Commit graph

43 commits

Author SHA1 Message Date
David Murphy
e8441238e1 Initial removal usage of distutils and replacement with setuptools 2022-12-20 07:07:21 -07:00
Pedro Algarvio
7df5feb62b Bump to certifi>=2022.12.7
Follow up to https://github.com/saltstack/salt/pull/63284

See https://github.com/advisories/GHSA-43fp-rhv2-5gv8 for additional context.

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-12-12 04:32:02 +00:00
Pedro Algarvio
5421a4483a Add back the windows python 3.7 requirements files
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-12-09 11:12:15 +00:00
Pedro Algarvio
183c7ed96b Fix static requirements
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-12-07 11:45:47 -07:00
Pedro Algarvio
f59bf99cda
Drop pycurl requirement, see https://github.com/saltstack/relative-environment-for-python/issues/50
Properly compile windows requirements on Py3.10

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-12-05 05:03:44 +00:00
Twangboy
dadcbf1eff Fix pre-commit 2022-11-04 08:15:12 -06:00
MKLeb
58ec510d26
Merge tag 'v3005.1' into merge-forward/3005.1
Version 3005.1
2022-10-04 20:52:23 -04:00
Megan Wilhite
863df6de7e Update mako requirement to 1.2.2 2022-09-22 15:21:26 -07:00
Gareth J. Greenaway
20fb0beb38 package jmespath 2022-09-12 12:13:00 -07:00
Carlos Álvaro
b3c6d949ba fix: Update setproctitle version for all platforms 2022-09-01 13:33:16 -06:00
Megan Wilhite
fc7d0a9296
Merge freeze into master (#62438)
* fixes saltstack/salt#62372 unable to use random shuffle and sample functions as Jinja filters

* move random_shuffle and random_sample logic to utils

* static seed in tests seems to have shifted

* static seed in tests require hash module

* Change Tiamat to onedir in release notes

* Reinstate known issues

* Update release notes with onedir package support policy

* need to check the version of Netmiko python library and then import the exceptions from different locations depending on the result.

* Adding changelog.

* swap out if...else for double try...except.

* Remove extra fix we don't need anymore

* [Docs] include onedir system python note

* Update all platforms to use pycparser 2.21 or greater for Py 3.9 or higher, fixes fips fault with openssl v3.x

* Remove the PyObjC dependency

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Add "<tiamat> python" subcommand to allow execution of arbitrary scripts via bundled Python runtime

* Document usage of bundled Python runtime for Client API

* Use explicit locals for custom script execution, handle exception in similar fashion as Python

* Remove old __file__ replacement

* Apply suggestions from code review

Co-authored-by: Pedro Algarvio <pedro@algarvio.me>

Co-authored-by: nicholasmhughes <nicholasmhughes@gmail.com>
Co-authored-by: Alyssa Rock <alyssa.rock@gmail.com>
Co-authored-by: Gareth J. Greenaway <gareth@saltstack.com>
Co-authored-by: Twangboy <leesh@vmware.com>
Co-authored-by: David Murphy < dmurphy@saltstack.com>
Co-authored-by: Pedro Algarvio <palgarvio@vmware.com>
Co-authored-by: Lukas Raska <lukas@raska.me>
Co-authored-by: Pedro Algarvio <pedro@algarvio.me>
2022-08-08 11:27:10 -06:00
David Murphy
b63534c6e5 Update all platforms to use pycparser 2.21 or greater for Py 3.9 or higher, fixes fips fault with openssl v3.x 2022-08-05 09:05:38 -06:00
Pedro Algarvio
e68cd5e991 Bump to `lxml==4.9.1` to address CVE-2022-2309
See https://github.com/advisories/GHSA-wrxv-2j5q-m38w

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-07-08 11:29:32 +01:00
Daniel Wozniak
d9343cca65
Merge forward 3004.2 (#62200)
* Check only ssh-rsa encryption for set_known_host

* Windows test fix

* Fix pre-commit

* add CentOS Stream to _OS_FAMILY_MAP, fix #59161

* added changelog and test

* fix syntax

* Use centosstream 8 for testing

* Use ? for matching spaces

Technically this isn't *quite* right as 'CentOSyStream' would also
match, but it's pretty reasonable:

- OS grains shouldn't ever be that kind of close
- This test is only swapping out spaces, and only for the os grain. That
  would mean there would have to be two OSes with grains that only
  differ by one having a space where another one has any other
  character.
- This test really isn't even about matching grains, we're just using
  compound matching and that's a reasonable one to use.

