google/internal/externalaccount: Removed URL validation for google URLs in ADC files
Removes URL validation for token_url, service_account_impersonation_url to allow for TPC urls and adds line to the docs to warn users. See https://github.com/googleapis/google-auth-library-nodejs/pull/1517 for same change in node.js library. Change-Id: I85fa67ee0b99deed2adb75668a1b5501851c499c GitHub-Last-Rev: 15d7759884817d0f835768bdb5e5b3fa86e8fdbf GitHub-Pull-Request: golang/oauth2#627 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/465696 Reviewed-by: Cody Oss <codyoss@google.com> Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Leo Siracusa <leosiracusa@google.com>
This commit is contained in:
aeitzman
@@ -9,7 +9,6 @@ import (
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
@@ -208,140 +207,6 @@ func TestNonworkforceWithWorkforcePoolUserProject(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateURLTokenURL(t *testing.T) {
|
||||
var urlValidityTests = []struct {
|
||||
tokURL string
|
||||
expectSuccess bool
|
||||
}{
|
||||
{"https://east.sts.googleapis.com", true},
|
||||
{"https://sts.googleapis.com", true},
|
||||
{"https://sts.asfeasfesef.googleapis.com", true},
|
||||
{"https://us-east-1-sts.googleapis.com", true},
|
||||
{"https://sts.googleapis.com/your/path/here", true},
|
||||
{"https://.sts.googleapis.com", false},
|
||||
{"https://badsts.googleapis.com", false},
|
||||
{"https://sts.asfe.asfesef.googleapis.com", false},
|
||||
{"https://sts..googleapis.com", false},
|
||||
{"https://-sts.googleapis.com", false},
|
||||
{"https://us-ea.st-1-sts.googleapis.com", false},
|
||||
{"https://sts.googleapis.com.evil.com/whatever/path", false},
|
||||
{"https://us-eas\\t-1.sts.googleapis.com", false},
|
||||
{"https:/us-ea/st-1.sts.googleapis.com", false},
|
||||
{"https:/us-east 1.sts.googleapis.com", false},
|
||||
{"https://", false},
|
||||
{"http://us-east-1.sts.googleapis.com", false},
|
||||
{"https://us-east-1.sts.googleapis.comevil.com", false},
|
||||
{"https://sts-xyz.p.googleapis.com", true},
|
||||
{"https://sts.pgoogleapis.com", false},
|
||||
{"https://p.googleapis.com", false},
|
||||
{"https://sts.p.com", false},
|
||||
{"http://sts.p.googleapis.com", false},
|
||||
{"https://xyz-sts.p.googleapis.com", false},
|
||||
{"https://sts-xyz.123.p.googleapis.com", false},
|
||||
{"https://sts-xyz.p1.googleapis.com", false},
|
||||
{"https://sts-xyz.p.foo.com", false},
|
||||
{"https://sts-xyz.p.foo.googleapis.com", false},
|
||||
}
|
||||
ctx := context.Background()
|
||||
for _, tt := range urlValidityTests {
|
||||
t.Run(" "+tt.tokURL, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
|
||||
config := testConfig
|
||||
config.TokenURL = tt.tokURL
|
||||
_, err := config.TokenSource(ctx)
|
||||
|
||||
if tt.expectSuccess && err != nil {
|
||||
t.Errorf("got %v but want nil", err)
|
||||
} else if !tt.expectSuccess && err == nil {
|
||||
t.Errorf("got nil but expected an error")
|
||||
}
|
||||
})
|
||||
}
|
||||
for _, el := range urlValidityTests {
|
||||
el.tokURL = strings.ToUpper(el.tokURL)
|
||||
}
|
||||
for _, tt := range urlValidityTests {
|
||||
t.Run(" "+tt.tokURL, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
|
||||
config := testConfig
|
||||
config.TokenURL = tt.tokURL
|
||||
_, err := config.TokenSource(ctx)
|
||||
|
||||
if tt.expectSuccess && err != nil {
|
||||
t.Errorf("got %v but want nil", err)
|
||||
} else if !tt.expectSuccess && err == nil {
