Make regex matching policy key stricter

There is a bug where this regex can match multiple lines if a policy contains ':'. Make this regex stricter by making sure the key doesn't end with a ':' within the quotes. Closes-Bug: #1968294 Change-Id: I4090d6831db8ddc4fba294f181085b657e2b3345
2022-04-08 18:42:20 +10:00 · 2022-04-08 18:42:20 +10:00 · 33fb90326f
commit 33fb90326f
parent 59c3e5b9fd
3 changed files with 18 additions and 4 deletions
--- a/manifests/policy/base.pp
+++ b/manifests/policy/base.pp
@ -92,7 +92,7 @@ define openstacklib::policy::base (
      file_line { "${file_path}-${key}" :
        path  => $file_path,
        line  => "'${key}': '${value_real}'",
-        match => "^['\"]?${key}['\"]?\\s*:.+"
+        match => "^['\"]?${key}(?!:)['\"]?\\s*:.+"
      }
      Openstacklib::Policy::Default<| title == $file_path |>
      -> File_line<| title == "${file_path}-${key}" |>
--- a/spec/acceptance/openstacklib_policy_base_spec.rb
+++ b/spec/acceptance/openstacklib_policy_base_spec.rb
@ -18,6 +18,18 @@ describe 'policy file management' do
        value       => 'role:member',
        file_format => 'yaml',
      }
+      openstacklib::policy::base { 'get_router':
+        file_path   => '/tmp/policy.yaml',
+        key         => 'get_router',
+        value       => 'rule:admin_or_owner',
+        file_format => 'yaml',
+      }
+      openstacklib::policy::base { 'get_router:distributed':
+        file_path   => '/tmp/policy.yaml',
+        key         => 'get_router:distributed',
+        value       => 'rule:admin_only',
+        file_format => 'yaml',
+      }

      EOS

@ -30,6 +42,8 @@ describe 'policy file management' do
      it { should exist }
      it { should contain("'is_admin': 'role:admin'") }
      it { should contain("'is_member': 'role:member'") }
+      it { should contain("'get_router': 'rule:admin_or_owner'") }
+      it { should contain("'get_router:distributed': 'rule:admin_only'") }
    end
  end

--- a/spec/defines/openstacklib_policy_base_spec.rb
+++ b/spec/defines/openstacklib_policy_base_spec.rb
@ -72,7 +72,7 @@ describe 'openstacklib::policy::base' do
      it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with(
        :path  => '/etc/nova/policy.yaml',
        :line  => '\'context_is_admin or owner\': \'foo:bar\'',
-        :match => '^[\'"]?context_is_admin or owner[\'"]?\s*:.+'
+        :match => '^[\'"]?context_is_admin or owner(?!:)[\'"]?\s*:.+'
      ) }

      context 'with single-quotes in value' do
@ -85,7 +85,7 @@ describe 'openstacklib::policy::base' do
        it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with(
          :path  => '/etc/nova/policy.yaml',
          :line  => '\'context_is_admin or owner\': \'foo:\'\'bar\'\'\'',
-          :match => '^[\'"]?context_is_admin or owner[\'"]?\s*:.+'
+          :match => '^[\'"]?context_is_admin or owner(?!:)[\'"]?\s*:.+'
        ) }
      end

@ -99,7 +99,7 @@ describe 'openstacklib::policy::base' do
        it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with(
          :path  => '/etc/nova/policy.yaml',
          :line  => '\'context_is_admin or owner\': \'foo:\'\'bar\'\'\'',
-          :match => '^[\'"]?context_is_admin or owner[\'"]?\s*:.+'
+          :match => '^[\'"]?context_is_admin or owner(?!:)[\'"]?\s*:.+'
        ) }
      end
    end