authorSiim Põder <siim.poder@skype.net>2011-01-21 14:26:37 +0200
committerJosh Cooper <josh@puppetlabs.com>2011-05-31 09:12:15 -0700
commitc02126df4804b42ecaca2cdff675be9c4e24aa54 (patch)
tree70aa53510b6660fedf0ae445b57581f6359bee04
parentd0592fabd27472ba0f5586393eff20e536f8766a (diff)
(#5966) Add support for hostname regular expressions in auth.conf
When hosting multiple applications (especially with different security levels), you may not want to allow every client to read all the files required for every other client. Currently it is possible to do this when your host and domain names reasonably reflect that grouping, ex: hostXYZ.someapp.domain.com. However, if you have a more flat naming convention, it is difficult to write these ACLs. This patch adds support for matching hostnames with regular expressions, thus extending the ACLs to allow: path /file_content/secrets/appserver allow /appserver[0-9]+.example.com$/ path /file_content/secrets/otherservice allow /^(test-)crazy[0-9]+.pattern.(com|net)$/ Signed-off-by: Josh Cooper <josh@puppetlabs.com> Reviewed-by: Jacob Helwig <jacob@puppetlabs.com>
-rwxr-xr-xlib/puppet/network/authstore.rb19
-rwxr-xr-xspec/unit/network/authstore_spec.rb39
2 files changed, 49 insertions, 9 deletions
diff --git a/lib/puppet/network/authstore.rb b/lib/puppet/network/authstore.rb
index 4ddd14feb..51fd34138 100755
--- a/lib/puppet/network/authstore.rb
+++ b/lib/puppet/network/authstore.rb
@@ -182,9 +182,11 @@ module Puppet
# we'll return a pattern of puppet.reductivelabs.com
def interpolate(match)
clone = dup
- clone.pattern = clone.pattern.reverse.collect do |p|
- p.gsub(/\$(\d)/) { |m| match[$1.to_i] }
- end.join(".")
+ if @name == :dynamic
+ clone.pattern = clone.pattern.reverse.collect do |p|
+ p.gsub(/\$(\d)/) { |m| match[$1.to_i] }
+ end.join(".")
+ end
clone
end
@@ -199,8 +201,13 @@ module Puppet
# Does the name match our pattern?
def matchname?(name)
- name = munge_name(name)
- (pattern == name) or (not exact? and pattern.zip(name).all? { |p,n| p == n })
+ case @name
+ when :domain, :dynamic, :opaque
+ name = munge_name(name)
+ (pattern == name) or (not exact? and pattern.zip(name).all? { |p,n| p == n })
+ when :regex
+ Regexp.new(pattern.slice(1..-2)).match(name)
+ end
end
# Convert the name to a common pattern.
@@ -240,6 +247,8 @@ module Puppet
[:dynamic,:exact,nil,munge_name(value)]
when /^\w[-.@\w]*$/ # ? Just like a host name but allow '@'s and ending '.'s
[:opaque,:exact,nil,[value]]
+ when /^\/.*\/$/ # a regular expression
+ [:regex,:inexact,nil,value]
else
raise AuthStoreError, "Invalid pattern #{value}"
end
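Review bot: The new `when /^\/.*\/$/` arm stores the raw string and defers `Regexp.new` to `matchname?`, so a malformed expression in auth.conf raises `RegexpError` on the first request that reaches that entry instead of `AuthStoreError` at load time like every other invalid pattern, and the expression is recompiled on each `matchname?` call. Validating the expression here keeps the failure at config time without changing the stored shape; the anchors should also be `\A`/`\z`, since `^`/`$` in Ruby match per line. Separately, the `:regex` arm of `matchname?` matches `name` without passing it through `munge_name`, so whatever normalisation the other arms get (presumably case folding — not visible here) does not apply to regex entries; that deserves a comment on the arm, e.g. `# regex patterns are matched against the unmunged name`. Both enclosing methods start outside their hunks.
```ruby
when /\A\/.*\/\z/ # a regular expression
  begin
    Regexp.new(value[1..-2])
  rescue RegexpError => e
    raise AuthStoreError, "Invalid pattern #{value}: #{e.message}"
  end
  [:regex,:inexact,nil,value]
# … unchanged: else branch raising AuthStoreError …
```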
diff --git a/spec/unit/network/authstore_spec.rb b/spec/unit/network/authstore_spec.rb
index d62c8abaa..d5ff42d6e 100755
--- a/spec/unit/network/authstore_spec.rb
+++ b/spec/unit/network/authstore_spec.rb
@@ -4,11 +4,11 @@ require 'spec_helper'
require 'puppet/network/authconfig'
describe Puppet::Network::AuthStore do
- describe "when checking if the acl has some entries" do
- before :each do
- @authstore = Puppet::Network::AuthStore.new
- end
+ before :each do
+ @authstore = Puppet::Network::AuthStore.new
+ end
+ describe "when checking if the acl has some entries" do
it "should be empty if no ACE have been entered" do
@authstore.should be_empty
end
@@ -31,6 +31,37 @@ describe Puppet::Network::AuthStore do
@authstore.should_not be_empty
end
end
+
+ describe "when checking global allow" do
+ it "should not be enabled by default" do
+ @authstore.should_not be_globalallow
+ @authstore.should_not be_allowed('foo.bar.com', '192.168.1.1')
+ end
+
+ it "should always allow when enabled" do
+ @authstore.allow('*')
+
+ @authstore.should be_globalallow
+ @authstore.should be_allowed('foo.bar.com', '192.168.1.1')
+ end
+ end
+
+ describe "when checking a regex type of allow" do
+ before :each do
+ @authstore.allow('/^(test-)?host[0-9]+\.other-domain\.(com|org|net)$|some-domain\.com/')
+ @ip = '192.168.1.1'
+ end
+ ['host5.other-domain.com', 'test-host12.other-domain.net', 'foo.some-domain.com'].each { |name|
+ it "should allow the host #{name}" do
+ @authstore.should be_allowed(name, @ip)
+ end
+ }
+ ['host0.some-other-domain.com',''].each { |name|
+ it "should not allow the host #{name}" do
+ @authstore.should_not be_allowed(name, @ip)
+ end
+ }
+ end
end
describe Puppet::Network::AuthStore::Declaration do
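Review bot: The reject list in the regex describe block (`['host0.some-other-domain.com','']`) never exercises the unanchored `some-domain\.com` alternative, so the spec does not pin down that such an alternative is a substring match — a name like `foo.some-domain.com.example.org` is accepted by this pattern too. Adding one such name to whichever list reflects the intended semantics makes the anchoring behaviour an explicit, tested decision rather than an accident of the example. As a point of style, the two `.each { |name| … }` iterators are multi-line blocks and would read consistently with the rest of the file as `do … end`.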