From 2d9e4a2adf33fc3ce68d77995fadda7234520e5c Mon Sep 17 00:00:00 2001 From: Jin Qin Date: Fri, 25 Aug 2023 21:48:16 +0000 Subject: [PATCH] oauth2/google: remove meta validations for aws external credentials Remove the url validations to keep a consistency with other libraries. Change-Id: Icb1767edc000d9695db3f0c7ca271918fb2083f5 GitHub-Last-Rev: af89ee0c72964e70d5fb5a87d4ad659c280ccebb GitHub-Pull-Request: golang/oauth2#660 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/522395 Reviewed-by: Leo Siracusa TryBot-Result: Gopher Robot Reviewed-by: Cody Oss Run-TryBot: Cody Oss --- google/internal/externalaccount/aws.go | 43 ---- google/internal/externalaccount/aws_test.go | 216 +----------------- .../externalaccount/basecredentials.go | 4 - 3 files changed, 4 insertions(+), 259 deletions(-) diff --git a/google/internal/externalaccount/aws.go b/google/internal/externalaccount/aws.go index 2bf3202b2..a47b6de7f 100644 --- a/google/internal/externalaccount/aws.go +++ b/google/internal/externalaccount/aws.go @@ -274,49 +274,6 @@ type awsRequest struct { Headers []awsRequestHeader `json:"headers"` } -func (cs awsCredentialSource) validateMetadataServers() error { - if err := cs.validateMetadataServer(cs.RegionURL, "region_url"); err != nil { - return err - } - if err := cs.validateMetadataServer(cs.CredVerificationURL, "url"); err != nil { - return err - } - return cs.validateMetadataServer(cs.IMDSv2SessionTokenURL, "imdsv2_session_token_url") -} - -var validHostnames []string = []string{"169.254.169.254", "fd00:ec2::254"} - -func (cs awsCredentialSource) isValidMetadataServer(metadataUrl string) bool { - if metadataUrl == "" { - // Zero value means use default, which is valid. - return true - } - - u, err := url.Parse(metadataUrl) - if err != nil { - // Unparseable URL means invalid - return false - } - - for _, validHostname := range validHostnames { - if u.Hostname() == validHostname { - // If it's one of the valid hostnames, everything is good - return true - } - } - - // hostname not found in our allowlist, so not valid - return false -} - -func (cs awsCredentialSource) validateMetadataServer(metadataUrl, urlName string) error { - if !cs.isValidMetadataServer(metadataUrl) { - return fmt.Errorf("oauth2/google: invalid hostname %s for %s", metadataUrl, urlName) - } - - return nil -} - func (cs awsCredentialSource) doRequest(req *http.Request) (*http.Response, error) { if cs.client == nil { cs.client = oauth2.NewClient(cs.ctx, nil) diff --git a/google/internal/externalaccount/aws_test.go b/google/internal/externalaccount/aws_test.go index 058b00424..fd962a4a9 100644 --- a/google/internal/externalaccount/aws_test.go +++ b/google/internal/externalaccount/aws_test.go @@ -585,25 +585,18 @@ func getExpectedSubjectToken(url, region, accessKeyID, secretAccessKey, security func TestAWSCredential_BasicRequest(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) oldGetenv := getenv oldNow := now - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv now = oldNow - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{}) now = setTime(defaultTime) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -631,25 +624,18 @@ func TestAWSCredential_BasicRequest(t *testing.T) { func TestAWSCredential_IMDSv2(t *testing.T) { server := createDefaultAwsTestServerWithImdsv2(t) ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) oldGetenv := getenv oldNow := now - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv now = oldNow - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{}) now = setTime(defaultTime) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -677,10 +663,6 @@ func TestAWSCredential_IMDSv2(t *testing.T) { func TestAWSCredential_BasicRequestWithoutSecurityToken(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } delete(server.Credentials, "Token") tfc := testFileConfig @@ -688,15 +670,12 @@ func TestAWSCredential_BasicRequestWithoutSecurityToken(t *testing.T) { oldGetenv := getenv oldNow := now - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv now = oldNow - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{}) now = setTime(defaultTime) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -724,21 +703,15 @@ func TestAWSCredential_BasicRequestWithoutSecurityToken(t *testing.T) { func TestAWSCredential_BasicRequestWithEnv(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) oldGetenv := getenv oldNow := now - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv now = oldNow - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{ "AWS_ACCESS_KEY_ID": "AKIDEXAMPLE", @@ -746,7 +719,6 @@ func TestAWSCredential_BasicRequestWithEnv(t *testing.T) { "AWS_REGION": "us-west-1", }) now = setTime(defaultTime) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -774,21 +746,15 @@ func TestAWSCredential_BasicRequestWithEnv(t *testing.T) { func TestAWSCredential_BasicRequestWithDefaultEnv(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) oldGetenv := getenv oldNow := now - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv now = oldNow - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{ "AWS_ACCESS_KEY_ID": "AKIDEXAMPLE", @@ -796,7 +762,6 @@ func TestAWSCredential_BasicRequestWithDefaultEnv(t *testing.T) { "AWS_REGION": "us-west-1", }) now = setTime(defaultTime) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -823,21 +788,15 @@ func TestAWSCredential_BasicRequestWithDefaultEnv(t *testing.T) { func TestAWSCredential_BasicRequestWithTwoRegions(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) oldGetenv := getenv oldNow := now - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv now = oldNow - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{ "AWS_ACCESS_KEY_ID": "AKIDEXAMPLE", @@ -846,7 +805,6 @@ func TestAWSCredential_BasicRequestWithTwoRegions(t *testing.T) { "AWS_DEFAULT_REGION": "us-east-1", }) now = setTime(defaultTime) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -873,25 +831,18 @@ func TestAWSCredential_BasicRequestWithTwoRegions(t *testing.T) { func TestAWSCredential_RequestWithBadVersion(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) tfc.CredentialSource.EnvironmentID = "aws3" oldGetenv := getenv - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{}) - validHostnames = []string{tsURL.Hostname()} - _, err = tfc.parse(context.Background()) + _, err := tfc.parse(context.Background()) if err == nil { t.Fatalf("parse() should have failed") } @@ -903,23 +854,16 @@ func TestAWSCredential_RequestWithBadVersion(t *testing.T) { func TestAWSCredential_RequestWithNoRegionURL(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) tfc.CredentialSource.RegionURL = "" oldGetenv := getenv - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{}) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -939,23 +883,17 @@ func TestAWSCredential_RequestWithNoRegionURL(t *testing.T) { func TestAWSCredential_RequestWithBadRegionURL(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } + server.WriteRegion = notFound tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) oldGetenv := getenv - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{}) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -975,10 +913,7 @@ func TestAWSCredential_RequestWithBadRegionURL(t *testing.T) { func TestAWSCredential_RequestWithMissingCredential(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } + server.WriteSecurityCredentials = func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("{}")) } @@ -987,13 +922,10 @@ func TestAWSCredential_RequestWithMissingCredential(t *testing.T) { tfc.CredentialSource = server.getCredentialSource(ts.URL) oldGetenv := getenv - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{}) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -1013,10 +945,7 @@ func TestAWSCredential_RequestWithMissingCredential(t *testing.T) { func TestAWSCredential_RequestWithIncompleteCredential(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } + server.WriteSecurityCredentials = func(w http.ResponseWriter, r *http.Request) { w.Write([]byte(`{"AccessKeyId":"FOOBARBAS"}`)) } @@ -1025,13 +954,10 @@ func