// GetNameValidationFunc returns a name validation function that includes the standard restrictions we want for all types
func GetNameValidationFunc(nameFunc validation.ValidateNameFunc) validation.ValidateNameFunc {
return func(name string, prefix bool) []string {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}
return nameFunc(name, prefix)
}
}
// NoNamespaceKeyFunc is the default function for constructing etcd paths to a resource relative to prefix without a namespace
func NoNamespaceKeyFunc(ctx api.Context, prefix string, name string) (string, error) {
if len(name) == 0 {
return "", kubeerr.NewBadRequest("Name parameter required.")
}
if ok, msg := validation.ValidatePathSegmentName(name, false); !ok {
return "", kubeerr.NewBadRequest(fmt.Sprintf("Name parameter invalid: %v.", msg))
}
key := prefix + "/" + name
return key, nil
}
func ValidateImageStreamName(name string, prefix bool) []string {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}
if !RepositoryNameComponentAnchoredRegexp.MatchString(name) {
return []string{fmt.Sprintf("must match %q", RepositoryNameComponentRegexp.String())}
}
return nil
}
func ValidateIdentityProviderName(name string) []string {
if reasons := kvalidation.ValidatePathSegmentName(name, false); len(reasons) != 0 {
return reasons
}
if strings.Contains(name, ":") {
return []string{`may not contain ":"`}
}
return nil
}
func ValidateTokenName(name string, prefix bool) []string {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}
if len(name) < MinTokenLength {
return []string{fmt.Sprintf("must be at least %d characters long", MinTokenLength)}
}
return nil
}
func ValidatePolicyName(name string, prefix bool) []string {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}
if name != authorizationapi.PolicyName {
return []string{"name must be " + authorizationapi.PolicyName}
}
return nil
}
func NoNamespaceKeyFunc(prefix string, obj runtime.Object) (string, error) {
meta, err := meta.Accessor(obj)
if err != nil {
return "", err
}
name := meta.Name()
if ok, msg := validation.ValidatePathSegmentName(name, false); !ok {
return "", fmt.Errorf("invalid name: %v", msg)
}
return prefix + "/" + meta.Name(), nil
}
func ValidateClientAuthorizationName(name string, prefix bool) []string {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}
lastColon := strings.Index(name, ":")
if lastColon <= 0 || lastColon >= len(name)-1 {
return []string{"must be in the format <userName>:<clientName>"}
}
return nil
}
func PolicyBindingNameValidator(policyRefNamespace string) validation.ValidateNameFunc {
return func(name string, prefix bool) []string {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}
if name != authorizationapi.GetPolicyBindingName(policyRefNamespace) {
return []string{"name must be " + authorizationapi.GetPolicyBindingName(policyRefNamespace)}
}
return nil
}
}
func ValidateGroupName(name string, _ bool) []string {
if reasons := kvalidation.ValidatePathSegmentName(name, false); len(reasons) != 0 {
return reasons
}
if strings.Contains(name, ":") {
return []string{`may not contain ":"`}
}
if name == "~" {
return []string{`may not equal "~"`}
}
return nil
}
// NamespaceKeyFunc is the default function for constructing etcd paths to a resource relative to prefix enforcing namespace rules.
// If no namespace is on context, it errors.
func NamespaceKeyFunc(ctx api.Context, prefix string, name string) (string, error) {
key := NamespaceKeyRootFunc(ctx, prefix)
ns, ok := api.NamespaceFrom(ctx)
if !ok || len(ns) == 0 {
return "", kubeerr.NewBadRequest("Namespace parameter required.")
}
if len(name) == 0 {
return "", kubeerr.NewBadRequest("Name parameter required.")
