Provide token storage using the salt.cache interface

mattp- · mattp- · commit 53fb6df35a11 · 2025-05-28T12:20:32.000-04:00
Rather than implement custom drivers for tokens, the existing cache
drivers can be leveraged for token management. This also moves token
expiry responsibility to the token(cache) implementation with a naive
fallback.

Implicitly the default token backend will move to either what the global
'cache' is set to, or, if overridden, the eauth_tokens.cache_driver
opt. This means on upgrade, tokens will be invalidated. The only other
token driver is 'rediscluster', which I've added a deprecation for,
since cache.redis_cache provides the same functionality.
diff --git a/changelog/68039.changed.md b/changelog/68039.changed.md
@@ -0,0 +1 @@
+Provide token storage using the salt.cache interface
diff --git a/salt/auth/__init__.py b/salt/auth/__init__.py
@@ -13,18 +13,18 @@
 # 6. Interface to verify tokens
 
 import getpass
+import hashlib
 import logging
+import os
 import random
 import time
 from collections.abc import Iterable, Mapping
 
+import salt.cache
 import salt.channel.client
-import salt.config
 import salt.exceptions
 import salt.loader
-import salt.payload
 import salt.utils.args
-import salt.utils.dictupdate
 import salt.utils.files
 import salt.utils.minions
 import salt.utils.network
@@ -60,6 +60,7 @@ def __init__(self, opts, ckminions=None):
         self.max_fail = 1.0
         self.auth = salt.loader.auth(opts)
         self.tokens = salt.loader.eauth_tokens(opts)
+        self.cache = salt.cache.factory(opts, driver=opts["eauth_tokens.cache_driver"])
         self.ckminions = ckminions or salt.utils.minions.CkMinions(opts)
 
     def load_name(self, load):
@@ -230,54 +231,168 @@ def mk_token(self, load):
         if groups:
             tdata["groups"] = groups
 
-        return self.tokens["{}.mk_token".format(self.opts["eauth_tokens"])](
-            self.opts, tdata
-        )
+        if self.opts["eauth_tokens.cache_driver"] == "rediscluster":
+            salt.utils.versions.warn_until(
+                3009,
+                "The 'rediscluster' token backend has been deprecated, and will be removed "
+                "in the Potassium release. Please use the 'redis_cache' cache backend instead.",
+            )
+            return self.tokens["{}.mk_token".format(self.opts["eauth_tokens"])](
+                self.opts, tdata
+            )
+        else:
+            hash_type = getattr(hashlib, self.opts.get("hash_type", "md5"))
+            new_token = str(hash_type(os.urandom(512)).hexdigest())
+            tdata["token"] = new_token
+            try:
+                self.cache.store("tokens", new_token, tdata, expires=tdata["expire"])
+            except salt.exceptions.SaltCacheError as err:
+                log.error(
+                    "Cannot mk_token from tokens cache using %s: %s",
+                    self.opts["eauth_tokens.cache_driver"],
+                    err,
+                )
+                return {}
+
+            return tdata
 
     def get_tok(self, tok):
         """
         Return the name associated with the token, or False if the token is
         not valid
         """
-        tdata = {}
-        try:
-            tdata = self.tokens["{}.get_token".format(self.opts["eauth_tokens"])](
-                self.opts, tok
+        if self.opts["eauth_tokens.cache_driver"] == "rediscluster":
+            salt.utils.versions.warn_until(
+                3009,
+                "The 'rediscluster' token backend has been deprecated, and will be removed "
+                "in the Potassium release. Please use the 'redis_cache' cache backend instead.",
             )
-        except salt.exceptions.SaltDeserializationError:
-            log.warning("Failed to load token %r - removing broken/empty file.", tok)
-            rm_tok = True
-        else:
-            if not tdata:
+
+            tdata = {}
+            try:
+                tdata = self.tokens["{}.get_token".format(self.opts["eauth_tokens"])](
+                    self.opts, tok
+                )
+            except salt.exceptions.SaltDeserializationError:
+                log.warning(
+                    "Failed to load token %r - removing broken/empty file.", tok
+                )
+                rm_tok = True
+            else:
+                if not tdata:
+                    return {}
+                rm_tok = False
+
+            if tdata.get("expire", 0) < time.time():
+                # If expire isn't present in the token it's invalid and needs
+                # to be removed. Also, if it's present and has expired - in
+                # other words, the expiration is before right now, it should
+                # be removed.
+                rm_tok = True
+
+            if rm_tok:
+                self.rm_token(tok)
                 return {}
-            rm_tok = False
 
