Re: [Freeipa-devel] [PATCH] 871 add hostname regex
On Thu, 2011-09-22 at 14:25 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Rob Crittenden wrote:
> >> Alexander Bokovoy wrote:
> >>> On Tue, 13 Sep 2011, Jan Cholasta wrote:
> >> What about IDN hosts? With this change we would require them to be
> >> always in Punycode?
> >>
> >
> > Oh, hadn't considered that, I was just following the relevant RFCs. Is
> > there a way we can easily support those as well?
> > The easiest way would probably be:
> > normalizer=lambda value: unicode(value.encode('idna'))
> >>> That's one part. Another one is visualizing such content -- for both
> >>> Web UI and CLI we would need to run encodings.idna.ToUnicode().
> >>> Finally, make sure whatever we pass to external applications is
> >>> properly formatted as well -- all of them should be able to work with
> >>> xn- form.
> >>
> >> The UI also links the DNS hostname to the host entries so I'd think the
> >> names must be matchable in some way. If DNS can only store punycode
> >> names I think the regex will be fine.
> >
> > I think we're going to need a bit more time to get this right. What I
> > propose for the short term is to encode in puny code, do the validation,
> > and reject as required. We still store in full unicode.
> >
> > Note that special characters may not work that will now but validating
> > characters won't make it any worse.
> >
> > rob
>
> As it turns out Kerberos doesn't support this type of hostname so my
> original patch stands for now. We can't allow non-ascii hostnames. I'll
> open a 3.0 ticket to investigate further.
>
> rob
>

In that case, ACK. I tested the current patch and it works fine. Let's deal with internationalized domains in ticket 1845 you created.

Pushed to master, ipa-2-1.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 871 add hostname regex
Rob Crittenden wrote:
Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Tue, 13 Sep 2011, Jan Cholasta wrote:

What about IDN hosts? With this change we would require them to be always in Punycode?

Oh, hadn't considered that, I was just following the relevant RFCs. Is there a way we can easily support those as well?

The easiest way would probably be:

normalizer=lambda value: unicode(value.encode('idna'))

That's one part. Another one is visualizing such content -- for both Web UI and CLI we would need to run encodings.idna.ToUnicode(). Finally, make sure whatever we pass to external applications is properly formatted as well -- all of them should be able to work with xn- form.

The UI also links the DNS hostname to the host entries so I'd think the names must be matchable in some way. If DNS can only store punycode names I think the regex will be fine.

I think we're going to need a bit more time to get this right. What I propose for the short term is to encode in puny code, do the validation, and reject as required. We still store in full unicode.

Note that special characters may not work that will now but validating characters won't make it any worse.

rob

As it turns out Kerberos doesn't support this type of hostname so my original patch stands for now. We can't allow non-ascii hostnames. I'll open a 3.0 ticket to investigate further.

rob
Re: [Freeipa-devel] [PATCH] 871 add hostname regex
Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Tue, 13 Sep 2011, Jan Cholasta wrote:

What about IDN hosts? With this change we would require them to be always in Punycode?

Oh, hadn't considered that, I was just following the relevant RFCs. Is there a way we can easily support those as well?

The easiest way would probably be:

normalizer=lambda value: unicode(value.encode('idna'))

That's one part. Another one is visualizing such content -- for both Web UI and CLI we would need to run encodings.idna.ToUnicode(). Finally, make sure whatever we pass to external applications is properly formatted as well -- all of them should be able to work with xn- form.

The UI also links the DNS hostname to the host entries so I'd think the names must be matchable in some way. If DNS can only store punycode names I think the regex will be fine.

I think we're going to need a bit more time to get this right. What I propose for the short term is to encode in puny code, do the validation, and reject as required. We still store in full unicode.

Note that special characters may not work that will now but validating characters won't make it any worse.

rob
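The short-term approach proposed in this message (encode to Punycode, validate, reject as required), together with the decode-for-display step mentioned in the quoted text, sketched as an added Python 3 example. It is not FreeIPA code: the function names are hypothetical, it relies on Python's built-in `idna` codec (IDNA 2003), and it reuses the pattern from the patch.

```python
import re

# Pattern taken from the patch in this thread, written as a raw string.
HOSTNAME_RE = re.compile(r'^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$')


def to_ascii(hostname):
    """Return the ASCII (xn--) form of hostname, or None if encoding fails."""
    try:
        # The codec encodes label by label and raises on empty or
        # over-long labels and on code points IDNA prohibits.
        return hostname.encode('idna').decode('ascii')
    except UnicodeError:
        return None


def validate_hostname(hostname):
    """Encode first, then validate. Returns (ok, ascii_form_or_reason)."""
    ascii_name = to_ascii(hostname)
    if ascii_name is None:
        return False, 'cannot be encoded as IDNA'
    # fullmatch() must consume the whole string, so a trailing newline
    # cannot slip past the '$' anchor.
    if not HOSTNAME_RE.fullmatch(ascii_name):
        return False, 'may only include letters, numbers, and -'
    return True, ascii_name


def to_display(ascii_name):
    """Decode xn-- labels back to Unicode for a Web UI or CLI."""
    return ascii_name.encode('ascii').decode('idna')


if __name__ == '__main__':
    # Constructed sample inputs, not taken from the thread.
    for name in ('bücher.example.com', 'xn--bcher-kva.example.com',
                 'host_name.example.com', 'a..b'):
        print(repr(name), validate_hostname(name))
    print(to_display('xn--bcher-kva.example.com'))
```

Both the Unicode spelling and its `xn--` spelling validate to the same ASCII string, which is the form to use when names have to be compared or passed to external applications.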
Re: [Freeipa-devel] [PATCH] 871 add hostname regex
Alexander Bokovoy wrote:
On Tue, 13 Sep 2011, Jan Cholasta wrote:

What about IDN hosts? With this change we would require them to be always in Punycode?

Oh, hadn't considered that, I was just following the relevant RFCs. Is there a way we can easily support those as well?

The easiest way would probably be:

normalizer=lambda value: unicode(value.encode('idna'))

That's one part. Another one is visualizing such content -- for both Web UI and CLI we would need to run encodings.idna.ToUnicode(). Finally, make sure whatever we pass to external applications is properly formatted as well -- all of them should be able to work with xn- form.

The UI also links the DNS hostname to the host entries so I'd think the names must be matchable in some way. If DNS can only store punycode names I think the regex will be fine.

rob
Re: [Freeipa-devel] [PATCH] 871 add hostname regex
On Tue, 13 Sep 2011, Jan Cholasta wrote:
> >>What about IDN hosts? With this change we would require them to be
> >>always in Punycode?
> >>
> >
> >Oh, hadn't considered that, I was just following the relevant RFCs. Is
> >there a way we can easily support those as well?
>
> The easiest way would probably be:
>
> normalizer=lambda value: unicode(value.encode('idna'))

That's one part. Another one is visualizing such content -- for both Web UI and CLI we would need to run encodings.idna.ToUnicode(). Finally, make sure whatever we pass to external applications is properly formatted as well -- all of them should be able to work with xn- form.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 871 add hostname regex
On 12.9.2011 22:13, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Mon, 12 Sep 2011, Rob Crittenden wrote:

Limit hostnames to letters, digits and - with a max length of 255 takes_params = ( Str('fqdn', validate_host, + pattern='^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$', + pattern_errmsg='may only include letters, numbers, and -', + maxlength=255, cli_name='hostname', label=_('Host name'), primary_key=True,

What about IDN hosts? With this change we would require them to be always in Punycode?

Oh, hadn't considered that, I was just following the relevant RFCs. Is there a way we can easily support those as well?

The easiest way would probably be:

normalizer=lambda value: unicode(value.encode('idna'))

rob

Honza

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 871 add hostname regex
On Mon, 12 Sep 2011, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
> >On Mon, 12 Sep 2011, Rob Crittenden wrote:
> >
> >>Limit hostnames to letters, digits and - with a max length of 255 > >> > >> takes_params = ( > >> Str('fqdn', validate_host, > >>+pattern='^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$', > >>+pattern_errmsg='may only include letters, numbers, and -', > >>+maxlength=255, > >> cli_name='hostname', > >> label=_('Host name'), > >> primary_key=True,
> >
> >What about IDN hosts? With this change we would require them to be
> >always in Punycode?
> >
>
> Oh, hadn't considered that, I was just following the relevant RFCs.
> Is there a way we can easily support those as well?

IDN with Punycode-encoded names would already be supported by this validator. I was wondering about being able to enter those names as it is and if they fail the validator, convert them to IDN (xn-- per name component) and use it forward.

However, we would need to make sure all of the comparisons would be done properly...

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 871 add hostname regex
Alexander Bokovoy wrote:
On Mon, 12 Sep 2011, Rob Crittenden wrote:

Limit hostnames to letters, digits and - with a max length of 255 takes_params = ( Str('fqdn', validate_host, +pattern='^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$', +pattern_errmsg='may only include letters, numbers, and -', +maxlength=255, cli_name='hostname', label=_('Host name'), primary_key=True,

What about IDN hosts? With this change we would require them to be always in Punycode?

Oh, hadn't considered that, I was just following the relevant RFCs. Is there a way we can easily support those as well?

rob
Re: [Freeipa-devel] [PATCH] 871 add hostname regex
On Mon, 12 Sep 2011, Rob Crittenden wrote:
> Limit hostnames to letters, digits and - with a max length of 255 > > takes_params = ( > Str('fqdn', validate_host, > +pattern='^[a-zA-Z0-9][a-zA-Z0-9-\.]{0,254}$', > +pattern_errmsg='may only include letters, numbers, and -', > +maxlength=255, > cli_name='hostname', > label=_('Host name'), > primary_key=True,

What about IDN hosts? With this change we would require them to be always in Punycode?

--
/ Alexander Bokovoy
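Review bot: the `pattern` line accepts `.` and `-` in any position after the first character, so `a..b`, `a.-b` and `host-` all match and no label is held to 63 characters; if the pattern is applied with Python's `re`, `$` also matches before a trailing newline, so `host\n` passes as well. Unless `validate_host` already checks labels, match each dot-separated label as `[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?` and anchor the end with `\Z`. The `pattern_errmsg` line should also mention `.`, which the character class allows, and `maxlength=255` repeats the limit that `{0,254}` already enforces.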