Make regex matching policy key stricter

There is a bug where this regex can match multiple lines if a policy
key contains ':'.

Make this regex stricter by making sure the key doesn't end with a ':'
within the quotes.

Closes-Bug: #1968294

Change-Id: I4090d6831db8ddc4fba294f181085b657e2b3345
Jake Yip 2022-04-08 18:42:20 +10:00
parent 59c3e5b9fd
commit 33fb90326f
3 changed files with 18 additions and 4 deletions


@ -92,7 +92,7 @@ define openstacklib::policy::base (
file_line { "${file_path}-${key}" : file_line { "${file_path}-${key}" :
path => $file_path, path => $file_path,
line => "'${key}': '${value_real}'", line => "'${key}': '${value_real}'",
match => "^['\"]?${key}['\"]?\\s*:.+" match => "^['\"]?${key}(?!:)['\"]?\\s*:.+"
} }
Openstacklib::Policy::Default<| title == $file_path |> Openstacklib::Policy::Default<| title == $file_path |>
-> File_line<| title == "${file_path}-${key}" |> -> File_line<| title == "${file_path}-${key}" |>
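Review bot: `${key}` is still interpolated into the `match` pattern unescaped, so any regex metacharacter in a policy key (a `.` or `*`, for example) is read as pattern syntax; the new `(?!:)` guard only covers the colon case. A pattern that matches more than intended lets file_line hit another rule's line in the policy file, which for an authorization policy can silently change who is allowed to do what. Escaping the key before interpolation would close this, for instance with stdlib's `regexpescape($key)` assigned to a local that `match` then uses. Whether the key is already normalised earlier in the define is not visible, because the body starts above this hunk. A one-line comment above `match` would also help the next reader: `# (?!:) keeps 'get_router' from also matching 'get_router:distributed'`.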


@ -18,6 +18,18 @@ describe 'policy file management' do
value => 'role:member', value => 'role:member',
file_format => 'yaml', file_format => 'yaml',
} }
openstacklib::policy::base { 'get_router':
file_path => '/tmp/policy.yaml',
key => 'get_router',
value => 'rule:admin_or_owner',
file_format => 'yaml',
}
openstacklib::policy::base { 'get_router:distributed':
file_path => '/tmp/policy.yaml',
key => 'get_router:distributed',
value => 'rule:admin_only',
file_format => 'yaml',
}
EOS EOS
@ -30,6 +42,8 @@ describe 'policy file management' do
it { should exist } it { should exist }
it { should contain("'is_admin': 'role:admin'") } it { should contain("'is_admin': 'role:admin'") }
it { should contain("'is_member': 'role:member'") } it { should contain("'is_member': 'role:member'") }
it { should contain("'get_router': 'rule:admin_or_owner'") }
it { should contain("'get_router:distributed': 'rule:admin_only'") }
end end
end end
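Review bot: The new acceptance case only exercises the single-quoted form that the resource itself writes, while the `match` pattern also accepts unquoted and double-quoted keys. An existing policy.yaml line such as `get_router:distributed: rule:admin_only` (constructed example) goes through the branch where the optional quote matches nothing, and that is the form a hand-edited file is likely to have. Consider seeding /tmp/policy.yaml with such a line before the manifest is applied, then keeping the two new `contain` assertions so the test proves the `get_router` resource leaves the longer key alone. The manifest and the describe block start above these hunks, so how the apply and any idempotency run are done is not visible here.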


@ -72,7 +72,7 @@ describe 'openstacklib::policy::base' do
it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with( it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with(
:path => '/etc/nova/policy.yaml', :path => '/etc/nova/policy.yaml',
:line => '\'context_is_admin or owner\': \'foo:bar\'', :line => '\'context_is_admin or owner\': \'foo:bar\'',
:match => '^[\'"]?context_is_admin or owner[\'"]?\s*:.+' :match => '^[\'"]?context_is_admin or owner(?!:)[\'"]?\s*:.+'
) } ) }
context 'with single-quotes in value' do context 'with single-quotes in value' do
@ -85,7 +85,7 @@ describe 'openstacklib::policy::base' do
it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with( it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with(
:path => '/etc/nova/policy.yaml', :path => '/etc/nova/policy.yaml',
:line => '\'context_is_admin or owner\': \'foo:\'\'bar\'\'\'', :line => '\'context_is_admin or owner\': \'foo:\'\'bar\'\'\'',
:match => '^[\'"]?context_is_admin or owner[\'"]?\s*:.+' :match => '^[\'"]?context_is_admin or owner(?!:)[\'"]?\s*:.+'
) } ) }
end end
@ -99,7 +99,7 @@ describe 'openstacklib::policy::base' do
it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with( it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with(
:path => '/etc/nova/policy.yaml', :path => '/etc/nova/policy.yaml',
:line => '\'context_is_admin or owner\': \'foo:\'\'bar\'\'\'', :line => '\'context_is_admin or owner\': \'foo:\'\'bar\'\'\'',
:match => '^[\'"]?context_is_admin or owner[\'"]?\s*:.+' :match => '^[\'"]?context_is_admin or owner(?!:)[\'"]?\s*:.+'
) } ) }
end end
end end