valitydev/salt
14
0
Fork 0
mirror of https://github.com/valitydev/salt.git synced 2024-11-07 17:09:03 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch '2018.3' into issue51158

Browse Source
This commit is contained in:
Shane Lee 2019-01-14 20:06:02 -07:00 committed by GitHub
commit 05836b3948
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
27 changed files with 1889 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
doc/ref/cli/_includes/output-options.rst
View File

@ -6,12 +6,9 @@ Output Options
Pass in an alternative outputter to display the return of data. This
outputter can be any of the available outputters:
``grains``, ``highstate``, ``json``, ``key``, ``overstatestage``, ``pprint``, ``raw``, ``txt``, ``yaml``
Some outputters are formatted only for data returned from specific
functions; for instance, the ``grains`` outputter will not work for non-grains
data.
``highstate``, ``json``, ``key``, ``overstatestage``, ``pprint``, ``raw``, ``txt``, ``yaml``, and :ref:`many others <all-salt.output>`.
Some outputters are formatted only for data returned from specific functions.
If an outputter is used that does not support the data passed into it, then
Salt will fall back on the ``pprint`` outputter and display the return data
using the Python ``pprint`` standard library module.

1
doc/ref/output/all/index.rst
View File

@ -22,6 +22,7 @@ Follow one of the below links for further information and examples
overstatestage
pony
pprint_out
profile
progress
raw
table_out

6
doc/ref/output/all/salt.output.profile.rst Normal file
View File

@ -0,0 +1,6 @@
===================
salt.output.profile
===================
.. automodule:: salt.output.profile
:members:

4
doc/topics/troubleshooting/master.rst
View File

@ -219,6 +219,10 @@ configuration file: ``/etc/salt/master`` and setting the ``timeout`` value to
change the default timeout for all commands, and then restarting the
salt-master service.
If a ``state.apply`` run takes too long, you can find a bottleneck by adding the
:py:mod:`--out=profile <salt.output.profile>` option.
Salt Master Auth Flooding
=========================

3
doc/topics/troubleshooting/minion.rst
View File

@ -152,3 +152,6 @@ salt-minion service.
Modifying the minion timeout value is not required when running commands
from a Salt Master. It is only required when running commands locally on
the minion.
If a ``state.apply`` run takes too long, you can find a bottleneck by adding the
:py:mod:`--out=profile <salt.output.profile>` option.

9
salt/grains/core.py
View File

@ -1003,10 +1003,11 @@ def _virtual(osdata):
if 'QEMU Virtual CPU' in model:
grains['virtual'] = 'kvm'
elif osdata['kernel'] == 'OpenBSD':
if osdata['manufacturer'] in ['QEMU', 'Red Hat']:
grains['virtual'] = 'kvm'
if osdata['manufacturer'] == 'OpenBSD':
grains['virtual'] = 'vmm'
if 'manufacturer' in osdata:
if osdata['manufacturer'] in ['QEMU', 'Red Hat', 'Joyent']:
grains['virtual'] = 'kvm'
if osdata['manufacturer'] == 'OpenBSD':
grains['virtual'] = 'vmm'
elif osdata['kernel'] == 'SunOS':
if grains['virtual'] == 'LDOM':
roles = []

2
salt/modules/debian_ip.py
View File

@ -1913,9 +1913,11 @@ def get_network_settings():
hostname = _parse_hostname()
domainname = _parse_domainname()
searchdomain = _parse_searchdomain()
settings['hostname'] = hostname
settings['domainname'] = domainname
settings['searchdomain'] = searchdomain
else:
settings = _parse_current_network_settings()

109
salt/modules/mysql.py
View File

@ -81,7 +81,11 @@ __grants__ = [
'ALL PRIVILEGES',
'ALTER',
'ALTER ROUTINE',
'BACKUP_ADMIN',
'BINLOG_ADMIN',
'CONNECTION_ADMIN',
'CREATE',
'CREATE ROLE',
'CREATE ROUTINE',
'CREATE TABLESPACE',
'CREATE TEMPORARY TABLES',
@ -89,26 +93,37 @@ __grants__ = [
'CREATE VIEW',
'DELETE',
'DROP',
'DROP ROLE',
'ENCRYPTION_KEY_ADMIN',
'EVENT',
'EXECUTE',
'FILE',
'GRANT OPTION',
'GROUP_REPLICATION_ADMIN',
'INDEX',
'INSERT',
'LOCK TABLES',
'PERSIST_RO_VARIABLES_ADMIN',
'PROCESS',
'REFERENCES',
'RELOAD',
'REPLICATION CLIENT',
'REPLICATION SLAVE',
'REPLICATION_SLAVE_ADMIN',
'RESOURCE_GROUP_ADMIN',
'RESOURCE_GROUP_USER',
'ROLE_ADMIN',
'SELECT',
'SET_USER_ID',
'SHOW DATABASES',
'SHOW VIEW',
'SHUTDOWN',
'SUPER',
'SYSTEM_VARIABLES_ADMIN',
'TRIGGER',
'UPDATE',
'USAGE'
'USAGE',
'XA_RECOVER_ADMIN'
]
__ssl_options_parameterized__ = [
@ -121,6 +136,52 @@ __ssl_options__ = __ssl_options_parameterized__ + [
'X509'
]
__all_privileges__ = [
'ALTER',
'ALTER ROUTINE',
'BACKUP_ADMIN',
'BINLOG_ADMIN',
'CONNECTION_ADMIN',
'CREATE',
'CREATE ROLE',
'CREATE ROUTINE',
'CREATE TABLESPACE',
'CREATE TEMPORARY TABLES',
'CREATE USER',
'CREATE VIEW',
'DELETE',
'DROP',
'DROP ROLE',
'ENCRYPTION_KEY_ADMIN',
'EVENT',
'EXECUTE',
'FILE',
'GROUP_REPLICATION_ADMIN',
'INDEX',
'INSERT',
'LOCK TABLES',
'PERSIST_RO_VARIABLES_ADMIN',
'PROCESS',
'REFERENCES',
'RELOAD',
'REPLICATION CLIENT',
'REPLICATION SLAVE',
'REPLICATION_SLAVE_ADMIN',
'RESOURCE_GROUP_ADMIN',
'RESOURCE_GROUP_USER',
'ROLE_ADMIN',
'SELECT',
'SET_USER_ID',
'SHOW DATABASES',
'SHOW VIEW',
'SHUTDOWN',
'SUPER',
'SYSTEM_VARIABLES_ADMIN',
'TRIGGER',
'UPDATE',
'XA_RECOVER_ADMIN'
]
r'''
DEVELOPER NOTE: ABOUT arguments management, escapes, formats, arguments and
security of SQL.
@ -810,7 +871,7 @@ def version(**connection_args):
return ''
try:
return cur.fetchone()[0]
return salt.utils.data.decode(cur.fetchone()[0])
except IndexError:
return ''
@ -1789,12 +1850,12 @@ def user_grants(user,
def grant_exists(grant,
database,
user,
host='localhost',
grant_option=False,
escape=True,
**connection_args):
database,
user,
host='localhost',
grant_option=False,
escape=True,
**connection_args):
'''
Checks to see if a grant exists in the database
@ -1805,6 +1866,14 @@ def grant_exists(grant,
salt '*' mysql.grant_exists \
'SELECT,INSERT,UPDATE,...' 'database.*' 'frank' 'localhost'
'''
server_version = version(**connection_args)
if 'ALL' in grant:
if salt.utils.versions.version_cmp(server_version, '8.0') >= 0:
grant = ','.join([i for i in __all_privileges__])
else:
grant = 'ALL PRIVILEGES'
try:
target = __grant_generate(
grant, database, user, host, grant_option, escape
@ -1820,15 +1889,27 @@ def grant_exists(grant,
'this could also indicate a connection error. Check your configuration.')
return False
target_tokens = None
# Combine grants that match the same database
_grants = {}
for grant in grants:
try:
if not target_tokens: # Avoid the overhead of re-calc in loop
target_tokens = _grant_to_tokens(target)
grant_tokens = _grant_to_tokens(grant)
grant_token = _grant_to_tokens(grant)
if grant_token['database'] not in _grants:
_grants[grant_token['database']] = {'user': grant_token['user'],
'database': grant_token['database'],
'host': grant_token['host'],
'grant': grant_token['grant']}
else:
_grants[grant_token['database']]['grant'].extend(grant_token['grant'])
target_tokens = _grant_to_tokens(target)
for database, grant_tokens in _grants.items():
try:
_grant_tokens = {}
_target_tokens = {}
_grant_matches = [True if i in grant_tokens['grant']
else False for i in target_tokens['grant']]
for item in ['user', 'database', 'host']:
_grant_tokens[item] = grant_tokens[item].replace('"', '').replace('\\', '').replace('`', '')
_target_tokens[item] = target_tokens[item].replace('"', '').replace('\\', '').replace('`', '')
@ -1836,7 +1917,7 @@ def grant_exists(grant,
if _grant_tokens['user'] == _target_tokens['user'] and \
_grant_tokens['database'] == _target_tokens['database'] and \
_grant_tokens['host'] == _target_tokens['host'] and \
set(grant_tokens['grant']) >= set(target_tokens['grant']):
all(_grant_matches):
return True
else:
log.debug('grants mismatch \'%s\'<>\'%s\'', grant_tokens, target_tokens)

2
salt/modules/nxos.py
View File

@ -59,7 +59,7 @@ def cmd(command, *args, **kwargs):
proxy_cmd = '.'.join([proxy_prefix, command])
if proxy_cmd not in __proxy__:
return False
for k in kwargs:
for k in list(kwargs):
if k.startswith('__pub_'):
kwargs.pop(k)
return __proxy__[proxy_cmd](*args, **kwargs)

8
salt/modules/shadow.py
View File

@ -349,8 +349,8 @@ def set_date(name, date):
salt '*' shadow.set_date username 0
'''
cmd = 'chage -d {0} {1}'.format(date, name)
return not __salt__['cmd.run'](cmd, python_shell=False)
cmd = ['chage', '-d', date, name]
return __salt__['cmd.retcode'](cmd, python_shell=False) == 0
def set_expire(name, expire):
@ -367,8 +367,8 @@ def set_expire(name, expire):
salt '*' shadow.set_expire username -1
'''
cmd = 'chage -E {0} {1}'.format(expire, name)
return not __salt__['cmd.run'](cmd, python_shell=False)
cmd = ['chage', '-E', expire, name]
return __salt__['cmd.retcode'](cmd, python_shell=False) == 0
def list_users():

3
salt/modules/vsphere.py
View File

@ -357,6 +357,9 @@ def gets_service_instance_via_proxy(fn):
local_service_instance = \
salt.utils.vmware.get_service_instance(
*connection_details)
# Tuples are immutable, so if we want to change what
# was passed in, we need to first convert to a list.
args = list(args)
args[idx] = local_service_instance
else:
# case 2: Not enough positional parameters so

179
salt/modules/win_auditpol.py Normal file
View File

@ -0,0 +1,179 @@
# -*- coding: utf-8 -*-
'''
A salt module for modifying the audit policies on the machine
Though this module does not set group policy for auditing, it displays how all
auditing configuration is applied on the machine, either set directly or via
local or domain group policy.
.. versionadded:: 2018.3.4
.. versionadded:: 2019.2.1
This module allows you to view and modify the audit settings as they are applied
on the machine. The audit settings are broken down into nine categories:
- Account Logon
- Account Management
- Detailed Tracking
- DS Access
- Logon/Logoff
- Object Access
- Policy Change
- Privilege Use
- System
The ``get_settings`` function will return the subcategories for all nine of
the above categories in one dictionary along with their auditing status.
To modify a setting you only need to specify the subcategory name and the value
you wish to set. Valid settings are:
- No Auditing
- Success
- Failure
- Success and Failure
CLI Example:
.. code-block:: bash
# Get current state of all audit settings
salt * auditpol.get_settings
# Get the current state of all audit settings in the "Account Logon"
# category
salt * auditpol.get_settings category="Account Logon"
# Get current state of the "Credential Validation" setting
salt * auditpol.get_setting name="Credential Validation"
# Set the state of the "Credential Validation" setting to Success and
# Failure
salt * auditpol.set_setting name="Credential Validation" value="Success and Failure"
# Set the state of the "Credential Validation" setting to No Auditing
salt * auditpol.set_setting name="Credential Validation" value="No Auditing"
'''
from __future__ import absolute_import, unicode_literals, print_function
# Import Salt libs
import salt.utils.platform
# Define the module's virtual name
__virtualname__ = 'auditpol'
def __virtual__():
'''
Only works on Windows systems
'''
if not salt.utils.platform.is_windows():
return False, "Module win_auditpol: module only available on Windows"
return __virtualname__
def get_settings(category='All'):
'''
Get the current configuration for all audit settings specified in the
category
Args:
category (str):
One of the nine categories to return. Can also be ``All`` to return
the settings for all categories. Valid options are:
- Account Logon
- Account Management
- Detailed Tracking
- DS Access
- Logon/Logoff
- Object Access
- Policy Change
- Privilege Use
- System
- All
Default value is ``All``
Returns:
dict: A dictionary containing all subcategories for the specified
category along with their current configuration
Raises:
KeyError: On invalid category
CommandExecutionError: If an error is encountered retrieving the settings
CLI Example:
.. code-block:: bash
# Get current state of all audit settings
salt * auditipol.get_settings
# Get the current state of all audit settings in the "Account Logon"
# category
salt * auditpol.get_settings "Account Logon"
'''
return __utils__['auditpol.get_settings'](category=category)
def get_setting(name):
'''
Get the current configuration for the named audit setting
Args:
name (str): The name of the setting to retrieve
Returns:
str: The current configuration for the named setting
Raises:
KeyError: On invalid setting name
CommandExecutionError: If an error is encountered retrieving the settings
CLI Example:
.. code-block:: bash
# Get current state of the "Credential Validation" setting
salt * auditpol.get_setting "Credential Validation"
'''
return __utils__['auditpol.get_setting'](name=name)
def set_setting(name, value):
'''
Set the configuration for the named audit setting
Args:
name (str):
The name of the setting to configure
value (str):
The configuration for the named value. Valid options are:
- No Auditing
- Success
- Failure
- Success and Failure
Returns:
bool: True if successful
Raises:
KeyError: On invalid ``name`` or ``value``
CommandExecutionError: If an error is encountered modifying the setting
CLI Example:
.. code-block:: bash
# Set the state of the "Credential Validation" setting to Success and
# Failure
salt * auditpol.set_setting "Credential Validation" "Success and Failure"
# Set the state of the "Credential Validation" setting to No Auditing
salt * auditpol.set_setting "Credential Validation" "No Auditing"
'''
return __utils__['auditpol.set_setting'](name=name, value=value)

