google/internal/externalaccount: update serviceAccountImpersonationRE…

… to support universe domain Change-Id: Iafe35c293209bd88997c876341ebde7ac9ecda93 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/557195 TryBot-Bypass: Cody Oss <codyoss@google.com> Reviewed-by: Cody Oss <codyoss@google.com> Auto-Submit: Cody Oss <codyoss@google.com>
golang · Jan 19, 2024 · adffd94 · adffd94
1 parent deefa7e
commit adffd94
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/google/internal/externalaccount/executablecredsource.go b/google/internal/externalaccount/executablecredsource.go
@@ -19,7 +19,7 @@ import (
 	"time"
 )
 
-var serviceAccountImpersonationRE = regexp.MustCompile("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/(.*@.*):generateAccessToken")
+var serviceAccountImpersonationRE = regexp.MustCompile("https://iamcredentials\\..+/v1/projects/-/serviceAccounts/(.*@.*):generateAccessToken")
 
 const (
 	executableSupportedMaxVersion = 1

diff --git a/google/internal/externalaccount/executablecredsource_test.go b/google/internal/externalaccount/executablecredsource_test.go
@@ -1021,3 +1021,37 @@ func TestRetrieveOutputFileSubjectTokenJwt(t *testing.T) {
 		})
 	}
 }
+
+func TestServiceAccountImpersonationRE(t *testing.T) {
+	tests := []struct {
+		name                           string
+		serviceAccountImpersonationURL string
+		want                           string
+	}{
+		{
+			name:                           "universe domain Google Default Universe (GDU) googleapis.com",
+			serviceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/test@project.iam.gserviceaccount.com:generateAccessToken",
+			want:                           "test@project.iam.gserviceaccount.com",
+		},
+		{
+			name:                           "email does not match",
+			serviceAccountImpersonationURL: "test@project.iam.gserviceaccount.com",
+			want:                           "",
+		},
+		{
+			name:                           "universe domain non-GDU",
+			serviceAccountImpersonationURL: "https://iamcredentials.apis-tpclp.goog/v1/projects/-/serviceAccounts/test@project.iam.gserviceaccount.com:generateAccessToken",
+			want:                           "test@project.iam.gserviceaccount.com",
+		},
+	}
+	for _, tt := range tests {
+		matches := serviceAccountImpersonationRE.FindStringSubmatch(tt.serviceAccountImpersonationURL)
+		if matches == nil {
+			if tt.want != "" {
+				t.Errorf("%q: got nil, want %q", tt.name, tt.want)
+			}
+		} else if matches[1] != tt.want {
+			t.Errorf("%q: got %q, want %q", tt.name, matches[1], tt.want)
+		}
+	}
+}