Andrew Bogott has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/208640

Change subject: Better handling for invalid cert names:
......................................................................

Better handling for invalid cert names:

- Accept foo.bar.eqiad.wmflabs entries.  Should support upcoming cert scheme.
- Clean up invalid requests.

Bug T95519

Change-Id: I6ea09a17d8222063f7fd6b0cd2b60292956bb89b
---
M modules/puppetmaster/files/puppetsigner.py
1 file changed, 3 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/40/208640/1

diff --git a/modules/puppetmaster/files/puppetsigner.py 
b/modules/puppetmaster/files/puppetsigner.py
index 5163c6c..b9bfa10 100755
--- a/modules/puppetmaster/files/puppetsigner.py
+++ b/modules/puppetmaster/files/puppetsigner.py
@@ -53,8 +53,9 @@
             hostname = host[0].strip('"')
 
         # Skip pathological hostnames -- possible attack vector.
-        if not re.match(r'^[a-zA-Z0-9_-]+\.eqiad\.wmflabs$', hostname):
-            sys.stderr.write('Invalid hostname %s' % hostname)
+        if not re.match(r'^[\.a-zA-Z0-9_-]+\.eqiad\.wmflabs$', hostname):
+            sys.stderr.write('Invalid hostname %s\n' % hostname)
+            subprocess.check_call(['/usr/bin/puppet', 'cert', 'clean', 
hostname])
             continue
 
         # Erase keys that don't correspond to ldap; sign those that do
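Review bot: the subprocess.check_call(['/usr/bin/puppet', 'cert', 'clean', hostname]) added after the sys.stderr.write raises CalledProcessError on any non-zero exit, so one rejected name that puppet refuses to clean (or that has no certificate request to clean) aborts the whole loop before the remaining valid requests are signed; catching CalledProcessError and logging it, or using subprocess.call and ignoring the status, keeps a single bad request from blocking the rest. The argv-list form is the right choice here, since the attacker-influenced name is never interpolated into a shell command. Two smaller points on the same hunk: the widened class [\.a-zA-Z0-9_-]+ also accepts a leading dot and consecutive dots ('.foo.eqiad.wmflabs', 'foo..eqiad.wmflabs'), which the old pattern did not; a pattern such as ^[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)*\.eqiad\.wmflabs$ admits the intended foo.bar.eqiad.wmflabs form without those. And the hunk adds no 'import subprocess', so confirm the module is already imported earlier in puppetsigner.py, since the diff does not show the top of the file.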

-- 
To view, visit https://gerrit.wikimedia.org/r/208640
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I6ea09a17d8222063f7fd6b0cd2b60292956bb89b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
