From d8c8a7c4c8ea5dac6db104747a3fa4fe6f146873 Mon Sep 17 00:00:00 2001
From: Simon Emms
Date: Tue, 20 Sep 2022 13:01:55 +0000
Subject: [PATCH] [installer]: add validation rules to blockNewUsers in config block
---
 install/installer/pkg/config/v1/config.go | 5 +--
 install/installer/pkg/config/v1/validation.go | 33 +++++++++++++++++++
 install/installer/pkg/config/validation.go | 2 ++
 3 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/install/installer/pkg/config/v1/config.go b/install/installer/pkg/config/v1/config.go
index 51d99af1770322..2a181b6e631281 100644
--- a/install/installer/pkg/config/v1/config.go
+++ b/install/installer/pkg/config/v1/config.go
@@ -403,8 +403,9 @@ const (
 )
 type BlockNewUsers struct {
- Enabled bool `json:"enabled"`
- Passlist []string `json:"passlist"`
+ Enabled bool `json:"enabled"`
+ // Passlist []string `json:"passlist" validate:"min=1,unique,dive,fqdn"`
+ Passlist []string `json:"passlist" validate:"block_new_users_passlist"`
 }
 // AuthProviderConfigs this only contains what is necessary for validation
diff --git a/install/installer/pkg/config/v1/validation.go b/install/installer/pkg/config/v1/validation.go
index 3e3c00d5dec130..0a49bb45d37730 100644
--- a/install/installer/pkg/config/v1/validation.go
+++ b/install/installer/pkg/config/v1/validation.go
@@ -6,6 +6,7 @@ package config
 import (
 "fmt"
+ "regexp"
 "github.com/gitpod-io/gitpod/installer/pkg/cluster"
 "github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
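Review bot: In `BlockNewUsers` (v1/config.go) the previous attempt is left behind as a commented-out `Passlist` declaration carrying `validate:"min=1,unique,dive,fqdn"`, which reads as dead code and advertises a `unique` rule that the custom `block_new_users_passlist` validator added in v1/validation.go does not enforce. I would replace it with a comment that states the actual contract, for example `// Passlist is validated only when Enabled is true (see block_new_users_passlist); every entry must be a fully-qualified domain name.` If duplicate entries are meant to be rejected, that check needs to go into the validator; otherwise the mention of `unique` should be dropped so the struct does not promise more than is checked.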
@@ -65,6 +66,38 @@ func (v version) LoadValidationFuncs(validate *validator.Validate) error {
 _, ok := LogLevelList[LogLevel(fl.Field().String())]
 return ok
 },
+ "block_new_users_passlist": func(fl validator.FieldLevel) bool {
+ if !fl.Parent().FieldByName("Enabled").Bool() {
+ // Not enabled - it's valid
+ return true
+ }
+
+ if fl.Field().Len() == 0 {
+ // No exceptions
+ return false
+ }
+
+ // Use same regex as "fqdn"
+ // @link https://github.com/go-playground/validator/blob/c7e0172e0fd176bdc521afb5186818a7db6b77ac/regexes.go#L52
+ fqdnRegexStringRFC1123 := `^([a-zA-Z0-9]{1}[a-zA-Z0-9-]{0,62})(\.[a-zA-Z0-9]{1}[a-zA-Z0-9-]{0,62})*?(\.[a-zA-Z]{1}[a-zA-Z0-9]{0,62})\.?$`
+ fqdnRegexRFC1123 := regexp.MustCompile(fqdnRegexStringRFC1123)
+
+ for i := 0; i < fl.Field().Len(); i++ {
+ val := fl.Field().Index(i).String()
+
+ if val == "" {
+ // Empty value
+ return false
+ }
+
+ // Check that it validates as a fully-qualified domain name
+ valid := fqdnRegexRFC1123.MatchString(val)
+ if !valid {
+ return false
+ }
+ }
+ return true
+ },
 }
 for k, v := range experimental.ValidationChecks {
diff --git a/install/installer/pkg/config/validation.go b/install/installer/pkg/config/validation.go
index dad71af36cb981..476ae9ce3f2b35 100644
--- a/install/installer/pkg/config/validation.go
+++ b/install/installer/pkg/config/validation.go
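Review bot: `fl.Parent().FieldByName("Enabled").Bool()` at the top of the new validator looks the sibling field up by its string name, so if the field is renamed or the tag is reused on a struct without an `Enabled` field, `FieldByName` returns the zero `reflect.Value` and `.Bool()` panics during config validation instead of reporting a failure. Reading it as `enabled := fl.Parent().FieldByName("Enabled")` followed by `if !enabled.IsValid() { return false }` keeps that case a validation error. The FQDN pattern is also recompiled with `regexp.MustCompile` on every call; a package-level `var` would compile it once, and a comment that it is copied from the validator library's `fqdn` rule would prompt a recheck on dependency upgrades. The pattern checks syntax only (a trailing dot and mixed case both pass), and whether the consumer of the passlist normalises entries before comparing is not visible here, so that is worth stating in a comment on the validator. `LoadValidationFuncs` starts and ends outside this hunk.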
@@ -55,6 +55,8 @@ func Validate(version ConfigVersion, cfg interface{}) (r *ValidationResult, err
 res.Fatal = append(res.Fatal, fmt.Sprintf("Field '%s' is %s '%s'", v.Namespace(), tag, v.Param()))
 case "startswith":
 res.Fatal = append(res.Fatal, fmt.Sprintf("Field '%s' must start with '%s'", v.Namespace(), v.Param()))
+ case "block_new_users_passlist":
+ res.Fatal = append(res.Fatal, fmt.Sprintf("Field '%s' failed. If 'Enabled = true', there must be at least one fully-qualified domain name in the passlist", v.Namespace()))
 default:
 // General error message
 res.Fatal = append(res.Fatal, fmt.Sprintf("Field '%s' failed %s validation", v.Namespace(), v.Tag()))
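Review bot: The message added for `case "block_new_users_passlist"` only says that at least one fully-qualified domain name is required, but the validator in v1/validation.go also rejects a non-empty passlist in which any single entry is empty or fails the FQDN pattern. An operator with one malformed entry among several valid ones is therefore pointed at the wrong problem. Wording such as `"Field '%s' failed. If 'Enabled = true', the passlist must be non-empty and every entry must be a fully-qualified domain name"` covers both failure modes. The `switch` inside `Validate` begins and ends outside this hunk.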