// GetNameValidationFunc returns a name validation function that includes the standard restrictions we want for all types func GetNameValidationFunc(nameFunc validation.ValidateNameFunc) validation.ValidateNameFunc { return func(name string, prefix bool) []string { if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 { return reasons } return nameFunc(name, prefix) } }
// NoNamespaceKeyFunc is the default function for constructing etcd paths to a resource relative to prefix without a namespace func NoNamespaceKeyFunc(ctx api.Context, prefix string, name string) (string, error) { if len(name) == 0 { return "", kubeerr.NewBadRequest("Name parameter required.") } if ok, msg := validation.ValidatePathSegmentName(name, false); !ok { return "", kubeerr.NewBadRequest(fmt.Sprintf("Name parameter invalid: %v.", msg)) } key := prefix + "/" + name return key, nil }
func ValidateImageStreamName(name string, prefix bool) []string { if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 { return reasons } if !RepositoryNameComponentAnchoredRegexp.MatchString(name) { return []string{fmt.Sprintf("must match %q", RepositoryNameComponentRegexp.String())} } return nil }
func ValidateIdentityProviderName(name string) []string { if reasons := kvalidation.ValidatePathSegmentName(name, false); len(reasons) != 0 { return reasons } if strings.Contains(name, ":") { return []string{`may not contain ":"`} } return nil }
func ValidateTokenName(name string, prefix bool) []string { if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 { return reasons } if len(name) < MinTokenLength { return []string{fmt.Sprintf("must be at least %d characters long", MinTokenLength)} } return nil }
func ValidatePolicyName(name string, prefix bool) []string { if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 { return reasons } if name != authorizationapi.PolicyName { return []string{"name must be " + authorizationapi.PolicyName} } return nil }
func NoNamespaceKeyFunc(prefix string, obj runtime.Object) (string, error) { meta, err := meta.Accessor(obj) if err != nil { return "", err } name := meta.Name() if ok, msg := validation.ValidatePathSegmentName(name, false); !ok { return "", fmt.Errorf("invalid name: %v", msg) } return prefix + "/" + meta.Name(), nil }
func ValidateClientAuthorizationName(name string, prefix bool) []string { if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 { return reasons } lastColon := strings.Index(name, ":") if lastColon <= 0 || lastColon >= len(name)-1 { return []string{"must be in the format <userName>:<clientName>"} } return nil }
func PolicyBindingNameValidator(policyRefNamespace string) validation.ValidateNameFunc { return func(name string, prefix bool) []string { if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 { return reasons } if name != authorizationapi.GetPolicyBindingName(policyRefNamespace) { return []string{"name must be " + authorizationapi.GetPolicyBindingName(policyRefNamespace)} } return nil } }
func ValidateGroupName(name string, _ bool) []string { if reasons := kvalidation.ValidatePathSegmentName(name, false); len(reasons) != 0 { return reasons } if strings.Contains(name, ":") { return []string{`may not contain ":"`} } if name == "~" { return []string{`may not equal "~"`} } return nil }
// NamespaceKeyFunc is the default function for constructing etcd paths to a resource relative to prefix enforcing namespace rules. // If no namespace is on context, it errors. func NamespaceKeyFunc(ctx api.Context, prefix string, name string) (string, error) { key := NamespaceKeyRootFunc(ctx, prefix) ns, ok := api.NamespaceFrom(ctx) if !ok || len(ns) == 0 { return "", kubeerr.NewBadRequest("Namespace parameter required.") } if len(name) == 0 { return "", kubeerr.NewBadRequest("Name parameter required.") } if ok, msg := validation.ValidatePathSegmentName(name, false); !ok { return "", kubeerr.NewBadRequest(fmt.Sprintf("Name parameter invalid: %v.", msg)) } key = key + "/" + name return key, nil }
func ValidateProjectName(name string, prefix bool) []string { if reasons := validation.ValidatePathSegmentName(name, prefix); len(reasons) != 0 { return reasons } if len(name) < 2 { return []string{"must be at least 2 characters long"} } if reasons := validation.ValidateNamespaceName(name, false); len(reasons) != 0 { return reasons } return nil }
func ValidateIdentityName(name string, _ bool) []string { if reasons := kvalidation.ValidatePathSegmentName(name, false); len(reasons) != 0 { return reasons } parts := strings.Split(name, ":") if len(parts) != 2 { return []string{`must be in the format <providerName>:<providerUserName>`} } if len(parts[0]) == 0 { return []string{`must be in the format <providerName>:<providerUserName> with a non-empty providerName`} } if len(parts[1]) == 0 { return []string{`must be in the format <providerName>:<providerUserName> with a non-empty providerUserName`} } return nil }
