Bug 2150217

Summary: [RFE] Descriptive error message in ipa user-add
Product: Red Hat Enterprise Linux 8
Reporter: Sunny Wu <suwu>
Component: ipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA
QA Contact: Ganna Kaihorodova <gkaihoro>
Severity: low
Docs Contact:
Priority: unspecified
Version: 8.7
CC: ebelko, gkaihoro, rcritten, rjeffman, sumenon, tscherf
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version: ipa-4.9.12-2.module+el8.9.0+18921+013c0de2
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-11-14 15:32:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sunny Wu 2022-12-02 06:32:06 UTC
Description of problem:

Run "ipa user-add" to add a username without a letter.

The error message is not very descriptive. In the examples below, all input strings meet the requirements specified in the error message, i.e. the strings contain numbers, -, _, . and/or $ (a letter is absent from all provided strings).

The error message should clearly indicate that the username must contain at least one letter.

# ipa user-add '$_-1234567' --first=User --last=Last
ipa: ERROR: invalid 'login': may only include letters, numbers, _, -, . and $

# ipa user-add '$_1234567' --first=User --last=Last
ipa: ERROR: invalid 'login': may only include letters, numbers, _, -, . and $

# ipa user-add '$1234567' --first=User --last=Last
ipa: ERROR: invalid 'login': may only include letters, numbers, _, -, . and $

# ipa user-add '1234567' --first=User --last=Last
ipa: ERROR: invalid 'login': may only include letters, numbers, _, -, . and $

# ipa user-add '$_1234567.' --first=User --last=Last
ipa: ERROR: invalid 'login': may only include letters, numbers, _, -, . and $

Version-Release number of selected component (if applicable):
ipa-client-4.9.8-8.module+el8.6.0+16878+6c033536.x86_64
ipa-client-common-4.9.8-8.module+el8.6.0+16878+6c033536.noarch
ipa-common-4.9.8-8.module+el8.6.0+16878+6c033536.noarch
ipa-healthcheck-0.7-10.module+el8.6.0+14292+18b36d36.noarch
ipa-healthcheck-core-0.7-10.module+el8.6.0+14292+18b36d36.noarch
ipa-selinux-4.9.8-8.module+el8.6.0+16878+6c033536.noarch
ipa-server-4.9.8-8.module+el8.6.0+16878+6c033536.x86_64
ipa-server-common-4.9.8-8.module+el8.6.0+16878+6c033536.noarch
ipa-server-dns-4.9.8-8.module+el8.6.0+16878+6c033536.noarch
ipa-server-trust-ad-4.9.8-8.module+el8.6.0+16878+6c033536.x86_64

Comment 2 Sunny Wu 2022-12-02 06:59:53 UTC
The criteria for usernames changed in https://bugzilla.redhat.com/show_bug.cgi?id=1562396, but the error message has not been updated to reflect the change.

Comment 3 Florence Blanc-Renaud 2022-12-05 16:22:22 UTC
The login name must match the following Python regexp: '(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
(from https://pagure.io/freeipa/blob/master/f/ipalib/constants.py PATTERN_GROUPUSER_NAME)

This translates into:
- Cannot contain only numbers
- Can start with letters, numbers, _ or .
- Can contain letters, numbers, _, . or -
- Can end with letters, numbers, _, ., $ or -

The fix could describe all the rules in the help for "ipa user" + replace the current message with a reference to the help, for instance:
# ipa user-add _123@
ipa: ERROR: invalid 'login': refer to ipa help user for valid usernames

Currently we have:
----- 8< -----
# ipa help user
Users

Manage user entries. All users are POSIX users.

IPA supports a wide range of username formats, but you need to be aware of any
restrictions that may apply to your particular environment. For example,
usernames that start with a digit or usernames that exceed a certain length
may cause problems for some UNIX systems.
----- 8< -----
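
An added example (not FreeIPA's code and not part of the comment above): it applies the pattern quoted in comment 3 to the names tried in this report and states which rule each one breaks, the kind of descriptive message this RFE asks for. The function name `explain_rejection` and the message wording are assumptions; `_1234567` and `a$b` are constructed inputs.

```python
import re
import string

# Pattern as quoted in comment 3 (ipalib/constants.py, PATTERN_GROUPUSER_NAME).
PATTERN_GROUPUSER_NAME = (
    r'(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
)
NAME_RE = re.compile(PATTERN_GROUPUSER_NAME)

# Character classes of the three positions in the pattern.
FIRST = set(string.ascii_letters + string.digits + "_.")
MIDDLE = FIRST | {"-"}
LAST = MIDDLE | {"$"}


def explain_rejection(name):
    """Return None if the pattern accepts `name`, else the rule it breaks.

    Hypothetical helper: the regex stays the single source of truth and the
    per-rule checks only run to explain a failure.
    """
    if NAME_RE.match(name):
        return None
    if not name:
        return "must not be empty"
    if name.isascii() and name.isdigit():
        return "cannot contain only numbers"
    if name[0] not in FIRST:
        return f"cannot start with {name[0]!r}"
    for pos, ch in enumerate(name[1:-1], start=1):
        if ch not in MIDDLE:
            return f"cannot contain {ch!r} at position {pos}"
    if name[-1] not in LAST:
        return f"cannot end with {name[-1]!r}"
    return "does not match the pattern"


if __name__ == "__main__":
    # Names from the report and comments, plus two constructed ones.
    samples = ["$_-1234567", "$_1234567", "$1234567", "1234567",
               "$_1234567.", "_123@", "123", "_1234567", "a$b"]
    for name in samples:
        reason = explain_rejection(name)
        print(f"{name!r}: {'accepted' if reason is None else reason}")
```

Every name from the description is refused either for starting with `$` or for being all digits, while the constructed `_1234567` is accepted by the pattern.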

Comment 4 Sunny Wu 2022-12-07 04:02:51 UTC
Is the same message used in "group_name"?

~~~
# ipa group-add 123
ipa: ERROR: invalid 'group_name': may only include letters, numbers, _, -, . and $
~~~

Comment 5 Florence Blanc-Renaud 2022-12-07 11:11:01 UTC
(In reply to Sunny Wu from comment #4)
> Is the same message used in "group_name"?
> 
> ~~~
> # ipa group-add 123
> ipa: ERROR: invalid 'group_name': may only include letters, numbers, _, -, .
> and $
> ~~~

The same pattern check is applied and the same message is used.

For users: https://pagure.io/freeipa/blob/2a9919afbd782326580ab52494c917b51023a1c9/f/ipaserver/plugins/baseuser.py#_212-214
        Str('uid',
            pattern=constants.PATTERN_GROUPUSER_NAME,
            pattern_errmsg='may only include letters, numbers, _, -, . and $',

For groups: https://pagure.io/freeipa/blob/2a9919afbd782326580ab52494c917b51023a1c9/f/ipaserver/plugins/group.py#_331-333	
        Str('cn',
            pattern=PATTERN_GROUPUSER_NAME,
            pattern_errmsg='may only include letters, numbers, _, -, . and $',

Comment 7 Florence Blanc-Renaud 2023-05-11 08:56:00 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/9378

Comment 8 Florence Blanc-Renaud 2023-05-22 18:24:40 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/7b0ad59feaf7ad017799c89010a95c2f6f55699d

Comment 9 Florence Blanc-Renaud 2023-05-23 18:55:58 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/f42a106e84c1fd609350da2540289ce945a7ecbd

Comment 10 Florence Blanc-Renaud 2023-05-23 19:00:05 UTC
Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/7830ab96cc295e4151ad3d86cbbaf400a7ab2016

Comment 16 errata-xmlrpc 2023-11-14 15:32:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6977