Skip to content

Use upstream path segment name validation #12016

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-bot merged 1 commit into from
Dec 4, 2016
Merged

Use upstream path segment name validation #12016

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 1 addition & 21 deletions pkg/api/helpers.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,34 +2,14 @@ package api

import (
"fmt"
"strings"

"k8s.io/kubernetes/pkg/api/validation"
)

var NameMayNotBe = []string{".", ".."}
var NameMayNotContain = []string{"/", "%"}

func MinimalNameRequirements(name string, prefix bool) []string {
for _, illegalName := range NameMayNotBe {
if name == illegalName {
return []string{fmt.Sprintf(`name may not be %q`, illegalName)}
}
}

for _, illegalContent := range NameMayNotContain {
if strings.Contains(name, illegalContent) {
return []string{fmt.Sprintf(`name may not contain %q`, illegalContent)}
}
}

return nil
}

// GetNameValidationFunc returns a name validation function that includes the standard restrictions we want for all types
func GetNameValidationFunc(nameFunc validation.ValidateNameFunc) validation.ValidateNameFunc {
return func(name string, prefix bool) []string {
if reasons := MinimalNameRequirements(name, prefix); len(reasons) != 0 {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}

Expand Down
23 changes: 11 additions & 12 deletions pkg/api/validation/validation_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@ import (
ktypes "k8s.io/kubernetes/pkg/types"
"k8s.io/kubernetes/pkg/util/validation/field"

"github.com/openshift/origin/pkg/api"
authorizationapi "github.com/openshift/origin/pkg/authorization/api"
)

Expand Down Expand Up @@ -51,15 +50,15 @@ func TestNameFunc(t *testing.T) {
apiObjectMeta := apiValue.Elem().FieldByName("ObjectMeta")

// check for illegal names
for _, illegalName := range api.NameMayNotBe {
for _, illegalName := range []string{".", ".."} {
apiObjectMeta.Set(reflect.ValueOf(kapi.ObjectMeta{Name: illegalName}))

errList := validationInfo.Validator.Validate(apiValue.Interface().(runtime.Object))
reasons := api.MinimalNameRequirements(illegalName, false)
reasons := validation.ValidatePathSegmentName(illegalName, false)
requiredMessage := strings.Join(reasons, ", ")

if len(errList) == 0 {
t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add api.MinimalNameRequirements to your name validator..", illegalName, apiType.Elem(), errList)
t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add validation.ValidatePathSegmentName to your name validator..", illegalName, apiType.Elem(), errList)
continue
}

Expand All @@ -73,30 +72,30 @@ func TestNameFunc(t *testing.T) {
foundExpectedError = true
break
}
// this message is from a stock name validation method in kube that covers our requirements in MinimalNameRequirements
// this message is from a stock name validation method in kube that covers our requirements in ValidatePathSegmentName
if validationError.Detail == nameRulesMessage {
foundExpectedError = true
break
}
}

if !foundExpectedError {
t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add api.MinimalNameRequirements to your name validator.", illegalName, apiType.Elem(), errList)
t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add validation.ValidatePathSegmentName to your name validator.", illegalName, apiType.Elem(), errList)
}
}

// check for illegal contents
for _, illegalContent := range api.NameMayNotContain {
for _, illegalContent := range []string{"/", "%"} {
illegalName := "a" + illegalContent + "b"

apiObjectMeta.Set(reflect.ValueOf(kapi.ObjectMeta{Name: illegalName}))

errList := validationInfo.Validator.Validate(apiValue.Interface().(runtime.Object))
reasons := api.MinimalNameRequirements(illegalName, false)
reasons := validation.ValidatePathSegmentName(illegalName, false)
requiredMessage := strings.Join(reasons, ", ")

if len(errList) == 0 {
t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add api.MinimalNameRequirements to your name validator.", illegalName, apiType.Elem(), errList)
t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add validation.ValidatePathSegmentName to your name validator.", illegalName, apiType.Elem(), errList)
continue
}

