Add name validation for projects (#3658)

This allows for simple alphanumeric and DNS names to be considered valid for projects. The intention is to be able to use `/` in the future as a separator to traverse project hierarchies and to simplify project naming conventions. Signed-off-by: Juan Antonio Osorio <[email protected]>
mindersec · Jun 19, 2024 · bd376ce · bd376ce
1 parent 6e6c00c
commit bd376ce
Show file tree

Hide file tree

Showing 4 changed files with 131 additions and 0 deletions.
diff --git a/internal/controlplane/handlers_projects.go b/internal/controlplane/handlers_projects.go
@@ -193,6 +193,10 @@ func (s *Server) CreateProject(
 		return nil, util.UserVisibleError(codes.InvalidArgument, "cannot create subproject of a subproject")
 	}
 
+	if err := projects.ValidateName(req.Name); err != nil {
+		return nil, util.UserVisibleError(codes.InvalidArgument, "invalid project name: %v", err)
+	}
+
 	subProject, err := qtx.CreateProject(ctx, db.CreateProjectParams{
 		Name: req.Name,
 		ParentID: uuid.NullUUID{

diff --git a/internal/projects/creator.go b/internal/projects/creator.go
@@ -110,6 +110,10 @@ func (p *projectCreator) ProvisionSelfEnrolledProject(
 	projectName string,
 	userSub string,
 ) (outproj *db.Project, projerr error) {
+	if ValidateName(projectName) != nil {
+		return nil, fmt.Errorf("invalid project name: %w", ErrValidationFailed)
+	}
+
 	projectmeta := NewSelfEnrolledMetadata(projectName)
 
 	jsonmeta, err := json.Marshal(&projectmeta)

diff --git a/internal/projects/meta.go b/internal/projects/meta.go
@@ -18,6 +18,9 @@ package projects
 
 import (
 	"encoding/json"
+	"fmt"
+	"regexp"
+	"strings"
 
 	"github.com/stacklok/minder/internal/db"
 )
@@ -27,6 +30,11 @@ const (
 	MinderMetadataVersion = "v1alpha1"
 )
 
+var (
+	// ErrValidationFailed is returned when a project fails validation
+	ErrValidationFailed = fmt.Errorf("validation failed")
+)
+
 // Metadata contains metadata relevant for a project.
 type Metadata struct {
 	Version      string `json:"version"`
@@ -77,6 +85,35 @@ func ParseMetadata(proj *db.Project) (*Metadata, error) {
 	return &meta, nil
 }
 
+// ValidateName validates the given project name.
+func ValidateName(name string) error {
+	if name == "" {
+		return fmt.Errorf("%w: name cannot be empty", ErrValidationFailed)
+	}
+
+	if strings.Contains(name, "/") {
+		return fmt.Errorf("%w: name cannot contain '/'", ErrValidationFailed)
+	}
+
+	// Check if the name is too long.
+	if len(name) > 63 {
+		return fmt.Errorf("%w: name is too long", ErrValidationFailed)
+	}
+
+	// Attempt to match against alphanumeric characters only
+	alphanumr := regexp.MustCompile(`^[a-zA-Z0-9](?:[-_a-zA-Z0-9]{0,61}[a-zA-Z0-9])?$`)
+	if !alphanumr.MatchString(name) {
+		// Attempt to match against a valid DNS name
+		r := regexp.MustCompile(`^(?:(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])$`)
+
+		if !r.MatchString(name) {
+			return fmt.Errorf("%w: name must be a valid DNS name or an alphanumeric sequence", ErrValidationFailed)
+		}
+	}
+
+	return nil
+}
+
 // SerializeMetadata serializes the given Metadata object into JSON.
 func SerializeMetadata(meta *Metadata) ([]byte, error) {
 	return json.Marshal(meta)

diff --git a/internal/projects/meta_test.go b/internal/projects/meta_test.go
@@ -0,0 +1,86 @@
+//
+// Copyright 2024 Stacklok, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package projects contains utilities for working with projects.
+package projects
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestValidateName(t *testing.T) {
+	t.Parallel()
+
+	type args struct {
+		name string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name:    "valid name",
+			args:    args{name: "valid-name"},
+			wantErr: false,
+		},
+		{
+			name:    "valid name with numbers",
+			args:    args{name: "valid-name-123"},
+			wantErr: false,
+		},
+		{
+			name:    "valid DNS name",
+			args:    args{name: "valid-name-123.stacklok.com"},
+			wantErr: false,
+		},
+		{
+			name:    "invalid name",
+			args:    args{name: "invalid name"},
+			wantErr: true,
+		},
+		{
+			name:    "empty name",
+			args:    args{name: ""},
+			wantErr: true,
+		},
+		{
+			name: "name too long",
+			// 65 characters
+			args:    args{name: strings.Repeat("a", 65)},
+			wantErr: true,
+		},
+		{
+			name:    "slash in the name",
+			args:    args{name: "name/with/slash"},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := ValidateName(tt.args.name)
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}