mgr/dashboard: validate username while creation

When creating a user the username is not checked if
it's valid from the Ceph perspective (`CephString`).
The commit adds a decorator to check if the input
values in the API are valid from the Ceph perspective
by calling the `valid()` method of the Ceph-defined
datatypes (`ceph_argparse.py`).

Fixes: https://tracker.ceph.com/issues/46548
Signed-off-by: Tatjana Dehler <tdehler@suse.com>

qa/tasks/mgr/dashboard/test_user.py

@@ -169,6 +169,16 @@ class UserTest(DashboardTestCase):
         self.assertError(code='role_does_not_exist',
                          component='user')
 
+    def test_create_user_invalid_chars_in_name(self):
+        self._create_user(username='userö',
+                          password='mypassword10#',
+                          name='administrator',
+                          email='my@email.com',
+                          roles=['administrator'])
+        self.assertStatus(400)
+        self.assertError(code='ceph_type_not_valid',
+                         component='user')
+
     def test_delete_user_does_not_exist(self):
         self._delete('/api/user/user2')
         self.assertStatus(404)

src/pybind/mgr/dashboard/controllers/__init__.py

@@ -16,10 +16,12 @@ from urllib.parse import unquote
 
 # pylint: disable=wrong-import-position
 import cherrypy
+# pylint: disable=import-error
+from ceph_argparse import ArgumentFormat  # type: ignore
 
 from .. import DEFAULT_VERSION
 from ..api.doc import SchemaInput, SchemaType
-from ..exceptions import PermissionNotValid, ScopeNotValid
+from ..exceptions import DashboardException, PermissionNotValid, ScopeNotValid
 from ..plugins import PLUGIN_MANAGER
 from ..security import Permission, Scope
 from ..services.auth import AuthManager, JwtManager
@@ -1008,3 +1010,20 @@ def allow_empty_body(func):  # noqa: N802
     except (AttributeError, KeyError):
         func._cp_config = {'tools.json_in.force': False}
     return func
+
+
+def validate_ceph_type(validations, component=''):
+    def decorator(func):
+        @wraps(func)
+        def validate_args(*args, **kwargs):
+            input_values = kwargs
+            for key, ceph_type in validations:
+                try:
+                    ceph_type.valid(input_values[key])
+                except ArgumentFormat as e:
+                    raise DashboardException(msg=e,
+                                             code='ceph_type_not_valid',
+                                             component=component)
+            return func(*args, **kwargs)
+        return validate_args
+    return decorator

src/pybind/mgr/dashboard/controllers/user.py

@@ -5,6 +5,7 @@ import time
 from datetime import datetime
 
 import cherrypy
+from ceph_argparse import CephString  # pylint: disable=import-error
 
 from .. import mgr
 from ..exceptions import DashboardException, PasswordPolicyException, \
@@ -13,7 +14,7 @@ from ..security import Scope
 from ..services.access_control import SYSTEM_ROLES, PasswordPolicy
 from ..services.auth import JwtManager
 from . import ApiController, BaseController, ControllerDoc, Endpoint, \
-    EndpointDoc, RESTController, allow_empty_body
+    EndpointDoc, RESTController, allow_empty_body, validate_ceph_type
 
 USER_SCHEMA = ([{
     "username": (str, 'Username of the user'),
@@ -81,6 +82,7 @@ class User(RESTController):
             raise cherrypy.HTTPError(404)
         return User._user_to_dict(user)
 
+    @validate_ceph_type([('username', CephString())], 'user')
     def create(self, username=None, password=None, name=None, email=None,
                roles=None, enabled=True, pwdExpirationDate=None, pwdUpdateRequired=True):
         if not username:

src/pybind/mgr/dashboard/tox.ini

@@ -168,7 +168,7 @@ passenv =
     PYTHONPATH
 setenv =
     UNITTEST = true
-    PYTHONPATH=$PYTHONPATH:..
+    PYTHONPATH=$PYTHONPATH:..:../..
     OPENAPI_FILE=openapi.yaml
     check: OPENAPI_FILE_TMP={envtmpdir}/{env:OPENAPI_FILE}
 commands =