Simplify sudoers rules

ssh_zone_handler/bind.py

@@ -7,7 +7,7 @@
 from typing import Final
 
 from .base import InvokeError, SshZoneCommand, SshZoneSudoers
-from .types import UserConf, ZoneHandlerConf
+from .types import ZoneHandlerConf
 
 
 class BindSudoers(SshZoneSudoers):
@@ -16,15 +16,11 @@ class BindSudoers(SshZoneSudoers):
     def _server_command_rules(self) -> list[str]:
         rules: list[str] = []
         for cmd in ["retransfer", "zonestatus"]:
-            user_conf: UserConf
-            for user_conf in self.config.users.values():
-                zone: str
-                for zone in user_conf.zones:
-                    rule = (
-                        f"{self.login_user}\tALL=({self.service_user}) NOPASSWD: "
-                        + f"/usr/sbin/rndc {cmd} {zone}"
-                    )
-                    rules.append(rule)
+            rule = (
+                f"{self.login_user}\tALL=({self.service_user}) NOPASSWD: "
+                + f"/usr/sbin/rndc {cmd} *"
+            )
+            rules.append(rule)
         return rules
 
 

ssh_zone_handler/knot.py

@@ -6,7 +6,7 @@
 from typing import Final
 
 from .base import SshZoneCommand, SshZoneSudoers
-from .types import UserConf, ZoneHandlerConf
+from .types import ZoneHandlerConf
 
 
 class KnotSudoers(SshZoneSudoers):
@@ -16,15 +16,11 @@ def _server_command_rules(self) -> list[str]:
         rules: list[str] = []
 
         for cmd in ["zone-read", "zone-retransfer"]:
-            user_conf: UserConf
-            for user_conf in self.config.users.values():
-                zone: str
-                for zone in user_conf.zones:
-                    rule = (
-                        f"{self.login_user}\tALL=({self.service_user}) NOPASSWD: "
-                        + f"/usr/sbin/knotc {cmd} {zone}"
-                    )
-                    rules.append(rule)
+            rule = (
+                f"{self.login_user}\tALL=({self.service_user}) NOPASSWD: "
+                + f"/usr/sbin/knotc {cmd} *"
+            )
+            rules.append(rule)
         return rules
 
 

tests/test_ssh_zone_handler.py

@@ -124,12 +124,8 @@ def test_cli_zone_sudoers(caplog, capsys):
     assert captured_expected.out == "\n".join(
         [
             "zones\tALL=(szh-logviewer) NOPASSWD: /usr/bin/journalctl --unit=named.service --since=-5days --utc",
-            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc retransfer example.com",
-            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc retransfer example.net",
-            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc retransfer example.org",
-            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc zonestatus example.com",
-            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc zonestatus example.net",
-            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc zonestatus example.org\n",
+            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc retransfer *",
+            "zones\tALL=(bind) NOPASSWD: /usr/sbin/rndc zonestatus *\n",
         ]
     )
 
@@ -140,12 +136,8 @@ def test_cli_zone_sudoers(caplog, capsys):
     assert captured_knot_expected.out == "\n".join(
         [
             "zones\tALL=(szh-logviewer) NOPASSWD: /usr/bin/journalctl --unit=knot.service --since=-5days --utc",
-            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-read example.com",
-            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-read example.net",
-            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-read example.org",
-            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-retransfer example.com",
-            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-retransfer example.net",
-            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-retransfer example.org\n",
+            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-read *",
+            "zones\tALL=(knot) NOPASSWD: /usr/sbin/knotc zone-retransfer *\n",
         ]
     )