata
urllib3==1.26.6
# via requests
# via
# -r requirements/windows.txt
# requests
wheel==0.36.2
# via -r requirements/windows.txt
wmi==1.5.1

4
requirements/static/pkg/py3.8/windows.txt
View file

@ -126,7 +126,9 @@ tempora==4.1.1
timelib==0.2.5
# via -r requirements/windows.txt
urllib3==1.26.6
# via requests
# via
# -r requirements/windows.txt
# requests
wheel==0.36.2
# via -r requirements/windows.txt
wmi==1.5.1

4
requirements/static/pkg/py3.9/windows.txt
View file

@ -126,7 +126,9 @@ tempora==4.1.1
timelib==0.2.5
# via -r requirements/windows.txt
urllib3==1.26.6
# via requests
# via
# -r requirements/windows.txt
# requests
wheel==0.36.2
# via -r requirements/windows.txt
wmi==1.5.1

1
requirements/windows.txt
View file

@ -27,6 +27,7 @@ python-gnupg>=0.4.7
requests>=2.25.1
setproctitle
timelib>=0.2.5
urllib3>=1.26.5
# Watchdog pulls in a GPL-3 package, argh, which cannot be shipped on the
# windows distribution package.
#

2
salt/auth/pam.py
View file

@ -209,7 +209,7 @@ def authenticate(username, password):
retval = PAM_AUTHENTICATE(handle, 0)
if retval == 0:
PAM_ACCT_MGMT(handle, 0)
retval = PAM_ACCT_MGMT(handle, 0)
PAM_END(handle, 0)
return retval == 0

3
salt/beacons/watchdog.py
View file

@ -13,9 +13,12 @@ import logging
import salt.utils.beacons
try:
# pylint: disable=no-name-in-module
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler
# pylint: enable=no-name-in-module
HAS_WATCHDOG = True
except ImportError:
HAS_WATCHDOG = False

16
salt/channel/client.py
View file

@ -135,6 +135,9 @@ class AsyncReqChannel:
self.opts = dict(opts)
self.transport = transport
self.auth = auth
self.master_pubkey_path = None
if self.auth:
self.master_pubkey_path = os.path.join(self.opts["pki_dir"], self.auth.mpub)
self._closing = False
@property
@ -188,10 +191,7 @@ class AsyncReqChannel:
signed_msg = pcrypt.loads(ret[dictkey])
# Validate the master's signature.
master_pubkey_path = os.path.join(self.opts["pki_dir"], "minion_master.pub")
if not salt.crypt.verify_signature(
master_pubkey_path, signed_msg["data"], signed_msg["sig"]
):
if not self.verify_signature(signed_msg["data"], signed_msg["sig"]):
raise salt.crypt.AuthenticationError(
"Pillar payload signature failed to validate."
)
@ -206,6 +206,9 @@ class AsyncReqChannel:
raise salt.crypt.AuthenticationError("Pillar nonce verification failed.")
raise salt.ext.tornado.gen.Return(data["pillar"])
def verify_signature(self, data, sig):
return salt.crypt.verify_signature(self.master_pubkey_path, data, sig)
@salt.ext.tornado.gen.coroutine
def _crypted_transfer(self, load, timeout=60, raw=False):
"""
@ -367,6 +370,7 @@ class AsyncPubChannel:
self._closing = False
self._reconnected = False
self.event = salt.utils.event.get_event("minion", opts=self.opts, listen=False)
self.master_pubkey_path = os.path.join(self.opts["pki_dir"], self.auth.mpub)
@property
def crypt(self):
@ -379,6 +383,7 @@ class AsyncPubChannel:
"""
try:
if not self.auth.authenticated:
log.error("WTF %r %r", self.auth.authenticated, self.auth.authenticate)
yield self.auth.authenticate()
# if this is changed from the default, we assume it was intentional
if int(self.opts.get("publish_port", 4506)) != 4506:
@ -536,9 +541,8 @@ class AsyncPubChannel:
)
# Verify that the signature is valid
master_pubkey_path = os.path.join(self.opts["pki_dir"], "minion_master.pub")
if not salt.crypt.verify_signature(
master_pubkey_path, payload["load"], payload.get("sig")
self.master_pubkey_path, payload["load"], payload.get("sig")
):
raise salt.crypt.AuthenticationError(
"Message signature failed to validate."

