Make __pub_id available in custom runners called via the peer interface

[aplovich]

Is your feature request related to a problem? Please describe.
I'm looking to create a runner that signs x509 certs for minions. The minions will use the peer runner interface to request certs from the master. The flow for this involves calling an external API that does the signing, so the existing x509 state won't work because it requires access to a signing cert.

The master will render the minion's pillar to determine if its authorized to get the cert it requested. This means the custom runner needs to know who called it. So far I haven't found a way to get this information.

Describe the solution you'd like
Looking through the x509 module, I found that Salt populates **kwargs with information about who made the call:
https://github.com/saltstack/salt/blob/master/salt/modules/x509.py#L1047

It'd be nice if the same could be done inside a custom runner: add "**kwargs" to the runner function's signature, and Salt places __pub_id into it.

Describe alternatives you've considered
I've considered implementing this as an execution module, however I'd explicitly like to run this on the master, so using a runner seems like a better way to call this out.

[welcome[bot]]

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

• Community Wiki
• Salt’s Contributor Guide
• Join our Community Slack
• IRC on LiberaChat
• Salt Project YouTube channel
• Salt Project Twitch channel

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!

[lkubb]

For the record, a workaround for this issue can be found in the vault modules. They sign the request with the minion key and check it on the master side, explicitly found here:

salt/salt/utils/vault.py

Lines 60 to 66 in b7f9c2f

	if __opts__.get("__role", "minion") == "minion":
	private_key = "{}/minion.pem".format(pki_dir)
	log.debug("Running on minion, signing token request with key %s", private_key)
	signature = base64.b64encode(salt.crypt.sign_message(private_key, minion_id))
	result = __salt__["publish.runner"](
	"vault.generate_token", arg=[minion_id, signature, False, ttl, uses]
	)

salt/salt/runners/vault.py

Lines 24 to 52 in b7f9c2f

	def generate_token(
	minion_id, signature, impersonated_by_master=False, ttl=None, uses=None
	):
	"""
	Generate a Vault token for minion minion_id
	minion_id
	The id of the minion that requests a token
	signature
	Cryptographic signature which validates that the request is indeed sent
	by the minion (or the master, see impersonated_by_master).
	impersonated_by_master
	If the master needs to create a token on behalf of the minion, this is
	True. This happens when the master generates minion pillars.
	ttl
	Ticket time to live in seconds, 1m minutes, or 2h hrs
	uses
	Number of times a token can be used
	"""
	log.debug(
	"Token generation request for %s (impersonated by master: %s)",
	minion_id,
	impersonated_by_master,
	)
	_validate_signature(minion_id, signature, impersonated_by_master)

salt/salt/runners/vault.py

Lines 181 to 198 in b7f9c2f

	def _validate_signature(minion_id, signature, impersonated_by_master):
	"""
	Validate that either minion with id minion_id, or the master, signed the
	request
	"""
	pki_dir = __opts__["pki_dir"]
	if impersonated_by_master:
	public_key = "{}/master.pub".format(pki_dir)
	else:
	public_key = "{}/minions/{}".format(pki_dir, minion_id)
	log.trace("Validating signature for %s", minion_id)
	signature = base64.b64decode(signature)
	if not salt.crypt.verify_signature(public_key, minion_id, signature):
	raise salt.exceptions.AuthenticationError(
	"Could not validate token request from {}".format(minion_id)
	)
	log.trace("Signature ok")