[pbs-devel] [PATCH proxmox-backup v2] fix #5190: api-types: openid acr format regex

[Gabriel Goller]

Allow more complex strings for the acr-value when using openid. The
openid documentation only specifies the acr-value *should* be an URI [0].
Implemented a regex that loosely disallows some of the reserved URI
characters specified in the RFC [1].

Currently values like:
- "urn:mace:incommon:iap:silver"
- "urn:comsolve.nl:idp:contract:rba:location"
do NOT work, although they are correct URI's and common acr tokens.

[0]: https://openid.net/specs/openid-connect-core-1_0.html
[1]: https://www.rfc-editor.org/rfc/rfc2396.txt

Signed-off-by: Gabriel Goller <g.goller at proxmox.com>
---

v1 -> v2 changes:
 * added more context, renamed variable

 pbs-api-types/src/lib.rs    | 5 +++++
 pbs-api-types/src/openid.rs | 7 ++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 795ff2a6..88e8f44d 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -178,6 +178,11 @@ const_regex! {
     /// any identifier command line tools work with.
     pub PROXMOX_SAFE_ID_REGEX = concat!(r"^", PROXMOX_SAFE_ID_REGEX_STR!(), r"$");
 
+    /// Regex that (loosely) matches URIs according to [RFC 2396](https://www.rfc-editor.org/rfc/rfc2396.txt)
+    /// This does not completely match a URI, but rather disallows all the prohibited characters
+    /// specified in the RFC.
+    pub GENERIC_URI_REGEX = r#"^[^\x00-\x1F\x7F <>#"]*$"#;
+
     pub SINGLE_LINE_COMMENT_REGEX = r"^[[:^cntrl:]]*$";
 
     pub MULTI_LINE_COMMENT_REGEX = r"(?m)^([[:^cntrl:]]*)$";
diff --git a/pbs-api-types/src/openid.rs b/pbs-api-types/src/openid.rs
index 2c7646a3..2c95c5c6 100644
--- a/pbs-api-types/src/openid.rs
+++ b/pbs-api-types/src/openid.rs
@@ -3,7 +3,8 @@ use serde::{Deserialize, Serialize};
 use proxmox_schema::{api, ApiStringFormat, ArraySchema, Schema, StringSchema, Updater};
 
 use super::{
-    PROXMOX_SAFE_ID_FORMAT, PROXMOX_SAFE_ID_REGEX, REALM_ID_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA,
+    GENERIC_URI_REGEX, PROXMOX_SAFE_ID_FORMAT, PROXMOX_SAFE_ID_REGEX, REALM_ID_SCHEMA,
+    SINGLE_LINE_COMMENT_SCHEMA,
 };
 
 pub const OPENID_SCOPE_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&PROXMOX_SAFE_ID_REGEX);
@@ -24,11 +25,11 @@ pub const OPENID_SCOPE_LIST_SCHEMA: Schema = StringSchema::new("OpenID Scope Lis
     .default(OPENID_DEFAILT_SCOPE_LIST)
     .schema();
 
-pub const OPENID_ACR_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&PROXMOX_SAFE_ID_REGEX);
+pub const OPENID_ACR_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&GENERIC_URI_REGEX);
 
 pub const OPENID_ACR_SCHEMA: Schema =
     StringSchema::new("OpenID Authentication Context Class Reference.")
-        .format(&OPENID_SCOPE_FORMAT)
+        .format(&OPENID_ACR_FORMAT)
         .schema();
 
 pub const OPENID_ACR_ARRAY_SCHEMA: Schema =
-- 
2.43.0