906
salt/modules/win_lgpo.py
View File

@ -39,12 +39,14 @@ Current known limitations
'''
# Import Python libs
from __future__ import absolute_import, unicode_literals, print_function
import csv
import io
import os
import logging
import re
import locale
import ctypes
import tempfile
import time
# Import Salt libs
@ -280,6 +282,19 @@ class _policy_info(object):
netsh advfirewall>set help
netsh advfirewall>set domain help
AdvAudit Mechanism
------------------
The Advanced Audit Policies are configured using a combination of the
auditpol command-line utility and modifying the audit.csv file in two
locations. The value of this key is a dict with the following make-up:
====== ===================================
Key Value
====== ===================================
Option The Advanced Audit Policy to modify
====== ===================================
Transforms
----------
@ -310,6 +325,13 @@ class _policy_info(object):
'Not Defined': 'Not Defined',
None: 'Not Defined',
}
self.advanced_audit_lookup = {
0: 'No Auditing',
1: 'Success',
2: 'Failure',
3: 'Success and Failure',
None: 'Not Configured',
}
self.sc_removal_lookup = {
0: 'No Action',
1: 'Lock Workstation',
@ -372,6 +394,18 @@ class _policy_info(object):
'value_lookup': True,
},
}
self.advanced_audit_transform = {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.advanced_audit_lookup,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.advanced_audit_lookup,
'value_lookup': True,
},
}
self.enabled_one_disabled_zero_strings = {
'0': 'Disabled',
'1': 'Enabled',
@ -418,6 +452,13 @@ class _policy_info(object):
'Local Policies',
'Audit Policy'
]
self.advanced_audit_policy_gpedit_path = [
'Computer Configuration',
'Windows Settings',
'Security Settings',
'Advanced Audit Policy Configuration',
'System Audit Policies - Local Group Policy Object'
]
self.account_lockout_policy_gpedit_path = [
'Computer Configuration',
'Windows Settings',
@ -2603,6 +2644,11 @@ class _policy_info(object):
'Put': '_minutes_to_seconds'
},
},
########## LEGACY AUDIT POLICIES ##########
# To use these set the following policy to DISABLED
# "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
# or it's alias...
# SceNoApplyLegacyAuditPolicy
'AuditAccountLogon': {
'Policy': 'Audit account logon events',
'lgpo_section': self.audit_policy_gpedit_path,
@ -2693,6 +2739,557 @@ class _policy_info(object):
},
'Transform': self.audit_transform,
},
########## END OF LEGACY AUDIT POLICIES ##########
########## ADVANCED AUDIT POLICIES ##########
# Advanced Audit Policies
# To use these set the following policy to ENABLED
# "Audit: Force audit policy subcategory settings (Windows
# Vista or later) to override audit policy category
# settings"
# or it's alias...
# SceNoApplyLegacyAuditPolicy
# Account Logon Section
'AuditCredentialValidation': {
'Policy': 'Audit Credential Validation',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Credential Validation',
},
'Transform': self.advanced_audit_transform,
},
'AuditKerberosAuthenticationService': {
'Policy': 'Audit Kerberos Authentication Service',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Kerberos Authentication Service',
},
'Transform': self.advanced_audit_transform,
},
'AuditKerberosServiceTicketOperations': {
'Policy': 'Audit Kerberos Service Ticket Operations',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Kerberos Service Ticket Operations',
},
'Transform': self.advanced_audit_transform,
},
'AuditOtherAccountLogonEvents': {
'Policy': 'Audit Other Account Logon Events',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Other Account Logon Events',
},
'Transform': self.advanced_audit_transform,
},
# Account Management Section
'AuditApplicationGroupManagement': {
'Policy': 'Audit Application Group Management',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Application Group Management',
},
'Transform': self.advanced_audit_transform,
},
'AuditComputerAccountManagement': {
'Policy': 'Audit Computer Account Management',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Computer Account Management',
},
'Transform': self.advanced_audit_transform,
},
'AuditDistributionGroupManagement': {
'Policy': 'Audit Distribution Group Management',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Distribution Group Management',
},
'Transform': self.advanced_audit_transform,
},
'AuditOtherAccountManagementEvents': {
'Policy': 'Audit Other Account Management Events',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Other Account Management Events',
},
'Transform': self.advanced_audit_transform,
},
'AuditSecurityGroupManagement': {
'Policy': 'Audit Security Group Management',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Security Group Management',
},
'Transform': self.advanced_audit_transform,
},
'AuditUserAccountManagement': {
'Policy': 'Audit User Account Management',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit User Account Management',
},
'Transform': self.advanced_audit_transform,
},
# Detailed Tracking Settings
'AuditDPAPIActivity': {
'Policy': 'Audit DPAPI Activity',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit DPAPI Activity',
},
'Transform': self.advanced_audit_transform,
},
'AuditPNPActivity': {
'Policy': 'Audit PNP Activity',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit PNP Activity',
},
'Transform': self.advanced_audit_transform,
},
'AuditProcessCreation': {
'Policy': 'Audit Process Creation',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Process Creation',
},
'Transform': self.advanced_audit_transform,
},
'AuditProcessTermination': {
'Policy': 'Audit Process Termination',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Process Termination',
},
'Transform': self.advanced_audit_transform,
},
'AuditRPCEvents': {
'Policy': 'Audit RPC Events',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit RPC Events',
},
'Transform': self.advanced_audit_transform,
},
'AuditTokenRightAdjusted': {
'Policy': 'Audit Token Right Adjusted',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Token Right Adjusted',
},
'Transform': self.advanced_audit_transform,
},
# DS Access Section
'AuditDetailedDirectoryServiceReplication': {
'Policy': 'Audit Detailed Directory Service Replication',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Detailed Directory Service Replication',
},
'Transform': self.advanced_audit_transform,
},
'AuditDirectoryServiceAccess': {
'Policy': 'Audit Directory Service Access',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Directory Service Access',
},
'Transform': self.advanced_audit_transform,
},
'AuditDirectoryServiceChanges': {
'Policy': 'Audit Directory Service Changes',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Directory Service Changes',
},
'Transform': self.advanced_audit_transform,
},
'AuditDirectoryServiceReplication': {
'Policy': 'Audit Directory Service Replication',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Directory Service Replication',
},
'Transform': self.advanced_audit_transform,
},
# Logon/Logoff Section
'AuditAccountLockout': {
'Policy': 'Audit Account Lockout',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Account Lockout',
},
'Transform': self.advanced_audit_transform,
},
'AuditUserDeviceClaims': {
'Policy': 'Audit User / Device Claims',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit User / Device Claims',
},
'Transform': self.advanced_audit_transform,
},
'AuditGroupMembership': {
'Policy': 'Audit Group Membership',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Group Membership',
},
'Transform': self.advanced_audit_transform,
},
'AuditIPsecExtendedMode': {
'Policy': 'Audit IPsec Extended Mode',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit IPsec Extended Mode',
},
'Transform': self.advanced_audit_transform,
},
'AuditIPsecMainMode': {
'Policy': 'Audit IPsec Main Mode',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit IPsec Main Mode',
},
'Transform': self.advanced_audit_transform,
},
'AuditIPsecQuickMode': {
'Policy': 'Audit IPsec Quick Mode',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit IPsec Quick Mode',
},
'Transform': self.advanced_audit_transform,
},
'AuditLogoff': {
'Policy': 'Audit Logoff',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Logoff',
},
'Transform': self.advanced_audit_transform,
},
'AuditLogon': {
'Policy': 'Audit Logon',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Logon',
},
'Transform': self.advanced_audit_transform,
},
'AuditNetworkPolicyServer': {
'Policy': 'Audit Network Policy Server',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Network Policy Server',
},
'Transform': self.advanced_audit_transform,
},
'AuditOtherLogonLogoffEvents': {
'Policy': 'Audit Other Logon/Logoff Events',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Other Logon/Logoff Events',
},
'Transform': self.advanced_audit_transform,
},
'AuditSpecialLogon': {
'Policy': 'Audit Special Logon',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Special Logon',
},
'Transform': self.advanced_audit_transform,
},
# Object Access Section
'AuditApplicationGenerated': {
'Policy': 'Audit Application Generated',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Application Generated',
},
'Transform': self.advanced_audit_transform,
},
'AuditCertificationServices': {
'Policy': 'Audit Certification Services',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Certification Services',
},
'Transform': self.advanced_audit_transform,
},
'AuditDetailedFileShare': {
'Policy': 'Audit Detailed File Share',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Detailed File Share',
},
'Transform': self.advanced_audit_transform,
},
'AuditFileShare': {
'Policy': 'Audit File Share',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit File Share',
},
'Transform': self.advanced_audit_transform,
},
'AuditFileSystem': {
'Policy': 'Audit File System',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit File System',
},
'Transform': self.advanced_audit_transform,
},
'AuditFilteringPlatformConnection': {
'Policy': 'Audit Filtering Platform Connection',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Filtering Platform Connection',
},
'Transform': self.advanced_audit_transform,
},
'AuditFilteringPlatformPacketDrop': {
'Policy': 'Audit Filtering Platform Packet Drop',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Filtering Platform Packet Drop',
},
'Transform': self.advanced_audit_transform,
},
'AuditHandleManipulation': {
'Policy': 'Audit Handle Manipulation',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Handle Manipulation',
},
'Transform': self.advanced_audit_transform,
},
'AuditKernelObject': {
'Policy': 'Audit Kernel Object',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Kernel Object',
},
'Transform': self.advanced_audit_transform,
},
'AuditOtherObjectAccessEvents': {
'Policy': 'Audit Other Object Access Events',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Other Object Access Events',
},
'Transform': self.advanced_audit_transform,
},
'AuditRegistry': {
'Policy': 'Audit Registry',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Registry',
},
'Transform': self.advanced_audit_transform,
},
'AuditRemovableStorage': {
'Policy': 'Audit Removable Storage',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Removable Storage',
},
'Transform': self.advanced_audit_transform,
},
'AuditSAM': {
'Policy': 'Audit SAM',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit SAM',
},
'Transform': self.advanced_audit_transform,
},
'AuditCentralAccessPolicyStaging': {
'Policy': 'Audit Central Access Policy Staging',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Central Access Policy Staging',
},
'Transform': self.advanced_audit_transform,
},
# Policy Change Section
'AuditAuditPolicyChange': {
'Policy': 'Audit Audit Policy Change',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Audit Policy Change',
},
'Transform': self.advanced_audit_transform,
},
'AuditAuthenticationPolicyChange': {
'Policy': 'Audit Authentication Policy Change',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Authentication Policy Change',
},
'Transform': self.advanced_audit_transform,
},
'AuditAuthorizationPolicyChange': {
'Policy': 'Audit Authorization Policy Change',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Authorization Policy Change',
},
'Transform': self.advanced_audit_transform,
},
'AuditFilteringPlatformPolicyChange': {
'Policy': 'Audit Filtering Platform Policy Change',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Filtering Platform Policy Change',
},
'Transform': self.advanced_audit_transform,
},
'AuditMPSSVCRuleLevelPolicyChange': {
'Policy': 'Audit MPSSVC Rule-Level Policy Change',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit MPSSVC Rule-Level Policy Change',
},
'Transform': self.advanced_audit_transform,
},
'AuditOtherPolicyChangeEvents': {
'Policy': 'Audit Other Policy Change Events',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Other Policy Change Events',