TestAWSCredential_RequestWithIncompleteCredential(t *testing.T) { tfc.CredentialSource = server.getCredentialSource(ts.URL) oldGetenv := getenv - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{}) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -1051,23 +977,16 @@ func TestAWSCredential_RequestWithIncompleteCredential(t *testing.T) { func TestAWSCredential_RequestWithNoCredentialURL(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) tfc.CredentialSource.URL = "" oldGetenv := getenv - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{}) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -1087,23 +1006,16 @@ func TestAWSCredential_RequestWithNoCredentialURL(t *testing.T) { func TestAWSCredential_RequestWithBadCredentialURL(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } server.WriteRolename = notFound tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) oldGetenv := getenv - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{}) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -1123,23 +1035,16 @@ func TestAWSCredential_RequestWithBadCredentialURL(t *testing.T) { func TestAWSCredential_RequestWithBadFinalCredentialURL(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } server.WriteSecurityCredentials = notFound tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) oldGetenv := getenv - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{}) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -1159,10 +1064,6 @@ func TestAWSCredential_RequestWithBadFinalCredentialURL(t *testing.T) { func TestAWSCredential_ShouldNotCallMetadataEndpointWhenCredsAreInEnv(t *testing.T) { server := createDefaultAwsTestServer() ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } metadataTs := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { t.Error("Metadata server should not have been called.") @@ -1174,11 +1075,9 @@ func TestAWSCredential_ShouldNotCallMetadataEndpointWhenCredsAreInEnv(t *testing oldGetenv := getenv oldNow := now - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv now = oldNow - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{ "AWS_ACCESS_KEY_ID": "AKIDEXAMPLE", @@ -1186,7 +1085,6 @@ func TestAWSCredential_ShouldNotCallMetadataEndpointWhenCredsAreInEnv(t *testing "AWS_REGION": "us-west-1", }) now = setTime(defaultTime) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -1214,28 +1112,21 @@ func TestAWSCredential_ShouldNotCallMetadataEndpointWhenCredsAreInEnv(t *testing func TestAWSCredential_ShouldCallMetadataEndpointWhenNoRegion(t *testing.T) { server := createDefaultAwsTestServerWithImdsv2(t) ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) oldGetenv := getenv oldNow := now - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv now = oldNow - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{ "AWS_ACCESS_KEY_ID": accessKeyID, "AWS_SECRET_ACCESS_KEY": secretAccessKey, }) now = setTime(defaultTime) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -1263,28 +1154,21 @@ func TestAWSCredential_ShouldCallMetadataEndpointWhenNoRegion(t *testing.T) { func TestAWSCredential_ShouldCallMetadataEndpointWhenNoAccessKey(t *testing.T) { server := createDefaultAwsTestServerWithImdsv2(t) ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) oldGetenv := getenv oldNow := now - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv now = oldNow - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{ "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "AWS_REGION": "us-west-1", }) now = setTime(defaultTime) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -1312,28 +1196,21 @@ func TestAWSCredential_ShouldCallMetadataEndpointWhenNoAccessKey(t *testing.T) { func TestAWSCredential_ShouldCallMetadataEndpointWhenNoSecretAccessKey(t *testing.T) { server := createDefaultAwsTestServerWithImdsv2(t) ts := httptest.NewServer(server) - tsURL, err := neturl.Parse(ts.URL) - if err != nil { - t.Fatalf("couldn't parse httptest servername") - } tfc := testFileConfig tfc.CredentialSource = server.getCredentialSource(ts.URL) oldGetenv := getenv oldNow := now - oldValidHostnames := validHostnames defer func() { getenv = oldGetenv now = oldNow - validHostnames = oldValidHostnames }() getenv = setEnvironment(map[string]string{ "AWS_ACCESS_KEY_ID": "AKIDEXAMPLE", "AWS_REGION": "us-west-1", }) now = setTime(defaultTime) - validHostnames = []string{tsURL.Hostname()} base, err := tfc.parse(context.Background()) if err != nil { @@ -1357,88 +1234,3 @@ func TestAWSCredential_ShouldCallMetadataEndpointWhenNoSecretAccessKey(t *testin t.Errorf("subjectToken = \n%q\n want \n%q", got, want) } } - -func TestAWSCredential_Validations(t *testing.T) { - var metadataServerValidityTests = []struct { - name string - credSource CredentialSource - errText string - }{ - { - name: "No Metadata Server URLs", - credSource: CredentialSource{ - EnvironmentID: "aws1", - RegionURL: "", - URL: "", - IMDSv2SessionTokenURL: "", - }, - }, { - name: "IPv4 Metadata Server URLs", - credSource: CredentialSource{ - EnvironmentID: "aws1", - RegionURL: "http://169.254.169.254/latest/meta-data/placement/availability-zone", - URL: "http://169.254.169.254/latest/meta-data/iam/security-credentials", - IMDSv2SessionTokenURL: "http://169.254.169.254/latest/api/token", - }, - }, { - name: "IPv6 Metadata Server URLs", - credSource: CredentialSource{ - EnvironmentID: "aws1", - RegionURL: "http://[fd00:ec2::254]/latest/meta-data/placement/availability-zone", - URL: "http://[fd00:ec2::254]/latest/meta-data/iam/security-credentials", - IMDSv2SessionTokenURL: "http://[fd00:ec2::254]/latest/api/token", - }, - }, { - name: "Faulty RegionURL", - credSource: CredentialSource{ - EnvironmentID: "aws1", - RegionURL: "http://abc.com/latest/meta-data/placement/availability-zone", - URL: "http://169.254.169.254/latest/meta-data/iam/security-credentials", - IMDSv2SessionTokenURL: "http://169.254.169.254/latest/api/token", - }, - errText: "oauth2/google: invalid hostname http://abc.com/latest/meta-data/placement/availability-zone for region_url", - }, { - name: "Faulty CredVerificationURL", - credSource: CredentialSource{ - EnvironmentID: "aws1", - RegionURL: "http://169.254.169.254/latest/meta-data/placement/availability-zone", - URL: "http://abc.com/latest/meta-data/iam/security-credentials", - IMDSv2SessionTokenURL: "http://169.254.169.254/latest/api/token", - }, - errText: "oauth2/google: invalid hostname http://abc.com/latest/meta-data/iam/security-credentials for url", - }, { - name: "Faulty IMDSv2SessionTokenURL", - credSource: CredentialSource{ - EnvironmentID: "aws1", - RegionURL: "http://169.254.169.254/latest/meta-data/placement/availability-zone", - URL: "http://169.254.169.254/latest/meta-data/iam/security-credentials", - IMDSv2SessionTokenURL: "http://abc.com/latest/api/token", - }, - errText: "oauth2/google: invalid hostname http://abc.com/latest/api/token for imdsv2_session_token_url", - }, - } - - for _, tt := range metadataServerValidityTests { - t.Run(tt.name, func(t *testing.T) { - tfc := testFileConfig - tfc.CredentialSource = tt.credSource - - oldGetenv := getenv - defer func() { getenv = oldGetenv }() - getenv = setEnvironment(map[string]string{}) - - _, err := tfc.parse(context.Background()) - if err != nil { - if tt.errText == "" { - t.Errorf("Didn't expect an error, but got %v", err) - } else if tt.errText != err.Error() { - t.Errorf("Expected %v, but got %v", tt.errText, err) - } - } else { - if tt.errText != "" { - t.Errorf("Expected error %v, but got none", tt.errText) - } - } - }) - } -} diff --git a/google/internal/externalaccount/basecredentials.go b/google/internal/externalaccount/basecredentials.go index dcd252a61..7c4c2b045 100644 --- a/google/internal/externalaccount/basecredentials.go +++ b/google/internal/externalaccount/basecredentials.go @@ -185,10 +185,6 @@ func (c *Config) parse(ctx context.Context) (baseCredentialSource, error) { awsCredSource.IMDSv2SessionTokenURL = c.CredentialSource.IMDSv2SessionTokenURL } - if err := awsCredSource.validateMetadataServers(); err != nil { - return nil, err - } - return awsCredSource, nil } } else if c.CredentialSource.File != "" {