feat(IDN): add support for international domains

Utilize idna python package to support international domains
Requires router#76ea246

Author: HL70

rootfs/api/serializers.py

@@ -5,6 +5,7 @@
 import json
 import re
 import jsonschema
+import idna
 from urllib.parse import urlparse
 
 from django.contrib.auth.models import User
@@ -376,35 +377,47 @@ def validate_domain(self, value):
         """
         Check that the hostname is valid
         """
-        if len(value) > 255:
-            raise serializers.ValidationError('Hostname must be 255 characters or less.')
-
         if value[-1:] == ".":
             value = value[:-1]  # strip exactly one dot from the right, if present
 
+        if value == "*":
+            raise serializers.ValidationError("Hostname can't only be a wildcard")
+
         labels = value.split('.')
-        if 'xip.io' in value:
-            return value
 
         # Let wildcards through by not trying to validate it
-        if labels[0] == '*':
+        wildcard = True if labels[0] == '*' else False
+        if wildcard:
             labels.pop(0)
-            if len(labels) == 0:
-                raise serializers.ValidationError("Hostname can't only be a wildcard")
-
-        # TODO this doesn't support IDN domains
-        allowed = re.compile("^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.IGNORECASE)
-        for label in labels:
-            match = allowed.match(label)
-            if not match or '--' in label or label.isdigit() or \
-               len(labels) == 1 and any(char.isdigit() for char in label):
-                raise serializers.ValidationError('Hostname does not look valid.')
-
-        if models.Domain.objects.filter(domain=value).exists():
+
+        try:
+            # IDN domain labels to ACE (IDNA2008)
+            def ToACE(x): return idna.alabel(x).decode("utf-8", "strict")
+            labels = list(map(ToACE, labels))
+        except idna.IDNAError as e:
+            raise serializers.ValidationError(
+               "Hostname does not look valid, could not convert to ACE {}: {}"
+               .format(value, e))
+
+        # TLD must not only contain digits according to RFC 3696
+        if labels[-1].isdigit():
+            raise serializers.ValidationError('Hostname does not look valid.')
+
+        # prepend wildcard 'label' again if removed before
+        if wildcard:
+            labels.insert(0, '*')
+
+        # recreate value using ACE'd labels
+        aceValue = '.'.join(labels)
+
+        if len(aceValue) > 253:
+            raise serializers.ValidationError('Hostname must be 253 characters or less.')
+
+        if models.Domain.objects.filter(domain=aceValue).exists():
             raise serializers.ValidationError(
-                "The domain {} is already in use by another app".format(value))
+               "The domain {} is already in use by another app".format(value))
 
-        return value
+        return aceValue
 
 
 class CertificateSerializer(serializers.ModelSerializer):

rootfs/api/tests/test_domain.py

@@ -13,6 +13,8 @@
 from api.models import Domain
 from scheduler import KubeException
 
+import idna
+
 
 class DomainTest(APITestCase):
 
@@ -73,18 +75,136 @@ def test_strip_dot(self):
         expected = [data['domain'] for data in response.data['results']]
         self.assertEqual([self.app_id, domain], expected, msg)
 
