From 6fdb5e3db783d4a038a89fb82279727f80e7bf8e Mon Sep 17 00:00:00 2001
From: Ryan Kohler
Date: Mon, 10 Oct 2022 13:25:46 +0000
Subject: [PATCH] google/internal/externalaccount: allowing PSC Urls
Change-Id: I46c337f162bf84cbcfa068ce1680e5428c46286a
GitHub-Last-Rev: 4d1190b904b58ab162a398e01fc33398d11e4636
GitHub-Pull-Request: golang/oauth2#596
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/439677
Auto-Submit: Cody Oss
Reviewed-by: Cody Oss
Reviewed-by: Leo Siracusa
Run-TryBot: Cody Oss
TryBot-Result: Gopher Robot
---
 .../externalaccount/basecredentials.go | 2 ++
 .../externalaccount/basecredentials_test.go | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/google/internal/externalaccount/basecredentials.go b/google/internal/externalaccount/basecredentials.go
index 2bf5391..9fc3553 100644
--- a/google/internal/externalaccount/basecredentials.go
+++ b/google/internal/externalaccount/basecredentials.go
@@ -74,12 +74,14 @@ var (
 regexp.MustCompile(`(?i)^sts\.googleapis\.com$`),
 regexp.MustCompile(`(?i)^sts\.[^\.\s\/\\]+\.googleapis\.com$`),
 regexp.MustCompile(`(?i)^[^\.\s\/\\]+-sts\.googleapis\.com$`),
+ regexp.MustCompile(`(?i)^sts-[^\.\s\/\\]+\.p\.googleapis\.com$`),
 }
 validImpersonateURLPatterns = []*regexp.Regexp{
 regexp.MustCompile(`^[^\.\s\/\\]+\.iamcredentials\.googleapis\.com$`),
 regexp.MustCompile(`^iamcredentials\.googleapis\.com$`),
 regexp.MustCompile(`^iamcredentials\.[^\.\s\/\\]+\.googleapis\.com$`),
 regexp.MustCompile(`^[^\.\s\/\\]+-iamcredentials\.googleapis\.com$`),
+ regexp.MustCompile(`^iamcredentials-[^\.\s\/\\]+\.p\.googleapis\.com$`),
 }
 validWorkforceAudiencePattern *regexp.Regexp = regexp.MustCompile(`//iam\.googleapis\.com/locations/[^/]+/workforcePools/`)
 )
diff --git a/google/internal/externalaccount/basecredentials_test.go b/google/internal/externalaccount/basecredentials_test.go
index 5aa0d46..05e0127 100644
--- a/google/internal/externalaccount/basecredentials_test.go
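Review bot: In basecredentials.go, both added `.p.googleapis.com` patterns match the endpoint-name label with the negated class `[^\.\s\/\\]+`, which accepts every character except dot, whitespace, slash and backslash, including characters that are not valid in a DNS label. Judging by the variable names and the tests, these lists are the allowlist for the hosts that receive token-exchange and impersonation requests, so each new entry should be as narrow as the endpoint format permits; a positive class such as `(?i)^sts-[a-z0-9-]+\.p\.googleapis\.com$` (and the `iamcredentials-` equivalent) would be tighter, assuming PSC endpoint names are limited to letters, digits and hyphens. The new impersonation pattern is also case-sensitive while the new token pattern carries `(?i)`; that follows the neighbouring lines but means the two lists treat the same host spelling differently. A one-line comment above each addition, e.g. `// Private Service Connect endpoint: sts-<name>.p.googleapis.com`, would record why this shape is allowed. The string these patterns are matched against is built outside this hunk, so how much of the URL reaches them should be confirmed there.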
+++ b/google/internal/externalaccount/basecredentials_test.go
@@ -231,6 +231,16 @@ func TestValidateURLTokenURL(t *testing.T) {
 {"https://", false},
 {"http://us-east-1.sts.googleapis.com", false},
 {"https://us-east-1.sts.googleapis.comevil.com", false},
+ {"https://sts-xyz.p.googleapis.com", true},
+ {"https://sts.pgoogleapis.com", false},
+ {"https://p.googleapis.com", false},
+ {"https://sts.p.com", false},
+ {"http://sts.p.googleapis.com", false},
+ {"https://xyz-sts.p.googleapis.com", false},
+ {"https://sts-xyz.123.p.googleapis.com", false},
+ {"https://sts-xyz.p1.googleapis.com", false},
+ {"https://sts-xyz.p.foo.com", false},
+ {"https://sts-xyz.p.foo.googleapis.com", false},
 }
 ctx := context.Background()
 for _, tt := range urlValidityTests {
@@ -287,6 +297,16 @@ func TestValidateURLImpersonateURL(t *testing.T) {
 {"https://", false},
 {"http://us-east-1.iamcredentials.googleapis.com", false},
 {"https://us-east-1.iamcredentials.googleapis.comevil.com", false},
+ {"https://iamcredentials-xyz.p.googleapis.com", true},
+ {"https://iamcredentials.pgoogleapis.com", false},
+ {"https://p.googleapis.com", false},
+ {"https://iamcredentials.p.com", false},
+ {"http://iamcredentials.p.googleapis.com", false},
+ {"https://xyz-iamcredentials.p.googleapis.com", false},
+ {"https://iamcredentials-xyz.123.p.googleapis.com", false},
+ {"https://iamcredentials-xyz.p1.googleapis.com", false},
+ {"https://iamcredentials-xyz.p.foo.com", false},
+ {"https://iamcredentials-xyz.p.foo.googleapis.com", false},
 }
 ctx := context.Background()
 for _, tt := range urlValidityTests {
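Review bot: The added scheme row `{"http://sts.p.googleapis.com", false}` in TestValidateURLTokenURL does not exercise the new PSC pattern, because its host has no `sts-<name>` label and instead fits the existing `sts.<label>.googleapis.com` pattern shown in basecredentials.go. It therefore only repeats the scheme check already covered by the `http://us-east-1.sts.googleapis.com` row; `{"http://sts-xyz.p.googleapis.com", false}` would pin the https requirement for the PSC form. The same applies to `{"http://iamcredentials.p.googleapis.com", false}` in the TestValidateURLImpersonateURL hunk. An empty endpoint name (`{"https://sts-.p.googleapis.com", false}`) and one mixed-case host per table would also be worth a row each, since the token list is case-insensitive and the impersonation list is not. Both test functions start before and continue past their hunks.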