Allow globs within hostnames? #241

Open
mbp-stripe opened this issue Dec 23, 2024 · 0 comments
@mbp-stripe
I would like to allowlist the pattern

access-analyzer.*.amazonaws.com

The second component of AWS endpoints is the region. It would be nice not to need to spell out every single region like access-analyzer.us-west-2.amazonaws.com, ... and in particular it would be nice not to need to update this or deal with breakage when new regions are added.

Today Smokescreen seems to intentionally deny globs other than as a single component at the start of a domain:

```go
package acl

import (
	"fmt"
	"strings"
)

// ACL is smokescreen's access-control type; only its glob validator is quoted here.

// Wildcards are valid only at the beginning of a domain glob, and only a single wildcard per glob
// pattern is allowed. Globs must include text after a wildcard.
//
// Domains must use their normalized form (e.g., Punycode)
func (*ACL) ValidateDomainGlob(svc string, glob string) error {
	if glob == "" {
		return fmt.Errorf("glob cannot be empty")
	}
	if glob == "*" || glob == "*." {
		return fmt.Errorf("%v: %v: domain glob must not match everything", svc, glob)
	}
	// A bare "*foo.com" would also match "evilfoo.com"; only a "*." prefix is accepted.
	if !strings.HasPrefix(glob, "*.") && strings.HasPrefix(glob, "*") {
		return fmt.Errorf("%v: %v: domain glob must represent a full prefix (sub)domain", svc, glob)
	}
	// Any wildcard remaining after the leading one is rejected outright.
	domainToCheck := strings.TrimPrefix(glob, "*")
	if strings.Contains(domainToCheck, "*") {
		return fmt.Errorf("%v: %v: domain globs are only supported as prefix", svc, glob)
	}
	// The quoted excerpt ends here; the function is closed so the snippet compiles.
	return nil
}
```

(At least it gives a clear error!)

I don't know why this was added, perhaps there was a concern that globs within a domain might be misused or confusing? But I think there are also legitimate cases, and it doesn't seem like it would be too hard to support technically.

I can also imagine people wanting to allow *.*.amazonaws.com.
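One way the requested mid-label wildcards could be validated and matched without reopening the "match everything" hole, as an added example that is not smokescreen's code (the names ValidateLabelGlob and MatchLabelGlob are hypothetical): each `*` stands for exactly one DNS label, which is stricter than smokescreen's existing suffix-style `*.` prefix glob.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ValidateLabelGlob (hypothetical) accepts patterns whose labels are literal or a lone "*".
// Each "*" stands for exactly one DNS label, so "access-analyzer.*.amazonaws.com" covers every
// region but never "evil.amazonaws.com"; a literal top-level label keeps "*.*" out.
func ValidateLabelGlob(glob string) error {
	labels := strings.Split(glob, ".")
	literal := 0
	for _, l := range labels {
		switch {
		case l == "":
			return errors.New("empty label in glob")
		case l == "*":
			continue
		case strings.Contains(l, "*"):
			return errors.New("wildcard must be a whole label")
		default:
			literal++
		}
	}
	if literal == 0 || labels[len(labels)-1] == "*" {
		return errors.New("glob must end in a literal label")
	}
	return nil
}

// MatchLabelGlob (hypothetical) compares host to glob label by label, case-insensitively.
// Label counts must be equal: "*" never matches a dot, so extra subdomains or an appended suffix fail.
func MatchLabelGlob(glob, host string) bool {
	g := strings.Split(strings.ToLower(glob), ".")
	h := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	if len(g) != len(h) {
		return false
	}
	for i := range g {
		if g[i] != "*" && g[i] != h[i] {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println(MatchLabelGlob("access-analyzer.*.amazonaws.com", "access-analyzer.us-west-2.amazonaws.com"))
}
```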
