* [pbs-devel] [PATCH proxmox-backup v2] fix #5190: api-types: openid acr format regex
@ 2024-02-06 10:09 Gabriel Goller
2024-02-08 17:22 ` [pbs-devel] applied: " Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Gabriel Goller @ 2024-02-06 10:09 UTC (permalink / raw)
To: pbs-devel
Allow more complex strings for the acr-value when using openid. The
openid documentation only specifies the acr-value *should* be an URI [0].
Implemented a regex that loosely disallows some of the reserved URI
characters specified in the RFC [1].
Currently values like:
- "urn:mace:incommon:iap:silver"
- "urn:comsolve.nl:idp:contract:rba:location"
do NOT work, although they are correct URI's and common acr tokens.
[0]: https://openid.net/specs/openid-connect-core-1_0.html
[1]: https://www.rfc-editor.org/rfc/rfc2396.txt
Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
---
v1 -> v2 changes:
* added more context, renamed variable
pbs-api-types/src/lib.rs | 5 +++++
pbs-api-types/src/openid.rs | 7 ++++---
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 795ff2a6..88e8f44d 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -178,6 +178,11 @@ const_regex! {
/// any identifier command line tools work with.
pub PROXMOX_SAFE_ID_REGEX = concat!(r"^", PROXMOX_SAFE_ID_REGEX_STR!(), r"$");
+ /// Regex that (loosely) matches URIs according to [RFC 2396](https://www.rfc-editor.org/rfc/rfc2396.txt)
+ /// This does not completely match a URI, but rather disallows all the prohibited characters
+ /// specified in the RFC.
+ pub GENERIC_URI_REGEX = r#"^[^\x00-\x1F\x7F <>#"]*$"#;
+
pub SINGLE_LINE_COMMENT_REGEX = r"^[[:^cntrl:]]*$";
pub MULTI_LINE_COMMENT_REGEX = r"(?m)^([[:^cntrl:]]*)$";
diff --git a/pbs-api-types/src/openid.rs b/pbs-api-types/src/openid.rs
index 2c7646a3..2c95c5c6 100644
--- a/pbs-api-types/src/openid.rs
+++ b/pbs-api-types/src/openid.rs
@@ -3,7 +3,8 @@ use serde::{Deserialize, Serialize};
use proxmox_schema::{api, ApiStringFormat, ArraySchema, Schema, StringSchema, Updater};
use super::{
- PROXMOX_SAFE_ID_FORMAT, PROXMOX_SAFE_ID_REGEX, REALM_ID_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA,
+ GENERIC_URI_REGEX, PROXMOX_SAFE_ID_FORMAT, PROXMOX_SAFE_ID_REGEX, REALM_ID_SCHEMA,
+ SINGLE_LINE_COMMENT_SCHEMA,
};
pub const OPENID_SCOPE_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&PROXMOX_SAFE_ID_REGEX);
@@ -24,11 +25,11 @@ pub const OPENID_SCOPE_LIST_SCHEMA: Schema = StringSchema::new("OpenID Scope Lis
.default(OPENID_DEFAILT_SCOPE_LIST)
.schema();
-pub const OPENID_ACR_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&PROXMOX_SAFE_ID_REGEX);
+pub const OPENID_ACR_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&GENERIC_URI_REGEX);
pub const OPENID_ACR_SCHEMA: Schema =
StringSchema::new("OpenID Authentication Context Class Reference.")
- .format(&OPENID_SCOPE_FORMAT)
+ .format(&OPENID_ACR_FORMAT)
.schema();
pub const OPENID_ACR_ARRAY_SCHEMA: Schema =
--
2.43.0
^ permalink raw reply [flat|nested] 2+ messages in thread
* [pbs-devel] applied: [PATCH proxmox-backup v2] fix #5190: api-types: openid acr format regex
2024-02-06 10:09 [pbs-devel] [PATCH proxmox-backup v2] fix #5190: api-types: openid acr format regex Gabriel Goller
@ 2024-02-08 17:22 ` Thomas Lamprecht
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2024-02-08 17:22 UTC (permalink / raw)
To: Proxmox Backup Server development discussion, Gabriel Goller
Am 06/02/2024 um 11:09 schrieb Gabriel Goller:
> Allow more complex strings for the acr-value when using openid. The
> openid documentation only specifies the acr-value *should* be an URI [0].
> Implemented a regex that loosely disallows some of the reserved URI
> characters specified in the RFC [1].
>
> Currently values like:
> - "urn:mace:incommon:iap:silver"
> - "urn:comsolve.nl:idp:contract:rba:location"
> do NOT work, although they are correct URI's and common acr tokens.
>
> [0]: https://openid.net/specs/openid-connect-core-1_0.html
> [1]: https://www.rfc-editor.org/rfc/rfc2396.txt
>
> Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
> ---
>
> v1 -> v2 changes:
> * added more context, renamed variable
>
> pbs-api-types/src/lib.rs | 5 +++++
> pbs-api-types/src/openid.rs | 7 ++++---
> 2 files changed, 9 insertions(+), 3 deletions(-)
>
>
applied, reflowed the commit message to fit in < 70 characters per
line, as per our dev docs [0], and added a reference to the PVE
change (can only help), thanks!
[0]: https://pve.proxmox.com/wiki/Developer_Documentation#Commits_and_Commit_Messages
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-02-08 17:22 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-06 10:09 [pbs-devel] [PATCH proxmox-backup v2] fix #5190: api-types: openid acr format regex Gabriel Goller
2024-02-08 17:22 ` [pbs-devel] applied: " Thomas Lamprecht
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox