From 119a768ddf6f865d94775bf813c9fa5a25c58956 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Mon, 4 Mar 2024 16:46:52 -0500
Subject: [PATCH] rgw: validate account user names iam apis have specific requirements for the UserName field. enforce these requirements for 'user create' and 'user modify' admin ops for account users
Signed-off-by: Casey Bodley
---
 src/rgw/driver/rados/rgw_user.cc | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/src/rgw/driver/rados/rgw_user.cc b/src/rgw/driver/rados/rgw_user.cc
index b7067ca9c3c..ff68f03ba6a 100644
--- a/src/rgw/driver/rados/rgw_user.cc
+++ b/src/rgw/driver/rados/rgw_user.cc
@@ -8,6 +8,7 @@
 #include "rgw_account.h"
 #include "rgw_bucket.h"
 #include "rgw_quota.h"
+#include "rgw_rest_iam.h" // validate_iam_user_name()
 #include "services/svc_user.h"
 #include "services/svc_meta.h"
@@ -1821,6 +1822,15 @@ int RGWUser::execute_add(const DoutPrefixProvider *dpp, RGWUserAdminOpState& op_
 user_info.type = TYPE_ROOT;
 }
+ if (!user_info.account_id.empty()) {
+ // validate user name according to iam api
+ std::string err;
+ if (!validate_iam_user_name(user_info.display_name, err)) {
+ set_err_msg(err_msg, err);
+ return -EINVAL;
+ }
+ }
+
 if (!op_state.path.empty()) {
 user_info.path = op_state.path;
 } else {
@@ -2155,6 +2165,15 @@ int RGWUser::execute_modify(const DoutPrefixProvider *dpp, RGWUserAdminOpState&
 user_info.type = op_state.account_root ? TYPE_ROOT : TYPE_RGW;
 }
+ if (!user_info.account_id.empty()) {
+ // validate user name according to iam api
+ std::string err;
+ if (!validate_iam_user_name(user_info.display_name, err)) {
+ set_err_msg(err_msg, err);
+ return -EINVAL;
+ }
+ }
+
 if (!op_state.path.empty()) {
 user_info.path = op_state.path;
 }
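Review bot: The check added in execute_add (second hunk) reads `user_info.account_id` and `user_info.display_name`, so it only enforces the IAM rules if both fields have already been copied from `op_state` at this point. Those assignments are outside the hunk, and the function body starts and ends outside it, so please confirm they precede the check; otherwise an empty or stale value is what gets validated. The comment would also be clearer if it said why the display name is the field being checked, e.g. `// account users expose display_name as the IAM UserName, so it must satisfy the IAM naming rules`. The identical eight-line block is repeated in execute_modify (third hunk); a small file-local helper that takes the user info and `err_msg` would keep the two admin-op paths from drifting apart.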
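Review bot: In execute_modify (third hunk) the name check runs on every modify of a user that has an `account_id`, not only when the request changes the display name or the account. If account users with non-conforming names can already exist, for example ones created before this commit, every later admin op on them (suspending the user, changing keys or quota) would return `-EINVAL` until the name is also changed, which gets in the way of exactly the operations an operator needs during an incident. Consider validating only when this request sets the display name or the account id. Failing that, document the behaviour next to the check, e.g. `// note: also rejects modifies of existing account users whose stored name is not IAM-valid`. The function body starts and ends outside the hunk, so whether the modified name has already been applied to `user_info` here could not be checked from the diff.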