}
if ok, msg := validation.ValidatePathSegmentName(name, false); !ok {
return "", kubeerr.NewBadRequest(fmt.Sprintf("Name parameter invalid: %v.", msg))
}
key = key + "/" + name
return key, nil
}
func ValidateProjectName(name string, prefix bool) []string {
if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 {
return reasons
}
if len(name) < 2 {
return []string{"must be at least 2 characters long"}
}
if reasons := validation.ValidateNamespaceName(name, false); len(reasons) != 0 {
return reasons
}
return nil
}
func ValidateIdentityName(name string, _ bool) []string {
if reasons := kvalidation.ValidatePathSegmentName(name, false); len(reasons) != 0 {
return reasons
}
parts := strings.Split(name, ":")
if len(parts) != 2 {
return []string{`must be in the format <providerName>:<providerUserName>`}
}
if len(parts[0]) == 0 {
return []string{`must be in the format <providerName>:<providerUserName> with a non-empty providerName`}
}
if len(parts[1]) == 0 {
return []string{`must be in the format <providerName>:<providerUserName> with a non-empty providerUserName`}
}
return nil
}
func validateRedirectReference(ref *api.RedirectReference) field.ErrorList {
allErrs := field.ErrorList{}
if len(ref.Name) == 0 {
allErrs = append(allErrs, field.Required(field.NewPath("name"), "may not be empty"))
} else {
for _, msg := range validation.ValidatePathSegmentName(ref.Name, false) {
allErrs = append(allErrs, field.Invalid(field.NewPath("name"), ref.Name, msg))
}
}
switch ref.Kind {
case "":
allErrs = append(allErrs, field.Required(field.NewPath("kind"), "may not be empty"))
case "Route":
// Valid, TODO add ingress once we support it and update error message
default:
allErrs = append(allErrs, field.Invalid(field.NewPath("kind"), ref.Kind, "must be Route"))
}
// TODO validate group once we start using it
return allErrs
}
func validateRoleBinding(roleBinding *authorizationapi.RoleBinding, isNamespaced bool, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
allErrs = append(allErrs, validation.ValidateObjectMeta(&roleBinding.ObjectMeta, isNamespaced, validation.ValidatePathSegmentName, fldPath.Child("metadata"))...)
// roleRef namespace is empty when referring to global policy.
if (len(roleBinding.RoleRef.Namespace) > 0) && len(kvalidation.IsDNS1123Subdomain(roleBinding.RoleRef.Namespace)) != 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("roleRef", "namespace"), roleBinding.RoleRef.Namespace, "roleRef.namespace must be a valid subdomain"))
}
if len(roleBinding.RoleRef.Name) == 0 {
allErrs = append(allErrs, field.Required(fldPath.Child("roleRef", "name"), ""))
} else {
if reasons := validation.ValidatePathSegmentName(roleBinding.RoleRef.Name, false); len(reasons) != 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("roleRef", "name"), roleBinding.RoleRef.Name, strings.Join(reasons, ", ")))
}
}
subjectsPath := field.NewPath("subjects")
for i, subject := range roleBinding.Subjects {
allErrs = append(allErrs, validateRoleBindingSubject(subject, isNamespaced, subjectsPath.Index(i))...)
}
return allErrs
}
func TestNameFunc(t *testing.T) {
const nameRulesMessage = `must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')`
for apiType, validationInfo := range Validator.typeToValidator {
if !validationInfo.HasObjectMeta {
continue
}
apiValue := reflect.New(apiType.Elem())
apiObjectMeta := apiValue.Elem().FieldByName("ObjectMeta")
// check for illegal names
for _, illegalName := range []string{".", ".."} {
apiObjectMeta.Set(reflect.ValueOf(kapi.ObjectMeta{Name: illegalName}))
errList := validationInfo.Validator.Validate(apiValue.Interface().(runtime.Object))
reasons := validation.ValidatePathSegmentName(illegalName, false)
requiredMessage := strings.Join(reasons, ", ")
if len(errList) == 0 {
t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add validation.ValidatePathSegmentName to your name validator..", illegalName, apiType.Elem(), errList)
continue
}
foundExpectedError := false
for _, err := range errList {
validationError := err
if validationError.Type != field.ErrorTypeInvalid || validationError.Field != "metadata.name" {
continue
}
if validationError.Detail == requiredMessage {
foundExpectedError = true
break
}
// this message is from a stock name validation method in kube that covers our requirements in ValidatePathSegmentName
if validationError.Detail == nameRulesMessage {
foundExpectedError = true
break
}
}
if !foundExpectedError {
t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add validation.ValidatePathSegmentName to your name validator.", illegalName, apiType.Elem(), errList)
}
}
// check for illegal contents
for _, illegalContent := range []string{"/", "%"} {
illegalName := "a" + illegalContent + "b"
apiObjectMeta.Set(reflect.ValueOf(kapi.ObjectMeta{Name: illegalName}))
errList := validationInfo.Validator.Validate(apiValue.Interface().(runtime.Object))
reasons := validation.ValidatePathSegmentName(illegalName, false)
requiredMessage := strings.Join(reasons, ", ")
if len(errList) == 0 {
t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add validation.ValidatePathSegmentName to your name validator.", illegalName, apiType.Elem(), errList)
continue
}
foundExpectedError := false
for _, err := range errList {
validationError := err
if validationError.Type != field.ErrorTypeInvalid || validationError.Field != "metadata.name" {
continue
}
if validationError.Detail == requiredMessage {
foundExpectedError = true
break
}
// this message is from a stock name validation method in kube that covers our requirements in ValidatePathSegmentName
if validationError.Detail == nameRulesMessage {
foundExpectedError = true
break
}
}
if !foundExpectedError {
t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add validation.ValidatePathSegmentName to your name validator.", illegalName, apiType.Elem(), errList)
}
}
}
}
