Commit Graph

33677 Commits

Author SHA1 Message Date
Colton Myers
f11c5267b4 Merge pull request #13970 from techhat/pickles
File extension should be .p, not .pp
2014-07-03 12:49:04 -06:00
6dcad5f65c lint fix and improved log message when switching masters 2014-07-03 11:06:11 -07:00
ef9c517e76 add better error message when auth failed 2014-07-03 10:44:57 -07:00
54a1eba6c9 fix spacing, do not auth on failed verification 2014-07-03 10:44:48 -07:00
cee3aa4bc5 check for pub_sig in payload if it's the first master the minion connects to 2014-07-03 10:44:40 -07:00
90eb25154b check for existence of verification pubkey before trying to validate the signature 2014-07-03 10:44:30 -07:00
9c1a15c43b minor update in the comments 2014-07-03 10:44:21 -07:00
11711afb03 both sides have to either sign (master) or verify (minion)
it shall not be possible to have the master sign its auth-replies without
having the minion verify the signature and vice versa.
2014-07-03 10:44:07 -07:00
e99c002fde verifying the signature does not mean it's always a new key 2014-07-03 10:43:58 -07:00
d9b934a5d3 add switch to always verify the master's pubkey
for the paranoid among us, this makes it possible to always verify
the master's auth-replies, even if the public key has not changed
2014-07-03 10:43:48 -07:00
a82207b148 if not already present, auto-generate a signing key-pair or use pre-computed signature
if signing the pubkey is enabled, the master will either generate a new signing key-pair
on the fly (if none is found) or use the pre-computed pubkey-signature. if the pre-computed
signature is enabled but not present, the master will complain and exit.
2014-07-03 10:42:42 -07:00
77853b64d5 switch between signing with own key-pair or usage of pre-computed signature only
if signing the pubkey is enabled, the master will switch between signing the pubkey
on the fly or just adding the pre-computed pubkey's signature to the reply.
2014-07-03 10:41:11 -07:00
7b2754255b set sensible default values to ease configuration
signing key-pair settings
master_sign_key_name - name of the signing key-pair, without suffix
master_sign_pubkey - enable/disable signing the public key

signing signature settings
master_pubkey_signature - the pre-computed signature of master.pub + <sign_key>.pem
master_use_pubkey_signature - enable/disable usage of the pre-computed signature

verify_master_pub_sig - enable pubkey signature checking on the minion
2014-07-03 10:38:45 -07:00
bf49622f4b correctly check for verify_master_pub_sign when no key accepted before 2014-07-03 10:38:34 -07:00
df7b1b34f4 pylinting, better log messages, docstrings, no logic changes 2014-07-03 10:38:06 -07:00
e6f8f02b14 remove unneeded re import 2014-07-03 10:34:13 -07:00
7fb83386d3 fix event-cal to be correct dict 2014-07-03 10:34:01 -07:00
a485b1934e track connected status and re-init subsystems on new master
keep track of self.connected and re-init the zmq-context, poller and
socket, if connecting to a new master
2014-07-03 10:33:52 -07:00
e67c35fa04 make function more flexible and work with different master-ips and status 2014-07-03 10:33:42 -07:00
1d91adb1bc cleanup old sreqs if the master changed
Jumping back and forth between different masters will over time add more
and more sreqs to the sreq_cache. That might be ok in MultiMaster; with
signed master-pubkeys, we only want one single master sreq that we re-use and
remove all the others.
2014-07-03 10:33:33 -07:00
66d1d0f770 verify master pubkey signature on first pubkey connection
previously the minion would take any master pubkey for granted and
write it to minion_master.pub.
2014-07-03 10:33:23 -07:00
b3966cbe0c fix path to signing pubkey 2014-07-03 10:32:35 -07:00
c4fca17e40 cleanup and add some more comments 2014-07-03 10:32:23 -07:00
52cb280883 add verification of signed master pubkeys
Adds the verification of the master pubkey by checking the pubkey
signature in payload['pub_sig'] with the signing keypair's pubkey.
2014-07-03 10:32:11 -07:00
e1c8aa0458 Add optional signing of the master pubkey if enabled in config.
Uses salt.crypt.sign_message() to create a signature of the pubkey
and adds that signature to the payload sent to authenticated minions.
2014-07-03 10:31:35 -07:00
7b7045d10b add settings for master and minion to sign the public / verify pubkey signature
Add a setting for the master to generate a new signing key-pair for signing purposes
and use the key-pair to sign the master's public key that is sent to authenticated
minions.