* Add centos stream when detecting package manager name

* Fix pre-commit

* Remove tests for fedora 32/33 EOL

* Remove tests for fedora 32/33 EOL

* Remove tests for fedora 33 EOL

* Use centosstream 8 for testing

* Use ? for matching spaces

Technically this isn't *quite* right as 'CentOSyStream' would also
match, but it's pretty reasonable:

- OS grains shouldn't ever be that kind of close
- This test is only swapping out spaces, and only for the os grain. That
  would mean there would have to be two OSes with grains that only
  differ by one having a space where another one has any other
  character.
- This test really isn't even about matching grains, we're just using
  compound matching and that's a reasonable one to use.

* 3002.9: Fix pre-commit

* 3003.5 Fix pre-commit

* [3002.9] Replace use of 'sl' with 'paper' for Arch tests, due to 'sl' having key issues

* Remove mojave testing

* Remove mojave and high sierra testing

* Remove mojave testing

* [3002.9] Fix cloud vultr size issue

* Update package name to aspnetcore-runtime-6.0 for redhat 8 pkg tests

* Update package name to aspnetcore-runtime-6.0 for redhat 8 pkg tests

* change amazon linux AMI

* Migrate `unit.modules.test_gpg` to PyTest

* Don't leave any `gpg-agent`'s running behind

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Start a background process to generate entropy.

Some tests have failed because of not enough entropy which then makes
the test timeout.

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* A different approach at generating entropy

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Turn entropy generation into a helper

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* change amazon linux AMI

* change amazon linux AMI

* [3004.2] Fix cloud vultr size issue

* Fix cloud requirements

* Skip pam tests on windows

* Update ami to try to get the tests running

* Update amis to try to get the tests running

* Fixing test_publish_to_pubserv_ipc_tcp, moving the call to socket.socket into the while loop.

* Add static requirements for 3.8 and 3.9 on Windows

* Fix requirements

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* The whole CI process is already slower than GH Actions, no caches.

* Pre-commit must not run with ``PIP_EXTRA_INDEX_URL`` set.

* Lint fixes

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Compile cloud requirements

* Run add requirements files for 3.8 and 3.9

* Fix docs and cloud requirements

* [3003.5] Fix cloud vultr size issue

* Windows test fix

* Skip test if docker not running

* [3003.5] Fix pre-commit

* Update Markup and contextfunction imports for jinja versions >=3.1.

* update bootstrap to 2022.03.15

* update bootstrap to 2022.03.15

* skipping tests/pytests/integration/modules/test_virt.py on 3002.x and 3003.x branches.

* Windows test fix

* Skip PAM tests on Windows

Windows has no ctypes with the PAM bits, so we should go ahead and skip
on Windows.

* Skip PAM auth tests on Windows

Windows lacks the correct bits, so...

* Fix pre-commit

* Skipping tests since they're also skipped on the master branch

Fixes #403

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Skip test that only runs because the patch binary is now available.

The feature though, was only added in 3004.

Fixes #404

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Skip test which is only supposed to run in Linux

Fixes https://github.com/saltstack/salt-priv/issues/405

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* GPG tests do not work on windows yet

* Fix tests

* Fix pre-commit

* skip tests.integration.modules.test_mac_brew_pkg.BrewModuleTest.test_list_upgrades and tests.integration.modules.test_state.StateModuleTest.test_get_file_from_env_in_top_match on Mac OS.

* skip tests.integration.modules.test_mac_brew_pkg.BrewModuleTest.test_list_upgrades and tests.integration.modules.test_state.StateModuleTest.test_get_file_from_env_in_top_match on Mac OS.

* Removing skip, moving it to different PR.

* Skipping tests on 3002.9.

* test fix

* Do not run patch tests on 3003.5. Feature not added till 3004

* skipping tests/pytests/integration/modules/test_virt.py on 3002.x and 3003.x branches.

* Fix pre-commit

* [3004.2] Update freebsd ami

* Bump the git version for freebsd CI tests

* removing versions that are no longer available from the tests.pytests.scenarios.compat.test_with_versions tests.

