From d8bbfbdf8b503538fff01bff80c5e6e12bfb44b3 Mon Sep 17 00:00:00 2001
From: Simon Ruderich <simon@ruderich.org>
Date: Tue, 12 Nov 2013 23:48:25 +0100
Subject: Add probes.allowed_groups option to restrict group assignments.

---
 src/lib/Bcfg2/Options.py               | 17 ++++++++++++++++-
 src/lib/Bcfg2/Server/Plugins/Probes.py | 10 +++++++++-
 2 files changed, 25 insertions(+), 2 deletions(-)

(limited to 'src/lib/Bcfg2')

diff --git a/src/lib/Bcfg2/Options.py b/src/lib/Bcfg2/Options.py
index 95abe64ae..f9b6a998b 100644
--- a/src/lib/Bcfg2/Options.py
+++ b/src/lib/Bcfg2/Options.py
@@ -311,6 +311,14 @@ def list_split(c_string):
         return re.split(r'\s*,\s*', c_string)
     return []
 
+def list_split_anchored_regex(c_string):
+    """ like list_split but split on whitespace and compile each element as
+    anchored regex """
+    try:
+        return [re.compile('^' + x + '$') for x in re.split(r'\s+', c_string)]
+    except re.error:
+        raise ValueError("Not a list of regexes", c_string)
+
 
 def colon_split(c_string):
     """ split an option string on colons, returning a list """
@@ -641,6 +649,12 @@ SERVER_CHILDREN = \
            cf=('server', 'children'),
            cook=get_int,
            long_arg=True)
+SERVER_PROBE_ALLOWED_GROUPS = \
+    Option('Whitespace-separated list of group names (as regex) to which '
+           'probes can assign a client by writing "group:" to stdout.',
+           default=['.*'],
+           cf=('probes', 'allowed_groups'),
+           cook=list_split_anchored_regex)
 
 # database options
 DB_ENGINE = \
@@ -1225,7 +1239,8 @@ SERVER_COMMON_OPTIONS = dict(repo=SERVER_REPOSITORY,
                              perflog=LOG_PERFORMANCE,
                              perflog_interval=PERFLOG_INTERVAL,
                              children=SERVER_CHILDREN,
-                             client_timeout=CLIENT_TIMEOUT)
+                             client_timeout=CLIENT_TIMEOUT,
+                             probe_allowed_groups=SERVER_PROBE_ALLOWED_GROUPS)
 
 CRYPT_OPTIONS = dict(encrypt=ENCRYPT,
                      decrypt=DECRYPT,
diff --git a/src/lib/Bcfg2/Server/Plugins/Probes.py b/src/lib/Bcfg2/Server/Plugins/Probes.py
index 84e1638d6..59a73c4aa 100644
--- a/src/lib/Bcfg2/Server/Plugins/Probes.py
+++ b/src/lib/Bcfg2/Server/Plugins/Probes.py
@@ -204,6 +204,7 @@ class Probes(Bcfg2.Server.Plugin.Probing,
             err = sys.exc_info()[1]
             raise Bcfg2.Server.Plugin.PluginInitError(err)
 
+        self.allowed_cgroups = core.setup['probe_allowed_groups']
         self.probedata = dict()
         self.cgroups = dict()
         self.load_data()
@@ -391,11 +392,18 @@ class Probes(Bcfg2.Server.Plugin.Probing,
             if line.split(':')[0] == 'group':
                 newgroup = line.split(':')[1].strip()
                 if newgroup not in cgroups:
-                    cgroups.append(newgroup)
+                    if self._group_allowed(newgroup):
+                        cgroups.append(newgroup)
+                    else:
+                        self.logger.info("Disallowed group assignment %s from %s"
+                                         % (newgroup, client.hostname))
                 dlines.remove(line)
         dobj = ProbeData("\n".join(dlines))
         cprobedata[data.get('name')] = dobj
 
+    def _group_allowed(self, group):
+        return any(r.match(group) for r in self.allowed_cgroups)
+
     def get_additional_groups(self, meta):
         return self.cgroups.get(meta.hostname, list())
     get_additional_groups.__doc__ = \
-- 
cgit v1.2.3-1-g7c22