From 8fabade99deef15c502b1a987e646a055fd8b625 Mon Sep 17 00:00:00 2001
From: Gabriel Goller
Date: Tue, 6 Feb 2024 11:09:07 +0100
Subject: [PATCH] fix #5190: api: OIDC: accept generic URIs for the ACR value

Allow more complex strings for the acr-value when using openid. The openid documentation only specifies the acr-value *should* be an URI [0]. Implemented a regex that loosely disallows some of the reserved URI characters specified in the RFC [1].

Currently values like:
- "urn:mace:incommon:iap:silver"
- "urn:comsolve.nl:idp:contract:rba:location"
do NOT work, although they are correct URI's and common acr tokens.

For Proxmox VE we had to actually make this more strict to align with each other, as there we accepted any string.

[0]: https://openid.net/specs/openid-connect-core-1_0.html
[1]: https://www.rfc-editor.org/rfc/rfc2396.txt

Signed-off-by: Gabriel Goller
---
 pbs-api-types/src/lib.rs | 5 +++++
 pbs-api-types/src/openid.rs | 7 ++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 795ff2a6..88e8f44d 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -178,6 +178,11 @@ const_regex! {
 /// any identifier command line tools work with.
 pub PROXMOX_SAFE_ID_REGEX = concat!(r"^", PROXMOX_SAFE_ID_REGEX_STR!(), r"$");
+ /// Regex that (loosely) matches URIs according to [RFC 2396](https://www.rfc-editor.org/rfc/rfc2396.txt)
+ /// This does not completely match a URI, but rather disallows all the prohibited characters
+ /// specified in the RFC.
+ pub GENERIC_URI_REGEX = r#"^[^\x00-\x1F\x7F <>#"]*$"#;
+
 pub SINGLE_LINE_COMMENT_REGEX = r"^[[:^cntrl:]]*$";
 pub MULTI_LINE_COMMENT_REGEX = r"(?m)^([[:^cntrl:]]*)$";
diff --git a/pbs-api-types/src/openid.rs b/pbs-api-types/src/openid.rs
index 2c7646a3..2c95c5c6 100644
--- a/pbs-api-types/src/openid.rs
+++ b/pbs-api-types/src/openid.rs
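Review bot: The doc comment on `GENERIC_URI_REGEX` overstates what the pattern enforces: it says the regex "disallows all the prohibited characters specified in the RFC", but the class `[^\x00-\x1F\x7F <>#"]` only rejects control characters, space and the RFC 2396 §2.4.3 `delims` set minus `%` (which has to stay allowed for percent-escapes); the `unwise` set from the same section (`{`, `}`, `|`, `\`, `^`, `[`, `]`, backtick) is still accepted, which matches the commit message's "loosely disallows some" but not the comment. The `*` quantifier also lets the empty string through, so the format by itself no longer guarantees a non-empty value. If the comment is the intended contract, `pub GENERIC_URI_REGEX = r#"^[^\x00-\x1F\x7F <>#"{}|\\^\[\]`]+$"#;` closes both gaps (note `[`/`]` are legitimate in RFC 2732 IPv6 host literals, which is presumably irrelevant for ACR URNs but worth a conscious decision); otherwise reword the comment to `/// Rejects control characters, space and the RFC 2396 delimiters <>#" ; the RFC's "unwise" characters and % are still accepted.` so readers do not assume a stricter filter than exists.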
@@ -3,7 +3,8 @@ use serde::{Deserialize, Serialize};
 use proxmox_schema::{api, ApiStringFormat, ArraySchema, Schema, StringSchema, Updater};
 use super::{
- PROXMOX_SAFE_ID_FORMAT, PROXMOX_SAFE_ID_REGEX, REALM_ID_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA,
+ GENERIC_URI_REGEX, PROXMOX_SAFE_ID_FORMAT, PROXMOX_SAFE_ID_REGEX, REALM_ID_SCHEMA,
+ SINGLE_LINE_COMMENT_SCHEMA,
 };
 pub const OPENID_SCOPE_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&PROXMOX_SAFE_ID_REGEX);
@@ -24,11 +25,11 @@ pub const OPENID_SCOPE_LIST_SCHEMA: Schema = StringSchema::new("OpenID Scope Lis
 .default(OPENID_DEFAILT_SCOPE_LIST)
 .schema();
-pub const OPENID_ACR_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&PROXMOX_SAFE_ID_REGEX);
+pub const OPENID_ACR_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&GENERIC_URI_REGEX);
 pub const OPENID_ACR_SCHEMA: Schema =
 StringSchema::new("OpenID Authentication Context Class Reference.")
- .format(&OPENID_SCOPE_FORMAT)
+ .format(&OPENID_ACR_FORMAT)
 .schema();
 pub const OPENID_ACR_ARRAY_SCHEMA: Schema =
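Review bot: `OPENID_ACR_SCHEMA` now accepts an empty string, because the new `GENERIC_URI_REGEX` matches zero characters and the schema chain `StringSchema::new(...).format(&OPENID_ACR_FORMAT).schema()` carries no length bounds; the `PROXMOX_SAFE_ID_REGEX` it replaces required at least one character, as far as I recall. An empty entry in the ACR list would presumably be forwarded to the provider as a meaningless `acr_values` element instead of being rejected when the realm is configured. Adding `.min_length(1)` (and a `.max_length` consistent with the other string schemas in this file) between `.format(&OPENID_ACR_FORMAT)` and `.schema()` restores the non-empty guarantee independently of the regex. The fix of `.format(&OPENID_SCOPE_FORMAT)` to `.format(&OPENID_ACR_FORMAT)` is correct and worth a one-line mention in the commit message, since it is a separate pre-existing bug.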