fix: adding one more pattern to relax the regex check for sts and imp…

…ersonation url endpoints (#1158) * fix: relax regex for sts and impersonation url with one more pattern * adding more testcases for invalid url * chore: update token
googleapis · Oct 6, 2022 · 75326e3 · 75326e3
1 parent 44a189f
commit 75326e3
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/google/auth/external_account.py b/google/auth/external_account.py
@@ -443,6 +443,7 @@ def validate_token_url(token_url):
             "^sts\\.googleapis\\.com$",
             "^sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$",
             "^[^\\.\\s\\/\\\\]+\\-sts\\.googleapis\\.com$",
+            "^sts\\-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$",
         ]
 
         if not Credentials.is_valid_url(_TOKEN_URL_PATTERNS, token_url):
@@ -455,6 +456,7 @@ def validate_service_account_impersonation_url(url):
             "^iamcredentials\\.googleapis\\.com$",
             "^iamcredentials\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$",
             "^[^\\.\\s\\/\\\\]+\\-iamcredentials\\.googleapis\\.com$",
+            "^iamcredentials\\-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$",
         ]
 
         if not Credentials.is_valid_url(

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
diff --git a/tests/test_external_account.py b/tests/test_external_account.py
@@ -289,6 +289,7 @@ def test_valid_token_url_shall_pass_validation(self):
             "https://us-east-1-sts.googleapis.com",
             "https://US-WEST-1-sts.googleapis.com",
             "https://us-west-1-sts.googleapis.com/path?query",
+            "https://sts-us-east-1.p.googleapis.com",
         ]
 
         for url in valid_urls:
@@ -316,6 +317,15 @@ def test_invalid_token_url_shall_throw_exceptions(self):
             "https://us- -1.sts.googleapis.com",
             "https://-sts.googleapis.com",
             "https://us-east-1.sts.googleapis.com.evil.com",
+            "https://sts.pgoogleapis.com",
+            "https://p.googleapis.com",
+            "https://sts.p.com",
+            "http://sts.p.googleapis.com",
+            "https://xyz-sts.p.googleapis.com",
+            "https://sts-xyz.123.p.googleapis.com",
+            "https://sts-xyz.p1.googleapis.com",
+            "https://sts-xyz.p.foo.com",
+            "https://sts-xyz.p.foo.googleapis.com",
         ]
 
         for url in invalid_urls:
@@ -335,6 +345,7 @@ def test_valid_service_account_impersonation_url_shall_pass_validation(self):
             "https://us-east-1-iamcredentials.googleapis.com",
             "https://US-WEST-1-iamcredentials.googleapis.com",
             "https://us-west-1-iamcredentials.googleapis.com/path?query",
+            "https://iamcredentials-us-east-1.p.googleapis.com",
         ]
 
         for url in valid_urls:
@@ -362,6 +373,15 @@ def test_invalid_service_account_impersonate_url_shall_throw_exceptions(self):
             "https://us- -1.iamcredentials.googleapis.com",
             "https://-iamcredentials.googleapis.com",
             "https://us-east-1.iamcredentials.googleapis.com.evil.com",
+            "https://iamcredentials.pgoogleapis.com",
+            "https://p.googleapis.com",
+            "https://iamcredentials.p.com",
+            "http://iamcredentials.p.googleapis.com",
+            "https://xyz-iamcredentials.p.googleapis.com",
+            "https://iamcredentials-xyz.123.p.googleapis.com",
+            "https://iamcredentials-xyz.p1.googleapis.com",
+            "https://iamcredentials-xyz.p.foo.com",
+            "https://iamcredentials-xyz.p.foo.googleapis.com",
         ]
 
         for url in invalid_urls: