| author | Siim Põder <siim.poder@skype.net> | 2011-01-21 14:26:37 +0200 |
|---|---|---|
| committer | Josh Cooper <josh@puppetlabs.com> | 2011-05-31 09:12:15 -0700 |
| commit | c02126df4804b42ecaca2cdff675be9c4e24aa54 (patch) | |
| tree | 70aa53510b6660fedf0ae445b57581f6359bee04 /lib/puppet | |
| parent | d0592fabd27472ba0f5586393eff20e536f8766a (diff) | |
| download | puppet-c02126df4804b42ecaca2cdff675be9c4e24aa54.tar.gz puppet-c02126df4804b42ecaca2cdff675be9c4e24aa54.tar.xz puppet-c02126df4804b42ecaca2cdff675be9c4e24aa54.zip | |
(#5966) Add support for hostname regular expressions in auth.conf
When hosting multiple applications (especially with different security levels),
you may not want to allow every client to read all the files required for
every other client. Currently it is possible to do this when your host and
domain names reasonably reflect that grouping, ex: hostXYZ.someapp.domain.com.
However, if you have a more flat naming convention, it is difficult to write
these ACLs. This patch adds support for matching hostnames with regular
expressions, thus extending the ACLs to allow:
```
path /file_content/secrets/appserver
allow /appserver[0-9]+.example.com$/
path /file_content/secrets/otherservice
allow /^(test-)crazy[0-9]+.pattern.(com|net)$/
```
Signed-off-by: Josh Cooper <josh@puppetlabs.com>
Reviewed-by: Jacob Helwig <jacob@puppetlabs.com>
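The regex ACL form introduced by this commit is matched as a plain Ruby `Regexp` against the client name, so the way a pattern is written decides which hosts it admits. The following is an added example, not code from Puppet or from this commit: `regex_match?` is a stand-in for the regex branch of `matchname?` as it appears in the diff (slashes stripped, regex compiled and matched as-is), `hardened_match?` is a constructed variant that also matches case-insensitively, and the sample hostnames are constructed here. It runs the first pattern from the commit message side by side with an anchored, dot-escaped form of it.

```ruby
# Stand-in for the regex branch of AuthStore::Declaration#matchname? from the
# diff (added example, not Puppet's code): the stored pattern keeps its
# surrounding slashes and is compiled on every call.
def regex_match?(pattern, name)
  Regexp.new(pattern.slice(1..-2)).match(name) ? true : false
end

# Constructed variant: same slicing, but case-insensitive, mirroring the
# downcasing that munge_name applies to the non-regex pattern kinds.
def hardened_match?(pattern, name)
  Regexp.new(pattern.slice(1..-2), Regexp::IGNORECASE).match(name) ? true : false
end

# First pattern from the commit message, exactly as written there.
LOOSE_PATTERN = "/appserver[0-9]+.example.com$/"

# Constructed hardened form: anchored at both ends, dots escaped.
HARDENED_PATTERN = "/^appserver[0-9]+\\.example\\.com$/"

# Constructed sample client names (what the certificate CN might carry).
SAMPLE_NAMES = [
  "appserver12.example.com",     # the intended client
  "evilappserver12.example.com", # no ^ anchor, so a prefix slips through
  "appserver12Xexample.com",     # unescaped '.' matches any character
  "APPSERVER12.EXAMPLE.COM",     # same host, different case
]

# Evaluate one pattern against every sample name with the given matcher and
# return a name => matched? hash.
def evaluate(pattern, matcher)
  SAMPLE_NAMES.map { |n| [n, send(matcher, pattern, n)] }.to_h
end

if __FILE__ == $0
  puts "loose:    #{evaluate(LOOSE_PATTERN, :regex_match?).inspect}"
  puts "hardened: #{evaluate(HARDENED_PATTERN, :hardened_match?).inspect}"
end
```

The loose pattern admits the prefixed and the dot-substituted names while rejecting the upper-cased one; the anchored, escaped form behaves the other way round. When writing regex ACLs for auth.conf, anchoring with `^` and `$` and escaping literal dots is what keeps the rule limited to the hosts it names.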
Diffstat (limited to 'lib/puppet')
| -rwxr-xr-x | lib/puppet/network/authstore.rb | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/lib/puppet/network/authstore.rb b/lib/puppet/network/authstore.rb index 4ddd14feb..51fd34138 100755 --- a/lib/puppet/network/authstore.rb +++ b/lib/puppet/network/authstore.rb @@ -182,9 +182,11 @@ module Puppet # we'll return a pattern of puppet.reductivelabs.com def interpolate(match) clone = dup - clone.pattern = clone.pattern.reverse.collect do |p| - p.gsub(/\$(\d)/) { |m| match[$1.to_i] } - end.join(".") + if @name == :dynamic + clone.pattern = clone.pattern.reverse.collect do |p| + p.gsub(/\$(\d)/) { |m| match[$1.to_i] } + end.join(".") + end clone end @@ -199,8 +201,13 @@ module Puppet # Does the name match our pattern? def matchname?(name) - name = munge_name(name) - (pattern == name) or (not exact? and pattern.zip(name).all? { |p,n| p == n }) + case @name + when :domain, :dynamic, :opaque + name = munge_name(name) + (pattern == name) or (not exact? and pattern.zip(name).all? { |p,n| p == n }) + when :regex + Regexp.new(pattern.slice(1..-2)).match(name) + end end # Convert the name to a common pattern. @@ -240,6 +247,8 @@ module Puppet [:dynamic,:exact,nil,munge_name(value)] when /^\w[-.@\w]*$/ # ? Just like a host name but allow '@'s and ending '.'s [:opaque,:exact,nil,[value]] + when /^\/.*\/$/ # a regular expression + [:regex,:inexact,nil,value] else raise AuthStoreError, "Invalid pattern #{value}" end |
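Review bot: in the `interpolate` hunk, the new `if @name == :dynamic` guard changes behaviour for the `:domain` and `:opaque` kinds as well, not only for `:regex`. Before the change every kind had its pattern reversed, placeholder-substituted and joined into a dotted string; now only `:dynamic` does, and the other kinds keep their array form, which is what `matchname?` needs since it calls `pattern.zip(name)` and compares `pattern == name` against the array returned by `munge_name`. That looks like the right fix, but it is a behaviour change unrelated to regex support and deserves a sentence in the commit message so that it is not mistaken for an accidental narrowing.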
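Review bot: in the `matchname?` hunk, the `:regex` branch compiles `Regexp.new(pattern.slice(1..-2))` on every call and matches it against the raw `name` without anchoring or `munge_name`. Three consequences: a syntactically invalid expression from auth.conf raises `RegexpError` at request time rather than when the file is loaded; the expression is unanchored, so `/appserver[0-9]+.example.com$/` from the commit message also admits any name that merely ends in such a suffix, and the unescaped dots match any character; and, because the name is not downcased here as it is for the other kinds, whether the comparison is case-sensitive now depends on what callers pass. Suggest compiling once at parse time and storing the `Regexp`, and stating in the auth.conf documentation that regex patterns are matched unanchored against the client name so that administrators write `^...$` and escape literal dots, as the second example in the commit message partly does.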
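Review bot: in the pattern-parsing hunk, `when /^\/.*\/$/` accepts `//`, which stores an empty expression that later matches every client name, and it accepts any text between the slashes without checking that it compiles. Suggest validating here rather than in `matchname?`: reject an empty body, and wrap `Regexp.new(value[1..-2])` in a `rescue RegexpError` that re-raises as `AuthStoreError, "Invalid pattern #{value}"` so that a bad auth.conf entry fails at load time with the same error the `else` branch already uses, instead of failing per request.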