Expand All @@ -111,15 +110,15 @@ func TestNameFunc(t *testing.T) {
foundExpectedError = true
break
}
// this message is from a stock name validation method in kube that covers our requirements in MinimalNameRequirements
// this message is from a stock name validation method in kube that covers our requirements in ValidatePathSegmentName
if validationError.Detail == nameRulesMessage {
foundExpectedError = true
break
}
}

if !foundExpectedError {
t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add api.MinimalNameRequirements to your name validator.", illegalName, apiType.Elem(), errList)
t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add validation.ValidatePathSegmentName to your name validator.", illegalName, apiType.Elem(), errList)
}
}
}
Expand All @@ -141,7 +140,7 @@ func TestObjectMeta(t *testing.T) {
}

errList := validationInfo.Validator.Validate(apiValue.Interface().(runtime.Object))
requiredErrors := validation.ValidateObjectMeta(apiObjectMeta.Addr().Interface().(*kapi.ObjectMeta), validationInfo.IsNamespaced, api.MinimalNameRequirements, field.NewPath("metadata"))
requiredErrors := validation.ValidateObjectMeta(apiObjectMeta.Addr().Interface().(*kapi.ObjectMeta), validationInfo.IsNamespaced, validation.ValidatePathSegmentName, field.NewPath("metadata"))

if len(errList) == 0 {
t.Errorf("expected errors %v in %v not found amongst %v. You probably need to call kube/validation.ValidateObjectMeta in your validator.", requiredErrors, apiType.Elem(), errList)
Expand Down
11 changes: 5 additions & 6 deletions pkg/authorization/api/validation/validation.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ import (
kvalidation "k8s.io/kubernetes/pkg/util/validation"
"k8s.io/kubernetes/pkg/util/validation/field"

oapi "github.com/openshift/origin/pkg/api"
authorizationapi "github.com/openshift/origin/pkg/authorization/api"
uservalidation "github.com/openshift/origin/pkg/user/api/validation"
)
Expand Down Expand Up @@ -81,7 +80,7 @@ func ValidateLocalResourceAccessReview(review *authorizationapi.LocalResourceAcc
}

func ValidatePolicyName(name string, prefix bool) []string {
if reasons := oapi.MinimalNameRequirements(name, prefix); len(reasons) != 0 {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}

Expand Down Expand Up @@ -137,7 +136,7 @@ func ValidatePolicyUpdate(policy *authorizationapi.Policy, oldPolicy *authorizat

func PolicyBindingNameValidator(policyRefNamespace string) validation.ValidateNameFunc {
return func(name string, prefix bool) []string {
if reasons := oapi.MinimalNameRequirements(name, prefix); len(reasons) != 0 {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}

Expand Down Expand Up @@ -227,7 +226,7 @@ func ValidateRole(role *authorizationapi.Role, isNamespaced bool) field.ErrorLis
}

func validateRole(role *authorizationapi.Role, isNamespaced bool, fldPath *field.Path) field.ErrorList {
return validation.ValidateObjectMeta(&role.ObjectMeta, isNamespaced, oapi.MinimalNameRequirements, fldPath.Child("metadata"))
return validation.ValidateObjectMeta(&role.ObjectMeta, isNamespaced, validation.ValidatePathSegmentName, fldPath.Child("metadata"))
}

func ValidateRoleUpdate(role *authorizationapi.Role, oldRole *authorizationapi.Role, isNamespaced bool) field.ErrorList {
Expand Down Expand Up @@ -259,7 +258,7 @@ func ValidateRoleBinding(roleBinding *authorizationapi.RoleBinding, isNamespaced

func validateRoleBinding(roleBinding *authorizationapi.RoleBinding, isNamespaced bool, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
allErrs = append(allErrs, validation.ValidateObjectMeta(&roleBinding.ObjectMeta, isNamespaced, oapi.MinimalNameRequirements, fldPath.Child("metadata"))...)
allErrs = append(allErrs, validation.ValidateObjectMeta(&roleBinding.ObjectMeta, isNamespaced, validation.ValidatePathSegmentName, fldPath.Child("metadata"))...)

// roleRef namespace is empty when referring to global policy.
if (len(roleBinding.RoleRef.Namespace) > 0) && len(kvalidation.IsDNS1123Subdomain(roleBinding.RoleRef.Namespace)) != 0 {
Expand All @@ -269,7 +268,7 @@ func validateRoleBinding(roleBinding *authorizationapi.RoleBinding, isNamespaced
if len(roleBinding.RoleRef.Name) == 0 {
allErrs = append(allErrs, field.Required(fldPath.Child("roleRef", "name"), ""))
} else {
if reasons := oapi.MinimalNameRequirements(roleBinding.RoleRef.Name, false); len(reasons) != 0 {
if reasons := validation.ValidatePathSegmentName(roleBinding.RoleRef.Name, false); len(reasons) != 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("roleRef", "name"), roleBinding.RoleRef.Name, strings.Join(reasons, ", ")))
}
}
Expand Down
3 changes: 1 addition & 2 deletions pkg/build/api/validation/validation.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ import (
kvalidation "k8s.io/kubernetes/pkg/util/validation"
"k8s.io/kubernetes/pkg/util/validation/field"

oapi "github.com/openshift/origin/pkg/api"
buildapi "github.com/openshift/origin/pkg/build/api"
"github.com/openshift/origin/pkg/build/api/v1"
buildutil "github.com/openshift/origin/pkg/build/util"
Expand Down Expand Up @@ -162,7 +161,7 @@ func ValidateBuildConfigUpdate(config *buildapi.BuildConfig, older *buildapi.Bui

