From 98cc3c12017465fb3cbab1659ffd525c063bc1bb Mon Sep 17 00:00:00 2001
From: Patrick Jones
Date: Thu, 12 Aug 2021 12:59:29 -0700
Subject: [PATCH] regexes ignore case. Update tests.
---
 .../externalaccount/basecredentials.go | 13 +--
 .../externalaccount/basecredentials_test.go | 107 +++++++++++++++---
 .../externalaccount/impersonate_test.go | 2 -
 3 files changed, 99 insertions(+), 23 deletions(-)
diff --git a/google/internal/externalaccount/basecredentials.go b/google/internal/externalaccount/basecredentials.go
index 13353d5..b4ed2ee 100644
--- a/google/internal/externalaccount/basecredentials.go
+++ b/google/internal/externalaccount/basecredentials.go
@@ -11,6 +11,7 @@ import (
 "net/url"
 "regexp"
 "strconv"
+ "strings"
 "time"
 "golang.org/x/oauth2"
@@ -61,10 +62,10 @@ var (
 validTokenURLPatterns = []*regexp.Regexp{
 // The complicated part in the middle matches any number of characters that
 // aren't period, spaces, or slashes.
- regexp.MustCompile("^[^\\.\\s\\/\\\\]+\\.sts\\.googleapis\\.com$"),
- regexp.MustCompile("^sts\\.googleapis\\.com$"),
- regexp.MustCompile("^sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$"),
- regexp.MustCompile("^[^\\.\\s\\/\\\\]+-sts\\.googleapis\\.com$"),
+ regexp.MustCompile("(?i)^[^\\.\\s\\/\\\\]+\\.sts\\.googleapis\\.com$"),
+ regexp.MustCompile("(?i)^sts\\.googleapis\\.com$"),
+ regexp.MustCompile("(?i)^sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$"),
+ regexp.MustCompile("(?i)^[^\\.\\s\\/\\\\]+-sts\\.googleapis\\.com$"),
 }
 validImpersonateURLPatterns = []*regexp.Regexp{
 regexp.MustCompile("^[^\\.\\s\\/\\\\]+\\.iamcredentials\\.googleapis\\.com$"),
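Review bot: The `(?i)` flag is added to the four `validTokenURLPatterns` entries, but the `validImpersonateURLPatterns` entry shown as context at the end of this hunk is unchanged, so impersonation hosts still appear to be matched case-sensitively while token hosts are not. Hostnames are case-insensitive, so the two allowlists should agree; the visible entry would become `regexp.MustCompile("(?i)^[^\\.\\s\\/\\\\]+\\.iamcredentials\\.googleapis\\.com$"),`, and the remaining entries of that list lie outside the hunk and need the same check. The upper-case pass added to basecredentials_test.go does not expose the gap, because its `ToUpper` loop assigns to the range copy `el` and leaves the table unchanged.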
@@ -75,16 +76,14 @@ var (
 )
 func validateURL(input string, patterns []*regexp.Regexp, scheme string) bool {
- fmt.Println(input)
 parsed, err := url.Parse(input)
 if err != nil {
 return false
 }
- if parsed.Scheme != scheme {
+ if strings.ToLower(parsed.Scheme) != strings.ToLower(scheme) {
 return false
 }
 toTest := parsed.Host
- fmt.Println(toTest)
 for _, pattern := range patterns {
 valid := pattern.MatchString(toTest)
diff --git a/google/internal/externalaccount/basecredentials_test.go b/google/internal/externalaccount/basecredentials_test.go
index 3189b16..690580d 100644
--- a/google/internal/externalaccount/basecredentials_test.go
+++ b/google/internal/externalaccount/basecredentials_test.go
@@ -10,6 +10,7 @@ import (
 "net/http"
 "net/http/httptest"
 "regexp"
+ "strings"
 "testing"
 "time"
 )
@@ -99,9 +100,9 @@ func TestToken(t *testing.T) {
 func TestValidateURLTokenURL(t *testing.T) {
 var urlValidityTests = []struct {
- input string
- pattern []*regexp.Regexp
- result bool
+ tokURL string
+ pattern []*regexp.Regexp
+ expectSuccess bool
 }{
 {"https://east.sts.googleapis.com", validTokenURLPatterns, true},
 {"https://sts.googleapis.com", validTokenURLPatterns, true},
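Review bot: In validateURL the scheme comparison lower-cases both operands by hand; `if !strings.EqualFold(parsed.Scheme, scheme) {` states the intent directly and skips the two temporary strings. As far as I know `url.Parse` already returns a lower-cased scheme, so only the `scheme` argument can differ in case here. The function has no doc comment, and since it gates which hosts tokens are requested from I would add `// validateURL reports whether input parses as a URL with the given scheme and a host matching one of patterns.` and note that `parsed.Host` includes any port, so a URL with an explicit port will not match the `$`-anchored patterns visible in this file. The loop body continues outside the hunk.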
@@ -115,12 +116,60 @@ func TestValidateURLTokenURL(t *testing.T) {
 {"https://-sts.googleapis.com", validTokenURLPatterns, false},
 {"https://us-ea.st-1-sts.googleapis.com", validTokenURLPatterns, false},
 {"https://sts.googleapis.com.evil.com/whatever/path", validTokenURLPatterns, false},
+ {"https://us-eas\\t-1.sts.googleapis.com", validTokenURLPatterns, false},
+ {"https:/us-ea/st-1.sts.googleapis.com", validTokenURLPatterns, false},
+ {"https:/us-east 1.sts.googleapis.com", validTokenURLPatterns, false},
+ {"https://", validTokenURLPatterns, false},
+ {"http://us-east-1.sts.googleapis.com", validTokenURLPatterns, false},
+ {"https://us-east-1.sts.googleapis.comevil.com", validTokenURLPatterns, false},
+ }
+ //for _, tt := range urlValidityTests {
+ // t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
+ // valid := validateURL(tt.input, tt.pattern, "https")
+ // if valid != tt.result {
+ // t.Errorf("got %v, want %v", valid, tt.result)
+ // }
+ // })
+ //}
+ //for _, el := range urlValidityTests {
+ // el.input = strings.ToUpper(el.input)
+ //}
+ //for _, tt := range urlValidityTests {
+ // t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
+ // valid := validateURL(tt.input, tt.pattern, "https")
+ // if valid != tt.result {
+ // t.Errorf("got %v, want %v", valid, tt.result)
+ // }
+ // })
+ //}
+
+ ctx := context.Background()
+ for _, tt := range urlValidityTests {
+ t.Run(" "+tt.tokURL, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
+ config := testConfig
+ config.TokenURL = tt.tokURL
+ _, err := config.TokenSource(ctx)
+
+ if tt.expectSuccess && err != nil {
+ t.Errorf("got %v but want nil", err)
+ } else if !tt.expectSuccess && err == nil {
+ t.Errorf("got nil but expected an error")
+ }
+ })
+ }
+ for _, el := range urlValidityTests {
+ el.tokURL = strings.ToUpper(el.tokURL)
 }
 for _, tt := range urlValidityTests {
- t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
- valid := validateURL(tt.input, tt.pattern, "https")
- if valid != tt.result {
- t.Errorf("got %v, want %v", valid, tt.result)
+ t.Run(" "+tt.tokURL, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
+ config := testConfig
+ config.TokenURL = tt.tokURL
+ _, err := config.TokenSource(ctx)
+
+ if tt.expectSuccess && err != nil {
+ t.Errorf("got %v but want nil", err)
+ } else if !tt.expectSuccess && err == nil {
+ t.Errorf("got nil but expected an error")
 }
 })
 }
@@ -128,9 +177,9 @@ func TestValidateURLTokenURL(t *testing.T) {
 func TestValidateURLImpersonateURL(t *testing.T) {
 var urlValidityTests = []struct {
- input string
- pattern []*regexp.Regexp
- result bool
+ impURL string
+ pattern []*regexp.Regexp
+ expectSuccess bool
 }{
 {"https://east.iamcredentials.googleapis.com", validImpersonateURLPatterns, true},
 {"https://iamcredentials.googleapis.com", validImpersonateURLPatterns, true},
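Review bot: The upper-case pass in TestValidateURLTokenURL never sees upper-case input: `for _, el := range urlValidityTests { el.tokURL = strings.ToUpper(el.tokURL) }` assigns to the per-iteration copy `el`, so the table is unchanged and the second loop simply repeats the first. Index the slice instead, `for i := range urlValidityTests { urlValidityTests[i].tokURL = strings.ToUpper(urlValidityTests[i].tokURL) }`; the matching loop over `impURL` in the TestValidateURLImpersonateURL hunk has the same defect. As written, no test exercises the case-insensitive host matching this commit introduces. The commented-out copies of the old loops should be deleted rather than committed, and the `pattern` field is no longer read by either loop.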
@@ -144,12 +193,42 @@ func TestValidateURLImpersonateURL(t *testing.T) {
 {"https://-iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
 {"https://us-ea.st-1-iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
 {"https://iamcredentials.googleapis.com.evil.com/whatever/path", validImpersonateURLPatterns, false},
+ {"https://us-eas\\t-1.iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
+ {"https:/us-ea/st-1.iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
+ {"https:/us-east 1.iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
+ {"https://", validImpersonateURLPatterns, false},
+ {"http://us-east-1.iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
+ {"https://us-east-1.iamcredentials.googleapis.comevil.com", validImpersonateURLPatterns, false},
+ }
+ ctx := context.Background()
+ for _, tt := range urlValidityTests {
+ t.Run(" "+tt.impURL, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
+ config := testConfig
+ config.TokenURL = "https://sts.googleapis.com" // Setting the most basic acceptable tokenURL
+ config.ServiceAccountImpersonationURL = tt.impURL
+ _, err := config.TokenSource(ctx)
+
+ if tt.expectSuccess && err != nil {
+ t.Errorf("got %v but want nil", err)
+ } else if !tt.expectSuccess && err == nil {
+ t.Errorf("got nil but expected an error")
+ }
+ })
+ }
+ for _, el := range urlValidityTests {
+ el.impURL = strings.ToUpper(el.impURL)
 }
 for _, tt := range urlValidityTests {
- t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
- valid := validateURL(tt.input, tt.pattern, "https")
- if valid != tt.result {
- t.Errorf("got %v, want %v", valid, tt.result)
+ t.Run(" "+tt.impURL, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
+ config := testConfig
+ config.TokenURL = "https://sts.googleapis.com" // Setting the most basic acceptable tokenURL
+ config.ServiceAccountImpersonationURL = tt.impURL
+ _, err := config.TokenSource(ctx)
+
+ if tt.expectSuccess && err != nil {
+ t.Errorf("got %v but want nil", err)
+ } else if !tt.expectSuccess && err == nil {
+ t.Errorf("got nil but expected an error")
 }
 })
 }
diff --git a/google/internal/externalaccount/impersonate_test.go b/google/internal/externalaccount/impersonate_test.go
index d8eccf2..6fed7b9 100644
--- a/google/internal/externalaccount/impersonate_test.go
+++ b/google/internal/externalaccount/impersonate_test.go
@@ -6,7 +6,6 @@ package externalaccount
 import (
 "context"
- "fmt"
 "io/ioutil"
 "net/http"
 "net/http/httptest"
@@ -81,7 +80,6 @@ func TestImpersonation(t *testing.T) {
 allURLs := regexp.MustCompile(".+")
 ourTS, err := testImpersonateConfig.tokenSource(context.Background(), []*regexp.Regexp{allURLs}, []*regexp.Regexp{allURLs}, "http")
 if err != nil {
- fmt.Println(testImpersonateConfig.TokenURL)
 t.Fatalf("Failed to create TokenSource: %v", err)
 }