[pmg-devel] [PATCH pmg-api v2] utils: user schema: explicitly forbid @ in user-names

[Stoiko Ivanov]

PMGs terms are:
* 'userid' consists of 'username'@'realm'

without this patch it was possible to create a user through the api,
with @ in the username ('foo at bar@pmg'), and it got written to the
user-conf.
Reading that entry was not possible, as the verification on read was
stricter.

This patch forbids '@' in usernames, and additionally drops the
maxLength of 64, as 60 are already enforced by the regex pattern match
(leaving 4 as minimal length for '@pmg'/'@pam').

Potential for regression should be minimal (the users could not be
read-back from the config).

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
minimally tested on top of latest master
- 128 character username
- a at a@pmg
both failing
- 60 character username at pmg - succeeds
 src/PMG/Utils.pm | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
index c187f93..70e8317 100644
--- a/src/PMG/Utils.pm
+++ b/src/PMG/Utils.pm
@@ -49,7 +49,7 @@ postgres_admin_cmd
 try_decode_utf8
 );
 
-my $user_regex = qr![^\s:/]+!;
+my $user_regex = qr![^\s:@/]+!;
 
 PVE::JSONSchema::register_standard_option('pmg-starttime', {
     description => "Only consider entries newer than 'starttime' (unix epoch). Default is 'now - 1day'.",
@@ -103,7 +103,6 @@ PVE::JSONSchema::register_standard_option('username', {
     description => "Username (without realm)",
     type => 'string',
     pattern => '[^\s:\/\@]{1,60}',
-    maxLength => 64,
 });
 
 PVE::JSONSchema::register_standard_option('pmg-email-address', {
-- 
2.39.5