Add a setting for the minion to verify the signature of a public key received from
the master. Requires having the signing key-pair from the master on the minion.
2014-07-03 10:29:02 -07:00
1efd8a6025 add key name to logging output 2014-07-03 10:28:47 -07:00
2d590aa4b7 fix join()'s to form the correct file names 2014-07-03 10:28:33 -07:00
Joseph Hall
2e090cfb18 File extension should be .p, not .pp 2014-07-03 11:28:29 -06:00
4850de0f1f make MasterKeys() more flexible by allowing different key-names.
MasterKeys() should be able to handle more than one hardcoded key.
The default is still to just handle master.* files but can also generate
new key-pairs with different names and return the pub-key.
2014-07-03 10:28:23 -07:00
0226b988f3 add master_sign_key_name and generation of the actual sign-key-files if activated 2014-07-03 10:27:29 -07:00
Mathieu Le Marec - Pasquet
15c6aa829c tls additions:
- cacert_path can be customized more easily
- add a new get_ca function to get the cacert path or content
2014-07-03 19:24:21 +02:00
Samuel Smith
b139f9a160 Merge pull request #13967 from SmithSamuelM/sam_raet_50
Now using new raet.nacling.uuid function to generate the yard names this...
2014-07-03 10:47:53 -06:00
Samuel M Smith
c6e3775e1a Now using new raet.nacling.uuid function to generate the yard names this should prevent
any race conditions in yard names that were occurring with the old way of using gen_jid which was only microsecond resolution
and therefore might generate two yards with the same name.

Needs RAET v 0.1.01
2014-07-03 10:39:55 -06:00
Nitin Madhok
36f164db21 Adding test ability in pull, push and built state functions 2014-07-03 11:55:25 -04:00
Joseph Hall
afba55e3b4 Merge pull request #13955 from terminalmage/docs
Add reactor example for updating fileserver on git push
2014-07-02 20:12:56 -06:00
Erik Johnson
1b1eb26587 Add reactor example for updating fileserver on git push 2014-07-02 21:03:09 -05:00
Thomas S Hatch
07f55489b8 Merge pull request #13942 from cachedout/call_test_fix
Fix broken test.
2014-07-02 17:10:16 -06:00
Thomas S Hatch
e1ed7a0eee Merge pull request #13939 from nmadhok/fix-pylint
Fixing lint
2014-07-02 17:09:24 -06:00
Thomas S Hatch
f9dc61b8be Merge pull request #13936 from cachedout/mine_raet
Mine over raet
2014-07-02 17:08:15 -06:00
Colton Myers
b3331dfa91 Merge pull request #13950 from basepi/2014.1.6release
Add newest cherry-pick to 2014.1.6 release notes
2014-07-02 16:39:09 -06:00
Colton Myers
9537ada5d2 Add newest cherry-pick to 2014.1.6 release notes 2014-07-02 16:38:40 -06:00
Colton Myers
2d32d54407 Merge pull request #13948 from basepi/filedirctorydoc13866
Improve file.directory documentation around `recurse`
2014-07-02 16:06:03 -06:00
Colton Myers
400a8ab351 Improve file.directory documentation around `recurse` 2014-07-02 16:05:18 -06:00
Samuel Smith
f316c64d08 Merge pull request #13947 from SmithSamuelM/sam_raet_49
Used get. For some reason opts['id'] not always available
2014-07-02 16:02:00 -06:00
Samuel M Smith
b2526492fd Merge remote-tracking branch 'upstream/develop' into sam_raet_49 2014-07-02 15:59:44 -06:00
Samuel M Smith
d556ba8ee7 use get in case id not in opts 2014-07-02 15:59:09 -06:00
Mike Place
51e3089a7c Fix broken test. 2014-07-02 14:40:08 -06:00
Nitin Madhok
bd51c3305f Fixing lint in salt/modules/tls.py 2014-07-02 16:12:51 -04:00
Nitin Madhok
900021a820 Fixing lint in tests/integration/shell/auth.py 2014-07-02 16:11:49 -04:00