* [pbs-devel] [PATCH proxmox-backup v2] fix #5190: api-types: openid acr format regex
@ 2024-02-06 10:09 Gabriel Goller
2024-02-08 17:22 ` [pbs-devel] applied: " Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Gabriel Goller @ 2024-02-06 10:09 UTC
To: pbs-devel
Allow more complex strings for the acr-value when using openid. The
openid documentation only specifies the acr-value *should* be a URI [0].
Implemented a regex that loosely disallows some of the reserved URI
characters specified in the RFC [1].
Currently values like:
- "urn:mace:incommon:iap:silver"
- "urn:comsolve.nl:idp:contract:rba:location"
do NOT work, although they are correct URIs and common acr tokens.
[0]: https://openid.net/specs/openid-connect-core-1_0.html
[1]: https://www.rfc-editor.org/rfc/rfc2396.txt
Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
---
v1 -> v2 changes:
* added more context, renamed variable
pbs-api-types/src/lib.rs | 5 +++++
pbs-api-types/src/openid.rs | 7 ++++---
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 795ff2a6..88e8f44d 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -178,6 +178,11 @@ const_regex! {
/// any identifier command line tools work with.
pub PROXMOX_SAFE_ID_REGEX = concat!(r"^", PROXMOX_SAFE_ID_REGEX_STR!(), r"$");
+ /// Regex that (loosely) matches URIs according to [RFC 2396](https://www.rfc-editor.org/rfc/rfc2396.txt)
+ /// This does not completely match a URI, but rather disallows all the prohibited characters
+ /// specified in the RFC.
+ pub GENERIC_URI_REGEX = r#"^[^\x00-\x1F\x7F <>#"]*$"#;
+
pub SINGLE_LINE_COMMENT_REGEX = r"^[[:^cntrl:]]*$";
pub MULTI_LINE_COMMENT_REGEX = r"(?m)^([[:^cntrl:]]*)$";
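Review bot: The doc comment on GENERIC_URI_REGEX claims the pattern "disallows all the prohibited characters specified in the RFC", but the class `[^\x00-\x1F\x7F <>#"]` only rejects control characters, space, `<`, `>`, `#` and `"`. RFC 2396 section 2.4.3 also excludes the "unwise" characters (`{`, `}`, `|`, `\`, `^`, `[`, `]` and the backtick), all of which this pattern accepts, and the `*` quantifier lets an empty string through. Either extend the class or reword the comment to "some of", as the commit message already does; if an empty acr value has no meaning, `+` is the safer quantifier. The first doc line also has no terminating period, so rustdoc will run it into the following sentence.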
diff --git a/pbs-api-types/src/openid.rs b/pbs-api-types/src/openid.rs
index 2c7646a3..2c95c5c6 100644
--- a/pbs-api-types/src/openid.rs
+++ b/pbs-api-types/src/openid.rs
@@ -3,7 +3,8 @@ use serde::{Deserialize, Serialize};
use proxmox_schema::{api, ApiStringFormat, ArraySchema, Schema, StringSchema, Updater};
use super::{
- PROXMOX_SAFE_ID_FORMAT, PROXMOX_SAFE_ID_REGEX, REALM_ID_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA,
+ GENERIC_URI_REGEX, PROXMOX_SAFE_ID_FORMAT, PROXMOX_SAFE_ID_REGEX, REALM_ID_SCHEMA,
+ SINGLE_LINE_COMMENT_SCHEMA,
};
pub const OPENID_SCOPE_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&PROXMOX_SAFE_ID_REGEX);
@@ -24,11 +25,11 @@ pub const OPENID_SCOPE_LIST_SCHEMA: Schema = StringSchema::new("OpenID Scope Lis
.default(OPENID_DEFAILT_SCOPE_LIST)
.schema();
-pub const OPENID_ACR_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&PROXMOX_SAFE_ID_REGEX);
+pub const OPENID_ACR_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&GENERIC_URI_REGEX);
pub const OPENID_ACR_SCHEMA: Schema =
StringSchema::new("OpenID Authentication Context Class Reference.")
- .format(&OPENID_SCOPE_FORMAT)
+ .format(&OPENID_ACR_FORMAT)
.schema();
pub const OPENID_ACR_ARRAY_SCHEMA: Schema =
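Review bot: No test accompanies the switch of OPENID_ACR_FORMAT to GENERIC_URI_REGEX; the two URNs from the commit message, together with a value containing a space or `#`, would make natural accept and reject cases. The second change in this hunk, `.format(&OPENID_SCOPE_FORMAT)` to `.format(&OPENID_ACR_FORMAT)`, shows that OPENID_ACR_SCHEMA was not using OPENID_ACR_FORMAT before, so editing the constant alone would have had no effect on validation. That deserves a sentence in the commit message.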
--
2.43.0
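The character class from the patch, re-implemented with the standard library only so its accept and reject behaviour can be checked directly. This is an added example, not code from the patch or from proxmox-backup; the function names `matches_generic_uri` and `admitted_but_unwise` and all sample values other than the two URNs from the commit message are constructed for illustration.

```rust
// Added example (not project code): std-only equivalent of the pattern
// r#"^[^\x00-\x1F\x7F <>#"]*$"# introduced as GENERIC_URI_REGEX.

/// True when no character of `s` falls in the rejected class.
/// Like the pattern's `*` quantifier, this accepts the empty string.
fn matches_generic_uri(s: &str) -> bool {
    s.chars().all(|c| {
        !matches!(c, '\x00'..='\x1F' | '\x7F' | ' ' | '<' | '>' | '#' | '"')
    })
}

/// The "unwise" characters of RFC 2396 section 2.4.3, which the
/// pattern does not reject.
const UNWISE: &[char] = &['{', '}', '|', '\\', '^', '[', ']', '`'];

/// Characters of `s` that pass the pattern although RFC 2396 excludes them.
fn admitted_but_unwise(s: &str) -> Vec<char> {
    s.chars().filter(|c| UNWISE.contains(c)).collect()
}

fn main() {
    // The first two values come from the commit message; the rest are
    // constructed samples.
    let samples = [
        "urn:mace:incommon:iap:silver",
        "urn:comsolve.nl:idp:contract:rba:location",
        "",
        "urn:example with space",
        "urn:example#fragment",
        "urn:example:{level}|high",
    ];
    for v in samples {
        println!(
            "{:?}: accepted={} unwise={:?}",
            v,
            matches_generic_uri(v),
            admitted_but_unwise(v)
        );
    }
}
```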
* [pbs-devel] applied: [PATCH proxmox-backup v2] fix #5190: api-types: openid acr format regex
From: Thomas Lamprecht @ 2024-02-08 17:22 UTC
To: Proxmox Backup Server development discussion, Gabriel Goller
On 06/02/2024 at 11:09, Gabriel Goller wrote:
> Allow more complex strings for the acr-value when using openid. The
> openid documentation only specifies the acr-value *should* be a URI [0].
> Implemented a regex that loosely disallows some of the reserved URI
> characters specified in the RFC [1].
>
> Currently values like:
> - "urn:mace:incommon:iap:silver"
> - "urn:comsolve.nl:idp:contract:rba:location"
> do NOT work, although they are correct URIs and common acr tokens.
>
> [0]: https://openid.net/specs/openid-connect-core-1_0.html
> [1]: https://www.rfc-editor.org/rfc/rfc2396.txt
>
> Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
> ---
>
> v1 -> v2 changes:
> * added more context, renamed variable
>
> pbs-api-types/src/lib.rs | 5 +++++
> pbs-api-types/src/openid.rs | 7 ++++---
> 2 files changed, 9 insertions(+), 3 deletions(-)
>
>
applied, reflowed the commit message to fit in < 70 characters per
line, as per our dev docs [0], and added a reference to the PVE
change (can only help), thanks!
[0]: https://pve.proxmox.com/wiki/Developer_Documentation#Commits_and_Commit_Messages