google/externalaccount: validate tokenURL and ServiceAccountImpersonationURL

Change-Id: Iab70cc967fd97ac8e349a14760df0f8b02ddf074 GitHub-Last-Rev: ddf4dbd0b7096a0d34677047b9c3992bb6ed359b GitHub-Pull-Request: golang/oauth2#514 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/340569 Reviewed-by: Patrick Jones <ithuriel@google.com> Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Chris Broadfoot <cbro@golang.org> Trust: Cody Oss <codyoss@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org>
2021-08-12 22:59:38 +00:00
parent faf39c7919
commit 7df4dd6e12
11 changed files with 219 additions and 27 deletions
--- a/google/internal/externalaccount/basecredentials_test.go
+++ b/google/internal/externalaccount/basecredentials_test.go
@@ -9,6 +9,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"
 	"time"
 )
@@ -95,3 +96,117 @@ func TestToken(t *testing.T) {
 	}

 }
+
+func TestValidateURLTokenURL(t *testing.T) {
+	var urlValidityTests = []struct {
+		tokURL        string
+		expectSuccess bool
+	}{
+		{"https://east.sts.googleapis.com", true},
+		{"https://sts.googleapis.com", true},
+		{"https://sts.asfeasfesef.googleapis.com", true},
+		{"https://us-east-1-sts.googleapis.com", true},
+		{"https://sts.googleapis.com/your/path/here", true},
+		{"https://.sts.googleapis.com", false},
+		{"https://badsts.googleapis.com", false},
+		{"https://sts.asfe.asfesef.googleapis.com", false},
+		{"https://sts..googleapis.com", false},
+		{"https://-sts.googleapis.com", false},
+		{"https://us-ea.st-1-sts.googleapis.com", false},
+		{"https://sts.googleapis.com.evil.com/whatever/path", false},
+		{"https://us-eas\\t-1.sts.googleapis.com", false},
+		{"https:/us-ea/st-1.sts.googleapis.com", false},
+		{"https:/us-east 1.sts.googleapis.com", false},
+		{"https://", false},
+		{"http://us-east-1.sts.googleapis.com", false},
+		{"https://us-east-1.sts.googleapis.comevil.com", false},
+	}
+	ctx := context.Background()
+	for _, tt := range urlValidityTests {
+		t.Run(" "+tt.tokURL, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
+			config := testConfig
+			config.TokenURL = tt.tokURL
+			_, err := config.TokenSource(ctx)
+
+			if tt.expectSuccess && err != nil {
+				t.Errorf("got %v but want nil", err)
+			} else if !tt.expectSuccess && err == nil {
+				t.Errorf("got nil but expected an error")
+			}
+		})
+	}
+	for _, el := range urlValidityTests {
+		el.tokURL = strings.ToUpper(el.tokURL)
+	}
+	for _, tt := range urlValidityTests {
+		t.Run(" "+tt.tokURL, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
+			config := testConfig
+			config.TokenURL = tt.tokURL
+			_, err := config.TokenSource(ctx)
+
+			if tt.expectSuccess && err != nil {
+				t.Errorf("got %v but want nil", err)
+			} else if !tt.expectSuccess && err == nil {
+				t.Errorf("got nil but expected an error")
+			}
+		})
+	}
+}
+
+func TestValidateURLImpersonateURL(t *testing.T) {
+	var urlValidityTests = []struct {
+		impURL        string
+		expectSuccess bool
+	}{
+		{"https://east.iamcredentials.googleapis.com", true},
+		{"https://iamcredentials.googleapis.com", true},
+		{"https://iamcredentials.asfeasfesef.googleapis.com", true},
+		{"https://us-east-1-iamcredentials.googleapis.com", true},
+		{"https://iamcredentials.googleapis.com/your/path/here", true},
+		{"https://.iamcredentials.googleapis.com", false},
+		{"https://badiamcredentials.googleapis.com", false},
+		{"https://iamcredentials.asfe.asfesef.googleapis.com", false},
+		{"https://iamcredentials..googleapis.com", false},
+		{"https://-iamcredentials.googleapis.com", false},
+		{"https://us-ea.st-1-iamcredentials.googleapis.com", false},
+		{"https://iamcredentials.googleapis.com.evil.com/whatever/path", false},
+		{"https://us-eas\\t-1.iamcredentials.googleapis.com", false},
+		{"https:/us-ea/st-1.iamcredentials.googleapis.com", false},
+		{"https:/us-east 1.iamcredentials.googleapis.com", false},
+		{"https://", false},
+		{"http://us-east-1.iamcredentials.googleapis.com", false},
+		{"https://us-east-1.iamcredentials.googleapis.comevil.com", false},
+	}
+	ctx := context.Background()
+	for _, tt := range urlValidityTests {
+		t.Run(" "+tt.impURL, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
+			config := testConfig
+			config.TokenURL = "https://sts.googleapis.com" // Setting the most basic acceptable tokenURL
+			config.ServiceAccountImpersonationURL = tt.impURL
+			_, err := config.TokenSource(ctx)
+
+			if tt.expectSuccess && err != nil {
+				t.Errorf("got %v but want nil", err)
+			} else if !tt.expectSuccess && err == nil {
+				t.Errorf("got nil but expected an error")
+			}
+		})
+	}
+	for _, el := range urlValidityTests {
+		el.impURL = strings.ToUpper(el.impURL)
+	}
+	for _, tt := range urlValidityTests {
+		t.Run(" "+tt.impURL, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
+			config := testConfig
+			config.TokenURL = "https://sts.googleapis.com" // Setting the most basic acceptable tokenURL
+			config.ServiceAccountImpersonationURL = tt.impURL
+			_, err := config.TokenSource(ctx)
+
+			if tt.expectSuccess && err != nil {
+				t.Errorf("got %v but want nil", err)
+			} else if !tt.expectSuccess && err == nil {
+				t.Errorf("got nil but expected an error")
+			}
+		})
+	}
+}