From 435271f8e41ec1348120f9ac783af0369e3fe683 Mon Sep 17 00:00:00 2001
From: Andreas Olsson
Date: Mon, 17 Nov 2025 21:14:57 +0100
Subject: [PATCH] Simplify sudoers rules

With the 2562b1a change to one shared login user it doesn't make as much sense to have individual per zone sudoers rules. Also, the rndc and knotc subcommands are narrow enough that I really don't see any real room for wildcard abuse. On the upside, this simplification takes away the need to rerun the _szh-sudoers_ command any time a zones gets added to the _zone-handler.yaml_ config file.
---
 ssh_zone_handler/bind.py | 16 ++++++----------
 ssh_zone_handler/knot.py | 16 ++++++----------
 tests/test_ssh_zone_handler.py | 16 ++++------------
 3 files changed, 16 insertions(+), 32 deletions(-)

diff --git a/ssh_zone_handler/bind.py b/ssh_zone_handler/bind.py
index c482808..3ce0538 100644
--- a/ssh_zone_handler/bind.py
+++ b/ssh_zone_handler/bind.py
@@ -7,7 +7,7 @@ from typing import Final
 
 
 from .base import InvokeError, SshZoneCommand, SshZoneSudoers
-from .types import UserConf, ZoneHandlerConf
+from .types import ZoneHandlerConf
 
 
 class BindSudoers(SshZoneSudoers):
@@ -16,15 +16,11 @@ class BindSudoers(SshZoneSudoers):
     def _server_command_rules(self) -> list[str]:
         rules: list[str] = []
         for cmd in ["retransfer", "zonestatus"]:
-            user_conf: UserConf
-            for user_conf in self.config.users.values():
-                zone: str
-                for zone in user_conf.zones:
-                    rule = (
-                        f"{self.login_user}\tALL=({self.service_user}) NOPASSWD: "
-                        + f"/usr/sbin/rndc {cmd} {zone}"
-                    )
-                    rules.append(rule)
+            rule = (
+                f"{self.login_user}\tALL=({self.service_user}) NOPASSWD: "
+                + f"/usr/sbin/rndc {cmd} *"
+            )
+            rules.append(rule)
         return rules
 
 
diff --git a/ssh_zone_handler/knot.py b/ssh_zone_handler/knot.py
index 6e4184d..b48439e 100644
--- a/ssh_zone_handler/knot.py
+++ b/ssh_zone_handler/knot.py
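Review bot: The `*` that replaces `{zone}` in the new `rule` string in `_server_command_rules` does not mean "one zone name": sudoers(5) matches command-line arguments as a single concatenated string, so `*` also matches across word boundaries, and the rule now authorises any argument list after `rndc retransfer` / `rndc zonestatus` to run as the service user, not one zone token. The same applies to the knotc rules in the knot.py hunk. Zone-level authorisation therefore has to be enforced before sudo is invoked — presumably in the SshZoneCommand path, which is worth confirming — and the rule deserves a comment saying so, e.g. `# "*" matches any trailing argument string in sudoers; zone authorisation is enforced by the command wrapper, not by this rule`. If the target sudo is 1.9.10 or newer, a regular-expression argument bounds the match to a single token instead, e.g. `+ f"/usr/sbin/rndc {cmd} ^[A-Za-z0-9._-]+$"` (the expected strings in tests/test_ssh_zone_handler.py would change accordingly).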
@@ -6,7 +6,7 @@ from typing import Final
 
 
 from .base import SshZoneCommand, SshZoneSudoers
-from .types import UserConf, ZoneHandlerConf
+from .types import ZoneHandlerConf
 
 
 class KnotSudoers(SshZoneSudoers):
@@ -16,15 +16,11 @@ def _server_command_rules(self) -> list[str]:
         rules: list[str] = []
         for cmd in ["zone-read", "zone-retransfer"]:
-            user_conf: UserConf
-            for user_conf in self.config.users.values():
-                zone: str
-                for zone in user_conf.zones:
-                    rule = (
-                        f"{self.login_user}\tALL=({self.service_user}) NOPASSWD: "
-                        + f"/usr/sbin/knotc {cmd} {zone}"
-                    )
-                    rules.append(rule)
+            rule = (
+                f"{self.login_user}\tALL=({self.service_user}) NOPASSWD: "
+                + f"/usr/sbin/knotc {cmd} *"
+            )
+            rules.append(rule)
         return rules
 
 
diff --git a/tests/test_ssh_zone_handler.py b/tests/test_ssh_zone_handler.py
index 4df1572..60a4de9 100644
--- a/tests/test_ssh_zone_handler.py
+++ b/tests/test_ssh_zone_handler.py
@@ -124,12 +124,8 @@ def test_cli_zone_sudoers(caplog, capsys):
     assert captured_expected.out == "\n".join(
         [
             "zones\tALL=(szh-logviewer) NOPASSWD: /usr/bin/journalctl --unit=named.service --since=-5days --utc",
-            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc retransfer example.com",
-            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc retransfer example.net",
-            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc retransfer example.org",
-            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc zonestatus example.com",
-            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc zonestatus example.net",
-            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc zonestatus example.org\n",
+            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc retransfer *",
+            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc zonestatus *\n",
         ]
     )
 
@@ -140,12 +136,8 @@ def test_cli_zone_sudoers(caplog, capsys):
     assert captured_knot_expected.out == "\n".join(
         [
             "zones\tALL=(szh-logviewer) NOPASSWD: /usr/bin/journalctl --unit=knot.service --since=-5days --utc",
-            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-read example.com",
-            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-read example.net",
-            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-read example.org",
-            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-retransfer example.com",
-            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-retransfer example.net",
-            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-retransfer example.org\n",
+            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-read *",
+            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-retransfer *\n",
         ]
     )
 