Validate exact pillar matches for publishes master-side

2024-11-09 01:36:48 +00:00 · 2014-11-06 18:16:15 -07:00 · 2014-11-06 18:16:15 -07:00 · 9d41b1fb39
commit 9d41b1fb39
parent 2d284fa1ff
3 changed files with 24 additions and 8 deletions
--- a/salt/daemons/masterapi.py
+++ b/salt/daemons/masterapi.py
@ -412,16 +412,12 @@ class RemoteFuncs(object):
            for arg in load['arg']:
                arg_.append(arg.split())
            load['arg'] = arg_
-        tgt_type = load.get('tgt_type', 'glob')
-        if tgt_type.lower() == 'pillar':
-            tgt_type = 'pillar_exact'
-        elif tgt_type.lower() == 'compound':
-            tgt_type = 'compound_pillar_exact'
        good = self.ckminions.auth_check(
                perms,
                load['fun'],
                load['tgt'],
-                tgt_type)
+                load.get('tgt_type', 'glob'),
+                publish_validate=True)
        if not good:
            return False
        return True
--- a/salt/master.py
+++ b/salt/master.py
@ -854,7 +854,8 @@ class AESFuncs(object):
            perms,
            clear_load['fun'],
            clear_load['tgt'],
-            clear_load.get('tgt_type', 'glob'))
+            clear_load.get('tgt_type', 'glob'),
+            publish_validate=True)

    def __verify_load(self, load, verify_keys):
        '''
--- a/salt/utils/minions.py
+++ b/salt/utils/minions.py
@ -572,13 +572,32 @@ class CkMinions(object):
                fun,
                form)

-    def auth_check(self, auth_list, funs, tgt, tgt_type='glob', groups=None):
+    def auth_check(self,
+                   auth_list,
+                   funs,
+                   tgt,
+                   tgt_type='glob',
+                   groups=None,
+                   publish_validate=False):
        '''
        Returns a bool which defines if the requested function is authorized.
        Used to evaluate the standard structure under external master
        authentication interfaces, like eauth, peer, peer_run, etc.
        '''
        # compound commands will come in a list so treat everything as a list
+        if publish_validate:
+            v_tgt_type = tgt_type
+            if tgt_type.lower() == 'pillar':
+                v_tgt_type = 'pillar_exact'
+            elif tgt_type.lower() == 'compound':
+                v_tgt_type = 'compound_pillar_exact'
+            v_minions = set(self.check_minions(tgt, v_tgt_type))
+            minions = set(self.check_minions(tgt, tgt_type))
+            mismatch = bool(minions.difference(v_minions))
+            # If the non-exact match gets more minions than the exact match
+            # then pillar globbing is being used, and we have a problem
+            if mismatch:
+                return False
        if not isinstance(funs, list):
            funs = [funs]
        try: