Add kerberos realm name type

This used to use Hostname, but secret-op's Hostname had looser
validation constraints

Author: nightkr

crates/stackable-operator/src/commons/networking.rs

@@ -35,3 +35,36 @@ impl Deref for Hostname {
         &self.0
     }
 }
+
+/// A validated kerberos realm name type, for use in CRDs.
+#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
+#[serde(try_from = "String", into = "String")]
+pub struct KerberosRealmName(
+    #[validate(regex(path = "validation::KERBEROS_REALM_NAME_REGEX"))] String,
+);
+
+impl TryFrom<String> for KerberosRealmName {
+    type Error = ValidationErrors;
+
+    fn try_from(value: String) -> Result<Self, Self::Error> {
+        validation::is_kerberos_realm_name(&value)?;
+        Ok(KerberosRealmName(value))
+    }
+}
+impl From<KerberosRealmName> for String {
+    fn from(value: KerberosRealmName) -> Self {
+        value.0
+    }
+}
+impl Display for KerberosRealmName {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str(&self.0)
+    }
+}
+impl Deref for KerberosRealmName {
+    type Target = str;
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}

crates/stackable-operator/src/validation.rs

@@ -32,6 +32,17 @@ const RFC_1035_LABEL_ERROR_MSG: &str = "a DNS-1035 label must consist of lower c
 // This is a label's max length in DNS (RFC 1035)
 const RFC_1035_LABEL_MAX_LENGTH: usize = 63;
 
+// Technically Kerberos allows more realm names
+// (https://web.mit.edu/kerberos/krb5-1.21/doc/admin/realm_config.html#realm-name),
+// however, these are embedded in a lot of configuration files and other strings,
+// and will not always be quoted properly.
+//
+// Hence, restrict them to a reasonable subset. The convention is to use upper-case
+// DNS hostnames, so allow all characters used there.
+const KERBEROS_REALM_NAME_FMT: &str = "[-.a-zA-Z0-9]+";
+const KERBEROS_REALM_NAME_ERROR_MSG: &str =
+    "Kerberos realm name must only contain alphanumeric characters, '-', and '.'";
+
 // Lazily initialized regular expressions
 pub(crate) static RFC_1123_SUBDOMAIN_REGEX: LazyLock<Regex> = LazyLock::new(|| {
     Regex::new(&format!("^{RFC_1123_SUBDOMAIN_FMT}$"))
@@ -46,6 +57,11 @@ static RFC_1035_LABEL_REGEX: LazyLock<Regex> = LazyLock::new(|| {
     Regex::new(&format!("^{RFC_1035_LABEL_FMT}$")).expect("failed to compile RFC 1035 label regex")
 });
 
+pub(crate) static KERBEROS_REALM_NAME_REGEX: LazyLock<Regex> = LazyLock::new(|| {
+    Regex::new(&format!("^{KERBEROS_REALM_NAME_FMT}$"))
+        .expect("failed to compile Kerberos realm name regex")
+});
+
 #[derive(Debug)]
 pub struct ValidationErrors(Vec<ValidationError>);
 
@@ -195,6 +211,15 @@ pub fn is_rfc_1035_label(value: &str) -> Result<(), ValidationErrors> {
     ])
 }
 
+pub fn is_kerberos_realm_name(value: &str) -> Result<(), ValidationErrors> {
+    validate_all([validate_str_regex(
+        value,
+        &KERBEROS_REALM_NAME_REGEX,
+        KERBEROS_REALM_NAME_ERROR_MSG,
+        &["EXAMPLE.COM"],
+    )])
+}
+
 // mask_trailing_dash replaces the final character of a string with a subdomain safe
 // value if is a dash.
 fn mask_trailing_dash(mut name: String) -> String {