When hosting multiple applications (especially with different security levels),
you may not want to allow every client to read all the files required for
every other client. Currently it is possible to do this when your host and
domain names reasonably reflect that grouping, e.g. hostXYZ.someapp.domain.com.

However, if you have a more flat naming convention, it is difficult to write
these ACLs. This patch adds support for matching hostnames with regular
expressions, thus extending the ACLs to allow:

path /file_content/secrets/appserver
allow /appserver[0-9]+.example.com$/

path /file_content/secrets/otherservice
allow /^(test-)crazy[0-9]+.pattern.(com|net)$/

Signed-off-by: Siim Pőder <[email protected]>
---
 lib/puppet/network/authstore.rb |   19 ++++++++++++++-----
 test/network/authstore.rb       |   16 ++++++++++++++++
 2 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/lib/puppet/network/authstore.rb b/lib/puppet/network/authstore.rb
index 4ddd14f..51fd341 100755
--- a/lib/puppet/network/authstore.rb
+++ b/lib/puppet/network/authstore.rb
@@ -182,9 +182,11 @@ module Puppet
       # we'll return a pattern of puppet.reductivelabs.com
       def interpolate(match)
         clone = dup
-        clone.pattern = clone.pattern.reverse.collect do |p|
-          p.gsub(/\$(\d)/) { |m| match[$1.to_i] }
-        end.join(".")
+        if @name == :dynamic
+          clone.pattern = clone.pattern.reverse.collect do |p|
+            p.gsub(/\$(\d)/) { |m| match[$1.to_i] }
+          end.join(".")
+        end
         clone
       end
 
@@ -199,8 +201,13 @@ module Puppet
 
       # Does the name match our pattern?
       def matchname?(name)
-        name = munge_name(name)
-        (pattern == name) or (not exact? and pattern.zip(name).all? { |p,n| p 
== n })
+        case @name
+          when :domain, :dynamic, :opaque
+            name = munge_name(name)
+            (pattern == name) or (not exact? and pattern.zip(name).all? { 
|p,n| p == n })
+          when :regex
+            Regexp.new(pattern.slice(1..-2)).match(name)
+        end
       end
 
       # Convert the name to a common pattern.
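Review bot: The expression in `Regexp.new(pattern.slice(1..-2)).match(name)` is applied unanchored, so a pattern written without `\A`/`\z` (or `^`/`$`) matches any name that merely contains the text — the patch's own test accepts `prefix.some-domain.com.suffix` for `/some-domain\.com/`, and the commit description's `/appserver[0-9]+.example.com$/` also leaves the dots unescaped. Since these ACLs gate access to file content, that contract should be stated next to the branch, e.g. `# :regex patterns are matched unanchored against the raw name; anchor with \A and \z to require a whole-name match.` The other kinds pass through `munge_name(name)` first while the regex branch receives the raw name, so if munge_name folds case (as the file's test_case_insensitivity suggests) regex ACLs become the only case-sensitive kind; `Regexp.new(pattern.slice(1..-2), Regexp::IGNORECASE)` would restore parity. The Regexp is also rebuilt on every call; compiling it once where the pattern is parsed would avoid that and surface malformed patterns at configuration time.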
@@ -240,6 +247,8 @@ module Puppet
           [:dynamic,:exact,nil,munge_name(value)]
         when /^\w[-.@\w]*$/                                       # ? Just 
like a host name but allow '@'s and ending '.'s
           [:opaque,:exact,nil,[value]]
+        when /^\/.*\/$/                                           # a regular 
expression
+          [:regex,:inexact,nil,value]
         else
           raise AuthStoreError, "Invalid pattern #{value}"
         end
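Review bot: The `when /^\/.*\/$/` branch stores `value` unvalidated, so a malformed expression (an unbalanced group, say) is accepted by `allow` and only fails later as a `RegexpError` inside `matchname?` at request time, instead of the `AuthStoreError` the surrounding branches raise for bad patterns. Compiling the expression once here and converting the failure keeps configuration errors at configuration time and gives operators the same error type for every kind of bad pattern. The enclosing method starts outside the hunk.
```ruby
when /^\/.*\/$/                                           # a regular expression
  begin
    Regexp.new(value.slice(1..-2))
  rescue RegexpError => detail
    raise AuthStoreError, "Invalid regex pattern #{value}: #{detail}"
  end
  [:regex,:inexact,nil,value]
```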
diff --git a/test/network/authstore.rb b/test/network/authstore.rb
index e3c1853..32eabf5 100755
--- a/test/network/authstore.rb
+++ b/test/network/authstore.rb
@@ -257,6 +257,22 @@ class TestAuthStore < Test::Unit::TestCase
     }
   end
 
+  def test_regex
+    assert_nothing_raised("Failed to @store regexes") {
+      @store.allow("/some-domain\.com/")
+      @store.allow("/^(test-)?host[0-9]+\.other-domain\.(com|org|net)$/")
+    }
+
+    %w{
+      some-domain.com
+      prefix.some-domain.com.suffix
+      host5.other-domain.com
+      test-host12.other-domain.net
+    }.each { |name|
+      assert(@store.allowed?(name, "192.168.0.1"), "Host #{name} not allowed")
+    }
+  end
+
   # #531
   def test_case_insensitivity
     @store.allow("hostname.com")
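Review bot: In `@store.allow("/some-domain\.com/")` and the line below it, the `\.` escapes sit inside double-quoted strings, where Ruby drops the backslash, so the stored patterns are `/some-domain.com/` and `/^(test-)?host[0-9]+.other-domain.(com|org|net)$/` and the test never exercises an escaped dot; single quotes preserve them: `@store.allow('/some-domain\.com/')`. The test also has no negative case, so a regex that accidentally matched every name would still pass; add for instance `assert(! @store.allowed?("unrelated.example", "192.168.0.1"), "Unrelated host allowed")` after the loop so the ACL is shown to deny as well as allow.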
--
1.7.1
