Validate service key name on server side
All requests to post or update service key name are enforced to match: ^[\s a-zA-Z0-9\-_:/]*$
This commit is contained in:
Sida Chen
parent
689c26659a
commit
2a1d226684
2 changed files with 17 additions and 4 deletions
|
|
@ -28,6 +28,7 @@ from endpoints.api.superuser_models_pre_oci import (pre_oci_model, ServiceKeyDoe
|
||||||
InvalidRepositoryBuildException)
|
InvalidRepositoryBuildException)
|
||||||
from endpoints.api.logs import _validate_logs_arguments
|
from endpoints.api.logs import _validate_logs_arguments
|
||||||
from util.useremails import send_confirmation_email, send_recovery_email
|
from util.useremails import send_confirmation_email, send_recovery_email
|
||||||
|
from util.validation import validate_service_key_name
|
||||||
from _init import ROOT_DIR
|
from _init import ROOT_DIR
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
@ -611,6 +612,9 @@ class SuperUserServiceKeyManagement(ApiResource):
|
||||||
def post(self):
|
def post(self):
|
||||||
if SuperUserPermission().can():
|
if SuperUserPermission().can():
|
||||||
body = request.get_json()
|
body = request.get_json()
|
||||||
|
key_name = body.get('name', '')
|
||||||
|
if not validate_service_key_name(key_name):
|
||||||
|
raise InvalidRequest('Invalid service key friendly name: %s' % key_name)
|
||||||
|
|
||||||
# Ensure we have a valid expiration date if specified.
|
# Ensure we have a valid expiration date if specified.
|
||||||
expiration_date = body.get('expiration', None)
|
expiration_date = body.get('expiration', None)
|
||||||
|
|
@ -635,7 +639,7 @@ class SuperUserServiceKeyManagement(ApiResource):
|
||||||
# Generate a key with a private key that we *never save*.
|
# Generate a key with a private key that we *never save*.
|
||||||
(private_key, key_id) = pre_oci_model.generate_service_key(body['service'], expiration_date,
|
(private_key, key_id) = pre_oci_model.generate_service_key(body['service'], expiration_date,
|
||||||
metadata=metadata,
|
metadata=metadata,
|
||||||
name=body.get('name', ''))
|
name=key_name)
|
||||||
# Auto-approve the service key.
|
# Auto-approve the service key.
|
||||||
pre_oci_model.approve_service_key(key_id, user, ServiceKeyApprovalType.SUPERUSER,
|
pre_oci_model.approve_service_key(key_id, user, ServiceKeyApprovalType.SUPERUSER,
|
||||||
notes=body.get('notes', ''))
|
notes=body.get('notes', ''))
|
||||||
|
|
@ -645,7 +649,7 @@ class SuperUserServiceKeyManagement(ApiResource):
|
||||||
'kid': key_id,
|
'kid': key_id,
|
||||||
'preshared': True,
|
'preshared': True,
|
||||||
'service': body['service'],
|
'service': body['service'],
|
||||||
'name': body.get('name', ''),
|
'name': key_name,
|
||||||
'expiration_date': expiration_date,
|
'expiration_date': expiration_date,
|
||||||
'auto_approved': True,
|
'auto_approved': True,
|
||||||
}
|
}
|
||||||
|
|
@ -655,7 +659,7 @@ class SuperUserServiceKeyManagement(ApiResource):
|
||||||
|
|
||||||
return jsonify({
|
return jsonify({
|
||||||
'kid': key_id,
|
'kid': key_id,
|
||||||
'name': body.get('name', ''),
|
'name': key_name,
|
||||||
'service': body['service'],
|
'service': body['service'],
|
||||||
'public_key': private_key.publickey().exportKey('PEM'),
|
'public_key': private_key.publickey().exportKey('PEM'),
|
||||||
'private_key': private_key.exportKey('PEM'),
|
'private_key': private_key.exportKey('PEM'),
|
||||||
|
|
@ -744,7 +748,11 @@ class SuperUserServiceKey(ApiResource):
|
||||||
pre_oci_model.set_key_expiration(kid, expiration_date)
|
pre_oci_model.set_key_expiration(kid, expiration_date)
|
||||||
|
|
||||||
if 'name' in body or 'metadata' in body:
|
if 'name' in body or 'metadata' in body:
|
||||||
pre_oci_model.update_service_key(kid, body.get('name'), body.get('metadata'))
|
key_name = body.get('name')
|
||||||
|
if not validate_service_key_name(key_name):
|
||||||
|
raise InvalidRequest('Invalid service key friendly name: %s' % key_name)
|
||||||
|
|
||||||
|
pre_oci_model.update_service_key(kid, key_name, body.get('metadata'))
|
||||||
log_action('service_key_modify', None, key_log_metadata)
|
log_action('service_key_modify', None, key_log_metadata)
|
||||||
|
|
||||||
updated_key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False)
|
updated_key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False)
|
||||||
|
|
|
||||||
|
|
@ -15,6 +15,7 @@ MAX_USERNAME_LENGTH = 255
|
||||||
|
|
||||||
VALID_LABEL_KEY_REGEX = r'^[a-z0-9](([a-z0-9]|[-.](?![.-]))*[a-z0-9])?$'
|
VALID_LABEL_KEY_REGEX = r'^[a-z0-9](([a-z0-9]|[-.](?![.-]))*[a-z0-9])?$'
|
||||||
VALID_USERNAME_REGEX = r'^([a-z0-9]+(?:[._-][a-z0-9]+)*)$'
|
VALID_USERNAME_REGEX = r'^([a-z0-9]+(?:[._-][a-z0-9]+)*)$'
|
||||||
|
VALID_SERVICE_KEY_NAME_REGEX = r'^[\s a-zA-Z0-9\-_:/]*$'
|
||||||
|
|
||||||
INVALID_USERNAME_CHARACTERS = r'[^a-z0-9_]'
|
INVALID_USERNAME_CHARACTERS = r'[^a-z0-9_]'
|
||||||
|
|
||||||
|
|
@ -99,3 +100,7 @@ def validate_postgres_precondition(driver):
|
||||||
"pg_trgm" extension does not exists in the database.
|
"pg_trgm" extension does not exists in the database.
|
||||||
Please run `CREATE EXTENSION IF NOT EXISTS pg_trgm;` as superuser on this database.
|
Please run `CREATE EXTENSION IF NOT EXISTS pg_trgm;` as superuser on this database.
|
||||||
""")
|
""")
|
||||||
|
|
||||||
|
|
||||||
|
def validate_service_key_name(name):
|
||||||
|
return name is None or bool(re.match(VALID_SERVICE_KEY_NAME_REGEX, name))
|
||||||
|
|
|
||||||
Reference in a new issue