| 606 | return {"opts": self.opts} |
| 607 | |
| 608 | def _setup_keys(self): |
| 609 | # it's important to init this even if cluster_id is enabled so that on |
| 610 | # initial start the master's non cluster key is generated |
| 611 | key_pass = salt.utils.sdb.sdb_get(self.opts["key_pass"], self.opts) |
| 612 | |
| 613 | if self.cache.contains("master_keys", f"{self.master_id}.pem"): |
| 614 | self.master_key = self.key = self.find_or_create_keys( |
| 615 | name=self.master_id, passphrase=key_pass |
| 616 | ) |
| 617 | else: |
| 618 | self.master_key = self.key = self.find_or_create_keys( |
| 619 | name="master", passphrase=key_pass |
| 620 | ) |
| 621 | |
| 622 | # facilitate migrating to pem named off the master id instead of master.pem |
| 623 | if not self.cache.contains("master_keys", f"{self.master_id}.pem"): |
| 624 | priv = self.cache.fetch("master_keys", "master.pem") |
| 625 | pub = self.cache.fetch("master_keys", "master.pub") |
| 626 | self.cache.store("master_keys", f"{self.master_id}.pem", priv) |
| 627 | self.cache.store("master_keys", f"{self.master_id}.pub", pub) |
| 628 | self.cache.flush("master_keys", "master.pem") |
| 629 | self.cache.flush("master_keys", "master.pub") |
| 630 | |
| 631 | # lets create symlinks in case a user downgrades back to a previous version |
| 632 | if self.opts["keys.cache_driver"] == "localfs_key": |
| 633 | os.symlink( |
| 634 | os.path.join(self.opts["pki_dir"], f"{self.master_id}.pem"), |
| 635 | os.path.join(self.opts["pki_dir"], "master.pem"), |
| 636 | ) |
| 637 | os.symlink( |
| 638 | os.path.join(self.opts["pki_dir"], f"{self.master_id}.pub"), |
| 639 | os.path.join(self.opts["pki_dir"], "master.pub"), |
| 640 | ) |
| 641 | |
| 642 | if self.opts["cluster_id"]: |
| 643 | self.check_master_shared_pub() |
| 644 | key_pass = salt.utils.sdb.sdb_get(self.opts["cluster_key_pass"], self.opts) |
| 645 | self.cluster_key = self.key = self.find_or_create_keys( |
| 646 | name="cluster", |
| 647 | passphrase=key_pass, |
| 648 | ) |
| 649 | |
| 650 | if self.opts["master_sign_pubkey"]: |
| 651 | # if only the signature is available, use that |
| 652 | if self.opts["master_use_pubkey_signature"]: |
| 653 | if self.opts["keys.cache_driver"] == "localfs_key": |
| 654 | sig_path = os.path.join( |
| 655 | self.opts["pki_dir"], self.master_pubkey_signature |
| 656 | ) |
| 657 | else: |
| 658 | sig_path = f"{self.opts['keys.cache_driver']}:master_keys/{self.master_pubkey_signature}" |
| 659 | |
| 660 | if self.cache.contains("master_keys", self.master_pubkey_signature): |
| 661 | self.pubkey_signature = clean_key( |
| 662 | self.cache.fetch("master_keys", self.master_pubkey_signature) |
| 663 | ) |
| 664 | log.info( |
| 665 | "Read %s's signature from %s", |