
Validate LDAP userSearch/groupSearch fields are well formed and contain a `{}` placeholder.

Status: Open. mattmoyer opened this issue 3 years ago • 0 comments

Scenario: malformed userSearch
Given I have the Supervisor installed
When I create an LDAPIdentityProvider with a malformed `userSearch` field
And I look at the status of my LDAPIdentityProvider
Then I see a status condition telling me my `userSearch` is invalid

Scenario: malformed groupSearch
Given I have the Supervisor installed
When I create an LDAPIdentityProvider with a malformed `groupSearch` field
And I look at the status of my LDAPIdentityProvider
Then I see a status condition telling me my `groupSearch` is invalid

Notes

We could try to parse the queries to make sure they are syntactically correct, and that they contain at least one `{}` placeholder.

Maybe there are other fields with LDAP queries (base?) that we can validate as well?

Original comment

Hi @anjaltelang,

Is the suggestion that we add a new validation which, upon loading of any LDAPIdentityProvider resource, complains loudly and does not allow the upstream LDAP IDP to be used if the spec.userSearch.filter does not contain any '{}' in the string (when a non-empty string was provided)?

We could consider the same validation for the LDAPIdentityProvider's spec.groupSearch.filter.

Validation errors could be written to the LDAPIdentityProvider's status.

Originally posted by @cfryanr in https://github.com/vmware-tanzu/pinniped/issues/710#issuecomment-879370805

mattmoyer, Jul 22 '21 15:07
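As an added example, not Pinniped's own code, here is what the validation sketched in the notes could look like in Go: a filter is rejected unless it contains the `{}` placeholder and, after a sample value is substituted for the placeholder, parses as an RFC 4515 search filter, so a malformed `spec.userSearch.filter` or `spec.groupSearch.filter` can be turned into a status condition before any LDAP connection is attempted. The function and type names, the choice to accept an empty filter as "use the default", the sample value `sample-user`, and the sample filters in `main` are assumptions of this example, not taken from the issue or the project.

```go
package main

import "fmt"
import "strings"

// placeholder is the token substituted with the username (or user DN) before the search runs.
const placeholder = "{}"

// ValidateSearchFilter checks a userSearch/groupSearch filter. An empty string is accepted
// as "use the default" (an assumption of this example); otherwise the filter must contain
// the placeholder and, with it replaced by a sample value, parse as an RFC 4515 filter.
func ValidateSearchFilter(filter string) error {
	if filter == "" {
		return nil
	}
	if !strings.Contains(filter, placeholder) {
		return fmt.Errorf("filter %q does not contain the %s placeholder", filter, placeholder)
	}
	p := &parser{s: strings.ReplaceAll(filter, placeholder, "sample-user")}
	if err := p.parseFilter(); err != nil {
		return fmt.Errorf("filter %q is malformed: %w", filter, err)
	}
	if p.pos != len(p.s) {
		return fmt.Errorf("filter %q has trailing characters at position %d", filter, p.pos)
	}
	return nil
}

// parser is a recursive-descent syntax checker for
// filter = "(" ( ("&" / "|") filter* / "!" filter / attr op value ) ")". No schema is consulted.
type parser struct {
	s   string
	pos int
}

func (p *parser) peek() byte {
	if p.pos < len(p.s) {
		return p.s[p.pos]
	}
	return 0
}

func (p *parser) parseFilter() error {
	if p.peek() != '(' {
		return fmt.Errorf("expected '(' at position %d", p.pos)
	}
	p.pos++
	switch p.peek() {
	case '&', '|': // RFC 4526 also permits the empty sets "(&)" and "(|)"
		p.pos++
		for p.peek() == '(' {
			if err := p.parseFilter(); err != nil {
				return err
			}
		}
	case '!':
		p.pos++
		if err := p.parseFilter(); err != nil {
			return err
		}
	default:
		if err := p.parseItem(); err != nil {
			return err
		}
	}
	if p.peek() != ')' {
		return fmt.Errorf("expected ')' at position %d", p.pos)
	}
	p.pos++
	return nil
}

// parseItem consumes "attr<op>value" (op is one of = ~= >= <= :=). The value runs to the
// closing ')', and a backslash must be followed by two hex digits, as RFC 4515 requires.
func (p *parser) parseItem() error {
	start := p.pos
	for p.pos < len(p.s) && strings.IndexByte("=()", p.s[p.pos]) < 0 {
		p.pos++
	}
	if p.peek() != '=' || strings.TrimRight(p.s[start:p.pos], "~><:") == "" {
		return fmt.Errorf("expected an attr=value item at position %d", start)
	}
	p.pos++ // skip '='
	for ; p.pos < len(p.s) && p.s[p.pos] != ')' && p.s[p.pos] != '('; p.pos++ {
		if p.s[p.pos] == '\\' { // RFC 4515 escape: backslash plus exactly two hex digits
			if p.pos+2 >= len(p.s) || strings.Trim(p.s[p.pos+1:p.pos+3], "0123456789abcdefABCDEF") != "" {
				return fmt.Errorf("bad escape sequence at position %d", p.pos)
			}
			p.pos += 2 // the loop's post statement skips the backslash itself
		}
	}
	return nil
}

func main() {
	for _, f := range []string{"(uid={})", "(&(objectClass=person)(uid={}))", "(uid=someone)", "(&(uid={})"} { // constructed samples
		fmt.Printf("%q -> %v\n", f, ValidateSearchFilter(f))
	}
}
```

The check is purely structural: unbalanced parentheses, a missing `{}`, a bare `uid={}` without the enclosing parentheses, a truncated escape such as `\z`, or characters after the final `)` are all reported with a position, which is the kind of detail worth surfacing in the status condition. A filter that is well formed but names an attribute the directory does not have is not something the spec alone can reveal, so this complements rather than replaces whatever is learned at search time.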