},
'Transform': self.advanced_audit_transform,
},
# Privilege Use Section
'AuditNonSensitivePrivilegeUse': {
'Policy': 'Audit Non Sensitive Privilege Use',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Non Sensitive Privilege Use',
},
'Transform': self.advanced_audit_transform,
},
'AuditOtherPrivilegeUseEvents': {
'Policy': 'Audit Other Privilege Use Events',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Other Privilege Use Events',
},
'Transform': self.advanced_audit_transform,
},
'AuditSensitivePrivilegeUse': {
'Policy': 'Audit Sensitive Privilege Use',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Sensitive Privilege Use',
},
'Transform': self.advanced_audit_transform,
},
# System Section
'AuditIPsecDriver': {
'Policy': 'Audit IPsec Driver',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit IPsec Driver',
},
'Transform': self.advanced_audit_transform,
},
'AuditOtherSystemEvents': {
'Policy': 'Audit Other System Events',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Other System Events',
},
'Transform': self.advanced_audit_transform,
},
'AuditSecurityStateChange': {
'Policy': 'Audit Security State Change',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Security State Change',
},
'Transform': self.advanced_audit_transform,
},
'AuditSecuritySystemExtension': {
'Policy': 'Audit Security System Extension',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit Security System Extension',
},
'Transform': self.advanced_audit_transform,
},
'AuditSystemIntegrity': {
'Policy': 'Audit System Integrity',
'lgpo_section': self.advanced_audit_policy_gpedit_path,
'Settings': self.advanced_audit_lookup.keys(),
'AdvAudit': {
'Option': 'Audit System Integrity',
},
'Transform': self.advanced_audit_transform,
},
########## END OF ADVANCED AUDIT POLICIES ##########
'SeTrustedCredManAccessPrivilege': {
'Policy': 'Access Credential Manager as a trusted '
'caller',
@ -4349,6 +4946,296 @@ def _buildElementNsmap(using_elements):
return thisMap
def _get_audit_defaults(option=None):
'''
Loads audit.csv defaults into a dict in __context__ called
'lgpo.audit_defaults'. The dictionary includes fieldnames and all
configurable policies as keys. The values are used to create/modify the
``audit.csv`` file. The first entry is `fieldnames` used to create the
header for the csv file. The rest of the entries are the audit policy names.
Sample data follows:
{
'fieldnames': ['Machine Name',
'Policy Target',
'Subcategory',
'Subcategory GUID',
'Inclusion Setting',
'Exclusion Setting',
'Setting Value'],
'Audit Sensitive Privilege Use': {'Auditpol Name': 'Sensitive Privilege Use',
'Exclusion Setting': '',
'Inclusion Setting': 'No Auditing',
'Machine Name': 'WIN-8FGT3E045SE',
'Policy Target': 'System',
'Setting Value': '0',
'Subcategory': u'Audit Sensitive Privilege Use',
'Subcategory GUID': '{0CCE9228-69AE-11D9-BED3-505054503030}'},
'Audit Special Logon': {'Auditpol Name': 'Special Logon',
'Exclusion Setting': '',
'Inclusion Setting': 'No Auditing',
'Machine Name': 'WIN-8FGT3E045SE',
'Policy Target': 'System',
'Setting Value': '0',
'Subcategory': u'Audit Special Logon',
'Subcategory GUID': '{0CCE921B-69AE-11D9-BED3-505054503030}'},
'Audit System Integrity': {'Auditpol Name': 'System Integrity',
'Exclusion Setting': '',
'Inclusion Setting': 'No Auditing',
'Machine Name': 'WIN-8FGT3E045SE',
'Policy Target': 'System',
'Setting Value': '0',
'Subcategory': u'Audit System Integrity',
'Subcategory GUID': '{0CCE9212-69AE-11D9-BED3-505054503030}'},
...
}
.. note::
`Auditpol Name` designates the value to use when setting the value with
the auditpol command
Args:
option (str): The item from the dictionary to return. If ``None`` the
entire dictionary is returned. Default is ``None``
Returns:
dict: If ``None`` or one of the audit settings is passed
list: If ``fieldnames`` is passed
'''
if 'lgpo.audit_defaults' not in __context__:
# Get available setting names and GUIDs
# This is used to get the fieldnames and GUIDs for individual policies
log.debug('Loading auditpol defaults into __context__')
dump = __utils__['auditpol.get_auditpol_dump']()
reader = csv.DictReader(dump)
audit_defaults = {'fieldnames': reader.fieldnames}
for row in reader:
row['Machine Name'] = ''
row['Auditpol Name'] = row['Subcategory']
# Special handling for snowflake scenarios where the audit.csv names
# don't match the auditpol names
if row['Subcategory'] == 'Central Policy Staging':
row['Subcategory'] = 'Audit Central Access Policy Staging'
elif row['Subcategory'] == 'Plug and Play Events':
row['Subcategory'] = 'Audit PNP Activity'
elif row['Subcategory'] == 'Token Right Adjusted Events':
row['Subcategory'] = 'Audit Token Right Adjusted'
else:
row['Subcategory'] = 'Audit {0}'.format(row['Subcategory'])
audit_defaults[row['Subcategory']] = row
__context__['lgpo.audit_defaults'] = audit_defaults
if option:
return __context__['lgpo.audit_defaults'][option]
else:
return __context__['lgpo.audit_defaults']
def _findOptionValueAdvAudit(option):
'''
Get the Advanced Auditing policy as configured in
``C:\\Windows\\Security\\Audit\\audit.csv``
Args:
option (str): The name of the setting as it appears in audit.csv
Returns:
bool: ``True`` if successful, otherwise ``False``
'''
if 'lgpo.adv_audit_data' not in __context__:
system_root = os.environ.get('SystemRoot', 'C:\\Windows')
f_audit = os.path.join(system_root, 'security', 'audit', 'audit.csv')
f_audit_gpo = os.path.join(system_root, 'System32', 'GroupPolicy',
'Machine', 'Microsoft', 'Windows NT',
'Audit', 'audit.csv')
# Make sure there is an existing audit.csv file on the machine
if not __salt__['file.file_exists'](f_audit):
if __salt__['file.file_exists'](f_audit_gpo):
# If the GPO audit.csv exists, we'll use that one
__salt__['file.copy'](f_audit_gpo, f_audit)
else:
field_names = _get_audit_defaults('fieldnames')
# If the file doesn't exist anywhere, create it with default
# fieldnames
__salt__['file.touch'](f_audit)
__salt__['file.append'](f_audit, ','.join(field_names))
audit_settings = {}
with salt.utils.files.fopen(f_audit, mode='r') as csv_file:
reader = csv.DictReader(csv_file)
for row in reader:
audit_settings.update(
{row['Subcategory']: row['Setting Value']})
__context__['lgpo.adv_audit_data'] = audit_settings
return __context__['lgpo.adv_audit_data'].get(option, None)
def _set_audit_file_data(option, value):
'''
Helper function that sets the Advanced Audit settings in the two .csv files
on Windows. Those files are located at:
C:\\Windows\\Security\\Audit\\audit.csv
C:\\Windows\\System32\\GroupPolicy\\Machine\\Microsoft\\Windows NT\\Audit\\audit.csv
Args:
option (str): The name of the option to set
value (str): The value to set. ['None', '0', '1', '2', '3']
Returns:
bool: ``True`` if successful, otherwise ``False``
'''
# Set up some paths here
system_root = os.environ.get('SystemRoot', 'C:\\Windows')
f_audit = os.path.join(system_root, 'security', 'audit', 'audit.csv')
f_audit_gpo = os.path.join(system_root, 'System32', 'GroupPolicy',
'Machine', 'Microsoft', 'Windows NT',
'Audit', 'audit.csv')
f_temp = tempfile.NamedTemporaryFile(mode='w', delete=False, suffix='.csv',
prefix='audit')
# Lookup dict for "Inclusion Setting" field
auditpol_values = {'None': 'No Auditing',
'0': 'No Auditing',
'1': 'Success',
'2': 'Failure',
'3': 'Success and Failure'}
try:
# Open the existing audit.csv and load the csv `reader`
with salt.utils.files.fopen(f_audit, mode='r') as csv_file:
reader = csv.DictReader(csv_file)
# Open the temporary .csv and load the csv `writer`
with salt.utils.files.fopen(f_temp.name, mode='w') as tmp_file:
writer = csv.DictWriter(tmp_file, fieldnames=reader.fieldnames)
# Write the header values (labels)
writer.writeheader()
value_written = False
# Loop through the current audit.csv and write the changes to
# the temp csv file for existing settings
for row in reader:
# If the row matches the value we're setting, update it with
# the new value
if row['Subcategory'] == option:
if not value == 'None':
# The value is not None, make the change
row['Inclusion Setting'] = auditpol_values[value]
row['Setting Value'] = value
log.debug('LGPO: Setting {0} to {1}'
''.format(option, value))
writer.writerow(row)
else:
# value is None, remove it by not writing it to the
# temp file
log.debug('LGPO: Removing {0}'.format(option))
value_written = True
# If it's not the value we're setting, just write it
else:
writer.writerow(row)
# If a value was not written, it is a new setting not found in
# the existing audit.cvs file. Add the new setting with values
# from the defaults
if not value_written:
if not value == 'None':
# value is not None, write the new value
log.debug('LGPO: Setting {0} to {1}'
''.format(option, value))
defaults = _get_audit_defaults(option)
writer.writerow({
'Machine Name': defaults['Machine Name'],
'Policy Target': defaults['Policy Target'],
'Subcategory': defaults['Subcategory'],
'Subcategory GUID': defaults['Subcategory GUID'],
'Inclusion Setting': auditpol_values[value],
'Exclusion Setting': defaults['Exclusion Setting'],
'Setting Value': value})
value_written = True
if value_written:
# Copy the temporary csv file over the existing audit.csv in both
# locations if a value was written
__salt__['file.copy'](f_temp.name, f_audit, remove_existing=True)
__salt__['file.copy'](f_temp.name, f_audit_gpo, remove_existing=True)
finally:
f_temp.close()
__salt__['file.remove'](f_temp.name)
return value_written
def _set_auditpol_data(option, value):
'''
Helper function that updates the current applied settings to match what has
just been set in the audit.csv files. We're doing it this way instead of
running `gpupdate`
Args:
option (str): The name of the option to set
value (str): The value to set. ['None', '0', '1', '2', '3']
Returns:
bool: ``True`` if successful, otherwise ``False``
'''
auditpol_values = {'None': 'No Auditing',
'0': 'No Auditing',
'1': 'Success',
'2': 'Failure',
'3': 'Success and Failure'}
defaults = _get_audit_defaults(option)
return __utils__['auditpol.set_setting'](
name=defaults['Auditpol Name'],
value=auditpol_values[value])
def _setOptionValueAdvAudit(option, value):
'''
Helper function to update the Advanced Audit policy on the machine. This
function modifies the two ``audit.csv`` files in the following locations:
C:\\Windows\\Security\\Audit\\audit.csv
C:\\Windows\\System32\\GroupPolicy\\Machine\\Microsoft\\Windows NT\\Audit\\audit.csv
Then it applies those settings using ``auditpol``
After that, it updates ``__context__`` with the new setting
Args:
option (str): The name of the option to set
value (str): The value to set. ['None', '0', '1', '2', '3']
Returns:
bool: ``True`` if successful, otherwise ``False``
'''
# Set the values in both audit.csv files
if not _set_audit_file_data(option=option, value=value):
raise CommandExecutionError('Failed to set audit.csv option: {0}'
''.format(option))
# Apply the settings locally
if not _set_auditpol_data(option=option, value=value):
# Only log this error, it will be in effect the next time the machine
# updates its policy
log.debug('Failed to apply audit setting: {0}'.format(option))
# Update __context__
if value is None:
log.debug('LGPO: Removing Advanced Audit data: {0}'.format(option))
__context__['lgpo.adv_audit_data'].pop(option)
else:
log.debug('LGPO: Updating Advanced Audit data: {0}: {1}'
''.format(option, value))
__context__['lgpo.adv_audit_data'][option] = value
return True
def _findOptionValueNetSH(profile, option):
if 'lgpo.netsh_data' not in __context__:
__context__['lgpo.netsh_data'] = {}
@ -6770,7 +7657,10 @@ def get(policy_class=None, return_full_policy_names=True,
class_vals[policy_name] = _findOptionValueNetSH(
profile=_pol['NetSH']['Profile'],
option=_pol['NetSH']['Option'])
elif 'AdvAudit' in _pol:
# get value from auditpol
class_vals[policy_name] = _findOptionValueAdvAudit(
option=_pol['AdvAudit']['Option'])
elif 'NetUserModal' in _pol:
# get value from UserNetMod
if _pol['NetUserModal']['Modal'] not in modal_returns:
@ -6993,6 +7883,7 @@ def set_(computer_policy=None, user_policy=None,
for p_class in policies:
_secedits = {}
_netshs = {}
_advaudits = {}
_modal_sets = {}
_admTemplateData = {}
_regedits = {}
@ -7041,6 +7932,12 @@ def set_(computer_policy=None, user_policy=None,
'option': _pol['NetSH']['Option'],
'value': six.text_type(_value)
})
elif 'AdvAudit' in _pol:
# set value with advaudit
_advaudits.setdefault(policy_name, {
'option': _pol['AdvAudit']['Option'],
'value': six.text_type(_value)
})
elif 'NetUserModal' in _pol:
# set value via NetUserModal
log.debug('%s is a NetUserModal policy', policy_name)
@ -7237,6 +8134,13 @@ def set_(computer_policy=None, user_policy=None,
log.debug(_netshs[setting])
_setOptionValueNetSH(**_netshs[setting])
if _advaudits:
# We've got AdvAudit settings to make
for setting in _advaudits:
log.debug('Setting Advanced Audit policy: {0}'.format(setting))
log.debug(_advaudits[setting])
_setOptionValueAdvAudit(**_advaudits[setting])
if _modal_sets:
# we've got modalsets to make
log.debug(_modal_sets)

