Fix auth config oidc scope regex #20483
Conversation
Codecov Report: All modified and coverable lines are covered by tests ✅
Additional details and impacted files:
@@ Coverage Diff @@
## main #20483 +/- ##
===========================================
+ Coverage 45.36% 66.09% +20.72%
===========================================
Files 244 1049 +805
Lines 13333 114649 +101316
Branches 2719 2867 +148
===========================================
+ Hits 6049 75776 +69727
- Misses 6983 34730 +27747
- Partials 301 4143 +3842
Flags with carried forward coverage won't be shown.
LGTM
It's compatible with the previous regex. This just further extends the list of allowed characters. @Vad1mo Previously we had \w, which represents a-zA-Z0-9_. In the new one we extend this list with all ASCII characters between space ( ) and tilde (~). The only exceptions are double quote ("), backslash (\), and space ( ). You can see the tests here: https://regex101.com/r/IrNM6D/1
Love the test comparison here https://regex101.com/r/IrNM6D/1, attaching it here for history purposes.
I see the Prettier test failed. I'll update the PR later today/tomorrow. @Vad1mo
@rlacko58 can you take a look into the issues? There are some linter errors.
This PR is being marked stale due to a period of inactivity. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.
@rlacko58: aef8455 to 63dd026
@reasonerjt Thanks for the reminder. It should be good to go now. I've put the change in a separate commit to make the review easier.
@rlacko58 Thanks for the update. There are still some lint errors. Could you check?
https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.4
scope = scope-token *( SP scope-token )
scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
A scope is composed of one or more scope-tokens separated by spaces, and each scope-token must consist of one or more characters defined by NQCHAR.
https://datatracker.ietf.org/doc/html/rfc6749#appendix-A
NQCHAR = %x21 / %x23-5B / %x5D-7E
NQCHAR includes all printable ASCII characters except double quote ("), backslash (\), and space ( ).
Signed-off-by: Laszlo Rafael <[email protected]>
63dd026 to 3eeffa0
@reasonerjt Now it should be finally good to go.
This PR is being marked stale due to a period of inactivity. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.
Did someone test that, @goharbor/all-maintainers? I think we can merge that.
Comprehensive Summary of your change
This PR fixes the OIDC Auth scopes validation on the auth config page to comply with RFC standards.
Example scopes that are not compatible currently with Harbor's validation:
RFC:
https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.4
scope = scope-token *( SP scope-token )
scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
A scope is composed of one or more scope-tokens separated by spaces, and each scope-token must consist of one or more characters defined by NQCHAR.
https://datatracker.ietf.org/doc/html/rfc6749#appendix-A
NQCHAR = %x21 / %x23-5B / %x5D-7E
NQCHAR includes all printable ASCII characters except double quote ("), backslash (\), and space ( ).
Breakdown of changes:
Previous per-character rule: `[\w.]`
New per-character rule: `((?!["\\ ])[ -~])`
- `[ -~]`: match all ASCII characters between space ( ) and tilde (~)
- `(?!["\\ ])`: negative lookahead that rejects double quote ("), backslash (\), and space ( )
Tests of this regex: https://regex101.com/r/IrNM6D/1
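As an added example (not Harbor's code, which this page shows only as the two per-character fragments above), the script below wraps the old and new character rules in the RFC 6749 `scope = scope-token *( SP scope-token )` grammar and checks both against a direct implementation of the NQCHAR ranges on constructed sample scopes. The `^...$` anchors and the space-separated repetition are assumptions about how the full pattern is assembled.

```javascript
// Per-character rule before the PR: [\w.]
const OLD_TOKEN_CHAR = /[\w.]/.source;
// Per-character rule from the PR: printable ASCII (space..tilde) minus
// double quote, backslash and space.
const NEW_TOKEN_CHAR = /((?!["\\ ])[ -~])/.source;

// Assumed wrapping: scope = scope-token *( SP scope-token ), anchored.
function scopePattern(tokenChar) {
  return new RegExp(`^${tokenChar}+( ${tokenChar}+)*$`);
}
const OLD_SCOPE_RE = scopePattern(OLD_TOKEN_CHAR);
const NEW_SCOPE_RE = scopePattern(NEW_TOKEN_CHAR);

// Reference check straight from the ABNF (RFC 6749, Appendix A):
// NQCHAR = %x21 / %x23-5B / %x5D-7E
function isNqchar(code) {
  return code === 0x21 || (code >= 0x23 && code <= 0x5b) || (code >= 0x5d && code <= 0x7e);
}

// scope-token = 1*NQCHAR, tokens separated by exactly one SP.
function isValidScopeRfc(scope) {
  const tokens = scope.split(' ');
  return tokens.every((t) => t.length > 0 && [...t].every((ch) => isNqchar(ch.charCodeAt(0))));
}

// Constructed sample scopes (not from the PR).
const SAMPLES = [
  'openid profile email',          // plain tokens: accepted by both rules
  'https://example.com/api:read',  // URL-style scope: only the new rule accepts it
  'urn:custom/scope.v1',           // colon and slash
  'openid  profile',               // double space produces an empty token
  'read "all"',                    // double quote is not NQCHAR
  'a\\b',                          // backslash is not NQCHAR
  'caf\u00e9',                     // non-ASCII, outside %x21-7E
];

// Verdict of each rule for one scope string.
function compare(scope) {
  return { old: OLD_SCOPE_RE.test(scope), new: NEW_SCOPE_RE.test(scope), rfc: isValidScopeRfc(scope) };
}

// Does the PR's rule agree with the ABNF reference on every sample?
function newRuleMatchesRfc(samples = SAMPLES) {
  return samples.every((s) => NEW_SCOPE_RE.test(s) === isValidScopeRfc(s));
}

for (const s of SAMPLES) console.log(JSON.stringify(s), compare(s));
```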