define Classes
67 views
Skip to first unread message
thierry thunot
May 14, 2021, 2:36:39 AM5/14/21
to help-cfengine
Good morning all,
I'm trying to simplify the use of multi environments and I have a problem with class definition.
my goal is to only put the MD5 keys in a single file and not have to add them to the promises.cf manually
my def.json:
{
"vars":
{
"vars":
{
"env_pc_tthunot_prod_acces":{
"path":"$(sys.masterdir)/env_pc_tthunot_prod",
"handle":"server_access_grant_pc_tthunot_prod",
"shortcut":"masterfile_env_pc_tthunot_prod",
"comment":"Promises pour les environnements pc tthunot de prod",
"admit_keys": [
"MD5=9a3daa83c8e5ca54bcee87a71",
"MD5=5501fd97c0a2cdd6e2e486dc3f",
"MD5=b0e59f83b82931a7048d8fe1a0c",
"MD5=65f877fb2dfcaade421b8d270a",
"MD5=ebeccffdb4b23131d9a6c7f3f53d",
"MD5=65f80bfdafb2dfcaade421b8d270a",
"MD5=e7df0693fd20ede7fbc13ac8e5d8d5",
"MD5=a312e43c410f587320d845ee98b7",
]
}
"path":"$(sys.masterdir)/env_pc_tthunot_prod",
"handle":"server_access_grant_pc_tthunot_prod",
"shortcut":"masterfile_env_pc_tthunot_prod",
"comment":"Promises pour les environnements pc tthunot de prod",
"admit_keys": [
"MD5=9a3daa83c8e5ca54bcee87a71",
"MD5=5501fd97c0a2cdd6e2e486dc3f",
"MD5=b0e59f83b82931a7048d8fe1a0c",
"MD5=65f877fb2dfcaade421b8d270a",
"MD5=ebeccffdb4b23131d9a6c7f3f53d",
"MD5=65f80bfdafb2dfcaade421b8d270a",
"MD5=e7df0693fd20ede7fbc13ac8e5d8d5",
"MD5=a312e43c410f587320d845ee98b7",
]
}
........
}
my access definition
bundle server regles_controle_acces
{
access:
any::
.....
"$(def.env_pc_tthunot_prod_acces[path])"
handle => "$(def.env_pc_tthunot_prod_acces[handle])",
shortcut => "$(def.env_pc_tthunot_prod_acces[shortcut])",
comment => "$(def.env_pc_tthunot_prod_acces[comment])",
admit_keys => { "$(def.env_pc_tthunot_prod_acces[admit_keys])"};
{
access:
any::
.....
"$(def.env_pc_tthunot_prod_acces[path])"
handle => "$(def.env_pc_tthunot_prod_acces[handle])",
shortcut => "$(def.env_pc_tthunot_prod_acces[shortcut])",
comment => "$(def.env_pc_tthunot_prod_acces[comment])",
admit_keys => { "$(def.env_pc_tthunot_prod_acces[admit_keys])"};
....
}
and a part of my promises.cf where i declare classes for environment(NB: it's ok when i declare classes with slist of hostname)
....
classes:
"env_pc_tthunot_preprod" or => {"@(def.env_pc_tthunot_preprod_acces[admit_keys])",};
"env_pc_tthunot_prod" or => {"@(def.env_pc_tthunot_prod_acces[admit_keys])", };
"env_pc_tthunot_prod" or => {"@(def.env_pc_tthunot_prod_acces[admit_keys])", };
when i try to run cf-agent i have this error :
In attribute 'or', Context string is invalid/out of range. Given attribute value 'MD5=9a3d49c8e5ca54bcee87a71'
i try to replace @ by $ but the result is the same....
how can i do?
Thanks for your help
rco...@eticainc.com
May 17, 2021, 10:36:57 AM5/17/21
to help-cfengine
One thing I noticed when looking at this, the class for the MD5/SHA keys begin with "PK_" so you would probably need to include that in the match including the canonify/classify. If you are adding the keys in the code, you could just prepend each line to force the match.