* Skip tests on windows when NOT using static requirements

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* removing versions that are no longer available from the tests.pytests.scenarios.compat.test_with_versions tests.

* test_issue_36469_tcp causes a fatal python error when run on Mac OS, so skipping.

* Fix tests

* Fix pre-commit

* Do not run patch tests on 3003.5. Feature not added till 3004

* Skip archive tar tests on windows

* [3002.9] Skip archive tar tests on windows

* GPG tests do not work on windows yet

* Skip test which is only supposed to run in Linux

Fixes https://github.com/saltstack/salt-priv/issues/405

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Skip test that only runs because the patch binary is now available.

The feature though, was only added in 3004.

Fixes #404

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Skipping tests since they're also skipped on the master branch

Fixes #403

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Fix pre-commit

* Fix pre-commit

* Fix pre-commit

* Fix pre-commit

* retry sdb.get if it returns None

None is an entirely valid return - see EtcdClient.get in
salt/utils/etcd_util.py

* drop py2/six

* fix etcd sdb.set as well

* Fix etcd-sdb test failure

If docker container is up and running, but etcd isn't responding yet
it's possible that we get some failing tests. This should wait a
reasonable amount of time for things to come up. Or just skip the test.

* Fix etcd-sdb test failure

If docker container is up and running, but etcd isn't responding yet
it's possible that we get some failing tests. This should wait a
reasonable amount of time for things to come up. Or just skip the test.

* Skip the tests from unit/transport/test_zero.py that are hanging on Mac.

* skip tests in tests/pytests/unit/states/test_archive.py for 3002.9

* 3002.9 Skipping  CA permissions tests on Windows, similar to 3003.5 and 3004.2

* change skipif to skip

* Rollback Windows AMIs to use Python 3.7

* Rollback AMI's to Python 3.7... fix tests

* Fix failing test_archive tests

* Build using pyenv

* Add symlinks to openssl and rpath

* Add shasum for zeromq 4.3.4

* Fix docs on scripts

* Build zeromq earlier, fix symlinks

* Bring 61446 to 3004.1 branch

* Add changelog and tests

* Fix schedule test flakiness

* Retry with new port if in use

* fixing failing tests, ensuring that the correct path is used.

* fixing failing tests, ensuring that the correct path is used.

* fixing failing tests, ensuring that the correct path is used.

* Re-enable tiamat-pip on windows

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

* Bump duration time for windows for test_retry_option_success

* Skip test causing hangs

* go go pylint disable

* more pre-commit

* oh lint

* so many weird hook failures

* Add unit tests for PAM auth CVE

We could add functional tests if it's important enough, but this is the
narrowest place to test.

* Fix PAM auth CVE

Credit to @ysf

Previously we weren't checking the result of PAM_ACCT_MGMT.

* pylint disable

* rewrite hook changes

* Skip PAM auth tests on Windows

Since Windows ends up lacking the correct bits, no need to run tests
there.

* pre-commit fixes

* docs 3004.2 release

* Fix bug in tcp transport

* Fix the test_zeromq_filtering test

* skip test_npm_install_url_referenced_package on centos 7 and 8.