-        if tdata.get("expire", 0) < time.time():
-            # If expire isn't present in the token it's invalid and needs
-            # to be removed. Also, if it's present and has expired - in
-            # other words, the expiration is before right now, it should
-            # be removed.
-            rm_tok = True
+            return tdata
+        else:
+            try:
+                tdata = self.cache.fetch("tokens", tok)
 
-        if rm_tok:
-            self.rm_token(tok)
-            return {}
+                if tdata.get("expire", 0) < time.time():
+                    raise salt.exceptions.TokenExpiredError
 
-        return tdata
+                return tdata
+            except (
+                salt.exceptions.SaltDeserializationError,
+                salt.exceptions.TokenExpiredError,
+            ):
+                log.warning(
+                    "Failed to load token %r - removing broken/empty file.", tok
+                )
+                self.rm_token(tok)
+            except salt.exceptions.SaltCacheError as err:
+                log.error(
+                    "Cannot get token %s from tokens cache using %s: %s",
+                    tok,
+                    self.opts["eauth_tokens.cache_driver"],
+                    err,
+                )
+            return {}
 
     def list_tokens(self):
         """
         List all tokens in eauth_tokens storage.
         """
-        return self.tokens["{}.list_tokens".format(self.opts["eauth_tokens"])](
-            self.opts
-        )
+        if self.opts["eauth_tokens.cache_driver"] == "rediscluster":
+            salt.utils.versions.warn_until(
+                3009,
+                "The 'rediscluster' token backend has been deprecated, and will be removed "
+                "in the Potassium release. Please use the 'redis_cache' cache backend instead.",
+            )
+
+            return self.tokens["{}.list_tokens".format(self.opts["eauth_tokens"])](
+                self.opts
+            )
+        else:
+            try:
+                return self.cache.list("tokens")
+            except salt.exceptions.SaltCacheError as err:
+                log.error(
+                    "Cannot list tokens from tokens cache using %s: %s",
+                    self.opts["eauth_tokens.cache_driver"],
+                    err,
+                )
+                return []
 
     def rm_token(self, tok):
         """
         Remove the given token from token storage.
         """
-        self.tokens["{}.rm_token".format(self.opts["eauth_tokens"])](self.opts, tok)
+        if self.opts["eauth_tokens.cache_driver"] == "rediscluster":
+            salt.utils.versions.warn_until(
+                3009,
+                "The 'rediscluster' token backend has been deprecated, and will be removed "
+                "in the Potassium release. Please use the 'redis_cache' cache backend instead.",
+            )
+
+            self.tokens["{}.rm_token".format(self.opts["eauth_tokens"])](self.opts, tok)
+        else:
+            try:
+                return self.cache.flush("tokens", tok)
+            except salt.exceptions.SaltCacheError as err:
+                log.error(
+                    "Cannot rm token %s from tokens cache using %s: %s",
+                    tok,
+                    self.opts["eauth_tokens.cache_driver"],
+                    err,
+                )
+            return {}
+
+    def clean_expired_tokens(self):
+        """
+        Clean expired tokens
+        """
+        if self.opts["eauth_tokens.cache_driver"] == "rediscluster":
+            salt.utils.versions.warn_until(
+                3009,
+                "The 'rediscluster' token backend has been deprecated, and will be removed "
+                "in the Potassium release. Please use the 'redis_cache' cache backend instead.",
+            )
+            log.debug(
+                "cleaning expired tokens using token driver: {}".format(
+                    self.opts["eauth_tokens"]
+                )
+            )
+            for token in self.list_tokens():
+                token_data = self.get_tok(token)
+                if (
+                    "expire" not in token_data
+                    or token_data.get("expire", 0) < time.time()
+                ):
+                    self.rm_token(token)
+        else:
+            self.cache.clean_expired("tokens")
 
     def authenticate_token(self, load):
         """
@@ -604,6 +719,15 @@ def get_token(self, token):
         tdata = self._send_token_request(load)
         return tdata
 
