Merge pull request #24720 from TheScriptSage/develop

Issue 24621 - AD/LDAP Group Auth Issue
2024-11-08 01:18:58 +00:00 · 2015-06-17 09:43:08 -07:00 · 2015-06-17 09:43:08 -07:00 · f51bb58b83
commit f51bb58b83
parent 4e63e571e2 f76339503d
1 changed files with 22 additions and 10 deletions
--- a/salt/master.py
+++ b/salt/master.py
@ -1443,11 +1443,17 @@ class ClearFuncs(object):

        check_fun = getattr(self.ckminions,
                            '{auth}_check'.format(auth=auth_type))
-        good = check_fun(
-            self.opts['external_auth'][token['eauth']][token['name']]
-            if token['name'] in self.opts['external_auth'][token['eauth']]
-            else self.opts['external_auth'][token['eauth']]['*'],
-            fun)
+        if token['name'] in self.opts['external_auth'][token['eauth']]:
+            good = check_fun(self.opts['external_auth'][token['eauth']][token['name']], fun)
+        elif any(key.endswith('%') for key in self.opts['external_auth'][token['eauth']]):
+            for group in self.opts['external_auth'][token['eauth']]:
+                if group.endswith('%'):
+                    for group in self.opts['external_auth'][token['eauth']]:
+                        good = check_fun(self.opts['external_auth'][token['eauth']][group], fun)
+                        if good:
+                            break
+        else:
+            good = check_fun(self.opts['external_auth'][token['eauth']]['*'], fun)
        if not good:
            msg = ('Authentication failure of type "token" occurred for '
                   'user {0}.').format(token['name'])
@ -1491,13 +1497,19 @@ class ClearFuncs(object):
            log.warning(msg)
            return dict(error=dict(name='EauthAuthenticationError',
                                   message=msg))
+
        check_fun = getattr(self.ckminions,
                            '{auth}_check'.format(auth=auth_type))
-        good = check_fun(
-            self.opts['external_auth'][clear_load['eauth']][name]
-            if name in self.opts['external_auth'][clear_load['eauth']]
-            else self.opts['external_auth'][clear_load['eauth']]['*'],
-            clear_load['fun'])
+        if name in self.opts['external_auth'][clear_load['eauth']]:
+            good = check_fun(self.opts['external_auth'][clear_load['eauth']][name], clear_load['fun'])
+        elif any(key.endswith('%') for key in self.opts['external_auth'][clear_load['eauth']]):
+            for group in self.opts['external_auth'][clear_load['eauth']]:
+                if group.endswith('%'):
+                    good = check_fun(self.opts['external_auth'][clear_load['eauth']][group], clear_load['fun'])
+                    if good:
+                        break
+        else:
+            good = check_fun(self.opts['external_auth'][clear_load['eauth']]['*'], clear_load['fun'])
        if not good:
            msg = ('Authentication failure of type "eauth" occurred for '
                   'user {0}.').format(clear_load.get('username', 'UNKNOWN'))