policy regex matches more than necessary

Bug #1968294 reported by Jake Yip
Affects: puppet-openstacklib
Status: Fix Released
Importance: High
Assigned to: Jake Yip
Milestone: (none)

Bug Description

The regex in https://github.com/openstack/puppet-openstacklib/blob/stable/yoga/manifests/policy/base.pp#L95 can match multiple policies if the policy contains ':'.

For example, a policy of 'get_router' can match both 'get_router' and
'get_router:distributed' lines.

This can be seen clearly by inputting the following into a regex checker like https://regex101.com/

regex expression:
 ^['"]?get_router['"]?\s*:.+

data:
'get_router': 'rule:admin_or_owner'
'get_router:distributed': 'rule:admin_only'

Jake Yip (waipengyip)
Changed in puppet-openstacklib:
assignee: nobody → Jake Yip (waipengyip)
Jake Yip (waipengyip)
description: updated
Jake Yip (waipengyip) wrote :

I did some further testing, and created the following test case

A test case is like this

# cat policy.pp
openstacklib::policy::base { 'is_member':
  file_path => '/tmp/policy.yaml',
  key => 'is_member',
  value => 'role:member',
  file_format => 'yaml',
}
openstacklib::policy::base { 'get_router':
  file_path => '/tmp/policy.yaml',
  key => 'get_router',
  value => "rule:admin_or_owner",
  file_format => 'yaml',
}
openstacklib::policy::base { 'get_router:distributed':
  file_path => '/tmp/policy.yaml',
  key => 'get_router:distributed',
  value => 'rule:admin_only',
  file_format => 'yaml',
}

This creates a file

# cat /tmp/policy.yaml
'is_member': 'role:member'
'get_router': 'rule:admin_or_owner'
'get_router:distributed': 'rule:admin_only'

However, if you change the 'get_router' rule slightly

'get_router': 'rule:admin_only'

and re-run puppet, you get

# puppet apply policy.pp
Notice: Compiled catalog for ubuntu2004 in environment production in 0.03 seconds
Error: More than one line in file '/tmp/policy.yaml' matches pattern '^['"]?get_router['"]?\s*:.+'
Error: /Stage[main]/Main/Openstacklib::Policy::Base[get_router]/File_line[/tmp/policy.yaml-get_router]/ensure: change from 'absent' to 'present' failed: More than one line in file '/tmp/policy.yaml' matches pattern '^['"]?get_router['"]?\s*:.+'
Notice: Applied catalog in 0.02 seconds

This happens because the defined file_line doesn't exist anymore, so puppet tries to find a line to replace, and the regex for the 'match' property matched more than one line.
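The over-match described in this report, next to one stricter pattern, as an added example (not code from puppet-openstacklib or from file_line, and not the released fix). The function names and `anchored_pattern` are hypothetical, the sample file is constructed from the report's data, and the stricter pattern assumes the key's opening and closing quotes agree and that the key's colon is followed by whitespace.

```ruby
# Added example: simplified model of the "match" step; not the module's code.

# Constructed sample: policy.yaml from the report after 'get_router' was
# changed, so the managed line is no longer present verbatim.
POLICY_YAML = <<~YAML
  'is_member': 'role:member'
  'get_router': 'rule:admin_only'
  'get_router:distributed': 'rule:admin_only'
YAML

# Pattern quoted in the report, with the policy key interpolated.
def reported_pattern(key)
  Regexp.new(%q{^['"]?} + key + %q{['"]?\s*:.+})
end

# Hypothetical stricter pattern (an assumption, not the upstream fix):
# the closing quote must equal the opening one (\1), and the separator
# colon must be followed by whitespace, so a ':' inside a longer key
# such as get_router:distributed cannot serve as the separator.
def anchored_pattern(key)
  Regexp.new(%q{^(['"]?)} + Regexp.escape(key) + %q{\1\s*:\s+\S.*$})
end

# Lines of the file that the pattern would select for replacement.
def matching_lines(text, pattern)
  text.lines.map(&:chomp).select { |line| line.match?(pattern) }
end

# Mirrors the failure in the report: refuse to choose when several lines match.
def line_to_replace(text, pattern)
  hits = matching_lines(text, pattern)
  raise ArgumentError, "More than one line matches #{pattern.source}" if hits.size > 1
  hits.first
end

if __FILE__ == $PROGRAM_NAME
  %w[get_router get_router:distributed].each do |key|
    { 'reported' => reported_pattern(key), 'anchored' => anchored_pattern(key) }.each do |name, re|
      puts "#{key} / #{name}: #{matching_lines(POLICY_YAML, re).inspect}"
    end
  end
end
```
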

Takashi Kajinami (kajinamit) wrote :
Changed in puppet-openstacklib:
importance: Undecided → High
status: New → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-openstacklib 17.4.1

This issue was fixed in the openstack/puppet-openstacklib 17.4.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-openstacklib 21.0.0

This issue was fixed in the openstack/puppet-openstacklib 21.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-openstacklib 18.5.1

This issue was fixed in the openstack/puppet-openstacklib 18.5.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-openstacklib 19.5.0

This issue was fixed in the openstack/puppet-openstacklib 19.5.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-openstacklib 20.3.1

This issue was fixed in the openstack/puppet-openstacklib 20.3.1 release.
