Authenticate the client and use the public key it sent to encrypt the AES key that was generated at start-up. This method fires an event over the master event manager; the event is tagged "auth" and carries a dict with information about the auth event. The encryption and signature algorithms are taken from the request itself (`enc_algo`, `sig_algo`), defaulting to OAEP-SHA1 and PKCS1v15-SHA1 when the request does not specify them.
(self, load, sign_messages=False, version=0)
| 3187 | ).add(1, attributes={"result": result}) |
| 3188 | |
| 3189 | def _auth_impl(self, load, sign_messages=False, version=0): |
| 3190 | """ |
| 3191 | Authenticate the client, use the sent public key to encrypt the AES key |
| 3192 | which was generated at start up. |
| 3193 | |
| 3194 | This method fires an event over the master event manager. The event is |
| 3195 | tagged "auth" and returns a dict with information about the auth |
| 3196 | event |
| 3197 | |
| 3198 | - Verify that the key we are receiving matches the stored key |
| 3199 | - Store the key if it is not there |
| 3200 | - Make an RSA key with the pub key |
| 3201 | - Encrypt the AES key as an encrypted salt.payload |
| 3202 | - Package the return and return it |
| 3203 | """ |
| 3204 | enc_algo = load.get("enc_algo", salt.crypt.OAEP_SHA1) |
| 3205 | sig_algo = load.get("sig_algo", salt.crypt.PKCS1v15_SHA1) |
| 3206 | |
| 3207 | if not salt.utils.verify.valid_id(self.opts, load["id"]): |
| 3208 | log.info("Authentication request from invalid id %s", load["id"]) |
| 3209 | if sign_messages: |
| 3210 | return self._clear_signed( |
| 3211 | {"ret": False, "nonce": load["nonce"]}, sig_algo |
| 3212 | ) |
| 3213 | else: |
| 3214 | return {"enc": "clear", "load": {"ret": False}} |
| 3215 | log.info("Authentication request from %s", load["id"]) |
| 3216 | # remove any trailing whitespace |
| 3217 | load["pub"] = load["pub"].strip() |
| 3218 | |
| 3219 | # 0 is default which should be 'unlimited' |
| 3220 | if self.opts["max_minions"] > 0: |
| 3221 | # use the ConCache if enabled, else use the minion utils |
| 3222 | if self.cache_cli: |
| 3223 | minions = self.cache_cli.get_cached() |
| 3224 | else: |
| 3225 | minions = self.ckminions.connected_ids() |
| 3226 | if len(minions) > 1000: |
| 3227 | log.info( |
| 3228 | "With large numbers of minions it is advised " |
| 3229 | "to enable the ConCache with 'con_cache: True' " |
| 3230 | "in the masters configuration file." |
| 3231 | ) |
| 3232 | |
| 3233 | if not len(minions) <= self.opts["max_minions"]: |
| 3234 | # we reject new minions, minions that are already |
| 3235 | # connected must be allowed for the mine, highstate, etc. |
| 3236 | if load["id"] not in minions: |
| 3237 | log.info( |
| 3238 | "Too many minions connected (max_minions=%s). " |
| 3239 | "Rejecting connection from id %s", |
| 3240 | self.opts["max_minions"], |
| 3241 | load["id"], |
| 3242 | ) |
| 3243 | |
| 3244 | if self.opts.get("auth_events") is True: |
| 3245 | eload = { |
| 3246 | "result": False, |