* Swapping CentOS Linux-8 for CentOS Stream-8

* Update build scripts to use pyenv

* Fix tests on MacOS

* Fix bug in tcp transport

* Fix test failures

* Update release notes and man pages for 3003.5

* Add 3002.9 changelog, release notes, man pages

* Update doc/topics/releases/3002.9.rst

Co-authored-by: Megan Wilhite <mwilhite@vmware.com>

* Fix requirements

* Fix imports

* Test fixup

* Fix merge warts

* fix merge wart in changelog

* Fix merge warts in tests

Co-authored-by: krionbsd <krion@FreeBSD.org>
Co-authored-by: Megan Wilhite <megan.wilhite@gmail.com>
Co-authored-by: Alexander Kriventsov <akriventsov@nic.ru>
Co-authored-by: Megan Wilhite <mwilhite@vmware.com>
Co-authored-by: Wayne Werner <wwerner@vmware.com>
Co-authored-by: Gareth J. Greenaway <gareth@saltstack.com>
Co-authored-by: David Murphy < dmurphy@saltstack.com>
Co-authored-by: Twangboy <leesh@vmware.com>
Co-authored-by: MKLeb <calebb@vmware.com>
Co-authored-by: Pedro Algarvio <pedro@algarvio.me>
Co-authored-by: Pedro Algarvio <palgarvio@vmware.com>
Co-authored-by: Thomas Phipps <tphipps@vmware.com>
Co-authored-by: Frode Gundersen <frogunder@gmail.com>
Co-authored-by: Alyssa Rock <alyssa.rock@gmail.com>
Co-authored-by: Alyssa Rock <43180546+barbaricyawps@users.noreply.github.com>
2022-06-29 10:10:06 -06:00
Pedro Algarvio
f6fd24f125 Upgrade some requirements
These requirements should be kept up-to-date as much as possible.

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-06-06 07:18:12 -06:00
Pedro Algarvio
46e6416e5b Update to `python-gnupg==0.4.8`
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-04-08 09:10:15 -04:00
Megan Wilhite
fb3033f032 Use the correct Markup from jinja for each version 2022-03-30 15:28:41 -07:00
Pedro Algarvio
75ed972d72 Update requirements to address known security vulnerabilities
Closes #61516
Closes #61515
Closes #61514
Closes #61513
Closes #61520
Closes #61096
Closes #60944
Closes #61558
Closes #61559
Closes #61560
Closes #61561

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-02-08 06:34:43 -08:00
MKLeb
5d860e1744 bump lxml to >=4.6.5 2022-01-14 16:21:28 -08:00
cmcmarrow
86d7c2dd05 fix pre 2021-09-24 20:20:32 -07:00
Pedro Algarvio
2ed6d1a974 Enforce requirements and their versions consistency
Use the packaging requirements as version constraints to all other
requirements files which should include Salt's base requirements.

The nox sessions now don't install the base requirements since the "top"
requirements file includes the base requirements.

All of this, ensuring that the same versions are used on all of them.
2021-09-21 13:42:53 -07:00
Pedro Algarvio
bd7195c3c6 `importlib-metadata` is a packaging requirement instead.
This is so that tiamat builds will pull it in but we don't force
distributions to have that package available
2021-08-27 07:21:24 -04:00
Pedro Algarvio
2c6da2a5c5 Best salt-extensions load at runtime support is using `importlib-metadata` 2021-08-27 07:21:24 -04:00
Pedro Algarvio
a46aa3a55c Bump to `urllib3==1.26.6`
GHSA-q2q7-5pp4-w6pg

high severity

Vulnerable versions: < 1.26.5
Patched version: 1.26.5

Impact

When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits
catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Patches

The issue has been fixed in urllib3 v1.26.5.

References

* [CVE-2021-33503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503)
* [JVNVU#92413403 (English)](https://jvn.jp/en/vu/JVNVU92413403/)
* [JVNVU#92413403 (Japanese)](https://jvn.jp/vu/JVNVU92413403/)
* [urllib3 v1.26.5](https://github.com/urllib3/urllib3/releases/tag/1.26.5)
2021-08-02 16:13:40 -07:00
twangboy
bb45935799 Update deps 2021-07-23 13:06:52 -07:00
Pedro Algarvio
ec6e96a036 Upgrade to six==1.16.0 to avoid problems on CI runs
```
13:59:02  nox > Session invoke-pre-commit was successful.
13:59:02  nox > Running session invoke-pre-commit
13:59:02  nox > pip install --progress-bar=off -r requirements/static/ci/py3.7/invoke.txt
13:59:02  Collecting blessings==1.7
13:59:02    Using cached blessings-1.7-py3-none-any.whl (18 kB)
13:59:02  Collecting invoke==1.4.1
13:59:02    Using cached invoke-1.4.1-py3-none-any.whl (210 kB)
13:59:02  Collecting pyyaml==5.3.1
13:59:02    Using cached PyYAML-5.3.1.tar.gz (269 kB)
13:59:02  Collecting six==1.15.0
13:59:02    Using cached six-1.15.0-py2.py3-none-any.whl (10 kB)
13:59:02  Building wheels for collected packages: pyyaml
13:59:02    Building wheel for pyyaml (setup.py) ... - \ | / - \ | done
13:59:02    Created wheel for pyyaml: filename=PyYAML-5.3.1-cp37-cp37m-linux_x86_64.whl size=546391 sha256=e42e1d66cc32087f4d33ceb81268c86b59f1a97029b19459f91b8d6ad1430167
13:59:02    Stored in directory: /var/jenkins/.cache/pip/wheels/5e/03/1e/e1e954795d6f35dfc7b637fe2277bff021303bd9570ecea653
13:59:02  Successfully built pyyaml
13:59:02  Installing collected packages: six, pyyaml, invoke, blessings
13:59:02    Attempting uninstall: six
13:59:02      Found existing installation: six 1.16.0
13:59:02      Uninstalling six-1.16.0:
13:59:02  ERROR: Could not install packages due to an OSError: [Errno 2] No such file or directory: '/var/jenkins/.cache/pre-commit/repomw8oee1s/py_env-python3/lib/python3.7/site-packages/__pycache__/six.cpython-37.pyc'
13:59:02
13:59:02  nox > Command pip install --progress-bar=off -r requirements/static/ci/py3.7/invoke.txt failed with exit code 1
13:59:02  nox > Session invoke-pre-commit failed.
```
2021-05-27 09:32:39 -04:00
Pedro Algarvio
8ebaf76106 Update Jinja2 and lxml due to security related bugfix releases
Jinja2
------

