Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[3006.x] Add some tests to #66140 #66153

Merged
merged 8 commits into from Feb 28, 2024
Merged

[3006.x] Add some tests to #66140 #66153

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
daf0b55
fix: Older keys end with a newline, this breaks minion auth.
jzandbergen Feb 23, 2024
f69f4cd
fix: typo's
jzandbergen Feb 23, 2024
7469a70
Simply check against cleaned key from disk.
jzandbergen Feb 26, 2024
21b9aee
Merge branch '3006.x' into fix/keyauth-v3006.7
jzandbergen Feb 26, 2024
90a5ce0
Add changelog entry
jzandbergen Feb 26, 2024
9f47b32
Merge branch '3006.x' into fix/keyauth-v3006.7
jzandbergen Feb 26, 2024
c669644
Merge branch 'fix/keyauth-v3006.7' of https://github.com/jzandbergen/…
twangboy Feb 28, 2024
453b76e
Refactor and add some tests
twangboy Feb 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 2 additions & 0 deletions changelog/66126.fixed.md
View file
Open in desktop
@@ -0,0 +1,2 @@
Fixed a issue with server channel where a minion's public key
would be rejected if it contained a final newline character.
16 changes: 13 additions & 3 deletions salt/channel/server.py
View file
Open in desktop
Expand Up @@ -52,6 +52,16 @@ def factory(cls, opts, **kwargs):
transport = salt.transport.request_server(opts, **kwargs)
return cls(opts, transport)

@classmethod
def compare_keys(cls, key1, key2):
"""
Normalize and compare two keys

Returns:
bool: ``True`` if the keys match, otherwise ``False``
"""
return salt.crypt.clean_key(key1) == salt.crypt.clean_key(key2)

def __init__(self, opts, transport):
self.opts = opts
self.transport = transport
Expand Down Expand Up @@ -371,7 +381,7 @@ def _auth(self, load, sign_messages=False):
elif os.path.isfile(pubfn):
# The key has been accepted, check it
with salt.utils.files.fopen(pubfn, "r") as pubfn_handle:
if salt.crypt.clean_key(pubfn_handle.read()) != load["pub"]:
if not self.compare_keys(pubfn_handle.read(), load["pub"]):
log.error(
"Authentication attempt from %s failed, the public "
"keys did not match. This may be an attempt to compromise "
Expand Down Expand Up @@ -480,7 +490,7 @@ def _auth(self, load, sign_messages=False):
# case. Otherwise log the fact that the minion is still
# pending.
with salt.utils.files.fopen(pubfn_pend, "r") as pubfn_handle:
if salt.crypt.clean_key(pubfn_handle.read()) != load["pub"]:
if not self.compare_keys(pubfn_handle.read(), load["pub"]):
log.error(
"Authentication attempt from %s failed, the public "
"key in pending did not match. This may be an "
Expand Down Expand Up @@ -536,7 +546,7 @@ def _auth(self, load, sign_messages=False):
# so, pass on doing anything here, and let it get automatically
# accepted below.
with salt.utils.files.fopen(pubfn_pend, "r") as pubfn_handle:
if salt.crypt.clean_key(pubfn_handle.read()) != load["pub"]:
if not self.compare_keys(pubfn_handle.read(), load["pub"]):
log.error(
"Authentication attempt from %s failed, the public "
"keys in pending did not match. This may be an "
Expand Down
Empty file added tests/pytests/unit/channel/__init__.py
View file
Open in desktop
Empty file.
43 changes: 43 additions & 0 deletions tests/pytests/unit/channel/test_server.py
View file
Open in desktop
@@ -0,0 +1,43 @@
import pytest

import salt.channel.server as server


@pytest.fixture
def key_data():
return [
"-----BEGIN PUBLIC KEY-----",
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoe5QSDYRWKyknbVyRrIj",
"rm1ht5HgKzAVUber0x54+b/UgxTd1cqI6I+eDlx53LqZSH3G8Rd5cUh8LHoGedSa",
"E62vEiLAjgXa+RdgcGiQpYS8+Z2RvQJ8oIcZgO+2AzgBRHboNWHTYRRmJXCd3dKs",
"9tcwK6wxChR06HzGqaOTixAuQlegWbOTU+X4dXIbW7AnuQBt9MCib7SxHlscrqcS",
"cBrRvq51YP6cxPm/rZJdBqZhVrlghBvIpa45NApP5PherGi4AbEGYte4l+gC+fOA",
"osEBis1V27djPpIyQS4qk3XAPQg6CYQMDltHqA4Fdo0Nt7SMScxJhfH0r6zmBFAe",
"BQIDAQAB",
"-----END PUBLIC KEY-----",
]


@pytest.mark.parametrize("linesep", ["\r\n", "\r", "\n"])
def test_compare_keys(key_data, linesep):
src_key = linesep.join(key_data)
tgt_key = "\n".join(key_data)
assert server.ReqServerChannel.compare_keys(src_key, tgt_key) is True


@pytest.mark.parametrize("linesep", ["\r\n", "\r", "\n"])
def test_compare_keys_newline_src(key_data, linesep):
src_key = linesep.join(key_data) + linesep
tgt_key = "\n".join(key_data)
assert src_key.endswith(linesep)
assert not tgt_key.endswith("\n")
assert server.ReqServerChannel.compare_keys(src_key, tgt_key) is True


@pytest.mark.parametrize("linesep", ["\r\n", "\r", "\n"])
def test_compare_keys_newline_tgt(key_data, linesep):
src_key = linesep.join(key_data)
tgt_key = "\n".join(key_data) + "\n"
assert not src_key.endswith(linesep)
assert tgt_key.endswith("\n")
assert server.ReqServerChannel.compare_keys(src_key, tgt_key) is True