25
salt/modules/x509.py
View File

@ -671,7 +671,7 @@ def read_crl(crl):
text = get_pem_entry(text, pem_type='X509 CRL')
crltempfile = tempfile.NamedTemporaryFile()
crltempfile.write(text)
crltempfile.write(salt.utils.stringutils.to_str(text))
crltempfile.flush()
crlparsed = _parse_openssl_crl(crltempfile.name)
crltempfile.close()
@ -776,21 +776,22 @@ def write_pem(text, path, overwrite=True, pem_type=None):
text = get_pem_entry(text, pem_type=pem_type)
_dhparams = ''
_private_key = ''
if pem_type and pem_type == 'CERTIFICATE' and os.path.isfile(path) and \
not overwrite:
if pem_type and pem_type == 'CERTIFICATE' and os.path.isfile(path) and not overwrite:
_filecontents = _text_or_file(path)
try:
_dhparams = get_pem_entry(_filecontents, 'DH PARAMETERS')
except salt.exceptions.SaltInvocationError:
pass
except salt.exceptions.SaltInvocationError as err:
log.debug("Error when getting DH PARAMETERS: %s", err)
log.trace(err, exc_info=err)
try:
_private_key = get_pem_entry(_filecontents, '(?:RSA )?PRIVATE KEY')
except salt.exceptions.SaltInvocationError:
pass
except salt.exceptions.SaltInvocationError as err:
log.debug("Error when getting PRIVATE KEY: %s", err)
log.trace(err, exc_info=err)
with salt.utils.files.fopen(path, 'w') as _fp:
if pem_type and pem_type == 'CERTIFICATE' and _private_key:
_fp.write(salt.utils.stringutils.to_str(_private_key))
_fp.write(text)
_fp.write(salt.utils.stringutils.to_str(text))
if pem_type and pem_type == 'CERTIFICATE' and _dhparams:
_fp.write(salt.utils.stringutils.to_str(_dhparams))
return 'PEM written to {0}'.format(path)
@ -1375,9 +1376,9 @@ def create_certificate(
pem_type='CERTIFICATE REQUEST').replace('\n', '')
if 'public_key' in kwargs:
# Strip newlines to make passing through as cli functions easier
kwargs['public_key'] = get_public_key(
kwargs['public_key'] = salt.utils.stringutils.to_str(get_public_key(
kwargs['public_key'],
passphrase=kwargs['public_key_passphrase']).replace('\n', '')
passphrase=kwargs['public_key_passphrase'])).replace('\n', '')
# Remove system entries in kwargs
# Including listen_in and preqreuired because they are not included
@ -1778,13 +1779,13 @@ def verify_crl(crl, cert):
crltext = _text_or_file(crl)
crltext = get_pem_entry(crltext, pem_type='X509 CRL')
crltempfile = tempfile.NamedTemporaryFile()
crltempfile.write(crltext)
crltempfile.write(salt.utils.stringutils.to_str(crltext))
crltempfile.flush()
certtext = _text_or_file(cert)
certtext = get_pem_entry(certtext, pem_type='CERTIFICATE')
certtempfile = tempfile.NamedTemporaryFile()
certtempfile.write(certtext)
certtempfile.write(salt.utils.stringutils.to_str(certtext))
certtempfile.flush()
cmd = ('openssl crl -noout -in {0} -CAfile {1}'.format(

