fix #5190: api: OIDC: accept generic URIs for the ACR value

Allow more complex strings for the acr-value when using openid. The openid documentation only specifies the acr-value *should* be an URI [0]. Implemented a regex that loosely disallows some of the reserved URI characters specified in the RFC [1]. Currently values like: - "urn:mace:incommon:iap:silver" - "urn:comsolve.nl:idp:contract:rba:location" do NOT work, although they are correct URI's and common acr tokens. For Proxmox VE we had to actually make this more strict to align with each other, as there we accepted any string. [0]: https://openid.net/specs/openid-connect-core-1_0.html [1]: https://www.rfc-editor.org/rfc/rfc2396.txt Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
2025-01-24 02:04:14 +03:00 · 2024-02-06 11:09:07 +01:00 · 2024-02-06 11:09:07 +01:00 · e0222ce83c
commit e0222ce83c
parent 24146067f0
2 changed files with 9 additions and 3 deletions
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@ -178,6 +178,11 @@ const_regex! {
    /// any identifier command line tools work with.
    pub PROXMOX_SAFE_ID_REGEX = concat!(r"^", PROXMOX_SAFE_ID_REGEX_STR!(), r"$");

+    /// Regex that (loosely) matches URIs according to [RFC 2396](https://www.rfc-editor.org/rfc/rfc2396.txt)
+    /// This does not completely match a URI, but rather disallows all the prohibited characters
+    /// specified in the RFC.
+    pub GENERIC_URI_REGEX = r#"^[^\x00-\x1F\x7F <>#"]*$"#;
+
    pub SINGLE_LINE_COMMENT_REGEX = r"^[[:^cntrl:]]*$";

    pub MULTI_LINE_COMMENT_REGEX = r"(?m)^([[:^cntrl:]]*)$";
--- a/pbs-api-types/src/openid.rs
+++ b/pbs-api-types/src/openid.rs
@ -3,7 +3,8 @@ use serde::{Deserialize, Serialize};
 use proxmox_schema::{api, ApiStringFormat, ArraySchema, Schema, StringSchema, Updater};

 use super::{
-    PROXMOX_SAFE_ID_FORMAT, PROXMOX_SAFE_ID_REGEX, REALM_ID_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA,
+    GENERIC_URI_REGEX, PROXMOX_SAFE_ID_FORMAT, PROXMOX_SAFE_ID_REGEX, REALM_ID_SCHEMA,
+    SINGLE_LINE_COMMENT_SCHEMA,
 };

 pub const OPENID_SCOPE_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&PROXMOX_SAFE_ID_REGEX);
@ -24,11 +25,11 @@ pub const OPENID_SCOPE_LIST_SCHEMA: Schema = StringSchema::new("OpenID Scope Lis
    .default(OPENID_DEFAILT_SCOPE_LIST)
    .schema();

-pub const OPENID_ACR_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&PROXMOX_SAFE_ID_REGEX);
+pub const OPENID_ACR_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&GENERIC_URI_REGEX);

 pub const OPENID_ACR_SCHEMA: Schema =
    StringSchema::new("OpenID Authentication Context Class Reference.")
-        .format(&OPENID_SCOPE_FORMAT)
+        .format(&OPENID_ACR_FORMAT)
        .schema();

 pub const OPENID_ACR_ARRAY_SCHEMA: Schema =