|
||||
t.Errorf("got nil but expected an error")
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateURLImpersonateURL(t *testing.T) {
|
||||
var urlValidityTests = []struct {
|
||||
impURL string
|
||||
expectSuccess bool
|
||||
}{
|
||||
{"https://east.iamcredentials.googleapis.com", true},
|
||||
{"https://iamcredentials.googleapis.com", true},
|
||||
{"https://iamcredentials.asfeasfesef.googleapis.com", true},
|
||||
{"https://us-east-1-iamcredentials.googleapis.com", true},
|
||||
{"https://iamcredentials.googleapis.com/your/path/here", true},
|
||||
{"https://.iamcredentials.googleapis.com", false},
|
||||
{"https://badiamcredentials.googleapis.com", false},
|
||||
{"https://iamcredentials.asfe.asfesef.googleapis.com", false},
|
||||
{"https://iamcredentials..googleapis.com", false},
|
||||
{"https://-iamcredentials.googleapis.com", false},
|
||||
{"https://us-ea.st-1-iamcredentials.googleapis.com", false},
|
||||
{"https://iamcredentials.googleapis.com.evil.com/whatever/path", false},
|
||||
{"https://us-eas\\t-1.iamcredentials.googleapis.com", false},
|
||||
{"https:/us-ea/st-1.iamcredentials.googleapis.com", false},
|
||||
{"https:/us-east 1.iamcredentials.googleapis.com", false},
|
||||
{"https://", false},
|
||||
{"http://us-east-1.iamcredentials.googleapis.com", false},
|
||||
{"https://us-east-1.iamcredentials.googleapis.comevil.com", false},
|
||||
{"https://iamcredentials-xyz.p.googleapis.com", true},
|
||||
{"https://iamcredentials.pgoogleapis.com", false},
|
||||
{"https://p.googleapis.com", false},
|
||||
{"https://iamcredentials.p.com", false},
|
||||
{"http://iamcredentials.p.googleapis.com", false},
|
||||
{"https://xyz-iamcredentials.p.googleapis.com", false},
|
||||
{"https://iamcredentials-xyz.123.p.googleapis.com", false},
|
||||
{"https://iamcredentials-xyz.p1.googleapis.com", false},
|
||||
{"https://iamcredentials-xyz.p.foo.com", false},
|
||||
{"https://iamcredentials-xyz.p.foo.googleapis.com", false},
|
||||
}
|
||||
ctx := context.Background()
|
||||
for _, tt := range urlValidityTests {
|
||||
t.Run(" "+tt.impURL, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
|
||||
config := testConfig
|
||||
config.TokenURL = "https://sts.googleapis.com" // Setting the most basic acceptable tokenURL
|
||||
config.ServiceAccountImpersonationURL = tt.impURL
|
||||
_, err := config.TokenSource(ctx)
|
||||
|
||||
if tt.expectSuccess && err != nil {
|
||||
t.Errorf("got %v but want nil", err)
|
||||
} else if !tt.expectSuccess && err == nil {
|
||||
t.Errorf("got nil but expected an error")
|
||||
}
|
||||
})
|
||||
}
|
||||
for _, el := range urlValidityTests {
|
||||
el.impURL = strings.ToUpper(el.impURL)
|
||||
}
|
||||
for _, tt := range urlValidityTests {
|
||||
t.Run(" "+tt.impURL, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
|
||||
config := testConfig
|
||||
config.TokenURL = "https://sts.googleapis.com" // Setting the most basic acceptable tokenURL
|
||||
config.ServiceAccountImpersonationURL = tt.impURL
|
||||
_, err := config.TokenSource(ctx)
|
||||
|
||||
if tt.expectSuccess && err != nil {
|
||||
t.Errorf("got %v but want nil", err)
|
||||
} else if !tt.expectSuccess && err == nil {
|
||||
t.Errorf("got nil but expected an error")
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestWorkforcePoolCreation(t *testing.T) {
|
||||
var audienceValidatyTests = []struct {
|
||||
audience string
|
||||
|
||||
Reference in New Issue
Block a user