CVE-2020-28493
moderate severity
Vulnerable versions: < 2.11.3
Patched version: 2.11.3

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9.-]+.[a-zA-Z0-9.-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

lxml
----

CVE-2021-28957
moderate severity
Vulnerable versions: < 4.6.3
Patched version: 4.6.3

An XSS vulnerability was discovered in the python lxml clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
2021-05-24 08:19:57 -04:00
Pedro Algarvio
821dc29b3d Bump requirements to address a few security issues 2021-05-12 08:05:34 -04:00
Pedro Algarvio
2ea5ad81a9 Compile the requirements 2021-05-05 06:48:41 -07:00
Megan Wilhite
66cf74140b
Merge Freeze into Master (#60074)
* Merge 3002.6 bugfix changes (#59822)

* Pass `CI_RUN` as an environment variable to the test run.

This allows us to know if we're running the test suite under a CI
environment or not and adapt/adjust if needed

* Migrate `unit.setup` to PyTest

* Backport ae36b15 just for test_install.py

* Only skip tests on CI runs

* Always store git sha in _version.py during installation

* Fix PEP440 compliance.

The wheel metadata version 1.2 states that the package version MUST be
PEP440 compliant.

This means that instead of `3002.2-511-g033c53eccb`, the salt version
string should look like `3002.2+511.g033c53eccb`, a post release of
`3002.2` ahead by 511 commits with the git sha `033c53eccb`

* Fix and migrate `tests/unit/test_version.py` to PyTest

* Skip test if `easy_install` is not available

* We also need to be PEP440 compliant when there's no git history

* Allow extra_filerefs as sanitized kwargs for SSH client

* Fix regression on cmd.run when passing tuples as cmd

Co-authored-by: Alexander Graul <agraul@suse.com>

* Add unit tests to ensure cmd.run accepts tuples

* Add unit test to check for extra_filerefs on SSH opts

* Add changelog file

* Fix comment for test case

* Fix unit test to avoid failing on Windows

* Skip failing test on windows

* Fix test to work on Windows

* Add all ssh kwargs to sanitize_kwargs method

* Run pre-commit

* Fix pylint

* Fix cmdmod loglevel and module_names tests

* Fix pre-commit

* Skip ssh tests if binary does not exist

* Use setup_loader for cmdmod test

* Prevent argument injection in restartcheck

* Add changelog for restartcheck fix

* docs_3002.6

* Add back tests removed in merge

Co-authored-by: Pedro Algarvio <pedro@algarvio.me>
Co-authored-by: Megan Wilhite <megan.wilhite@gmail.com>
Co-authored-by: Bryce Larson <brycel@vmware.com>
Co-authored-by: Pablo Suárez Hernández <psuarezhernandez@suse.com>
Co-authored-by: Alexander Graul <agraul@suse.com>
Co-authored-by: Frode Gundersen <fgundersen@saltstack.com>

* Remove glance state module in favor of glance_image

* update wording in changelog

* bump deprecation warning to Silicon.

