Re: [Freeipa-devel] [PATCH] 871 add hostname regex

2011-09-27 Thread Martin Kosek
On Thu, 2011-09-22 at 14:25 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Rob Crittenden wrote:
> >> Alexander Bokovoy wrote:
> >>> On Tue, 13 Sep 2011, Jan Cholasta wrote:
> >> What about IDN hosts? With this change we would require them to be
> >> always in Punycode?
> >>
> >
> > Oh, hadn't considered that, I was just following the relevant RFCs. Is
> > there a way we can easily support those as well?
> 
>  The easiest way would probably be:
> 
>  normalizer=lambda value: unicode(value.encode('idna'))
> >>> That's one part. Another one is visualizing such content -- for both
> >>> Web UI and CLI we would need to run encodings.idna.ToUnicode().
> >>> Finally, make sure whatever we pass to external applications is
> >>> properly formatted as well -- all of them should be able to work with
> >>> xn- form.
> >>
> >> The UI also links the DNS hostname to the host entries so I'd think the
> >> names must be matchable in some way. If DNS can only store punycode
> >> names I think the regex will be fine.
> >
> > I think we're going to need a bit more time to get this right. What I
> > propose for the short term is to encode in puny code, do the validation,
> > and reject as required. We still store in full unicode.
> >
> > Note that special characters may not work that well now but validating
> > characters won't make it any worse.
> >
> > rob
> 
> As it turns out Kerberos doesn't support this type of hostname so my 
> original patch stands for now. We can't allow non-ascii hostnames. I'll 
> open a 3.0 ticket to investigate further.
> 
> rob
> 

In that case, ACK. I tested the current patch and it works fine. Let's
deal with internationalized domains in ticket 1845 you created.

Pushed to master, ipa-2-1.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 871 add hostname regex

2011-09-22 Thread Rob Crittenden

Rob Crittenden wrote:

Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Tue, 13 Sep 2011, Jan Cholasta wrote:

What about IDN hosts? With this change we would require them to be
always in Punycode?



Oh, hadn't considered that, I was just following the relevant RFCs. Is
there a way we can easily support those as well?


The easiest way would probably be:

normalizer=lambda value: unicode(value.encode('idna'))

That's one part. Another one is visualizing such content -- for both
Web UI and CLI we would need to run encodings.idna.ToUnicode().
Finally, make sure whatever we pass to external applications is
properly formatted as well -- all of them should be able to work with
xn- form.


The UI also links the DNS hostname to the host entries so I'd think the
names must be matchable in some way. If DNS can only store punycode
names I think the regex will be fine.


I think we're going to need a bit more time to get this right. What I
propose for the short term is to encode in puny code, do the validation,
and reject as required. We still store in full unicode.

Note that special characters may not work that well now but validating
characters won't make it any worse.

rob


As it turns out Kerberos doesn't support this type of hostname so my 
original patch stands for now. We can't allow non-ascii hostnames. I'll 
open a 3.0 ticket to investigate further.


rob



Re: [Freeipa-devel] [PATCH] 871 add hostname regex

2011-09-21 Thread Rob Crittenden

Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Tue, 13 Sep 2011, Jan Cholasta wrote:

What about IDN hosts? With this change we would require them to be
always in Punycode?



Oh, hadn't considered that, I was just following the relevant RFCs. Is
there a way we can easily support those as well?


The easiest way would probably be:

normalizer=lambda value: unicode(value.encode('idna'))

That's one part. Another one is visualizing such content -- for both
Web UI and CLI we would need to run encodings.idna.ToUnicode().
Finally, make sure whatever we pass to external applications is
properly formatted as well -- all of them should be able to work with
xn- form.


The UI also links the DNS hostname to the host entries so I'd think the
names must be matchable in some way. If DNS can only store punycode
names I think the regex will be fine.


I think we're going to need a bit more time to get this right. What I 
propose for the short term is to encode in puny code, do the validation, 
and reject as required. We still store in full unicode.


Note that special characters may not work that well now but validating
characters won't make it any worse.


rob
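
The short-term approach proposed in this message (encode to Punycode, validate, reject as required), together with the display conversion mentioned earlier in the thread, as an added example that is not part of the thread or of FreeIPA's code. It is written for Python 3 and reuses the pattern from the patch; the function names and sample hostnames are constructed for illustration.

```python
import re

# Pattern taken from the patch quoted in this thread, written as a raw string.
HOSTNAME_PATTERN = re.compile(r'^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$')


def to_ascii(hostname):
    """Encode to the xn-- form, then apply the patch's pattern to the result."""
    try:
        # Python's built-in 'idna' codec (IDNA 2003) works label by label and
        # raises UnicodeError for an empty label or one longer than 63 bytes.
        ascii_name = hostname.encode('idna').decode('ascii')
    except UnicodeError as exc:
        raise ValueError('cannot encode %r: %s' % (hostname, exc))
    if not HOSTNAME_PATTERN.match(ascii_name):
        raise ValueError('%r may only include letters, numbers, and -'
                         % ascii_name)
    return ascii_name


def to_display(ascii_name):
    """Convert an xn-- name back to Unicode for the Web UI or CLI."""
    return ascii_name.encode('ascii').decode('idna')


def is_valid(hostname):
    """True if the name survives encoding and the pattern check."""
    try:
        to_ascii(hostname)
    except ValueError:
        return False
    return True


# Constructed sample hostnames (not from the thread).
SAMPLES = [
    'ipa.example.com',
    'b\u00fccher.example.com',      # IDN label, becomes xn--bcher-kva
    'host_name.example.com',        # underscore fails the pattern
    'a' * 64 + '.example.com',      # passes the pattern, fails the codec
]

if __name__ == '__main__':
    for name in SAMPLES:
        if is_valid(name):
            print('%-30s accepted as %s' % (name, to_ascii(name)))
        else:
            print('%-30s rejected' % name)
```
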



Re: [Freeipa-devel] [PATCH] 871 add hostname regex

2011-09-14 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Tue, 13 Sep 2011, Jan Cholasta wrote:

What about IDN hosts? With this change we would require them to be
always in Punycode?



Oh, hadn't considered that, I was just following the relevant RFCs. Is
there a way we can easily support those as well?


The easiest way would probably be:

 normalizer=lambda value: unicode(value.encode('idna'))

That's one part. Another one is visualizing such content -- for both
Web UI and CLI we would need to run encodings.idna.ToUnicode().
Finally, make sure whatever we pass to external applications is
properly formatted as well -- all of them should be able to work with
xn-  form.


The UI also links the DNS hostname to the host entries so I'd think the 
names must be matchable in some way. If DNS can only store punycode 
names I think the regex will be fine.


rob



Re: [Freeipa-devel] [PATCH] 871 add hostname regex

2011-09-13 Thread Alexander Bokovoy
On Tue, 13 Sep 2011, Jan Cholasta wrote:
> >>What about IDN hosts? With this change we would require them to be
> >>always in Punycode?
> >>
> >
> >Oh, hadn't considered that, I was just following the relevant RFCs. Is
> >there a way we can easily support those as well?
> 
> The easiest way would probably be:
> 
> normalizer=lambda value: unicode(value.encode('idna'))
That's one part. Another one is visualizing such content -- for both 
Web UI and CLI we would need to run encodings.idna.ToUnicode(). 
Finally, make sure whatever we pass to external applications is 
properly formatted as well -- all of them should be able to work with 
xn- form.
-- 
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 871 add hostname regex

2011-09-13 Thread Jan Cholasta

On 12.9.2011 22:13, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Mon, 12 Sep 2011, Rob Crittenden wrote:


Limit hostnames to letters, digits and - with a max length of 255

takes_params = (
Str('fqdn', validate_host,
+ pattern='^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$',
+ pattern_errmsg='may only include letters, numbers, and -',
+ maxlength=255,
cli_name='hostname',
label=_('Host name'),
primary_key=True,


What about IDN hosts? With this change we would require them to be
always in Punycode?



Oh, hadn't considered that, I was just following the relevant RFCs. Is
there a way we can easily support those as well?


The easiest way would probably be:

normalizer=lambda value: unicode(value.encode('idna'))



rob



Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 871 add hostname regex

2011-09-12 Thread Alexander Bokovoy
On Mon, 12 Sep 2011, Rob Crittenden wrote:

> Alexander Bokovoy wrote:
> >On Mon, 12 Sep 2011, Rob Crittenden wrote:
> >
> >>Limit hostnames to letters, digits and - with a max length of 255
> >>
> >>  takes_params = (
> >>  Str('fqdn', validate_host,
> >>+pattern='^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$',
> >>+pattern_errmsg='may only include letters, numbers, and -',
> >>+maxlength=255,
> >>  cli_name='hostname',
> >>  label=_('Host name'),
> >>  primary_key=True,
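
Review bot: the `pattern` value is a plain (non-raw) string containing `\.` and is anchored with `$`, and both are worth tightening. Inside a character class the dot needs no escape, so `[a-zA-Z0-9.-]` says the same thing without depending on how the string literal handles the backslash. If this pattern is matched with Python's re module, `$` also matches just before a trailing newline, so a value ending in a newline would pass; anchoring with `\Z`, or stripping the value before validation, closes that gap.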
> >
> >What about IDN hosts? With this change we would require them to be
> >always in Punycode?
> >
> 
> Oh, hadn't considered that, I was just following the relevant RFCs.
> Is there a way we can easily support those as well?
IDN with Punycode-encoded names would already be supported by this 
validator. I was wondering about being able to enter those names as it 
is and if they fail the validator, convert them to IDN 
(xn-- per name component) and use it forward.

However, we would need to make sure all of the comparisons would be 
done properly...

-- 
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 871 add hostname regex

2011-09-12 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Mon, 12 Sep 2011, Rob Crittenden wrote:


Limit hostnames to letters, digits and - with a max length of 255

  takes_params = (
  Str('fqdn', validate_host,
+pattern='^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$',
+pattern_errmsg='may only include letters, numbers, and -',
+maxlength=255,
  cli_name='hostname',
  label=_('Host name'),
  primary_key=True,
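
Review bot: `pattern_errmsg` does not match what `pattern` on the line above enforces: the message says "may only include letters, numbers, and -", while the pattern also accepts `.` and requires the first character to be a letter or digit. A name rejected for a leading `-` or `.` gets a message that does not explain the failure. Suggest wording that names the dot and the first-character rule; the summary line "Limit hostnames to letters, digits and -" omits the dot as well.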


What about IDN hosts? With this change we would require them to be
always in Punycode?



Oh, hadn't considered that, I was just following the relevant RFCs. Is
there a way we can easily support those as well?


rob



Re: [Freeipa-devel] [PATCH] 871 add hostname regex

2011-09-12 Thread Alexander Bokovoy
On Mon, 12 Sep 2011, Rob Crittenden wrote:

> Limit hostnames to letters, digits and - with a max length of 255
>  
>  takes_params = (
>  Str('fqdn', validate_host,
> +pattern='^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$',
> +pattern_errmsg='may only include letters, numbers, and -',
> +maxlength=255,
>  cli_name='hostname',
>  label=_('Host name'),
>  primary_key=True,
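
Review bot: the character class in `pattern` treats `.` like any other allowed character, so the check applies to the whole string rather than to each label. Names such as `a..b`, `host-.example` and `a.-b` all match, and nothing limits a label to 63 characters. Unless `validate_host` already covers this, consider matching label by label, with one label as `[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?` repeated with `\.` separators, and leave the overall length to `maxlength=255`.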

What about IDN hosts? With this change we would require them to be 
always in Punycode?

-- 
/ Alexander Bokovoy
