Skip to content

Allow globs within hostnames? #241

New issue
New issue
Open
#258
Open
Allow globs within hostnames?#241
#258
@mbp-stripe

Description

@mbp-stripe
mbp-stripe
opened on Dec 23, 2024

I would like to allowlist the pattern

access-analyzer.*.amazonaws.com

The second component of AWS endpoints is the region. It would be nice not to need to spell out every single region like access-analyzer.us-west-2.amazonaws.com, ... and in particular it would be nice not to need to update this or deal with breakage when new regions are added.

Today Smokescreen seems to intentionally deny globs other than as a single component at the start of a domain:

smokescreen/pkg/smokescreen/acl/v1/acl.go

Lines 246 to 266 in bffe947

// Wildcards are valid only at the beginning of a domain glob, and only a single wildcard per glob
// pattern is allowed. Globs must include text after a wildcard.
//
// Domains must use their normalized form (e.g., Punycode)
func (*ACL) ValidateDomainGlob(svc string, glob string) error {
if glob == "" {
return fmt.Errorf("glob cannot be empty")
}
if glob == "*" || glob == "*." {
return fmt.Errorf("%v: %v: domain glob must not match everything", svc, glob)
}
if !strings.HasPrefix(glob, "*.") && strings.HasPrefix(glob, "*") {
return fmt.Errorf("%v: %v: domain glob must represent a full prefix (sub)domain", svc, glob)
}
domainToCheck := strings.TrimPrefix(glob, "*")
if strings.Contains(domainToCheck, "*") {
return fmt.Errorf("%v: %v: domain globs are only supported as prefix", svc, glob)
}
(At least it gives a clear error!)

I don't know why this was added, perhaps there was a concern that globs within a domain might be misused or confusing? But I think there are also legitimate cases, and it doesn't seem like it would be too hard to support technically.

I can also imagine people wanting to allow *.*.amazonaws.com.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions