Skip to content

Commit

Permalink
Refactor and add some tests
Browse files Browse the repository at this point in the history 
Added the check to a few other places in channel server
  • Loading branch information
@twangboy
twangboy committed Feb 28, 2024
1 parent c669644 commit 453b76e
Show file tree
Hide file tree
Showing 3 changed files with 56 additions and 3 deletions.
16 changes: 13 additions & 3 deletions salt/channel/server.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,16 @@ def factory(cls, opts, **kwargs):
transport = salt.transport.request_server(opts, **kwargs)
return cls(opts, transport)

@classmethod
def compare_keys(cls, key1, key2):
"""
Normalize and compare two keys
Returns:
bool: ``True`` if the keys match, otherwise ``False``
"""
return salt.crypt.clean_key(key1) == salt.crypt.clean_key(key2)

def __init__(self, opts, transport):
self.opts = opts
self.transport = transport
Expand Down Expand Up @@ -371,7 +381,7 @@ def _auth(self, load, sign_messages=False):
elif os.path.isfile(pubfn):
# The key has been accepted, check it
with salt.utils.files.fopen(pubfn, "r") as pubfn_handle:
if salt.crypt.clean_key(pubfn_handle.read()) != salt.crypt.clean_key(load["pub"])
if not self.compare_keys(pubfn_handle.read(), load["pub"]):
log.error(
"Authentication attempt from %s failed, the public "
"keys did not match. This may be an attempt to compromise "
Expand Down Expand Up @@ -480,7 +490,7 @@ def _auth(self, load, sign_messages=False):
# case. Otherwise log the fact that the minion is still
# pending.
with salt.utils.files.fopen(pubfn_pend, "r") as pubfn_handle:
if salt.crypt.clean_key(pubfn_handle.read()) != load["pub"]:
if not self.compare_keys(pubfn_handle.read(), load["pub"]):
log.error(
"Authentication attempt from %s failed, the public "
"key in pending did not match. This may be an "
Expand Down Expand Up @@ -536,7 +546,7 @@ def _auth(self, load, sign_messages=False):
# so, pass on doing anything here, and let it get automatically
# accepted below.
with salt.utils.files.fopen(pubfn_pend, "r") as pubfn_handle:
if salt.crypt.clean_key(pubfn_handle.read()) != load["pub"]:
if not self.compare_keys(pubfn_handle.read(), load["pub"]):
log.error(
"Authentication attempt from %s failed, the public "
"keys in pending did not match. This may be an "
Expand Down
Empty file added tests/pytests/unit/channel/__init__.py
View file
Empty file.
43 changes: 43 additions & 0 deletions tests/pytests/unit/channel/test_server.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
import pytest

import salt.channel.server as server


@pytest.fixture
def key_data():
return [
"-----BEGIN PUBLIC KEY-----",
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoe5QSDYRWKyknbVyRrIj",
"rm1ht5HgKzAVUber0x54+b/UgxTd1cqI6I+eDlx53LqZSH3G8Rd5cUh8LHoGedSa",
"E62vEiLAjgXa+RdgcGiQpYS8+Z2RvQJ8oIcZgO+2AzgBRHboNWHTYRRmJXCd3dKs",
"9tcwK6wxChR06HzGqaOTixAuQlegWbOTU+X4dXIbW7AnuQBt9MCib7SxHlscrqcS",
"cBrRvq51YP6cxPm/rZJdBqZhVrlghBvIpa45NApP5PherGi4AbEGYte4l+gC+fOA",
"osEBis1V27djPpIyQS4qk3XAPQg6CYQMDltHqA4Fdo0Nt7SMScxJhfH0r6zmBFAe",
"BQIDAQAB",
"-----END PUBLIC KEY-----",
]


@pytest.mark.parametrize("linesep", ["\r\n", "\r", "\n"])
def test_compare_keys(key_data, linesep):
src_key = linesep.join(key_data)
tgt_key = "\n".join(key_data)
assert server.ReqServerChannel.compare_keys(src_key, tgt_key) is True


@pytest.mark.parametrize("linesep", ["\r\n", "\r", "\n"])
def test_compare_keys_newline_src(key_data, linesep):
src_key = linesep.join(key_data) + linesep
tgt_key = "\n".join(key_data)
assert src_key.endswith(linesep)
assert not tgt_key.endswith("\n")
assert server.ReqServerChannel.compare_keys(src_key, tgt_key) is True


@pytest.mark.parametrize("linesep", ["\r\n", "\r", "\n"])
def test_compare_keys_newline_tgt(key_data, linesep):
src_key = linesep.join(key_data)
tgt_key = "\n".join(key_data) + "\n"
assert not src_key.endswith(linesep)
assert tgt_key.endswith("\n")
assert server.ReqServerChannel.compare_keys(src_key, tgt_key) is True

0 comments on commit 453b76e

Please sign in to comment.