4
salt/engines/docker_events.py
View file

@ -9,8 +9,8 @@ import salt.utils.event
import salt.utils.json
try:
import docker # pylint: disable=import-error
import docker.utils # pylint: disable=import-error
import docker # pylint: disable=import-error,no-name-in-module
import docker.utils # pylint: disable=import-error,no-name-in-module
HAS_DOCKER_PY = True
except ImportError:

5
salt/master.py
View file

@ -737,7 +737,10 @@ class Master(SMaster):
# must be after channels
log.info("Creating master maintenance process")
self.process_manager.add_process(
Maintenance, args=(self.opts,), name="Maintenance"
Maintenance,
args=(self.opts,),
kwargs={"master_secrets": SMaster.secrets},
name="Maintenance",
)
if self.opts.get("event_return"):

4
salt/modules/ddns.py
View file

@ -32,8 +32,8 @@ log = logging.getLogger(__name__)
try:
import dns.query
import dns.update
import dns.tsigkeyring
import dns.update # pylint: disable=no-name-in-module
import dns.tsigkeyring # pylint: disable=no-name-in-module
dns_support = True
except ImportError as e:

2
salt/modules/kubernetesmod.py
View file

@ -59,6 +59,7 @@ import salt.utils.templates
import salt.utils.yaml
from salt.exceptions import CommandExecutionError, TimeoutError
# pylint: disable=import-error,no-name-in-module
try:
import kubernetes # pylint: disable=import-self
import kubernetes.client
@ -78,6 +79,7 @@ try:
HAS_LIBS = True
except ImportError:
HAS_LIBS = False
# pylint: enable=import-error,no-name-in-module
log = logging.getLogger(__name__)

1
salt/modules/virt.py
View file

@ -5778,7 +5778,6 @@ def get_hypervisor():
def _is_bhyve_hyper():
sysctl_cmd = "sysctl hw.vmm.create"
vmm_enabled = False
try:
stdout = subprocess.Popen(

5
salt/runners/bgp.py
View file

@ -103,7 +103,10 @@ try:
from netaddr import IPNetwork
from netaddr import IPAddress
from napalm.base import helpers as napalm_helpers # pylint: disable=unused-import
# pylint: disable=unused-import,no-name-in-module
from napalm.base import helpers as napalm_helpers
# pylint: enable=unused-import,no-name-in-module
HAS_NAPALM = True
except ImportError:

4
salt/runners/ddns.py
View file

@ -19,8 +19,8 @@ import salt.utils.json
HAS_LIBS = False
try:
import dns.query
import dns.update
import dns.tsigkeyring
import dns.update # pylint: disable=no-name-in-module
import dns.tsigkeyring # pylint: disable=no-name-in-module
HAS_LIBS = True
except ImportError:

4
salt/runners/net.py
View file

@ -74,8 +74,12 @@ import salt.utils.network
try:
from netaddr import IPNetwork # netaddr is already required by napalm
from netaddr.core import AddrFormatError
# pylint: disable=no-name-in-module
from napalm.base import helpers as napalm_helpers
# pylint: enable=no-name-in-module
HAS_NAPALM = True
except ImportError:
HAS_NAPALM = False

2
salt/states/netntp.py
View file

@ -38,7 +38,7 @@ except ImportError:
HAS_NETADDR = False
try:
import dns.resolver
import dns.resolver # pylint: disable=no-name-in-module
HAS_DNSRESOLVER = True
except ImportError:

2
salt/utils/dns.py
View file

@ -33,7 +33,7 @@ from salt.utils.odict import OrderedDict
# Integrations
try:
import dns.resolver
import dns.resolver # pylint: disable=no-name-in-module
HAS_DNSPYTHON = True
except ImportError:

