feat: Adding validation for psc endpoints (#1042)
* feat: Adding validation for psc endpoints

* adding more test cases

* adding more test cases

* escape dash in regex for consistency

Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
aeitzman and lsirac committed Oct 6, 2022
1 parent 5a66ef6 commit b37a565
Showing 2 changed files with 30 additions and 4 deletions.
Expand Up @@ -583,6 +583,7 @@ static void validateTokenUrl(String tokenUrl) {
patterns.add(Pattern.compile("^sts\\.googleapis\\.com$"));
patterns.add(Pattern.compile("^sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$"));
patterns.add(Pattern.compile("^[^\\.\\s\\/\\\\]+\\-sts\\.googleapis\\.com$"));
patterns.add(Pattern.compile("^sts\\-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$"));

if (!isValidUrl(patterns, tokenUrl)) {
throw new IllegalArgumentException("The provided token URL is invalid.");
Expand All @@ -595,6 +596,7 @@ static void validateServiceAccountImpersonationInfoUrl(String serviceAccountImpe
patterns.add(Pattern.compile("^iamcredentials\\.googleapis\\.com$"));
patterns.add(Pattern.compile("^iamcredentials\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$"));
patterns.add(Pattern.compile("^[^\\.\\s\\/\\\\]+\\-iamcredentials\\.googleapis\\.com$"));
patterns.add(Pattern.compile("^iamcredentials-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$"));

if (!isValidUrl(patterns, serviceAccountImpersonationUrl)) {
throw new IllegalArgumentException(
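Review bot: Both added `p.googleapis.com` patterns (in validateTokenUrl and validateServiceAccountImpersonationInfoUrl) reuse the deny-list class `[^\\.\\s\\/\\\\]+`, which accepts every character except dot, whitespace, slash and backslash. isValidUrl is not shown, so it cannot be confirmed here that the matched string is always an already-parsed hostname. Because these patterns decide which hosts tokens may be sent to, an allow-list is the safer form, e.g. `"^sts\\-[A-Za-z0-9\\-]+\\.p\\.googleapis\\.com$"`, assuming endpoint names are limited to letters, digits and hyphens as the added tests suggest. The `iamcredentials-` pattern also leaves the dash unescaped while the `sts\\-` one escapes it, although the commit message says the dash was escaped for consistency. Both method bodies start and end outside the hunks.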
Expand Up @@ -965,7 +965,10 @@ public void validateTokenUrl_validUrls() {
"https://sts.US-WEST-1.googleapis.com",
"https://us-east-1-sts.googleapis.com",
"https://US-WEST-1-sts.googleapis.com",
"https://us-west-1-sts.googleapis.com/path?query");
"https://us-west-1-sts.googleapis.com/path?query",
"https://sts-xyz123.p.googleapis.com/path?query",
"https://sts-xyz123.p.googleapis.com",
"https://sts-xyz-123.p.googleapis.com");

for (String url : validUrls) {
ExternalAccountCredentials.validateTokenUrl(url);
Expand Down Expand Up @@ -995,7 +998,16 @@ public void validateTokenUrl_invalidUrls() {
"hhttps://us-east-1.sts.googleapis.com",
"https://us- -1.sts.googleapis.com",
"https://-sts.googleapis.com",
"https://us-east-1.sts.googleapis.com.evil.com");
"https://us-east-1.sts.googleapis.com.evil.com",
"https://sts.pgoogleapis.com",
"https://p.googleapis.com",
"https://sts.p.com",
"http://sts.p.googleapis.com",
"https://xyz-sts.p.googleapis.com",
"https://sts-xyz.123.p.googleapis.com",
"https://sts-xyz.p1.googleapis.com",
"https://sts-xyz.p.foo.com",
"https://sts-xyz.p.foo.googleapis.com");

for (String url : invalidUrls) {
try {
Expand All @@ -1018,7 +1030,10 @@ public void validateServiceAccountImpersonationUrls_validUrls() {
"https://iamcredentials.US-WEST-1.googleapis.com",
"https://us-east-1-iamcredentials.googleapis.com",
"https://US-WEST-1-iamcredentials.googleapis.com",
"https://us-west-1-iamcredentials.googleapis.com/path?query");
"https://us-west-1-iamcredentials.googleapis.com/path?query",
"https://iamcredentials-xyz123.p.googleapis.com/path?query",
"https://iamcredentials-xyz123.p.googleapis.com",
"https://iamcredentials-xyz-123.p.googleapis.com");

for (String url : validUrls) {
ExternalAccountCredentials.validateServiceAccountImpersonationInfoUrl(url);
Expand Down Expand Up @@ -1049,7 +1064,16 @@ public void validateServiceAccountImpersonationUrls_invalidUrls() {
"hhttps://us-east-1.iamcredentials.googleapis.com",
"https://us- -1.iamcredentials.googleapis.com",
"https://-iamcredentials.googleapis.com",
"https://us-east-1.iamcredentials.googleapis.com.evil.com");
"https://us-east-1.iamcredentials.googleapis.com.evil.com",
"https://iamcredentials.pgoogleapis.com",
"https://p.googleapis.com",
"https://iamcredentials.p.com",
"http://iamcredentials.p.googleapis.com",
"https://xyz-iamcredentials.p.googleapis.com",
"https://iamcredentials-xyz.123.p.googleapis.com",
"https://iamcredentials-xyz.p1.googleapis.com",
"https://iamcredentials-xyz.p.foo.com",
"https://iamcredentials-xyz.p.foo.googleapis.com");

for (String url : invalidUrls) {
try {
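Review bot: The negative cases added to validateTokenUrl_invalidUrls and validateServiceAccountImpersonationUrls_invalidUrls do not pin the end anchor or the one-or-more quantifier of the new `p.googleapis.com` patterns. The existing suffix case (`...sts.googleapis.com.evil.com`) only exercises the older regional form. Consider adding `"https://sts-xyz.p.googleapis.com.evil.com"` and `"https://sts-.p.googleapis.com"` (constructed examples), with the `iamcredentials-` equivalents in the second list. Both test methods continue outside the hunks shown.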
