From ab0c3713aec62a7e3cf445328a56cedc34794af7 Mon Sep 17 00:00:00 2001
From: Sai Sunder Srinivasan
Date: Thu, 10 Nov 2022 01:10:41 +0000
Subject: [PATCH 1/4] fix: empty string check for aws url validation
---
 .../google/auth/oauth2/AwsCredentials.java | 2 +-
 .../auth/oauth2/AwsCredentialsTest.java | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java b/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java
index 34aaa5835..03d4e9713 100644
--- a/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java
@@ -138,7 +138,7 @@ private void validateMetadataServerUrls() {
 }

 private static void validateMetadataServerUrlIfAny(String urlString, String nameInConfig) {
- if (urlString != null) {
+ if (urlString != null && !urlString.isEmpty()) {
 try {
 URL url = new URL(urlString);
 String host = url.getHost();
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
index 9c7cb3fa7..a4461952a 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
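Review bot: The empty-string exemption added to `validateMetadataServerUrlIfAny` in AwsCredentials.java lets `""` through without any host check, so the metadata-host allow-list only protects callers that also treat an empty value as "not configured". The code that later consumes the configured metadata URLs is outside this hunk, and the method body continues past it, so that cannot be confirmed from here. I would state the contract above the condition, e.g. `// Empty means "not configured"; callers must never issue a request for an empty URL.`, or normalise empty values to null where the fields are assigned so the validator and the consumers apply the same test.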
@@ -475,6 +475,40 @@ public void getAwsSecurityCredentials_fromEnvironmentVariablesWithToken() throws
 .setEnv("AWS_SECRET_ACCESS_KEY", "awsSecretAccessKey")
 .setEnv("AWS_SESSION_TOKEN", "awsSessionToken");

+ AwsCredentialSource credSource = new AwsCredentialSource(
+ new HashMap() {
+ {
+ put("environment_id", "aws1");
+ put("region_url", "");
+ put("url", "");
+ put("regional_cred_verification_url", "regionalCredVerificationUrl");
+ }
+ }
+ );
+
+ AwsCredentials testAwsCredentials =
+ (AwsCredentials)
+ AwsCredentials.newBuilder(AWS_CREDENTIAL)
+ .setEnvironmentProvider(environmentProvider)
+ .setCredentialSource(credSource)
+ .build();
+
+ AwsSecurityCredentials credentials =
+ testAwsCredentials.getAwsSecurityCredentials(EMPTY_METADATA_HEADERS);
+
+ assertEquals("awsAccessKeyId", credentials.getAccessKeyId());
+ assertEquals("awsSecretAccessKey", credentials.getSecretAccessKey());
+ assertEquals("awsSessionToken", credentials.getToken());
+ }
+
+ @Test
+ public void getAwsSecurityCredentials_fromEnvironmentVariables_noMetadataServerCall() throws IOException {
+ TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+ environmentProvider
+ .setEnv("AWS_ACCESS_KEY_ID", "awsAccessKeyId")
+ .setEnv("AWS_SECRET_ACCESS_KEY", "awsSecretAccessKey")
+ .setEnv("AWS_SESSION_TOKEN", "awsSessionToken");
+
 AwsCredentials testAwsCredentials =
 (AwsCredentials)
 AwsCredentials.newBuilder(AWS_CREDENTIAL)
From bc22daf4b63e288216267a1dd72f12aeb451904f Mon Sep 17 00:00:00 2001
From: Sai Sunder Srinivasan
Date: Thu, 10 Nov 2022 03:29:43 +0000
Subject: [PATCH 2/4] lint
---
 .../auth/oauth2/AwsCredentialsTest.java | 23 ++++++++++---------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
index a4461952a..37a85f9f2 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
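Review bot: In AwsCredentialsTest.java (patch 1/4) the empty-URL regression case is added inside the existing `getAwsSecurityCredentials_fromEnvironmentVariablesWithToken`, whose name says nothing about blank `region_url`/`url`, so it is not obvious that this test is what pins the validation exemption. A one-line comment above the `credSource` construction would fix that, e.g. `// region_url and url are empty on purpose: empty metadata URLs must be skipped by validation, not rejected.` The map is also built with double-brace initialisation, which creates an anonymous `HashMap` subclass; a plain local map filled with `put` calls reads more simply in a test. The hunk starts inside that test method, so the lines before the two `setEnv` calls are not visible here.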
+++ b/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
@@ -475,16 +475,16 @@ public void getAwsSecurityCredentials_fromEnvironmentVariablesWithToken() throws
 .setEnv("AWS_SECRET_ACCESS_KEY", "awsSecretAccessKey")
 .setEnv("AWS_SESSION_TOKEN", "awsSessionToken");

- AwsCredentialSource credSource = new AwsCredentialSource(
- new HashMap() {
- {
- put("environment_id", "aws1");
- put("region_url", "");
- put("url", "");
- put("regional_cred_verification_url", "regionalCredVerificationUrl");
- }
- }
- );
+ AwsCredentialSource credSource =
+ new AwsCredentialSource(
+ new HashMap() {
+ {
+ put("environment_id", "aws1");
+ put("region_url", "");
+ put("url", "");
+ put("regional_cred_verification_url", "regionalCredVerificationUrl");
+ }
+ });

 AwsCredentials testAwsCredentials =
 (AwsCredentials)
@@ -502,7 +502,8 @@ public void getAwsSecurityCredentials_fromEnvironmentVariablesWithToken() throws
 }

 @Test
- public void getAwsSecurityCredentials_fromEnvironmentVariables_noMetadataServerCall() throws IOException {
+ public void getAwsSecurityCredentials_fromEnvironmentVariables_noMetadataServerCall()
+ throws IOException {
 TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
 environmentProvider
 .setEnv("AWS_ACCESS_KEY_ID", "awsAccessKeyId")
From 386fbbc5f0e381882558114d61d569a4ba7a3d88 Mon Sep 17 00:00:00 2001
From: Sai Sunder Srinivasan
Date: Thu, 10 Nov 2022 20:32:09 +0000
Subject: [PATCH 3/4] add more unit tests
---
 .../google/auth/oauth2/AwsCredentials.java | 25 +++++++------
 .../auth/oauth2/AwsCredentialsTest.java | 37 +++++++++++++++++++
 2 files changed, 51 insertions(+), 11 deletions(-)
diff --git a/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java b/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java
index 03d4e9713..6bfe8ce88 100644
--- a/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/AwsCredentials.java
@@ -137,18 +137,21 @@ private void validateMetadataServerUrls() {
 validateMetadataServerUrlIfAny(this.imdsv2SessionTokenUrl, "imdsv2_session_token_url");
 }

- private static void validateMetadataServerUrlIfAny(String urlString, String nameInConfig) {
- if (urlString != null && !urlString.isEmpty()) {
- try {
- URL url = new URL(urlString);
- String host = url.getHost();
- if (!host.equals("169.254.169.254") && !host.equals("[fd00:ec2::254]")) {
- throw new IllegalArgumentException(
- String.format("Invalid host %s for %s.", host, nameInConfig));
- }
- } catch (MalformedURLException malformedURLException) {
- throw new IllegalArgumentException(malformedURLException);
+ @VisibleForTesting
+ static void validateMetadataServerUrlIfAny(String urlString, String nameInConfig) {
+ if (urlString == null || urlString.trim().length() == 0) {
+ return;
+ }
+
+ try {
+ URL url = new URL(urlString);
+ String host = url.getHost();
+ if (!host.equals("169.254.169.254") && !host.equals("[fd00:ec2::254]")) {
+ throw new IllegalArgumentException(
+ String.format("Invalid host %s for %s.", host, nameInConfig));
 }
+ } catch (MalformedURLException malformedURLException) {
+ throw new IllegalArgumentException(malformedURLException);
 }
 }
 }
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
index 37a85f9f2..a6d4c1dfe 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
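Review bot: The rewritten `validateMetadataServerUrlIfAny` in AwsCredentials.java checks only `url.getHost()`; the scheme of the parsed URL is never looked at, so any protocol `java.net.URL` can parse is accepted as long as the host is one of the two allow-listed metadata addresses. If plain HTTP is the only transport expected for these endpoints, reject other schemes next to the host check, e.g. `if (!"http".equals(url.getProtocol())) { throw new IllegalArgumentException(String.format("Invalid scheme %s for %s.", url.getProtocol(), nameInConfig)); }`. The method is also widened from `private` to package-private for the tests, so a short Javadoc saying that it is the allow-list for metadata-server hosts and that null or blank values are deliberately skipped would make the security intent explicit.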
@@ -524,6 +524,43 @@ public void getAwsSecurityCredentials_fromEnvironmentVariables_noMetadataServerC
 assertEquals("awsSessionToken", credentials.getToken());
 }

+ @Test
+ public void validateMetadataServerUrlIfAny_validUrls() {
+ String[] urls = {
+ "http://[fd00:ec2::254]/region",
+ "http://169.254.169.254",
+ "http://169.254.169.254/xyz",
+ " ",
+ "",
+ null
+ };
+ for (String url : urls) {
+ AwsCredentialSource.validateMetadataServerUrlIfAny(url, "url");
+ }
+ }
+
+ @Test
+ public void validateMetadataServerUrlIfAny_invalidUrls() {
+ Map urls = new HashMap();
+ urls.put("http://[fd00:ec2::255]/region", "[fd00:ec2::255]");
+ urls.put("http://fake.com/region", "fake.com");
+ urls.put("http://169.254.169.255", "169.254.169.255");
+
+ for (Map.Entry entry : urls.entrySet()) {
+ IllegalArgumentException e =
+ assertThrows(
+ IllegalArgumentException.class,
+ new ThrowingRunnable() {
+ @Override
+ public void run() throws Throwable {
+ AwsCredentialSource.validateMetadataServerUrlIfAny(entry.getKey(), "url");
+ }
+ });
+
+ assertEquals(String.format("Invalid host %s for url.", entry.getValue()), e.getMessage());
+ }
+ }
+
 @Test
 public void getAwsSecurityCredentials_fromMetadataServer() throws IOException {
 MockExternalAccountCredentialsTransportFactory transportFactory =
From fd4ab75233b2ef923baeb71f5c2e516400387af7 Mon Sep 17 00:00:00 2001
From: Sai Sunder Srinivasan
Date: Fri, 11 Nov 2022 21:56:59 +0000
Subject: [PATCH 4/4] update test name
---
 .../javatests/com/google/auth/oauth2/AwsCredentialsTest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
index a6d4c1dfe..0b0f5e3fc 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
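Review bot: `validateMetadataServerUrlIfAny_invalidUrls` in AwsCredentialsTest.java (patch 3/4) only covers well-formed URLs with a wrong host, so the `MalformedURLException` branch of the validator, which turns an unparseable value into an `IllegalArgumentException`, is left untested. Add a case that passes a string `java.net.URL` cannot parse and asserts `IllegalArgumentException`, for example the same `assertThrows` wrapper around `validateMetadataServerUrlIfAny("not a url", "url")` (constructed sample value). The positive test has no assertion and passes by not throwing; a comment saying so, such as `// Must not throw: allow-listed hosts and blank values are accepted.`, would make that intent clear.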
@@ -525,7 +525,7 @@ public void getAwsSecurityCredentials_fromEnvironmentVariables_noMetadataServerC
 }

 @Test
- public void validateMetadataServerUrlIfAny_validUrls() {
+ public void validateMetadataServerUrlIfAny_validOrEmptyUrls() {
 String[] urls = {
 "http://[fd00:ec2::254]/region",
 "http://169.254.169.254",