Fix return of REST-returned permissions when auth_list is set

[Foorack]

⏭️ Continuation of #62027

What does this PR do?

salt-api: salt/netapi/rest_cherrypy/app.py
When the auth method is set to rest, the permission must be taken via token["auth_list"]. auth_list stores the data from acl method in rest.py.

Note: Per review feedback, this PR also forces keep_acl_in_token to True if rest is present under external_auth. This change has been properly documented in relevant places.

This PR compared to the now closed #62027 adds tests and changelog entry.

What issues does this PR fix or reference?

Fixes: #62022

Previous Behavior

It always takes * permission in configuration, and therefore fails including the ACL returned by REST during authentication.

New Behavior

Includes the permission returned by REST during authentication, by storing it in the token.

Note: Per review feedback, this PR also forces keep_acl_in_token to True if rest is present under external_auth. This change has been properly documented in relevant places.

Merge requirements satisfied?

• Docs
• Changelog
• Tests written/updated

[welcome]

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

• Community Wiki
• Salt’s Contributor Guide
• Join our Community Slack
• IRC on LiberaChat
• Salt Project YouTube channel
• Salt Project Twitch channel

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at [email protected]. We’re glad you’ve joined our community and look forward to doing awesome things with you!

[Foorack]

It says CI is failing, but it looks like it's failing even before running? It fails in the pre-setup stage, failing to contact some python host. [Errno 101] Network is unreachable so don't think that's related to this PR.

[dwoz]

Please force keep_acl_in_token to true when eauth backend is rest and also document the change.

[Ch3LL]

ping @Foorack I would really like to get this in for 3006. We want to get everything tagged by next Friday. Would you be willing to push this one to completion based off of @dwoz feedback?

[Foorack]

ping @Foorack I would really like to get this in for 3006. We want to get everything tagged by next Friday. Would you be willing to push this one to completion based off of @dwoz feedback?

@Ch3LL Pong! 🙂 Thanks for patience with response, been busy with work.

However; Yes, I would love to have this merged in by 3006 as well. I will prioritize this task and look into forcing keep_acl_in_token to True when eauth backend is rest, and well as write documentation and test for this.

[Ch3LL]

Just following up here. We really want to get this in by tomorrow. Any luck with implementing the feedback? Anything I can help with?

[Foorack]

I've already implemented, just need to finish writing the test. Will push in a few hours. @Ch3LL

[Ch3LL]

Thank you so much! This is gonna be great to get in :)

[Foorack]

@Ch3LL

• keep_acl_in_token should now be forced to True if rest is present in external_auth
• Simple test to test the above
• Appended to Documentation everywhere I could

I am still getting familiar with the source code. Feedback/LMK if any changes and I can look at them immediately.

[Foorack]

PR description updated

[Foorack]

CI fails on test_aptpkg, which is completely unrelated to this PR.

[Ch3LL]

Yeah those are unrelated. We are fixing up some flakyness and test failures right now and I"ll rebase when they're passing. thanks this looks great. I'll just get @dwoz to re-review.

[welcome]

Congratulations on your first PR being merged! 🎉