// ValidateBuildRequest validates a BuildRequest object
func ValidateBuildRequest(request *buildapi.BuildRequest) field.ErrorList {
return validation.ValidateObjectMeta(&request.ObjectMeta, true, oapi.MinimalNameRequirements, field.NewPath("metadata"))
return validation.ValidateObjectMeta(&request.ObjectMeta, true, validation.ValidatePathSegmentName, field.NewPath("metadata"))
}

func validateCommonSpec(spec *buildapi.CommonSpec, fldPath *field.Path) field.ErrorList {
Expand Down
11 changes: 5 additions & 6 deletions pkg/image/api/validation/validation.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@ import (
"k8s.io/kubernetes/pkg/util/diff"
"k8s.io/kubernetes/pkg/util/validation/field"

oapi "github.com/openshift/origin/pkg/api"
"github.com/openshift/origin/pkg/image/api"
)

Expand All @@ -35,7 +34,7 @@ var RepositoryNameComponentAnchoredRegexp = regexp.MustCompile(`^` + RepositoryN
var RepositoryNameRegexp = regexp.MustCompile(`(?:` + RepositoryNameComponentRegexp.String() + `/)*` + RepositoryNameComponentRegexp.String())

func ValidateImageStreamName(name string, prefix bool) []string {
if reasons := oapi.MinimalNameRequirements(name, prefix); len(reasons) != 0 {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}

Expand All @@ -51,7 +50,7 @@ func ValidateImage(image *api.Image) field.ErrorList {
}

func validateImage(image *api.Image, fldPath *field.Path) field.ErrorList {
result := validation.ValidateObjectMeta(&image.ObjectMeta, false, oapi.MinimalNameRequirements, fldPath.Child("metadata"))
result := validation.ValidateObjectMeta(&image.ObjectMeta, false, validation.ValidatePathSegmentName, fldPath.Child("metadata"))

if len(image.DockerImageReference) == 0 {
result = append(result, field.Required(fldPath.Child("dockerImageReference"), ""))
Expand Down Expand Up @@ -81,7 +80,7 @@ func ValidateImageSignature(signature *api.ImageSignature) field.ErrorList {
}

func validateImageSignature(signature *api.ImageSignature, fldPath *field.Path) field.ErrorList {
allErrs := validation.ValidateObjectMeta(&signature.ObjectMeta, false, oapi.MinimalNameRequirements, fldPath.Child("metadata"))
allErrs := validation.ValidateObjectMeta(&signature.ObjectMeta, false, validation.ValidatePathSegmentName, fldPath.Child("metadata"))
if len(signature.Labels) > 0 {
allErrs = append(allErrs, field.Forbidden(fldPath.Child("metadata").Child("labels"), "signature labels cannot be set"))
}
Expand Down Expand Up @@ -227,7 +226,7 @@ func ValidateImageStreamStatusUpdate(newStream, oldStream *api.ImageStream) fiel

// ValidateImageStreamMapping tests required fields for an ImageStreamMapping.
func ValidateImageStreamMapping(mapping *api.ImageStreamMapping) field.ErrorList {
result := validation.ValidateObjectMeta(&mapping.ObjectMeta, true, oapi.MinimalNameRequirements, field.NewPath("metadata"))
result := validation.ValidateObjectMeta(&mapping.ObjectMeta, true, validation.ValidatePathSegmentName, field.NewPath("metadata"))

hasRepository := len(mapping.DockerImageRepository) != 0
hasName := len(mapping.Name) != 0
Expand Down Expand Up @@ -256,7 +255,7 @@ func ValidateImageStreamMapping(mapping *api.ImageStreamMapping) field.ErrorList

