[pve-devel] [PATCH common 1/5] schema: add `ldap-dn` format for validating LDAP distinguished names
Christoph Heiss
c.heiss at proxmox.com
Wed Jul 19 17:51:50 CEST 2023
The Net::LDAP library conveniently provides a canonical_dn() function,
which can be used to (roughly) check if a DN is valid or not. This will
be used in future changes to replace the current dreaded regex to
validate DNs.
pve-common previously already (silently) depended on the Net::LDAP
library (see PVE::LDAP), but `libnet-ldap-perl` was missing in the
control file - fix it while at it.
Signed-off-by: Christoph Heiss <c.heiss at proxmox.com>
---
debian/control | 1 +
src/PVE/JSONSchema.pm | 12 ++++++++++++
2 files changed, 13 insertions(+)
diff --git a/debian/control b/debian/control
index ac4cd66..53cbb57 100644
--- a/debian/control
+++ b/debian/control
@@ -34,6 +34,7 @@ Depends: libanyevent-perl,
libmime-base32-perl,
libnet-dbus-perl,
libnet-ip-perl,
+ libnet-ldap-perl,
libnetaddr-ip-perl,
libproxmox-acme-perl,
libproxmox-rs-perl,
diff --git a/src/PVE/JSONSchema.pm b/src/PVE/JSONSchema.pm
index 7589bba..8238281 100644
--- a/src/PVE/JSONSchema.pm
+++ b/src/PVE/JSONSchema.pm
@@ -12,6 +12,7 @@ use PVE::Exception qw(raise);
use HTTP::Status qw(:constants);
use JSON;
use Net::IP qw(:PROC);
+use Net::LDAP::Util;
use Data::Dumper;
use base 'Exporter';
@@ -414,6 +415,17 @@ sub verify_ldap_simple_attr {
return undef;
}
+PVE::JSONSchema::register_format('ldap-dn', \&verify_ldap_dn);
+sub verify_ldap_dn {
+ my ($attr, $noerr) = @_;
+
+ # canonical_dn() considers emtpy strings as valid DNs, so reject them explicitly.
+ return $attr if $attr ne '' && defined(Net::LDAP::Util::canonical_dn($attr));
+
+ die "value '$attr' does not look like a valid LDAP distinguished name\n" if !$noerr;
+ return undef;
+}
+
my $ipv4_mask_hash = {
'0.0.0.0' => 0,
'128.0.0.0' => 1,
--
2.41.0
More information about the pve-devel
mailing list