8
salt/utils/mako.py
View file

@ -3,10 +3,10 @@ Functions for working with Mako templates
"""
try:
from mako.lookup import (
TemplateCollection,
TemplateLookup,
) # pylint: disable=import-error,3rd-party-module-not-gated
# pylint: disable=import-error,3rd-party-module-not-gated,no-name-in-module
from mako.lookup import TemplateCollection, TemplateLookup
# pylint: enable=import-error,3rd-party-module-not-gated,no-name-in-module
HAS_MAKO = True
except ImportError:

5
salt/utils/verify.py
View file

@ -488,6 +488,11 @@ def _realpath_windows(path):
base = os.path.abspath(os.path.sep.join([base, part]))
else:
base = part
# Python 3.8 added support for directory junctions which prefixes the
# return with `\\?\`. We need to strip that off.
# https://docs.python.org/3/library/os.html#os.readlink
if base.startswith("\\\\?\\"):
base = base[4:]
return base

40
tests/pytests/functional/states/test_pkgrepo.py Normal file
View file

@ -0,0 +1,40 @@
import platform
import pytest
import salt.utils.files
@pytest.mark.skipif(
not any([x for x in ["ubuntu", "debian"] if x in platform.platform()]),
reason="Test only for debian based platforms",
)
def test_adding_repo_file(states, tmp_path):
"""
test adding a repo file using pkgrepo.managed
"""
repo_file = str(tmp_path / "stable-binary.list")
repo_content = "deb http://www.deb-multimedia.org stable main"
ret = states.pkgrepo.managed(name=repo_content, file=repo_file, clean_file=True)
with salt.utils.files.fopen(repo_file, "r") as fp:
file_content = fp.read()
assert file_content.strip() == repo_content
@pytest.mark.skipif(
not any([x for x in ["ubuntu", "debian"] if x in platform.platform()]),
reason="Test only for debian based platforms",
)
def test_adding_repo_file_arch(states, tmp_path):
"""
test adding a repo file using pkgrepo.managed
and setting architecture
"""
repo_file = str(tmp_path / "stable-binary.list")
repo_content = "deb [arch=amd64 ] http://www.deb-multimedia.org stable main"
ret = states.pkgrepo.managed(name=repo_content, file=repo_file, clean_file=True)
with salt.utils.files.fopen(repo_file, "r") as fp:
file_content = fp.read()
assert (
file_content.strip()
== "deb [arch=amd64] http://www.deb-multimedia.org stable main"
)

1
tests/pytests/functional/transport/server/test_req_channel.py
View file

@ -8,6 +8,7 @@ import salt.channel.server
import salt.config
import salt.exceptions
import salt.ext.tornado.gen
import salt.log.setup
import salt.master
import salt.transport.client
import salt.transport.server

181
tests/pytests/functional/transport/zeromq/test_pub_server_channel.py
View file