// ValidateImageStreamTag validates a mutation of an image stream tag, which can happen on PUT
func ValidateImageStreamTag(ist *api.ImageStreamTag) field.ErrorList {
result := validation.ValidateObjectMeta(&ist.ObjectMeta, true, oapi.MinimalNameRequirements, field.NewPath("metadata"))
result := validation.ValidateObjectMeta(&ist.ObjectMeta, true, validation.ValidatePathSegmentName, field.NewPath("metadata"))
if ist.Tag != nil {
result = append(result, ValidateImageStreamTagReference(*ist.Tag, field.NewPath("tag"))...)
if ist.Tag.Annotations != nil && !kapi.Semantic.DeepEqual(ist.Tag.Annotations, ist.ObjectMeta.Annotations) {
Expand Down
8 changes: 4 additions & 4 deletions pkg/image/api/validation/validation_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -380,14 +380,14 @@ func TestValidateImageStream(t *testing.T) {
namespace: "foo",
name: "foo/bar",
expected: field.ErrorList{
field.Invalid(field.NewPath("metadata", "name"), "foo/bar", `name may not contain "/"`),
field.Invalid(field.NewPath("metadata", "name"), "foo/bar", `may not contain '/'`),
},
},
"no percent in Name": {
namespace: "foo",
name: "foo%%bar",
expected: field.ErrorList{
field.Invalid(field.NewPath("metadata", "name"), "foo%%bar", `name may not contain "%"`),
field.Invalid(field.NewPath("metadata", "name"), "foo%%bar", `may not contain '%'`),
},
},
"other invalid name": {
Expand Down Expand Up @@ -689,13 +689,13 @@ func TestValidateImageStreamImport(t *testing.T) {
"no slash in Name": {
isi: &api.ImageStreamImport{ObjectMeta: kapi.ObjectMeta{Namespace: "foo", Name: "foo/bar"}, Spec: validSpec},
expected: field.ErrorList{
field.Invalid(field.NewPath("metadata", "name"), "foo/bar", `name may not contain "/"`),
field.Invalid(field.NewPath("metadata", "name"), "foo/bar", `may not contain '/'`),
},
},
"no percent in Name": {
isi: &api.ImageStreamImport{ObjectMeta: kapi.ObjectMeta{Namespace: "foo", Name: "foo%%bar"}, Spec: validSpec},
expected: field.ErrorList{
field.Invalid(field.NewPath("metadata", "name"), "foo%%bar", `name may not contain "%"`),
field.Invalid(field.NewPath("metadata", "name"), "foo%%bar", `may not contain '%'`),
},
},
"other invalid name": {
Expand Down
9 changes: 4 additions & 5 deletions pkg/oauth/api/validation/validation.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ import (
"k8s.io/kubernetes/pkg/serviceaccount"
"k8s.io/kubernetes/pkg/util/validation/field"

oapi "github.com/openshift/origin/pkg/api"
authorizerscopes "github.com/openshift/origin/pkg/authorization/authorizer/scope"
"github.com/openshift/origin/pkg/oauth/api"
uservalidation "github.com/openshift/origin/pkg/user/api/validation"
Expand All @@ -28,7 +27,7 @@ const (
var CodeChallengeMethodsSupported = []string{codeChallengeMethodPlain, codeChallengeMethodSHA256}

func ValidateTokenName(name string, prefix bool) []string {
if reasons := oapi.MinimalNameRequirements(name, prefix); len(reasons) != 0 {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}

Expand Down Expand Up @@ -187,7 +186,7 @@ func ValidateClientUpdate(client *api.OAuthClient, oldClient *api.OAuthClient) f
}

func ValidateClientAuthorizationName(name string, prefix bool) []string {
if reasons := oapi.MinimalNameRequirements(name, prefix); len(reasons) != 0 {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}

Expand Down Expand Up @@ -305,7 +304,7 @@ func ValidateScopes(scopes []string, fldPath *field.Path) field.ErrorList {
}

func ValidateOAuthRedirectReference(sref *api.OAuthRedirectReference) field.ErrorList {
allErrs := validation.ValidateObjectMeta(&sref.ObjectMeta, true, oapi.MinimalNameRequirements, field.NewPath("metadata"))
allErrs := validation.ValidateObjectMeta(&sref.ObjectMeta, true, validation.ValidatePathSegmentName, field.NewPath("metadata"))
return append(allErrs, validateRedirectReference(&sref.Reference)...)
}

