Verify that the master is the same one that was previously accepted. Parameter `payload` (dict): the incoming payload, a dictionary which may have the following keys: 'aes' (the shared AES key) and 'enc' (the format of the message: 'clear', 'pub', etc.).
| 1647 | return aes |
| 1648 | |
| 1649 | def verify_master(self, payload, master_pub=True): |
| 1650 | """ |
| 1651 | Verify that the master is the same one that was previously accepted. |
| 1652 | |
| 1653 | :param dict payload: The incoming payload. This is a dictionary which may have the following keys: |
| 1654 | 'aes': The shared AES key |
| 1655 | 'enc': The format of the message. ('clear', 'pub', etc) |
| 1656 | 'publish_port': The TCP port which published the message |
| 1657 | 'token': The encrypted token used to verify the message. |
| 1658 | 'pub_key': The RSA public key of the sender. |
| 1659 | :param bool master_pub: Operate as if minion had no master pubkey when it sent auth request, i.e. don't verify |
| 1660 | the minion signature |
| 1661 | |
| 1662 | :rtype: str |
| 1663 | :return: An empty string on verification failure. On success, the decrypted AES message in the payload. |
| 1664 | """ |
| 1665 | m_pub_fn = os.path.join(self.opts["pki_dir"], self.mpub) |
| 1666 | m_pub_exists = os.path.isfile(m_pub_fn) |
| 1667 | # Compare the master's pub_key against the cached copy using the same |
| 1668 | # normalization on both sides. Older masters (pre-clean_key) send the |
| 1669 | # raw file content with a trailing newline; without this normalization |
| 1670 | # the comparison spuriously fails and the minion is stuck rejecting |
| 1671 | # the master with "Invalid master key" until minion_master.pub is |
| 1672 | # manually deleted. See issue #68493. |
| 1673 | payload_pub_key = clean_key(payload["pub_key"]) |
| 1674 | if m_pub_exists and master_pub and not self.opts["open_mode"]: |
| 1675 | with salt.utils.files.fopen(m_pub_fn) as fp_: |
| 1676 | local_master_pub = clean_key(fp_.read()) |
| 1677 | |
| 1678 | if payload_pub_key != local_master_pub: |
| 1679 | if not self.check_auth_deps(payload): |
| 1680 | return "" |
| 1681 | |
| 1682 | if self.opts["verify_master_pubkey_sign"]: |
| 1683 | if self.verify_signing_master(payload): |
| 1684 | return self.extract_aes(payload, master_pub=False) |
| 1685 | else: |
| 1686 | return "" |
| 1687 | else: |
| 1688 | # This is not the last master we connected to |
| 1689 | log.error( |
| 1690 | "The master key has changed, the salt master could " |
| 1691 | "have been subverted, verify salt master's public " |
| 1692 | "key" |
| 1693 | ) |
| 1694 | return "" |
| 1695 | |
| 1696 | else: |
| 1697 | if not self.check_auth_deps(payload): |
| 1698 | return "" |
| 1699 | # verify the signature of the pubkey even if it has |
| 1700 | # not changed compared with the one we already have |
| 1701 | if self.opts["always_verify_signature"]: |
| 1702 | if self.verify_signing_master(payload): |
| 1703 | return self.extract_aes(payload) |
| 1704 | else: |
| 1705 | log.error( |
| 1706 | "The masters public could not be verified. Is the " |