@ -1,6 +1,7 @@
import ctypes
import logging
import multiprocessing
import socket
import time
from concurrent.futures.thread import ThreadPoolExecutor
@ -11,8 +12,14 @@ import salt.config
import salt.exceptions
import salt.ext.tornado.gen
import salt.ext.tornado.ioloop
import salt.log.setup
import salt.master
import salt.transport.client
import salt.transport.server
import salt.transport.tcp
import salt.transport.zeromq
import salt.utils.msgpack
import salt.utils.platform
import salt.utils.process
import salt.utils.stringutils
import zmq
@ -29,13 +36,22 @@ pytestmark = [
]
class RecvError(Exception):
"""
Raised by the Collector's _recv method when there is a problem
getting publishes from to the publisher.
"""
class Collector(salt.utils.process.SignalHandlingProcess):
def __init__(
self, minion_config, pub_uri, aes_key, timeout=30, zmq_filtering=False
self, minion_config, interface, port, aes_key, timeout=300, zmq_filtering=False
):
super().__init__()
self.minion_config = minion_config
self.pub_uri = pub_uri
self.interface = interface
self.port = port
self.aes_key = aes_key
self.timeout = timeout
self.aes_key = aes_key
self.hard_timeout = time.time() + timeout + 30
@ -45,6 +61,16 @@ class Collector(salt.utils.process.SignalHandlingProcess):
self.stopped = multiprocessing.Event()
self.started = multiprocessing.Event()
self.running = multiprocessing.Event()
if salt.utils.msgpack.version >= (0, 5, 2):
# Under Py2 we still want raw to be set to True
msgpack_kwargs = {"raw": False}
else:
msgpack_kwargs = {"encoding": "utf-8"}
self.unpacker = salt.utils.msgpack.Unpacker(**msgpack_kwargs)
@property
def transport(self):
return self.minion_config["transport"]
def _rotate_secrets(self, now=None):
salt.master.SMaster.secrets["aes"] = {
@ -61,46 +87,101 @@ class Collector(salt.utils.process.SignalHandlingProcess):
"rotate_master_key": self._rotate_secrets,
}
def _setup_listener(self):
if self.transport == "zeromq":
ctx = zmq.Context()
self.sock = ctx.socket(zmq.SUB)
self.sock.setsockopt(zmq.LINGER, -1)
self.sock.setsockopt(zmq.SUBSCRIBE, b"")
pub_uri = "tcp://{}:{}".format(self.interface, self.port)
self.sock.connect(pub_uri)
else:
end = time.time() + 60
while True:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((self.interface, self.port))
except ConnectionRefusedError:
if time.time() >= end:
raise
time.sleep(1)
else:
break
self.sock = salt.ext.tornado.iostream.IOStream(sock)
@salt.ext.tornado.gen.coroutine
def _recv(self):
if self.transport == "zeromq":
# test_zeromq_filtering requires catching the
# SaltDeserializationError in order to pass.
try:
payload = self.sock.recv(zmq.NOBLOCK)
serial_payload = salt.payload.loads(payload)
raise salt.ext.tornado.gen.Return(serial_payload)
except (zmq.ZMQError, salt.exceptions.SaltDeserializationError):
raise RecvError("ZMQ Error")
else:
for msg in self.unpacker:
raise salt.ext.tornado.gen.Return(msg["body"])
byts = yield self.sock.read_bytes(8096, partial=True)
self.unpacker.feed(byts)
for msg in self.unpacker:
raise salt.ext.tornado.gen.Return(msg["body"])
raise RecvError("TCP Error")
@salt.ext.tornado.gen.coroutine
def _run(self, loop):
try:
self._setup_listener()
except Exception: # pylint: disable=broad-except
self.started.set()
log.exception("Failed to start listening")
return
self.started.set()
last_msg = time.time()
serial = salt.payload.Serial(self.minion_config)
crypticle = salt.crypt.Crypticle(self.minion_config, self.aes_key)
while True:
curr_time = time.time()
if time.time() > self.hard_timeout:
log.error("Hard timeout reaced in test collector!")
break
if curr_time - last_msg >= self.timeout:
log.error("Receive timeout reaced in test collector!")
break
try:
payload = yield self._recv()
except RecvError:
time.sleep(0.01)
else:
try:
payload = crypticle.loads(payload["load"])
if not payload:
continue
