@@ -32,6 +32,17 @@ const RFC_1035_LABEL_ERROR_MSG: &str = "a DNS-1035 label must consist of lower c
32
32
// This is a label's max length in DNS (RFC 1035)
33
33
const RFC_1035_LABEL_MAX_LENGTH : usize = 63 ;
34
34
35
+ // Technically Kerberos allows more realm names
36
+ // (https://web.mit.edu/kerberos/krb5-1.21/doc/admin/realm_config.html#realm-name),
37
+ // however, these are embedded in a lot of configuration files and other strings,
38
+ // and will not always be quoted properly.
39
+ //
40
+ // Hence, restrict them to a reasonable subset. The convention is to use upper-case
41
+ // DNS hostnames, so allow all characters used there.
42
+ const KERBEROS_REALM_NAME_FMT : & str = "[-.a-zA-Z0-9]+" ;
43
+ const KERBEROS_REALM_NAME_ERROR_MSG : & str =
44
+ "Kerberos realm name must only contain alphanumeric characters, '-', and '.'" ;
45
+
35
46
// Lazily initialized regular expressions
36
47
pub ( crate ) static RFC_1123_SUBDOMAIN_REGEX : LazyLock < Regex > = LazyLock :: new ( || {
37
48
Regex :: new ( & format ! ( "^{RFC_1123_SUBDOMAIN_FMT}$" ) )
@@ -46,6 +57,11 @@ static RFC_1035_LABEL_REGEX: LazyLock<Regex> = LazyLock::new(|| {
46
57
Regex :: new ( & format ! ( "^{RFC_1035_LABEL_FMT}$" ) ) . expect ( "failed to compile RFC 1035 label regex" )
47
58
} ) ;
48
59
60
+ pub ( crate ) static KERBEROS_REALM_NAME_REGEX : LazyLock < Regex > = LazyLock :: new ( || {
61
+ Regex :: new ( & format ! ( "^{KERBEROS_REALM_NAME_FMT}$" ) )
62
+ . expect ( "failed to compile Kerberos realm name regex" )
63
+ } ) ;
64
+
49
65
#[ derive( Debug ) ]
50
66
pub struct ValidationErrors ( Vec < ValidationError > ) ;
51
67
@@ -195,6 +211,15 @@ pub fn is_rfc_1035_label(value: &str) -> Result<(), ValidationErrors> {
195
211
] )
196
212
}
197
213
214
+ pub fn is_kerberos_realm_name ( value : & str ) -> Result < ( ) , ValidationErrors > {
215
+ validate_all ( [ validate_str_regex (
216
+ value,
217
+ & KERBEROS_REALM_NAME_REGEX ,
218
+ KERBEROS_REALM_NAME_ERROR_MSG ,
219
+ & [ "EXAMPLE.COM" ] ,
220
+ ) ] )
221
+ }
222
+
198
223
// mask_trailing_dash replaces the final character of a string with a subdomain safe
199
224
// value if is a dash.
200
225
fn mask_trailing_dash ( mut name : String ) -> String {
0 commit comments