8000 fix: adding one more pattern to relax the regex check for sts and imp… · TJB-1/google-auth-library-python@75326e3 · GitHub

Commit 75326e3

authored
fix: adding one more pattern to relax the regex check for sts and impersonation url endpoints (googleapis#1158)
* fix: relax regex for sts and impersonation url with one more pattern * adding more testcases for invalid url * chore: update token
1 parent 44a189f commit 75326e3


3 files changed

+22
-0
lines changed


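--- a/google/auth/external_account.py
+++ b/google/auth/external_account.py
@@ -443,6 +443,7 @@ def validate_token_url(token_url):
 "^sts\\.googleapis\\.com$",
 "^sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$",
 "^[^\\.\\s\\/\\\\]+\\-sts\\.googleapis\\.com$",
+"^sts\\-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$",
 ]
 
 if not Credentials.is_valid_url(_TOKEN_URL_PATTERNS, token_url):
@@ -455,6 +456,7 @@ def validate_service_account_impersonation_url(url):
 "^iamcredentials\\.googleapis\\.com$",
 "^iamcredentials\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$",
 "^[^\\.\\s\\/\\\\]+\\-iamcredentials\\.googleapis\\.com$",
+"^iamcredentials\\-[^\\.\\s\\/\\\\]+\\.p\\.googleapis\\.com$",
 ]
 
 if not Credentials.is_valid_url(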
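Review bot: The added pattern in validate_token_url reuses the negated class `[^\\.\\s\\/\\\\]+` for the endpoint label, which accepts every character except a dot, whitespace and slashes, so characters that carry meaning inside a URL authority still satisfy the pattern itself and the allowlist depends on how `Credentials.is_valid_url` (not visible in this section) isolates the hostname first. Because this check appears to gate which host receives token requests, a positive class would be safer: `"^sts\\-[A-Za-z0-9\\-]+\\.p\\.googleapis\\.com$",`, and likewise `"^iamcredentials\\-[A-Za-z0-9\\-]+\\.p\\.googleapis\\.com$",` in the second hunk. A short comment above each new entry naming the endpoint form it admits (`sts-<name>.p.googleapis.com`) would also help the next reader. Both functions start and end outside the hunks shown.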

system_tests/secrets.tar.enc

0 Bytes
Binary file not shown.

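--- a/tests/test_external_account.py
+++ b/tests/test_external_account.py
@@ -289,6 +289,7 @@ def test_valid_token_url_shall_pass_validation(self):
 "https://us-east-1-sts.googleapis.com",
 "https://US-WEST-1-sts.googleapis.com",
 "https://us-west-1-sts.googleapis.com/path?query",
+"https://sts-us-east-1.p.googleapis.com",
 ]
 
 for url in valid_urls:
@@ -316,6 +317,15 @@ def test_invalid_token_url_shall_throw_exceptions(self):
 "https://us- -1.sts.googleapis.com",
 "https://-sts.googleapis.com",
 "https://us-east-1.sts.googleapis.com.evil.com",
+"https://sts.pgoogleapis.com",
+"https://p.googleapis.com",
+"https://sts.p.com",
+"http://sts.p.googleapis.com",
+"https://xyz-sts.p.googleapis.com",
+"https://sts-xyz.123.p.googleapis.com",
+"https://sts-xyz.p1.googleapis.com",
+"https://sts-xyz.p.foo.com",
+"https://sts-xyz.p.foo.googleapis.com",
 ]
 
 for url in invalid_urls:
@@ -335,6 +345,7 @@ def test_valid_service_account_impersonation_url_shall_pass_validation(self):
 "https://us-east-1-iamcredentials.googleapis.com",
 "https://US-WEST-1-iamcredentials.googleapis.com",
 "https://us-west-1-iamcredentials.googleapis.com/path?query",
+"https://iamcredentials-us-east-1.p.googleapis.com",
 ]
 
 for url in valid_urls:
@@ -362,6 +373,15 @@ def test_invalid_service_account_impersonate_url_shall_throw_exceptions(self):
 "https://us- -1.iamcredentials.googleapis.com",
 "https://-iamcredentials.googleapis.com",
 "https://us-east-1.iamcredentials.googleapis.com.evil.com",
+"https://iamcredentials.pgoogleapis.com",
+"https://p.googleapis.com",
+"https://iamcredentials.p.com",
+"http://iamcredentials.p.googleapis.com",
+"https://xyz-iamcredentials.p.googleapis.com",
+"https://iamcredentials-xyz.123.p.googleapis.com",
+"https://iamcredentials-xyz.p1.googleapis.com",
+"https://iamcredentials-xyz.p.foo.com",
+"https://iamcredentials-xyz.p.foo.googleapis.com",
 ]
 
 for url in invalid_urls: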
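Review bot: The new rejected-URL cases in test_invalid_token_url_shall_throw_exceptions leave out the suffix-appended form for the new endpoint shape, although the list already covers it for the regional shape with `"https://us-east-1.sts.googleapis.com.evil.com"`. I would add `"https://sts-xyz.p.googleapis.com.evil.com",` and the empty-label case `"https://sts-.p.googleapis.com",` there, with the `iamcredentials` equivalents in test_invalid_service_account_impersonate_url_shall_throw_exceptions. The valid lists could also gain `"https://sts-us-east-1.p.googleapis.com/path?query",` to mirror the existing path-and-query case, so the new pattern is pinned the same way as the older ones. All four test methods continue outside the hunks shown.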