if "start" in payload:
log.info("Collector started")
self.running.set()
continue
if "stop" in payload:
log.info("Collector stopped")
break
last_msg = time.time()
self.results.append(payload["jid"])
except salt.exceptions.SaltDeserializationError:
log.error("Deserializer Error")
if not self.zmq_filtering:
log.exception("Failed to deserialize...")
break
loop.stop()
def run(self):
"""
Gather results until then number of seconds specified by timeout passes
without receiving a message
"""
ctx = zmq.Context()
sock = ctx.socket(zmq.SUB)
sock.setsockopt(zmq.LINGER, -1)
sock.setsockopt(zmq.SUBSCRIBE, b"")
sock.connect(self.pub_uri)
last_msg = time.time()
crypticle = salt.crypt.Crypticle(self.minion_config, self.aes_key)
self.started.set()
while True:
curr_time = time.time()
if time.time() > self.hard_timeout:
break
if curr_time - last_msg >= self.timeout:
break
try:
payload = sock.recv(zmq.NOBLOCK)
except zmq.ZMQError:
time.sleep(0.1)
else:
try:
serial_payload = salt.payload.loads(payload)
payload = crypticle.loads(serial_payload["load"])
if not payload:
continue
if "start" in payload:
self.running.set()
continue
if "stop" in payload:
break
last_msg = time.time()
self.results.append(payload["jid"])
except salt.exceptions.SaltDeserializationError:
if not self.zmq_filtering:
log.exception("Failed to deserialize...")
break
loop = salt.ext.tornado.ioloop.IOLoop()
loop.add_callback(self._run, loop)
loop.start()
def __enter__(self):
self.manager.__enter__()
@ -152,7 +233,11 @@ class PubServerChannelProcess(salt.utils.process.SignalHandlingProcess):
self.queue = multiprocessing.Queue()
self.stopped = multiprocessing.Event()
self.collector = Collector(
self.minion_config, self.pub_uri, self.aes_key, **self.collector_kwargs
self.minion_config,
self.master_config["interface"],
self.master_config["publish_port"],
self.aes_key,
**self.collector_kwargs
)
def run(self):
@ -179,7 +264,8 @@ class PubServerChannelProcess(salt.utils.process.SignalHandlingProcess):
if self.process_manager is None:
return
self.process_manager.terminate()
self.pub_server_channel.close()
if hasattr(self.pub_server_channel, "pub_close"):
self.pub_server_channel.pub_close()
# Really terminate any process still left behind
for pid in self.process_manager._process_map:
terminate_process(pid=pid, kill_children=True, slow_stop=False)
@ -191,7 +277,7 @@ class PubServerChannelProcess(salt.utils.process.SignalHandlingProcess):
def __enter__(self):
self.start()
self.collector.__enter__()
attempts = 30
attempts = 300
while attempts > 0:
self.publish({"tgt_type": "glob", "tgt": "*", "jid": -1, "start": True})
if self.collector.running.wait(1) is True:
@ -218,16 +304,24 @@ class PubServerChannelProcess(salt.utils.process.SignalHandlingProcess):
log.info("The PubServerChannelProcess has terminated")
@pytest.fixture(params=["tcp", "zeromq"])
def transport(request):
yield request.param
@pytest.mark.skip_on_windows
@pytest.mark.slow_test
def test_publish_to_pubserv_ipc(salt_master, salt_minion):
def test_publish_to_pubserv_ipc(salt_master, salt_minion, transport):
"""
Test sending 10K messags to ZeroMQPubServerChannel using IPC transport
ZMQ's ipc transport not supported on Windows
"""
opts = dict(salt_master.config.copy(), ipc_mode="ipc", pub_hwm=0)
with PubServerChannelProcess(opts, salt_minion.config.copy()) as server_channel:
opts = dict(
salt_master.config.copy(), ipc_mode="ipc", pub_hwm=0, transport=transport
)
minion_opts = dict(salt_minion.config.copy(), transport=transport)
with PubServerChannelProcess(opts, minion_opts) as server_channel:
send_num = 10000
expect = []
for idx in range(send_num):
@ -269,7 +363,6 @@ def test_issue_36469_tcp(salt_master, salt_minion):
}
server_channel.publish(load)
time.sleep(0.3)
time.sleep(3)
server_channel.close_pub()
opts = dict(salt_master.config.copy(), ipc_mode="tcp", pub_hwm=0)

