[pve-devel] [PATCH common v2 1/5] schema: add `ldap-dn` format for validating LDAP distinguished names

[Christoph Heiss]

The Net::LDAP library conveniently provides a canonical_dn() function,
which can be used to (roughly) check if a DN is valid or not. This will
be used in future changes to replace the current dreaded regex to
validate DNs.

pve-common previously already (silently) depended on the Net::LDAP
library (see PVE::LDAP), but `libnet-ldap-perl` was missing in the
control file - fix it while at it.

Signed-off-by: Christoph Heiss <c.heiss at proxmox.com>
---
Changes v1 -> v2:
  * No changes

 debian/control        |  1 +
 src/PVE/JSONSchema.pm | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/debian/control b/debian/control
index ac4cd66..53cbb57 100644
--- a/debian/control
+++ b/debian/control
@@ -34,6 +34,7 @@ Depends: libanyevent-perl,
          libmime-base32-perl,
          libnet-dbus-perl,
          libnet-ip-perl,
+         libnet-ldap-perl,
          libnetaddr-ip-perl,
          libproxmox-acme-perl,
          libproxmox-rs-perl,
diff --git a/src/PVE/JSONSchema.pm b/src/PVE/JSONSchema.pm
index 7589bba..8238281 100644
--- a/src/PVE/JSONSchema.pm
+++ b/src/PVE/JSONSchema.pm
@@ -12,6 +12,7 @@ use PVE::Exception qw(raise);
 use HTTP::Status qw(:constants);
 use JSON;
 use Net::IP qw(:PROC);
+use Net::LDAP::Util;
 use Data::Dumper;

 use base 'Exporter';
@@ -414,6 +415,17 @@ sub verify_ldap_simple_attr {
     return undef;
 }

+PVE::JSONSchema::register_format('ldap-dn', \&verify_ldap_dn);
+sub verify_ldap_dn {
+    my ($attr, $noerr) = @_;
+
+    # canonical_dn() considers emtpy strings as valid DNs, so reject them explicitly.
+    return $attr if $attr ne '' && defined(Net::LDAP::Util::canonical_dn($attr));
+
+    die "value '$attr' does not look like a valid LDAP distinguished name\n" if !$noerr;
+    return undef;
+}
+
 my $ipv4_mask_hash = {
     '0.0.0.0' => 0,
     '128.0.0.0' => 1,
--
2.41.0