From: Avan Thakkar Date: Mon, 24 Nov 2025 10:58:43 +0000 (+0530) Subject: mgr/smb: relax name length validation to support KMIP/GKLM aliases X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b747e17484284487c6b5b2753e8965999d747bc8;p=ceph.git mgr/smb: relax name length validation to support KMIP/GKLM aliases Introduce new regex for mem/kmip key names to allow up to 63 characters, which matches the maximum permitted DNS label length (RFC 1035). Signed-off-by: Avan Thakkar
---
diff --git a/src/pybind/mgr/smb/resources.py b/src/pybind/mgr/smb/resources.py
index 41bf2b651644..fec79e8b1022 100644
--- a/src/pybind/mgr/smb/resources.py
+++ b/src/pybind/mgr/smb/resources.py
@@ -252,7 +252,7 @@ class FSCryptKeySelector(_RBase):
 def validate(self) -> None:
 self.scope_identity() # raises value error if scope invalid
- validation.check_id(self.name)
+ validation.check_fscrypt_key_name(self.name)
 @resourcelib.component()
diff --git a/src/pybind/mgr/smb/tests/test_validation.py b/src/pybind/mgr/smb/tests/test_validation.py
index cc0c6cdb301d..51e46ea1f62d 100644
--- a/src/pybind/mgr/smb/tests/test_validation.py
+++ b/src/pybind/mgr/smb/tests/test_validation.py
@@ -52,6 +52,31 @@ def test_valid_share_name(value, valid):
 smb.validation.check_share_name(value)
+@pytest.mark.parametrize(
+ "value,valid",
+ [
+ ("x", True),
+ ("aa", True),
+ ("test-key-1", True),
+ ("mem-scope-key", True),
+ ("kmip0123456789", True),
+ ("A" * 63, True), # max allowed
+ ("A" * 64, False), # invalid >63
+ ("-bad", False),
+ ("bad-", False),
+ ("", False),
+ ("bad$key", False),
+ ],
+)
+def test_valid_fscrypt_key_name(value, valid):
+ assert smb.validation.valid_fscrypt_key_name(value) == valid
+ if valid:
+ smb.validation.check_fscrypt_key_name(value)
+ else:
+ with pytest.raises(ValueError):
+ smb.validation.check_fscrypt_key_name(value)
+
+
 @pytest.mark.parametrize(
 "value,valid",
 [
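Review bot: The relaxed check in `validate()` applies to every scope that `self.scope_identity()` accepts, while the commit message motivates it only for mem/kmip key names. If any accepted scope resolves `self.name` to an internal resource whose ID is still checked with `check_id`, a longer name would pass here and only fail later at lookup; that depends on code outside this hunk and needs confirming. Either way a comment on the call would record the intent, e.g. `# key names may be external KMIP/GKLM aliases, so they get a longer limit than check_id allows`. The enclosing class starts outside the hunk.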
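Review bot: The rejected rows in the new table cover length, a leading or trailing hyphen, the empty string and `$`, but nothing pins whitespace or separator characters. Because the name is meant to be passed on as a KMIP/GKLM alias, rows such as `("bad key", False)`, `("bad/key", False)`, `("bad.key", False)` and `("bad_key", False)` would keep a later loosening of the character class from going unnoticed. A lone `("-", False)` row would also cover the single-character branch of the pattern.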
diff --git a/src/pybind/mgr/smb/validation.py b/src/pybind/mgr/smb/validation.py
index 18166205375c..6c4cd5e782b8 100644
--- a/src/pybind/mgr/smb/validation.py
+++ b/src/pybind/mgr/smb/validation.py
@@ -19,6 +19,10 @@ _name_re = re.compile('^[a-zA-Z0-9]($|[a-zA-Z0-9-]{,16}[a-zA-Z0-9]$)')
 # but as above it's easier to start strict.
 _share_re = re.compile('^[a-zA-Z0-9_][a-zA-Z0-9. _-]{,63}$')
+_fscrypt_key_name_re = re.compile(
+ '^[a-zA-Z0-9]($|[a-zA-Z0-9-]{,61}[a-zA-Z0-9]$)'
+)
+
 def valid_id(value: str) -> bool:
 """Return true if value is a valid (cluster|share|etc) ID."""
@@ -42,6 +46,17 @@ def check_share_name(value: str) -> None:
 raise ValueError(f"{value!r} is not a valid share name")
+def valid_fscrypt_key_name(value: str) -> bool:
+ """Return true if value is a valid fscrypt key name."""
+ return bool(_fscrypt_key_name_re.match(value))
+
+
+def check_fscrypt_key_name(value: str) -> None:
+ """Raise ValueError if value is not a valid fscrypt key name."""
+ if not valid_fscrypt_key_name(value):
+ raise ValueError(f"{value!r} is not a valid fscrypt key name")
+
+
 # alias for normpath so other smb libs can just import validation module
 normalize_path = posixpath.normpath
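Review bot: `_fscrypt_key_name_re` ends both alternatives in `$`, and in Python `$` also matches just before a trailing newline, so with `.match()` in `valid_fscrypt_key_name` (second hunk) a value such as `"key\n"` is accepted as a valid key name. Since these names are meant to be KMIP/GKLM aliases, a newline is worth rejecting at this boundary; `return bool(_fscrypt_key_name_re.fullmatch(value))` does that without touching the pattern, or both `$` can become `\Z`. The `_name_re` and `_share_re` patterns visible in the context lines end in `$` as well and may be affected the same way, depending on how they are matched outside this hunk. A row `("key\n", False)` in `test_valid_fscrypt_key_name` would pin the behaviour. A one-line comment above the pattern, e.g. `# 1-63 chars, alphanumeric or '-', no leading/trailing '-' (DNS label length, RFC 1035)`, would also save readers from decoding `{,61}`.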