diff --git a/ssh_zone_handler/bind.py b/ssh_zone_handler/bind.py
index c482808..3ce0538 100644
--- a/ssh_zone_handler/bind.py
+++ b/ssh_zone_handler/bind.py
@@ -7,7 +7,7 @@ from typing import Final
 from .base import InvokeError, SshZoneCommand, SshZoneSudoers
-from .types import UserConf, ZoneHandlerConf
+from .types import ZoneHandlerConf
 class BindSudoers(SshZoneSudoers):
@@ -16,15 +16,11 @@ class BindSudoers(SshZoneSudoers):
 def _server_command_rules(self) -> list[str]:
 rules: list[str] = []
 for cmd in ["retransfer", "zonestatus"]:
- user_conf: UserConf
- for user_conf in self.config.users.values():
- zone: str
- for zone in user_conf.zones:
- rule = (
- f"{self.login_user}\tALL=({self.service_user}) NOPASSWD: "
- + f"/usr/sbin/rndc {cmd} {zone}"
- )
- rules.append(rule)
+ rule = (
+ f"{self.login_user}\tALL=({self.service_user}) NOPASSWD: "
+ + f"/usr/sbin/rndc {cmd} *"
+ )
+ rules.append(rule)
 return rules
diff --git a/ssh_zone_handler/knot.py b/ssh_zone_handler/knot.py
index 6e4184d..b48439e 100644
--- a/ssh_zone_handler/knot.py
+++ b/ssh_zone_handler/knot.py
@@ -6,7 +6,7 @@ from typing import Final
 from .base import SshZoneCommand, SshZoneSudoers
-from .types import UserConf, ZoneHandlerConf
+from .types import ZoneHandlerConf
 class KnotSudoers(SshZoneSudoers):
@@ -16,15 +16,11 @@ def _server_command_rules(self) -> list[str]:
 rules: list[str] = []
 for cmd in ["zone-read", "zone-retransfer"]:
- user_conf: UserConf
- for user_conf in self.config.users.values():
- zone: str
- for zone in user_conf.zones:
- rule = (
- f"{self.login_user}\tALL=({self.service_user}) NOPASSWD: "
- + f"/usr/sbin/knotc {cmd} {zone}"
- )
- rules.append(rule)
+ rule = (
+ f"{self.login_user}\tALL=({self.service_user}) NOPASSWD: "
+ + f"/usr/sbin/knotc {cmd} *"
+ )
+ rules.append(rule)
 return rules
diff --git a/tests/test_ssh_zone_handler.py b/tests/test_ssh_zone_handler.py
index 4df1572..60a4de9 100644
--- a/tests/test_ssh_zone_handler.py
+++ b/tests/test_ssh_zone_handler.py
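Review bot: The new rule `/usr/sbin/rndc {cmd} *` (and its twin `/usr/sbin/knotc {cmd} *` in the knot.py hunk) removes the only point where the per-user zone list from `self.config.users` constrained what the login user may run as the service user; sudo now permits `retransfer`/`zonestatus` (resp. `zone-read`/`zone-retransfer`) for any zone, and per sudoers(5) a `*` in a command's argument list is matched against the concatenated argument string, so it also accepts extra trailing arguments beyond a single zone name. If the intent is that zone authorization is now enforced solely by the SSH forced-command wrapper (presumably `SshZoneCommand`, which this hunk does not show), say so on the method, e.g. `# Zone authorization is enforced by the command wrapper; sudo only pins the binary and subcommand.`, so a later change to the wrapper is recognised as touching a privilege boundary. Otherwise consider keeping one explicit rule per configured zone, deduplicated across users with a set, which keeps the sudoers file short without widening the grant. The enclosing method starts inside the hunk and ends at `return rules`.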
@@ -124,12 +124,8 @@ def test_cli_zone_sudoers(caplog, capsys):
 assert captured_expected.out == "\n".join(
 [
 "zones\tALL=(szh-logviewer) NOPASSWD: /usr/bin/journalctl --unit=named.service --since=-5days --utc",
- "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc retransfer example.com",
- "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc retransfer example.net",
- "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc retransfer example.org",
- "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc zonestatus example.com",
- "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc zonestatus example.net",
- "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc zonestatus example.org\n",
+ "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc retransfer *",
+ "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc zonestatus *\n",
 ]
 )
@@ -140,12 +136,8 @@ def test_cli_zone_sudoers(caplog, capsys):
 assert captured_knot_expected.out == "\n".join(
 [
 "zones\tALL=(szh-logviewer) NOPASSWD: /usr/bin/journalctl --unit=knot.service --since=-5days --utc",
- "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-read example.com",
- "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-read example.net",
- "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-read example.org",
- "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-retransfer example.com",
- "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-retransfer example.net",
- "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-retransfer example.org\n",
+ "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-read *",
+ "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-retransfer *\n",
 ]
 )
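Review bot: The expected sudoers output no longer depends on the zones configured for the `zones` user (example.com/net/org disappear from the expectation), so this test stops guarding that a user cannot act on a zone outside their own configuration; if that property is now enforced in the command wrapper rather than in sudoers, it deserves its own assertion, a negative case where a zone not in the user's list is refused, unless such a test already exists elsewhere in this file. The second hunk (-140) makes the same change for the knot expectations. The enclosing test function `test_cli_zone_sudoers` starts outside both hunks.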