func validateRedirectReference(ref *api.RedirectReference) field.ErrorList { allErrs := field.ErrorList{} if len(ref.Name) == 0 { allErrs = append(allErrs, field.Required(field.NewPath("name"), "may not be empty")) } else { for _, msg := range validation.ValidatePathSegmentName(ref.Name, false) { allErrs = append(allErrs, field.Invalid(field.NewPath("name"), ref.Name, msg)) } } switch ref.Kind { case "": allErrs = append(allErrs, field.Required(field.NewPath("kind"), "may not be empty")) case "Route": // Valid, TODO add ingress once we support it and update error message default: allErrs = append(allErrs, field.Invalid(field.NewPath("kind"), ref.Kind, "must be Route")) } // TODO validate group once we start using it return allErrs }
func validateRoleBinding(roleBinding *authorizationapi.RoleBinding, isNamespaced bool, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} allErrs = append(allErrs, validation.ValidateObjectMeta(&roleBinding.ObjectMeta, isNamespaced, validation.ValidatePathSegmentName, fldPath.Child("metadata"))...) // roleRef namespace is empty when referring to global policy. if (len(roleBinding.RoleRef.Namespace) > 0) && len(kvalidation.IsDNS1123Subdomain(roleBinding.RoleRef.Namespace)) != 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child("roleRef", "namespace"), roleBinding.RoleRef.Namespace, "roleRef.namespace must be a valid subdomain")) } if len(roleBinding.RoleRef.Name) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("roleRef", "name"), "")) } else { if reasons := validation.ValidatePathSegmentName(roleBinding.RoleRef.Name, false); len(reasons) != 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child("roleRef", "name"), roleBinding.RoleRef.Name, strings.Join(reasons, ", "))) } } subjectsPath := field.NewPath("subjects") for i, subject := range roleBinding.Subjects { allErrs = append(allErrs, validateRoleBindingSubject(subject, isNamespaced, subjectsPath.Index(i))...) } return allErrs }
func TestNameFunc(t *testing.T) { const nameRulesMessage = `must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')` for apiType, validationInfo := range Validator.typeToValidator { if !validationInfo.HasObjectMeta { continue } apiValue := reflect.New(apiType.Elem()) apiObjectMeta := apiValue.Elem().FieldByName("ObjectMeta") // check for illegal names for _, illegalName := range []string{".", ".."} { apiObjectMeta.Set(reflect.ValueOf(kapi.ObjectMeta{Name: illegalName})) errList := validationInfo.Validator.Validate(apiValue.Interface().(runtime.Object)) reasons := validation.ValidatePathSegmentName(illegalName, false) requiredMessage := strings.Join(reasons, ", ") if len(errList) == 0 { t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add validation.ValidatePathSegmentName to your name validator..", illegalName, apiType.Elem(), errList) continue } foundExpectedError := false for _, err := range errList { validationError := err if validationError.Type != field.ErrorTypeInvalid || validationError.Field != "metadata.name" { continue } if validationError.Detail == requiredMessage { foundExpectedError = true break } // this message is from a stock name validation method in kube that covers our requirements in ValidatePathSegmentName if validationError.Detail == nameRulesMessage { foundExpectedError = true break } } if !foundExpectedError { t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add validation.ValidatePathSegmentName to your name validator.", illegalName, apiType.Elem(), errList) } } // check for illegal contents for _, illegalContent := range []string{"/", "%"} { illegalName := "a" + illegalContent + "b" apiObjectMeta.Set(reflect.ValueOf(kapi.ObjectMeta{Name: illegalName})) errList := validationInfo.Validator.Validate(apiValue.Interface().(runtime.Object)) reasons := validation.ValidatePathSegmentName(illegalName, false) requiredMessage := strings.Join(reasons, ", ") if len(errList) == 0 { t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add validation.ValidatePathSegmentName to your name validator.", illegalName, apiType.Elem(), errList) continue } foundExpectedError := false for _, err := range errList { validationError := err if validationError.Type != field.ErrorTypeInvalid || validationError.Field != "metadata.name" { continue } if validationError.Detail == requiredMessage { foundExpectedError = true break } // this message is from a stock name validation method in kube that covers our requirements in ValidatePathSegmentName if validationError.Detail == nameRulesMessage { foundExpectedError = true break } } if !foundExpectedError { t.Errorf("expected error for %v in %v not found amongst %v. You probably need to add validation.ValidatePathSegmentName to your name validator.", illegalName, apiType.Elem(), errList) } } } }