Andrew Bogott has uploaded a new change for review. https://gerrit.wikimedia.org/r/208640
Change subject: Better handling for invalid cert names: ...................................................................... Better handling for invalid cert names: - Accept foo.bar.eqiad.wmflabs entries. Should support upcoming cert scheme. - Clean up invalid requests. Bug T95519 Change-Id: I6ea09a17d8222063f7fd6b0cd2b60292956bb89b --- M modules/puppetmaster/files/puppetsigner.py 1 file changed, 3 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/40/208640/1 diff --git a/modules/puppetmaster/files/puppetsigner.py b/modules/puppetmaster/files/puppetsigner.py index 5163c6c..b9bfa10 100755 --- a/modules/puppetmaster/files/puppetsigner.py +++ b/modules/puppetmaster/files/puppetsigner.py @@ -53,8 +53,9 @@ hostname = host[0].strip('"') # Skip pathological hostnames -- possible attack vector. - if not re.match(r'^[a-zA-Z0-9_-]+\.eqiad\.wmflabs$', hostname): - sys.stderr.write('Invalid hostname %s' % hostname) + if not re.match(r'^[\.a-zA-Z0-9_-]+\.eqiad\.wmflabs$', hostname): + sys.stderr.write('Invalid hostname %s\n' % hostname) + subprocess.check_call(['/usr/bin/puppet', 'cert', 'clean', hostname]) continue # Erase keys that don't correspond to ldap; sign those that do -- To view, visit https://gerrit.wikimedia.org/r/208640 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I6ea09a17d8222063f7fd6b0cd2b60292956bb89b Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
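Review bot: On the added `subprocess.check_call(['/usr/bin/puppet', 'cert', 'clean', hostname])` line, the value passed to puppet is exactly the hostname that just failed validation under the "possible attack vector" comment. No shell is involved, but a name beginning with `-` would still reach puppet as an option rather than as a cert name. In addition, a non-zero exit from `puppet cert clean` raises CalledProcessError before `continue` is reached. Unless that is caught further up, one bad request stops the remaining requests from being processed. Suggest skipping the clean (and only logging) for names that start with `-` or contain characters outside a loose sanity set, and wrapping the call in try/except so a failed clean is logged and the loop carries on. Separately, putting `\.` inside the character class in `^[\.a-zA-Z0-9_-]+\.eqiad\.wmflabs$` also accepts leading and consecutive dots (for example `..eqiad.wmflabs`). Matching per label, as in `^([a-zA-Z0-9_-]+\.)+eqiad\.wmflabs$`, admits foo.bar.eqiad.wmflabs without that.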