authorMartin Kosek <mkosek@redhat.com>2011-10-24 18:35:48 +0200
committerMartin Kosek <mkosek@redhat.com>2011-10-26 08:52:50 +0200
commitb26d0dcc04e821543b8582328e99e630b752768f (patch)
treea6e2e651260456ab6147f61217561dac9fdbeca0 /ipalib
parent9bdbdbc0f32b87d0fcdc2b9faa98e7c674b2464d (diff)
Add --zonemgr/--admin-mail validator
Do at least a basic validation of DNS zone manager mail address. Do not require '@' to be in the mail address as the SOA record stores this value without it and people may be used to configuring it that way. '@' is always removed by the installer/dns plugin before the DNS zone is created. https://fedorahosted.org/freeipa/ticket/1966
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/dns.py9
-rw-r--r--ipalib/util.py30
2 files changed, 39 insertions, 0 deletions
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index f6bbb3c4f..97eb6a6d4 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -26,6 +26,7 @@ from ipalib import Command
from ipalib import Flag, Int, List, Str, StrEnum
from ipalib.plugins.baseldap import *
from ipalib import _, ngettext
+from ipalib.util import validate_zonemgr
from ipapython import dnsclient
from ipapython.ipautil import valid_ip
from ldap import explode_dn
@@ -136,6 +137,13 @@ _record_attributes = [str('%srecord' % t.lower()) for t in _record_types]
# supported DNS classes, IN = internet, rest is almost never used
_record_classes = (u'IN', u'CS', u'CH', u'HS')
+def _rname_validator(ugettext, zonemgr):
+ try:
+ validate_zonemgr(zonemgr)
+ except ValueError, e:
+ return unicode(e)
+ return None
+
# normalizer for admin email
def _rname_normalizer(value):
value = value.replace('@', '.')
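Review bot: `_rname_validator` is added without a comment, unlike `_rname_normalizer` directly below it, and its contract is not obvious from the body. It turns the ValueError raised by validate_zonemgr into a returned message and returns None when the value is accepted. I would add `# validator for admin email: returns the error text, or None if the value is valid` above the def. The `ugettext` argument is accepted but never used in the body, which deserves a word in that comment if the parameter framework requires this signature.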
@@ -323,6 +331,7 @@ class dnszone(LDAPObject):
doc=_('Authoritative nameserver domain name'),
),
Str('idnssoarname',
+ _rname_validator,
cli_name='admin_email',
label=_('Administrator e-mail address'),
doc=_('Administrator e-mail address'),
diff --git a/ipalib/util.py b/ipalib/util.py
index cc887c348..fa93cc750 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -203,3 +203,33 @@ def check_writable_file(filename):
fp.close()
except (IOError, OSError), e:
raise errors.FileError(reason=str(e))
+
+
+def validate_zonemgr(zonemgr):
+ """ See RFC 1033, 1035 """
+ regex_domain = re.compile(r'^[a-z0-9][a-z0-9-]*$', re.IGNORECASE)
+ regex_name = re.compile(r'^[a-z0-9][a-z0-9-_]*$', re.IGNORECASE)
+
+ if len(zonemgr) > 255:
+ raise ValueError(_('cannot be longer that 255 characters'))
+
+ if zonemgr.count('@') == 1:
+ name, dot, domain = zonemgr.partition('@')
+ elif zonemgr.count('@') > 1:
+ raise ValueError(_('too many \'@\' characters'))
+ else:
+ # address in SOA format already (without @)
+ name, dot, domain = zonemgr.partition('.')
+
+ if domain.endswith('.'):
+ domain = domain[:-1]
+
+ if '.' not in domain:
+ raise ValueError(_('address domain is not fully qualified ' \
+ '("example.com" instead of just "example")'))
+
+ if not regex_name.match(name):
+ raise ValueError(_('mail account may only include letters, numbers, -, and _'))
+
+ if not all(regex_domain.match(part) for part in domain.split(".")):
+ raise ValueError(_('domain name may only include letters, numbers, and -'))