// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package acl
import (
"fmt"
"regexp"
"strings"
)
const (
ServiceIdentityNameMaxLength = 256
NodeIdentityNameMaxLength = 256
PolicyNameMaxLength = 128
)
var (
validServiceIdentityName = regexp . MustCompile ( ` ^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$ ` )
validNodeIdentityName = regexp . MustCompile ( ` ^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$ ` )
validPolicyName = regexp . MustCompile ( ` ^[A-Za-z0-9\-_]+\/?[A-Za-z0-9\-_]*$ ` )
validRoleName = regexp . MustCompile ( ` ^[A-Za-z0-9\-_] { 1,256}$ ` )
validAuthMethodName = regexp . MustCompile ( ` ^[A-Za-z0-9\-_] { 1,128}$ ` )
)
// IsValidServiceIdentityName returns true if the provided name can be used as
// an ACLServiceIdentity ServiceName. This is more restrictive than standard
// catalog registration, which basically takes the view that "everything is
// valid".
func IsValidServiceIdentityName ( name string ) bool {
if len ( name ) < 1 || len ( name ) > ServiceIdentityNameMaxLength {
return false
}
return validServiceIdentityName . MatchString ( name )
}
// IsValidNodeIdentityName returns true if the provided name can be used as
// an ACLNodeIdentity NodeName. This is more restrictive than standard
// catalog registration, which basically takes the view that "everything is
// valid".
func IsValidNodeIdentityName ( name string ) bool {
if len ( name ) < 1 || len ( name ) > NodeIdentityNameMaxLength {
return false
}
return validNodeIdentityName . MatchString ( name )
}
// ValidatePolicyName returns nil if the provided name can be used as an
// ACLPolicy Name otherwise a useful error is returned.
func ValidatePolicyName ( name string ) error {
if len ( name ) < 1 || len ( name ) > PolicyNameMaxLength {
return fmt . Errorf ( "Invalid Policy: invalid Name. Length must be greater than 0 and less than %d" , PolicyNameMaxLength )
}
if strings . HasPrefix ( name , "/" ) || strings . HasPrefix ( name , ReservedBuiltinPrefix ) {
return fmt . Errorf ( "Invalid Policy: invalid Name. Names cannot be prefixed with '/' or '%s'" , ReservedBuiltinPrefix )
}
if ! validPolicyName . MatchString ( name ) {
return fmt . Errorf ( "Invalid Policy: invalid Name. Only alphanumeric characters, a single '/', '-' and '_' are allowed" )
}
return nil
}
// IsValidRoleName returns true if the provided name can be used as an
// ACLRole Name.
func IsValidRoleName ( name string ) bool {
return validRoleName . MatchString ( name )
}
func IsValidPolicyName ( name string ) bool {
return ValidatePolicyName ( name ) == nil
}
// IsValidRoleName returns true if the provided name can be used as an
// ACLAuthMethod Name.
func IsValidAuthMethodName ( name string ) bool {
return validAuthMethodName . MatchString ( name )
}