+    def test_manage_idn_domain(self):
+        url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
+        test_domains = [
+            'ドメイン.テスト',
+            'xn--eckwd4c7c.xn--zckzah',
+            'xn--80ahd1agd.ru',
+            'домена.ru',
+            '*.домена.испытание',
+            'täst.königsgäßchen.de',
+            'xn--tst-qla.xn--knigsgsschen-lcb0w.de',
+            'ドメイン.xn--zckzah',
+            'xn--eckwd4c7c.テスト',
+            'täst.xn--knigsgsschen-lcb0w.de',
+            '*.xn--tst-qla.königsgäßchen.de'
+        ]
+        for domain in test_domains:
+            msg = "failed on '{}'".format(domain)
+
+            # Generate ACE and Unicode variant for domain
+            if domain.startswith("*."):
+                ace_domain = "*." + idna.encode(domain[2:]).decode("utf-8", "strict")
+                unicode_domain = "*." + idna.decode(ace_domain[2:])
+            else:
+                ace_domain = idna.encode(domain).decode("utf-8", "strict")
+                unicode_domain = idna.decode(ace_domain)
+
+            # Create
+            response = self.client.post(url, {'domain': domain})
+            self.assertEqual(response.status_code, 201, msg)
+
+            # Fetch
+            url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
+            response = self.client.get(url)
+            expected = [data['domain'] for data in response.data['results']]
+            self.assertEqual([self.app_id, ace_domain], expected, msg)
+
+            # Verify creation failure for same domain with different encoding
+            if ace_domain != domain:
+                response = self.client.post(url, {'domain': ace_domain})
+                self.assertEqual(response.status_code, 400, msg)
+
+            # Verify creation failure for same domain with different encoding
+            if unicode_domain != domain:
+                response = self.client.post(url, {'domain': unicode_domain})
+                self.assertEqual(response.status_code, 400, msg)
+
+            # Delete
+            url = '/v2/apps/{app_id}/domains/{hostname}'.format(hostname=domain,
+                                                                app_id=self.app_id)
+            response = self.client.delete(url)
+            self.assertEqual(response.status_code, 204, msg)
+
+            # Verify removal
+            url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
+            response = self.client.get(url)
+            self.assertEqual(1, response.data['count'], msg)
+
+            # verify only app domain is left
+            expected = [data['domain'] for data in response.data['results']]
+            self.assertEqual([self.app_id], expected, msg)
+
+            # Use different encoding for creating and deleting (ACE)
+            if ace_domain != domain:
+                # Create
+                response = self.client.post(url, {'domain': domain})
+                self.assertEqual(response.status_code, 201, msg)
+
+                # Fetch
+                url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
+                response = self.client.get(url)
+                expected = [data['domain'] for data in response.data['results']]
+                self.assertEqual([self.app_id, ace_domain], expected, msg)
+
+                # Delete
+                url = '/v2/apps/{app_id}/domains/{hostname}'.format(hostname=ace_domain,
+                                                                    app_id=self.app_id)
+                response = self.client.delete(url)
+                self.assertEqual(response.status_code, 204, msg)
+
+                # Verify removal
+                url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
+                response = self.client.get(url)
+                self.assertEqual(1, response.data['count'], msg)
+
+                # verify only app domain is left
+                expected = [data['domain'] for data in response.data['results']]
+                self.assertEqual([self.app_id], expected, msg)
+
+            # Use different encoding for creating and deleting (Unicode)
+            if unicode_domain != domain:
+                # Create
+                response = self.client.post(url, {'domain': domain})
+                self.assertEqual(response.status_code, 201, msg)
+
+                # Fetch
+                url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
+                response = self.client.get(url)
+                expected = [data['domain'] for data in response.data['results']]
+                self.assertEqual([self.app_id, ace_domain], expected, msg)
+
+                # Delete
+                url = '/v2/apps/{app_id}/domains/{hostname}'.format(hostname=unicode_domain,
+                                                                    app_id=self.app_id)
+                response = self.client.delete(url)
+                self.assertEqual(response.status_code, 204, msg)
+
+                # Verify removal
+                url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
+                response = self.client.get(url)
+                self.assertEqual(1, response.data['count'], msg)
+
+                # verify only app domain is left
+                expected = [data['domain'] for data in response.data['results']]
+                self.assertEqual([self.app_id], expected, msg)
+
     def test_manage_domain(self):
         url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
         test_domains = [
             'test-domain.example.com',
             'django.paas-sandbox',
+            'django.paas--sandbox',
             'domain',
             'not.too.loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong',
             '3com.com',
+            'domain1',
+            '3333.xyz',
             'w3.example.com',
             'MYDOMAIN.NET',
             'autotest.127.0.0.1.xip.io',
-            '*.deis.example.com',
+            '*.deis.example.com'
         ]
 
         for domain in test_domains:
@@ -161,13 +281,12 @@ def test_manage_domain_invalid_domain(self):
         test_domains = [
             'this_is_an.invalid.domain',
             'this-is-an.invalid.1',
-            'django.pass--sandbox',
-            'domain1',
-            '3333.com',
+            'django.pa--assandbox',
             'too.looooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong',
             'foo.*.bar.com',
             '*',
-            'a' * 300
+            'a' * 300,
+            '.'.join(['a'] * 128)
         ]
         for domain in test_domains:
             msg = "failed on \"{}\"".format(domain)

rootfs/api/views.py

@@ -291,7 +291,17 @@ class DomainViewSet(AppResourceViewSet):
 
     def get_object(self, **kwargs):
         qs = self.get_queryset(**kwargs)
-        return get_object_or_404(qs, domain=self.kwargs['domain'])
+        domain = self.kwargs['domain']
+        # support IDN domains, i.e. accept Unicode encoding too
+        try:
+            import idna
+            if domain.startswith("*."):
+                ace_domain = "*." + idna.encode(domain[2:]).decode("utf-8", "strict")
+            else:
+                ace_domain = idna.encode(domain).decode("utf-8", "strict")
+        except:
+            ace_domain = domain
+        return get_object_or_404(qs, domain=ace_domain)
 
 
 class CertificateViewSet(BaseDeisViewSet):

rootfs/requirements.txt

@@ -17,3 +17,4 @@ requests==2.10.0
 requests-toolbelt==0.6.2
 simpleflock==0.0.3
 jsonschema==2.5.1
+idna==2.1