On Fri, 2011-10-14 at 14:11 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > Do at least a basic validation of DNS zone manager mail address. > > > > Do not require '@' to be in the mail address as it is not used > > in common DNS zone configuration (in bind for example) and people > > may be used to configure it that way. '@' is always removed by the > > installer before the DNS zone is created. > > > > https://fedorahosted.org/freeipa/ticket/1966 > > There is already a zonemgr_callback defined for this option, can the > verify_zonemgr call be either integrated or called from that? > > rob >
Right. Please, try this one. I also added a parser error when more than one '@' is in the checked value. Martin
>From aed3d75a44a58902394024def01c91b4be91d440 Mon Sep 17 00:00:00 2001 From: Martin Kosek <[email protected]> Date: Fri, 14 Oct 2011 11:45:32 +0200 Subject: [PATCH] Add --zonemgr validator Do at least a basic validation of DNS zone manager mail address. Do not require '@' to be in the mail address as it is not used in common DNS zone configuration (in bind for example) and people may be used to configure it that way. '@' is always removed by the installer before the DNS zone is created. https://fedorahosted.org/freeipa/ticket/1966 --- install/tools/ipa-dns-install | 3 +- install/tools/ipa-server-install | 13 +---------- ipaserver/install/bindinstance.py | 42 +++++++++++++++++++++++++++++++++++++ 3 files changed, 45 insertions(+), 13 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index d81b6a2e804a815d5bece8426a286e3190f6dee3..7841c21dc89a02250d513ce3ebf5c5389aac98da 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -48,7 +48,8 @@ def parse_options(): parser.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use") parser.add_option("--no-reverse", dest="no_reverse", action="store_true", default=False, help="Do not create reverse DNS zone") - parser.add_option("--zonemgr", dest="zonemgr", + parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback, + type="string", help="DNS zone manager e-mail address. Defaults to root") parser.add_option("--zone-notif", dest="zone_notif", action="store_true", default=False, diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 76d5f2f5af656a1947da0a5d5d855a398e34ef37..d29b806da4807531f8907229eefa783f0d570f08 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -58,7 +58,6 @@ from ipaserver.plugins.ldap2 import ldap2 from ipapython import sysrestore from ipapython.ipautil import * from ipalib import api, errors, util -from ipalib.parameters import IA5Str from ipapython.config import IPAOptionParser from ipalib.dn import DN from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file @@ -76,16 +75,6 @@ VALID_SUBJECT_ATTRS = ['cn', 'st', 'o', 'ou', 'dnqualifier', 'c', 'incorporationlocality', 'incorporationstate', 'incorporationcountry', 'businesscategory'] -def zonemgr_callback(option, opt_str, value, parser): - """ - Make sure the zonemgr is an IA5String. - """ - name = opt_str.replace('--','') - v = unicode(value, 'utf-8') - ia = IA5Str(name) - ia._convert_scalar(v) - parser.values.zonemgr = value - def subject_callback(option, opt_str, value, parser): """ Make sure the certificate subject base is a valid DN @@ -195,7 +184,7 @@ def parse_options(): dns_group.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use") dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true", default=False, help="Do not create reverse DNS zone") - dns_group.add_option("--zonemgr", action="callback", callback=zonemgr_callback, + dns_group.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback, type="string", help="DNS zone manager e-mail address. Defaults to root") dns_group.add_option("--zone-notif", dest="zone_notif", diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index ddf5497708ab8598d9a01fa0e555dd1ced55953b..4d31d8e238f09f32a0d0a7a7d41d86cbf1ce2a20 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -22,6 +22,7 @@ import os import pwd import logging import netaddr +import re import installutils import ldap 
@@ -32,6 +33,7 @@ from ipaserver.install.installutils import resolve_host
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipalib.constants import DNS_ZONE_REFRESH
+from ipalib.parameters import IA5Str
 import ipalib
 from ipalib import api, util, errors
@@ -286,6 +288,46 @@ def get_rr(zone, name, type):
     return []
+def verify_zonemgr(zonemgr):
+    regex = re.compile(r'^[a-z0-9][a-z0-9-]*$', re.IGNORECASE)
+
+    if len(zonemgr) > 255:
+        raise ValueError('cannot be longer that 255 characters')
+
+    if zonemgr.count('@') == 1:
+        name, dot, domain = zonemgr.partition('@')
+
+        if not regex.match(name):
+            raise ValueError('name before @ may only contain letters, numbers and -')
+
+        zonemgr = zonemgr.replace('@','.')
+    elif zonemgr.count('@') > 1:
+        raise ValueError('too many \'@\' characters')
+
+    if zonemgr.endswith('.'):
+        zonemgr = zonemgr[:-1]
+
+    if '.' not in zonemgr:
+        raise ValueError('address is not fully qualified')
+
+    if not all(regex.match(name) for name in zonemgr.split(".")):
+        raise ValueError('address may only include letters, numbers, and -')
+
+def zonemgr_callback(option, opt_str, value, parser):
+    """
+    Properly validate and convert --zonemgr Option to IA5String
+    """
+    # validate the value first
+    try:
+        verify_zonemgr(value)
+    except ValueError, e:
+        parser.error("invalid zonemgr: " + str(e))
+
+    name = opt_str.replace('--','')
+    v = unicode(value, 'utf-8')
+    ia = IA5Str(name)
+    ia._convert_scalar(v)
+    parser.values.zonemgr = value
 class DnsBackup(object):
     def __init__(self, service):
-- 1.7.6.4
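Review bot: The label regex in verify_zonemgr is anchored with `$`, which in Python also matches just before a trailing newline, so a value such as `root.example.com\n` passes both the local-part check and the per-label check and is stored in `parser.values.zonemgr` unchanged for the installer to write into the zone; anchoring with `\Z` closes that: `regex = re.compile(r'^[a-z0-9][a-z0-9-]*\Z', re.IGNORECASE)`. The same regex lets a label exceed 63 characters or end in `-`, which the whole-string 255-character limit does not catch; whether BIND rejects such a name at zone load is not visible here, so a per-label length check would be a cheap addition. The length error message also reads 'longer that' and should be 'longer than'. Note that `ia._convert_scalar(v)` sits outside the `try` block, so any error it raises is not turned into a `parser.error` message — that is pre-existing behaviour moved from ipa-server-install, but worth a look now that the function lives here.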
