Be more strict about versionlock strings

This commit locks down the versionlock defined type using a more comprehensive regular expression, storing the Pattern in a type alias. Previously two simple regular expressions were used, but they allowed for invalid inputs with wildcards that spanned multiple fields-- wildcards are only permitted within an individual field.
voxpupuli · Jan 20, 2017 · 967c274 · 967c274
1 parent e0c156b
commit 967c274
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 10 deletions.
diff --git a/manifests/versionlock.pp b/manifests/versionlock.pp
@@ -28,16 +28,10 @@
 ) {
   include ::yum::plugin::versionlock
 
-  unless $name.is_a(Pattern[/^[0-9]+:.+\*$/, /^[0-9]+:.+-.+-.+\./]) {
+  unless $name.is_a(Yum::VersionlockString) {
     fail('Package name must be formated as %{EPOCH}:%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}. See Yum::Versionlock documentation for details.')
   }
 
-  $line = $name ? {
-    /^[0-9]+:.+\*$/      => $name,
-    /^[0-9]+:.+-.+-.+\./ => "${name}*",
-    default              =>  $name,
-  }
-
   $line_prefix = $ensure ? {
     'exclude' => '!',
     default => '',
@@ -46,7 +40,7 @@
   case $ensure {
     'present', 'exclude', default: {
       concat::fragment { "yum-versionlock-${name}":
-        content => "${line_prefix}${line}\n",
+        content => "${line_prefix}${name}\n",
         target  => $yum::plugin::versionlock::path,
       }
     }

diff --git a/spec/defines/versionlock_spec.rb b/spec/defines/versionlock_spec.rb
@@ -9,7 +9,7 @@
     context 'and no parameters' do
       it { is_expected.to compile.with_all_deps }
       it 'contains a well-formed Concat::Fragment' do
-        is_expected.to contain_concat__fragment("yum-versionlock-#{title}").with_content("#{title}*\n")
+        is_expected.to contain_concat__fragment("yum-versionlock-#{title}").with_content("#{title}\n")
       end
     end
 
@@ -18,7 +18,7 @@
 
       it { is_expected.to compile.with_all_deps }
       it 'contains a well-formed Concat::Fragment' do
-        is_expected.to contain_concat__fragment("yum-versionlock-#{title}").with_content("#{title}*\n")
+        is_expected.to contain_concat__fragment("yum-versionlock-#{title}").with_content("#{title}\n")
       end
     end
 
@@ -41,9 +41,23 @@
     end
   end
 
+  context 'with a complex wildcard title' do
+    let(:title) { '0:bash-4.*-*.el6' }
+
+    it 'contains a well-formed Concat::Fragment' do
+      is_expected.to contain_concat__fragment("yum-versionlock-#{title}").with_content("#{title}\n")
+    end
+  end
+
   context 'with an invalid title' do
     let(:title) { 'bash-4.1.2' }
 
     it { is_expected.to raise_error(Puppet::PreformattedError, %r(%\{EPOCH\}:%\{NAME\}-%\{VERSION\}-%\{RELEASE\}\.%\{ARCH\})) }
   end
+
+  context 'with an invalid wildcard pattern' do
+    let(:title) { '0:bash-4.1.2*' }
+
+    it { is_expected.to raise_error(Puppet::PreformattedError, %r(%\{EPOCH\}:%\{NAME\}-%\{VERSION\}-%\{RELEASE\}\.%\{ARCH\})) }
+  end
 end
diff --git a/types/versionlockstring.pp b/types/versionlockstring.pp
@@ -0,0 +1 @@
+type Yum::VersionlockString = Pattern[/^([0-9\*]+):([0-9a-zA-Z\._\+%\{\}\*-]+)-([^-]+)-([0-9\*]+)\.(([0-9a-zZ-Z_\*]+)(?:\.(noarch|x86_64|i386|arm|ppc64|ppc64le|sparc64|ia64|alpha|ip|m68k|mips|mipsel|mk68k|mint|ppc|rs6000|s390|s390x|sh|sparc|xtensa|\*))?)$/]