Merge pull request #3410 from KeyboardNerd/QUAY-1437

Validate service key name using regex
This commit is contained in:
Sida Chen 2019-03-14 15:48:11 -04:00 committed by GitHub
commit e1651b976e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 30 additions and 6 deletions

View file

@ -28,6 +28,7 @@ from endpoints.api.superuser_models_pre_oci import (pre_oci_model, ServiceKeyDoe
InvalidRepositoryBuildException) InvalidRepositoryBuildException)
from endpoints.api.logs import _validate_logs_arguments from endpoints.api.logs import _validate_logs_arguments
from util.useremails import send_confirmation_email, send_recovery_email from util.useremails import send_confirmation_email, send_recovery_email
from util.validation import validate_service_key_name
from _init import ROOT_DIR from _init import ROOT_DIR
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -611,6 +612,9 @@ class SuperUserServiceKeyManagement(ApiResource):
def post(self): def post(self):
if SuperUserPermission().can(): if SuperUserPermission().can():
body = request.get_json() body = request.get_json()
key_name = body.get('name', '')
if not validate_service_key_name(key_name):
raise InvalidRequest('Invalid service key friendly name: %s' % key_name)
# Ensure we have a valid expiration date if specified. # Ensure we have a valid expiration date if specified.
expiration_date = body.get('expiration', None) expiration_date = body.get('expiration', None)
@ -635,7 +639,7 @@ class SuperUserServiceKeyManagement(ApiResource):
# Generate a key with a private key that we *never save*. # Generate a key with a private key that we *never save*.
(private_key, key_id) = pre_oci_model.generate_service_key(body['service'], expiration_date, (private_key, key_id) = pre_oci_model.generate_service_key(body['service'], expiration_date,
metadata=metadata, metadata=metadata,
name=body.get('name', '')) name=key_name)
# Auto-approve the service key. # Auto-approve the service key.
pre_oci_model.approve_service_key(key_id, user, ServiceKeyApprovalType.SUPERUSER, pre_oci_model.approve_service_key(key_id, user, ServiceKeyApprovalType.SUPERUSER,
notes=body.get('notes', '')) notes=body.get('notes', ''))
@ -645,7 +649,7 @@ class SuperUserServiceKeyManagement(ApiResource):
'kid': key_id, 'kid': key_id,
'preshared': True, 'preshared': True,
'service': body['service'], 'service': body['service'],
'name': body.get('name', ''), 'name': key_name,
'expiration_date': expiration_date, 'expiration_date': expiration_date,
'auto_approved': True, 'auto_approved': True,
} }
@ -655,7 +659,7 @@ class SuperUserServiceKeyManagement(ApiResource):
return jsonify({ return jsonify({
'kid': key_id, 'kid': key_id,
'name': body.get('name', ''), 'name': key_name,
'service': body['service'], 'service': body['service'],
'public_key': private_key.publickey().exportKey('PEM'), 'public_key': private_key.publickey().exportKey('PEM'),
'private_key': private_key.exportKey('PEM'), 'private_key': private_key.exportKey('PEM'),
@ -744,7 +748,11 @@ class SuperUserServiceKey(ApiResource):
pre_oci_model.set_key_expiration(kid, expiration_date) pre_oci_model.set_key_expiration(kid, expiration_date)
if 'name' in body or 'metadata' in body: if 'name' in body or 'metadata' in body:
pre_oci_model.update_service_key(kid, body.get('name'), body.get('metadata')) key_name = body.get('name')
if not validate_service_key_name(key_name):
raise InvalidRequest('Invalid service key friendly name: %s' % key_name)
pre_oci_model.update_service_key(kid, key_name, body.get('metadata'))
log_action('service_key_modify', None, key_log_metadata) log_action('service_key_modify', None, key_log_metadata)
updated_key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False) updated_key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False)

View file

@ -316,9 +316,9 @@
<tr> <tr>
<td><label for="create-key-name">Key Name:</label></td> <td><label for="create-key-name">Key Name:</label></td>
<td> <td>
<input class="form-control" name="create-key-name" type="text" ng-model="newKey.name" placeholder="Friendly Key Name" required> <input class="form-control" name="create-key-name" type="text" ng-model="newKey.name" placeholder="Friendly Key Name" ng-pattern="/^[\s a-zA-Z0-9\-_:/]*$/" required>
<span class="co-help-text"> <span class="co-help-text">
A friendly name for the key for later reference. A friendly name for the key for later reference. Must match ^[\s a-zA-Z0-9\-_:/]*$.
</span> </span>
</td> </td>
</tr> </tr>

View file

@ -102,6 +102,17 @@ angular.module('quay').directive('serviceKeysManager', function () {
'value': key.name || '', 'value': key.name || '',
'callback': function(value) { 'callback': function(value) {
if (value != null) { if (value != null) {
if (!value.match(/^[\s a-zA-Z0-9\-_:/]*$/)){
bootbox.alert({
'message': 'Invalid friendly name: input does not match <code>^[\\s a-zA-Z0-9\-_:/]*$</code>',
'callback': function(){
$scope.showChangeName(key)
}
});
return
}
var data = { var data = {
'name': value 'name': value
}; };

View file

@ -15,6 +15,7 @@ MAX_USERNAME_LENGTH = 255
VALID_LABEL_KEY_REGEX = r'^[a-z0-9](([a-z0-9]|[-.](?![.-]))*[a-z0-9])?$' VALID_LABEL_KEY_REGEX = r'^[a-z0-9](([a-z0-9]|[-.](?![.-]))*[a-z0-9])?$'
VALID_USERNAME_REGEX = r'^([a-z0-9]+(?:[._-][a-z0-9]+)*)$' VALID_USERNAME_REGEX = r'^([a-z0-9]+(?:[._-][a-z0-9]+)*)$'
VALID_SERVICE_KEY_NAME_REGEX = r'^[\s a-zA-Z0-9\-_:/]*$'
INVALID_USERNAME_CHARACTERS = r'[^a-z0-9_]' INVALID_USERNAME_CHARACTERS = r'[^a-z0-9_]'
@ -99,3 +100,7 @@ def validate_postgres_precondition(driver):
"pg_trgm" extension does not exists in the database. "pg_trgm" extension does not exists in the database.
Please run `CREATE EXTENSION IF NOT EXISTS pg_trgm;` as superuser on this database. Please run `CREATE EXTENSION IF NOT EXISTS pg_trgm;` as superuser on this database.
""") """)
def validate_service_key_name(name):
return name is None or bool(re.match(VALID_SERVICE_KEY_NAME_REGEX, name))