From 95f006db7dc7482dfd28c7b5192e6c93206c047d Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 19 Aug 2020 10:08:11 -0400
Subject: [PATCH] Salt ACL
---
 salt/common/tools/sbin/soup | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 6134a8900..f06b085b4 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -87,6 +87,28 @@ highstate() {
 salt-call state.highstate -l info
 }
+masterlock() {
+ # Lock the ACL to just the manager
+ cp -v /etc/salt/master /etc/salt/master.upgrade
+ echo "peer:" >> /etc/salt/master
+ echo " *_manager:" >> /etc/salt/master
+ echo " - .*" >> /etc/salt/master
+ echo " *_standalone:" >> /etc/salt/master
+ echo " - .*" >> /etc/salt/master
+ echo " *_managersearch:" >> /etc/salt/master
+ echo " - .*" >> /etc/salt/master
+ echo " *_eval:" >> /etc/salt/master
+ echo " - .*" >> /etc/salt/master
+ echo " *_helix:" >> /etc/salt/master
+ echo " - .*" >> /etc/salt/master
+ echo " *_import:" >> /etc/salt/master
+ echo " - .*" >> /etc/salt/master
+}
+
+masterunlock() {
+ mv /etc/salt/master.upgrade /etc/salt/master
+}
+
 pillar_changes() {
 # This function is to add any new pillar items if needed.
 echo "Checking to see if pillar changes are needed."
@@ -343,6 +365,19 @@ copy_new_files
 echo ""
 update_version
+echo ""
+echo "Locking down Salt Master for upgrade"
+masterlock
+
+echo ""
+echo "Starting Salt Master service."
+systemctl start salt-master
+
+echo ""
+echo "Stopping Salt Master to remove ACL"
+systemctl stop salt-master
+
+masterunlock
 echo ""
 echo "Starting Salt Master service."
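Review bot: Nothing in `masterlock` (first hunk) guarantees that the `peer:` block it appends, which allows every function (`.*`) for the listed minion-ID patterns, is taken out of /etc/salt/master again. If the `cp` fails the appends still run, and if soup stops between the `masterlock` and `masterunlock` calls added in the second hunk the block stays in place; a later run then backs up the already-modified file, so `masterunlock` restores the widened config. I would start `masterlock` with `[ -e /etc/salt/master.upgrade ] && mv /etc/salt/master.upgrade /etc/salt/master`, check the backup with `cp -v /etc/salt/master /etc/salt/master.upgrade || return 1`, and have `masterunlock` test that the backup exists before the `mv`. The keys are also written unquoted with a leading `*`, which a YAML parser may read as an alias, so it is worth confirming that salt-master actually loads the file with this block in place.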