
Commit b159bee

aeitzmanlsirac
andauthored
feat: Adding validation for psc endpoints (#1042)
* feat: Adding validation for psc endpoints
* adding more test cases
* adding more test cases
* escape dash in regex for consistency

Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
1 parent 1f948e1 commit b159bee

2 files changed

Lines changed: 30 additions & 4 deletions


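--- a/google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
+++ b/google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
@@ -583,6 +583,7 @@ static void validateTokenUrl(String tokenUrl) {
 patterns.add(Pattern.compile("^sts\\.googleapis\\.com$"));
 patterns.add(Pattern.compile("^sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$"));
 patterns.add(Pattern.compile("^[^\\.\\s\\/\\\\]+\\-sts\\.googleapis\\.com$"));
+patterns.add(Pattern.compile("^sts\\-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$"));
 
 if (!isValidUrl(patterns, tokenUrl)) {
 throw new IllegalArgumentException("The provided token URL is invalid.");
@@ -595,6 +596,7 @@ static void validateServiceAccountImpersonationInfoUrl(String serviceAccountImpe
 patterns.add(Pattern.compile("^iamcredentials\\.googleapis\\.com$"));
 patterns.add(Pattern.compile("^iamcredentials\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$"));
 patterns.add(Pattern.compile("^[^\\.\\s\\/\\\\]+\\-iamcredentials\\.googleapis\\.com$"));
+patterns.add(Pattern.compile("^iamcredentials-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$"));
 
 if (!isValidUrl(patterns, serviceAccountImpersonationUrl)) {
 throw new IllegalArgumentException(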
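Review bot: The endpoint-name class in both added PSC patterns, `[^\\.\\s\\/\\\\]+`, is a deny-list, so every character other than a dot, whitespace or a slash is accepted between `sts-` / `iamcredentials-` and `.p.googleapis.com`. These validators decide which host receives tokens, and what `isValidUrl` actually matches the patterns against is not visible here, so I would not rely on it to filter the rest. If PSC endpoint names are limited to letters, digits and hyphens, an allow-list is tighter: `patterns.add(Pattern.compile("^sts\\-[A-Za-z0-9\\-]+\\.p\\.googleapis\\.com$"));`, and likewise for `iamcredentials\\-`. The new impersonation pattern also writes `iamcredentials-` with a bare dash while every other pattern in these hunks uses `\\-`, which is the consistency the commit message says it restores. Both method bodies start and end outside the hunks.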

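--- a/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java
+++ b/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/ExternalAccountCredentialsTest.java
@@ -965,7 +965,10 @@ public void validateTokenUrl_validUrls() {
 "https://sts.US-WEST-1.googleapis.com",
 "https://us-east-1-sts.googleapis.com",
 "https://US-WEST-1-sts.googleapis.com",
-"https://us-west-1-sts.googleapis.com/path?query");
+"https://us-west-1-sts.googleapis.com/path?query",
+"https://sts-xyz123.p.googleapis.com/path?query",
+"https://sts-xyz123.p.googleapis.com",
+"https://sts-xyz-123.p.googleapis.com");
 
 for (String url : validUrls) {
 ExternalAccountCredentials.validateTokenUrl(url);
@@ -995,7 +998,16 @@ public void validateTokenUrl_invalidUrls() {
 "hhttps://us-east-1.sts.googleapis.com",
 "https://us- -1.sts.googleapis.com",
 "https://-sts.googleapis.com",
-"https://us-east-1.sts.googleapis.com.evil.com");
+"https://us-east-1.sts.googleapis.com.evil.com",
+"https://sts.pgoogleapis.com",
+"https://p.googleapis.com",
+"https://sts.p.com",
+"http://sts.p.googleapis.com",
+"https://xyz-sts.p.googleapis.com",
+"https://sts-xyz.123.p.googleapis.com",
+"https://sts-xyz.p1.googleapis.com",
+"https://sts-xyz.p.foo.com",
+"https://sts-xyz.p.foo.googleapis.com");
 
 for (String url : invalidUrls) {
 try {
@@ -1018,7 +1030,10 @@ public void validateServiceAccountImpersonationUrls_validUrls() {
 "https://iamcredentials.US-WEST-1.googleapis.com",
 "https://us-east-1-iamcredentials.googleapis.com",
 "https://US-WEST-1-iamcredentials.googleapis.com",
-"https://us-west-1-iamcredentials.googleapis.com/path?query");
+"https://us-west-1-iamcredentials.googleapis.com/path?query",
+"https://iamcredentials-xyz123.p.googleapis.com/path?query",
+"https://iamcredentials-xyz123.p.googleapis.com",
+"https://iamcredentials-xyz-123.p.googleapis.com");
 
 for (String url : validUrls) {
 ExternalAccountCredentials.validateServiceAccountImpersonationInfoUrl(url);
@@ -1049,7 +1064,16 @@ public void validateServiceAccountImpersonationUrls_invalidUrls() {
 "hhttps://us-east-1.iamcredentials.googleapis.com",
 "https://us- -1.iamcredentials.googleapis.com",
 "https://-iamcredentials.googleapis.com",
-"https://us-east-1.iamcredentials.googleapis.com.evil.com");
+"https://us-east-1.iamcredentials.googleapis.com.evil.com",
+"https://iamcredentials.pgoogleapis.com",
+"https://p.googleapis.com",
+"https://iamcredentials.p.com",
+"http://iamcredentials.p.googleapis.com",
+"https://xyz-iamcredentials.p.googleapis.com",
+"https://iamcredentials-xyz.123.p.googleapis.com",
+"https://iamcredentials-xyz.p1.googleapis.com",
+"https://iamcredentials-xyz.p.foo.com",
+"https://iamcredentials-xyz.p.foo.googleapis.com");
 
 for (String url : invalidUrls) {
 try {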
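Review bot: The new invalid-URL entries do not pin two edge cases that the older patterns already have tests for: an empty endpoint name and a trusted host used as the prefix of another domain. Adding `"https://sts-.p.googleapis.com"` and `"https://sts-xyz.p.googleapis.com.evil.com"` to `validateTokenUrl_invalidUrls`, with the `iamcredentials-` equivalents in the impersonation test, would mirror the existing `https://-sts.googleapis.com` and `...googleapis.com.evil.com` cases. Those entries guard the `+` quantifier and the `$` anchor of the added patterns against a later regex edit. The loops that consume these lists continue outside the hunks.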
