Merge pull request #1299 from chef/sr/pool-589/fix-key-names

Fix keys for validating name fields
chef · Jun 12, 2017 · 583c53f · 583c53f
2 parents abdeb38 + 12be2c1
commit 583c53f
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 12 deletions.
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -7,6 +7,19 @@ in the release. For a detailed list of changed components, refer to
 This document contains release notes for the current major release and all patches.
 For prior releases, see [PRIOR\_RELEASE\_NOTES.md](PRIOR_RELEASE_NOTES.md).
 
+## 12.15.X (TBD)
+
+* [Stricter validation of non-functional user record fields](https://github.com/chef/chef-server/pull/1294),
+  Chef Server now uses a regular expression to validate first, middle, and last name of a user
+  on creation. The regex used is `[[:word:][:digit:]!'. -]+` (UTF-8). This tries to accomodate
+  a wide range of names, while also strengthening Chef Server's role in preventing XSS attacks
+  in web-based API clients.
+* [Search user by email case-insensitively](https://github.com/chef/chef-server/pull/1283):
+  while technically only the host-part of an email address is to be treated case-insensitively,
+  most email providers treat the _entire_ email address as case-insensitive. Chef Server now
+  adopts that behaviour for _searching users_: querying for `user@host` (`GET /users?email=user%40host`)
+  will now also return users with the recorded email of `USER@HOST` etc.
+
 ## 12.15.7 (2017-05-16)
 
 * Fixed [regression](https://github.com/chef/chef-server/issues/1274) that prevented

diff --git a/src/oc_erchef/apps/chef_objects/src/chef_regex.erl b/src/oc_erchef/apps/chef_objects/src/chef_regex.erl
@@ -170,15 +170,15 @@ regex_for(policy_fully_qualified_recipe) ->
 regex_for(user_name) ->
    generate_regex_msg_tuple(?ANCHOR_REGEX(?USERNAME_REGEX),
                             <<"Malformed user name. Must only contain a-z, 0-9, _, or -">>);
-regex_for(firstname) ->
+regex_for(first_name) ->
    generate_regex_msg_tuple(?ANCHOR_REGEX(?HUMAN_NAME_REGEX),
-                            <<"Denied firstname. Must only contain word characters, digits, ', or .">>, [unicode, ucp]);
-regex_for(middlename) ->
+                            <<"Denied first_name. Must only contain word characters, digits, ', or .">>, [unicode, ucp]);
+regex_for(middle_name) ->
    generate_regex_msg_tuple(?ANCHOR_REGEX(?HUMAN_NAME_REGEX),
-                            <<"Denied middlename. Must only contain word characters, digits, ', or .">>, [unicode, ucp]);
-regex_for(lastname) ->
+                            <<"Denied middle_name. Must only contain word characters, digits, ', or .">>, [unicode, ucp]);
+regex_for(last_name) ->
    generate_regex_msg_tuple(?ANCHOR_REGEX(?HUMAN_NAME_REGEX),
-                            <<"Denied lastname. Must only contain word characters, digits, ', or .">>, [unicode, ucp]);
+                            <<"Denied last_name. Must only contain word characters, digits, ', or .">>, [unicode, ucp]);
 regex_for(display_name) ->
    generate_regex_msg_tuple(?ANCHOR_REGEX(?HUMAN_NAME_REGEX),
                             <<"Denied display_name. Must only contain word characters, digits, ', or .">>, [unicode, ucp]);

diff --git a/src/oc_erchef/apps/chef_objects/src/chef_user.erl b/src/oc_erchef/apps/chef_objects/src/chef_user.erl
@@ -302,7 +302,7 @@ parse_binary_json(_ApiVersion, Bin, Operation, User) ->
 common_user_validation(EJ, User, Operation) ->
     validate_user_name(EJ),
     lists:map(fun(Field) -> validate_field(EJ, Field) end,
-              [firstname, middlename, lastname, display_name]),
+              [first_name, middle_name, last_name, display_name]),
     chef_object_base:validate_ejson(EJ, user_spec(common)),
     chef_object_base:validate_ejson(EJ, user_spec(Operation)),
 

diff --git a/src/oc_erchef/apps/chef_objects/test/chef_user_tests.erl b/src/oc_erchef/apps/chef_objects/test/chef_user_tests.erl
@@ -171,6 +171,7 @@ parse_binary_json_test_() ->
     chef_objects_test_utils:make_all_versions_tests(fun parse_binary_json_tests/1).
 
 parse_binary_json_tests(Version) ->
+    NonfunctionalFields = [<<"display_name">>, <<"first_name">>, <<"middle_name">>, <<"last_name">>],
     [{?VD("Can create user when all required fields are present"),
       fun() ->
                 MinValid = make_min_valid_create_user_ejson(),
@@ -299,21 +300,21 @@ parse_binary_json_tests(Version) ->
                            chef_user:parse_binary_json(Version, chef_json:encode(UserEJson1), create, undefined))
       end
      }
-     || Field <- [<<"display_name">>, <<"firstname">>, <<"middlename">>, <<"lastname">>]
+     || Field <- NonfunctionalFields
     ]
     ++
     [
      {?VD(lists:flatten(io_lib:format("Works with non-ASCII ~s", [Field]))),
       fun() ->
               %% "Maryam", #1 female name in the arab world as of 2015
-              Value = <<"مريم 1. O'Mara">>,
+              Value = <<"مريم 1. O'Mara"/utf8>>,
               UserEJson = {make_min_valid_create_user_ejson()},
               UserEJson1 = ej:set({Field}, UserEJson, Value),
-              ?assertMatch({ok, _},
-                           chef_user:parse_binary_json(Version, chef_json:encode(UserEJson1), create, undefined))
+              {ok, User} = chef_user:parse_binary_json(Version, chef_json:encode(UserEJson1), create, undefined),
+              ?assertEqual(ej:get({Field}, User), Value)
       end
      }
-     || Field <- [<<"display_name">>, <<"firstname">>, <<"middlename">>, <<"lastname">>]
+     || Field <- NonfunctionalFields
     ].
 
 parse_binary_json_non_deprecated_test_() ->