Preston_PLB
/
oauth2
forked from Mirrors/oauth2
1
0
Fork 0
Code Pull Requests Activity

made some changes

This commit is contained in:
Patrick Jones 2021-08-09 14:38:40 -07:00
parent 57c99ca18a
commit 109292283c
5 changed files with 56 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
google/internal/externalaccount/aws_test.go
View File

@ -28,8 +28,7 @@ func setTime(testTime time.Time) func() time.Time {
func setEnvironment(env map[string]string) func(string) string { func setEnvironment(env map[string]string) func(string) string {
return func(key string) string { return func(key string) string {
value, _ := env[key] return env[key]
return value
} }
} }

48
google/internal/externalaccount/basecredentials.go
View File

@ -55,64 +55,54 @@ type Config struct {
// Each element consists of a list of patterns. validateURLs checks for matches // Each element consists of a list of patterns. validateURLs checks for matches
// that include all elements in a given list, in that order. // that include all elements in a given list, in that order.
var ( var (
validTokenURLPatterns = []string{ validTokenURLPatterns = []*regexp.Regexp{
"https://[^\\.]+\\.sts\\.googleapis\\.com", regexp.MustCompile("https://[^\\.]+\\.sts\\.googleapis\\.com"),
"https://sts\\.googleapis\\.com", regexp.MustCompile("https://sts\\.googleapis\\.com"),
"https://sts\\.[^\\.]+\\.googleapis\\.com", regexp.MustCompile("https://sts\\.[^\\.]+\\.googleapis\\.com"),
"https://[^\\.]+-sts\\.googleapis\\.com", regexp.MustCompile("https://[^\\.]+-sts\\.googleapis\\.com"),
} }
validImpersonateURLPatterns = []string{ validImpersonateURLPatterns = []*regexp.Regexp{
"https://[^\\.]+\\.iamcredentials\\.googleapis\\.com", regexp.MustCompile("https://[^\\.]+\\.iamcredentials\\.googleapis\\.com"),
"https://iamcredentials\\.googleapis\\.com", regexp.MustCompile("https://iamcredentials\\.googleapis\\.com"),
"https://iamcredentials\\.[^\\.]+\\.googleapis\\.com", regexp.MustCompile("https://iamcredentials\\.[^\\.]+\\.googleapis\\.com"),
"https://[^\\.]+-iamcredentials\\.googleapis\\.com", regexp.MustCompile("https://[^\\.]+-iamcredentials\\.googleapis\\.com"),
} }
) )
func validateURL(input string, patterns []string) (bool, error) { func validateURL(input string, patterns []*regexp.Regexp) bool {
for _, pattern := range patterns { for _, pattern := range patterns {
valid, err := regexp.MatchString(pattern, input) valid := pattern.MatchString(input)
if err != nil {
return false, err
}
if valid { if valid {
return true, nil return true
} }
} }
return false, nil return false
} }
// TokenSource Returns an external account TokenSource struct. This is to be called by package google to construct a google.Credentials. // TokenSource Returns an external account TokenSource struct. This is to be called by package google to construct a google.Credentials.
func (c *Config) TokenSource(ctx context.Context) (oauth2.TokenSource, error) { func (c *Config) TokenSource(ctx context.Context) (oauth2.TokenSource, error) {
return c.tokenSource(ctx, false) return c.tokenSource(ctx, validTokenURLPatterns, validImpersonateURLPatterns)
} }
// tokenSource is a private function that's directly called by some of the tests, // tokenSource is a private function that's directly called by some of the tests,
// because the unit test URLs are mocked, and would otherwise fail the // because the unit test URLs are mocked, and would otherwise fail the
// validity check. // validity check.
func (c *Config) tokenSource(ctx context.Context, testing bool) (oauth2.TokenSource, error) { func (c *Config) tokenSource(ctx context.Context, tokenURLValidPats []*regexp.Regexp, impersonateURLValidPats []*regexp.Regexp) (oauth2.TokenSource, error) {
if !testing {
// Check the validity of TokenURL. // Check the validity of TokenURL.
valid, err := validateURL(c.TokenURL, validTokenURLPatterns) valid := validateURL(c.TokenURL, tokenURLValidPats)
if err != nil {
return nil, err
}
if !valid { if !valid {
return nil, fmt.Errorf("oauth2/google: invalid TokenURL provided while constructing tokenSource") return nil, fmt.Errorf("oauth2/google: invalid TokenURL provided while constructing tokenSource")
} }
// If ServiceAccountImpersonationURL is present, check its validity. // If ServiceAccountImpersonationURL is present, check its validity.
if c.ServiceAccountImpersonationURL != "" { if c.ServiceAccountImpersonationURL != "" {
valid, err := validateURL(c.ServiceAccountImpersonationURL, validImpersonateURLPatterns) valid := validateURL(c.ServiceAccountImpersonationURL, impersonateURLValidPats)
if err != nil {
return nil, err
}
if !valid { if !valid {
return nil, fmt.Errorf("oauth2/google: invalid ServiceAccountImpersonationURL provided while constructing tokenSource") return nil, fmt.Errorf("oauth2/google: invalid ServiceAccountImpersonationURL provided while constructing tokenSource")
} }
} }
}
ts := tokenSource{ ts := tokenSource{
ctx: ctx, ctx: ctx,