Expand All @@ -314,7 +313,7 @@ func validateRedirectReference(ref *api.RedirectReference) field.ErrorList {
if len(ref.Name) == 0 {
allErrs = append(allErrs, field.Required(field.NewPath("name"), "may not be empty"))
} else {
for _, msg := range oapi.MinimalNameRequirements(ref.Name, false) {
for _, msg := range validation.ValidatePathSegmentName(ref.Name, false) {
allErrs = append(allErrs, field.Invalid(field.NewPath("name"), ref.Name, msg))
}
}
Expand Down
3 changes: 1 addition & 2 deletions pkg/project/api/validation/validation.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,13 @@ import (
"k8s.io/kubernetes/pkg/api/validation"
"k8s.io/kubernetes/pkg/util/validation/field"

oapi "github.com/openshift/origin/pkg/api"
"github.com/openshift/origin/pkg/project/api"
projectapi "github.com/openshift/origin/pkg/project/api"
"github.com/openshift/origin/pkg/util/labelselector"
)

func ValidateProjectName(name string, prefix bool) []string {
if reasons := oapi.MinimalNameRequirements(name, prefix); len(reasons) != 0 {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}

Expand Down
9 changes: 4 additions & 5 deletions pkg/sdn/api/validation/validation.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,12 @@ import (
"k8s.io/kubernetes/pkg/api/validation"
"k8s.io/kubernetes/pkg/util/validation/field"

oapi "github.com/openshift/origin/pkg/api"
sdnapi "github.com/openshift/origin/pkg/sdn/api"
)

// ValidateClusterNetwork tests if required fields in the ClusterNetwork are set.
func ValidateClusterNetwork(clusterNet *sdnapi.ClusterNetwork) field.ErrorList {
allErrs := validation.ValidateObjectMeta(&clusterNet.ObjectMeta, false, oapi.MinimalNameRequirements, field.NewPath("metadata"))
allErrs := validation.ValidateObjectMeta(&clusterNet.ObjectMeta, false, validation.ValidatePathSegmentName, field.NewPath("metadata"))

clusterIP, clusterIPNet, err := net.ParseCIDR(clusterNet.Network)
if err != nil {
Expand Down Expand Up @@ -83,7 +82,7 @@ func ValidateClusterNetworkUpdate(obj *sdnapi.ClusterNetwork, old *sdnapi.Cluste
// ValidateHostSubnet tests fields for the host subnet, the host should be a network resolvable string,
// and subnet should be a valid CIDR
func ValidateHostSubnet(hs *sdnapi.HostSubnet) field.ErrorList {
allErrs := validation.ValidateObjectMeta(&hs.ObjectMeta, false, oapi.MinimalNameRequirements, field.NewPath("metadata"))
allErrs := validation.ValidateObjectMeta(&hs.ObjectMeta, false, validation.ValidatePathSegmentName, field.NewPath("metadata"))

if hs.Subnet == "" {
// check if annotation exists, then let the Subnet field be empty
Expand Down Expand Up @@ -115,7 +114,7 @@ func ValidateHostSubnetUpdate(obj *sdnapi.HostSubnet, old *sdnapi.HostSubnet) fi

// ValidateNetNamespace tests fields for a greater-than-zero NetID
func ValidateNetNamespace(netnamespace *sdnapi.NetNamespace) field.ErrorList {
allErrs := validation.ValidateObjectMeta(&netnamespace.ObjectMeta, false, oapi.MinimalNameRequirements, field.NewPath("metadata"))
allErrs := validation.ValidateObjectMeta(&netnamespace.ObjectMeta, false, validation.ValidatePathSegmentName, field.NewPath("metadata"))

if err := sdnapi.ValidVNID(netnamespace.NetID); err != nil {
allErrs = append(allErrs, field.Invalid(field.NewPath("netID"), netnamespace.NetID, err.Error()))
Expand All @@ -131,7 +130,7 @@ func ValidateNetNamespaceUpdate(obj *sdnapi.NetNamespace, old *sdnapi.NetNamespa

// ValidateEgressNetworkPolicy tests if required fields in the EgressNetworkPolicy are set.
func ValidateEgressNetworkPolicy(policy *sdnapi.EgressNetworkPolicy) field.ErrorList {
allErrs := validation.ValidateObjectMeta(&policy.ObjectMeta, true, oapi.MinimalNameRequirements, field.NewPath("metadata"))
allErrs := validation.ValidateObjectMeta(&policy.ObjectMeta, true, validation.ValidatePathSegmentName, field.NewPath("metadata"))

for i, rule := range policy.Spec.Egress {
if rule.Type != sdnapi.EgressNetworkPolicyRuleAllow && rule.Type != sdnapi.EgressNetworkPolicyRuleDeny {
Expand Down
Loading