URL: https://github.com/freeipa/freeipa/pull/82 Author: mbasti-rh Title: #82: Fix regexp in user/group name Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/82/head:pr82 git checkout pr82
From 15f781fdda2a09fa361342e0c9e7f8470e0e1e0b Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 14 Sep 2016 12:55:01 +0200
Subject: [PATCH 1/2] Fix regexp patterns in parameters to not enforce length
Regexp should not enforce lenght of string, we have different checks for that. Secondly regexp with length specified produces an incorrect error message.
https://fedorahosted.org/freeipa/ticket/5822
---
 ipaserver/plugins/baseuser.py | 2 +-
 ipaserver/plugins/group.py | 2 +-
 ipaserver/plugins/idviews.py | 4 ++--
 ipaserver/plugins/servicedelegation.py | 2 +-
 ipaserver/plugins/topology.py | 4 ++--
 5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 5e36a66..608e2d4 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -172,7 +172,7 @@ class baseuser(LDAPObject):
 takes_params = (
 Str('uid',
- pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
+ pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$',
 pattern_errmsg='may only include letters, numbers, _, -, . and $',
 maxlength=255,
 cli_name='login',
diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py
index dcd4a91..5f0e9af 100644
--- a/ipaserver/plugins/group.py
+++ b/ipaserver/plugins/group.py
@@ -260,7 +260,7 @@ class group(LDAPObject):
 takes_params = (
 Str('cn',
- pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
+ pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$',
 pattern_errmsg='may only include letters, numbers, _, -, . and $',
 maxlength=255,
 cli_name='group_name',
diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py
index 92d47f5..371e092 100644
--- a/ipaserver/plugins/idviews.py
+++ b/ipaserver/plugins/idviews.py
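Review bot: The rewritten `uid` pattern in baseuser.py still ends in `$`, which in Python's `re` also matches just before a trailing newline, so the expression on its own accepts a login such as `name\n`; since the line is being touched anyway, anchoring with `\Z` would close that, e.g. `pattern=r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?\Z',`. Whether such a value can actually get through depends on how `Str` applies `pattern` and on any whitespace rule that runs beside it, neither of which is visible here. The same applies to `cn` in group.py, `uid?` and `cn?` in idviews.py, `cn` in servicedelegation.py and both node names in topology.py. With the `{0,252}` bound gone, `maxlength=255` in the context lines is the only length limit on these names. The `takes_params` tuple starts and ends outside the hunk.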
@@ -841,7 +841,7 @@ class idoverrideuser(baseidoverride):
 takes_params = baseidoverride.takes_params + (
 Str('uid?',
- pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
+ pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$',
 pattern_errmsg='may only include letters, numbers, _, -, . and $',
 maxlength=255,
 cli_name='login',
@@ -944,7 +944,7 @@ class idoverridegroup(baseidoverride):
 takes_params = baseidoverride.takes_params + (
 Str('cn?',
- pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
+ pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$',
 pattern_errmsg='may only include letters, numbers, _, -, . and $',
 maxlength=255,
 cli_name='group_name',
diff --git a/ipaserver/plugins/servicedelegation.py b/ipaserver/plugins/servicedelegation.py
index 6f38c36..c8052e9 100644
--- a/ipaserver/plugins/servicedelegation.py
+++ b/ipaserver/plugins/servicedelegation.py
@@ -143,7 +143,7 @@ class servicedelegation(LDAPObject):
 takes_params = (
 Str(
 'cn',
- pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_ .-]{0,253}[a-zA-Z0-9_.-]?$',
+ pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_ .-]*[a-zA-Z0-9_.-]?$',
 pattern_errmsg='may only include letters, numbers, _, -, ., '
 'and a space inside',
 maxlength=255,
diff --git a/ipaserver/plugins/topology.py b/ipaserver/plugins/topology.py
index 0cccf90..7e3891c 100644
--- a/ipaserver/plugins/topology.py
+++ b/ipaserver/plugins/topology.py
@@ -129,7 +129,7 @@ class topologysegment(LDAPObject):
 ),
 Str(
 'iparepltoposegmentleftnode',
- pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$',
+ pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]*[a-zA-Z0-9.$-]?$',
 pattern_errmsg='may only include letters, numbers, -, . and $',
 maxlength=255,
 cli_name='leftnode',
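Review bot: In servicedelegation.py the `cn` pattern does not enforce the "space inside" rule that `pattern_errmsg` states, because the final class `[a-zA-Z0-9_.-]?` is optional: a value whose last character is a space is consumed by the middle class and still matches. Making the tail mandatory inside an optional group closes that, `pattern='^[a-zA-Z0-9_.](?:[a-zA-Z0-9_ .-]*[a-zA-Z0-9_.-])?$',`. The old `{0,253}` form had the same gap, so this is not a regression from this change, and a separate whitespace rule on `Str` may already reject such values; that is not visible in the hunk. The `takes_params` tuple continues outside the hunk.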
@@ -140,7 +140,7 @@ class topologysegment(LDAPObject):
 ),
 Str(
 'iparepltoposegmentrightnode',
- pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$',
+ pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]*[a-zA-Z0-9.$-]?$',
 pattern_errmsg='may only include letters, numbers, -, . and $',
 maxlength=255,
 cli_name='rightnode',
From e6bec66a3fe2fbed6948f043272ccfe1176a4cd0 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 20 Sep 2016 13:00:53 +0200
Subject: [PATCH 2/2] Use constant for user and group patterns
User and groups regexp are the same and constant should be used to avoid any future misconfigurations.
https://fedorahosted.org/freeipa/ticket/5822
---
 ipalib/constants.py | 3 +++
 ipaserver/plugins/baseuser.py | 3 ++-
 ipaserver/plugins/group.py | 3 ++-
 ipaserver/plugins/idviews.py | 10 +++++++---
 4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 04515dc..c423117 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -276,3 +276,6 @@ IPA_CA_RECORD = "ipa-ca"
 IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
 RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent'
+
+# regexp definitions
+PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 608e2d4..4c7e9f0 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -33,6 +33,7 @@ validate_certificate, validate_realm, normalize_principal)
 from ipalib.request import context
 from ipalib import _
+from ipalib.constants import PATTERN_GROUPUSER_NAME
 from ipapython import kerberos
 from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
 from ipapython.ipavalidate import Email
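Review bot: `PATTERN_GROUPUSER_NAME` in ipalib/constants.py is introduced with only the comment `# regexp definitions`, yet since patch 1/2 the expression no longer limits length, so a later caller that reuses the constant without `maxlength` validates names of any length. A comment on the constant would make that contract visible, for example `# Character rules for user and group names; does not bound length, pair with maxlength.` The comment could also record the positional rules the expression encodes (`-` is not allowed as the first character, `$` only as the last), since the `pattern_errmsg` text at the call sites does not mention them.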
@@ -172,7 +173,7 @@ class baseuser(LDAPObject):
 takes_params = (
 Str('uid',
- pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$',
+ pattern=PATTERN_GROUPUSER_NAME,
 pattern_errmsg='may only include letters, numbers, _, -, . and $',
 maxlength=255,
 cli_name='login',
diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py
index 5f0e9af..6677634 100644
--- a/ipaserver/plugins/group.py
+++ b/ipaserver/plugins/group.py
@@ -22,6 +22,7 @@ from ipalib import api
 from ipalib import Int, Str, Flag
+from ipalib.constants import PATTERN_GROUPUSER_NAME
 from ipalib.plugable import Registry
 from .baseldap import (
 add_external_post_callback,
@@ -260,7 +261,7 @@ class group(LDAPObject):
 takes_params = (
 Str('cn',
- pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$',
+ pattern=PATTERN_GROUPUSER_NAME,
 pattern_errmsg='may only include letters, numbers, _, -, . and $',
 maxlength=255,
 cli_name='group_name',
diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py
index 371e092..1d7cba2 100644
--- a/ipaserver/plugins/idviews.py
+++ b/ipaserver/plugins/idviews.py
@@ -29,7 +29,11 @@ from .hostgroup import get_complete_hostgroup_member_list
 from .service import validate_certificate
 from ipalib import api, Str, Int, Bytes, Flag, _, ngettext, errors, output
-from ipalib.constants import IPA_ANCHOR_PREFIX, SID_ANCHOR_PREFIX
+from ipalib.constants import (
+ IPA_ANCHOR_PREFIX,
+ SID_ANCHOR_PREFIX,
+ PATTERN_GROUPUSER_NAME,
+)
 from ipalib.plugable import Registry
 from ipalib.util import (normalize_sshpubkey, validate_sshpubkey, convert_sshpubkey_post)
@@ -841,7 +845,7 @@ class idoverrideuser(baseidoverride):
 takes_params = baseidoverride.takes_params + (
 Str('uid?',
- pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$',
+ pattern=PATTERN_GROUPUSER_NAME,
 pattern_errmsg='may only include letters, numbers, _, -, . and $',
 maxlength=255,
 cli_name='login',
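Review bot: `pattern_errmsg` stays a repeated literal beside `pattern=PATTERN_GROUPUSER_NAME` in this `uid` hunk of baseuser.py, and again in the `cn` hunk of group.py and both `takes_params` hunks of idviews.py, so the shared expression and the message describing it can still drift apart, which is the kind of misconfiguration the commit message sets out to avoid. Defining the message once next to the pattern and referencing it at all four call sites would keep them in step; if the string has to be marked for translation at the call site, a comment on the constant pointing at the message text would do. The `takes_params` tuple starts and ends outside the hunk.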
@@ -944,7 +948,7 @@ class idoverridegroup(baseidoverride):
 takes_params = baseidoverride.takes_params + (
 Str('cn?',
- pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$',
+ pattern=PATTERN_GROUPUSER_NAME,
 pattern_errmsg='may only include letters, numbers, _, -, . and $',
 maxlength=255,
 cli_name='group_name',