50
salt/output/profile.py
View File

@ -1,4 +1,31 @@
# -*- coding: utf-8 -*-
'''
Display profiling data in a table format
========================================
Show profile data for returners that would normally show a highstate output.
salt MINION state.apply something --out=profile
Attempt to output the returns of state.sls and state.highstate as a table of
names, modules and durations that looks somewhat like the following::
name mod.fun duration (ms)
--------------------------------------------------------
I-fail-unless-stmt other.function -1.0000
old-minion-config grains.list_present 1.1200
salt-data group.present 48.3800
/etc/salt/minion file.managed 63.1450
To get the above appearance, use settings something like these::
out.table.separate_rows: False
out.table.justify: left
out.table.delim: ' '
out.table.prefix: ''
out.table.suffix: ''
'''
from __future__ import absolute_import, print_function, unicode_literals
import salt.output.table_out as table_out
@ -39,28 +66,7 @@ def _find_durations(data, name_max=60):
def output(data, **kwargs):
'''
Show profile data for returners that would normally show a highstate output.
salt globhere state.sls something --out=profile
Attempt to output the returns of state.sls and state.highstate as a table of
names, modules and durations that looks somewhat like the following:
name mod.fun duration (ms)
--------------------------------------------------------
I-fail-unless-stmt other.function -1.0000
old-minion-config grains.list_present 1.1200
salt-data group.present 48.3800
/etc/salt/minion file.managed 63.1450
To get the above appearance, use settings something like these:
out.table.separate_rows: False
out.table.justify: left
out.table.delim: ' '
out.table.prefix: ''
out.table.suffix: ''
Display the profiling data in a table format.
'''
rows = _find_durations(data)

4
salt/states/elasticsearch.py
View File

@ -234,7 +234,7 @@ def index_template_absent(name):
def index_template_present(name, definition, check_definition=False):
'''
Ensure that the named index templat eis present.
Ensure that the named index template is present.
name
Name of the index to add
@ -248,7 +248,7 @@ def index_template_present(name, definition, check_definition=False):
.. code-block:: yaml
mytestindex2_template:
elasticsearch_index_template.present:
elasticsearch.index_template_present:
- definition:
template: logstash-*
order: 1

18
salt/utils/network.py
View File

@ -137,7 +137,23 @@ def _generate_minion_id():
def first(self):
return self and self[0] or None
hosts = DistinctList().append(socket.getfqdn()).append(platform.node()).append(socket.gethostname())
hosts = DistinctList([])
try:
hosts.append(socket.getfqdn())
except ValueError:
pass
try:
hosts.append(platform.node())
except ValueError:
pass
try:
hosts.append(socket.gethostname())
except ValueError:
pass
if not hosts:
try:
for a_nfo in socket.getaddrinfo(hosts.first() or 'localhost', None, socket.AF_INET,

2
salt/utils/vt.py
View File

@ -686,7 +686,7 @@ class Terminal(object):
stdout = None
else:
if self.stream_stdout:
self.stream_stdout.write(salt.utils.data.encode(stdout))
self.stream_stdout.write(salt.utils.stringutils.to_str(stdout))
self.stream_stdout.flush()
if self.stdout_logger:

307
salt/utils/win_lgpo_auditpol.py Normal file
View File

@ -0,0 +1,307 @@
# -*- coding: utf-8 -*-
r'''
A salt util for modifying the audit policies on the machine. This util is used
by the ``win_auditpol`` and ``win_lgpo`` modules.
Though this utility does not set group policy for auditing, it displays how all
auditing configuration is applied on the machine, either set directly or via
local or domain group policy.
.. versionadded:: 2018.3.4
.. versionadded:: 2019.2.1
This util allows you to view and modify the audit settings as they are applied
on the machine. The audit settings are broken down into nine categories:
- Account Logon
- Account Management
- Detailed Tracking
- DS Access
- Logon/Logoff
- Object Access
- Policy Change
- Privilege Use
- System
The ``get_settings`` function will return the subcategories for all nine of
the above categories in one dictionary along with their auditing status.
To modify a setting you only need to specify the subcategory name and the value
you wish to set. Valid settings are:
- No Auditing
- Success
- Failure
- Success and Failure
Usage:
.. code-block:: python
import salt.utils.win_lgpo_auditpol
# Get current state of all audit settings
salt.utils.win_lgpo_auditpol.get_settings()
# Get the current state of all audit settings in the "Account Logon"
# category
salt.utils.win_lgpo_auditpol.get_settings(category="Account Logon")
# Get current state of the "Credential Validation" setting
salt.utils.win_lgpo_auditpol.get_setting(name='Credential Validation')
# Set the state of the "Credential Validation" setting to Success and
# Failure
salt.utils.win_lgpo_auditpol.set_setting(name='Credential Validation',
value='Success and Failure')
# Set the state of the "Credential Validation" setting to No Auditing
salt.utils.win_lgpo_auditpol.set_setting(name='Credential Validation',
value='No Auditing')
'''
# Import Python libs
from __future__ import absolute_import, unicode_literals, print_function
import logging
import re
import tempfile
# Import Salt libs
import salt.utils.files
import salt.utils.platform
from salt.exceptions import CommandExecutionError
# Import 3rd Party libs
from salt.ext.six.moves import zip
log = logging.getLogger(__name__)
__virtualname__ = 'auditpol'
categories = ['Account Logon',
'Account Management',
'Detailed Tracking',
'DS Access',
'Logon/Logoff',
'Object Access',
'Policy Change',
'Privilege Use',
'System']
settings = {'No Auditing': '/success:disable /failure:disable',
'Success': '/success:enable /failure:disable',
'Failure': '/success:disable /failure:enable',
'Success and Failure': '/success:enable /failure:enable'}
# Although utils are often directly imported, it is also possible to use the
# loader.
def __virtual__():
'''
Only load if on a Windows system
'''
if not salt.utils.platform.is_windows():
return False, 'This utility only available on Windows'
return __virtualname__
def _auditpol_cmd(cmd):
'''
Helper function for running the auditpol command
Args:
cmd (str): the auditpol command to run
Returns:
list: A list containing each line of the return (splitlines)
Raises:
CommandExecutionError: If the command encounters an error
'''
ret = __salt__['cmd.run_all'](cmd='auditpol {0}'.format(cmd),
python_shell=True)
if ret['retcode'] == 0:
return ret['stdout'].splitlines()
msg = 'Error executing auditpol command: {0}\n'.format(cmd)
msg += '\n'.join(ret['stdout'])
raise CommandExecutionError(msg)
def get_settings(category='All'):
'''
Get the current configuration for all audit settings specified in the
category
Args:
category (str):
One of the nine categories to return. Can also be ``All`` to return
the settings for all categories. Valid options are:
- Account Logon
- Account Management
- Detailed Tracking
- DS Access
- Logon/Logoff
- Object Access
- Policy Change
- Privilege Use
- System
- All
Default value is ``All``
Returns:
dict: A dictionary containing all subcategories for the specified
category along with their current configuration
Raises:
KeyError: On invalid category
CommandExecutionError: If an error is encountered retrieving the settings
Usage:
.. code-block:: python
import salt.utils.win_lgpo_auditpol
# Get current state of all audit settings
salt.utils.win_lgpo_auditpol.get_settings()
# Get the current state of all audit settings in the "Account Logon"
# category
salt.utils.win_lgpo_auditpol.get_settings(category="Account Logon")
'''
# Parameter validation
if category.lower() in ['all', '*']:
category = '*'
elif category.lower() not in [x.lower() for x in categories]:
raise KeyError('Invalid category: "{0}"'.format(category))
cmd = '/get /category:"{0}"'.format(category)
results = _auditpol_cmd(cmd)
ret = {}
# Skip the first 2 lines
for line in results[3:]:
if ' ' in line.strip():
ret.update(dict(list(zip(*[iter(re.split(r"\s{2,}", line.strip()))]*2))))
return ret
def get_setting(name):
'''
Get the current configuration for the named audit setting
Args:
name (str): The name of the setting to retrieve
Returns:
str: The current configuration for the named setting
Raises:
KeyError: On invalid setting name
CommandExecutionError: If an error is encountered retrieving the settings
Usage:
.. code-block:: python
import salt.utils.win_lgpo_auditpol
# Get current state of the "Credential Validation" setting
salt.utils.win_lgpo_auditpol.get_setting(name='Credential Validation')
'''
current_settings = get_settings(category='All')
for setting in current_settings:
if name.lower() == setting.lower():
return current_settings[setting]
raise KeyError('Invalid name: {0}'.format(name))
def _get_valid_names():
if 'auditpol.valid_names' not in __context__:
settings = get_settings(category='All')
__context__['auditpol.valid_names'] = [k.lower() for k in settings]
return __context__['auditpol.valid_names']
def set_setting(name, value):
'''
Set the configuration for the named audit setting
Args:
name (str):
The name of the setting to configure
value (str):
The configuration for the named value. Valid options are:
- No Auditing
- Success
- Failure
- Success and Failure
Returns:
bool: True if successful
Raises:
KeyError: On invalid ``name`` or ``value``
CommandExecutionError: If an error is encountered modifying the setting
Usage:
.. code-block:: python
import salt.utils.win_lgpo_auditpol
# Set the state of the "Credential Validation" setting to Success and
# Failure
salt.utils.win_lgpo_auditpol.set_setting(name='Credential Validation',
value='Success and Failure')
# Set the state of the "Credential Validation" setting to No Auditing
salt.utils.win_lgpo_auditpol.set_setting(name='Credential Validation',
value='No Auditing')
'''
# Input validation
if name.lower() not in _get_valid_names():
raise KeyError('Invalid name: {0}'.format(name))
for setting in settings:
if value.lower() == setting.lower():
cmd = '/set /subcategory:"{0}" {1}'.format(name, settings[setting])
break
else:
raise KeyError('Invalid setting value: {0}'.format(value))
_auditpol_cmd(cmd)
return True
def get_auditpol_dump():
'''
Gets the contents of an auditpol /backup. Used by the LGPO module to get
fieldnames and GUIDs for Advanced Audit policies.
Returns:
list: A list of lines form the backup file
Usage:
.. code-block:: python
import salt.utils.win_lgpo_auditpol
dump = salt.utils.win_lgpo_auditpol.get_auditpol_dump()
'''
# Just get a temporary file name
# NamedTemporaryFile will delete the file it creates by default on Windows
with tempfile.NamedTemporaryFile(suffix='.csv') as tmp_file:
csv_file = tmp_file.name
cmd = '/backup /file:{0}'.format(csv_file)
_auditpol_cmd(cmd)
with salt.utils.files.fopen(csv_file) as fp:
return fp.readlines()