4
tests/pytests/integration/ssh/test_state.py
View file

@ -121,8 +121,8 @@ def test_state_with_import_from_dir(salt_ssh_cli, nested_state_tree):
ret = salt_ssh_cli.run(
"--extra-filerefs=salt://foo/map.jinja", "state.apply", "foo"
)
assert ret.returncode == 0
assert ret.data
assert ret.exitcode == 0
assert ret.json
@pytest.mark.slow_test

16
tests/pytests/scenarios/compat/conftest.py
View file

@ -15,14 +15,16 @@ from saltfactories.utils import random_string
from tests.support.runtests import RUNTIME_VARS
from tests.support.sminion import create_sminion
try:
import docker
from docker.errors import DockerException
except ImportError:
docker = None
docker = pytest.importorskip("docker")
# pylint: disable=3rd-party-module-not-gated,no-name-in-module
from docker.errors import DockerException # isort:skip
class DockerException(Exception):
pass
# pylint: enable=3rd-party-module-not-gated,no-name-in-module
pytestmark = [
pytest.mark.slow_test,
pytest.mark.skip_if_binaries_missing("docker"),
]
log = logging.getLogger(__name__)

36
tests/pytests/unit/auth/test_pam.py Normal file
View file

@ -0,0 +1,36 @@
import pytest
import salt.auth.pam
from tests.support.mock import patch
pytestmark = [
pytest.mark.skip_on_windows,
]
@pytest.fixture
def configure_loader_modules():
return {salt.auth.pam: {}}
@pytest.fixture
def mock_pam():
with patch("salt.auth.pam.CALLOC", autospec=True), patch(
"salt.auth.pam.pointer", autospec=True
), patch("salt.auth.pam.PamHandle", autospec=True), patch(
"salt.auth.pam.PAM_START", autospec=True, return_value=0
), patch(
"salt.auth.pam.PAM_AUTHENTICATE", autospec=True, return_value=0
), patch(
"salt.auth.pam.PAM_END", autospec=True
):
yield
def test_cve_if_pam_acct_mgmt_returns_nonzero_authenticate_should_be_false(mock_pam):
with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=42):
assert salt.auth.pam.authenticate(username="fnord", password="fnord") is False
def test_if_pam_acct_mgmt_returns_zero_authenticate_should_be_true(mock_pam):
with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=0):
assert salt.auth.pam.authenticate(username="fnord", password="fnord") is True

96
tests/pytests/unit/transport/test_tcp.py
View file

@ -1,3 +1,4 @@
import os
import socket
import attr
@ -7,7 +8,45 @@ import salt.exceptions
import salt.ext.tornado
import salt.transport.tcp
from pytestshellutils.utils import ports
from tests.support.mock import MagicMock, patch
from tests.support.mock import MagicMock, PropertyMock, patch
@pytest.fixture
def fake_keys():
with patch("salt.crypt.AsyncAuth.get_keys", autospec=True):
yield
@pytest.fixture
def fake_crypto():
with patch("salt.transport.tcp.PKCS1_OAEP", create=True) as fake_crypto:
yield fake_crypto
@pytest.fixture
def fake_authd():
@salt.ext.tornado.gen.coroutine
def return_nothing():
raise salt.ext.tornado.gen.Return()
with patch(
"salt.crypt.AsyncAuth.authenticated", new_callable=PropertyMock
) as mock_authed, patch(
"salt.crypt.AsyncAuth.authenticate",
autospec=True,
return_value=return_nothing(),
), patch(
"salt.crypt.AsyncAuth.gen_token", autospec=True, return_value=42
):
mock_authed.return_value = False
yield
@pytest.fixture
def fake_crypticle():
with patch("salt.crypt.Crypticle") as fake_crypticle:
fake_crypticle.generate_key_string.return_value = "fakey fake"
yield fake_crypticle
@attr.s(frozen=True, slots=True)
@ -335,3 +374,58 @@ def xtest_client_reconnect_backoff(client_socket):
client.io_loop.run_sync(client.connect)
finally:
client.close()
async def test_when_async_req_channel_with_syndic_role_should_use_syndic_master_pub_file_to_verify_master_sig(
fake_keys, fake_crypto, fake_crypticle
):
# Syndics use the minion pki dir, but they also create a syndic_master.pub
# file for comms with the Salt master
expected_pubkey_path = os.path.join("/etc/salt/pki/minion", "syndic_master.pub")
fake_crypto.new.return_value.decrypt.return_value = "decrypted_return_value"
mockloop = MagicMock()
opts = {
"master_uri": "tcp://127.0.0.1:4506",
"interface": "127.0.0.1",
"ret_port": 4506,
"ipv6": False,
"sock_dir": ".",
"pki_dir": "/etc/salt/pki/minion",
"id": "syndic",
"__role": "syndic",
"keysize": 4096,
"transport": "tcp",
"acceptance_wait_time": 30,
"acceptance_wait_time_max": 30,
}
client = salt.channel.client.ReqChannel.factory(opts, io_loop=mockloop)
assert client.master_pubkey_path == expected_pubkey_path
with patch("salt.crypt.verify_signature") as mock:
client.verify_signature("mockdata", "mocksig")
assert mock.call_args_list[0][0][0] == expected_pubkey_path
async def test_mixin_should_use_correct_path_when_syndic(
fake_keys, fake_authd, fake_crypticle
):
mockloop = MagicMock()
expected_pubkey_path = os.path.join("/etc/salt/pki/minion", "syndic_master.pub")
opts = {
"master_uri": "tcp://127.0.0.1:4506",
"interface": "127.0.0.1",
"ret_port": 4506,
"ipv6": False,
"sock_dir": ".",
"pki_dir": "/etc/salt/pki/minion",
"id": "syndic",
"__role": "syndic",
"keysize": 4096,
"sign_pub_messages": True,
"transport": "tcp",
}
client = salt.channel.client.AsyncPubChannel.factory(opts, io_loop=mockloop)
client.master_pubkey_path = expected_pubkey_path
payload = {"sig": "abc", "load": {"foo": "bar"}}
with patch("salt.crypt.verify_signature") as mock:
client._verify_master_signature(payload)
assert mock.call_args_list[0][0][0] == expected_pubkey_path

