fix: empty string check for aws url validation (#1089)

* fix: empty string check for aws url validation * lint * add more unit tests * update test name
googleapis · Nov 14, 2022 · 6f177a1 · 6f177a1
1 parent bfe7d93
commit 6f177a1
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 11 deletions.
diff --git a/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java b/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java
@@ -137,18 +137,21 @@ private void validateMetadataServerUrls() {
       validateMetadataServerUrlIfAny(this.imdsv2SessionTokenUrl, "imdsv2_session_token_url");
     }
 
-    private static void validateMetadataServerUrlIfAny(String urlString, String nameInConfig) {
-      if (urlString != null) {
-        try {
-          URL url = new URL(urlString);
-          String host = url.getHost();
-          if (!host.equals("169.254.169.254") && !host.equals("[fd00:ec2::254]")) {
-            throw new IllegalArgumentException(
-                String.format("Invalid host %s for %s.", host, nameInConfig));
-          }
-        } catch (MalformedURLException malformedURLException) {
-          throw new IllegalArgumentException(malformedURLException);
+    @VisibleForTesting
+    static void validateMetadataServerUrlIfAny(String urlString, String nameInConfig) {
+      if (urlString == null || urlString.trim().length() == 0) {
+        return;
+      }
+
+      try {
+        URL url = new URL(urlString);
+        String host = url.getHost();
+        if (!host.equals("169.254.169.254") && !host.equals("[fd00:ec2::254]")) {
+          throw new IllegalArgumentException(
+              String.format("Invalid host %s for %s.", host, nameInConfig));
         }
+      } catch (MalformedURLException malformedURLException) {
+        throw new IllegalArgumentException(malformedURLException);
       }
     }
   }

diff --git a/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
@@ -475,10 +475,22 @@ public void getAwsSecurityCredentials_fromEnvironmentVariablesWithToken() throws
         .setEnv("AWS_SECRET_ACCESS_KEY", "awsSecretAccessKey")
         .setEnv("AWS_SESSION_TOKEN", "awsSessionToken");
 
+    AwsCredentialSource credSource =
+        new AwsCredentialSource(
+            new HashMap<String, Object>() {
+              {
+                put("environment_id", "aws1");
+                put("region_url", "");
+                put("url", "");
+                put("regional_cred_verification_url", "regionalCredVerificationUrl");
+              }
+            });
+
     AwsCredentials testAwsCredentials =
         (AwsCredentials)
             AwsCredentials.newBuilder(AWS_CREDENTIAL)
                 .setEnvironmentProvider(environmentProvider)
+                .setCredentialSource(credSource)
                 .build();
 
     AwsSecurityCredentials credentials =
@@ -489,6 +501,66 @@ public void getAwsSecurityCredentials_fromEnvironmentVariablesWithToken() throws
     assertEquals("awsSessionToken", credentials.getToken());
   }
 
+  @Test
+  public void getAwsSecurityCredentials_fromEnvironmentVariables_noMetadataServerCall()
+      throws IOException {
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    environmentProvider
+        .setEnv("AWS_ACCESS_KEY_ID", "awsAccessKeyId")
+        .setEnv("AWS_SECRET_ACCESS_KEY", "awsSecretAccessKey")
+        .setEnv("AWS_SESSION_TOKEN", "awsSessionToken");
+
+    AwsCredentials testAwsCredentials =
+        (AwsCredentials)
+            AwsCredentials.newBuilder(AWS_CREDENTIAL)
+                .setEnvironmentProvider(environmentProvider)
+                .build();
+
+    AwsSecurityCredentials credentials =
+        testAwsCredentials.getAwsSecurityCredentials(EMPTY_METADATA_HEADERS);
+
+    assertEquals("awsAccessKeyId", credentials.getAccessKeyId());
+    assertEquals("awsSecretAccessKey", credentials.getSecretAccessKey());
+    assertEquals("awsSessionToken", credentials.getToken());
+  }
+
+  @Test
+  public void validateMetadataServerUrlIfAny_validOrEmptyUrls() {
+    String[] urls = {
+      "http://[fd00:ec2::254]/region",
+      "http://169.254.169.254",
+      "http://169.254.169.254/xyz",
+      " ",
+      "",
+      null
+    };
+    for (String url : urls) {
+      AwsCredentialSource.validateMetadataServerUrlIfAny(url, "url");
+    }
+  }
+
+  @Test
+  public void validateMetadataServerUrlIfAny_invalidUrls() {
+    Map<String, String> urls = new HashMap<String, String>();
+    urls.put("http://[fd00:ec2::255]/region", "[fd00:ec2::255]");
+    urls.put("http://fake.com/region", "fake.com");
+    urls.put("http://169.254.169.255", "169.254.169.255");
+
+    for (Map.Entry<String, String> entry : urls.entrySet()) {
+      IllegalArgumentException e =
+          assertThrows(
+              IllegalArgumentException.class,
+              new ThrowingRunnable() {
+                @Override
+                public void run() throws Throwable {
+                  AwsCredentialSource.validateMetadataServerUrlIfAny(entry.getKey(), "url");
+                }
+              });
+
+      assertEquals(String.format("Invalid host %s for url.", entry.getValue()), e.getMessage());
+    }
+  }
+
   @Test
   public void getAwsSecurityCredentials_fromMetadataServer() throws IOException {
     MockExternalAccountCredentialsTransportFactory transportFactory =