* Updating warnutil version to Phosphorous.

* Update salt/modules/keystone.py

Co-authored-by: Megan Wilhite <megan.wilhite@gmail.com>

* Check $HOMEBREW_PREFIX when linking against libcrypto

When loading `libcrypto`, Salt checks for a Homebrew installation of `openssl`
at Homebrew's default prefix of `/usr/local`. However, on Apple Silicon Macs,
Homebrew's default installation prefix is `/opt/homebrew`. On all platforms,
the prefix is configurable.  If Salt doesn't find one of those `libcrypto`s,
it will fall back on the un-versioned `/usr/lib/libcrypto.dylib`, which will
cause the following crash:

    Application Specific Information:
    /usr/lib/libcrypto.dylib
    abort() called
    Invalid dylib load. Clients should not load the unversioned libcrypto dylib as it does not have a stable ABI.

This commit checks $HOMEBREW_PREFIX instead of hard-coding `/usr/local`.

* Add test case

* Add changelog for 59808

* Add changelog entry

* Make _find_libcrypto fail on Big Sur if it can't find a library

Right now, if `_find_libcrypto` can't find any externally-managed versions of
libcrypto, it will fall back on the pre-Catalina un-versioned system libcrypto.
This does not exist on Big Sur and it would be better to raise an exception
here rather than crashing later when trying to open it.

* Update _find_libcrypto tests

This commit simplifies the unit tests for _find_libcrypto by mocking out the
host's filesystem and testing the common libcrypto installations (brew, ports,
etc.) on Big Sur. It simplifies the tests for falling back on system versions
of libcrypto on previous versions of macOS.

* Fix description of test_find_libcrypto_with_system_before_catalina

* Patch sys.platform for test_rsax931 tests

* modules/match: add missing "minion_id" in Pillar example

The documented Pillar example for `match.filter_by` lacks the `minion_id` parameter. Without it, the assignment won't work as expected.
- fix documentation
- add tests:
  - to prove the misbehavior of the documented example
  - to prove the proper behaviour when supplying `minion_id`
  - to ensure some misbehaviour observed with compound matchers doesn't occur

* Fix for issue #59773

- When instantiating the loader grab values of grains and pillars if
  they are NamedLoaderContext instances.
- The loader uses a copy of opts.
- Implement deepcopy on NamedLoaderContext instances.

* Add changelog for #59773

* _get_initial_pillar function returns pillar

* Fix linter issues

* Clean up test

* Bump deprecation release for neutron

* Uncomment Sulfur release name

* Removing the _ext_nodes deprecation warning and alias.

* Adding changelog.

* Renaming changelog file.

* Update 59804.removed

* Initial pass at fips_mode config option

* Fix pre-commit

* Fix tests and add changelog

* update docs 3003

* update docs 3003 - newline

* Fix warts in changelog

* update releasenotes 3003

* add ubuntu-2004-amd64 m2crypto pycryptodome and tcp tests

* add distro_arch

* changing the cloud platforms file missed in 1a9b7be0e2

* Update __utils__ calls to import utils in azure

* Add changelog for 59744

* Fix azure unit tests and move to pytest

* Use contextvars from site-packages for thin

If a contextvars package exists one of the site-packages locations use
it for the generated thin tarball. This overrides python's builtin
contextvars and allows salt-ssh to work with python <=3.6 even when the
master's python is >3.6 (Fixes #59942)

* Add regression test for #59942

* Add changelog for #59942

* Update filemap to include test_py_versions

* Fix broken thin tests

* Always install the `contextvars` backport, even on Py3.7+

Without this change, salt-ssh cannot target systems with Python <= 3.6

* Use salt-factories to handle the container. Don't override default roster

* Fix thin tests on windows

* No need to use warn log level here

* Fix getsitepackages for old virtualenv versions

* Add explicit pyobjc reqs

* Add back the passthrough stuff

* Remove a line so pre-commit will run

* Bugfix release docs

* Bugfix release docs

* Removing pip-compile log files

* Fix failing test tests.unit.grains.test_core.CoreGrainsTestCase.test_xen_virtual

