From 8d177fb1f42cb80ffbf678669cd726d40f26f123 Mon Sep 17 00:00:00 2001
From: Timo Weingärtner
Date: Fri, 4 Jan 2013 21:16:37 +0100
Subject: implement hostname filtering
Fixes GH-1.
---
 README | 15 +++++++++++++++
 examples/curl.filter | 9 +++++++++
 update-openssh-known-hosts | 27 ++++++++++++++++++++++++++-
 3 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 examples/curl.filter
diff --git a/README b/README
index 54c06ca..1953dd1 100644
--- a/README
+++ b/README
@@ -13,6 +13,21 @@ The rest of the variables is plugin-specific. For examples see /usr/share/doc/openssh-known-hosts/examples/*.
+Writing a hostname filter:
+==========================
+
+Place a file $source.filter next to your $source in
+/etc/openssh-known-hosts/sources.
+
+Each line shall contain a rule consisting of an action, a space and a pattern.
+The first rule with a matching pattern decides: If the action starts with a,
+o, p or y (for accept, admit, allow, ok, pass, permit, print, yes, ...) the
+hostname will be used, otherwise it is discarded. If a key has no hostnames
+left it is discarded as a whole.
+
+An example filter can be found in
+/usr/share/doc/openssh-known-hosts/examples/curl.filter.
+
 Writing a plugin:
 =================
diff --git a/examples/curl.filter b/examples/curl.filter
new file mode 100644
index 0000000..ff7f71b
--- /dev/null
+++ b/examples/curl.filter
@@ -0,0 +1,9 @@
+# example filter file, can be used with any plugin
+# deny some subareas first
+# in most cases you won't need that
+deny sub\.example\.com$
+deny ^2001:db8:f00:
+# then allow what we are downloading the keys for
+allow \.example\.com$
+allow ^2001:db8:
+allow ^192\.0\.2\.
diff --git a/update-openssh-known-hosts b/update-openssh-known-hosts
index 8b77aee..e191f92 100755
--- a/update-openssh-known-hosts
+++ b/update-openssh-known-hosts
@@ -82,7 +82,32 @@ run-parts --list "${CONFDIR}/sources/" | while read sourcefile; do
 mv ${source}/new ${source}/current
 fi
 if [ -e ${source}/current ]; then
- sort -u ${source}/current >&3
+ if [ -e "${sourcefile}.filter" ]; then
+ mapfile -t filter < "${sourcefile}.filter"
+ for i in ${!filter[@]}; do
+ if [[ ${filter[$i]} =~ ^($|#) ]]; then
+ unset filter[$i]
+ fi
+ done
+ while read hostlist rest; do
+ IFS=, read -a hostarray <<<$hostlist
+ new_hostlist=''
+ for host in ${hostarray[@]}; do
+ for rule in "${filter[@]}"; do
+ if [[ ${host} =~ ${rule#* } ]]; then
+ if [[ ${rule%% *} =~ ^[aopy] ]]; then
+ new_hostlist="${new_hostlist}${host},"
+ fi
+ break
+ fi
+ done
+ done
+ [ "$new_hostlist" ] || continue
+ echo "${new_hostlist%,} ${rest}"
+ done < ${source}/current | sort -u >&3
+ else
+ sort -u ${source}/current >&3
+ fi
 fi
 done 3>| "${OUTFILE}.new"
-- cgit v1.2.3
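Review bot: The new `for host in ${hostarray[@]}` line (and `for i in ${!filter[@]}` above it) leaves the expansion unquoted, so every hostlist entry read from the downloaded `${source}/current` file goes through pathname expansion before it is matched; known_hosts host patterns may legitimately contain `*`, `?` and `[host]:port`, so a wildcard entry such as `*.example.com` can be replaced by whatever files happen to be in the working directory and then pass or fail the filter on the wrong string. Quote both, `for host in "${hostarray[@]}"; do` and `for i in "${!filter[@]}"; do`, and use `while read -r hostlist rest; do` so a backslash in a key line is not interpreted. Separately, a line whose first field is a `@cert-authority`/`@revoked` marker or a hashed `|1|…` hostname is compared against the rules as if it were a hostname and is discarded unless some rule happens to allow it, which for `@revoked` silently drops a revocation; whether any shipped source produces such lines is not visible here, so at least a comment stating that filtered sources must use plain hostnames, or an explicit pass-through for `@`-marker lines, would be prudent. The enclosing `run-parts … | while read sourcefile` loop starts before this hunk and its body is otherwise unchanged.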