29
google/internal/externalaccount/basecredentials_test.go
View File

@ -9,6 +9,7 @@ import (
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"regexp"
"testing" "testing"
"time" "time"
) )
@ -96,10 +97,10 @@ func TestToken(t *testing.T) {
} }
func TestValidateURL(t *testing.T) { func TestValidateURLTokenURL(t *testing.T) {
var urlValidityTests = []struct { var urlValidityTests = []struct {
input string input string
pattern []string pattern []*regexp.Regexp
result bool result bool
}{ }{
{"https://east.sts.googleapis.com", validTokenURLPatterns, true}, {"https://east.sts.googleapis.com", validTokenURLPatterns, true},
@ -112,7 +113,23 @@ func TestValidateURL(t *testing.T) {
{"https://sts..googleapis.com", validTokenURLPatterns, false}, {"https://sts..googleapis.com", validTokenURLPatterns, false},
{"https://-sts.googleapis.com", validTokenURLPatterns, false}, {"https://-sts.googleapis.com", validTokenURLPatterns, false},
{"https://us-ea.st-1-sts.googleapis.com", validTokenURLPatterns, false}, {"https://us-ea.st-1-sts.googleapis.com", validTokenURLPatterns, false},
// Repeat for iamcredentials as well }
for _, tt := range urlValidityTests {
t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
valid := validateURL(tt.input, tt.pattern)
if valid != tt.result {
t.Errorf("got %v, want %v", valid, tt.result)
}
})
}
}
func TestValidateURLImpersonateURL (t *testing.T) {
var urlValidityTests = []struct {
input string
pattern []*regexp.Regexp
result bool
}{
{"https://east.iamcredentials.googleapis.com", validImpersonateURLPatterns, true}, {"https://east.iamcredentials.googleapis.com", validImpersonateURLPatterns, true},
{"https://iamcredentials.googleapis.com", validImpersonateURLPatterns, true}, {"https://iamcredentials.googleapis.com", validImpersonateURLPatterns, true},
{"https://iamcredentials.asfeasfesef.googleapis.com", validImpersonateURLPatterns, true}, {"https://iamcredentials.asfeasfesef.googleapis.com", validImpersonateURLPatterns, true},
@ -126,11 +143,7 @@ func TestValidateURL(t *testing.T) {
} }
for _, tt := range urlValidityTests { for _, tt := range urlValidityTests {
t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability. t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
valid, err := validateURL(tt.input, tt.pattern) valid := validateURL(tt.input, tt.pattern)
if err != nil {
t.Errorf("validateURL returned an error: %v", err)
return
}
if valid != tt.result { if valid != tt.result {
t.Errorf("got %v, want %v", valid, tt.result) t.Errorf("got %v, want %v", valid, tt.result)
} }

5
google/internal/externalaccount/impersonate_test.go
View File

@ -10,6 +10,7 @@ import (
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"regexp"
"testing" "testing"
) )
@ -77,7 +78,9 @@ func TestImpersonation(t *testing.T) {
defer targetServer.Close() defer targetServer.Close()
testImpersonateConfig.TokenURL = targetServer.URL testImpersonateConfig.TokenURL = targetServer.URL
ourTS, err := testImpersonateConfig.tokenSource(context.Background(), true) allURLs := regexp.MustCompile(".*")
fmt.Println(allURLs)
ourTS, err := testImpersonateConfig.tokenSource(context.Background(), []*regexp.Regexp{allURLs}, []*regexp.Regexp{allURLs})
if err != nil { if err != nil {
fmt.Println(testImpersonateConfig.TokenURL) fmt.Println(testImpersonateConfig.TokenURL)
t.Fatalf("Failed to create TokenSource: %v", err) t.Fatalf("Failed to create TokenSource: %v", err)

3
google/internal/externalaccount/sts_exchange_test.go
View File

@ -128,6 +128,9 @@ func TestExchangeToken_Opts(t *testing.T) {
} }
var opts map[string]interface{} var opts map[string]interface{}
err = json.Unmarshal([]byte(strOpts[0]), &opts) err = json.Unmarshal([]byte(strOpts[0]), &opts)
if err != nil {
t.Fatalf("Couldn't parse received \"options\" field.")
}
if len(opts) < 2 { if len(opts) < 2 {
t.Errorf("Too few options received.") t.Errorf("Too few options received.")
} }