"admit_keys": [
"PK_MD5=9a3daa83c8e5ca54bcee87a71",
"PK_MD5=5501fd97c0a2cdd6e2e486dc3f",
"PK_MD5=b0e59f83b82931a7048d8fe1a0c",
"PK_MD5=65f877fb2dfcaade421b8d270a",
"PK_MD5=ebeccffdb4b23131d9a6c7f3f53d",
"PK_MD5=65f80bfdafb2dfcaade421b8d270a",
"PK_MD5=e7df0693fd20ede7fbc13ac8e5d8d5",
"PK_MD5=a312e43c410f587320d845ee98b7",
]
Nick Anderson
May 17, 2021, 11:19:36 AM5/17/21
to thierry thunot, help-cfengine
thierry thunot <tth...@gmail.com> writes:
Hi,
I see a few things here.
In your access promise, admit_keys looks to be iterating ( note the use of $( ), so, if it were working, I would only expect the last key in the list to be authorized.
bundle server regles_controle_acces { access: any::
# .....
"$(def.env_pc_tthunot_prod_acces[path])"
handle => "$(def.env_pc_tthunot_prod_acces[handle])",
shortcut => "$(def.env_pc_tthunot_prod_acces[shortcut])",
comment => "$(def.env_pc_tthunot_prod_acces[comment])",
admit_keys => { "$(def.env_pc_tthunot_prod_acces[admit_keys])"};
# .... }
I would try to use the @( notation, but I am unsure if that will work directly. It's possible that you would need to extract it into a list and reference that.
bundle server regles_controle_acces { access: any::
# .....
"$(def.env_pc_tthunot_prod_acces[path])"
handle => "$(def.env_pc_tthunot_prod_acces[handle])",
shortcut => "$(def.env_pc_tthunot_prod_acces[shortcut])",
comment => "$(def.env_pc_tthunot_prod_acces[comment])",
admit_keys => { "@(def.env_pc_tthunot_prod_acces[admit_keys])"};
# ....
}
Perhaps:
bundle server regles_controle_acces { vars: "my_keys_allowed_to_access" slist => getvalues( "def.env_pc_tthunot_prod_acces[admit_keys]" ); access: any:: # .....
"$(def.env_pc_tthunot_prod_acces[path])"
handle => "$(def.env_pc_tthunot_prod_acces[handle])",
shortcut => "$(def.env_pc_tthunot_prod_acces[shortcut])",
comment => "$(def.env_pc_tthunot_prod_acces[comment])",
admit_keys => { "@(my_keys_allowed_to_access)"};
# ....
}
With your policy to set a class for the environment:
classes: "env_pc_tthunot_preprod" or => {"@(def.env_pc_tthunot_preprod_acces[admit_keys])",}; "env_pc_tthunot_prod" or => {"@(def.env_pc_tthunot_prod_acces[admit_keys])", };
@(def.env_pc_tthunot_prod_acces[admit_keys]) should resolve to a list of strings for your host IDs, e.g, "MD5=e7df0693fd20ede7fbc13ac8e5d8d5", "MD5=a312e43c410f587320d845ee98b7". Note, = is not a valid character in class names, also even canonified, I would not expect there to be a class matching MD5_a312e43c410f587320d845ee98b7 by default. There should be a class that is prefixed with PK_ followed by the canonified key digest, e.g. PK_MD5_a312e43c410f587320d845ee98b7.
A couple options come to mind:
- Use
some()to search the list based on regular expression for an entry matching the host, e.g.some("$(sys.key_digest)", "def.env_pc_tthunot_prepod_access[admit_keys]") - Use
maplist()to transform the list on the fly from a list of Key IDs to the list of class names that correlate to the keys (prefixing withPK_and canonifying the key digest.
thierry thunot
May 20, 2021, 6:06:52 AM5/20/21
to help-cfengine
Thank's it's ok!!!!
Reply all
Reply to author
Forward
0 new messages