13
salt/utils/win_lgpo_netsh.py
View File

@ -81,6 +81,19 @@ from salt.ext.six.moves import zip
log = logging.getLogger(__name__)
__hostname__ = socket.gethostname()
__virtualname__ = 'netsh'
# Although utils are often directly imported, it is also possible to use the
# loader.
def __virtual__():
'''
Only load if on a Windows system
'''
if not salt.utils.platform.is_windows():
return False, 'This utility only available on Windows'
return __virtualname__
def _netsh_file(content):

11
tests/unit/modules/test_debian_ip.py
View File

@ -474,14 +474,17 @@ class DebianIpTestCase(TestCase, LoaderModuleMockMixin):
patch('salt.modules.debian_ip._parse_hostname',
MagicMock(return_value='SaltStack')), \
patch('salt.modules.debian_ip._parse_domainname',
MagicMock(return_value='saltstack.com')):
MagicMock(return_value='saltstack.com')), \
patch('salt.modules.debian_ip._parse_searchdomain',
MagicMock(return_value='test.saltstack.com')):
mock_avai = MagicMock(return_value=True)
with patch.dict(debian_ip.__salt__, {'service.available': mock_avai,
'service.status': mock_avai}):
self.assertEqual(debian_ip.get_network_settings(),
['NETWORKING=yes\n',
'HOSTNAME=SaltStack\n',
'DOMAIN=saltstack.com\n'])
[u'NETWORKING=yes\n',
u'HOSTNAME=SaltStack\n',
u'DOMAIN=saltstack.com\n',
u'SEARCH=test.saltstack.com\n'])
mock = MagicMock(side_effect=jinja2.exceptions.TemplateNotFound
('error'))

115
tests/unit/modules/test_mysql.py
View File

@ -24,6 +24,52 @@ try:
except Exception:
NO_MYSQL = True
__all_privileges__ = [
'ALTER',
'ALTER ROUTINE',
'BACKUP_ADMIN',
'BINLOG_ADMIN',
'CONNECTION_ADMIN',
'CREATE',
'CREATE ROLE',
'CREATE ROUTINE',
'CREATE TABLESPACE',
'CREATE TEMPORARY TABLES',
'CREATE USER',
'CREATE VIEW',
'DELETE',
'DROP',
'DROP ROLE',
'ENCRYPTION_KEY_ADMIN',
'EVENT',
'EXECUTE',
'FILE',
'GROUP_REPLICATION_ADMIN',
'INDEX',
'INSERT',
'LOCK TABLES',
'PERSIST_RO_VARIABLES_ADMIN',
'PROCESS',
'REFERENCES',
'RELOAD',
'REPLICATION CLIENT',
'REPLICATION SLAVE',
'REPLICATION_SLAVE_ADMIN',
'RESOURCE_GROUP_ADMIN',
'RESOURCE_GROUP_USER',
'ROLE_ADMIN',
'SELECT',
'SET_USER_ID',
'SHOW DATABASES',
'SHOW VIEW',
'SHUTDOWN',
'SUPER',
'SYSTEM_VARIABLES_ADMIN',
'TRIGGER',
'UPDATE',
'XA_RECOVER_ADMIN'
]
@skipIf(NO_MOCK, NO_MOCK_REASON)
@skipIf(NO_MYSQL, 'Install MySQL bindings before running MySQL unit tests.')
@ -256,15 +302,16 @@ class MySQLTestCase(TestCase, LoaderModuleMockMixin):
"GRANT SELECT ON `testdb`.`testtabletwo` TO 'testuer'@'%'",
"GRANT SELECT ON `testdb`.`testtablethree` TO 'testuser'@'%'",
]
mock = MagicMock(return_value=mock_grants)
with patch.object(mysql, 'user_grants', return_value=mock_grants) as mock_user_grants:
ret = mysql.grant_exists(
'SELECT, INSERT, UPDATE',
'testdb.testtableone',
'testuser',
'%'
)
self.assertEqual(ret, True)
with patch.object(mysql, 'version', return_value='5.6.41'):
mock = MagicMock(return_value=mock_grants)
with patch.object(mysql, 'user_grants', return_value=mock_grants) as mock_user_grants:
ret = mysql.grant_exists(
'SELECT, INSERT, UPDATE',
'testdb.testtableone',
'testuser',
'%'
)
self.assertEqual(ret, True)
def test_grant_exists_false(self):
'''
@ -275,15 +322,47 @@ class MySQLTestCase(TestCase, LoaderModuleMockMixin):
"GRANT SELECT, INSERT, UPDATE ON `testdb`.`testtableone` TO 'testuser'@'%'",
"GRANT SELECT ON `testdb`.`testtablethree` TO 'testuser'@'%'",
]
mock = MagicMock(return_value=mock_grants)
with patch.object(mysql, 'user_grants', return_value=mock_grants) as mock_user_grants:
ret = mysql.grant_exists(
'SELECT',
'testdb.testtabletwo',
'testuser',
'%'
)
self.assertEqual(ret, False)
with patch.object(mysql, 'version', return_value='5.6.41'):
mock = MagicMock(return_value=mock_grants)
with patch.object(mysql, 'user_grants', return_value=mock_grants) as mock_user_grants:
ret = mysql.grant_exists(
'SELECT',
'testdb.testtabletwo',
'testuser',
'%'
)
self.assertEqual(ret, False)
def test_grant_exists_all(self):
'''
Test to ensure that we can find a grant that exists
'''
mock_grants = [
"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON testdb.testtableone TO `testuser`@`%`",
"GRANT BACKUP_ADMIN,BINLOG_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION_ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SET_USER_ID,SYSTEM_VARIABLES_ADMIN,XA_RECOVER_ADMIN ON testdb.testtableone TO `testuser`@`%`"
]
with patch.object(mysql, 'version', return_value='8.0.10'):
mock = MagicMock(return_value=mock_grants)
with patch.object(mysql, 'user_grants', return_value=mock_grants) as mock_user_grants:
ret = mysql.grant_exists(
'ALL',
'testdb.testtableone',
'testuser',
'%'
)
self.assertEqual(ret, True)
mock_grants = ["GRANT ALL PRIVILEGES ON testdb.testtableone TO `testuser`@`%`"]
with patch.object(mysql, 'version', return_value='5.6.41'):
mock = MagicMock(return_value=mock_grants)
with patch.object(mysql, 'user_grants', return_value=mock_grants) as mock_user_grants:
ret = mysql.grant_exists(
'ALL PRIVILEGES',
'testdb.testtableone',
'testuser',
'%'
)
self.assertEqual(ret, True)
@skipIf(True, 'TODO: Mock up user_grants()')
def test_grant_add(self):

