Add Validations and Sanitize for Inputs (#357)

* loadbalancer validations and sanitizing

Signed-off-by: Matt Siwiec <[email protected]>

* validation for rest of resources, fix Makefile

Signed-off-by: Stephen Hwang <[email protected]>

* make generate

Signed-off-by: Stephen Hwang <[email protected]>

* fix tests

Signed-off-by: Stephen Hwang <[email protected]>

* remove comment

Signed-off-by: Stephen Hwang <[email protected]>

---------

Signed-off-by: Matt Siwiec <[email protected]>
Signed-off-by: Stephen Hwang <[email protected]>
Co-authored-by: Matt Siwiec <[email protected]>

Author: sthwang-metal

internal/ent/generated/port/port.go

@@ -14,6 +14,7 @@ import (
 
 	"go.infratographer.com/load-balancer-api/internal/ent/schema/audit"
 	"go.infratographer.com/load-balancer-api/internal/ent/schema/softdelete"
+	"go.infratographer.com/load-balancer-api/internal/ent/schema/validations"
 	"go.infratographer.com/load-balancer-api/x/pubsubinfo"
 )
 
@@ -44,7 +45,7 @@ func (LoadBalancer) Fields() []ent.Field {
 				entgql.OrderField("ID"),
 			),
 		field.Text("name").
-			NotEmpty().
+			Validate(validations.NameField).
 			Comment("The name of the load balancer.").
 			Annotations(
 				entgql.OrderField("NAME"),

internal/ent/generated/port_create.go

@@ -42,7 +42,7 @@ func (Origin) Fields() []ent.Field {
 			Unique().
 			Immutable(),
 		field.String("name").
-			NotEmpty().
+			Validate(validations.NameField).
 			Annotations(
 				entgql.OrderField("name"),
 			),

internal/ent/generated/port_update.go

@@ -13,6 +13,7 @@ import (
 
 	"go.infratographer.com/load-balancer-api/internal/ent/schema/audit"
 	"go.infratographer.com/load-balancer-api/internal/ent/schema/softdelete"
+	"go.infratographer.com/load-balancer-api/internal/ent/schema/validations"
 	"go.infratographer.com/load-balancer-api/x/pubsubinfo"
 )
 
@@ -39,7 +40,7 @@ func (Pool) Fields() []ent.Field {
 			Unique().
 			Immutable(),
 		field.String("name").
-			NotEmpty().
+			Validate(validations.NameField).
 			Annotations(
 				entgql.OrderField("name"),
 			),

internal/ent/generated/runtime/runtime.go

@@ -52,6 +52,7 @@ func (Port) Fields() []ent.Field {
 				entgql.OrderField("number"),
 			),
 		field.String("name").
+			Validate(validations.OptionalNameField).
 			Annotations(
 				entgql.OrderField("name"),
 			).

internal/ent/schema/loadbalancer.go

@@ -12,6 +12,7 @@ import (
 
 	"go.infratographer.com/load-balancer-api/internal/ent/schema/audit"
 	"go.infratographer.com/load-balancer-api/internal/ent/schema/softdelete"
+	"go.infratographer.com/load-balancer-api/internal/ent/schema/validations"
 	"go.infratographer.com/load-balancer-api/x/pubsubinfo"
 )
 
@@ -42,7 +43,7 @@ func (Provider) Fields() []ent.Field {
 				entgql.OrderField("ID"),
 			),
 		field.String("name").
-			NotEmpty().
+			Validate(validations.NameField).
 			Comment("The name of the load balancer provider.").
 			Annotations(
 				entgql.OrderField("NAME"),

internal/ent/schema/origin.go

@@ -1,9 +1,14 @@
 package validations
 
-import "errors"
+import (
+	"errors"
+)
 
 // ErrInvalidIPAddress is returned when the given string is not a valid IP address
 var ErrInvalidIPAddress = errors.New("invalid ip address")
 
 // ErrRestrictedPort is returned when the given port is restricted
 var ErrRestrictedPort = errors.New("port number restricted")
+
+// ErrFieldEmpty is returned when a field is empty
+var ErrFieldEmpty = errors.New("must not be empty")

internal/ent/schema/pool.go

@@ -2,13 +2,23 @@
 package validations
 
 import (
+	"fmt"
 	"net"
+	"regexp"
+	"strings"
 
 	"go.infratographer.com/load-balancer-api/internal/config"
 
 	"golang.org/x/exp/slices"
 )
 
+const (
+	// maxNameLength is the maximum length of a name field
+	maxNameLength = 64
+	// unallowedChars is a string containing the unallowed characters in a string for a name field
+	unallowedChars = `<>&'"`
+)
+
 // IPAddress validates if the given string is a valid IP address
 func IPAddress(ip string) error {
 	if net.ParseIP(ip) == nil {
@@ -26,3 +36,44 @@ func RestrictedPorts(port int) error {
 
 	return nil
 }
+
+// NameField validates the name field
+func NameField(name string) error {
+	if len(strings.TrimSpace(name)) == 0 {
+		return ErrFieldEmpty
+	}
+
+	if len(name) > maxNameLength {
+		return fmt.Errorf("must not be longer than %d characters", maxNameLength) // nolint: goerr113
+	}
+
+	if containsUnallowedChars(name) {
+		return fmt.Errorf("must not contain the following characters: %s", unallowedChars) // nolint: goerr113
+	}
+
+	return nil
+}
+
+// OptionalNameField validates the name field when optional
+func OptionalNameField(name string) error {
+	if len(name) > maxNameLength {
+		return fmt.Errorf("must not be longer than %d characters", maxNameLength) // nolint: goerr113
+	}
+
+	if containsUnallowedChars(name) {
+		return fmt.Errorf("must not contain the following characters: %s", unallowedChars) // nolint: goerr113
+	}
+
+	return nil
+}
+
+func containsUnallowedChars(s string) bool {
+	// Define the regular expression pattern to match the unallowed characters
+	pattern := "[" + unallowedChars + "]"
+
+	// Compile the regular expression pattern
+	regex := regexp.MustCompile(pattern)
+
+	// Check if the pattern matches any part of the string
+	return regex.MatchString(s)
+}

internal/ent/schema/port.go

@@ -1,6 +1,9 @@
 package graphapi
 
-import "errors"
+import (
+	"errors"
+	"fmt"
+)
 
 var (
 	// ErrPortNumberInUse is returned when a port number is already in use.
@@ -20,4 +23,25 @@ var (
 
 	// ErrLoadBalancerLimitReached is returned when the load balancer limit has been reached for an owner.
 	ErrLoadBalancerLimitReached = errors.New("load balancer limit reached")
+
+	// ErrFieldEmpty is returned when a required field is empty.
+	ErrFieldEmpty = errors.New("must not be empty")
+
+	// ErrInvalidCharacters is returned when an invalid input is provided
+	ErrInvalidCharacters = errors.New("valid characters are A-Z a-z 0-9 _ -")
 )
+
+// ErrInvalidField is returned when an invalid input is provided.
+type ErrInvalidField struct {
+	field string
+	err   error
+}
+
+// Error implements the error interface.
+func (e *ErrInvalidField) Error() string {
+	return fmt.Sprintf("%s: %v", e.field, e.err)
+}
+
+func newInvalidFieldError(field string, err error) *ErrInvalidField {
+	return &ErrInvalidField{field: field, err: err}
+}