gravitational · awly · Sep 29, 2020 · Sep 17, 2020 · Sep 17, 2020 · Sep 17, 2020
diff --git a/lib/services/role.go b/lib/services/role.go
@@ -385,12 +385,9 @@ func ApplyTraits(r Role, traits map[string][]string) Role {
 // at least one value in case if return value is nil
 func applyValueTraits(val string, traits map[string][]string) ([]string, error) {
 	// Extract the variable from the role variable.
-	variable, err := parse.RoleVariable(val)
+	variable, err := parse.NewExpression(val)
 	if err != nil {
-		if !trace.IsNotFound(err) {
-			return nil, trace.Wrap(err)
-		}
-		return []string{val}, nil
+		return nil, trace.Wrap(err)
 	}
 
 	// For internal traits, only internal.logins, internal.kubernetes_users and
@@ -690,7 +687,7 @@ func (r *RoleV3) CheckAndSetDefaults() error {
 	for _, condition := range []RoleConditionType{Allow, Deny} {
 		for _, login := range r.GetLogins(condition) {
 			if strings.Contains(login, "{{") || strings.Contains(login, "}}") {
-				_, err := parse.RoleVariable(login)
+				_, err := parse.NewExpression(login)
 				if err != nil {
 					return trace.BadParameter("invalid login found: %v", login)
 				}
@@ -1588,11 +1585,19 @@ func MatchLabels(selector Labels, target map[string]string) (bool, string, error
 		}
 
 		if !utils.SliceContainsStr(selectorValues, Wildcard) {
-			result, err := utils.SliceMatchesRegex(targetVal, selectorValues)
-			if err != nil {
-				return false, "", trace.Wrap(err)
-			} else if !result {
-				return false, fmt.Sprintf("no value match: got '%v' want: '%v'", targetVal, selectorValues), nil
+			matched := false
+			for _, expr := range selectorValues {
+				m, err := parse.NewMatcher(expr)
+				if err != nil {
+					return false, "", trace.Wrap(err)
+				}
+				if m.Match(targetVal) {
+					matched = true
+					break
+				}
+			}
+			if !matched {
+				return false, fmt.Sprintf("no value match: got %q want: %q", targetVal, selectorValues), nil
 			}
 		}
 	}

diff --git a/lib/services/role_test.go b/lib/services/role_test.go
@@ -749,6 +749,64 @@ func (s *RoleSuite) TestCheckAccess(c *C) {
 				{server: serverC2, login: "admin", hasAccess: true},
 			},
 		},
+		{
+			name: "role matches a regexp label",
+			roles: []RoleV3{
+				RoleV3{
+					Metadata: Metadata{
+						Name:      "name1",
+						Namespace: defaults.Namespace,
+					},
+					Spec: RoleSpecV3{
+						Options: RoleOptions{
+							MaxSessionTTL: Duration(20 * time.Hour),
+						},
+						Allow: RoleConditions{
+							Logins:     []string{"admin"},
+							NodeLabels: Labels{"role": []string{`{{regexp.match("worker.*")}}`}},
+							Namespaces: []string{defaults.Namespace, namespaceC},
+						},
+					},
+				},
+			},
+			checks: []check{
+				{server: serverA, login: "root", hasAccess: false},
+				{server: serverA, login: "admin", hasAccess: false},
+				{server: serverB, login: "root", hasAccess: false},
+				{server: serverB, login: "admin", hasAccess: true},
+				{server: serverC, login: "root", hasAccess: false},
+				{server: serverC, login: "admin", hasAccess: false},
+			},
+		},
+		{
+			name: "role matches a negative regexp label",
+			roles: []RoleV3{
+				RoleV3{
+					Metadata: Metadata{
+						Name:      "name1",
+						Namespace: defaults.Namespace,
+					},
+					Spec: RoleSpecV3{
+						Options: RoleOptions{
+							MaxSessionTTL: Duration(20 * time.Hour),
+						},
+						Allow: RoleConditions{
+							Logins:     []string{"admin"},
+							NodeLabels: Labels{"role": []string{`{{regexp.not_match("db.*")}}`}},
+							Namespaces: []string{defaults.Namespace, namespaceC},
+						},
+					},
+				},
+			},
+			checks: []check{
+				{server: serverA, login: "root", hasAccess: false},
+				{server: serverA, login: "admin", hasAccess: false},
+				{server: serverB, login: "root", hasAccess: false},
+				{server: serverB, login: "admin", hasAccess: true},
+				{server: serverC, login: "root", hasAccess: false},
+				{server: serverC, login: "admin", hasAccess: false},
+			},
+		},
 	}
 	for i, tc := range testCases {
 

diff --git a/lib/services/user.go b/lib/services/user.go
@@ -491,8 +491,8 @@ func (u *UserV1) Check() error {
 		return trace.BadParameter("user name cannot be empty")
 	}
 	for _, login := range u.AllowedLogins {
-		_, err := parse.RoleVariable(login)
-		if err == nil {
+		e, err := parse.NewExpression(login)
+		if err == nil && e.Namespace() != parse.LiteralNamespace {
 			return trace.BadParameter("role variables not allowed in allowed logins")
 		}
 	}