* Fix pre-commit for docs.txt reqs

Co-authored-by: Daniel Wozniak <dwozniak@saltstack.com>
Co-authored-by: Pedro Algarvio <pedro@algarvio.me>
Co-authored-by: Bryce Larson <brycel@vmware.com>
Co-authored-by: Pablo Suárez Hernández <psuarezhernandez@suse.com>
Co-authored-by: Alexander Graul <agraul@suse.com>
Co-authored-by: Frode Gundersen <fgundersen@saltstack.com>
Co-authored-by: Gareth J. Greenaway <gareth@saltstack.com>
Co-authored-by: Gareth J. Greenaway <gareth@wiked.org>
Co-authored-by: Hoa-Long Tam <hoalong@apple.com>
Co-authored-by: krionbsd <krion@freebsd.org>
Co-authored-by: Elias Probst <e.probst@ssc-services.de>
Co-authored-by: Daniel A. Wozniak <dwozniak@vmware.com>
Co-authored-by: Frode Gundersen <frogunder@gmail.com>
Co-authored-by: twangboy <slee@saltstack.com>
Co-authored-by: twangboy <leesh@vmware.com>
Co-authored-by: ScriptAutomate <derek@icanteven.io>
2021-04-27 11:47:47 -04:00
twangboy
bd8a58b000 Update requirements for Windows 2021-02-23 12:49:10 -05:00
Pedro Algarvio
db49815052 Bump cryptography requirement to 3.3.2 due to CVE-2020-36242
Vulnerable versions: >= 3.1, < 3.3.2
Patched version: 3.3.2
Impact: When certain sequences of update() calls with large values (multiple GBs) for symmetric encryption or decryption occur, it's possible for an integer overflow to happen, leading to mishandling of buffers.
References:
 - pyca/cryptography#5615

For Py3.5 requirements we dropped `cryptography` to version 3.0 which is not vulnerable to the CVE in question.
This decision was made consciously because the Salt Project creates packages for the supported distributions which still use Py3.5 and those even rely on an even older version of `cryptography`.
Upgrading to the latest version was not possible because the `cryptography` project dropped Py3.5 support.
2021-02-23 10:13:19 -05:00
Pedro Algarvio
12f0657306 Cleanup salt/_compat.py now that Salt is Py3.5+ only 2021-02-19 08:35:12 -05:00
Kirill Ponomarev
8973a9ac99
Upgrade msgpack to 1.0.2 (#59139)
* Upgrade msgpack to 1.0.1

* Update msgpack to 1.0.2

Co-authored-by: Pedro Algarvio <pedro@algarvio.me>
2021-02-01 12:10:52 -05:00
krionbsd
a3abf73afa Update psutil to 5.8.0 2021-01-13 20:42:29 +00:00
krionbsd
abe76a5a84 Update psutil to 5.7.3 2021-01-13 20:42:29 +00:00
Pedro Algarvio
6b942545af Concentrate common requirements in a single .in file 2021-01-13 11:25:46 +00:00
Pedro Algarvio
5a45212467 Bump lxml requirement to 4.6.2
CVE-2020-27783
moderate severity
Vulnerable versions: < 4.6.2
Patched version: 4.6.2

An XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
2021-01-08 16:01:29 +00:00
Pedro Algarvio
60d3d14f4c Upgrade to non vulnerable cryptography==3.2
Details:

```
GHSA-hggm-jpg3-v476
moderate severity
Vulnerable versions: < 3.2
Patched version: 3.2

Impact

RSA decryption was vulnerable to Bleichenbacher timing vulnerabilities, which would impact people using RSA decryption in online scenarios.
Patches

This is fixed in cryptography 3.2. pyca/cryptography@58494b4 is the resolving commit.
```

Closes #58827
2020-11-12 15:58:52 -07:00
Pedro Algarvio
37e40a3237 Upgrade pytz requirement to 2020.1 2020-10-17 18:54:18 +01:00
cmcmarrow
bef834dd2c
update pycryptodome 2020-10-02 16:03:48 -06:00
Pedro Algarvio
49556caf05
Rework static requirements. Darwin and Windows packaging are now also static.
Refs https://github.com/saltstack/release-planning/issues/238
2020-09-30 09:31:49 +01:00
Pedro Algarvio
67b25add12
Add packaging static requirements 2020-09-30 09:31:49 +01:00