identifiers: use common package for identifier validation

A few days ago, we added validation for namespaces. We've decided to
expand these naming rules to include containers. To facilitate this, a
common package `identifiers` now provides a common validation area.
These rules will be extended to apply to task identifiers, snapshot keys
and other areas where user-provided identifiers may be used.

Signed-off-by: Stephen J Day <stephen.day@docker.com>

identifiers/validate.go

@@ -0,0 +1,58 @@
+// Package identifiers provides common validation for identifiers, keys and ids
+// across containerd.
+//
+// To allow such identifiers to be used across various contexts safely, the character
+// set has been restricted to that defined for domains in RFC 1035, section
+// 2.3.1. This will make identifiers safe for use across networks, filesystems
+// and other media.
+//
+// While the character set may expand in the future, we guarantee that the
+// identifiers will be safe for use as filesystem path components.
+package identifiers
+
+import (
+	"regexp"
+
+	"github.com/pkg/errors"
+)
+
+const (
+	label = `[A-Za-z][A-Za-z0-9]+(?:[-]+[A-Za-z0-9]+)*`
+)
+
+var (
+	// identifierRe validates that a identifier matches valid identifiers.
+	//
+	// Rules for domains, defined in RFC 1035, section 2.3.1, are used for
+	// identifiers.
+	identifierRe = regexp.MustCompile(reAnchor(label + reGroup("[.]"+reGroup(label)) + "*"))
+
+	errIdentifierInvalid = errors.Errorf("invalid, must match %v", identifierRe)
+)
+
+// IsInvalid return true if the error was due to an invalid identifer.
+func IsInvalid(err error) bool {
+	return errors.Cause(err) == errIdentifierInvalid
+}
+
+// Validate return nil if the string s is a valid identifier.
+//
+// identifiers must be valid domain identifiers according to RFC 1035, section 2.3.1.  To
+// enforce case insensitvity, all characters must be lower case.
+//
+// In general, identifiers that pass this validation, should be safe for use as
+// a domain identifier or filesystem path component.
+func Validate(s string) error {
+	if !identifierRe.MatchString(s) {
+		return errors.Wrapf(errIdentifierInvalid, "identifier %q", s)
+	}
+	return nil
+}
+
+func reGroup(s string) string {
+	return `(?:` + s + `)`
+}
+
+func reAnchor(s string) string {
+	return `^` + s + `$`
+}

identifiers/validate_test.go

@@ -0,0 +1,47 @@
+package identifiers
+
+import (
+	"testing"
+)
+
+func TestValidIdentifiers(t *testing.T) {
+	for _, input := range []string{
+		"default",
+		"Default",
+		t.Name(),
+		"default-default",
+		"default--default",
+		"containerd.io",
+		"foo.boo",
+		"swarmkit.docker.io",
+		"zn--e9.org", // or something like it!
+	} {
+		t.Run(input, func(t *testing.T) {
+			if err := Validate(input); err != nil {
+				t.Fatalf("unexpected error: %v != nil", err)
+			}
+		})
+	}
+}
+
+func TestInvalidIdentifiers(t *testing.T) {
+	for _, input := range []string{
+		".foo..foo",
+		"foo/foo",
+		"foo/..",
+		"foo..foo",
+		"foo.-boo",
+		"-foo.boo",
+		"foo.boo-",
+		"foo_foo.boo_underscores", // boo-urns?
+	} {
+
+		t.Run(input, func(t *testing.T) {
+			if err := Validate(input); err == nil {
+				t.Fatal("expected invalid error")
+			} else if !IsInvalid(err) {
+				t.Fatal("error should be an invalid identifier error")
+			}
+		})
+	}
+}