+    def rm_token(self, token):
+        """
+        Delete a token from the master
+        """
+        load = {}
+        load["token"] = token
+        load["cmd"] = "rm_token"
+        self._send_token_request(load)
+
 
 class AuthUser:
     """
diff --git a/salt/cache/__init__.py b/salt/cache/__init__.py
@@ -288,6 +288,32 @@ def contains(self, bank, key=None):
         fun = f"{self.driver}.contains"
         return self.modules[fun](bank, key, **self._kwargs)
 
+    def clean_expired(self, bank, *args, **kwargs):
+        """
+        Clean expired keys
+
+        :param bank:
+            The name of the location inside the cache which will hold the key
+            and its associated data.
+
+        :raises SaltCacheError:
+            Raises an exception if cache driver detected an error accessing data
+            in the cache backend (auth, permissions, etc).
+        """
+        # If the cache driver has a clean_expired() func, call it to clean up
+        # expired keys.
+        clean_expired = f"{self.driver}.clean_expired"
+        if clean_expired in self.modules:
+            self.modules[clean_expired](bank, *args, **kwargs)
+        else:
+            list_ = f"{self.driver}.list"
+            updated = f"{self.driver}.updated"
+            flush = f"{self.driver}.flush"
+            for key in self.modules[list_](bank, **self._kwargs):
+                ts = self.modules[updated](bank, key, **self._kwargs)
+                if ts is not None and ts <= time.time():
+                    self.modules[flush](bank, key, **self._kwargs)
+
 
 class MemCache(Cache):
     """
diff --git a/salt/config/__init__.py b/salt/config/__init__.py
@@ -1018,6 +1018,8 @@ def _gather_buffer_space():
         "publish_signing_algorithm": str,
         # optional cache driver for pillar cache
         "pillar.cache_driver": (type(None), str),
+        # optional cache driver for eauth_tokens cache
+        "eauth_tokens.cache_driver": (type(None), str),
     }
 )
 
@@ -1683,6 +1685,7 @@ def _gather_buffer_space():
         "features": {},
         "publish_signing_algorithm": "PKCS1v15-SHA1",
         "pillar.cache_driver": None,
+        "eauth_tokens.cache_driver": None,
     }
 )
 
diff --git a/salt/daemons/masterapi.py b/salt/daemons/masterapi.py
@@ -120,10 +120,7 @@ def clean_expired_tokens(opts):
     Clean expired tokens from the master
     """
     loadauth = salt.auth.LoadAuth(opts)
-    for tok in loadauth.list_tokens():
-        token_data = loadauth.get_tok(tok)
-        if "expire" not in token_data or token_data.get("expire", 0) < time.time():
-            loadauth.rm_token(tok)
+    loadauth.clean_expired_tokens()
 
 
 def clean_pub_auth(opts):
diff --git a/salt/exceptions.py b/salt/exceptions.py
@@ -350,6 +350,12 @@ class TokenAuthenticationError(SaltException):
     """
 
 
+class TokenExpiredError(SaltException):
+    """
+    Thrown when token is expired
+    """
+
+
 class SaltDeserializationError(SaltException):
     """
     Thrown when salt cannot deserialize data.
diff --git a/tests/pytests/unit/auth/test_auth.py b/tests/pytests/unit/auth/test_auth.py
diff --git a/tests/pytests/unit/test_auth.py b/tests/pytests/unit/test_auth.py

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Provide token storage using the salt.cache interface`
Original file line number	Diff line number	Diff line change
`@@ -1018,6 +1018,8 @@ def _gather_buffer_space():`
`1018`	`1018`	`"publish_signing_algorithm": str,`
`1019`	`1019`	`# optional cache driver for pillar cache`
`1020`	`1020`	`"pillar.cache_driver": (type(None), str),`
	`1021`	`+ # optional cache driver for eauth_tokens cache`
	`1022`	`+ "eauth_tokens.cache_driver": (type(None), str),`
`1021`	`1023`	`}`
`1022`	`1024`	`)`
`1023`	`1025`
`@@ -1683,6 +1685,7 @@ def _gather_buffer_space():`
`1683`	`1685`	`"features": {},`
`1684`	`1686`	`"publish_signing_algorithm": "PKCS1v15-SHA1",`
`1685`	`1687`	`"pillar.cache_driver": None,`
	`1688`	`+ "eauth_tokens.cache_driver": None,`
`1686`	`1689`	`}`
`1687`	`1690`	`)`
`1688`	`1691`