From 9e10e80160916ea6a93c230a2f6e6d9726227b1a Mon Sep 17 00:00:00 2001
From: Jake Yip
Date: Fri, 8 Apr 2022 18:42:20 +1000
Subject: [PATCH] Make regex matching policy key stricter
There is a bug where this regex can match multiple lines if a policy contains ':'. Make this regex stricter by making sure the key doesn't end with a ':' within the quotes.
Closes-Bug: #1968294
Change-Id: I4090d6831db8ddc4fba294f181085b657e2b3345
(cherry picked from commit 33fb90326fadd59759d4a65dae0ac873e34ee95b)
---
 manifests/policy/base.pp | 2 +-
 spec/acceptance/openstacklib_policy_base_spec.rb | 14 ++++++++++++++
 spec/defines/openstacklib_policy_base_spec.rb | 6 +++---
 3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/manifests/policy/base.pp b/manifests/policy/base.pp
index b2fefd45..92baebc4 100644
--- a/manifests/policy/base.pp
+++ b/manifests/policy/base.pp
@@ -92,7 +92,7 @@ define openstacklib::policy::base (
 file_line { "${file_path}-${key}" : path => $file_path, line => "'${key}': '${value_real}'",
- match => "^['\"]?${key}['\"]?\\s*:.+"
+ match => "^['\"]?${key}(?!:)['\"]?\\s*:.+"
 } Openstacklib::Policy::Default<| title == $file_path |> -> File_line<| title == "${file_path}-${key}" |>
diff --git a/spec/acceptance/openstacklib_policy_base_spec.rb b/spec/acceptance/openstacklib_policy_base_spec.rb
index 033484be..80e8df2a 100644
--- a/spec/acceptance/openstacklib_policy_base_spec.rb
+++ b/spec/acceptance/openstacklib_policy_base_spec.rb
@@ -18,6 +18,18 @@ describe 'policy file management' do
 value => 'role:member', file_format => 'yaml', }
+ openstacklib::policy::base { 'get_router':
+ file_path => '/tmp/policy.yaml',
+ key => 'get_router',
+ value => 'rule:admin_or_owner',
+ file_format => 'yaml',
+ }
+ openstacklib::policy::base { 'get_router:distributed':
+ file_path => '/tmp/policy.yaml',
+ key => 'get_router:distributed',
+ value => 'rule:admin_only',
+ file_format => 'yaml',
+ }
 EOS 
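Review bot: In manifests/policy/base.pp the new `(?!:)` sits directly after `${key}` and ahead of the optional closing quote, so an existing unquoted entry such as `get_router: rule:admin_or_owner` no longer matches, because the character after the key is the mapping colon itself. file_line would then presumably append the managed line instead of replacing the old one, leaving two entries for the same policy key and making the effective rule depend on how the consumer resolves duplicate YAML keys. Requiring whitespace after the separator keeps quoted and unquoted keys matching while still excluding `get_router:distributed`, e.g. `match => "^['\"]?${key}['\"]?\\s*:\\s.+"`. `${key}` is also interpolated into the pattern unescaped, so a key containing regex metacharacters is matched as a pattern rather than literally; stdlib's `regexpescape` would close that. The enclosing define starts and ends outside the hunk.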
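Review bot: The two fixtures added to spec/acceptance/openstacklib_policy_base_spec.rb only exercise lines that the define itself writes, so every line the regex meets is already in the quoted `'key': 'value'` form. Nothing visible seeds /tmp/policy.yaml with a pre-existing unquoted `get_router: ...` line, where the character after the key is the colon that `(?!:)` rejects, and the `contain` assertions added in the following hunk check presence, not that each key appears exactly once. A case that writes such a line before applying the manifest and then asserts a single `get_router` entry would pin the replace-versus-append behaviour for a file that governs authorization. The heredoc and the describe block continue outside the hunk, so any setup between them is not visible here.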
@@ -30,6 +42,8 @@ describe 'policy file management' do
 it { should exist } it { should contain("'is_admin': 'role:admin'") } it { should contain("'is_member': 'role:member'") }
+ it { should contain("'get_router': 'rule:admin_or_owner'") }
+ it { should contain("'get_router:distributed': 'rule:admin_only'") }
 end end
diff --git a/spec/defines/openstacklib_policy_base_spec.rb b/spec/defines/openstacklib_policy_base_spec.rb
index 75e34c29..5b0f7235 100644
--- a/spec/defines/openstacklib_policy_base_spec.rb
+++ b/spec/defines/openstacklib_policy_base_spec.rb
@@ -72,7 +72,7 @@ describe 'openstacklib::policy::base' do
 it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with( :path => '/etc/nova/policy.yaml', :line => '\'context_is_admin or owner\': \'foo:bar\'',
- :match => '^[\'"]?context_is_admin or owner[\'"]?\s*:.+'
+ :match => '^[\'"]?context_is_admin or owner(?!:)[\'"]?\s*:.+'
 ) } context 'with single-quotes in value' do
@@ -85,7 +85,7 @@ describe 'openstacklib::policy::base' do
 it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with( :path => '/etc/nova/policy.yaml', :line => '\'context_is_admin or owner\': \'foo:\'\'bar\'\'\'',
- :match => '^[\'"]?context_is_admin or owner[\'"]?\s*:.+'
+ :match => '^[\'"]?context_is_admin or owner(?!:)[\'"]?\s*:.+'
 ) } end
@@ -99,7 +99,7 @@ describe 'openstacklib::policy::base' do
 it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with( :path => '/etc/nova/policy.yaml', :line => '\'context_is_admin or owner\': \'foo:\'\'bar\'\'\'',
- :match => '^[\'"]?context_is_admin or owner[\'"]?\s*:.+'
+ :match => '^[\'"]?context_is_admin or owner(?!:)[\'"]?\s*:.+'
 ) } end end