chore: add validation to user and role creation

nikhilsinhaparseable · nikhilsinhaparseable · commit 968b4083e9b8 · 2025-09-17T21:21:19.000-07:00
below validations are added to both user and role names at creation -

1. the length should be between 3-64 characters
2. the name should not be any of these -
   admin, user, role, null, undefined, none, empty, password, username
3. first and the last character must be alphanumeric
4. allow any of these special characters - `_, -,.`
5. no two consecutive characters should be special character
diff --git a/src/handlers/http/modal/query/querier_rbac.rs b/src/handlers/http/modal/query/querier_rbac.rs
@@ -44,10 +44,9 @@ pub async fn post_user(
     body: Option<web::Json<serde_json::Value>>,
 ) -> Result<impl Responder, RBACError> {
     let username = username.into_inner();
-
+    validator::user_role_name(&username)?;
     let mut metadata = get_metadata().await?;
 
-    validator::user_name(&username)?;
     let user_roles: HashSet<String> = if let Some(body) = body {
         serde_json::from_value(body.into_inner())?
     } else {
diff --git a/src/handlers/http/modal/query/querier_role.rs b/src/handlers/http/modal/query/querier_role.rs
@@ -33,6 +33,7 @@ use crate::{
         map::{mut_roles, mut_sessions, read_user_groups, users},
         role::model::DefaultPrivilege,
     },
+    validator,
 };
 
 // Handler for PUT /api/v1/role/{name}
@@ -42,6 +43,8 @@ pub async fn put(
     Json(privileges): Json<Vec<DefaultPrivilege>>,
 ) -> Result<impl Responder, RoleError> {
     let name = name.into_inner();
+    // validate the role name
+    validator::user_role_name(&name).map_err(|e| RoleError::Anyhow(e.into()))?;
     let mut metadata = get_metadata().await?;
     metadata.roles.insert(name.clone(), privileges.clone());
 
diff --git a/src/handlers/http/rbac.rs b/src/handlers/http/rbac.rs
@@ -101,10 +101,9 @@ pub async fn post_user(
     body: Option<web::Json<serde_json::Value>>,
 ) -> Result<impl Responder, RBACError> {
     let username = username.into_inner();
-
+    validator::user_role_name(&username)?;
     let mut metadata = get_metadata().await?;
 
-    validator::user_name(&username)?;
     let user_roles: HashSet<String> = if let Some(body) = body {
         serde_json::from_value(body.into_inner())?
     } else {
diff --git a/src/handlers/http/role.rs b/src/handlers/http/role.rs
@@ -32,6 +32,7 @@ use crate::{
         role::model::DefaultPrivilege,
     },
     storage::{self, ObjectStorageError, StorageMetadata},
+    validator,
 };
 
 // Handler for PUT /api/v1/role/{name}
@@ -41,6 +42,8 @@ pub async fn put(
     Json(privileges): Json<Vec<DefaultPrivilege>>,
 ) -> Result<impl Responder, RoleError> {
     let name = name.into_inner();
+    // validate the role name
+    validator::user_role_name(&name).map_err(|e| RoleError::Anyhow(e.into()))?;
     let mut metadata = get_metadata().await?;
     metadata.roles.insert(name.clone(), privileges.clone());
 
diff --git a/src/validator.rs b/src/validator.rs
@@ -16,7 +16,10 @@
  *
  */
 
+use std::collections::HashSet;
+
 use error::HotTierValidationError;
+use once_cell::sync::Lazy;
 
 use self::error::{StreamNameValidationError, UsernameValidationError};
 use crate::hottier::MIN_STREAM_HOT_TIER_SIZE_BYTES;
@@ -67,21 +70,72 @@ pub fn stream_name(
     Ok(())
 }
 
-// validate if username is valid
-// username should be between 3 and 64 characters long
-// username should contain only alphanumeric characters or underscores
-// username should be lowercase
-pub fn user_name(username: &str) -> Result<(), UsernameValidationError> {
-    // Check if the username meets the required criteria
-    if username.len() < 3 || username.len() > 64 {
+static RESERVED_NAMES: Lazy<HashSet<&'static str>> = Lazy::new(|| {
+    [
+        "admin",
+        "user",
+        "role",
+        "null",
+        "undefined",
+        "none",
+        "empty",
+        "password",
+        "username",
+    ]
+    .into_iter()
+    .collect()
+});
+
+pub fn user_role_name(name: &str) -> Result<(), UsernameValidationError> {
+    // Normalize username to lowercase for validation
+    let name = name.to_lowercase();
+
+    // Check length constraints
+    if name.len() < 3 || name.len() > 64 {
         return Err(UsernameValidationError::InvalidLength);
     }
-    // Username should contain only alphanumeric characters or underscores
-    if !username
-        .chars()
-        .all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '_')
+
+    // Check if name is reserved
+    if RESERVED_NAMES.contains(name.as_str()) {
+        return Err(UsernameValidationError::ReservedName);
+    }
+
+    let chars: Vec<char> = name.chars().collect();
+
+    // Check first character (must be alphanumeric)
+    if let Some(first_char) = chars.first()
+        && !first_char.is_ascii_alphanumeric()
+    {
+        return Err(UsernameValidationError::InvalidStartChar);
+    }
+
+    // Check last character (must be alphanumeric)
+    if let Some(last_char) = chars.last()
+        && !last_char.is_ascii_alphanumeric()
     {
-        return Err(UsernameValidationError::SpecialChar);
+        return Err(UsernameValidationError::InvalidEndChar);
+    }
+
+    // Check all characters and consecutive special chars
+    let mut prev_was_special = false;
+    for &ch in &chars {
+        match ch {
+            // Allow alphanumeric
+            c if c.is_ascii_alphanumeric() => {
+                prev_was_special = false;
+            }
+            // Allow specific special characters
+            '_' | '-' | '.' => {
+                if prev_was_special {
+                    return Err(UsernameValidationError::ConsecutiveSpecialChars);
+                }
+                prev_was_special = true;
+            }
+            // Reject any other character
+            _ => {
+                return Err(UsernameValidationError::InvalidCharacter);
+            }
+        }
     }
 
     Ok(())
@@ -141,6 +195,18 @@ pub mod error {
             "Username contains invalid characters. Please use lowercase, alphanumeric or underscore"
         )]
         SpecialChar,
+        #[error("Username should start with an alphanumeric character")]
+        InvalidStartChar,
+        #[error("Username should end with an alphanumeric character")]
+        InvalidEndChar,
+        #[error(
+            "Username contains invalid characters. Only alphanumeric characters and _, -, . are allowed"
+        )]
+        InvalidCharacter,
+        #[error("Username contains consecutive special characters")]
+        ConsecutiveSpecialChars,
+        #[error("Username is reserved")]
+        ReservedName,
     }
 
     #[derive(Debug, thiserror::Error)]
