Validate configuration file more strictly

andreaso · andreaso · commit f8ef5800076a · 2025-11-08T13:33:02.000+01:00
diff --git a/ssh_zone_handler/types.py b/ssh_zone_handler/types.py
@@ -1,9 +1,16 @@
 """Custom types"""
 
-from typing import Final, Literal
+from typing import Annotated, Final, Literal
 
 from pydantic import BaseModel, Field, ValidationInfo, field_validator
 
+SystemUser = Annotated[str, Field(pattern=r"^[a-z0-9_][a-z0-9_-]*[a-z0-9]$")]
+ServiceUnit = Annotated[str, Field(pattern=r"^[a-z0-9][a-z0-9_-]*[a-z0-9]\.service$")]
+FwdZone = Annotated[str, Field(pattern=r"^([a-z0-9][a-z0-9-]+[a-z0-9]\.)+[a-z]+$")]
+Ptr4Zone = Annotated[str, Field(pattern=r"^[0-9/]+\.([0-9]+\.)+in-addr\.arpa$")]
+Ptr6Zone = Annotated[str, Field(pattern=r"^([a-f0-9]\.)+ip6\.arpa$")]
+Zone = FwdZone | Ptr4Zone | Ptr6Zone
+
 SERVICE_DEFAULTS: Final[dict[str, dict[str, str]]] = {
     "bind": {
         "unit": "named.service",
@@ -16,17 +23,17 @@
 }
 
 
-class SystemConf(BaseModel):
+class SystemConf(BaseModel, extra="forbid", frozen=True):
     """
     Subset of ZoneHandlerConf
     """
 
-    log_access_user: str
+    log_access_user: SystemUser
     server_type: Literal["bind", "knot"]
-    server_user: str = Field(default="", validate_default=True)
-    systemd_unit: str = Field(default="", validate_default=True)
+    server_user: SystemUser = Field(default="", validate_default=True)
+    systemd_unit: ServiceUnit = Field(default="", validate_default=True)
 
-    @field_validator("server_user", mode="after")
+    @field_validator("server_user", mode="before")
     def _default_user(cls, user: str, values: ValidationInfo) -> str:
         if not user:
             try:
@@ -35,7 +42,7 @@ def _default_user(cls, user: str, values: ValidationInfo) -> str:
                 user = "nobody"
         return user
 
-    @field_validator("systemd_unit", mode="after")
+    @field_validator("systemd_unit", mode="before")
     def _default_unit(cls, systemd_unit: str, values: ValidationInfo) -> str:
         if not systemd_unit:
             try:
@@ -45,10 +52,10 @@ def _default_unit(cls, systemd_unit: str, values: ValidationInfo) -> str:
         return systemd_unit
 
 
-class ZoneHandlerConf(BaseModel):
+class ZoneHandlerConf(BaseModel, extra="forbid", frozen=True):
     """
-    zone-handler.json structure
+    zone-handler.yaml structure
     """
 
     system: SystemConf
-    zones: dict[str, list[str]]
+    zones: dict[str, list[Zone]]
diff --git a/tests/test_ssh_zone_handler.py b/tests/test_ssh_zone_handler.py
@@ -102,7 +102,7 @@ def test_cli_zone_sudoers(caplog, capsys):
         sudoers(Path("./tests/data/outdated-config.yaml"))
     captured_outdated = caplog.text
     assert (
-        "Invalid server side config file\n\n1 validation error for ZoneHandlerConf"
+        "Invalid server side config file\n\n2 validation errors for ZoneHandlerConf"
         in captured_outdated
     )
 

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ def test_cli_zone_sudoers(caplog, capsys):`
`102`	`102`	`sudoers(Path("./tests/data/outdated-config.yaml"))`
`103`	`103`	`captured_outdated = caplog.text`
`104`	`104`	`assert (`
`105`		`- "Invalid server side config file\n\n1 validation error for ZoneHandlerConf"`
	`105`	`+ "Invalid server side config file\n\n2 validation errors for ZoneHandlerConf"`
`106`	`106`	`in captured_outdated`
`107`	`107`	`)`
`108`	`108`