Skip to content

feat: add $HOSTNAME substitution in privilege policy #1360

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kevinl03 wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: add $HOSTNAME substitution in privilege policy #1360

kevinl03 wants to merge 3 commits into from

Conversation

@kevinl03
Copy link

@kevinl03 kevinl03 commented Jan 20, 2026

Fixes #1037

Implements $HOSTNAME variable substitution in the Client administrators
policy, similar to Windows %COMPUTERNAME% behavior. This allows GPOs to
use hostname-specific group names like secLocalAdmin-$HOSTNAME@domain.com.

The substitution happens before processing the entry value, affecting
both sudoers and polkit configuration files (both old and new formats).

Changes:

  • Added hostname retrieval and substitution in ApplyPolicy
  • Added test case for HOSTNAME substitution
  • Added golden files for the new test case

@kevinl03
feat: add $HOSTNAME substitution in privilege policy
b60ce4d 
Implement $HOSTNAME variable substitution in the Client administrators
policy, similar to Windows %COMPUTERNAME% behavior. This allows GPOs to
use hostname-specific group names like secLocalAdmin-$HOSTNAME@domain.com.

The substitution happens before processing the entry value, affecting
both sudoers and polkit configuration files (both old and new formats).

Fixes: ubuntu#1037
@kevinl03
test: add golden file for HOSTNAME substitution test
c54efd2
@kevinl03 kevinl03 requested a review from a team as a code owner January 20, 2026 23:36
@kevinl03 kevinl03 closed this Jan 21, 2026
@kevinl03 kevinl03 reopened this Jan 21, 2026
@kevinl03
feat: add $HOSTNAME substitution in privilege policy
3cc2a71 
- Add TestHostname field to Manager for deterministic testing
- Implement $HOSTNAME substitution in client-admins policy entries
- Add comprehensive test cases for single, multiple, and group HOSTNAME substitutions
- Use normalized test hostname in golden files to ensure machine-independent test outputs

Fixes ubuntu#1037
@codecov-commenter
Copy link

codecov-commenter commented Jan 26, 2026

Codecov Report

❌ Patch coverage is 90.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 93.68%. Comparing base (2d2a5e1) to head (3cc2a71).
⚠️ Report is 335 commits behind head on main.

Files with missing lines Patch % Lines
internal/policies/privilege/privilege.go 90.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1360      +/-   ##
==========================================
+ Coverage   91.45%   93.68%   +2.22%     
==========================================
  Files          79       79              
  Lines        9074     7048    -2026     
==========================================
- Hits         8299     6603    -1696     
+ Misses        765      435     -330     
  Partials       10       10

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

denisonbarbosa
denisonbarbosa requested changes Jan 26, 2026
View reviewed changes
Copy link
Member

@denisonbarbosa denisonbarbosa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, @kevinl03! Thanks for taking the time to contribute to this project. We appreciate it!

Overall, nicely done! However, I think we can improve the hostname substitution part of the PR (well spotted requirement, btw).

internal/policies/privilege/privilege.go
Comment on lines 89 to 141
@@ -126,7 +127,20 @@ func (m *Manager) ApplyPolicy(ctx context.Context, objectName string, isComputer

log.Debugf(ctx, "Applying privilege policy to %s", objectName)

// We don’t create empty files if there is no entries. Still remove any previous version.
// Get hostname for variable substitution
var hostname string
if m.TestHostname != "" {
// Use test hostname if provided (for testing)
hostname = m.TestHostname
} else {
var hostnameErr error
hostname, hostnameErr = os.Hostname()
if hostnameErr != nil {
return fmt.Errorf("can't get hostname: %w", hostnameErr)
}
}
Copy link
Member

@denisonbarbosa denisonbarbosa Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding a public field only for testing to the struct is not recommended. Let's talk about some possible outs for this:

  1. You could replace the default os.Hostname function with a mock one using optional functions, similar to what we do in the internal/authorizer package (look here: 1, 2, 3)

  2. You could replace the hostname right before updating the golden files in the tests (around here). It's pretty much just replacing the specific hostname with a generic one in the files that were generated.

Number 1 is more elegant but more complex to implement, and since we don't need it for many tests, I'd go with number 2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@denisonbarbosa denisonbarbosa denisonbarbosa requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Feature: enviroment variables $HOSTNAME usable in GPOs

3 participants

@kevinl03 @codecov-commenter @denisonbarbosa