fix(serializers): validate tags properly as k8s labels

Author: mboersma

rootfs/api/serializers.py

@@ -14,8 +14,7 @@
 PROCTYPE_MATCH = re.compile(r'^(?P<type>[a-z]+)')
 MEMLIMIT_MATCH = re.compile(r'^(?P<mem>[0-9]+(MB|KB|GB|[BKMG]))$', re.IGNORECASE)
 CPUSHARE_MATCH = re.compile(r'^(?P<cpu>[0-9.]+[m]{0,1})$')
-TAGKEY_MATCH = re.compile(r'^[a-z]+$')
-TAGVAL_MATCH = re.compile(r'^\w+$')
+TAGVAL_MATCH = re.compile(r'^(?:[a-zA-Z\d][-\.\w]{0,61})?[a-zA-Z\d]$')
 CONFIGKEY_MATCH = re.compile(r'^[a-z_]+[a-z0-9_]*$', re.IGNORECASE)
 
 
@@ -181,11 +180,31 @@ def validate_tags(self, data):
             if value is None:  # use NoneType to unset an item
                 continue
 
-            if not re.match(TAGKEY_MATCH, key):
-                raise serializers.ValidationError("Tag keys can only contain [a-z]")
+            # split key into a prefix and name
+            if '/' in key:
+                prefix, name = key.split('/')
+            else:
+                prefix, name = None, key
+
+            # validate optional prefix
+            if prefix:
+                if len(prefix) > 253:
+                    raise serializers.ValidationError(
+                        "Tag key prefixes must 253 characters or less.")
+                for part in prefix.split('/'):
+                    if not re.match(TAGVAL_MATCH, part):
+                        raise serializers.ValidationError(
+                            "Tag key prefixes must be DNS subdomains.")
+
+            # validate required name
+            if not re.match(TAGVAL_MATCH, name):
+                raise serializers.ValidationError(
+                    "Tag keys must be alphanumeric or \"-_.\", and 1-63 characters.")
 
-            if not re.match(TAGVAL_MATCH, str(value)):
-                raise serializers.ValidationError("Invalid tag data")
+            # validate value if it isn't empty
+            if value and not re.match(TAGVAL_MATCH, str(value)):
+                raise serializers.ValidationError(
+                    "Tag values must be alphanumeric or \"-_.\", and 1-63 characters.")
 
         return data
 

rootfs/api/tests/test_config.py

@@ -509,12 +509,33 @@ def test_tags(self):
         tags4 = response.data
         self.assertNotEqual(tags3['uuid'], tags4['uuid'])
         self.assertNotIn('rack', json.dumps(response.data['tags']))
+        # set valid values
+        body = {'tags': json.dumps({'kubernetes.io/hostname': 'valid'})}
+        response = self.client.post(url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.token))
+        self.assertEqual(response.status_code, 201)
+        body = {'tags': json.dumps({'is.valid': 'is-also_valid'})}
+        response = self.client.post(url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.token))
+        self.assertEqual(response.status_code, 201)
+        body = {'tags': json.dumps({'host.the-name.com/is.valid': 'valid'})}
+        response = self.client.post(url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.token))
+        self.assertEqual(response.status_code, 201)
         # set invalid values
         body = {'tags': json.dumps({'valid': 'in\nvalid'})}
         response = self.client.post(url, json.dumps(body), content_type='application/json',
                                     HTTP_AUTHORIZATION='token {}'.format(self.token))
         self.assertEqual(response.status_code, 400)
-        body = {'tags': json.dumps({'in.valid': 'valid'})}
+        body = {'tags': json.dumps({'host.name.com/notvalid-': 'valid'})}
+        response = self.client.post(url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.token))
+        self.assertEqual(response.status_code, 400)
+        body = {'tags': json.dumps({'valid': 'invalid.'})}
+        response = self.client.post(url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.token))
+        self.assertEqual(response.status_code, 400)
+        body = {'tags': json.dumps({'host.name.com/,not.valid': 'valid'})}
         response = self.client.post(url, json.dumps(body), content_type='application/json',
                                     HTTP_AUTHORIZATION='token {}'.format(self.token))
         self.assertEqual(response.status_code, 400)