From fb613b93cd32edf1f72c7644b5672d2760016221 Mon Sep 17 00:00:00 2001 From: kedy Date: Thu, 23 Nov 2017 12:49:08 +0800 Subject: [PATCH] Fix allow the use of blank in user group name to access the share Allows the use of blank in user group name, manila client also need to fix Change-Id: I636e485992185ed8a766eddb6cba89daff0bd00e Partial-Bug: #1733494 --- manila/api/common.py | 18 ++++++++++++++++-- manila/tests/api/test_common.py | 5 ++++- manila/tests/api/v1/test_shares.py | 10 +++++++--- manila/tests/api/v2/test_shares.py | 16 +++++++++++++--- ...with-blank-access-fix-665b3e42bdc985ac.yaml | 4 ++++ 5 files changed, 44 insertions(+), 9 deletions(-) create mode 100644 releasenotes/notes/bug-1733494-allow-user-group-name-with-blank-access-fix-665b3e42bdc985ac.yaml diff --git a/manila/api/common.py b/manila/api/common.py index cda216fb7c..67234c75a1 100644 --- a/manila/api/common.py +++ b/manila/api/common.py 
@@ -309,14 +309,28 @@ def validate_common_name(access): exc_str = _('Invalid CN (common name). Must be 1-64 chars long.') raise webob.exc.HTTPBadRequest(explanation=exc_str) +''' +for the reference specification for AD usernames, reference below links: + + 1:https://msdn.microsoft.com/en-us/library/bb726984.aspx + 2:https://technet.microsoft.com/en-us/library/cc733146.aspx +''' + def validate_username(access): - valid_username_re = '[\w\$\.\-_\`;\'\{\}\[\]\\\\]{4,255}$' + sole_periods_spaces_re = '[\s|\.]+$' + valid_username_re = '.[^\"\/\\\[\]\:\;\|\=\,\+\*\?\<\>]{3,254}$' username = access + + if re.match(sole_periods_spaces_re, username): + exc_str = ('Invalid user or group name,cannot consist solely ' + 'of periods or spaces.') + raise webob.exc.HTTPBadRequest(explanation=exc_str) + if not re.match(valid_username_re, username): exc_str = ('Invalid user or group name. Must be 4-255 characters ' 'and consist of alphanumeric characters and ' - 'special characters $]{.-_\'`;}[\\') + 'exclude special characters "/\[]:;|=,+*?<>') raise webob.exc.HTTPBadRequest(explanation=exc_str) diff --git a/manila/tests/api/test_common.py b/manila/tests/api/test_common.py index fb3205bb0a..f5255aa273 100644 --- a/manila/tests/api/test_common.py +++ b/manila/tests/api/test_common.py @@ -258,6 +258,8 @@ class MiscFunctionsTest(test.TestCase): @ddt.data(['ip', '1.1.1.1', False, False], ['user', 'alice', False, False], ['cert', 'alice', False, False], ['cephx', 'alice', True, False], ['user', 'alice$', False, False], + ['user', 'test group name', False, False], + ['user', 'group$.-_\'`{}', False, False], ['ip', '172.24.41.0/24', False, False], ['ip', '1001::1001', False, True], ['ip', '1001::1000/120', False, True]) 
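Review bot: In `validate_username`, the new `valid_username_re` begins with a bare `.`, so the first character of the name is never checked against the excluded set. A name such as `+group` or `/abcd` passes even though the error text says those characters are excluded. The negated class also accepts control characters and embedded newlines, and `$` under `re.match` tolerates a trailing newline, so more reaches the share backends than under the old allowlist (how drivers consume `access_to` is not visible on this page). I would fold everything into one anchored class, `valid_username_re = r'[^\x00-\x1f"/\\\[\]:;|=,+*?<>]{4,255}\Z'`, and write the first check as `sole_periods_spaces_re = r'[\s.]+\Z'`, because `|` inside `[...]` is a literal pipe, not alternation. Raw strings also avoid the invalid-escape warnings that `'\s'` and `'\/'` raise on current Python 3, and the reference links would read better as `#` comments than as a bare module-level string.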
@@ -270,7 +272,8 @@ class MiscFunctionsTest(test.TestCase): ['ip', '255.255.255.265', False], ['ip', '1.1.1.0/34', False], ['cert', '', False], ['cephx', 'client.alice', True], ['group', 'alice', True], ['cephx', 'alice', False], - ['cephx', '', True], ['user', 'bob', False], + ['cephx', '', True], ['user', 'bob/', False], + ['user', 'group<>', False], ['user', '+=*?group', False], ['ip', '1001::1001/256', False], ['ip', '1001:1001/256', False],) @ddt.unpack diff --git a/manila/tests/api/v1/test_shares.py b/manila/tests/api/v1/test_shares.py index ffaa2f30cd..12b2c10723 100644 --- a/manila/tests/api/v1/test_shares.py +++ b/manila/tests/api/v1/test_shares.py @@ -787,8 +787,10 @@ class ShareActionsTest(test.TestCase): {'access_type': 'ip', 'access_to': '127.0.0.1'}, {'access_type': 'user', 'access_to': '1' * 4}, {'access_type': 'user', 'access_to': '1' * 255}, - {'access_type': 'user', 'access_to': 'fake\\]{.-_\'`;}['}, - {'access_type': 'user', 'access_to': 'MYDOMAIN\\Administrator'}, + {'access_type': 'user', 'access_to': 'fake{.-_\'`}'}, + {'access_type': 'user', 'access_to': 'MYDOMAIN-Administrator'}, + {'access_type': 'user', 'access_to': 'test group name'}, + {'access_type': 'user', 'access_to': 'group$.-_\'`{}'}, {'access_type': 'cert', 'access_to': 'x'}, {'access_type': 'cert', 'access_to': 'tenant.example.com'}, {'access_type': 'cert', 'access_to': 'x' * 64}, @@ -821,7 +823,9 @@ class ShareActionsTest(test.TestCase): {'access_type': 'user', 'access_to': '1'}, {'access_type': 'user', 'access_to': '1' * 3}, {'access_type': 'user', 'access_to': '1' * 256}, - {'access_type': 'user', 'access_to': 'root^'}, + {'access_type': 'user', 'access_to': 'root<>'}, + {'access_type': 'user', 'access_to': 'group\\'}, + {'access_type': 'user', 'access_to': '+=*?group'}, {'access_type': 'cert', 'access_to': ''}, {'access_type': 'cert', 'access_to': ' '}, {'access_type': 'cert', 'access_to': 'x' * 65}, 
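Review bot: The new negative case `['user', '+=*?group', False]` is rejected because of its second character, so nothing in this table checks a name whose only excluded character is the first one. Adding `['user', '+group', False]` and a name with an embedded newline such as `['user', 'gro\nup', False]` would pin the behaviour the error message promises. Replacing `['user', 'bob', False]` with `'bob/'` also removes the too-short case from this list. The v1 and v2 `test_shares.py` invalid lists use the same `'+=*?group'` entry and need the same additions. The `@ddt.data` decorator starts above the hunk.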
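Review bot: In the v1 `test_shares.py` hunks, the valid list swaps `'MYDOMAIN\\Administrator'` for `'MYDOMAIN-Administrator'` and the invalid list gains `'group\\'`. Domain-qualified names with a backslash, accepted before this change, now get HTTP 400, and `;`, `[` and `]` move from allowed to rejected in the same way. If any deployment already grants access by `DOMAIN\user`, this is a compatibility break; the page does not show whether that is intended. The release note mentions only that blanks are now allowed, so it should at least list the characters that are newly refused. The v2 `test_shares.py` hunks make the same substitution.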
diff --git a/manila/tests/api/v2/test_shares.py b/manila/tests/api/v2/test_shares.py index 0d837cdb20..e4eb4853ae 100644 --- a/manila/tests/api/v2/test_shares.py +++ b/manila/tests/api/v2/test_shares.py @@ -1922,10 +1922,16 @@ class ShareActionsTest(test.TestCase): "version": "2.7"}, {"access": {'access_type': 'user', 'access_to': '1' * 255}, "version": "2.7"}, - {"access": {'access_type': 'user', 'access_to': 'fake\\]{.-_\'`;}['}, + {"access": {'access_type': 'user', 'access_to': 'fake{.-_\'`}'}, "version": "2.7"}, {"access": {'access_type': 'user', - 'access_to': 'MYDOMAIN\\Administrator'}, + 'access_to': 'MYDOMAIN-Administrator'}, + "version": "2.7"}, + {"access": {'access_type': 'user', + 'access_to': 'test group name'}, + "version": "2.7"}, + {"access": {'access_type': 'user', + 'access_to': 'group$.-_\'`{}'}, "version": "2.7"}, {"access": {'access_type': 'cert', 'access_to': 'x'}, "version": "2.7"}, @@ -1980,7 +1986,11 @@ class ShareActionsTest(test.TestCase): "version": "2.7"}, {"access": {'access_type': 'user', 'access_to': '1' * 256}, "version": "2.7"}, - {"access": {'access_type': 'user', 'access_to': 'root^'}, + {"access": {'access_type': 'user', 'access_to': 'root<>'}, + "version": "2.7"}, + {"access": {'access_type': 'user', 'access_to': 'group\\'}, + "version": "2.7"}, + {"access": {'access_type': 'user', 'access_to': '+=*?group'}, "version": "2.7"}, {"access": {'access_type': 'cert', 'access_to': ''}, "version": "2.7"}, diff --git a/releasenotes/notes/bug-1733494-allow-user-group-name-with-blank-access-fix-665b3e42bdc985ac.yaml b/releasenotes/notes/bug-1733494-allow-user-group-name-with-blank-access-fix-665b3e42bdc985ac.yaml new file mode 100644 index 0000000000..d3843fb9e0 --- /dev/null +++ b/releasenotes/notes/bug-1733494-allow-user-group-name-with-blank-access-fix-665b3e42bdc985ac.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - Allows the use of blank in user group name, since + the AD allow user group name to include blank.