84
tests/unit/states/test_git.py Normal file
View File

@ -0,0 +1,84 @@
# -*- coding: utf-8 -*-
'''
:codeauthor: Erik Johnson <erik@saltstack.com>
'''
# Import Python libs
from __future__ import absolute_import
import logging
import os
# Import Salt Testing Libs
from tests.support.helpers import with_tempdir
from tests.support.mixins import LoaderModuleMockMixin
from tests.support.unit import TestCase, skipIf
from tests.support.mock import (
Mock,
MagicMock,
patch,
DEFAULT,
NO_MOCK,
NO_MOCK_REASON,
)
# Import Salt Libs
import salt.states.git as git_state # Don't potentially shadow GitPython
log = logging.getLogger(__name__)
@skipIf(NO_MOCK, NO_MOCK_REASON)
class GitTestCase(TestCase, LoaderModuleMockMixin):
'''
Test cases for salt.states.git
'''
def setup_loader_modules(self):
return {
git_state: {
'__env__': 'base',
'__opts__': {'test': False},
'__salt__': {},
}
}
@with_tempdir()
def test_latest_no_diff_for_bare_repo(self, target):
'''
This test ensures that we don't attempt to diff when cloning a repo
using either bare=True or mirror=True.
'''
name = 'https://foo.com/bar/baz.git'
gitdir = os.path.join(target, 'refs')
isdir_mock = MagicMock(
side_effect=lambda path: DEFAULT if path != gitdir else True)
branches = ['foo', 'bar', 'baz']
tags = ['v1.1.0', 'v.1.1.1', 'v1.2.0']
local_head = 'b9ef06ab6b7524eb7c27d740dbbd5109c6d75ee4'
remote_head = 'eef672c1ec9b8e613905dbcd22a4612e31162807'
git_diff = Mock()
dunder_salt = {
'git.current_branch': MagicMock(return_value=branches[0]),
'git.diff': git_diff,
'git.fetch': MagicMock(return_value={}),
'git.is_worktree': MagicMock(return_value=False),
'git.list_branches': MagicMock(return_value=branches),
'git.list_tags': MagicMock(return_value=tags),
'git.remote_refs': MagicMock(return_value={'HEAD': remote_head}),
'git.remotes': MagicMock(return_value={
'origin': {'fetch': name, 'push': name},
}),
'git.rev_parse': MagicMock(side_effect=git_state.CommandExecutionError()),
'git.revision': MagicMock(return_value=local_head),
'git.version': MagicMock(return_value='1.8.3.1'),
}
with patch('os.path.isdir', isdir_mock), \
patch.dict(git_state.__salt__, dunder_salt):
result = git_state.latest(
name=name,
target=target,
mirror=True, # mirror=True implies bare=True
)
assert result['result'] is True, result
git_diff.assert_not_called()

1
tests/unit/states/test_user.py
View File

@ -240,6 +240,7 @@ class UserTestCase(TestCase, LoaderModuleMockMixin):
'shadow.default_hash': shadow_hash,
'file.group_to_gid': MagicMock(side_effect=['foo']),
'file.gid_to_group': MagicMock(side_effect=[5000])}
def mock_exists(*args):
return True

2
tests/unit/test_crypt.py
View File

@ -8,7 +8,7 @@ import shutil
# salt testing libs
from tests.support.unit import TestCase, skipIf
from tests.support.mock import(
from tests.support.mock import (
patch,
mock_open,
NO_MOCK,

9
tests/unit/utils/test_network.py
View File

@ -181,6 +181,15 @@ class NetworkTestCase(TestCase):
with patch('salt.utils.files.fopen', fopen_mock):
assert 'thisismyhostname' in network._generate_minion_id()
def test_generate_minion_id_with_long_hostname(self):
'''
Test that hostnames longer than 63 characters do not raise
an exception when generating the minion ID
'''
with patch('socket.gethostbyaddr') as mock_gethostbyname:
mock_gethostbyname.side_effect = UnicodeError('encoding with \'idna\' codec failed')
self.assertTrue(network.generate_minion_id())
def test_is_ip(self):
self.assertTrue(network.is_ip('10.10.0.3'))
self.assertFalse(network.is_ip('0.9.800.1000'))

99
tests/unit/utils/test_win_lgpo_auditpol.py Normal file
View File

@ -0,0 +1,99 @@
# -*- coding: utf-8 -*-
# Import Python Libs
from __future__ import absolute_import, unicode_literals, print_function
import random
# Import Salt Testing Libs
from tests.support.mixins import LoaderModuleMockMixin
from tests.support.mock import NO_MOCK, NO_MOCK_REASON, patch, MagicMock
from tests.support.unit import TestCase, skipIf
# Import Salt Libs
import salt.modules.cmdmod
import salt.utils.platform
import salt.utils.win_lgpo_auditpol as win_lgpo_auditpol
settings = ['No Auditing', 'Success', 'Failure', 'Success and Failure']
@skipIf(NO_MOCK, NO_MOCK_REASON)
@skipIf(not salt.utils.platform.is_windows(), 'System is not Windows')
class WinLgpoAuditpolTestCase(TestCase, LoaderModuleMockMixin):
def setup_loader_modules(self):
return {
win_lgpo_auditpol: {
'__context__': {},
'__salt__': {
'cmd.run_all': salt.modules.cmdmod.run_all
}}}
def test_get_settings(self):
names = win_lgpo_auditpol._get_valid_names()
ret = win_lgpo_auditpol.get_settings(category='All')
for name in names:
self.assertIn(name, [k.lower() for k in ret])
def test_get_settings_invalid_category(self):
self.assertRaises(
KeyError,
win_lgpo_auditpol.get_settings,
category='Fake Category')
def test_get_setting(self):
names = win_lgpo_auditpol._get_valid_names()
for name in names:
ret = win_lgpo_auditpol.get_setting(name)
self.assertIn(ret, settings)
def test_get_setting_invalid_name(self):
self.assertRaises(
KeyError,
win_lgpo_auditpol.get_setting,
name='Fake Name')
def test_set_setting(self):
names = ['Credential Validation', 'IPsec Driver', 'File System', 'SAM']
mock_set = MagicMock(return_value={'retcode': 0, 'stdout': 'Success'})
with patch.dict(win_lgpo_auditpol.__salt__, {'cmd.run_all': mock_set}):
with patch.object(win_lgpo_auditpol, '_get_valid_names',
return_value=[k.lower() for k in names]):
for name in names:
value = random.choice(settings)
win_lgpo_auditpol.set_setting(name=name, value=value)
switches = win_lgpo_auditpol.settings[value]
cmd = 'auditpol /set /subcategory:"{0}" {1}' \
''.format(name, switches)
mock_set.assert_called_once_with(cmd=cmd, python_shell=True)
mock_set.reset_mock()
def test_set_setting_invalid_setting(self):
names = ['Credential Validation', 'IPsec Driver', 'File System']
with patch.object(win_lgpo_auditpol, '_get_valid_names',
return_value=[k.lower() for k in names]):
self.assertRaises(
KeyError,
win_lgpo_auditpol.set_setting,
name='Fake Name',
value='No Auditing')
def test_set_setting_invalid_value(self):
names = ['Credential Validation', 'IPsec Driver', 'File System']
with patch.object(win_lgpo_auditpol, '_get_valid_names',
return_value=[k.lower() for k in names]):
self.assertRaises(
KeyError,
win_lgpo_auditpol.set_setting,
name='Credential Validation',
value='Fake Value')
def test_get_auditpol_dump(self):
names = win_lgpo_auditpol._get_valid_names()
dump = win_lgpo_auditpol.get_auditpol_dump()
for name in names:
found = False
for line in dump:
if name.lower() in line.lower():
found = True
break
self.assertTrue(found)