From 9e6e25cf586a010aa850d1b6cb271a927893f159 Mon Sep 17 00:00:00 2001
From: Seth Foster <sfoster@localhost.localdomain>
Date: Thu, 19 Sep 2019 20:10:01 -0400
Subject: [PATCH] Fix LDAPServerFieldURI number in domain

- API error if LDAPServerFieldURI contains a number in the top level domain
- Add custom regex in LDAPServerFieldURI class that is passed to django
  URLValidator
- The custom regex allows for numbers to be present in the top level domain
- Unit tests check that valid URIs pass through URLValidator, and that
  invalid URIs raise the correct exception
- Related to issue #3646
---
 awx/conf/fields.py                |  3 +++
 awx/sso/fields.py                 | 23 +++++++++++++++++++++++
 awx/sso/tests/unit/test_fields.py | 18 ++++++++++++++++++
 3 files changed, 44 insertions(+)

diff --git a/awx/conf/fields.py b/awx/conf/fields.py
index e48ef805062c..ca731de579d4 100644
--- a/awx/conf/fields.py
+++ b/awx/conf/fields.py
@@ -121,11 +121,14 @@ class URLField(CharField):
 
     def __init__(self, **kwargs):
         schemes = kwargs.pop('schemes', None)
+        regex = kwargs.pop('regex', None)
         self.allow_plain_hostname = kwargs.pop('allow_plain_hostname', False)
         super(URLField, self).__init__(**kwargs)
         validator_kwargs = dict(message=_('Enter a valid URL'))
         if schemes is not None:
             validator_kwargs['schemes'] = schemes
+        if regex is not None:
+            validator_kwargs['regex'] = regex
         self.validators.append(URLValidator(**validator_kwargs))
 
     def to_representation(self, value):
diff --git a/awx/sso/fields.py b/awx/sso/fields.py
index dddd1ee6a124..d3bf36164541 100644
--- a/awx/sso/fields.py
+++ b/awx/sso/fields.py
@@ -11,6 +11,7 @@
 # Django
 from django.utils import six
 from django.utils.translation import ugettext_lazy as _
+from django.core.validators import URLValidator, _lazy_re_compile
 
 # Django Auth LDAP
 import django_auth_ldap.config
@@ -233,12 +234,34 @@ def _default_from_required_settings(self):
 
 class LDAPServerURIField(fields.URLField):
 
+    tld_re = (
+        r'\.'                                              # dot
+        r'(?!-)'                                           # can't start with a dash
+        r'(?:[a-z' + URLValidator.ul + r'0-9' + '-]{2,63}' # domain label, this line was changed from the original URLValidator
+        r'|xn--[a-z0-9]{1,59})'                            # or punycode label
+        r'(?<!-)'                                          # can't end with a dash
+        r'\.?'                                             # may have a trailing dot
+    )
+
+    host_re = '(' + URLValidator.hostname_re + URLValidator.domain_re + tld_re + '|localhost)'
+
+    regex = _lazy_re_compile(
+        r'^(?:[a-z0-9\.\-\+]*)://'  # scheme is validated separately
+        r'(?:[^\s:@/]+(?::[^\s:@/]*)?@)?'  # user:pass authentication
+        r'(?:' + URLValidator.ipv4_re + '|' + URLValidator.ipv6_re + '|' + host_re + ')'
+        r'(?::\d{2,5})?'  # port
+        r'(?:[/?#][^\s]*)?'  # resource path
+        r'\Z', re.IGNORECASE)
+
     def __init__(self, **kwargs):
+
         kwargs.setdefault('schemes', ('ldap', 'ldaps'))
         kwargs.setdefault('allow_plain_hostname', True)
+        kwargs.setdefault('regex', LDAPServerURIField.regex)
         super(LDAPServerURIField, self).__init__(**kwargs)
 
     def run_validators(self, value):
+
         for url in filter(None, re.split(r'[, ]', (value or ''))):
             super(LDAPServerURIField, self).run_validators(url)
         return value
diff --git a/awx/sso/tests/unit/test_fields.py b/awx/sso/tests/unit/test_fields.py
index 95cd774b9877..c63e137776ff 100644
--- a/awx/sso/tests/unit/test_fields.py
+++ b/awx/sso/tests/unit/test_fields.py
@@ -8,6 +8,7 @@
     SAMLOrgAttrField,
     SAMLTeamAttrField,
     LDAPGroupTypeParamsField,
+    LDAPServerURIField
 )
 
 
@@ -114,3 +115,20 @@ def test_internal_value_invalid(self, group_type, data, expected):
         with pytest.raises(ValidationError) as e:
             field.to_internal_value(data)
         assert e.value.detail == expected
+
+
+class TestLDAPServerURIField():
+
+    @pytest.mark.parametrize("ldap_uri, exception, expected", [
+        (r'ldap://servername.com:444', None, r'ldap://servername.com:444'),
+        (r'ldap://servername.so3:444', None, r'ldap://servername.so3:444'),
+        (r'ldaps://servername3.s300:344', None, r'ldaps://servername3.s300:344'),
+        (r'ldap://servername.-so3:444', ValidationError, None),
+    ])
+    def test_run_validators_valid(self, ldap_uri, exception, expected):
+        field = LDAPServerURIField()
+        if exception is None:
+            assert field.run_validators(ldap_uri) == expected
+        else:
+            with pytest.raises(exception):
+                field.run_validators(ldap_uri)