Add regexp.replace support in role templates #7152
Conversation
|
@stevenGravy Can you verify this solves the customers issue, I think they are using |
There was a problem hiding this comment.
@nklaassen looks good UX-wise, but need docs in this PR please
@klizhentas sure, https://goteleport.com/docs/access-controls/guides/role-templates/#interpolation-rules seems like a good place to add an example, I'll do that. @klizhentas @russjones what should the behaviour be when the expression does not match at all? As-is it will just pass the value through unchanged, but I'm realizing that may not be what we want. I'm thinking of a case like |
|
In the latest commit, all values which do not match the regular expression at all are filtered out |
|
@nklaassen Once this is merged, please backport to |
| func (r regexpReplaceTransformer) transform(in string) (string, error) { | ||
| // filter out inputs which to not match the regexp at all | ||
| if !r.re.MatchString(in) { | ||
| return "", nil |
There was a problem hiding this comment.
Shouldn't this return in unmodified?
There was a problem hiding this comment.
I'm filtering out inputs which do not match the regex, that seems to be more useful and the behaviour people actually want. Empty strings are removed from the output set in Interpolate.
|
@nklaassen filtering out non matching values is a good default for both allow and deny expressions |
Closes #3374
This PR adds support for
{{regexp.replace(namespace.variable, expression, replacement)}}syntax in role templates.See the updated tests for some examples.