user or group name: explain the supported format

The commands ipa user-add or ipa group-add validate the
format of the user/group name and display the following
message when it does not conform to the expectations:
invalid 'login': may only include letters, numbers, _, -, . and $

The format is more complex, for instance '1234567' is an invalid
user name but the failure is inconsistent with the error message.
Modify the error message to point to ipa help user/group and add
more details in the help message.

Same change for idoverrideuser and idoverridegroup:
The user/group name must follow these rules:
- cannot contain only numbers
- must start with a letter, a number, _ or .
- may contain letters, numbers, _, ., or -
- may end with a letter, a number, _, ., - or $

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Florence Blanc-Renaud 2023-05-11 10:53:58 +02:00
parent edcdcf8345
commit 7830ab96cc
9 changed files with 38 additions and 11 deletions


@ -319,6 +319,11 @@ MAXHOSTFQDNLEN = 253
PATTERN_GROUPUSER_NAME = (
'(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
)
ERRMSG_GROUPUSER_NAME = (
'may only include letters, numbers, _, -, . and $'
', refer to \'ipa help {}\' for complete format '
'description'
)
# Kerberos Anonymous principal name
ANON_USER = 'WELLKNOWN/ANONYMOUS'
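Review bot: `ERRMSG_GROUPUSER_NAME` is a `str.format()` template, but nothing at its definition says so, and the rules it points readers to are written out by hand in several help texts in this commit while `PATTERN_GROUPUSER_NAME` remains the only thing actually enforced. A comment above each constant would help, for example `# '{}' is the help topic ('user' or 'group'); callers must call .format()` and `# keep the rules listed in the user and group help texts in sync with this pattern`. Without that, a later change to the regex can leave the documented rules describing a different set of names from the one the validator accepts. A call site that forgets `.format()` would also show a literal `{}` to the user.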


@ -211,7 +211,7 @@ class baseuser(LDAPObject):
takes_params = (
Str('uid',
pattern=constants.PATTERN_GROUPUSER_NAME,
pattern_errmsg='may only include letters, numbers, _, -, . and $',
pattern_errmsg=constants.ERRMSG_GROUPUSER_NAME.format('user'),
maxlength=255,
cli_name='login',
label=_('User login'),


@ -24,7 +24,7 @@ import logging
from ipalib import api
from ipalib import Int, Str, Flag
from ipalib.constants import PATTERN_GROUPUSER_NAME
from ipalib.constants import PATTERN_GROUPUSER_NAME, ERRMSG_GROUPUSER_NAME
from ipalib.plugable import Registry
from .baseldap import (
add_external_post_callback,
@ -70,6 +70,12 @@ converted to non-POSIX groups.
Every group must have a description.
The group name must follow these rules:
- cannot contain only numbers
- must start with a letter, a number, _ or .
- may contain letters, numbers, _, ., or -
- may end with a letter, a number, _, ., - or $
POSIX groups must have a Group ID (GID) number. Changing a GID is
supported but can have an impact on your file permissions. It is not necessary
to supply a GID when creating a group. IPA will generate one automatically
@ -330,7 +336,7 @@ class group(LDAPObject):
takes_params = (
Str('cn',
pattern=PATTERN_GROUPUSER_NAME,
pattern_errmsg='may only include letters, numbers, _, -, . and $',
pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('group'),
maxlength=255,
cli_name='group_name',
label=_('Group name'),


@ -37,6 +37,7 @@ from ipalib.constants import (
IPA_ANCHOR_PREFIX,
SID_ANCHOR_PREFIX,
PATTERN_GROUPUSER_NAME,
ERRMSG_GROUPUSER_NAME
)
from ipalib.plugable import Registry
from ipalib.util import (normalize_sshpubkey, validate_sshpubkey,
@ -1025,7 +1026,7 @@ class idoverrideuser(baseidoverride):
takes_params = baseidoverride.takes_params + (
Str('uid?',
pattern=PATTERN_GROUPUSER_NAME,
pattern_errmsg='may only include letters, numbers, _, -, . and $',
pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('user'),
maxlength=255,
cli_name='login',
label=_('User login'),
@ -1128,7 +1129,7 @@ class idoverridegroup(baseidoverride):
takes_params = baseidoverride.takes_params + (
Str('cn?',
pattern=PATTERN_GROUPUSER_NAME,
pattern_errmsg='may only include letters, numbers, _, -, . and $',
pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('group'),
maxlength=255,
cli_name='group_name',
label=_('Group name'),
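Review bot: In `idoverrideuser` and `idoverridegroup` the new message sends the reader to `ipa help user` and `ipa help group`, because `.format('user')` and `.format('group')` are passed, yet the error is raised by an idoverride command. None of the hunks shown for this file add the naming rules to the idoverride help text, so the person hitting the error has to look in a different topic from the command they ran. If that is intended, a short comment next to `pattern_errmsg` saying so would help; otherwise the idoverride help could reference the rules as well. The new import entry `ERRMSG_GROUPUSER_NAME` also lacks the trailing comma that the entries above it carry. Both `takes_params` tuples continue outside the hunks.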


@ -94,6 +94,12 @@ usernames that start with a digit or usernames that exceed a certain length
may cause problems for some UNIX systems.
Use 'ipa config-mod' to change the username format allowed by IPA tools.
The user name must follow these rules:
- cannot contain only numbers
- must start with a letter, a number, _ or .
- may contain letters, numbers, _, ., or -
- may end with a letter, a number, _, ., - or $
EXAMPLES:
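Review bot: The added block states the name rules as fixed ("must follow these rules"), directly after the context line saying `ipa config-mod` can change the username format allowed by IPA tools. A reader cannot tell from this text whether the four rules are a default or an invariant that configuration cannot relax. One sentence would settle it, for example `These rules always apply, regardless of settings changed with 'ipa config-mod'.`, if that is the case; the enforcing code is not visible in this section, so confirm before wording it. The same text is added to the next help section on this page and would need the same sentence.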


@ -88,6 +88,12 @@ usernames that start with a digit or usernames that exceed a certain length
may cause problems for some UNIX systems.
Use 'ipa config-mod' to change the username format allowed by IPA tools.
The user name must follow these rules:
- cannot contain only numbers
- must start with a letter, a number, _ or .
- may contain letters, numbers, _, ., or -
- may end with a letter, a number, _, ., - or $
Disabling a user account prevents that user from obtaining new Kerberos
credentials. It does not invalidate any credentials that have already
been issued.


@ -25,6 +25,7 @@ Test the `ipaserver/plugins/group.py` module.
import pytest
from ipalib import errors
from ipalib.constants import ERRMSG_GROUPUSER_NAME
from ipatests.test_xmlrpc import objectclasses
from ipatests.test_xmlrpc.xmlrpc_test import (
fuzzy_digits, fuzzy_uuid, fuzzy_set_ci,
@ -169,7 +170,7 @@ class TestGroup(XMLRPC_test):
)
with raises_exact(errors.ValidationError(
name='group_name',
error=u'may only include letters, numbers, _, -, . and $')):
error=ERRMSG_GROUPUSER_NAME.format('group'))):
command()
def test_create_with_name_starting_with_numeric(self):
@ -188,7 +189,7 @@ class TestGroup(XMLRPC_test):
)
with raises_exact(errors.ValidationError(
name='group_name',
error=u'may only include letters, numbers, _, -, . and $',
error=ERRMSG_GROUPUSER_NAME.format('group'),
)):
testgroup.create()
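Review bot: The expected error in both `raises_exact` calls is now built from `ERRMSG_GROUPUSER_NAME.format('group')`, the same constant the plugin uses, so these assertions can no longer catch an accidental change to the message wording or a wrong help topic in the template. Keeping the literal text in at least one test, e.g. `error="may only include letters, numbers, _, -, . and $, refer to 'ipa help group' for complete format description"`, would pin what users actually see. The user tests in the following two sections on this page follow the same pattern. Both test methods begin outside the hunks.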


@ -12,6 +12,7 @@ import six
from collections import OrderedDict
from ipalib import api, errors
from ipalib.constants import ERRMSG_GROUPUSER_NAME
from ipaplatform.constants import constants as platformconstants
from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, raises_exact
@ -357,7 +358,7 @@ class TestCreateInvalidAttributes(XMLRPC_test):
command = invalid.make_create_command()
with raises_exact(errors.ValidationError(
name='login',
error=u"may only include letters, numbers, _, -, . and $")):
error=ERRMSG_GROUPUSER_NAME.format('user'))):
command()
def test_create_long_uid(self):


@ -31,6 +31,7 @@ import ldap
import re
from ipalib import api, errors
from ipalib.constants import ERRMSG_GROUPUSER_NAME
from ipaplatform.constants import constants as platformconstants
from ipapython import ipautil
from ipatests.test_xmlrpc import objectclasses
@ -502,7 +503,7 @@ class TestUpdate(XMLRPC_test):
)
with raises_exact(errors.ValidationError(
name='rename',
error=u'may only include letters, numbers, _, -, . and $')):
error=ERRMSG_GROUPUSER_NAME.format('user'))):
command()
def test_add_radius_username(self, user):
@ -556,7 +557,7 @@ class TestCreate(XMLRPC_test):
command = testuser.make_create_command()
with raises_exact(errors.ValidationError(
name=u'login',
error=u'may only include letters, numbers, _, -, . and $')):
error=ERRMSG_GROUPUSER_NAME.format('user'))):
command()
def test_create_with_too_long_login(self):
@ -730,7 +731,7 @@ class TestCreate(XMLRPC_test):
)
with raises_exact(errors.ValidationError(
name=u'login',
error=u'may only include letters, numbers, _, -, . and $',
error=ERRMSG_GROUPUSER_NAME.format('user'),
)):
testuser.create()