4
tests/pytests/unit/transport/test_zeromq.py
View file

@ -708,6 +708,7 @@ async def test_req_chan_decode_data_dict_entry_v2(pki_dir):
auth = client.auth
auth._crypticle = salt.crypt.Crypticle(opts, AES_KEY)
client.auth = MagicMock()
client.auth.mpub = auth.mpub
client.auth.authenticated = True
client.auth.get_keys = auth.get_keys
client.auth.crypticle.dumps = auth.crypticle.dumps
@ -772,6 +773,7 @@ async def test_req_chan_decode_data_dict_entry_v2_bad_nonce(pki_dir):
auth = client.auth
auth._crypticle = salt.crypt.Crypticle(opts, AES_KEY)
client.auth = MagicMock()
client.auth.mpub = auth.mpub
client.auth.authenticated = True
client.auth.get_keys = auth.get_keys
client.auth.crypticle.dumps = auth.crypticle.dumps
@ -835,6 +837,7 @@ async def test_req_chan_decode_data_dict_entry_v2_bad_signature(pki_dir):
auth = client.auth
auth._crypticle = salt.crypt.Crypticle(opts, AES_KEY)
client.auth = MagicMock()
client.auth.mpub = auth.mpub
client.auth.authenticated = True
client.auth.get_keys = auth.get_keys
client.auth.crypticle.dumps = auth.crypticle.dumps
@ -914,6 +917,7 @@ async def test_req_chan_decode_data_dict_entry_v2_bad_key(pki_dir):
auth = client.auth
auth._crypticle = salt.crypt.Crypticle(opts, AES_KEY)
client.auth = MagicMock()
client.auth.mpub = auth.mpub
client.auth.authenticated = True
client.auth.get_keys = auth.get_keys
client.auth.crypticle.dumps = auth.crypticle.dumps

1
tests/support/case.py
View file

@ -737,6 +737,7 @@ class ModuleCase(TestCase, SaltClientTestCaseMixin):
"time.sleep",
"grains.delkey",
"grains.delval",
"sdb.get",
)
if "f_arg" in kwargs:
kwargs["arg"] = kwargs.pop("f_arg")